As a first step, I recommend reading the article ‘Configuring MQ to work with Windows Domain Users’, which explains how IBM MQ should be configured to allow access to domain users.

Configuring MQ to work with Windows Domain Users

In this article we will see how IBM MQ can be configured to allow access to domain accounts that belong to another trusted domain. To explain this scenario I am using two domains, MQL3S and MQL3SUP, with a one-way trust: MQL3S trusts MQL3SUP but not the other way round (the same configuration works with a two-way trust as well). IBM MQ runs on a member server that belongs to the domain MQL3S.

Example:

This example illustrates how IBM MQ can be configured so that user accounts from the domain MQL3SUP can administer MQ. To do this, a domain group needs to be created in the domain MQL3SUP, as documented on the Knowledge Center page below.

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.wizard_help.doc/i_conf_win2000.htm

The permissions granted to this group ensure that users belonging to it are allowed to query the group membership of other domain accounts. A member of this group is then used to configure IBM MQ.

The image below shows the definition of ‘Domain mqm’ group and its member on the Domain Controller MQL3SUP.

Add the domain group ‘MQL3SUP\Domain mqm’ as a member of the local mqm group on MQL3S\ServerA where MQ is installed.

Run the Prepare IBM MQ Wizard to configure IBM MQ with the domain account ‘mqdevadmin’, which is a member of MQL3SUP\Domain mqm.

When the wizard completes successfully you will see that the IBM MQ service is configured to run under the domain account MQL3SUP\mqdevadmin.

Domain accounts from mql3sup can be granted specific authorizations on MQ using the setmqaut command. Here the domain user account mq_user_maya is granted permission, using setmqaut, to connect to the queue manager QM_TEST and to put messages to the queue Q1.

Restriction:
Granting permissions to a domain group from the mql3sup domain using the setmqaut command will not work.

Example: I have a domain user account mq_user_xyz which is a member of the domain group mq_user_group. Granting connect and put permissions to the group mq_user_group is not reflected as a permission granted to the user.

C:\>setmqaut -m QM_TEST -t qmgr -g mql3sup\mq_user_group +connect +inq +dsp
The setmqaut command completed successfully.

C:\>setmqaut -m QM_TEST -t q -n Q1 -g mql3sup\mq_user_group +put +inq +dsp
The setmqaut command completed successfully.

However, when the user mq_user_xyz connects, the error MQRC_NOT_AUTHORIZED (2035) is reported.

This issue can be overcome by creating a local group on the server MQL3S\ServerA, adding the domain users from the mql3sup domain as members of that local group, and granting the MQ permissions to the local group instead.
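The workaround above, written out as a PowerShell session on MQL3S\ServerA (an added example, not part of the original article). The local group name MQ_QM_TEST_Users is an assumption; the domain, user, queue manager and queue names are the ones used in this article, and the commands assume the MQ bin directory is on the PATH and that the Microsoft.PowerShell.LocalAccounts cmdlets are available.

```powershell
# Added example, not the article's own commands. Assumptions: local group name
# 'MQ_QM_TEST_Users', run as a local administrator on MQL3S\ServerA, MQ bin on PATH.
$group = 'MQ_QM_TEST_Users'
$user  = 'mql3sup\mq_user_xyz'

# 1. Create the local group on the member server (skipped if it already exists).
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'Holds trusted-domain users for QM_TEST' | Out-Null
}

# 2. Add the trusted-domain user as a member (skipped if already a member).
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -ieq $user })) {
    Add-LocalGroupMember -Group $group -Member $user
}

# 3. Grant the authorities to the LOCAL group, not to the mql3sup domain group.
setmqaut -m QM_TEST -t qmgr -g $group +connect +inq +dsp
setmqaut -m QM_TEST -t q -n Q1 -g $group +put +inq +dsp

# 4. Check the effective authorities as resolved for the domain user.
#    Expect connect, inq and dsp on the queue manager and put, inq and dsp on Q1;
#    a result of 'none' means the local-group membership was not resolved.
dspmqaut -m QM_TEST -t qmgr -p $user
dspmqaut -m QM_TEST -t q -n Q1 -p $user
```

Running the two dspmqaut checks before step 3 shows the same 2035 condition from the prose: the user has no authority until the local group is granted.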
