best practices around userid's to run/startup the MQ etc... |
sarlindo |
Posted: Fri Sep 16, 2011 9:40 am Post subject: best practices around userid's to run/startup the MQ etc... |
|
|
Newbie
Joined: 16 Sep 2011 Posts: 2
|
We have MQ running on an AIX server and have Q managers for different environments such as "DEV, SIT, UAT" etc. Now my question is, what Unix ID should I start each Q manager under? Should I just use the "mqm" user to start up all environments? Should I create a new userid and add it to the mqm group and start everything up with that userid? Should I create a different userid for each environment and use those IDs for each separate environment? What is the best practice around these types of questions? |
|
|
 |
mqjeff |
Posted: Fri Sep 16, 2011 11:04 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Best practice is to put different environments in different LPARs or physical servers. |
|
|
 |
sarlindo |
Posted: Fri Sep 16, 2011 11:13 am Post subject: |
|
|
Newbie
Joined: 16 Sep 2011 Posts: 2
|
Yes, running environments on different LPARs or physical servers is a best practice, but what I am really after is the userid to run MQ under on AIX. |
|
|
 |
mqjeff |
Posted: Fri Sep 16, 2011 11:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
sarlindo wrote: |
Yes, running environments on different LPARs or physical servers is a best practice, but what I am really after is the userid to run MQ under on AIX. |
MQ always really runs under mqm anyway - fun with setguid and setuid and other sticky wickets.
The problem with putting different envs on the same physical/logical partition is that it's much harder to maintain separate sets of administrative controls - there is only really one mqm group and user.
So, again, don't think about what user is *running* mq.
Think very very very long and hard about what users need to do what things to each qmgr in each environment, and then "do the needful" to ensure that everyone is locked in to their specific role without overlap.
And by "long and hard" I mean "at least a week". Not "an hour or two while flipping through the security manual".
This is not an easy topic, particularly if you are still trying to think about what user is running programs, rather than handling mq authorization. |
|
|
 |
gbaddeley |
Posted: Sun Sep 18, 2011 5:45 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
sarlindo wrote: |
Yes, running environments on different LPARs or physical servers is a best practice, but what I am really after is the userid to run MQ under on AIX. |
Run all the queue managers on the LPAR under the default MQ admin userid 'mqm'. Set up groups for each app environment. Use these to provide limited MQ authority to the queues on each queue manager which they need to use. All MQ admin requests (e.g. creating queues) for all environments should go through a common "gate keeper" MQ admin team. Encourage good change control and security practices, even with the development team (who would like to have free rein to do whatever they want). _________________ Glenn |
|
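One way to script the per-environment group grants described in the answer above, as an added example that is not part of the thread. The queue manager names (DEV.QM, SIT.QM, UAT.QM), group names (appdev, appsit, appuat) and queue names are constructed; `setmqaut` is the standard MQ command, and the script only prints the commands unless `MQ_APPLY=1` is set.

```shell
#!/bin/sh
# Added example: queue manager, group and queue names are constructed.
# Dry run by default: prints the setmqaut commands. Set MQ_APPLY=1 to run
# them as an MQ administrator on a host where MQ is installed.

run_or_print() {
    if [ "${MQ_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

grant_env_access() {
    qmgr=$1; group=$2; shift 2
    # Members of mqm already have full admin rights on every queue manager
    # on the host, so an application group must never be mqm itself.
    if [ "$group" = "mqm" ]; then
        echo "refusing: '$group' is the MQ admin group" >&2
        return 1
    fi
    if [ $# -eq 0 ]; then
        echo "usage: grant_env_access QMGR GROUP QUEUE..." >&2
        return 2
    fi
    # Connect/inquire on the queue manager only; no admin authorities.
    run_or_print setmqaut -m "$qmgr" -t qmgr -g "$group" +connect +inq
    for q in "$@"; do
        # Message-level access to the named queues, nothing else.
        run_or_print setmqaut -m "$qmgr" -n "$q" -t queue -g "$group" \
            +put +get +browse +inq
    done
}

# One group per environment, each scoped to its own queue manager.
plan_all() {
    grant_env_access DEV.QM appdev APP.REQUEST APP.REPLY &&
    grant_env_access SIT.QM appsit APP.REQUEST APP.REPLY &&
    grant_env_access UAT.QM appuat APP.REQUEST APP.REPLY
}

plan_all
```

After applying, `dspmqaut -m DEV.QM -n APP.REQUEST -t queue -g appdev` shows what the group actually holds on that queue.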