
Considerations when installing IBM MQ server on Windows

There are some security considerations to take into account when installing an IBM MQ server on Windows, and some additional considerations relating to object naming rules and installation logging.


Security considerations when installing IBM MQ server on a Windows system

  • If you are installing IBM MQ on a Windows domain network running Active Directory Server, you probably need to obtain a special domain account from your domain administrator. For further information, and the details that the domain administrator needs to set up this special account, see Configure IBM MQ with the Prepare IBM MQ Wizard and Creating and setting up Windows domain accounts for IBM MQ.
  • To install IBM MQ server on a Windows system, you must have local administrator authority. To administer any queue manager on that system, or to run any of the IBM MQ control commands, your user ID must belong to the local mqm group or the Administrators group. If the local mqm group does not exist on the local system, it is created automatically when IBM MQ is installed. A user ID can belong to the local mqm group directly, or indirectly through the inclusion of global groups in the local mqm group. For more information, see Authority to administer IBM MQ on UNIX, Linux, and Windows.
  • Windows versions with the User Account Control (UAC) feature restrict the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. If your user ID is in the Administrators group but not in the mqm group, you must use an elevated command prompt to issue IBM MQ administration commands such as crtmqm; otherwise the error AMQ7077 is generated. To open an elevated command prompt, right-click the Start menu item or icon for the command prompt and select Run as administrator.
  • Some commands can be run without being a member of the mqm group (see Authority to administer IBM MQ on UNIX, Linux, and Windows).
  • Even when User Account Control is enabled, the object authority manager (OAM) gives members of the Administrators group the authority to access all IBM MQ objects.
  • If you intend to administer queue managers on a remote system, your user ID must be authorized on the target system. To administer a queue manager while connected remotely to a Windows machine, you must have the Create global objects user right (SeCreateGlobalPrivilege). Administrators have the Create global objects user right by default, so if you are an administrator you can create and start queue managers when connected remotely without altering your user rights. For more information, see Authorizing users to use IBM MQ remotely.
  • If you use the highly secure security template, apply it before installing IBM MQ. If you apply the highly secure template to a machine on which IBM MQ is already installed, all the permissions set on the IBM MQ files and directories are removed (see Applying security template files on Windows).
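The account and token requirements above can be checked before the first crtmqm is attempted. The following PowerShell script is an added example, not code from the IBM MQ documentation or product; it assumes the local group is named mqm (the installer creates it if absent) and that it is run from the account that will administer IBM MQ. It reads the logon token with whoami, so membership inherited through a global group nested in mqm is seen, and it distinguishes an Administrators member whose token UAC has filtered from an elevated one.

```powershell
# Added example (not IBM's code): pre-installation check of the account
# requirements for installing and administering IBM MQ on Windows.
# Assumption: the administrative local group is named 'mqm'.

function Test-MQAdminAccount {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # whoami lists every group in the token, including groups that UAC has
    # marked "used for deny only" in a non-elevated administrator token,
    # and nested global groups already resolved at logon.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }        # BUILTIN\Administrators
    $mqmEntry   = $groups | Where-Object { $_.'Group Name' -like '*\mqm' }    # local mqm group

    $result = [PSCustomObject]@{
        User                   = $identity.Name
        IsAdministratorsMember = [bool]$adminEntry
        IsMqmMember            = [bool]$mqmEntry
        # IsInRole(Administrator) is only true for an elevated token under UAC.
        IsElevated             = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        # "Create global objects" user right, needed for remote administration.
        HasCreateGlobalObjects = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeCreateGlobalPrivilege' })
        MqmGroupExists         = [bool](Get-LocalGroup -Name 'mqm' -ErrorAction SilentlyContinue)
        Notes                  = @()
    }

    # Translate the flags into the consequences described in the text.
    if (-not $result.IsAdministratorsMember) {
        $result.Notes += 'Not a local administrator: cannot run the IBM MQ installer.'
    }
    if ($result.IsAdministratorsMember -and -not $result.IsMqmMember -and -not $result.IsElevated) {
        $result.Notes += 'Administrator but not in mqm and not elevated: crtmqm will fail with AMQ7077. Use "Run as administrator".'
    }
    if (-not $result.MqmGroupExists) {
        $result.Notes += 'Local mqm group does not exist yet; the installer creates it.'
    }
    if (-not $result.HasCreateGlobalObjects) {
        $result.Notes += 'Create global objects right is missing from this token: remote queue manager administration will fail (re-run elevated to see the unfiltered token).'
    }
    $result
}

Test-MQAdminAccount | Format-List
```

Run it twice, once from a normal prompt and once from an elevated one: on a UAC-enabled machine the non-elevated run of an Administrators member that is not in mqm reports IsElevated false and the AMQ7077 note, which is exactly the situation the text warns about.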


Naming considerations

Windows has some rules regarding the naming of objects created and used by IBM MQ. These naming considerations apply to IBM WebSphere MQ Version 7.5 or later.

  • Ensure that the machine name does not contain any spaces. IBM MQ does not support machine names that include spaces. If you install IBM MQ on such a machine, you cannot create any queue managers.
  • For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed).
  • An IBM MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. Similarly, the client user ID should not be the same as the name of a local group.
  • A user account that is used to run the IBM MQ Windows service is set up by default during the installation process; the default user ID is MUSR_MQADMIN. This account is reserved for use by IBM MQ. For more information, see Configure user accounts for IBM MQ and Local and domain user accounts for the IBM MQ Windows service.
  • When an IBM MQ client connects to a queue manager on the server, the user name under which the client runs must not be the same as the domain or machine name. If the user has the same name as the domain or machine, the connection fails with return code 2035 (MQRC_NOT_AUTHORIZED).
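The naming rules above are easy to check mechanically. The following PowerShell function is an added example, not code from the IBM MQ documentation or product. It validates a candidate user ID against the local machine name, domain name and local group names, and then runs a few constructed cases; the 64-character limit is applied to the user ID only, and the local group list is taken from Get-LocalGroup (both assumptions of this example).

```powershell
# Added example (not IBM's code): validate a user ID and machine name
# against the Windows naming rules for IBM MQ.
# Assumption: local group names are read with Get-LocalGroup.

function Test-MQNaming {
    param(
        [Parameter(Mandatory)] [string] $UserName,                     # user ID the client or administrator runs under
        [string]   $MachineName = $env:COMPUTERNAME,
        [string]   $DomainName  = $env:USERDOMAIN,
        [string[]] $LocalGroups = (Get-LocalGroup | Select-Object -ExpandProperty Name)
    )
    $problems = @()

    if ($MachineName -match '\s') {
        $problems += "Machine name '$MachineName' contains a space: no queue manager can be created on this machine."
    }
    if ($UserName.Length -gt 64 -or $UserName -match '\s') {
        $problems += "User ID '$UserName' is longer than 64 characters or contains a space: not usable for IBM MQ authorizations."
    }
    if ($UserName -like '*@*') {
        $problems += "User ID '$UserName' contains '@': a Windows client running under it cannot connect."
    }
    if ($UserName -ieq $MachineName -or $UserName -ieq $DomainName) {
        $problems += "User ID '$UserName' equals the machine or domain name: client connections fail with 2035 (MQRC_NOT_AUTHORIZED)."
    }
    if ($LocalGroups -contains $UserName) {     # -contains compares strings case-insensitively
        $problems += "User ID '$UserName' is also the name of a local group."
    }
    if ($UserName -ieq 'MUSR_MQADMIN') {
        $problems += "MUSR_MQADMIN is reserved for the IBM MQ Windows service; do not use it for clients or administrators."
    }

    [PSCustomObject]@{ UserName = $UserName; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# The account running this script, checked against the real machine.
Test-MQNaming -UserName $env:USERNAME

# Constructed cases (hypothetical host, domain and group names) that trip each rule.
$groups = @('Administrators', 'mqm')
Test-MQNaming -UserName 'abc@d'    -MachineName 'MQHOST01'   -DomainName 'CORP' -LocalGroups $groups   # '@' in user ID
Test-MQNaming -UserName 'mqhost01' -MachineName 'MQHOST01'   -DomainName 'CORP' -LocalGroups $groups   # equals machine name
Test-MQNaming -UserName 'mqm'      -MachineName 'MQ HOST 01' -DomainName 'CORP' -LocalGroups $groups   # group name, machine with spaces
Test-MQNaming -UserName 'appsvc'   -MachineName 'MQHOST01'   -DomainName 'CORP' -LocalGroups $groups   # clean
```

Only the last constructed case comes back with Ok set to true; the others list the specific rule they violate, which is more useful than discovering the same thing as a 2035 at connection time.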


Logging

You can set up logging during installation, which assists you in troubleshooting any problems you might have with the installation.

From Version 7.5, logging is enabled by default from the Launchpad. You can also enable complete logging; for more information, see How to enable Windows Installer logging.


Digital signatures

The IBM MQ programs and installation image are digitally signed on Windows to confirm that they are genuine and unmodified. From IBM MQ Version 8.0 the SHA-256 with RSA algorithm is used to sign the IBM MQ product.
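A signature that is present is only useful if someone checks it. The following PowerShell script is an added example, not code from the IBM MQ documentation or product: it walks an installation image or installed program directory and reports every executable, library, driver and MSI whose Authenticode signature is not valid or whose signer is not the expected one. The path is hypothetical, and the expected signer pattern "International Business Machines" is an assumption; compare it with the subject shown for a known-good file from your own media and adjust it if it differs.

```powershell
# Added example (not IBM's code): verify Authenticode signatures on the
# IBM MQ installation image or program files before trusting them.
# Assumptions: the directory path is hypothetical; the signer subject is
# expected to contain 'International Business Machines'.

function Test-MQSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSignerPattern = 'International Business Machines'
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi
    foreach ($f in $files) {
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [PSCustomObject]@{
            File    = $f.FullName
            Status  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $signer
            # Trusted only if the chain verifies AND the signer is the one expected,
            # so a validly signed file from a different publisher is still flagged.
            Trusted = ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSignerPattern*")
        }
    }
}

$report = Test-MQSignatures -Path 'C:\MQInstallImage'      # hypothetical path to the unpacked image
$bad    = $report | Where-Object { -not $_.Trusted }
if ($bad) {
    $bad | Format-Table File, Status, Signer -AutoSize
    Write-Warning "$($bad.Count) of $($report.Count) files are unsigned, tampered, or signed by an unexpected publisher; do not install."
} else {
    Write-Output "All $($report.Count) files carry a valid signature from the expected signer."
}
```

Get-AuthenticodeSignature reports whether the signature verifies and who signed, but not which digest algorithm the file signature uses; to confirm that a file is signed with SHA-256 rather than SHA-1, run signtool verify /pa /v on it from the Windows SDK, which prints the file hash algorithm alongside the signer chain.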


Last updated: 2020-10-04