Securing messaging directories and log files

Secure message directories and log files to restrict access to the /var/mqm directories and log files needed for WebSphere embedded messaging or WebSphere MQ as the JMS provider.

Set the permissions described in this topic to reduce the risk of severe security exposures.

Tip: Use the /var file system to store all the security logging information for the system, and to store the temporary files for e-mail and printing. It is critical that you maintain free space in the /var directory for these operations and prevent unauthorized access to the file system. If you fail to create a separate file system for messaging data, and the /var directory fills up, all security logging is stopped on the system until free space becomes available in the /var directory. Also, e-mail and printing are no longer possible until some free space is available in the /var directory.

This procedure involves steps that you complete during different stages of installing and using IBM WebSphere Application Server. The steps are also described at appropriate points in other tasks, but are collected here for completeness.

This procedure applies only to the ordinary UNIX file system. If your site uses access-control lists, secure the files by using that mechanism. Any site-specific requirements can affect the desired owner, group and corresponding privileges. For example, on AIX systems, complete the following stages:

  1. Before installing WebSphere embedded messaging or WebSphere MQ, create and mount a journalized file system called /var/mqm.
    Use a partition strategy with a separate volume for the messaging data so that other system activity is not affected if a large amount of messaging work builds up in the /var/mqm directory.
  2. Install WebSphere embedded messaging or WebSphere MQ as the JMS provider.

    This step is described in the following topics in the WebSphere Application Server InfoCenter:

    As part of this step, the installation program creates the /var/mqm/errors and /var/mqm/qmgrs/@SYSTEM/errors directories that are used to hold messaging logging files.

  3. Restrict access to the /var/mqm/errors directory and the logging files, by using the following commands:
    chmod 3777 /var/mqm/errors
    chown mqm:mqm /var/mqm/errors
    
    touch /var/mqm/errors/AMQERR01.LOG 
    chown mqm:mqm /var/mqm/errors/AMQERR01.LOG
    chmod 666 /var/mqm/errors/AMQERR01.LOG
    
    touch /var/mqm/errors/AMQERR02.LOG
    chown mqm:mqm /var/mqm/errors/AMQERR02.LOG
    chmod 666 /var/mqm/errors/AMQERR02.LOG
    
    touch /var/mqm/errors/AMQERR03.LOG
    chown mqm:mqm /var/mqm/errors/AMQERR03.LOG 
    chmod 666 /var/mqm/errors/AMQERR03.LOG
    
  4. Restrict access to the /var/mqm/qmgrs/@SYSTEM/errors directory and the logging files, by using the following commands:
    chmod 3777 /var/mqm/qmgrs/@SYSTEM/errors
    chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors
    
    touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG 
    chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG
    chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR01.LOG
    
    touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
    chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
    chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR02.LOG
    
    touch /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG
    chown mqm:mqm /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG 
    chmod 666 /var/mqm/qmgrs/@SYSTEM/errors/AMQERR03.LOG
    
  5. For each application server that uses WebSphere embedded messaging or WebSphere MQ, restrict access to the /var/mqm/qmgrs/long_server_name/errors directory of the server and its messaging logging files.
    Restrict access to the server directory and logging files, after creating the application server.

    To restrict access to the server directory and logging files, use the following commands:

    chmod 3775 /var/mqm/qmgrs/long_server_name/errors
    chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors
    
    touch /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG 
    chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG
    chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR01.LOG
    
    touch /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
    chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
    chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR02.LOG
    
    touch /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG
    chown mqm:mqm /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG 
    chmod 666 /var/mqm/qmgrs/long_server_name/errors/AMQERR03.LOG
    

    Where long_server_name is the long name assigned to the server, in the following form: WAS_nodename_server_name. For example, if you created an application server called server1 to run on the node called appnode1, the long server name would be: WAS_appnode1_server1.
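The following script is an added example and is not part of this topic or of the WebSphere product: it applies the modes from steps 3 to 5 to one errors directory and then audits that directory for drift from those modes, so the same check can be rerun after each application server is created. MQM_ROOT and OWNER are assumptions introduced here so the script can be exercised against a scratch copy of /var/mqm; the octal mode is read with GNU stat.

```shell
#!/bin/sh
# Added example, not from the original topic. MQM_ROOT and OWNER are assumptions:
# point MQM_ROOT at a scratch directory to rehearse, and set OWNER to an empty
# string to skip chown (for example when not running as root).
MQM_ROOT="${MQM_ROOT:-/var/mqm}"
OWNER="${OWNER:-mqm:mqm}"

# Long server name in the form WAS_nodename_server_name (step 5).
long_server_name() {
    printf 'WAS_%s_%s' "$1" "$2"
}

# Permission bits in octal, including setgid and sticky bits (GNU stat assumed).
octal_mode() {
    stat -c '%a' "$1"
}

# Create an errors directory with the given mode and its three AMQERR0n.LOG
# files at mode 666, as steps 3 to 5 do by hand (3777 for steps 3 and 4,
# 3775 for step 5).
secure_errors_dir() {
    dir="$1"; dirmode="$2"
    mkdir -p "$dir" && chmod "$dirmode" "$dir" || return 1
    [ -z "$OWNER" ] || chown "$OWNER" "$dir" || return 1
    for n in 01 02 03; do
        f="$dir/AMQERR$n.LOG"
        touch "$f" && chmod 666 "$f" || return 1
        [ -z "$OWNER" ] || chown "$OWNER" "$f" || return 1
    done
}

# Audit one errors directory: report every path whose mode drifted from what
# the procedure set, and return non-zero if anything drifted.
check_errors_dir() {
    dir="$1"; dirmode="$2"; rc=0
    [ "$(octal_mode "$dir" 2>/dev/null)" = "$dirmode" ] ||
        { echo "MODE DRIFT: $dir, expected $dirmode"; rc=1; }
    for n in 01 02 03; do
        f="$dir/AMQERR$n.LOG"
        [ "$(octal_mode "$f" 2>/dev/null)" = "666" ] ||
            { echo "MODE DRIFT: $f, expected 666"; rc=1; }
    done
    return $rc
}

# Step 5 for one application server, given its node name and server name.
secure_server_errors() {
    secure_errors_dir "$MQM_ROOT/qmgrs/$(long_server_name "$1" "$2")/errors" 3775
}
check_server_errors() {
    check_errors_dir "$MQM_ROOT/qmgrs/$(long_server_name "$1" "$2")/errors" 3775
}
```

Run check_server_errors for each server on a schedule; a non-zero exit with a MODE DRIFT line tells you which path no longer matches the procedure.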

Results

This task restricted access to the /var/mqm directories and log files needed for WebSphere embedded messaging or WebSphere MQ as the JMS provider, such that only the user ID mqm or members of the mqm user group have write access.