Considerations when installing IBM MQ server on Windows
There are some considerations relating to security that you should take into account when installing an IBM MQ server on Windows. There are some additional considerations relating to the object naming rules and logging.
Security considerations when installing IBM MQ server on a Windows system
- If you are installing IBM MQ on a Windows domain network running Active Directory Server, you probably need to obtain a special domain account from your domain administrator. For further information, and the details that the domain administrator needs to set up this special account, see Configure IBM MQ with the Prepare IBM MQ Wizard and Creating and setting up Windows domain accounts for IBM MQ.
- When you are installing IBM MQ server on a Windows system, you must have local administrator authority.
- To administer any queue manager on that system, or to run any of the IBM MQ control commands, your user ID must belong to the local mqm or Administrators group. If the local mqm group does not exist on the local system, it is created automatically when IBM MQ is installed. A user ID can either belong to the local mqm group directly, or belong indirectly through the inclusion of global groups in the local mqm group.
- Windows versions with a User Account Control (UAC) feature restrict the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. If your user ID is in the Administrators group but not the mqm group, you must use an elevated command prompt to issue IBM MQ admin commands such as crtmqm; otherwise the error AMQ7077 is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select Run as administrator.
- Some commands can be run without being a member of the mqm group (see Authority to administer IBM MQ).
- If you intend to administer queue managers on a remote system, your user ID must be authorized on the target system.
- As with other versions of Windows, the object authority manager (OAM) gives members of the Administrators group the authority to access all IBM MQ objects even when UAC is enabled.
Naming considerations
Windows has some rules regarding the naming of objects created and used by IBM MQ. These naming considerations apply to IBM WebSphere MQ Version 7.5 or later.
- Ensure that the machine name does not contain any spaces. IBM MQ does not support machine names that include spaces. If you install IBM MQ on such a machine, you cannot create any queue managers.
- For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed).
- An IBM MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. Similarly, the client user ID should not be the same as a local group.
- A user account that is used to run the IBM MQ Windows service is set up by default during the installation process; the default user ID is MUSR_MQADMIN. This account is reserved for use by IBM MQ. For more information, see Configure an IBM MQ server and Local and domain user accounts for the IBM MQ Windows service.
- When an IBM MQ client connects to a queue manager on the server, the user name under which the client runs must not be the same as the domain or machine name. If the user has the same name as the domain or machine, the connection fails with return code 2035 (MQRC_NOT_AUTHORIZED).
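The naming rules above can be checked before installation or before a client user ID is put into use. The following PowerShell is an added example, not IBM code; the function name `Test-MqNamingRules`, its parameters and the host name `MQHOST01` are hypothetical, and the local group list is assumed to come from the server the client connects to.

```powershell
# Added example: the function name and parameters are hypothetical,
# not part of IBM MQ. It only reports violations of the rules listed above.
function Test-MqNamingRules {
    param(
        [Parameter(Mandatory)][string]$MachineName,
        [Parameter(Mandatory)][string]$UserId,
        [string]$DomainName = '',
        [string[]]$LocalGroups = @()
    )
    # Machine names that include spaces are not supported.
    if ($MachineName -match '\s') {
        "Machine name '$MachineName' contains a space."
    }
    # Authorization names: at most 64 characters, no spaces.
    if ($UserId.Length -gt 64) {
        "User ID '$UserId' is longer than 64 characters."
    }
    if ($UserId -match '\s') {
        "User ID '$UserId' contains a space."
    }
    # Client user IDs containing '@' cannot connect to the server.
    if ($UserId.Contains('@')) {
        "User ID '$UserId' contains the @ character."
    }
    # The user ID should not match a local group name.
    # (-contains and -eq compare strings case-insensitively.)
    if ($LocalGroups -contains $UserId) {
        "User ID '$UserId' is the same as a local group."
    }
    # Matching the machine or domain name fails with 2035 (MQRC_NOT_AUTHORIZED).
    if ($UserId -eq $MachineName -or ($DomainName -and $UserId -eq $DomainName)) {
        "User ID '$UserId' is the same as the machine or domain name."
    }
}

# Check the current session (Get-LocalGroup needs Windows PowerShell 5.1 or later).
$groups = @(Get-LocalGroup | Select-Object -ExpandProperty Name)
$issues = @(Test-MqNamingRules -MachineName $env:COMPUTERNAME `
    -DomainName $env:USERDOMAIN -UserId $env:USERNAME -LocalGroups $groups)
if ($issues.Count -eq 0) { 'No naming problems found.' } else { $issues }

# Constructed input: the 'abc@d' user ID from the text on a made-up host.
Test-MqNamingRules -MachineName 'MQHOST01' -UserId 'abc@d'
```

On a machine that is not joined to a domain, `$env:USERDOMAIN` holds the computer name, so the last rule is still evaluated against the machine name.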
Logging
You can set up logging during installation, which assists you in troubleshooting any problems you might have with the installation.
From Version 7.5, logging is enabled by default from the Launchpad. You can also enable complete logging; for more information, see How to enable Windows Installer logging.
Digital signatures
The IBM MQ programs and installation image are digitally signed on Windows to confirm that they are genuine and unmodified. From IBM MQ Version 8.0 the SHA-256 with RSA algorithm is used to sign the IBM MQ product.