Configure user access for the Java EE database logger for MFT

When you configure the Java Platform, Enterprise Edition (Java EE) database logger for Managed File Transfer, you need user accounts to access IBM MQ , your database, and your operating system. The number of operating system users that is required depend on the number of systems you are using to host these components.

About this task

The number and type of user accounts you need to run the Java EE database logger depend on the number of systems you use. User accounts are required to access the following three environments:

• Local operating system
• IBM MQ
• Database

We can install the Java EE database logger, IBM MQ and your database on a single system, or across several systems. The components can be installed in the following example topologies:

Java EE database logger, IBM MQ, and the database all on the same system

We can define a single operating system user for use with all three components. The logger uses Bindings mode to connect to IBM MQ and a native connection to connect to the database.

Java EE database logger and IBM MQ on one system, the database on a separate system

We create two users for this configuration: an operating system user on the system running the logger, and an operating system user with remote access to the database on the database server. The logger uses Bindings mode to connect to IBM MQ and a client connection to access the database.

Java EE database logger on one system, IBM MQ on another system, the database on a further system

We create three users for this configuration: An operating system user to start the application server, an IBM MQ user to access the queues and topics being used, and a database server user to access and insert into the database tables. The logger uses Client mode to access IBM MQ and a client connection to access the database.

As an example, the rest of these instructions assume that the user is called ftelog, but we can use any user name, new or existing. Configure the user permissions as follows:

Procedure

1. Ensure that the operating system user has its own group, and is not also in any groups with wide-ranging permissions on the coordination queue manager. The user should not be in the mqm group. On certain platforms, the staff group is automatically given queue manager access as well; the logger user should not be in the staff group. We can view authority records for the queue manager itself and for objects in it using the IBM MQ Explorer. Right-click the object and select Object Authorities > Manage Authority Records. At the command line, we can use the commands dspmqaut (display authority) or dmpmqaut (dump authority).
2. Use the Manage Authority Records window in the IBM MQ Explorer or the setmqaut (grant or revoke authority) command to add authorities for the IBM MQ user's own group (on UNIX, IBM MQ authorities are associated with groups only, not individual users). The authorities required are as follows:
   • CONNECT and INQUIRE on the queue manager (the IBM MQ Java libraries require INQUIRE permission to operate).
   • SUBSCRIBE permission on the SYSTEM.FTE topic.
   • PUT permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
   The reject and command queue names given are the default names. If you chose different queue names when you configured the logger queues, add the permissions to those queue names instead.
3. Perform the database user configuration that is specific to the database you are using.
   • If your database is Db2®, carry out the following steps:Note: There are several mechanisms for managing database users with Db2. These instructions apply to the default scheme based on operating system users.
     • Ensure that the ftelog user is not in any Db2 administration groups (for example, db2iadm1, db2fadm1, or dasadm1)
     • Give the user permission to connect to the database and permission to select, insert, and update on the tables that you created as part of Step 2: create the required database tables
   • If your database is Oracle, carry out the following steps:
     • Ensure that the ftelog user is not in any Oracle administration groups (for example, ora_dba on Windows or dba on UNIX)
     • Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables