How to configure a non-root user account for IBM WebSphere MQ

Article ID: 403676

Updated On:

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

In general, the user account the websphere_mq probe runs as must be given the permissions it needs on the MQ resources it monitors, and the WebSphere MQ environment must be configured accordingly; otherwise the probe returns unexpected results or errors.

For example, the MQ team must grant the user the probe runs as (root, unless a non-root account has been configured as described below) access to the channel(s) the probe connects through.

If there is an access issue, the probe log shows an error similar to the one below:

Jun 11 16:20:26:107 [Data Collector - 0, websphere_mq] Failed to execute PCF commandcom.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2538'.

Check the reason code before changing authorities. Reason '2538' is MQRC_HOST_NOT_AVAILABLE: the probe could not establish a connection to the queue manager at all, typically because the listener, the channel or a firewall is blocking the probe host. A user that connects but lacks authority on an object gets Reason '2035' (MQRC_NOT_AUTHORIZED) instead, and the queue manager writes a matching AMQ8077 entry to its error log (/var/mqm/qmgrs/<queue_manager>/errors/AMQERR01.LOG) naming the entity, the object and the missing authority, which tells you exactly which setmqaut grant is needed.

Environment

  • DX UIM 23.4 CU3 or higher
  • IBM Websphere MQ
  • websphere_mq probe

Cause

  • Guidance

Resolution

Configure non-root account access for IBM Websphere MQ (websphere_mq probe)


User authorization
Add the user ID to the mqm group: On AIX or Linux, adding the non-root user ID to the mqm group gives it full administrative authority over every queue manager on the host. This is the quickest way to make the probe work, but from a least-privilege standpoint it is no better than running the probe as root, so prefer the granular authorities described in the next step and keep mqm membership for administrators.

Set appropriate authority for MQ objects
For WebSphere MQ V7.5 or later on AIX or Linux, use the setmqaut command to grant the non-root user ID specific authorities on IBM MQ objects (see the setmqaut reference in the IBM MQ documentation). For example, setmqaut -m queue_manager -t qmgr -p user_ID +inq +connect +dsp +setid grants inquire, connect, display and set-identity-context authority on the queue manager to the specified user. This gives far more granular control than simply adding the user to the mqm group. Two caveats: on AIX and Linux an authority granted with -p is recorded against the user's primary group unless the queue manager uses user-based authorization (SecurityPolicy=User in the Service stanza of qm.ini, IBM MQ 8.0 or later), so every other member of that group inherits it; and a probe that issues PCF commands additionally needs +put on SYSTEM.ADMIN.COMMAND.QUEUE, +get on the model queue its reply queue is created from, and +inq +dsp on the queues and channels it monitors. Use dspmqaut to confirm the effective authorities after each change.

Consider using alternate user IDs: You can configure the WebSphere MQ connector to open a queue with an alternate user ID, so that access-control checks are made against that ID rather than the connecting user's. The connecting user then needs +altusr authority on the queue manager, so this shifts rather than removes the authorization work.

General security practices
Follow WebSphere MQ security best practices: Restrict membership in the mqm group, grant granular permissions using setmqaut, and consider using third-party security tools or SupportPacs like MS0E for accessing and altering MQ configurations.

Secure channel connections: Configure SVRCONN channels with a disconnect interval (DISCINT) so idle connections are closed, and ensure that application and monitoring accounts do not use the SYSTEM.DEF.SVRCONN channel, which is a known security hazard. Give the probe its own SVRCONN channel with MCAUSER set to the non-root account and a CHLAUTH rule that admits only the monitoring host.

Use TLS/SSL for secure communication: Secure remote administrative channels using TLS/SSL when remote access is enabled on production systems.
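The following script puts the setmqaut, dedicated-channel and verification guidance above into one place. It is an added example, not the probe's own setmqprobe_auth.sh and not IBM code. The queue manager QM1, the service account uimsvc, the channel UIM.SVRCONN and the monitoring host 192.0.2.10 are placeholders, and the authority set is the one a PCF-based client generally needs (connect to the queue manager, put to SYSTEM.ADMIN.COMMAND.QUEUE, get from the reply model queue, inquire and display on the monitored objects); that it matches what the probe requires is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example, not the probe's own setmqprobe_auth.sh: grant a non-mqm
# service account the minimum authorities a PCF-based monitor needs, give it a
# dedicated SVRCONN channel, and verify the result with dspmqaut.
# Assumed placeholders: queue manager QM1, user uimsvc, channel UIM.SVRCONN,
# monitoring host 192.0.2.10. Run as a member of the mqm group.
set -f   # no globbing: the generic profile '**' must reach setmqaut untouched
QMGR="${QMGR:-QM1}"
MQUSER="${MQUSER:-uimsvc}"
CHANNEL="${CHANNEL:-UIM.SVRCONN}"
PROBE_HOST="${PROBE_HOST:-192.0.2.10}"

# Authority plan, one object per line: grant-name verify-name type authorities.
# '**' is a generic profile covering every object of that type. dspmqaut reports
# effective authority on a concrete object, so each generic row names a default
# object that exists in every queue manager to check against. "-" = the queue manager.
probe_auth_plan() {
    cat <<'EOF'
- - qmgr +connect +inq +dsp
SYSTEM.ADMIN.COMMAND.QUEUE SYSTEM.ADMIN.COMMAND.QUEUE queue +put +inq +dsp
SYSTEM.DEFAULT.MODEL.QUEUE SYSTEM.DEFAULT.MODEL.QUEUE queue +get +inq +dsp
** SYSTEM.DEFAULT.LOCAL.QUEUE queue +inq +dsp
** SYSTEM.DEF.SVRCONN channel +dsp
EOF
}

# setmqaut/dspmqaut object arguments for one plan row (name, type).
object_args() {
    if [ "$2" = qmgr ]; then printf '%s\n' "-t qmgr"; else printf '%s\n' "-n $1 -t $2"; fi
}

# Apply every row of the plan; stop at the first setmqaut failure.
grant_probe_auth() {   # args: queue_manager user
    probe_auth_plan | while read -r grant verify type auths; do
        setmqaut -m "$1" $(object_args "$grant" "$type") -p "$2" $auths || exit 1
    done
}

# Confirm each authority appears in dspmqaut's output (one per line, e.g. "inq");
# report the first gap and return non-zero so a wrapper can refuse to proceed.
verify_probe_auth() {  # args: queue_manager user
    probe_auth_plan | while read -r grant verify type auths; do
        have=$(dspmqaut -m "$1" $(object_args "$verify" "$type") -p "$2") || exit 1
        for a in $auths; do
            printf '%s\n' "$have" | grep -qw "${a#+}" ||
                { echo "MISSING ${a#+} on $type $verify for $2" >&2; exit 1; }
        done
    done
}

# Dedicated SVRCONN: MCAUSER fixes the identity the channel runs under, and the
# CHLAUTH rules map only the monitoring host to it and refuse every other address
# (the more specific address rule takes precedence over '*').
define_probe_channel() { # args: queue_manager channel user address
    runmqsc "$1" <<EOF
DEFINE CHANNEL('$2') CHLTYPE(SVRCONN) MCAUSER('$3') REPLACE
SET CHLAUTH('$2') TYPE(ADDRESSMAP) ADDRESS('$4') USERSRC(MAP) MCAUSER('$3') ACTION(REPLACE)
SET CHLAUTH('$2') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
REFRESH SECURITY(*)
EOF
}

case "${1:-}" in
    apply) define_probe_channel "$QMGR" "$CHANNEL" "$MQUSER" "$PROBE_HOST" &&
           grant_probe_auth "$QMGR" "$MQUSER" && verify_probe_auth "$QMGR" "$MQUSER" ;;
    check) verify_probe_auth "$QMGR" "$MQUSER" ;;
    *)     echo "usage: $0 apply|check" >&2 ;;
esac
```

Run it as mqm with apply once, then with check after any later change to group membership or authority records. The set -f at the top matters: without it an unquoted '**' is expanded by the shell into the files in the current directory and setmqaut silently grants authority on the wrong names. On a queue manager created with IBM MQ 8.0 or later, the default connection authentication setting CHCKCLNT(REQDADM) also demands a password from privileged (mqm) client connections, which is one more reason to connect the probe as a non-mqm account through a channel of its own.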


IBM WebSphere MQ - UIM Agent Install
- UIM Agent Installation & Configuration 

** FOR RHEL ONLY: steps 1 - 8 have been automated via <Third-Party Automation_Product> (for example Puppet or Ansible). With Puppet, adding the UIM class to the MQ server's hostname.yaml and running the following sets up those pieces; the remaining steps are still done by hand: **

puppet agent -tv --tags=uim
 

  1. Create the UIM local user and group

     groupadd -g 7778 <uim_service_acct>

     useradd -g <uim_service_acct> -u 7778 -d /home/<uim_service_acct> -m -c 'CA UIM Service Account' -s /bin/bash <uim_service_acct>
 

  2. Install the nimsoft-robot package

     yum install nimsoft-robot -y
 

  3. Create nms-robot-vars.cfg using the DC-specific variables listed below

     vi /opt/nms-robot-vars.cfg

** Make sure you update all of the items listed below to match the environment where the install is being done.
 

Environment:

domain=xxxxx
hubip=xxxx
hub=xxxx
hubrobotname=xxxx
hubport=48002

  4. Execute the RobotConfigurer

     /opt/nimsoft/install/RobotConfigurer.sh 

  5. Change ownership of the Nimsoft files to <uim_service_acct>

     chown -R <uim_service_acct>:<uim_service_acct> /opt/nimsoft/

     chown <uim_service_acct>:<uim_service_acct> /etc/nimbus.conf 

  6. Update the default user the nimbus process will run as, and confirm afterwards that the script now contains NIMBUS_USER=<uim_service_acct> (if the pattern did not match, the robot and every probe it deploys keep running as root)

     perl -pi -e 's/NIMBUS_USER=root/NIMBUS_USER=<uim_service_acct>/' /etc/init.d/nimbus
 

  7. Create the probe request file for automated deployment

     vi /opt/nimsoft/request.cfg    (insert the text below into the file)

 
     <distribution request>

         packages=websphere_mq,<websphere_mq>_template

     </distribution request>

  8. Reload the systemd units (the init script changed in step 6) and start the nimbus service

     systemctl daemon-reload

     systemctl start nimbus


  9. Wait for probe deployment to complete. You can confirm by checking that the application folder is created

     watch ls /opt/nimsoft/probes          (CTRL + c to exit)
 

  10. Once /opt/nimsoft/probes/application has been created, replace the root user with <uim_service_acct> within the Set MQ Probe script. This substitution replaces the first "root" on every line of the script, including inside paths and longer words, so keep a backup copy and diff the result before running the script in the next step.

     perl -pi -e 's/root/<uim_service_acct>/' /opt/nimsoft/probes/application/websphere_mq/setmqprobe_auth.sh

  11. Switch to the mqm user (for example with su - mqm) and execute the Set MQ Probe script    (NOTE: this will only work if the queue managers are already started)

     /opt/nimsoft/probes/application/websphere_mq/setmqprobe_auth.sh all

           ** Press ENTER to accept default selection ** 

  12. Restart the nimbus service

     systemctl restart nimbus
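The runbook above, consolidated into one re-runnable script with checks at the points where a manual run silently goes wrong (an already existing account, a NIMBUS_USER line that did not match, a probe that never deploys, an unreviewed root-to-user substitution). This is an added example and not Broadcom's or the automation product's code; the account name uimsvc, UID/GID 7778, the hub values read from the environment and the probe path under /opt/nimsoft are assumptions to adjust for your site.

```shell
#!/bin/bash
# Added example, not Broadcom code: steps 1-12 above as one script. The
# service account uimsvc (UID/GID 7778), hub settings from DOMAIN/HUBIP/HUB/
# HUBROBOTNAME and the probe path are assumptions. Run as root with --run.
set -u
SVC_USER="${SVC_USER:-uimsvc}"
SVC_ID="${SVC_ID:-7778}"
NIM_HOME=/opt/nimsoft
PROBE_DIR="$NIM_HOME/probes/application/websphere_mq"
PROBE_PACKAGES="${PROBE_PACKAGES:-websphere_mq}"   # append the template package used in your environment

# Step 1: create group and user only when absent, so a re-run is harmless.
create_service_account() {
    getent group "$SVC_USER" >/dev/null || groupadd -g "$SVC_ID" "$SVC_USER"
    getent passwd "$SVC_USER" >/dev/null ||
        useradd -g "$SVC_USER" -u "$SVC_ID" -d "/home/$SVC_USER" -m \
            -c 'CA UIM Service Account' -s /bin/bash "$SVC_USER"
}

# Step 3: nms-robot-vars.cfg. Arguments: file domain hubip hub hubrobotname [hubport]
write_robot_vars() {
    printf 'domain=%s\nhubip=%s\nhub=%s\nhubrobotname=%s\nhubport=%s\n' \
        "$2" "$3" "$4" "$5" "${6:-48002}" > "$1"
}

# Step 6: point the init script at the service account. Fail if the expected line
# is absent: a silent no-op would leave the robot, and every probe, running as root.
set_nimbus_user() {   # args: init_script user
    grep -q '^NIMBUS_USER=root' "$1" || return 1
    sed -i "s/^NIMBUS_USER=root/NIMBUS_USER=$2/" "$1"
}

# Step 7: distribution request the robot picks up on first start. Arguments: file packages
write_request_cfg() {
    printf '<distribution request>\n    packages=%s\n</distribution request>\n' "$2" > "$1"
}

# Step 9: poll for the probe directory with a timeout instead of watching by hand.
wait_for_probe() {    # args: dir [timeout_seconds]
    waited=0
    until [ -d "$1" ]; do
        [ "$waited" -ge "${2:-600}" ] && return 1
        sleep 5; waited=$((waited + 5))
    done
}

# Steps 2, 4, 5, 8 and 10-12: the privileged, host-specific part.
main() {
    create_service_account
    yum install -y nimsoft-robot
    write_robot_vars /opt/nms-robot-vars.cfg "${DOMAIN:?}" "${HUBIP:?}" "${HUB:?}" "${HUBROBOTNAME:?}"
    "$NIM_HOME/install/RobotConfigurer.sh"
    chown -R "$SVC_USER:$SVC_USER" "$NIM_HOME"
    chown "$SVC_USER:$SVC_USER" /etc/nimbus.conf
    set_nimbus_user /etc/init.d/nimbus "$SVC_USER"
    write_request_cfg "$NIM_HOME/request.cfg" "$PROBE_PACKAGES"
    systemctl daemon-reload && systemctl start nimbus
    wait_for_probe "$PROBE_DIR" 600 || { echo "websphere_mq probe not deployed after 10 min" >&2; exit 1; }
    # Keep the original and show the diff so the blind root->user substitution is reviewed.
    cp -p "$PROBE_DIR/setmqprobe_auth.sh" "$PROBE_DIR/setmqprobe_auth.sh.orig"
    perl -pi -e "s/root/$SVC_USER/" "$PROBE_DIR/setmqprobe_auth.sh"
    diff "$PROBE_DIR/setmqprobe_auth.sh.orig" "$PROBE_DIR/setmqprobe_auth.sh" || true
    su - mqm -c "$PROBE_DIR/setmqprobe_auth.sh all"   # interactive: ENTER accepts the defaults
    systemctl restart nimbus
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Without --run the script only defines its functions, so the file-editing helpers can be exercised against copies before the real /etc/init.d/nimbus is touched; with --run it performs the whole sequence and stops at the first failed step because every privileged command is checked.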

Additional Information

websphere_mq AC Configuration

Configure the websphere_mq probe using the Admin Console.

The probe must be able to reach the queue manager over an MQ channel, and the user the probe runs as (root or the non-root service account) must hold the authorities described in the Resolution section above and in the probe documentation.

Check out the Setup Monitoring Environment section:

The probe requires prior configuration of the monitoring environments. You can configure the environments as follows:
  • Set Up Environment for AIX Monitoring
  • Enable Queue Monitors on Linux and Solaris
  • Root User Authorization for MQI Calls (Linux, Solaris, and AIX)
  • Set Up Client Connection Mode (All OS)

Important considerations

Version-specific details: The exact configuration steps and commands vary slightly with the versions of IBM WebSphere MQ (and, where applicable, WebSphere Application Server) in use. Always consult the official IBM documentation for your versions.

Security auditing and logging: Enable auditing and logging so that administrative access to the queue manager, including the PCF commands the probe issues, is recorded and unauthorized activity can be identified.

Avoid using the root user: Running as root is a quick way around permission problems, but it is not required; community guidance (mqseries.net) notes that it is NOT mandatory to be logged in as root for the MQ install, and configuring non-root access is strongly recommended for security reasons.

By following these steps and the security practices above, you can run the websphere_mq probe under a non-root account that holds only the authorities it needs, while keeping the environment secure and stable.

WebSphere Application Server configuration (optional, and if applicable):

If WebSphere MQ is integrated with WebSphere Application Server, also configure the application server for non-root administration (see the IBM documentation). This may involve specific post-installation steps and making sure the non-root user has read permission on the configuration files.

Use the userinst command instead of install to start IBM Installation Manager in "user mode" when installing WebSphere Application Server as a non-root user.