Planning for security when you install WebSphere Business Integration Event Broker

Always refer to the file install.html for the latest information about installation tasks. On UNIX systems, you must complete security tasks before you install WebSphere Business Integration Event Broker; these tasks are described in install.html.

On Windows systems, you can define user IDs up to 12 characters long. On UNIX systems and on z/OS you are restricted to eight characters. If you have a mixed environment, ensure that your user IDs are not more than eight characters long.

Considering security when you install on Windows

Perform this task by considering the following steps:

  1. Choosing a user ID for installation
  2. Creating groups during installation

Choosing a user ID for installation

Ensure that the user ID with which you log on:

  • Has Administrator authority on the computer that you are using. You cannot complete the installation without this authority.
  • Is eight characters or less in length.

    When you are using DB2 databases, your user ID must be no more than eight characters long.

Creating groups during installation

The installation program does not create groups or user IDs. You can launch the Security Wizard from the installation program dialogs, or you can select Start > Programs > IBM WebSphere Business Integration Message Brokers > Security Wizard. If you prefer, you can create groups and users manually; the steps required are shown in install.html.

If you intend to install WebSphere Business Integration Event Broker in a domain environment, review these additional considerations:

  • If you intend to install WebSphere Business Integration Event Broker on the domain controller system:
    1. Install on the domain controller before you install on any of the domain workstations.

      The WebSphere Business Integration Event Broker installation program does not create the mqbrkrs local group; you can launch the Security Wizard, or create this group manually.

      In a domain environment, WebSphere Business Integration Event Broker also requires a global group, Domain mqbrkrs, which you must create manually. You must also add Domain mqbrkrs to the local group mqbrkrs.

      Creating security principals on Windows provides detailed instructions.

    2. Install on each workstation that is a member of the same domain. The WebSphere Business Integration Event Broker installation program does not create the mqbrkrs local group; you can launch the Security Wizard, or create this group manually. Add the Domain mqbrkrs global group to the local mqbrkrs group.
  • If you do not intend to install WebSphere Business Integration Event Broker on the domain controller system:
    1. Create the Domain mqbrkrs global group on the domain controller system.
    2. Install on each workstation. The WebSphere Business Integration Event Broker installation program does not create the mqbrkrs local group. Ensure that you create this group and add the Domain mqbrkrs global group to the local group.

Considering security when you install on UNIX

Security control of WebSphere Business Integration Event Broker components, resources, and tasks depends on the definition of users and groups of users (principals) to the security subsystem of the operating system. You must create the groups and users required by WebSphere Business Integration Event Broker before you install the product. Refer to the install.html file for details of what to create, and how to complete the task.

Users must also have the appropriate authority to WebSphere MQ resources (queues and queue managers) and to the databases being used by the broker. Users on UNIX need appropriate authority to the WebSphere MQ resources on UNIX and to those on any remote queue managers (for example, the Configuration Manager on Windows). The Security requirements for UNIX platforms table provides a summary of authorizations in the UNIX environment.

Creating user IDs after installation

When you are planning the administration of your broker configuration, consider defining user IDs for the following roles:

If you are running a Configuration Manager with one user ID and a broker with a different user ID on another system, you might see an error message when you deploy message flows to the broker. To avoid this, complete the following steps:

  • Ensure that the broker's user ID is a member of the mqm and mqbrkrs groups.
  • Define the broker's user ID on the system on which the Configuration Manager is running.
  • Define the Configuration Manager's user ID on the system on which the broker is running.
  • Ensure that all IDs are in lowercase so that they are compatible between computers.
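
The following POSIX shell preflight check is an added example, not part of the IBM documentation. It applies the rules stated on this page to a broker user ID on a UNIX system: no more than eight characters, lowercase, and a member of the mqm and mqbrkrs groups. The function names check_broker_id and check_system_user are assumptions made for this example.

```shell
#!/bin/sh
# Preflight check for a broker user ID (added example; function names are hypothetical).
# Rules taken from this page:
#   - no more than eight characters (UNIX, z/OS and DB2 limit)
#   - lowercase only, so the ID is compatible between computers
#   - member of the mqm and mqbrkrs groups

# check_broker_id ID "GROUP1 GROUP2 ..."
# Prints one line per problem and returns the number of problems found.
check_broker_id() {
    uid_name=$1
    uid_groups=$2
    problems=0

    if [ -z "$uid_name" ]; then
        echo "user ID is empty"
        return 1
    fi
    if [ "${#uid_name}" -gt 8 ]; then
        echo "$uid_name: longer than eight characters"
        problems=$((problems + 1))
    fi
    case $uid_name in
        *[[:upper:]]*)
            echo "$uid_name: contains uppercase characters"
            problems=$((problems + 1))
            ;;
    esac
    # Match whole group names only, so "mqmadmin" does not count as "mqm".
    for required in mqm mqbrkrs; do
        case " $uid_groups " in
            *" $required "*) ;;
            *)
                echo "$uid_name: not a member of $required"
                problems=$((problems + 1))
                ;;
        esac
    done
    return "$problems"
}

# Check a real account on this system: the group list comes from `id -Gn`.
check_system_user() {
    check_broker_id "$1" "$(id -Gn "$1" 2>/dev/null)"
}
```

Run `check_system_user <id>` on the broker system; the same length and case checks apply to the ID that you define on the Configuration Manager system.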