MQ security Windows, GUID issue?
mqseries0209
Posted: Fri Sep 16, 2011 7:58 am    Post subject: MQ security Windows, GUID issue?

Voyager

Joined: 30 Mar 2006
Posts: 90

I know I still have to test it out, and I am planning to next week, but I have a concern and would really appreciate some input on this.

Environment:
Windows 2008 server, MQ 7.1 installed on two clustered Windows nodes, and the MQ queue manager is an MSCS resource.

Question:
If I create a local group with the same name on both Windows nodes and run the security script (setmqaut for QM objects for the local group) on the group on each node, will the security still work when the QM fails over to the other cluster node?

I talked to the Windows admin, and they said the same GUID for the same group name cannot be guaranteed on both Windows nodes, so I am concerned whether the security will work when the QM fails over.

Please suggest.

thank you.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1

IBM Certified Solution Developer - WebSphere Integration Developer V6.0
fjb_saper
Posted: Fri Sep 16, 2011 4:25 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

The groupid should be a domain groupid. This way the same uuid is guaranteed, right?
_________________
MQ & Broker admin
mqseries0209
Posted: Mon Sep 19, 2011 7:18 am

Voyager

Joined: 30 Mar 2006
Posts: 90

Quote:
The groupid should be a domain groupid. This way the same uuid is guaranteed, right?


MQ security cannot be run on domain groups.

On Windows, security can either be configured on domain user or local user OR LOCAL group.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1

IBM Certified Solution Developer - WebSphere Integration Developer V6.0
gbaddeley
Posted: Mon Sep 19, 2011 4:49 pm

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

mqseries0209 wrote:
On Windows, security can either be configured on domain user or local user OR LOCAL group.


Correct, the setmqaut command only accepts -g localgroup on Windows. However, the local group can contain domain groups.
_________________
Glenn
mqseries0209
Posted: Tue Sep 20, 2011 8:53 am

Voyager

Joined: 30 Mar 2006
Posts: 90

Quote:
Correct, the setmqaut command only accepts -g localgroup on Windows. However, the local group can contain domain groups.


That can be done, but does not answer my question/concern.
The security still will be run on local group and not sure how that will affect when the Queue Manager fails over.

I want to find out if the MQ security is based on unique GUID on each machine or based on unique group name.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1

IBM Certified Solution Developer - WebSphere Integration Developer V6.0
exerk
Posted: Tue Sep 20, 2011 11:19 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqseries0209 wrote:
That can be done, but does not answer my question/concern. The security still will be run on local group and not sure how that will affect when the Queue Manager fails over.

I want to find out if the MQ security is based on unique GUID on each machine or based on unique group name.

I have run MSCS setups with a domain mqm group within the local mqm group, i.e. the MQSeriesService runs under a domain user, and everything works fine. Ditto WMQ-related domain user groups in local groups created for the purpose of OAM lock-down.

As far as I am aware, it's only Multi-Instance queue managers on Windows that require 'mirroring' (of the SSID I think, hence why they have to be on Domain Controllers).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
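
A check for the concern discussed in this thread, as an added example that is not part of any post above: it reads the SID and direct members of the same-named local group on both cluster nodes. A local group's SID is issued by the machine that owns it, so the two values normally differ, while a domain group nested inside carries one domain-issued SID on every node. The node names and group name are hypothetical, and PowerShell remoting is assumed to be enabled on both nodes.

```powershell
# Added example: node and group names are hypothetical placeholders.
$Nodes     = 'MQNODE1', 'MQNODE2'   # the two MSCS cluster nodes (assumed names)
$GroupName = 'MQAppUsers'           # local group passed to setmqaut -g (assumed name)

# Runs on each node: resolve the local group and list what is nested in it.
$probe = {
    param($Group)

    # Translate "<machine>\<group>" into the SID this machine issued for it.
    $account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Group")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Direct members via ADSI. Domain principals appear as WinNT://DOMAIN/name;
    # local ones include the machine name, so they never match across nodes.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $members = @($adsi.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    } | Sort-Object

    New-Object PSObject -Property @{
        Node    = $env:COMPUTERNAME
        Sid     = $sid
        Members = ($members -join ';')   # flattened so it survives remoting unchanged
    }
}

$results = @(foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $probe -ArgumentList $GroupName
})

# Report per node.
foreach ($r in $results) {
    '{0}: local group SID {1}' -f $r.Node, $r.Sid
    foreach ($m in ($r.Members -split ';')) { if ($m) { "    member: $m" } }
}

# Compare the two nodes.
$sidCount    = @($results | Select-Object -ExpandProperty Sid -Unique).Count
$memberCount = @($results | Select-Object -ExpandProperty Members -Unique).Count

if ($sidCount -eq 1) { 'Local group SID: identical on both nodes' }
else                 { 'Local group SID: differs between nodes' }

if ($memberCount -eq 1) { 'Membership: identical on both nodes' }
else                    { 'Membership: DIFFERS, review nested groups on each node' }
```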