Local and domain user accounts for the IBM MQ Windows service
When IBM® MQ is running, it must check that only authorized users can access queue managers or queues. This requires a special user account that IBM MQ can use to query information about any user attempting such access.
- Configuring special user accounts with the Prepare IBM MQ Wizard
- Using IBM MQ with Active Directory
- User rights required for an IBM MQ Windows service
Configuring special user accounts with the Prepare IBM MQ Wizard
The Prepare IBM MQ Wizard creates a special user account so that the Windows service can be shared by processes that need to use it (see Configuring IBM MQ with the Prepare IBM MQ Wizard).
A Windows service is shared between client processes for an IBM MQ installation. One service is created for each installation. Each service is named MQ_InstallationName, and has a display name of IBM MQ(InstallationName).
When you install IBM MQ and run the Prepare IBM MQ Wizard for the first time, it creates a local user account for the service called MUSR_MQADMIN with the required settings and permissions, including Logon as a service.
For subsequent installations, the Prepare IBM MQ Wizard creates a user account named MUSR_MQADMINx, where x is the lowest number for which no such user ID already exists. The password for MUSR_MQADMINx is randomly generated when the account is created, and used to configure the logon environment for the service. The generated password does not expire.
This IBM MQ account is not affected by any account policies that are set up on the system to require that account passwords are changed after a certain period.
The password is not known outside this one-time processing and is stored by the Windows operating system in a secure part of the registry.
Using IBM MQ with Active Directory
In some network configurations, where user accounts are defined on domain controllers that are using the Active Directory directory service, the local user account that IBM MQ is running under might not have the authority that it requires to query the group membership of other domain user accounts. When you install IBM MQ, the Prepare IBM MQ Wizard identifies whether this is the case by carrying out tests and asking you questions about the network configuration.
When you have entered valid account details for the domain user account into the Prepare IBM MQ Wizard, the wizard configures the IBM MQ Windows service to run under that account. The account details are held in the secure part of the registry and cannot be read by users.
- The launch process requires a launch permission.
- The IBM MQ administrator requires Access permission.
User rights required for an IBM MQ Windows service
| Permission | Description |
|---|---|
| Log on as a batch job | Enables an IBM MQ Windows service to run under this user account. |
| Log on as a service | Enables users to set the IBM MQ Windows service to log on using the configured account. |
| Shut down the system | Allows the IBM MQ Windows service to restart the server if configured to do so when recovery of a service fails. |
| Increase quotas (shown as "Adjust memory quotas for a process" on current Windows versions) | Required for the operating system CreateProcessAsUser call. |
| Act as part of the operating system | Required for the operating system LogonUser call. |
| Bypass traverse checking | Required for the operating system LogonUser call. |
| Replace a process level token | Required for the operating system LogonUser call. |
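The following PowerShell script is an added example, not IBM's code, for auditing the service accounts described above: it lists the MQ_InstallationName services and the account each one logs on as, confirms that a local MUSR_MQADMINx account has a non-expiring password, and checks whether the account directly holds each of the seven user rights in the table. It assumes an elevated PowerShell 5.1 or later session on the MQ server; the function names and the hypothetical account name passed at the end are the example's own. The SeXxx constants are the standard Windows names that secedit uses for these rights.

```powershell
# Added example (not IBM MQ product code): audit IBM MQ Windows service accounts.
# Assumes an elevated PowerShell 5.1+ session on the server hosting the installations.

# Table row (display name) -> constant used in a secedit export of the local policy.
$RequiredRights = [ordered]@{
    'Log on as a batch job'                = 'SeBatchLogonRight'
    'Log on as a service'                  = 'SeServiceLogonRight'
    'Shut down the system'                 = 'SeShutdownPrivilege'
    'Increase quotas'                      = 'SeIncreaseQuotaPrivilege'
    'Act as part of the operating system'  = 'SeTcbPrivilege'
    'Bypass traverse checking'             = 'SeChangeNotifyPrivilege'
    'Replace a process level token'        = 'SeAssignPrimaryTokenPrivilege'
}

function Get-MQServiceAccount {
    # One service per installation, named MQ_<InstallationName>; StartName is the logon account.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'MQ_*' } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Test-MQLocalAccountPassword {
    # For a wizard-created local account, PasswordExpires is $null when the password never expires.
    param([string]$Name = 'MUSR_MQADMIN')
    $u = Get-LocalUser -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Name                 = $u.Name
        Enabled              = $u.Enabled
        PasswordNeverExpires = ($null -eq $u.PasswordExpires)
        PasswordLastSet      = $u.PasswordLastSet
    }
}

function Get-UserRightsAssignment {
    # Export only the user-rights area of the local security policy and parse the
    # "SeXxx = *SID,*SID" lines into a hashtable of right -> list of SIDs (or names).
    $cfg = Join-Path $env:TEMP 'mq-userrights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = $matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-MQServiceRights {
    # Reports, for each required right, whether the account holds it directly.
    # A right granted only through group membership shows as "not direct": verify that by hand.
    param([Parameter(Mandatory)][string]$Account)   # e.g. '.\MUSR_MQADMIN' or 'DOMAIN\mqsvc'
    $ntName = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($ntName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        throw "Cannot resolve account '$Account' to a SID: $($_.Exception.Message)"
    }
    $assigned = Get-UserRightsAssignment
    foreach ($entry in $RequiredRights.GetEnumerator()) {
        $holders = @($assigned[$entry.Value])
        [pscustomobject]@{
            Account    = $Account
            Right      = $entry.Key
            Constant   = $entry.Value
            HeldDirect = ($holders -contains $sid) -or ($holders -contains $ntName)
            GrantedTo  = ($holders -join ', ')
        }
    }
}

# Usage: list the services, then check password policy and rights for each logon account.
$services = Get-MQServiceAccount
$services | Format-Table -AutoSize
foreach ($svc in $services) {
    if ($svc.StartName -like '.\MUSR_MQADMIN*') {
        Test-MQLocalAccountPassword -Name ($svc.StartName -replace '^\.\\', '') | Format-List
    }
    Test-MQServiceRights -Account $svc.StartName | Format-Table Right, HeldDirect, GrantedTo -AutoSize
}
```

A "not direct" result is not necessarily a failure: rights can be inherited through a group (for example a domain group that the wizard's domain account belongs to), so resolve the SIDs in the GrantedTo column before concluding that a right is missing. If the service is running as a domain account, the password-expiry check does not apply; the domain's policy governs that account instead.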