Windows domains and multi-instance queue managers
A multi-instance queue manager on Windows requires its data and logs to be shared. The share must be accessible to all instances of the queue manager running on different servers or workstations. Configure the queue managers and share as part of a Windows domain. The queue manager can run on a domain workstation or server, or on the domain controller.
Before configuring a multi-instance queue manager, read Secure unshared queue manager data and log directories and files on Windows and Secure shared queue manager data and log directories and files on Windows to review how to control access to queue manager data and log files. The topics are educational; if you want to go directly to setting up shared directories for a multi-instance queue manager in a Windows domain, see Create a multi-instance queue manager on domain workstations or servers.
Run a multi-instance queue manager on domain workstations or servers
From Version 7.1, multi-instance queue managers run on a workstation or server that is a member of a domain. Before Version 7.1, multi-instance queue managers ran only on domain controllers; see Run a multi-instance queue manager on domain controllers. To run a multi-instance queue manager on Windows, you require a domain controller, a file server, and two workstations or servers running the same queue manager connected to the same domain.
The change that makes it possible to run a multi-instance queue manager on any server or workstation in a domain is that you can now create a queue manager with an additional security group. The additional security group is passed in the crtmqm command, in the -a parameter. You secure the directories that contain the queue manager data and logs with the group. The user ID that runs queue manager processes must be a member of this group. When the queue manager accesses the directories, Windows checks the permissions the user ID has to access the directories. By giving both the group and the user ID domain scope, the user ID running the queue manager processes has credentials from the global group. When the queue manager is running on a different server, the user ID running the queue manager processes can have the same credentials. The user ID does not have to be the same. It has to be a member of the alternative security group, as well as a member of the local mqm group.
The task of creating a multi-instance queue manager is the same as in Version 7.0.1 with one change. You must add the additional security group name to the parameters of the crtmqm command. The task is described in Create a multi-instance queue manager on domain workstations or servers.
- Creating an Active Directory and DNS domain for IBM WebSphere MQ.
- Installing IBM WebSphere MQ on a server or workstation in a Windows domain.
- Creating a shared directory for queue manager data and log files.
- Reading and writing shared data and log files authorized by an alternative global security group.
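The following PowerShell pre-flight check is an added example, not part of the IBM documentation: it verifies the group memberships and directory permissions that the additional security group mechanism depends on, before crtmqm is run with -a. The group name, share paths and queue manager name are assumed placeholders; run it as the user ID that will run the queue manager processes, on each server that hosts an instance.

```powershell
# Added example. All default values below are hypothetical placeholders.
param(
    [string]$AltGroup = 'EXAMPLE\mqshare',   # assumed domain global group passed to crtmqm -a
    [string[]]$SharedDirs = @('\\fileserver\mq\data', '\\fileserver\mq\logs'),  # assumed shares
    [string]$QMgrName = 'QM1'                # assumed queue manager name
)

# Groups carried in the access token of the account running this script.
# The token is built at logon, so log on again after changing memberships.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $identity.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}

$problems = @()

# 1. The user ID must be a member of the additional (domain-scope) security group.
if ($groups -notcontains $AltGroup) {
    $problems += "$($identity.Name) is not a member of $AltGroup"
}

# 2. The user ID must also be a member of the local mqm group on this server.
$localMqm = "$env:COMPUTERNAME\mqm"
if ($groups -notcontains $localMqm) {
    $problems += "$($identity.Name) is not a member of $localMqm"
}

# 3. Each shared directory must carry an Allow entry for the additional group.
foreach ($dir in $SharedDirs) {
    $rules = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.IdentityReference.Value -eq $AltGroup -and $_.AccessControlType -eq 'Allow'
    }
    if ($rules) {
        "{0}: {1} -> {2}" -f $dir, $AltGroup, ($rules.FileSystemRights -join '; ')
    } else {
        $problems += "$dir has no Allow entry for $AltGroup"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Checks passed: show the create command with the additional security group.
"crtmqm -md $($SharedDirs[0]) -ld $($SharedDirs[1]) -a $AltGroup $QMgrName"
```

The script only reports which rights the group holds on each directory; compare them with the permissions required by the shared-directory topics referenced above.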
Run a multi-instance queue manager on domain controllers
In Version 7.0.1, multi-instance queue managers ran only on domain controllers. Queue manager data could be secured with the domain mqm group. As the topic Secure shared queue manager data and log directories and files on Windows explains, you cannot share directories secured with the local mqm group on workstations or servers. However, on domain controllers all groups and principals have domain scope. If you install IBM WebSphere MQ for Windows on a domain controller, the queue manager data and log files are secured with the domain mqm group, which can be shared.
Follow the steps in the task, Create a multi-instance queue manager on domain controllers, to configure a multi-instance queue manager on domain controllers.