Security

The WebSphere MQ Services snap-in and the components associated with it use the Microsoft Windows security model. It is this security model that allows or denies access to WebSphere MQ services.

The WebSphere MQ Services snap-in uses Component Object Model (COM) and Distributed Component Object Model (DCOM) technology to communicate between servers and between processes on a server.

The COM server application, AMQMSRVN, is shared between any client processes that need to use the WebSphere MQ Services snap-in components (for example, the WebSphere MQ Services snap-in, the alert monitor task bar, and the WebSphere MQ service).

Because AMQMSRVN must be shared between non-interactive and interactive logon sessions, you must launch it under a special user account. This special user account is called MUSR_MQADMIN. When you install WebSphere MQ and run the Prepare WebSphere MQ Wizard for the first time, it creates a local user account for AMQMSRVN called MUSR_MQADMIN with the required settings and permissions. The password for MUSR_MQADMIN is randomly generated when the account is created, and used to configure the logon environment for AMQMSRVN.

The password is not known outside this one-time processing and is stored by the Windows operating system in a secure part of the Registry.

In some network configurations, where user accounts are defined on domain controllers that are using the Windows 2000 operating system, the local user account MUSR_MQADMIN might not have the authority it requires to query the group membership of other domain user accounts. The Prepare WebSphere MQ Wizard identifies whether this is the case by carrying out tests and asking the user questions about the network configuration. If the local user account MUSR_MQADMIN does not have the required authority, the Prepare WebSphere MQ Wizard prompts the user for the account details of a domain user account with particular settings and permissions. The online help for the Prepare WebSphere MQ Wizard contains information about the domain user account required. Once the user has entered valid account details for the domain user account into the Prepare WebSphere MQ Wizard, it configures AMQMSRVN to run under this account instead of the local user account MUSR_MQADMIN. The account details are held in the secure part of the Registry and cannot be read by users.

When the service is running, AMQMSRVN is launched and remains running for as long as the service is running. A WebSphere MQ administrator who logs on to the server after AMQMSRVN is launched can use the WebSphere MQ Services snap-in to administer queue managers on the server. This connects the WebSphere MQ Services snap-in to the existing AMQMSRVN process. These two actions need different levels of permission before they can work:

Changing the user name associated with WebSphere MQ Services

You might need to change the user name associated with WebSphere MQ Services from MUSR_MQADMIN to something else. (For example, you might need to do this if your queue manager is associated with DB2, which does not accept user names of more than 8 characters.)

To change the user name:

  1. Create a new user account (for example, NEW_NAME).
  2. Use the Prepare WebSphere MQ Wizard to enter the account details of the new user account. Alternatively, use the following command line to set the new account:

     AMQMSRVN -user <domain\>NEW_NAME -password <password>

     where NEW_NAME is the new user name you have chosen, optionally qualified by a domain name. WebSphere MQ allocates the correct security rights and group membership to the new user account.

If for any reason you need to reset the user account back to the default MUSR_MQADMIN account, use the following command:

AMQMJPSE -r

Controlling access

When you install WebSphere MQ, default access permissions are set up for the AMQMSRVN process. These default access permissions grant access to the process to:

These permissions restrict access to the alert monitor task bar application, the WebSphere MQ Services snap-in, and the WebSphere MQ Explorer snap-in to these users and groups only. Other users trying to access these functions are denied access.

Before you can grant or deny users access to the WebSphere MQ Services snap-in, you must configure the access permissions of the objects involved. Use a tool called DCOMCNFG.EXE, shipped with Windows systems, to do this.

Using DCOMCNFG.EXE

To start DCOMCNFG.EXE:

  1. Click Start
  2. Select Run
  3. Type dcomcnfg in the open input field
  4. Click OK

A list of applications is displayed. From this list:

  1. Find and highlight the IBM WebSphere MQ Services entry.
  2. Click Properties. This displays information about the location of the DCOM server (AMQMSRVN.EXE), together with its identity and security properties.
  3. Select the Security page to view or modify the launch, access, or configuration permissions.
  4. Stop the WebSphere MQ service from the Windows Services control panel and restart it for your changes to take effect. (If your changes affect a user who is currently logged on, that user must log off and on again.)

In addition to being able to add to the list of users that are allowed access to a service, you can deny access to specific users and groups. This means that you can grant access to a group of users (by specifying a group name) but deny access to individuals within that group.

Controlling remote access

You can also grant or deny access to users of remote machines using DCOMCNFG.EXE.

You can turn the DCOM server on or off for the entire server using the appropriate setting on the Default Properties page.

User rights granted for MUSR_MQADMIN

The following table lists the user rights granted for MUSR_MQADMIN.

Table 4. User rights granted for MUSR_MQADMIN

User right              Purpose
Log on as a batch job   Enables the WebSphere MQ Services COM server (AMQMSRVN) to run under this user account.
Log on as a service     Enables users to set the WebSphere MQ service itself to log on using MUSR_MQADMIN if they require.
Shut down the system    Allows the WebSphere MQ service to restart the server if it is configured to do so when recovery of a service fails.

Changing the password of the AMQMSRVN user account

If AMQMSRVN is running under the local user account MUSR_MQADMIN (or another local user account), you can change the password for the account as follows:

  1. Stop the WebSphere MQ service.
  2. Close any WebSphere MQ programs that are using the AMQMSRVN COM server (this includes snap-ins, alert monitor, task bar, and so on).
  3. Use the User Manager to change the MUSR_MQADMIN password in the same way that you would change an individual's password. The User Manager is a Windows NT system management tool that allows system administrators to add, delete, or change users on a WebSphere MQ system.
  4. Use DCOMCNFG.EXE to bring up the properties pages for the WebSphere MQ service.
  5. Select the Identity Page.
  6. Modify the password given for the MUSR_MQADMIN user account.

If AMQMSRVN is running under a domain user account, you can also change the password for the account as follows:

  1. Change the password for the domain account on the domain controller. You might need to ask your domain administrator to do this for you.
  2. Use the Prepare WebSphere MQ Wizard to enter the account details including the new password.

The user account that AMQMSRVN runs under executes any MQSC commands that are issued by user interface applications, or performed automatically on system startup, shutdown, or service recovery. This user account must therefore have WebSphere MQ administration rights. By default it is added to the local mqm group on the server. If this membership is removed, the WebSphere MQ service will not work.
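The two requirements stated above, the three user rights in Table 4 and membership of the local mqm group, can be verified from an elevated prompt on the server. The following script is an added example and is not part of the IBM documentation; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and that the account is still the default MUSR_MQADMIN unless another name is passed.

```powershell
# Added example, not part of the IBM documentation: check that the AMQMSRVN service account
# holds the three user rights listed in Table 4 and is still a member of the local mqm group.
# Assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and an elevated prompt.
param(
    # Assumption: the default local account; pass DOMAIN\name if AMQMSRVN was reconfigured.
    [string]$Account = 'MUSR_MQADMIN'
)

# Windows privilege constants for the rights named in Table 4.
$requiredRights = @{
    'SeBatchLogonRight'   = 'Log on as a batch job'
    'SeServiceLogonRight' = 'Log on as a service'
    'SeShutdownPrivilege' = 'Shut down the system'
}

# secedit lists holders either as *SID or as account names, so resolve the SID up front.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$shortName = ($Account -split '\\')[-1]

# Export only the user-rights area of the local security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'amqmsrvn-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

$results = @()
foreach ($right in $requiredRights.Keys) {
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    $held    = $holders | Where-Object { $_ -eq "*$sid" -or $_ -eq $Account -or $_ -eq $shortName }
    $results += [pscustomobject]@{
        Check  = $requiredRights[$right]
        Status = if ($held) { 'OK' } else { 'MISSING' }
    }
}

# The text states that the service stops working if mqm membership is removed, so report it too.
$inMqm = Get-LocalGroupMember -Group 'mqm' -ErrorAction SilentlyContinue |
         Where-Object { $_.SID.Value -eq $sid }
$results += [pscustomobject]@{
    Check  = 'Member of local mqm group'
    Status = if ($inMqm) { 'OK' } else { 'MISSING' }
}

$results | Format-Table -AutoSize
```

A MISSING row for any of the three rights or for mqm membership explains a service that fails to start or an AMQMSRVN that cannot be launched, and points at the setting to restore rather than at DCOM permissions.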

If a security problem arises with the DCOM configuration or with the user account that AMQMSRVN runs under, error messages and descriptions appear in the system event log. One common error is for a user not to have access or launch rights to the server. This error appears in the system log as a DCOM error with the following message description:

Access denied attempting to launch a DCOM server.  The server is:
{55B99860-F95E-11d1-ABB6-0004ACF79B59}
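To find such errors without reading the whole System log, the following added example (not part of the IBM documentation) lists recent DCOM errors whose message contains the server GUID quoted above. It assumes Get-WinEvent is available and does not filter on the provider name, because that name differs between Windows versions.

```powershell
# Added example, not part of the IBM documentation: list recent errors in the System event
# log that mention the WebSphere MQ Services server GUID quoted above, so that access-denied
# and launch failures for AMQMSRVN can be found without reading every event.
param(
    [int]$Hours = 24   # how far back to search
)

# GUID taken from the event message quoted in the documentation above.
$mqServicesGuid = '{55B99860-F95E-11d1-ABB6-0004ACF79B59}'

# Errors only (Level 2) from the System log within the window. The provider is not filtered
# because its display name differs between Windows versions ('DCOM' on older systems,
# 'Microsoft-Windows-DistributedCOM' on current ones); the GUID match below is what matters.
$filter = @{
    LogName   = 'System'
    Level     = 2
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$mqServicesGuid*" } |
    ForEach-Object {
        $evt  = $_
        # Account recorded on the event, translated to DOMAIN\name when the SID resolves.
        $user = ''
        if ($evt.UserId) {
            try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $evt.UserId.Value }
        }
        [pscustomobject]@{
            Time     = $evt.TimeCreated
            EventId  = $evt.Id
            Provider = $evt.ProviderName
            User     = $user
            Summary  = ($evt.Message -split "`r?`n")[0]   # first line of the description
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```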


© IBM Corporation 1994, 2002. All Rights Reserved