Reading and writing data and log files authorized by an alternative local security group

This task shows how to use the -a flag on the crtmqm command. The flag provides the queue manager with an alternative local security group to give it access to its log and data files.


Before starting

  1. Install IBM MQ for Windows as the primary installation.
  2. Run the Prepare IBM MQ Wizard.

    For further information, see Configure IBM MQ with the Prepare IBM MQ Wizard.

    For this task, configure the installation either to run with a local user ID, or a domain user ID. Eventually, to complete all the tasks in Windows domains and multi-instance queue managers, the installation must be configured for a domain.

  3. Log on with Administrator authority to perform the first part of the task.


About this task

This task is one of a set of related tasks that illustrate accessing queue manager data and log files. The tasks show how to create a queue manager authorized to read and write data and log files that are stored in a directory of your choosing. They accompany the task, Windows domains and multi-instance queue managers.

On Windows, you can create the default data and log paths for an IBM MQ for Windows installation in any directories of your choosing. The installation and configuration wizard automatically gives the local mqm group, and the user ID that is running the queue manager processes, access to the directories. If you create a queue manager specifying different directories for queue manager data and log files, you must configure full control permission to those directories yourself.

In this example, you provide the queue manager with an alternative local security group that has full control authorization to the directories. The alternative security group gives the queue manager permission to manage files in the directory. The primary purpose of the alternate security group is to authorize an alternate security global group. Use an alternate security global group to set up a multi-instance queue manager. In this example, you configure a local group to familiarize yourself with the use of an alternate security group without installing IBM MQ in a domain. It is unusual to configure a local group as an alternative security group.

The crtmqm command creates a queue manager that starts automatically when the workstation starts using the IBM MQ service.

The task is illustrative; it uses specific values that you can change. The values you can change are shown in italics. At the end of the task, follow the instructions to remove all the changes you made.


Procedure

  1. Set up an alternative security group.

    The alternative security group is typically a domain group. In the example, you create a queue manager that uses a local alternate security group. With a local alternate security group, you can do the task with an IBM MQ installation that is not part of a domain.

    1. Run the lusrmgr.msc command to open the Local Users and Groups window.
    2. Right-click Groups > New Group...
    3. In the Group name field, type altmqm and click Create > Close.
    4. Identify the user ID that runs the IBM MQ service.
      1. Click Start > Run..., type services.msc and click OK.
      2. Click the IBM MQ service in the list of services, and click the Log On tab.
      3. Remember the user ID and close the Services Explorer.

    5. Add the user ID that runs the IBM MQ service to the altmqm group. Also add the user ID that you log on with to create a queue manager, and run it interactively.

      • Windows checks the authority of the queue manager to access the data and logs directories by checking the authority of the user ID that is running the queue manager processes. That user ID must be a member, directly or indirectly through a global group, of the altmqm group to which you grant access to the directories.
      • If you installed IBM MQ as part of a domain, and are going to do the tasks in Create a multi-instance queue manager on domain workstations or servers on Windows, the domain user IDs created in Create an Active Directory and DNS domain on Windows are wmquser1 and wmquser2.
      • If you did not install the queue manager as part of a domain, the default local user ID that runs the IBM MQ service is MUSR_MQADMIN. If you intend to do the tasks without Administrator authority, create a user that is a member of the local mqm group.
      • Follow these steps to add wmquser1 and wmquser2 to altmqm. If your configuration is different, substitute your names for the user IDs and group.

      1. In the list of groups right-click altmqm > Properties > Add....
      2. In the Select Users, Computers, or Groups window type wmquser1 ; wmquser2 and click Check Names.
      3. Type the name and password of a domain administrator in the Windows Security window, then click OK > OK > Apply > OK.

  2. Open a command prompt.
  3. Restart the IBM MQ service.

    You must restart the service so that the user ID it runs under acquires the additional group membership you configured for it; group membership is evaluated when the service logs on, not when the group is changed.

    Type the commands:

    endmqsvc
    strmqsvc
    

    The system responses:
    5724-H72 (C) Copyright IBM Corp. 1994, 2020.  ALL RIGHTS RESERVED.
    The MQ service for installation 'Installation1' ended successfully.


    And:

    5724-H72 (C) Copyright IBM Corp. 1994, 2020.  ALL RIGHTS RESERVED.
    The MQ service for installation 'Installation1' started successfully.

  4. Type the command:
    md c:\wmq\data, c:\wmq\logs
    
  5. Set the permissions on the directories to give the altmqm group full control (which includes read and write access).
    cacls c:\wmq /T /E /G altmqm:F
    

    The system response:


    processed dir: c:\wmq
    processed dir: c:\wmq\data
    processed dir: c:\wmq\logs

  6. Optional: Switch to a user ID that is a member of the local mqm group.

    • You can continue as Administrator, but for a realistic production configuration, continue with a user ID with more restricted rights. The user ID must at least be a member of the local mqm group.
    • If the IBM MQ installation is configured as part of a domain, make the user ID a member of the Domain mqm group. The Prepare IBM MQ wizard makes the Domain mqm global group a member of the local mqm group, so you do not have to make the user ID directly a member of the local mqm group.

  7. Create the queue manager.
    crtmqm -a altmqm -sax -u SYSTEM.DEAD.LETTER.QUEUE -md c:\wmq\data -ld c:\wmq\logs QMGR
    

    The system response:


    IBM MQ queue manager created.
    Directory 'c:\wmq1\data\QMGR' created.
    The queue manager is associated with installation '1'
    Creating or replacing default objects for queue manager 'QMGR'
    Default objects statistics : 74 created. 0 replaced.
    Completing setup.
    Setup completed.

  8. Check that the directories created by the queue manager are in the c:\wmq directory.
    dir c:\wmq /D /B /S
    
  9. Check that the files have read and write, or full control permission for the local mqm group.
    cacls c:\wmq\*.*
    
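The group, directory and permission steps of the procedure above (steps 1, 4 and 5) together with the permission check in step 9, as an added PowerShell example that is not part of the IBM documentation. It assumes a non-domain installation whose service account is MUSR_MQADMIN (replace it with the account shown on the Log On tab of the IBM MQ service) and that the LocalAccounts cmdlets of Windows PowerShell 5.1 or later are available.

```powershell
# Added example, not IBM's own script. Run from an elevated PowerShell session.
$Group       = 'altmqm'
$ServiceUser = 'MUSR_MQADMIN'   # assumption: the account on the service's Log On tab
$Root        = 'C:\wmq'
$Dirs        = @("$Root\data", "$Root\logs")

# Step 1: create the local alternative security group and add the service
# account plus the interactive user who will run crtmqm.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'IBM MQ alternative security group' | Out-Null
}
foreach ($member in @($ServiceUser, $env:USERNAME)) {
    if (-not (Get-LocalGroupMember -Group $Group -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $Group -Member $member
    }
}

# Step 4: create the data and log directories.
foreach ($d in $Dirs) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# Step 5: grant the group Full Control on C:\wmq, inherited by all files and
# subdirectories (the equivalent of: cacls c:\wmq /T /E /G altmqm:F).
$acl  = Get-Acl -Path $Root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Step 9 (audit): walk the tree and report every Allow entry that grants write
# access to a principal other than the ones this task expects. Anything listed
# here is a permission the task did not intend and should be reviewed.
# Remember to restart the IBM MQ service (endmqsvc / strmqsvc) before crtmqm so
# that the service account picks up its new group membership.
$Expected = @("$env:COMPUTERNAME\$Group", "$env:COMPUTERNAME\mqm",
              'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$Items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)
foreach ($item in $Items) {
    $unexpected = (Get-Acl -Path $item.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl') -and
        ($Expected -notcontains $_.IdentityReference.Value)
    }
    foreach ($ace in $unexpected) {
        Write-Warning ("Unexpected write access on {0} for {1} ({2})" -f
            $item.FullName, $ace.IdentityReference, $ace.FileSystemRights)
    }
}
```

Entries that inherit from C:\ (for example Authenticated Users on some builds) will be reported too; that is the point of the audit, since inherited rights are what usually let an unintended account write to a queue manager's data or log files.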


What to do next

Test the queue manager by putting and getting a message to a queue.

  1. Start the queue manager.
    strmqm QMGR
    
    The system response:
    IBM MQ queue manager 'QMGR' starting.
    The queue manager is associated with installation '1'.
    5 log records accessed on queue manager 'QMGR' during the log
    replay phase.
    Log replay for queue manager 'QMGR' complete.
    Transaction manager state recovered for queue manager 'QMGR'.
    IBM MQ queue manager 'QMGR' started using V7.1.0.0.

  2. Create a test queue.
    echo define qlocal(QTEST) | runmqsc QMGR
    
    The system response:
    5724-H72 (C) Copyright IBM Corp. 1994, 2020.  ALL RIGHTS RESERVED.
    Starting MQSC for queue manager QMGR.


    1 : define qlocal(QTEST)
    AMQ8006: IBM MQ queue created.
    One MQSC command read.
    No commands have a syntax error.
    All valid MQSC commands were processed.

  3. Put a test message using the sample program amqsput.
    echo 'A test message' | amqsput QTEST QMGR
    
    The system response:
    Sample AMQSPUT0 start
    target queue is QTEST
    Sample AMQSPUT0 end

  4. Get the test message using the sample program amqsget.
    amqsget QTEST QMGR
    
    The system response:

    Sample AMQSGET0 start
    message A test message
    Wait 15 seconds ...
    no more messages
    Sample AMQSGET0 end

  5. Stop the queue manager.
    endmqm -i QMGR
    
    The system response:
    IBM MQ queue manager 'QMGR' ending.
    IBM MQ queue manager 'QMGR' ended.

  6. Delete the queue manager.
    dltmqm QMGR
    
    The system response:
    IBM MQ queue manager 'QMGR' deleted.
  7. Delete the directories you created. Tip: Add the /Q option to the commands to prevent the command prompting to delete each file or directory.
    del /F /S C:\wmq\*.*
    rmdir /S C:\wmq
    