Guidelines for Windows 2000
Overview
WebSphere MQ for Windows runs on Windows 2000, Windows XP, and Windows NT, but the operation of WebSphere MQ security can be affected by differences between the platforms.
WebSphere MQ security relies on calls to the operating system API for information about user authorizations and group memberships. Some functions do not behave identically on the Windows systems. This section includes descriptions of how those differences might affect WebSphere MQ security when you are running WebSphere MQ in a Windows 2000 environment.
When you get a 'group not found' error
This problem can arise because WebSphere MQ loses access to the local mqm group when Windows 2000 servers are promoted to, or demoted from, domain controllers. The symptom is an error indicating the lack of a local mqm group, for example:
    >crtmqm qm0
    AMQ8066: Local mqm group not found.
Altering the state of a machine between server and domain controller can affect the operation of WebSphere MQ, because WebSphere MQ uses a locally-defined mqm group. When a server is promoted to be a domain controller, the scope changes from local to domain local. When the machine is demoted to server, all domain local groups are removed. This means that changing a machine from server to domain controller and back to server loses access to a local mqm group.
To remedy this problem, re-create the local mqm group using the standard Windows 2000 management tools. Because all group membership information is lost, reinstate privileged WebSphere MQ users in the newly-created local mqm group. If the machine is a domain member, also add the domain mqm group to the local mqm group to grant privileged domain WebSphere MQ user IDs the required level of authority.
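The check and remedy described above, as an added batch script that is not part of the IBM documentation. It assumes a placeholder domain name MQDOM, that the domain group is called "Domain mqm" as the text says, and that MUSR_MQADMIN is among the privileged MQ user IDs you want reinstated; run it from an Administrator command prompt on the MQ server.

```batch
@echo off
rem Added example (not IBM's code): re-check the local mqm group after a server has been
rem promoted to, or demoted from, a domain controller, and rebuild it if it is gone.
rem MQDOM is an assumed placeholder for your domain; MQADMINS is an assumed list of the
rem privileged WebSphere MQ user IDs that should be members of the local mqm group.
setlocal
set DOMAIN=MQDOM
set MQADMINS=MUSR_MQADMIN

rem "net localgroup <name>" fails (non-zero errorlevel) when the group does not exist.
net localgroup mqm >nul 2>&1
if errorlevel 1 (
    echo Local mqm group is missing - re-creating it.
    net localgroup mqm /add /comment:"WebSphere MQ administrators"
    rem All membership information was lost with the group, so reinstate the
    rem privileged users ...
    for %%U in (%MQADMINS%) do net localgroup mqm %%U /add
    rem ... and, on a domain member, nest the domain mqm group inside the local one
    rem so that privileged domain user IDs regain the required authority.
    net localgroup mqm "%DOMAIN%\Domain mqm" /add
) else (
    echo Local mqm group exists; current members:
    net localgroup mqm
)
endlocal
```

On a stand-alone server (not a domain member) drop the last "net localgroup" line in the block, since there is no domain mqm group to nest.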
When you have problems with WebSphere MQ and domain controllers
This section describes problems that can arise with security settings when Windows 2000 servers are promoted to domain controllers.
While promoting Windows 2000 servers to domain controllers, you are presented with the option of selecting a default or non-default security setting relating to user and group permissions. This option controls whether arbitrary users are able to retrieve group memberships from the active directory. Because WebSphere MQ relies on group membership information to implement its security policy, it is important that the user ID that is performing WebSphere MQ operations can determine the group memberships of other users.
When a domain is created using the default security option, the default user ID created by WebSphere MQ during the installation process (MUSR_MQADMIN) can obtain group memberships for other users as required. The product then installs normally, creating default objects, and the queue manager can determine the access authority of local and domain users if required.
When a domain is created using the non-default security option, the user ID created by WebSphere MQ during the installation (MUSR_MQADMIN) cannot always determine the required group memberships. In this case, you need to know:
- How Windows 2000 with non-default security permissions behaves
- How to allow domain mqm group members to read group membership
- How to configure WebSphere MQ Services to run under a domain user
Windows 2000 domain with non-default security permissions
If a local user installs WebSphere MQ, the Prepare WebSphere MQ Wizard detects that the local user (MUSR_MQADMIN) created for the WebSphere MQ services (AMQMSRVN) can retrieve the group membership information of the installing user. The Prepare WebSphere MQ Wizard asks the user questions about the network configuration to determine whether there are other user accounts defined on domain controllers running Windows 2000. If so, the WebSphere MQ services need to run under a domain user account with particular settings and authorities. The Prepare WebSphere MQ Wizard prompts the user for the account details of this user. Its online help describes the required domain user account; this description can be sent to the domain administrator.
If a domain user installs WebSphere MQ, the Prepare WebSphere MQ Wizard detects that the local user (MUSR_MQADMIN) created for the WebSphere MQ services (AMQMSRVN) cannot retrieve the group membership information of the installing user. In this case, the Prepare WebSphere MQ Wizard always prompts the user for the account details of the domain user account for the WebSphere MQ services to use.
When the WebSphere MQ services need to use a domain user account, WebSphere MQ cannot operate correctly until this has been configured using the Prepare WebSphere MQ Wizard. This configuration includes creating default objects such as the Default Configuration. The Prepare WebSphere MQ Wizard does not allow the user to continue with other tasks, such as creating the Default Configuration, until the WebSphere MQ services have been configured with a suitable account.
Allowing domain mqm group members to read group membership
If a Windows 2000 domain has been configured with non-default security permissions, the usual solution to enable WebSphere MQ to work correctly is to configure it with a suitable domain user account, as described in the previous section.
In some situations, you might prefer to change the domain security settings instead, to allow domain mqm group members to read group membership information for an arbitrary user. To do this, in Active Directory Users and Computers, right-click the domain name, for example mqdev.hursley.ibm.com, then:
- Click Delegate Control, then click Next
- Click Groups and Users:
- Click Add.
- Highlight Domain mqm and click Add.
- Click OK.
- Highlight the Domain mqm selection and click Next.
- Select the Create a custom task to delegate check box and click Next.
- Select Only the following objects in the folder and then search under object types for User objects (the list is alphabetical, so go to the last one).
- Select User Objects and click Next.
- Select Property-specific and then scroll down to:
    Read Group Membership
    Read groupMembershipSAM
  (The list is sorted alphabetically on the second word.) Select both these check boxes, then click Next.
- Click Finish.
Configuring WebSphere MQ Services to run under a domain user
Use the Prepare WebSphere MQ Wizard to enter the account details of the domain user account. Alternatively, use the following command line to set the domain user account:
    AMQMSRVN -user [domain]\[userid] -password [password]
In either case, WebSphere MQ allocates the correct security rights and group membership to the new user account.
Applying security template files
Windows 2000 supports text-based security template files that you can use to apply uniform security settings to one or more computers with the Security Configuration and Analysis MMC snap-in. In particular, Windows 2000 supplies several templates that include a range of security settings with the aim of providing specific levels of security. These include compatible, basic, secure, and highly-secure.
Be aware that applying one of these templates might affect the security settings applied to WebSphere MQ files and directories. If you want to use the highly-secure template, configure your machine before you install WebSphere MQ. If you apply the highly-secure template to a machine on which WebSphere MQ is already installed, all the permissions you have specifically set on the WebSphere MQ files and directories are removed. This means that you lose Administrator and mqm group access and, when applicable, Everyone group access from the error directories.
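A quick check for the effect described above, as an added batch script that is not part of the IBM documentation. It assumes a placeholder path for the WebSphere MQ errors directory (MQ_ERRORS) and uses the Windows 2000 cacls tool to confirm that the Administrators, mqm and Everyone entries are still present after a template has been applied.

```batch
@echo off
rem Added check (not IBM's code): after applying a Windows 2000 security template,
rem confirm that the MQ error directory still carries the permission entries the
rem highly-secure template is known to strip (Administrators, mqm and Everyone).
rem MQ_ERRORS is an assumed placeholder; point it at your installation's errors directory.
setlocal
set MQ_ERRORS=C:\Program Files\IBM\WebSphere MQ\errors
set MISSING=0
for %%G in (Administrators mqm Everyone) do (
    rem cacls lists one "<account>:<rights>" entry per ACE; look for the account name.
    cacls "%MQ_ERRORS%" | findstr /i /c:"%%G:" >nul
    if errorlevel 1 (
        echo WARNING: no permission entry for %%G on %MQ_ERRORS%
        set MISSING=1
    )
)
if %MISSING%==1 (
    echo Re-apply the WebSphere MQ permissions before using the queue manager.
) else (
    echo Expected permission entries are present.
)
endlocal
```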
Nested groups
You can place Windows 2000 domain controllers in native mode, which allows users to nest local groups, and also to perform multiple nesting of global and universal groups. The WebSphere MQ security model does not support either nested local groups, or multiple nesting of global and universal groups. The supported group model is the same as for Windows NT, except that you can use universal groups instead of global groups. This means that local and domain local groups are supported, as are any immediately nested global or universal groups.
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.