Security on Linux and UNIX systems
Set up the required security on Linux and UNIX systems before you install WebSphere® Message Broker.
Use the security facilities that are provided by your operating system to complete these tasks; for example, the Systems Management Interface Tool (SMIT) on AIX®, or the System Administration Manager on HP-Itanium.
Complete the following actions:
- Log in to the system.
On AIX, you must log in as root. On Linux and on other UNIX computers, your user ID must have root authority. You need this level of authority to set up the security requirements for installing the Broker component. The product can then be installed by a user who does not have root privileges.
If you are using a Linux on x86 or a Linux on x86-64 system and are not planning to install the Broker component, continue with step 4. Otherwise, follow your local security guidelines to acquire root authority; either log in as root, or log in as another user and become root.
The use of a user ID other than root itself has some advantages; it provides an audit trail of the user ID that installs the product and it limits the scope of root authority to tasks performed in a single session. The use of a user ID other than root might also be mandatory if you are logging in from a remote system.
- If you plan to run the installation as a user with root authority, then complete the following steps:
- Under root authority, the installation automatically creates a security group called mqbrkrs. You must add your root authority login ID to the group after it has been created.
- If you have already installed WebSphere MQ on this system, a group called mqm and a user called mqm are defined. If you have not yet installed WebSphere MQ, you must create this group and user.
- Add your root authority user login ID to the group mqm, along with the user ID mqm.
- On some systems, you must log off and log on again for these new group definitions (mqbrkrs and mqm) to be recognized.
- If you plan to run the installation as a user without root authority, a user with root authority must complete the following steps before installation. If you have other versions of WebSphere Message Broker already installed on the system, you must complete subtasks c, e, f, h, and i only.
- Create a security group called mqbrkrs. For example:
- For non-AIX systems
sudo groupadd mqbrkrs
- For AIX
sudo mkgroup mqbrkrs
- If WebSphere MQ has already been installed on this system, a group called mqm and a user called mqm are defined. If WebSphere MQ has not been installed, the group and user must be created.
- Add your non-root installation user login ID to the group mqm, along with the user ID mqm.
- If it does not exist, create the /var/mqsi directory.
For example:
sudo mkdir /var/mqsi
- Ensure that the correct ownership and access permissions are set for the /var/mqsi directory. For example:
sudo chown mqm:mqbrkrs /var/mqsi
sudo chmod 775 /var/mqsi
If the directory already exists, perform the command recursively:
sudo chown -R mqm:mqbrkrs /var/mqsi
sudo chmod -R ug+rwX /var/mqsi
Note: This command recursively changes the ownership of all files and directories. Review existing files with a system administrator to ensure this action does not create a security risk.
- If multiple users are going to create and use multiple brokers, set the group ID of the /var/mqsi directory so new files and directories inherit the same group ID. Otherwise a broker created by User1, with a primary group of User1, will be accessible to User2 (with a primary group of User2). For example:
sudo chmod g+s /var/mqsi
If the broker already exists, perform the command recursively:
find /var/mqsi -type d -exec chmod g+s {} \;
- If the /var/mqsi/install.properties file exists, ensure that your non-root installation user ID has write access to it. For example:
sudo chmod 664 /var/mqsi/install.properties
- If they do not exist, create the directories /opt/ibm/mqsi and /opt/ibm/IE02 for Linux, or /opt/IBM/mqsi and /opt/ibm/IE02 for UNIX. For example:
- For Linux
sudo mkdir /opt/ibm/mqsi
sudo mkdir /opt/ibm/IE02
- For UNIX
sudo mkdir /opt/IBM/mqsi
sudo mkdir /opt/ibm/IE02
- Ensure that the correct ownership is assigned to the mqsi directory, along with access permissions to both the mqsi and IE02 directories. For example:
- For Linux
sudo chown mqm:mqbrkrs /opt/ibm/mqsi
sudo chmod 775 /opt/ibm/mqsi
sudo chmod 775 /opt/ibm/IE02
- For UNIX
sudo chown mqm:mqbrkrs /opt/IBM/mqsi
sudo chmod 775 /opt/IBM/mqsi
sudo chmod 775 /opt/ibm/IE02
- If there are any existing logs from a previous installation of WebSphere Message Broker or IE02 you must delete or rename them, as the installation program may not have the correct permission to replace them. The logs in question can be found in the /var/mqsi directory and have a file type of .log.
- If setting the IATEMPDIR variable, ensure that your non-root user ID has write permission to the directory you choose. For example:
sudo chmod 775 /tmp/IATEMP
Note: This action is only needed if you have insufficient space in the default file system for the installation.
- Verification procedures are provided for Linux on x86 and Linux on x86-64. To complete verification, you do not require root authority. If you install with root authority, but do not want to complete verification with root authority, log off when you have completed installation. Log in with the same or a different user ID, but do not become root.
If you log in with another user ID, and have not already added this ID to the groups mqbrkrs and mqm, do so before you open the WebSphere Message Broker Toolkit.
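A read-only check of the /var/mqsi ownership, permission and set-group-ID steps above, useful before and after the recursive chown and chmod commands. This is an added example, not IBM's code: the function name audit_mqsi and the finding labels are assumptions made here, while the path, user and group are the ones named on this page.

```shell
#!/bin/sh
# Added example: read-only audit of the broker work directory.
# Usage (values from the steps above): audit_mqsi /var/mqsi mqm mqbrkrs
# Prints one "FINDING path" line per problem; returns 0 if clean, 1 otherwise.
audit_mqsi() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    findings=$(
        # Top-level directory must belong to the expected owner.
        find "$dir" -prune ! -user "$owner" -exec echo WRONG_OWNER {} \;
        # Entries whose group is not the expected group.
        find "$dir" ! -group "$group" -exec echo WRONG_GROUP {} \;
        # Directories missing rwx for the group (775 / ug+rwX not applied).
        find "$dir" -type d ! -perm -0070 -exec echo DIR_NOT_GROUP_RWX {} \;
        # Directories without set-group-ID: new entries do not inherit the group.
        find "$dir" -type d ! -perm -2000 -exec echo DIR_NO_SETGID {} \;
        # set-user-ID / set-group-ID on regular files: review each one.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec echo FILE_SETID {} \;
        # Writable by everyone, which goes beyond the 775 / 664 modes.
        find "$dir" ! -type l -perm -0002 -exec echo WORLD_WRITABLE {} \;
        # Symbolic links: review before any recursive chown or chmod.
        find "$dir" -type l -exec echo SYMLINK {} \;
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

The function changes nothing on disk, so it can be run by the non-root installation user as well as by root.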