Configuring WebSphere MQ V7.0 in a Microsoft Windows Domain Environment
JoelPointer 060000AP95 Visits (13057)
We get questions about the configuration of WebSphere MQ in a Windows domain at least once a week. Today I will try to eliminate the myth and confusion surrounding this topic and explain how to easily accomplish this task.
When WebSphere MQ (WMQ) is installed in a standalone environment the authority of the built-in userid MUSR_MQADMIN is used for all WMQ processes. The authority manager process AMQZFUMA, verifies the authority of users and groups to access queue and channel objects and the commands that operate upon the objects. This process is critical to the start up of a queue manager and can be seen in the list of processes in Windows Task Manager. The default access to WebSphere MQ object is "No Access" which means if the authority of a user or group cannot be checked the entity has no authority to the object. Read on and in a moment you will see why this point is very important.
Most organizations use WebSphere MQ in a Windows domain with Active Directory configuration. In this configuration the users are not defined locally on the computer where WebSphere MQ is installed but within the domain controller. With this configuration the AMQZFUMA process cannot check the authority of the domain users and groups therefore the users and groups cannot access the MQ objects.
The solution is to define a userid and password in the domain and authorize this user to Read
Although it is not required, creating and adding your domain users to a group named "domain mqm" (i.e., DOMAIN/domain mqm) can make life simpler because WMQ is designed to look for this domain group when running the domain setup portion of the installation. This new domain ID should be in the mqm group so that it will have full authority to WMQ processes and commands
If the computer where MQ is installed is in a different domain than the user's, a two-way trust must exist between these domains in order for authority checking to be successful.
See the WebSphere MQ Information Center section "Information for Domain Administrators" for more details on this topic.
Password Expiry Period
If you use just one account for all users of WebSphere MQ, consider making the password of the account never expire, otherwise all instances of WebSphere MQ will stop working at the same time when the password expires. If you give each user of WMQ their own user account you will have more user accounts to create and manage. Only one instance of WMQ will stop working at a time when the password expires. If you set the password to expire, warn the users that they will see a message from WMQ each time it expires - the message warns that the password has expired and describes how to reset it.
I recommend that you use a single domain userid/password configured to never expire. I realize that there are those who scoff at this suggestion but here are three reason why that position should be reconsidered:
WebSphere MQ server can be configured to function within a Windows domain using several methods:
Method 1) Use the Prepare MQ Wizard
With this method the dcom userid/password should be pre-configured before starting the install of WebSphere MQ server. By having completed the creation of the domain userid/password and using the special domain name, "domain mqm" and it will be detected and added to the local mqm group during the domain configuration phase of the installation
Method 2) Let WebSphere MQ change the DCOM userid and password
From a command line use: amqmsrvn -user Domain\User-ID -password xxxxxxxxx
'amqmsrvn' is the name of the MQ DCOM server. This will change the ID and password in dcomcnfg and automatically register the service with Windows. You should also use this method if you change only the password for the ID. You can find more details about this command in the Information Center section "Changing the password of the AMQMSRVN user account"
If you change a password using method 2 and you are still having problems you may want to try re-registering the MQ DCOM service as follows...
Note: AMQMSRVN is deprecated in WMQ v7.1 and greater.
Method 3) Manually change the user ID and password in dcomcnfg
In DCOMCNFG you can manually change the user ID and password by following these steps:
Now that you understand the reasons behind configuring WebSphere MQ in a Windows domain, you are better equipped to help others in your organization through this complex topic.