Considering security for an integration node

Consider several factors when you are deciding which users can execute integration node commands, and which users can control security for other integration node resources.

About this task

Although most security for the integration node and integration node resources is optional, you might find it appropriate to restrict the tasks that some user IDs can perform. You can then apply greater control to monitor changes.

You can control all IBM® Integration Bus administration tasks by enabling administration security. You can enable administration security and specify either the file-based or queue-based authorization mode by using the mqsichangeauthmode command. This task is described in Enabling administration security, and is independent of the tasks described in this section.

When you are deciding which users are to perform the different tasks, consider the following steps:

Procedure

  1. Deciding which user account to use for the integration node service ID
  2. Setting security on the integration node
  3. Securing the integration node registry

Deciding which user account to use for the integration node service ID

About this task

On a Linux® or UNIX operating system, when you run the mqsistart command with a user ID that is a member of the mqm and mqbrkrs groups, the user ID under which you run the mqsistart command becomes the user ID under which the integration node component process runs.

On the Windows platform the integration node runs under a service user account. To decide which user ID to use for the integration node service ID, answer the following questions:

Procedure

  1. Do you want your integration node to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID has the following characteristics:
      • It is defined in your local domain.
      • It is a member of the mqbrkrs group.

      Go to Setting security on the integration node.

  2. Do you want your integration node to run under a Windows domain account?
    1. No: Go to the next question.
    2. Yes: Assume that your computer, named for example WKSTN1, is a member of a domain named DOMAIN1. When you run an integration node under a domain account such as DOMAIN1\user1, ensure that:
      • Your user ID has been granted the Logon as a service privilege (from the Local Security Policy).
      • DOMAIN1\user1 is a member of the DOMAIN1\MyDomainGroup group, where MyDomainGroup is a domain group that you have defined on your domain controller.
      • DOMAIN1\MyDomainGroup is a member of the local WKSTN1\mqbrkrs group.

      Go to Setting security on the integration node.

  3. Do you want your integration node to run under the Windows built-in LocalSystem account?
    1. Yes: Specify LocalSystem for the -i parameter on the mqsicreatebroker or mqsichangebroker command.

      With either command you must still enter the -a (password) parameter on the command line, but the value that you enter is ignored.

      Go to Setting security on the integration node.

Results

Note that for cases one and two above, the user ID that you choose must be granted the Logon as a service privilege.

This privilege is normally granted automatically by the mqsichangebroker command or the mqsichangeproperties command when you specify a service user ID that does not yet have it.

However, if you want to grant the privilege manually before you run these commands, use the Local Security Policy tool in Windows, which you can access by selecting Control Panel > Performance and maintenance > Administrative Tools > Local Security Policy.

Setting security on the integration node

About this task

If you are using the queue-based authorization mode for the integration node (mq mode), the local mqbrkrs group is granted access to the internal queues whose names begin with the characters SYSTEM.BROKER. If you are using the file-based authorization mode, the local mqbrkrs group is granted read, write, and execute permissions on the integration node so that its members can run local mqsi commands. Ensure that every user ID that requires these permissions is a member of the mqbrkrs group.

Securing the integration node registry

About this task

Integration node operation depends on the information in the integration node registry, which you must secure to guard against accidental corruption. The integration node registry is stored on the file system under the work path directory, which is specified by the MQSI_WORKPATH environment variable. Set your operating system security options so that only user IDs that are members of the mqbrkrs group can read from or write to integrationNodeName/CurrentVersion and all of its subkeys.
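The following POSIX shell functions are an added example for the Linux and UNIX case, not part of the IBM documentation or product: they audit a registry tree under the work path for entries that are not group-owned by mqbrkrs or that grant any permission to "other", and then tighten the tree to the group-only access described above. The directory to audit is passed in by the caller (this page does not give the exact layout below MQSI_WORKPATH), and the group name defaults to mqbrkrs.

```shell
#!/bin/sh
# Report every entry under DIR (a registry tree below MQSI_WORKPATH, assumed)
# that is not group-owned by GROUP or that grants read/write/execute to "other".
# Returns 0 when the tree is clean, 1 when at least one offending entry exists.
audit_registry_perms() {
  dir=$1
  group=${2:-mqbrkrs}
  # POSIX find: ! -group matches a wrong group owner; -perm -o=X matches
  # any entry with that bit set for "other".
  offenders=$(find "$dir" \( ! -group "$group" \
                              -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
  if [ -z "$offenders" ]; then
    return 0
  fi
  printf '%s\n' "$offenders" | sed 's/^/insecure registry entry: /'
  return 1
}

# Tighten DIR so only the owner and members of GROUP can read or write it:
# group ownership set recursively, "other" cleared, execute kept only where
# it already exists (X) so directories remain traversable.
harden_registry_perms() {
  dir=$1
  group=${2:-mqbrkrs}
  chgrp -R "$group" "$dir" && chmod -R u=rwX,g=rwX,o= "$dir"
}
```

Run audit_registry_perms "$MQSI_WORKPATH/components" as a user in mqbrkrs; a non-zero exit lists the entries that harden_registry_perms would fix.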