Creating a shared directory for queue manager data and log files

This task is one of a set of related tasks that illustrate accessing queue manager data and log files. The tasks show how to create a queue manager authorized to read and write data and log files that are stored in a directory of your choosing.

In a production scale configuration, you might have to tailor the configuration to an existing domain. For example, you might define different domain groups to authorize different shares, and to group the user IDs that run queue managers.

The example configuration consists of three servers:
sun
A Windows Server 2008 domain controller. It owns the wmq.example.com domain that contains Sun, mars, and venus. For the purposes of illustration, it is also used as the file server.
mars
A Windows Server 2008 used as the first IBM® WebSphere® MQ server. It contains one instance of the multi-instance queue manager called QMGR.
venus
A Windows Server 2008 used as the second IBM WebSphere MQ server. It contains the second instance of the multi-instance queue manager called QMGR.

Replace the italicized names in the example, with names of your choosing.

Before you begin

  1. To do this task exactly as documented, do the steps in the task, Creating an Active Directory and DNS domain for IBM WebSphere MQ, to create the domain sun.wmq.example.com on the domain controller sun. Change the italicized names to suit your configuration.

About this task

This task is one of a set of related tasks that illustrate accessing queue manager data and log files. The tasks show how to create a queue manager authorized to read and write data and log files that are stored in a directory of your choosing. They accompany the task, Windows domains and multi-instance queue managers.

In the task, you create a share containing a data and log directory, and a global group to authorize access to the share. You pass the name of the global group that authorizes the share to the crtmqm command in its -a parameter. The global group gives you the flexibility of separating the users of this share from users of other shares. If you do not need this flexibility, authorize the share with the Domain mqm group rather than create a new global group.

The global group used for sharing in this task is called wmqha, and the share is called wmq. They are defined on the domain controller sun in the Windows domain wmq.example.com. The share has full control permissions for the global group wmqha. Replace the italicized names in the task with names of your choosing.

For the purposes of this task the domain controller is the same server as the file server. In practical applications, split the directory and file services between different servers for performance and availability.

You must configure the user ID that the queue manager is running under to be a member of two groups. It must be a member of the local mqm group on an IBM WebSphere MQ server, and of the wmqha global group.

In this set of tasks, when the queue manager is running as a service, it runs under the user ID wmquser1, so wmquser1 must be a member of wmqha. When the queue manager is running interactively, it runs under the user ID wmquser2, so wmquser2 must be a member of wmqha. Both wmquser1 and wmquser2 are members of the global group Domain mqm. Domain mqm is a member of the local mqm group on the mars and venus IBM WebSphere MQ servers. Hence, wmquser1 and wmquser2 are members of the local mqm group on bothIBM WebSphere MQ servers.

Procedure

  1. Log on to the domain controller, sun.wmq.example.com as the domain administrator.
  2. Create the global group wmqha.
    1. Open Server Manager > Roles > Active Directory Domain Services > wmq.example.com > Users.
    2. Open the wmq.example.com\Users folder
    3. Right-click Users > New > Group.
    4. Type wmqha into the Group name field.
    5. Leave Global clicked as the Group scope and Security as the Group type. Click OK.
  3. Add the domain users wmquser1 and wmquser2 to the global group, wmqha.
    1. In the Server Manager navigation tree, click Users and right-click wmqha > Properties in the list of users.
    2. Click the Members tab in the wmqha Properties window.
    3. Click Add...; type wmquser1; wmquser2 and click Check Names > OK > Apply > OK.
  4. Create the directory tree to contain queue manager data and log files.
    1. Open a command prompt.
    2. Type the command:
      md c:\wmq\data , c:\wmq\logs
  5. Authorize the global group wmqha to have full control permission to the c:\wmq directories and share.
    1. In Windows Explorer, right-click c:\wmq > Properties.
    2. Click the Security tab and click Advanced > Edit....
    3. Clear the check box for Include inheritable permissions from this object's owner. Click Copy in the Windows Security window.
    4. Select the lines for Users in the list of Permission entries and click Remove. Leave the lines for SYSTEM, Administrators, and CREATOR OWNER in the list of Permission entries.
    5. Click Add..., and type the name of the global group wmqha. Click Check Names > OK.
    6. In the Permission Entry for wmq window, select Full Control in the list of Permissions.
    7. Click OK > Apply > OK > OK > OK
    8. In Windows Explorer, right-click c:\wmq > Share....
    9. Click Advanced Sharing... and select the Share this folder check box. Leave the share name as wmq.
    10. Click Permissions > Add..., and type the name of the global group wmqha. Click Check Names > OK.
    11. Select wmqha in the list of Group or user names. Select the Full Control check box in the list of Permissions for wmqha; click Apply.
    12. Select Administrators in the list of Group or user names. Select the Full Control check box in the list of Permissions for Administrators; click Apply > OK > OK > Close.

What to do next

Check that you can read and write files to the shared directories from each of the IBM WebSphere MQ servers. Check the IBM IBM WebSphere MQ service user ID, wmquser1 and the interactive user ID, wmquser2.

  1. If you are using remote desktop, you must add wmq\wmquser1 and wmquser2 to the local group Remote Desktop Users on mars.
    1. Log on to mars as wmq\Administrator
    2. Run the lusrmgr.msc command to open the Local Users and Groups window.
    3. Click Groups. Right-click Remote Desktop Users > Properties > Add.... Type wmquser1; wmquser2 and click Check Names.
    4. Type in the user name and password of the domain administrator, wmq\Administrator, and click OK > Apply > OK.
    5. Close the Local Users and Groups window.
  2. Log on to mars as wmq\wmquser1.
    1. Open a Windows Explorer window, and type in \\sun\wmq.

      The system responds by opening the wmq share on sun.wmq.example.com, and lists the data and logs directories.

    2. Check the permissions of wmquser1 by creating a file in data subdirectory, adding some content, reading it, and then deleting it.
  3. Log on to mars as wmq\wmquser2, and repeat the checks.
  4. Do the next task, to create a queue manager to use the shared data and log directories; see Reading and writing shared data and log files authorized by an alternative global security group.