Configuring IBM WebSphere MQ accounts

The IBM® WebSphere® MQ service and queue managers check that any users attempting to access queue managers or queue manager resources, such as queues, have permission to access them.

Most networked Windows systems are members of a Windows domain where user accounts, other security principals, and security groups are maintained and managed by a directory service, Active Directory, running on a number of domain controllers. IBM WebSphere MQ checks that only authorized users can access queue managers or queues.

In such networks, IBM WebSphere MQ queue manager processes access the Active Directory information to find the security group membership of any users attempting to use IBM WebSphere MQ resources. The accounts under which IBM WebSphere MQ services run must be authorized to look up such information from the directory. In most Windows domains, local accounts defined at individual Windows servers cannot access directory information, so the IBM WebSphere MQ services must run under a domain account that has the appropriate permission.

If the Windows server is not a member of a Windows domain or the domain has a reduced security or functional level, then the IBM WebSphere MQ services can run under a local account that was created during installation.

Assuming that a domain account is needed, provide the information described in "Information for domain administrator" to your domain administrator, and ask for one of the special accounts it describes. When you install the product, towards the end of the installation procedure, in the Prepare IBM WebSphere MQ wizard, you are asked to enter details of this account (domain, user name, and password).

If a domain account is needed and you install IBM WebSphere MQ without a special account (or without entering its details), many or all parts of IBM WebSphere MQ do not work, depending upon the particular user accounts involved. Also, IBM WebSphere MQ connections to queue managers that run under domain accounts on other systems might fail. The account can be changed by running the Prepare IBM WebSphere MQ wizard and specifying the details of the account to be used.
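The following read-only PowerShell check is an added example, not IBM code. It reports the logon account of each IBM WebSphere MQ service and flags services that do not run under a domain account on a domain-joined server. The function name and the display-name pattern used to find the services are assumptions; adjust the pattern to match your installation.

```powershell
# Added example (not IBM code). Read-only: queries WMI/CIM, changes nothing.
# Assumption: MQ services are found by display name; pass a different
# -DisplayNamePattern if your installation names them otherwise.
function Get-MqServiceAccountReport {
    param(
        [string]$DisplayNamePattern = 'IBM WebSphere MQ*'   # assumed pattern
    )

    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    $localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object {
            $account = [string]$_.StartName   # empty if no logon account is set

            # Classify the logon account by its name format.
            $kind = if ($account -match '^(LocalSystem|NT AUTHORITY\\.+)$') {
                'BuiltIn'                      # LocalSystem, LocalService, ...
            } elseif ($account -match '^\.\\' -or $account -match $localPrefix) {
                'Local'                        # .\user or COMPUTERNAME\user
            } elseif ($account -match '^[^\\]+\\.+$' -or $account -match '^[^@]+@.+$') {
                'Domain'                       # DOMAIN\user or user@domain
            } else {
                'Unknown'
            }

            [pscustomobject]@{
                Service      = $_.Name
                DisplayName  = $_.DisplayName
                State        = $_.State
                LogonAccount = $account
                AccountKind  = $kind
                DomainJoined = [bool]$computer.PartOfDomain
                Domain       = $computer.Domain
                # A flag for review, not proof of failure: on a domain member
                # the service normally needs a domain account so that it can
                # look up users' group membership in Active Directory.
                NeedsReview  = ([bool]$computer.PartOfDomain -and $kind -ne 'Domain')
            }
        }
}

Get-MqServiceAccountReport | Format-Table -AutoSize
```

A service with `NeedsReview` set to `True` is not necessarily misconfigured, because a domain with a reduced security or functional level can still allow a local account.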

For information about the user rights required to take advantage of the Active Directory support, see Using Active directory (Windows only).

For information about the user rights required to take advantage of the Kerberos authentication support, see Security.