[Windows]

Considerations when installing IBM MQ server on Windows

There are some considerations relating to security that you should take into account when installing an IBM® MQ server on Windows. There are some additional considerations relating to the object naming rules and logging.

Security considerations when installing IBM MQ server on a Windows system

  • If you are installing IBM MQ on a Windows domain network running Active Directory Server, you probably need to obtain a special domain account from your domain administrator. For further information, and the details that the domain administrator needs to set up this special account, see Configuring IBM MQ with the Prepare IBM MQ Wizard and Creating and setting up Windows domain accounts for IBM MQ.
  • When you are installing IBM MQ server on a Windows system you must have local administrator authority. In order to administer any queue manager on that system, or to run any of the IBM MQ control commands, your user ID must belong to the local mqm or Administrators group. If the local mqm group does not exist on the local system, it is created automatically when IBM MQ is installed. A user ID can either belong to the local mqm group directly, or belong indirectly through the inclusion of global groups in the local mqm group. For more information, see Authority to administer IBM MQ on UNIX, Linux®, and Windows.
  • Windows versions with a User Account Control (UAC) feature restrict the actions that users can perform on certain operating system facilities, even if they are members of the Administrators group. If your user ID is in the Administrators group but not the mqm group, you must use an elevated command prompt to issue IBM MQ admin commands such as crtmqm; otherwise the error AMQ7077 is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select Run as administrator.
  • Some commands can be run without being a member of the mqm group (see Authority to administer IBM MQ on UNIX, Linux, and Windows).
  • As with other versions of Windows, the object authority manager (OAM) gives members of the Administrators group the authority to access all IBM MQ objects even when User Account Control is enabled.
  • If you intend to administer queue managers on a remote system, your user ID must be authorized on the target system. If you need to create or start queue managers on a Windows machine while connected to it remotely, you must have the Create global objects user access. Administrators have the Create global objects user access by default, so if you are an administrator you can create and start queue managers when connected remotely without altering your user rights. For more information, see Authorizing users to use IBM MQ remotely.
  • If you use the highly secure template, you must apply it before installing IBM MQ. If you apply the highly secure template to a machine on which IBM MQ is already installed, all the permissions you have set on the IBM MQ files and directories are removed (see Applying security template files on Windows).

Naming considerations

Windows has some rules regarding the naming of objects created and used by IBM MQ. These naming considerations apply to IBM WebSphere® MQ 7.5 or later.

  • Ensure that the machine name does not contain any spaces. IBM MQ does not support machine names that include spaces. If you install IBM MQ on such a machine, you cannot create any queue managers.
  • For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed).
  • An IBM MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. Similarly, the client user ID should not be the same as the name of a local group.
  • A user account that is used to run the IBM MQ Windows service is set up by default during the installation process; the default user ID is MUSR_MQADMIN. This account is reserved for use by IBM MQ. For more information, see Configuring user accounts for IBM MQ and Local and domain user accounts for the IBM MQ Windows service.
  • When an IBM MQ client connects to a queue manager on the server, the user name under which the client runs must not be the same as the domain or machine name. If the user has the same name as the domain or machine, the connection fails with return code 2035 (MQRC_NOT_AUTHORIZED).
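
The naming rules in the list above are easy to check before installation. The following Python script is an added example, not part of the IBM documentation: it encodes those rules as a pre-install check, and the machine, domain, group and user names it runs against are constructed for illustration.

```python
MAX_NAME_LEN = 64  # limit on user ID and group names used in IBM MQ authorizations


def check_mq_names(machine_name, domain_name, local_groups, user_ids):
    """Check names against the IBM MQ on Windows naming rules listed above.

    Returns a list of human-readable findings; an empty list means every
    name passes. Windows account and group names are case-insensitive, so
    the equality checks compare lower-cased values.
    """
    findings = []
    if " " in machine_name:
        findings.append(
            f"machine name {machine_name!r} contains a space; "
            "IBM MQ cannot create queue managers on this machine")
    # The length and no-space rules apply to both user IDs and group names
    for name in list(user_ids) + list(local_groups):
        if len(name) > MAX_NAME_LEN:
            findings.append(f"name {name!r} is longer than {MAX_NAME_LEN} characters")
        if " " in name:
            findings.append(f"name {name!r} contains a space")
    groups_lc = {g.lower() for g in local_groups}
    reserved_lc = {machine_name.lower(), domain_name.lower()}
    for uid in user_ids:
        if "@" in uid:
            findings.append(
                f"client user ID {uid!r} contains '@'; a Windows client cannot connect with it")
        if uid.lower() in groups_lc:
            findings.append(f"client user ID {uid!r} is also the name of a local group")
        if uid.lower() in reserved_lc:
            findings.append(
                f"user ID {uid!r} matches the domain or machine name; "
                "connections fail with 2035 (MQRC_NOT_AUTHORIZED)")
    return findings


# Constructed sample input, not taken from any real system
SAMPLE_MACHINE = "MQ HOST1"  # contains a space
SAMPLE_DOMAIN = "CORP"
SAMPLE_GROUPS = ["mqm", "Administrators", "appusers"]
SAMPLE_USERS = ["alice", "abc@d", "AppUsers", "corp", "x" * 65]


def sample_findings():
    """Run the check over the constructed sample; five rules are violated."""
    return check_mq_names(SAMPLE_MACHINE, SAMPLE_DOMAIN, SAMPLE_GROUPS, SAMPLE_USERS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FAIL:", finding)
```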

Logging

You can set up logging during installation which assists you in troubleshooting any problems you might have with the installation.

From IBM WebSphere MQ 7.5, logging is enabled by default from the Launchpad. You can also enable complete logging; for more information, see How to enable Windows Installer logging.

Digital signatures

The IBM MQ programs and installation image are digitally signed on Windows to confirm that they are genuine and unmodified. From IBM MQ 8.0 the SHA-256 with RSA algorithm is used to sign the IBM MQ product.