Windows domains and multi-instance queue managers
A multi-instance queue manager on Windows requires its data and logs to be shared. The share must be accessible to all instances of the queue manager running on different servers or workstations. Configure the queue managers and share as part of a Windows domain. The queue manager can run on a domain workstation or server, or on the domain controller.
Before configuring a multi-instance queue manager, read Secure unshared queue manager data and log directories and files on Windows and Securing shared queue manager data and log directories and files on Windows to review how to control access to queue manager data and log files. The topics are educational; to go directly to setting up shared directories for a multi-instance queue manager in a Windows domain, see Create a multi-instance queue manager on domain workstations or servers on Windows.
Run a multi-instance queue manager on domain workstations or servers
From Version 7.1, multi-instance queue managers run on a workstation or server that is a member of a domain. Before Version 7.1, multi-instance queue managers ran only on domain controllers; see Run a multi-instance queue manager on domain controllers. To run a multi-instance queue manager on Windows, you require a domain controller, a file server, and two workstations or servers running the same queue manager connected to the same domain.
The change that makes it possible to run a multi-instance queue manager on any server or workstation in a domain is that we can now create a queue manager with an additional security group. The additional security group is passed in the crtmqm command, in the -a parameter. You secure the directories that contain the queue manager data and logs with the group. The user ID that runs queue manager processes must be a member of this group. When the queue manager accesses the directories, Windows checks the permissions the user ID has to access the directories. By giving both the group and the user ID domain scope, the user ID running the queue manager processes has credentials from the global group. When the queue manager is running on a different server, the user ID running the queue manager processes can have the same credentials. The user ID does not have to be the same. It has to be a member of the alternative security group, as well as a member of the local mqm group.
The task of creating a multi-instance queue manager is the same as in Version 7.0.1 with one change. We must add the additional security group name to the parameters of the crtmqm command. The task is described in Create a multi-instance queue manager on domain workstations or servers on Windows.
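The following PowerShell sketch is an added example, not part of the original topic or of IBM's task instructions. It checks the two conditions described above (group membership of the user ID and the group's access to the shared directories) before calling crtmqm with -a. The domain, group, share paths, and queue manager name are placeholders, the -md and -ld parameters do not appear in this topic, and the script is assumed to run as the user ID that runs the queue manager processes.

```powershell
$SecurityGroup = 'EXAMPLE\mqha'                # hypothetical domain global security group
$DataPath      = '\\fileserver\mqshare\data'   # hypothetical share for queue manager data
$LogPath       = '\\fileserver\mqshare\logs'   # hypothetical share for queue manager logs
$QMgrName      = 'QM1'                         # hypothetical queue manager name
$LocalMqm      = "$env:COMPUTERNAME\mqm"       # local mqm group on this domain member

# True when the access token of the current user carries the named group.
# Group changes only appear in the token after the user logs on again.
function Test-TokenHasGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { continue }                     # SID that cannot be resolved to a name
        if ($name -ieq $GroupName) { return $true }
    }
    return $false
}

# True when the directory ACL holds an Allow entry for the group.
# This reads NTFS permissions only; share permissions are configured separately.
function Test-GroupHasAllowAce {
    param([string]$Path, [string]$GroupName)
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $GroupName -and
        $_.AccessControlType -eq 'Allow'
    }
    return [bool]$aces
}

$problems = @()
foreach ($group in $SecurityGroup, $LocalMqm) {
    if (-not (Test-TokenHasGroup $group)) { $problems += "Current user is not a member of $group" }
}
foreach ($path in $DataPath, $LogPath) {
    if (-not (Test-GroupHasAllowAce $path $SecurityGroup)) { $problems += "$SecurityGroup has no Allow entry on $path" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; queue manager not created.'
}
# -a passes the additional security group; -md and -ld set the data and log paths.
& crtmqm -a $SecurityGroup -md $DataPath -ld $LogPath $QMgrName
if ($LASTEXITCODE -ne 0) { throw "crtmqm failed with exit code $LASTEXITCODE" }
```

Running the same two checks on the second server before adding the standby instance confirms that its user ID carries the same group credentials, even when it is a different user ID.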
Multiple steps are required to configure the domain, and the domain servers and workstations. You must understand how Windows authorizes access by a queue manager to its data and log directories. If we are not sure how queue manager processes are authorized to access their log and data files, read the topic Secure unshared queue manager data and log directories and files on Windows. The topic includes two tasks to help you understand the steps required. The tasks are Reading and writing data and log files authorized by the local mqm group and Reading and writing data and log files authorized by an alternative local security group. Another topic, Securing shared queue manager data and log directories and files on Windows, explains how to secure shared directories containing queue manager data and log files with the alternative security group. The topic includes four tasks, to set up a Windows domain, create a file share, install IBM MQ for Windows, and configure a queue manager to use the share. The tasks are as follows:
- Create an Active Directory and DNS domain on Windows.
- Installing IBM MQ on a server or workstation in a Windows domain.
- Create a shared directory for queue manager data and log files on Windows.
- Reading and writing shared data and log files authorized by an alternative global security group.
We can then do the task, Create a multi-instance queue manager on domain workstations or servers on Windows, using the domain. Do these tasks to explore setting up a multi-instance queue manager before transferring your knowledge to a production domain.
Run a multi-instance queue manager on domain controllers
In Version 7.0.1, multi-instance queue managers ran only on domain controllers. Queue manager data could be secured with the domain mqm group. As the topic Securing shared queue manager data and log directories and files on Windows explains, we cannot share directories secured with the local mqm group on workstations or servers. However, on domain controllers all groups and principals have domain scope. If we install IBM MQ for Windows on a domain controller, the queue manager data and log files are secured with the domain mqm group, which can be shared. Follow the steps in the task, Create a multi-instance queue manager on Windows domain controllers, to configure a multi-instance queue manager on domain controllers.
- Create a multi-instance queue manager on domain workstations or servers on Windows
An example shows how to set up a multi-instance queue manager on Windows on a workstation or a server that is part of a Windows domain. The server does not have to be a domain controller. The setup demonstrates the concepts involved, rather than being production scale. The example is based on Windows Server 2008. The steps might differ on other versions of Windows Server.
- Create a multi-instance queue manager on Windows domain controllers
An example shows how to set up a multi-instance queue manager on Windows on domain controllers. The setup demonstrates the concepts involved, rather than being production scale. The example is based on Windows Server 2008. The steps might differ on other versions of Windows Server.
- Verify the multi-instance queue manager on Windows
Use the sample programs amqsghac, amqsphac and amqsmhac to verify a multi-instance queue manager configuration. This topic provides an example configuration to verify a multi-instance queue manager configuration on Windows Server 2003.
- Securing shared queue manager data and log directories and files on Windows
This topic describes how we can secure a shared location for queue manager data and log files using a global alternative security group. We can share the location between different instances of a queue manager running on different servers.
- Secure unshared queue manager data and log directories and files on Windows
This topic describes how we can secure an alternative location for queue manager data and log files, both by using the local mqm group and an alternative security group.
Parent topic: Create a multi-instance queue manager
Related information
- Manage Authorization and Access Control
- How to use Windows Server cluster nodes as domain controllers