Changing MQ service Account
jeevan
Posted: Tue Jul 17, 2007 11:31 am    Post subject: Changing MQ service Account

Grand Master

Joined: 12 Nov 2005
Posts: 1432

I need to change the account MQ services is running from local user MUSR_MQADMIN to a domain account. When we set up the account

[ stop mq services
ran AMQMJPSE -r
finished setup wizard
start mq services]

first we get mq running on unknown account. After checking we found two things happened:

MUSR_MQADMIN was deleted
the new services account was not added to the mqm group (I was expecting that)

I had more, doing tests with various scenarios, but are these two actions expected?

thanks a lot
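
A check for the two symptoms reported in the post above (a service logon account that no longer resolves, and a service account missing from the local mqm group), as an added example that is not part of the original thread. The `*MQ*` display-name filter is an assumption and may also match unrelated services; narrow it to the MQ service names on your host.

```powershell
# Added example: report the logon account of each MQ-related Windows service,
# whether Windows can still resolve that account, and whether it is a direct
# member of the local mqm group. Run elevated on the MQ host (PowerShell 5.1+).
param(
    [string]$NameFilter = '*MQ*',   # assumed display-name pattern, adjust as needed
    [string]$Group      = 'mqm'     # local group named in the thread
)

function Resolve-Account {
    param([string]$Name)
    # Returns the SID string, or $null when the name cannot be mapped
    # (the "unknown account" case, e.g. a deleted local user).
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

# SIDs of the direct members of the local group. Membership gained through a
# nested domain group is not expanded here.
$memberSids = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
    ForEach-Object { $_.SID.Value }

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $NameFilter } |
    ForEach-Object {
        # StartName uses ".\user" for local accounts and "LocalSystem" for SYSTEM
        $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
        $sid = Resolve-Account $account
        [pscustomobject]@{
            Service  = $_.Name
            RunsAs   = $account
            Resolves = [bool]$sid
            InGroup  = [bool]($sid -and ($memberSids -contains $sid))
            State    = $_.State
        }
    } | Format-Table -AutoSize
```

A row with `Resolves` false corresponds to a service left pointing at a deleted account; `InGroup` false with `Resolves` true corresponds to a service account that was never added to mqm.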
Vitor
Posted: Wed Jul 18, 2007 12:02 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

From a personal perspective, I wouldn't run the services as a domain user. They're better under the control of a local user, you get no authentication issues that way.
_________________
Honesty is the best policy.
Insanity is the best defence.
jeevan
Posted: Wed Jul 18, 2007 10:59 am    Post subject:

Grand Master

Joined: 12 Nov 2005
Posts: 1432

Thank you Vitor. My situation is like this:

The SI support team is in Europe. So any installation of MQ and PM4DATA comes from them. The full repository for mq and EP for PM4DATA is in Europe and they administer them. So, they need access to every installation of MQ and PM4DATA.

PM4DATA is not an issue as one one is logged in the box anyway, they can work on it. But in MQ, this is not the case.

Initially, we create services (domain) account in US domain. But the domain mqm group user in European domain cannot administer the mq. We do not like to create 10 accounts on every mq installation. We agreed to create domain account and run mq on this account.

But it does not seem a smooth process. I am having so many issues.

Do you have any idea, like if mq is running on an account that belongs to XXX domain (XXXXX and YYYYY are trusted domains), can a domain account on YYYY domain administer MQ? As I said, XXXXX and YYYYY are trusted domains.

Thanks
Vitor
Posted: Wed Jul 18, 2007 12:12 pm    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Any domain user has trouble administering MQ. It gets worse if the service is run as a domain user; if domain authentication fails the service fails & MQ doesn't run.

If the question is how a team in Europe can administer MQ on another continent, there are a number of options depending on how they want to do it even with the MQ running on a local user. All you really need is someone (anyone) locally with enough knowledge to switch the server on and off, and a script to restart the queue managers!
jeevan
Posted: Wed Jul 18, 2007 1:26 pm    Post subject:

Grand Master

Joined: 12 Nov 2005
Posts: 1432

Vitor wrote:
Any domain user has trouble administering MQ. It gets worse if the service is run as a domain user; if domain authentication fails the service fails & MQ doesn't run.

If the question is how a team in Europe can administer MQ on another continent, there are a number of options depending on how they want to do it even with the MQ running on a local user. All you really need is someone (anyone) locally with enough knowledge to switch the server on and off, and a script to restart the queue managers!


Vitor,

At this time, I would like to ask two questions:

We are considering creating all the accounts who need to deal with mq under one of the domains and still running mq on domain account. From your experience, running MQ on domain is not a good idea, correct?

What exactly do you mean

Quote:

All you really need is someone (anyone) locally with enough knowledge to switch the server on and off, and a script to restart the queue managers!


I do not think it is feasible changing account running mq and management will definitely not allow us to do this with a production server.

What we are trying to avoid is not to create 20 accounts when we add one mq box. But we can just add domain mqm group of both domains into local mqm and admin group and who need somethime, login and do. If they require local account, they can create as they are in admin group.

I want to ask is there a better and more efficient way than this?


Thank you a lot
Vitor
Posted: Wed Jul 18, 2007 2:00 pm    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jeevan wrote:

We are considering creating all the accounts who need to deal with mq under one of the domains and still running mq on domain account. From your experience, running MQ on domain is not a good idea, correct?


My experience is that it's best to have MQ services running under a local account, with a local mqm user and group. Running them with a domain user causes problems; if you search the forum you'll see often quoted advice to install and run MQ as a local user.

This has nothing to do with who is the designated administrator.


jeevan wrote:

What exactly do you mean

Quote:

All you really need is someone (anyone) locally with enough knowledge to switch the server on and off, and a script to restart the queue managers!



I mean the one thing you can't do remotely is reboot a server.

jeevan wrote:
What we are trying to avoid is not to create 20 accounts when we add one mq box.


Why create so many? What are you doing?

jeevan wrote:

I want to ask is there a better and more efficient way than this?


Any number. As a bare minimum you can use the remote administration facilities built into MQ, or Windoze.