Migration considerations for MFT
If you are planning to migrate Managed File Transfer, review the following information.
Configuration layout directly after installation in MFT
- Default configuration directories:
- Information is split over four separate sub-directories: config, installations, ipc, and logs.
- Default product root directories (MQ_DATA_PATH) are as follows:
-
- UNIX systems: /var/mqm
- Linux® systems: /var/mqm
- Windows: the location of the configuration directory
depends on the location of your primary IBM MQ
installation. The default locations for primary installations are as follows:
- 32-bit: C:\Program Files (x86)\IBM\WebSphere MQ
- 64-bit: C:\Program Files\IBM\MQ
- Configuration sub-directories are as follows:
-
- The MQ_DATA_PATH/mqft/config directory contains the parts of the configuration that are read-only for Managed File Transfer processes. For example, agent.properties and command.properties.
- The MQ_DATA_PATH/mqft/installations directory contains configuration information for each installation. The content of this directory is equivalent to the content of the wmqfte.properties file.
- The MQ_DATA_PATH/mqft/ipc directory contains IPC resources used internally to communicate between the Managed File Transfer components. Applicable to UNIX and Linux systems only.
- The MQ_DATA_PATH/mqft/logs directory contains the parts of the configuration that are written by Managed File Transfer processes. For example, trace information and log files.
- installation.properties file
- On UNIX and Linux systems, the default location is MQ_DATA_PATH/mqft/installations/installation_name
- logger.properties file
- This file incorporates property information for stand-alone file loggers, stand-alone database loggers, and Java EE database loggers.
Security changes
For IBM WebSphere® MQ 7.5, or later, only users who are administrators (members of the mqm group) can run the following list of fte commands:
- fteChangeDefaultConfigurationOptions
- fteCreateAgent (create an MFT agent)
- fteCreateBridgeAgent (create and configure an MFT protocol bridge agent)
- fteCreateCDAgent (create a Connect:Direct bridge agent)
- fteCreateLogger (create an MFT file or database logger)
- fteDeleteAgent
- fteDeleteLogger
- fteMigrateAgent: migrate an FTE 7.0 agent to MQ 7.5 or later
- fteMigrateConfigurationOptions: migrate an FTE 7.0 configuration to MQ 7.5 or later
- fteMigrateLogger: migrate an FTE 7.0 database logger to MQ 7.5 or later
- fteModifyAgent (run an MFT agent as a Windows service)
- fteModifyLogger (run an MFT logger as a Windows service)
- fteSetupCommands: create the MFT command.properties file
- fteSetupCoordination
When using IBM WebSphere MQ 7.5 or later on Multiplatforms, only the user that the agent process is running under can run the fteSetAgentTraceLevel command.
- The same userid that the agent process is running as.
- Members of the group specified by the agent property adminGroup.
- The same userid that the agent process is running as.
- Members of the group specified by the agent property adminGroup.
For more information, see the adminGroup property in The MFT agent.properties file.
Security changes in IBM MQ 8.0
If you are running Managed File Transfer on IBM WebSphere MQ 7.0, and migrate to IBM MQ 8.0, the user Id information in the MQMFTCredentials.xml file is passed to the queue manager, but will not be acted upon.
This is because the passing of user Id and password information only is supported in IBM MQ 8.0.
commandPath and agent sandboxes
For IBM MQ 8.0 and later, if an agent has been configured with an agent sandbox and the agent property commandPath has been set, then the directories specified by commandPath are automatically added to the denied paths when the agent starts. If the commandPath property is set on an agent which is not configured with an agent sandbox, then a new sandbox is set up automatically and the directories specified by the commandPath are added to the denied directories when the agent starts.
If the commandPath property is set on an agent which is not configured with an agent sandbox, then a new sandbox is set up automatically and the directories specified by the commandPath are added to the denied directories when the agent starts.
For more information about the commandPath property, see commandPath MFT property and The MFT agent.properties file.
commandPath and user sandboxes
For IBM MQ 8.0 and later, if an agent has been
configured with one or more user sandboxes, and has the agent property commandPath set, then the
directories specified by commandPath (and all of their subdirectories) are automatically added as
<exclude>
elements to the <read>
and
<write>
elements for each user sandbox when the agent starts up.
For more information about the commandPath property, see commandPath MFT property and The MFT agent.properties file.
Migrating MFT agents that run as a Windows service from IBM WebSphere MQ 7.5 to IBM MQ 9.0
Between IBM WebSphere MQ 7.5, IBM MQ 8.0, and IBM MQ 9.0, the default IBM MQ installation path has changed on the Windows platform.
If a queue manager is being migrated from IBM WebSphere MQ 7.5 to IBM MQ 8.0 or IBM MQ 9.0, any applications that are running on the same system as the queue manager must be reconfigured to load the IBM MQ libraries from the new installation location. This includes any IBM MQ Managed File Transfer agents that are running as a Windows service.
- Stop the agents that are associated with the IBM WebSphere MQ 7.5 queue manager. See stopping an MFT agent for more information. For example issue the following
command:
fteStopAgent <agent_name>
- Modify the agent to remove the service definition of the agent. See run an MFT agent
as a Windows service for more information. For example, issue the following command:
fteModifyAgent -agentName <agent_name>
- Next, migrate the agent queue manager from IBM WebSphere MQ 7.5 to the later version by using the setmqm command. See associating a queue manager with an installation for more information about the setmqm command.
- Finally, modify the agent to reconfigure the agent to run as a Windows service again, by using the
fteModifyAgent command.For example:
fteModifyAgent -agentName AGENT1 -s -su fteuser -sp ftepassword