Security considerations when installing WebSphere MQ server on a Windows system

Use this information to learn about the security considerations when installing IBM® WebSphere® MQ server on a Windows system.

  • If you are installing IBM WebSphere MQ on a Windows domain network running Active Directory Server, you probably need to obtain a special domain account from your domain administrator. For further information, and the details that the domain administrator needs to set up this special account, see Configuring WebSphere MQ accounts.
  • When you are installing IBM WebSphere MQ server on a Windows system you must have local administrator authority.
  • In order to administer any queue manager on that system, or to run any of the IBM WebSphere MQ control commands, your user ID must belong to the local mqm or Administrators group. If the local mqm group does not exist on the local system, it is created automatically when IBM WebSphere MQ is installed. A user ID can either belong to the local mqm group directly, or belong indirectly through the inclusion of global groups in the local mqm group.
  • Windows versions with a User Account Control (UAC) feature restrict the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. If your user ID is in the Administrators group but not the mqm group, you must use an elevated command prompt to issue IBM WebSphere MQ admin commands such as crtmqm; otherwise the error AMQ7077 is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select Run as administrator.
  • Some commands can be run without being a member of the mqm group (see Authority to administer WebSphere MQ).
  • If you intend to administer queue managers on a remote system, your user ID must be authorized on the target system.
  • As with other versions of Windows, the object authority manager (OAM) gives members of the Administrators group the authority to access all IBM WebSphere MQ objects even when UAC is enabled.

Additional restrictions for installing on Windows

There are some additional points to consider when installing IBM WebSphere MQ Version 7.5 or later on Windows. First, Windows has some rules regarding the naming of objects created and used by IBM WebSphere MQ. Second, you can set up logging during installation, which assists you in troubleshooting any problems you might have with the installation.

Naming considerations

  • Ensure that the machine name does not contain any spaces. IBM WebSphere MQ does not support machine names that include spaces. If you install IBM WebSphere MQ on such a machine, you cannot create any queue managers.
  • For IBM WebSphere MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed).
  • An IBM WebSphere MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. Similarly, the client user ID should not be the same as a local group name.
  • A user account that is used to run the IBM WebSphere MQ Windows service is set up by default during the installation process; the default user ID is MUSR_MQADMIN. This account is reserved for use by IBM WebSphere MQ. Refer to Configuring WebSphere MQ accounts.
  • When an IBM WebSphere MQ client connects to a queue manager on the server, the user name under which the client runs must not be the same as the domain or machine name. If the user has the same name as the domain or machine, the connection fails with return code 2035 (MQRC_NOT_AUTHORIZED).
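The group-membership and UAC points above, together with these naming rules, can be checked before running the installer. The following PowerShell preflight script is an added example, not IBM's code; it assumes it runs on the target Windows machine, in the session that will perform the install, with Windows PowerShell 5.1 or later (for Get-LocalGroup).

```powershell
# Preflight check for the WebSphere MQ naming and membership rules described on this page.
# Added example, not IBM's code. Run in the session that will perform the install.
$machine  = $env:COMPUTERNAME
$domain   = $env:USERDOMAIN
$user     = $env:USERNAME
$problems = @()

# Rule: machine names containing spaces are not supported (queue managers cannot be created).
if ($machine -match '\s') { $problems += "Machine name '$machine' contains a space" }

# Rule: user IDs and group names used for MQ authorizations must be <= 64 characters and contain no spaces.
if ($user.Length -gt 64 -or $user -match '\s') {
    $problems += "User ID '$user' is longer than 64 characters or contains a space"
}

# Rule: a client user ID containing '@' (for example abc@d) is not supported by an MQ for Windows server.
if ($user -match '@') { $problems += "User ID '$user' contains '@'" }

# Rule: the client user name must not equal the domain or machine name (connection fails with 2035, MQRC_NOT_AUTHORIZED).
if ($user -ieq $machine -or $user -ieq $domain) {
    $problems += "User ID '$user' is the same as the machine or domain name"
}

# Rule: the client user ID should not be the same as a local group name.
$localGroups = Get-LocalGroup | Select-Object -ExpandProperty Name
if ($localGroups -contains $user) { $problems += "User ID '$user' matches a local group name" }

# Rule: administering queue managers requires membership of local mqm or Administrators.
# Membership may be indirect (a global group nested in mqm), so inspect the current token's groups.
# Note: the local mqm group only exists once MQ has been installed, so $inMqm is false on a fresh machine.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($g in $id.Groups) {
    try { $g.Translate([Security.Principal.NTAccount]).Value } catch { }   # skip SIDs that cannot be mapped
}
$inMqm   = $groupNames -contains "$machine\mqm"
$inAdmin = $groupNames -contains 'BUILTIN\Administrators'
if (-not ($inMqm -or $inAdmin)) { $problems += "User '$user' is in neither local mqm nor Administrators" }

# Rule: an Administrators-only user under UAC needs an elevated prompt for commands such as crtmqm (error AMQ7077).
# Under UAC the token lists Administrators but IsInRole() is false until the prompt is elevated.
$principal = New-Object Security.Principal.WindowsPrincipal $id
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($inAdmin -and -not $inMqm -and -not $elevated) {
    $problems += "Prompt is not elevated; crtmqm would fail with AMQ7077"
}

if ($problems.Count -eq 0) { 'Preflight checks passed' } else { $problems | ForEach-Object { "WARN: $_" } }
```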

Logging

Logging is enabled by default from the Launchpad. You can also enable complete logging; for more information, see How to enable Windows Installer logging.