Installation UserId
mqdev
Posted: Wed Apr 11, 2007 7:43 am    Post subject: Installation UserId

Centurion

Joined: 21 Jan 2003
Posts: 136

Hello,
We are trying to evolve a good process for MQ installs in our enterprise and would like to know the best practices for this. Ours is a purely Windows shop with a mix of Win2000 and Win2003 (the would-be Corp. standard). The practice has been that MQ software is installed & configured as User 'MQAdmin' on these boxes. Ours is a Hub & Spoke architecture with the Spokes' MQ (which really are different Enterprise Applications) being administered by the Application team MQ Admin. As can be seen, the "MQAdmin" UserId's password will be known to multiple folks and this is perceived as a Security risk as these folks tend to leave the Organisation. Due to SOX compliance, the Corp MQ team cannot administer the Spoke MQ env. and thus it is not possible to restrict the knowledge of the MQAdmin password to a smaller group.
We will need something similar to Unix's "sudo" wherein a User can perform tasks that are authorized only to root. The command that comes close to this on Windows is "contact admin" but this requires that the password of the UserId that I am running as be entered (sudo does not require this - it works off of a sudoers list which is configured by the root). Would like to know if anyone has encountered the same/similar issue and the solution if any...

Thanks
-mqdev
jefflowrey
Posted: Wed Apr 11, 2007 7:53 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Um.

First off, are you using domains?

Second off, the "mqm" group is designed for this. And on Windows anyone in the local Administrators group has full mqm rights. So on Box 1, you can put User 1 into mqm, and on Box 2 you can put User 2 into mqm.
_________________
I am *not* the model of the modern major general.
mqdev
Posted: Fri Apr 13, 2007 7:59 am

Centurion

Joined: 21 Jan 2003
Posts: 136

Jeff,
Thanks for your reply.

Yes we do use Windows domains (the MQAdmin UserID profile is available in Windows Active Directory which is referenced by all nodes in the Network).

The MQ Service on each box is installed and started as UserId MQAdmin (actually <Domain>\MQAdmin). Thus for each new box being built, the MQ Software installation and configuration is done by logging in as MQAdmin (for a Spoke MQ box, this is done by the Spoke Team's MQ Admin - he logs in as MQAdmin and hence is privy to the MQAdmin password). In addition, there are some Trigger Services and MQ Applications which are configured as Windows services and which also need a UserID and password as parameters. The UserId configured for MQ related services is again <Domain>\MQAdmin (for App related services, it is an App related UserId which is not in the scope of the current discussion). Now here are our questions:

1. Due to a recent Corp change, the domain name has been changed. Thus, what was <Domain1>\MQAdmin has now become <Domain2>\MQAdmin. The impact of this is that -

(a) All MQ objects which had access granted to UserID <Domain1>\MQAdmin should now have identical access granted to UserID <Domain2>\MQAdmin
(b) All services which are configured to run as <Domain1>\MQAdmin should now be configured to run as <Domain2>\MQAdmin

As you can see, this entails changing settings on each of the boxes and hence a lot of work. Can things be done differently so that we don't need to incur all this effort in future? Also, are there any other impacts, other than the above listed, due to the Windows domain name change?

2. As already explained, the spoke MQ Admins are privy to the MQAdmin password. If they instead install the service as their own UserId - say JohnDoe - there will be an issue when John Doe quits, as his UserId will be disabled upon his termination (once the Id is disabled, the Windows Service configured using his Id wouldn't run as the credentials are no longer valid). Is there a better way of going about configuring MQ Services in Windows? How are the major Windows shops handling this situation?

Thanks
-mqdev
fjb_saper
Posted: Fri Apr 13, 2007 12:43 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Yes there is a better way...
MQ Services can be configured to run with a "Service ID" for which the password never expires. Make sure the "Service Id" is part of the MQM group and has the rights to access and resolve user authorizations in the domain.

Now you can administer the qmgrs with any id in the mqm group... or with any id granted the right permissions...

Enjoy
_________________
MQ & Broker admin
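The advice above (a dedicated service ID in the mqm group, and never a person's own account) is easiest to enforce if you can see where the shared account is actually used on each box before a password rotation or domain move. The following PowerShell audit is an added example, not code from the thread or from IBM; the account name is a placeholder standing in for the thread's <Domain>\MQAdmin, and it assumes it is run elevated on a Windows host with IBM MQ installed.

```powershell
# Added example (not from the thread): audit how a shared MQ service account is
# used on this box. $Account is a placeholder for the real <Domain>\MQAdmin.
param(
    [string]$Account = 'DOMAIN1\MQAdmin'   # placeholder; replace with <Domain>\MQAdmin
)

# Logon accounts that are built-in Windows service identities, not people or shared IDs.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$allServices = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName

# 1. Services configured to run as the shared ID: these are the entries that item 1(b)
#    in the thread must reconfigure after a domain rename, and that stop when the ID is disabled.
$sharedId = $allServices | Where-Object { $_.StartName -and ($_.StartName -ieq $Account) }
Write-Host "Services running as ${Account}:"
$sharedId | Format-Table -AutoSize

# 2. Services running as some other named user (the "installed as JohnDoe" case):
#    a personal account owning a service breaks when that person leaves the company.
$personal = $allServices | Where-Object {
    $_.StartName -and
    ($builtin -notcontains $_.StartName) -and   # -notcontains is case-insensitive
    ($_.StartName -notlike 'NT SERVICE\*') -and
    ($_.StartName -ine $Account)
}
if ($personal) {
    Write-Warning "Services running under accounts other than the service ID:"
    $personal | Format-Table Name, StartName, State -AutoSize
}

# 3. Who holds MQ administrative rights here: local 'mqm' members, plus local
#    'Administrators' (full mqm rights on Windows, as noted earlier in the thread).
foreach ($group in 'mqm', 'Administrators') {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        Write-Host "`nMembers of local group '${group}':"
        $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    } catch {
        Write-Warning "Local group '${group}' not found or not readable: $_"
    }
}

# 4. The service ID only needs mqm; flag it if it also sits in Administrators.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
if ($admins -icontains $Account) {
    Write-Warning "$Account is a local Administrator; membership in 'mqm' alone is sufficient for MQ administration."
}
```

Run it on each hub and spoke box before the <Domain1> to <Domain2> change so that the list of services to re-point (item 1(b)) and of accounts needing equivalent mqm membership (item 1(a)) is known in advance rather than discovered when a service fails to start.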