Requirement for Domain Controllers in Multi-Instance QMgr
saurabh25281
Posted: Fri Aug 12, 2016 12:54 pm    Post subject: Requirement for Domain Controllers in Multi-Instance QMgr

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi All,

I am planning to set up a multi-instance Queue Manager v8.0.0.5 on a Windows 2012 R2 Server. The documentation says that both the Windows machines should be running as Domain controllers.
https://www.ibm.com/support/knowledgecenter/SSKM8N_8.0.0/com.ibm.etools.mft.doc/fa70161_.htm

I spoke to my clients and they have raised security risks and wanted to explore other options rather than Domain controllers. So,
1. Are there any other options available?

I looked into older posts which point out that the requirement is primarily due to the need for having the same SID for both the mqm groups, which is only possible for domain local groups. So http://www./phpBB2/viewtopic.php?p=282032&sid=f3243ebdbc9ecdbb7935f49414ab8af7

2. Can we have domain local groups (mqm) created for my 2 Windows servers & file server, without making them run as DCs?

3. Are there other possibilities, as specified in the above links, that are still valid, like creating a sub-domain which can be used only for MQ servers?

4. Do you guys think MQ 8.0.0.5 is a stable version to work with? We are planning for a plain vanilla MQ setup for MQ-MQ intercommunication with some .Net application connecting our MQ servers.

Regards
Saurabh
exerk
Posted: Sat Aug 13, 2016 7:12 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Have a read of THIS - there is no requirement to have MI queue managers on DCs with the version of MQ you're going to use.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
saurabh25281
Posted: Tue Aug 16, 2016 2:31 am    Post subject: Security in multi-instance QMgr on Windows

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Thanks for your link exerk.

I have another query. Please consider my security scenario and let me know what is the correct way of implementation.

In a normal implementation (single node MQ server) I would provide access to MQ users by creating a local mqusers group and provide access using setmqaut at group level. But in the case of a multi-instance Queue Manager on Windows, how do we implement the same scenario? The users I have are domain users.

Do we create Local groups on both server and add domain users into the group, or,
Do we create Global groups containing domain users and provide access to the Global group?
fjb_saper
Posted: Tue Aug 16, 2016 2:44 am    Post subject: Re: Security in multi-instance QMgr on Windows

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

saurabh25281 wrote:

Do we create Global groups containing domain users and provide access to the Global group?

And you have to run the MQ Service (see services.msc plugin) with the Domain ID that you set up as described in the infocenter
_________________
MQ & Broker admin
saurabh25281
Posted: Tue Aug 16, 2016 3:45 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Thanks for the quick response fjb_saper.

As per the infocenter the domain user under which MQ should run, should be a part of both the local mqm group and an alternate Global security group.

Do you not think that the domain user would be automatically configured for the services.msc panel, if I perform the installation as a domain user?
smdavies99
Posted: Tue Aug 16, 2016 5:01 am    Post subject:

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

saurabh25281 wrote:

Do you not think that the domain user would be automatically configured for the services.msc panel, if I perform the installation as a domain user?

The post install processing is where you define the account that MQ is to run under. You will have preconfigured that in the DC with all the right properties (A lot easier under Server 2016)
The post processing checks the settings on the account then if good, it creates the service with the correct login credentials.

You have to perform the install as an Admin otherwise the installer won't have the right access to check the account privs etc.
Why don't you try it using an account that does not have the rights to check the account rights on the DC?
IBM wisely does not specify the account name that MQ runs under. If they did, the security people in many companies would have an apoplectic fit. They want all sorts of security on these accounts.
One install I did, I had a security bod enter all the passwords for me.

Oh, and make sure that the account that MQ is using never expires. I've had many a battle with Security who mandated that all accounts expire every 'N' days.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
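
The account properties discussed in the posts above (service logon identity, group membership, expiry) can be checked on each MQ node after the install. The following PowerShell is an added example, not part of the thread or of IBM's tooling; the service name and the domain group name are placeholders to fill in, and it assumes the ActiveDirectory (RSAT) and Microsoft.PowerShell.LocalAccounts modules are available.

```powershell
# Added example: audit the domain account that an MQ service runs under.
# Placeholders (assumptions): the service name and the domain group name.
# Needs the ActiveDirectory (RSAT) and Microsoft.PowerShell.LocalAccounts modules.
param(
    [string]$ServiceName = '<MQ-service-name>',  # as shown in services.msc
    [string]$LocalGroup  = 'mqm',
    [string]$DomainGroup = '<domain-mqm-group>'  # global group created for MQ
)
Import-Module ActiveDirectory

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# StartName is DOMAIN\user or user@domain when the service uses a domain account.
$start = $svc.StartName
if     ($start -match '^(?<dom>[^\\@]+)\\(?<user>.+)$') { $dom = $Matches.dom; $sam = $Matches.user }
elseif ($start -match '^(?<user>[^@\\]+)@(?<dom>.+)$')  { $dom = $Matches.dom; $sam = $Matches.user }
else   { throw "Service runs as '$start', which is not a user account" }
if ($dom -in '.', $env:COMPUTERNAME) { throw "Service runs as local account '$start'" }

$user = Get-ADUser -Identity $sam -Properties Enabled, PasswordNeverExpires, AccountExpirationDate

# The account may be in the local group directly or through the domain group.
$localNames = (Get-LocalGroupMember -Group $LocalGroup).Name
$inLocal  = [bool]($localNames | Where-Object { $_ -like "*\$sam" -or $_ -like "*\$DomainGroup" })
$inDomain = [bool](Get-ADGroupMember -Identity $DomainGroup -Recursive |
                   Where-Object { $_.SamAccountName -eq $sam })

$report = [pscustomobject]@{
    Service              = $svc.Name
    RunsAs               = $start
    Enabled              = $user.Enabled
    PasswordNeverExpires = $user.PasswordNeverExpires
    AccountExpires       = $user.AccountExpirationDate   # empty means never
    InLocalGroup         = $inLocal
    InDomainGroup        = $inDomain
}
$report | Format-List

if (-not $user.PasswordNeverExpires -or $user.AccountExpirationDate) {
    Write-Warning 'The account or its password can expire; the service logon will fail once it does.'
}
```

Running it on both nodes and comparing the two reports shows whether the instances are configured with the same identity and group memberships.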