WebSphere MQ has a component, running as a Windows service, that
checks that any user account attempting to access WebSphere MQ is authorized.
As part of the check, the service must query which groups the account is a
member of. The service itself runs under a local user account (MUSR_MQADMIN)
created by WebSphere MQ at installation.
If any domain controller on your network runs Windows 2000 or Windows 2003,
the domain can be configured so that local user accounts do not have authority
to query the group membership of the domain's user accounts. This prevents
WebSphere MQ from completing its check, and access fails. To handle this:
- Each installation of WebSphere MQ on the network must be configured to
run its service under a domain user account that has the required authority
(see the instructions below for creating one).
Note: If an installer carries on anyway and configures WebSphere MQ without
a special account, many or all parts of WebSphere MQ will not work, depending
upon the particular user accounts involved, as follows:
- An installer currently logged on with a Windows 2000 or Windows 2003 domain
user account will not be able to complete the Default Configuration, and the
Postcard and API Exerciser will not work.
- WebSphere MQ connections to queue managers running under Windows 2000
or Windows 2003 domain accounts on other computers may fail.
- Typical errors include "AMQ8066: Local mqm group not found" and "AMQ8079:
Access was denied when attempting to retrieve group membership information
for user 'abc@xyz'".
The detailed instructions that follow guide a domain administrator
to:
- Create a global or universal domain group and give members of this group
the authority to query the group membership of any account
- Create one or more user accounts, and add them to the group
- Repeat Steps 2 to 4 for each domain
- Use the accounts to configure each installation of WebSphere MQ
- Set the password expiry periods.
The following information is aimed at Domain Administrators. Repeat
Steps 2 to 4 below for each domain that has user names that will install WebSphere
MQ, to create an account for WebSphere MQ on each domain:
1. Create a domain group with a special name that is known to WebSphere MQ
   and give members of this group the authority to query the group membership
   of any account:

   On Windows 2000 Server:
   - Log on to the domain controller as an account with domain administrator
     authority.
   - From the Start menu, open Active Directory Users and Computers.
   - Find the domain name in the navigation pane on the left, right-click it
     and select New Group.
   - Type "domain mqm" (this exact string must be used because it is
     understood and used by WebSphere MQ).
   - In Group scope select either Global or Universal.
   - In Group type select Security, and click OK.
   - Find the domain name in the navigation pane on the left, right-click it
     and select Delegate Control..., then click Next.
   - At Selected Groups and Users, press Add, select "domain mqm", then click
     Add. Click OK.
   - Select "domain mqm" and click Next.
   - Select Create a custom task to delegate and click Next.
   - Select Only the following objects in the folder, and then check User
     Objects in the alphabetical list. Click Next.
   - Check Property-specific, then select from the list (it is in
     alphabetical order on the second word) the following options:
     - Read Group Membership
     - Read Group MembershipSAM
   - Click OK to close each window.

   On Windows 2003 Server:
   - Log on to the domain controller as an account with domain administrator
     authority.
   - From the Start menu, open Active Directory Users and Computers.
   - Find the domain name in the navigation pane on the left, right-click it
     and select New Group.
   - Type "domain mqm" (this exact string must be used because it is
     understood and used by WebSphere MQ).
   - In Group scope select either Global or Universal.
   - In Group type select Security, and click OK.
   - View Active Directory Users and Computers in Advanced Features mode.
   - Find the domain name in the left panel, right-click the domain name, then
     click Properties.
   - Click the Security tab.
   - Click Advanced.
   - Click Add, then type "domain mqm" and click OK. A new dialog is displayed.
   - Click the Properties tab.
   - In the Apply onto box, change the view to User objects.
   - Select the Allow check box for the following options:
     - Read Group Membership
     - Read Group MembershipSAM
   - Click OK to close each window.

2. Create one or more accounts, and add them to the group:
   - In Active Directory Users and Computers, create a user account with a
     name of your choosing and add it to the group "domain mqm".
   - Repeat for all the accounts you want to create.

3. Repeat Steps 1 and 2 for each domain that has user names that will install
   WebSphere MQ, to create an account for WebSphere MQ on each domain.

4. Use the accounts to configure each installation of WebSphere MQ:
   - Either use the same domain user account (as created in Step 1 above) for
     each installation of WebSphere MQ, or create a separate account for each
     one, adding each to the "domain mqm" group.
   - When you have created the account(s), give one to each person configuring
     an installation of WebSphere MQ, who should enter the account details
     (domain name, user name and password) into the Prepare WebSphere MQ
     Wizard. Give them the account that exists on the same domain as their
     installing userid.
   - When you install WebSphere MQ on any computer on the domain, the WebSphere
     MQ install program detects the existence of the "domain mqm" group on the
     LAN, and automatically adds it to the local "mqm" group. (The local "mqm"
     group is created during installation; all user accounts in it have
     authority to use WebSphere MQ.) Thus all members of the "domain mqm"
     group will have authority to use WebSphere MQ on this computer.
   - However, you do still need to provide a domain user account (as created
     in Step 1 above) for each installation, and configure WebSphere MQ to use
     it when making its queries. The account details should be entered into
     the Prepare WebSphere MQ Wizard that runs automatically at the end of
     installation (the wizard can also be run at any time from the Start menu).

5. Set the password expiry periods:
   - If you use just one account for all users of WebSphere MQ, consider making
     the password of the account never expire; otherwise all instances of
     WebSphere MQ will stop working at the same time when the password expires.
   - If you give each user of WebSphere MQ their own user account you will
     have more user accounts to create and manage, but only one instance of
     WebSphere MQ will stop working at a time when the password expires.
If you set the password to expire, warn the users that they will see a
message from WebSphere MQ each time it expires. The message warns that the
password has expired and describes how to reset it.
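As an added check that is not part of the IBM documentation, the following PowerShell verifies the outcome of Steps 1 to 5 from a domain-joined administration workstation that has the RSAT ActiveDirectory module. The group name is the one WebSphere MQ expects; the account name 'mqservice' is a placeholder for the account you created in Step 2, and the last two checks only give results when the script is run on an MQ server itself.

```powershell
#Requires -Modules ActiveDirectory
# Added verification script (not IBM's); assumes an RSAT admin workstation. 'mqservice' is a placeholder.
param(
    [string]$GroupName      = 'domain mqm',   # exact name that WebSphere MQ looks for
    [string]$ServiceAccount = 'mqservice'     # placeholder: sAMAccountName of the account created in Step 2
)
$findings = @()
# Step 1: the group must exist, be a Security group, and have Global or Universal scope.
$grp = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties GroupCategory, GroupScope
if (-not $grp) {
    $findings += "Group '$GroupName' not found in the domain"
} else {
    if ($grp.GroupCategory -ne 'Security') {
        $findings += "'$GroupName' is a $($grp.GroupCategory) group, not a Security group"
    }
    if ($grp.GroupScope -notin @('Global', 'Universal')) {
        $findings += "'$GroupName' scope is $($grp.GroupScope); it must be Global or Universal"
    }
    # Delegation: the wizard's 'Read Group Membership' entries appear on the domain head as
    # ReadProperty ACEs for the group, scoped by an ObjectType GUID; list them for review.
    $domainDN = (Get-ADDomain).DistinguishedName
    $aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
        $_.IdentityReference -like "*\$GroupName" -and $_.ActiveDirectoryRights -match 'ReadProperty' }
    if (-not $aces) {
        $findings += "No ReadProperty ACE for '$GroupName' on $domainDN; delegation step not done?"
    } else {
        $aces | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType | Format-Table -AutoSize
    }
    # Step 2: the service account must be a member of the group.
    $members = Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($ServiceAccount -notin $members) { $findings += "'$ServiceAccount' is not a member of '$GroupName'" }
}
# Step 5: a shared account whose password expires stops every MQ instance at the same time.
$usr = Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'" -Properties PasswordNeverExpires, PasswordLastSet
if (-not $usr) {
    $findings += "Account '$ServiceAccount' not found"
} elseif (-not $usr.PasswordNeverExpires) {
    $findings += "Password of '$ServiceAccount' expires (last set $($usr.PasswordLastSet)); schedule a rotation"
}
# Step 4, on the MQ server itself: the local 'mqm' group must contain 'domain mqm',
# and no MQ service should still run as the local MUSR_MQADMIN account.
$localMqm = Get-LocalGroupMember -Group 'mqm' -ErrorAction SilentlyContinue
if ($localMqm -and -not ($localMqm.Name -like "*\$GroupName")) {
    $findings += "Local 'mqm' group does not contain '$GroupName'"
}
$stillLocal = Get-CimInstance Win32_Service | Where-Object { $_.StartName -like '*MUSR_MQADMIN' }
if ($stillLocal) { $findings += "Services still running as MUSR_MQADMIN: $($stillLocal.Name -join ', ')" }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All checks passed.' }
```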
For more information, see the System Administration Guide.