IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Considering security for a broker

Consider several factors when you are deciding which users can execute broker commands, and which users can control security for other broker resources.

Although most security for the broker and broker resources is optional, you might find it appropriate to restrict the tasks that some user IDs can perform. You can then apply greater control to monitor changes.

You can control all broker administration tasks by enabling broker administration security when you create a broker. You can also change existing brokers to enable administration security. This option is described in Setting up administration security, and is independent of the options described in this section.

When you are deciding which users are to perform the different tasks, consider the following steps:

  1. Deciding which user account to use for the broker service ID
  2. Setting security on the broker queues
  3. Securing the broker registry

Deciding which user account to use for the broker service ID

On a Linux or UNIX operating system, when you run the mqsistart command with a user ID that is a member of the mqm and mqbrkrs groups, the user ID under which you run the mqsistart command becomes the user ID under which the broker component process runs.

On the Windows platform the broker runs under a service user account. To decide which user ID to use for the broker service ID, answer the following questions:

  1. Do you want your broker to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID has the following characteristics:
      • It is defined in your local domain.
      • It is a member of the mqbrkrs group.

      Go to Setting security on the broker queues.

  2. Do you want your broker to run under a Windows domain account?
    1. No: Go to the next question.
    2. Yes: Assume that your computer, named WKSTN1 for example, is a member of a domain named DOMAIN1. When you run a broker under a domain account such as DOMAIN1\user1, ensure that:
      • Your user ID has been granted the Logon as a service privilege (from the Local Security Policy).
      • DOMAIN1\user1 is a member of the DOMAIN1\MyDomainGroup group, where MyDomainGroup is a domain group that you have defined on your domain controller.
      • DOMAIN1\MyDomainGroup is a member of WKSTN1\mqbrkrs.

      Go to Setting security on the broker queues.

  3. Do you want your broker to run under the Windows built-in LocalSystem account?
    1. Yes: Specify LocalSystem for the -i parameter on the mqsicreatebroker or mqsichangebroker command.

      With either command you must enter the -a (password) parameter on the command line, but the value entered is ignored.

      Go to Setting security on the broker queues.

Note that for cases one and two above, the user ID chosen must be granted the Logon as a service privilege.

This is normally done automatically by the mqsichangebroker command or the mqsichangeproperties command when a service user ID is specified that does not have this privilege.

However, if you want to do this manually before running these commands, you can do this by using the Local Security Policy tool in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

Setting security on the broker queues

When you run the mqsicreatebroker command, the local mqbrkrs group is granted access to internal queues whose names begin with the characters SYSTEM.BROKER.

Securing the broker registry

Broker operation depends on the information in the broker registry, which you must secure to guard against accidental corruption. The broker registry is stored on the file system. Set your operating system security options so that only user IDs that are members of the group mqbrkrs can read from or write to brokername/CurrentVersion and all subkeys.
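The three conditions this page sets out for a Windows broker service ID (membership of the local mqbrkrs group, directly or through a domain group; the Logon as a service privilege; and an ACL on brokername/CurrentVersion that is limited to mqbrkrs) can be audited with a script like the one below. This is an added PowerShell example, not part of the IBM documentation: the account name is the page's own example, while the file-system location of the broker registry and the Administrators/SYSTEM allowlist are assumptions you must adjust for your installation.

```powershell
# Added audit script, not from the IBM documentation. It checks the three conditions
# this page describes for a Windows broker service ID. $RegistryPath is a placeholder:
# the page says the broker registry lives on the file system but gives no path.
param(
    [string]$ServiceAccount = 'DOMAIN1\user1',
    [string]$RegistryPath   = 'C:\PLACEHOLDER\brokername\CurrentVersion'
)

# Walk a WinNT group and its nested groups (local or domain), returning DOMAIN\name strings.
function Get-GroupMembersRecursive {
    param([string]$AdsPath, [int]$Depth = 0)
    if ($Depth -gt 5) { return }                      # guard against circular nesting
    foreach ($m in ([ADSI]$AdsPath).Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        if ($class -eq 'Group') { Get-GroupMembersRecursive -AdsPath $path -Depth ($Depth + 1) }
        else { ($path -replace '^WinNT://', '') -replace '/', '\' }
    }
}

# Check 1: the service ID must be in the local mqbrkrs group, directly or via a domain group
# (the page's DOMAIN1\MyDomainGroup -> WKSTN1\mqbrkrs arrangement).
$members = Get-GroupMembersRecursive -AdsPath "WinNT://$env:COMPUTERNAME/mqbrkrs,group"
$inGroup = $members -contains $ServiceAccount
"mqbrkrs membership for ${ServiceAccount}: $inGroup"

# Check 2: the service ID must hold the 'Log on as a service' right (SeServiceLogonRight).
# secedit lists grantees as '*SID' or plain names; a right granted only through a group
# does not appear under the account itself, so a False here deserves a closer look.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$hasRight  = $rightLine -and ($rightLine.Line -match [regex]::Escape("*$sid") -or
                              $rightLine.Line -match [regex]::Escape($ServiceAccount))
Remove-Item $cfg -ErrorAction SilentlyContinue
"Logon as a service for ${ServiceAccount}: $hasRight"

# Check 3: only mqbrkrs should read or write brokername\CurrentVersion and below. The OS's
# own Administrators and SYSTEM entries are allowed here as an assumption; anything else is flagged.
$allowed = @("$env:COMPUTERNAME\mqbrkrs", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$unexpected = (Get-Acl -Path $RegistryPath).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
if ($unexpected) { "Unexpected ACL entries on ${RegistryPath}:"; $unexpected | Format-Table -AutoSize }
else { "ACL on $RegistryPath is limited to: $($allowed -join ', ')" }
```

Run it from an elevated PowerShell session, because secedit export and reading the broker's ACL both require administrative rights.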


ap03982_.htm | Last updated Friday, 21 July 2017