
MSCS security

For successful MSCS security, follow these guidelines.

The guidelines are as follows:

  • Make sure that you have identical software installations on each computer in the cluster.
  • Create a common namespace (security environment) across the cluster.
  • Make the nodes of the MSCS cluster members of a domain, within which the user account that is the cluster owner is a domain account.
  • Make the other user accounts on the cluster also domain accounts, so that they are available on both nodes. This is automatically the case if you already have a domain, and the accounts relevant to IBM MQ are domain accounts. If you do not currently have a domain, consider setting up a mini-domain to cater for the cluster nodes and relevant accounts. Your aim is to make the cluster of two computers look like a single computing resource.

    Remember that an account that is local to one computer does not exist on the other one. Even if you create an account with the same name on the other computer, its security identifier (SID) is different, so, when the application is moved to the other node, the permissions do not exist on that node.

During a failover or move, IBM MQ MSCS support ensures that all files that contain queue manager objects have equivalent permissions on the destination node. Explicitly, the code checks that the Administrators and mqm groups, and the SYSTEM account, have full control, and that if Everyone had read access on the old node, that permission is added on the destination node.

You can use a domain account to run the IBM MQ Service. Make sure that it exists in the local mqm group on each computer in the cluster.
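
The following PowerShell sketch is an added example, not part of the IBM MQ documentation. It audits the local mqm group on each node for the two conditions described above: the service account is present on every node, and no node-local accounts (whose SIDs differ between computers) are relied on. The node names and the service account name are placeholders, and PowerShell remoting to both nodes is assumed.

```powershell
# Added example: node names and the service account are placeholders (assumptions).
$Nodes          = @('NODE1', 'NODE2')       # hypothetical cluster node names
$ServiceAccount = 'EXAMPLEDOM\mqservice'    # hypothetical domain account that runs the IBM MQ Service

# Collect the members of the local mqm group from every node.
# Invoke-Command adds a PSComputerName property to each returned object.
$members = Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Get-LocalGroupMember -Group 'mqm' | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            SID    = $_.SID.Value
            Source = [string]$_.PrincipalSource   # 'Local' or 'ActiveDirectory'
        }
    }
}

# 1. The service account must be in the local mqm group on each node.
foreach ($node in $Nodes) {
    $found = $members | Where-Object {
        $_.PSComputerName -eq $node -and $_.Name -eq $ServiceAccount
    }
    if (-not $found) {
        Write-Warning "$ServiceAccount is not in the local mqm group on $node"
    }
}

# 2. A local account exists on one computer only; an account with the same
#    name on the other node has a different SID, so flag every local member.
$members | Where-Object Source -eq 'Local' | ForEach-Object {
    Write-Warning ("Local account {0} ({1}) is in mqm on {2} only" -f `
        $_.Name, $_.SID, $_.PSComputerName)
}

# 3. Domain principals should appear, with the same SID, on every node.
$members | Where-Object Source -ne 'Local' | Group-Object SID |
    Where-Object { $_.Count -lt $Nodes.Count } |
    ForEach-Object {
        Write-Warning ("{0} is in mqm only on: {1}" -f `
            $_.Group[0].Name, ($_.Group.PSComputerName -join ', '))
    }
```

No warnings means the mqm group membership looks the same from either node.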


Last updated: 2020-10-04