MQ

Expand all | Collapse all

mqm group being used in Authrec in HA environment

  • 1.  mqm group being used in Authrec in HA environment

    Posted 20 days ago
    Hi Folks,
    I've got entries like
    AUTHREC... GROUP('mqm@MachineName')...

    this is a multi-instance environment so I don't want the specific machine name to be in Auth records at all. Ideally I want to remove the records that refer to the mqm group completely. I'm guessing that these entries are somehow created automagically by MQ but they're not needed are they? Doesn't mqm group have access to all mq objects by default? Therefore, I can just delete all authrecs that mention the mqm group?

    thanks,
    John.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------


  • 2.  RE: mqm group being used in Authrec in HA environment

    Posted 15 days ago
    Anyone ?

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 3.  RE: mqm group being used in Authrec in HA environment

    Posted 15 days ago

    I don't believe you can delete the mqm Authority Records.

    Are you using a Domain controller? The mqm group should be a global group in this set up I think?

    Have a read of Creating a multi-instance queue manager on domain workstations or servers on Windows and it's linked pages at the bottom.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 4.  RE: mqm group being used in Authrec in HA environment

    Posted 12 days ago
    Hi John,

    When running MQ in MIQM mode on Windows, your machines would normally not be domain controllers, but just normal members of the domain.

    There should be a domain group (called 'domain mqm') although you can give it a different name. Things are simpler to set up if you call the group 'domain mqm' though. This is documented in https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mq-creating-setting-up-windows-domain-accounts

    Each server that runs the MIQM queue manager then has a local mqm group, and 'domain mqm' is a member of the local 'mqm' group. The service account which runs the queue manager should be a domain account which is a member of the 'domain mqm' group.

    Permissions get given to the local mqm group rather than the domain group when objects get created, but these don't really get used. They still need to exist though as far as I know.

    These permissions are created automatically by the queue manager, and I would therefore consider them to be 'internals' and not to be trifled with.

    Regards,


    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------