MainView Middleware Administrator integration options
During the installation of the MainView Middleware Monitor (MVMM) product, you choose the method in which to integrate the product with MainView Middleware Administrator (MVMA).
Note
The integration of the two products enables you to administer the same queue managers shown in the MVMM object repository from the MVMA console. Before installing the MVMM product, you must determine the security and queue manager integration options for your environment.
Refer to the following sections to view the different options so that you can plan for the integration and gather the information that you will need during the installation process.
BMC recommends that you install, but not configure, the MVMA product before starting the MVMM installation (you cannot use the MVMA Monitor Edition until the MVMM installation has completed and MVMM Services are running). Following the successful installation of MVMM, the product automatically configures MVMA by installing the execution key, filling in the security fields, and by adding the administrator user and group when you start the services.
If you do not follow the recommended process, you must manually configure the integration between MVMA and MVMM using the mqtool utility.
Tip
The planning information on this page corresponds to the "Configuring Integration with MainView Middleware Administrator" screens in the MVMM installation wizard. To log your decisions, download the Installation worksheet.
MVMA Monitor Edition replaces Configuration Manager.
Determining the MVMA product to integrate with MVMM
When you purchase the MVMM product license, you are also entitled to download and install the Monitor Edition of MVMA, which enables you to administer all of the queue managers in the MVMM object repository from the MVMA consoles. Depending on your licensing, you might also be entitled to install a separately-licensed version of MVMA, which provides additional features. Before starting the MVMM installation, you must know whether your installation of the MVMM product will integrate with the Monitor Edition or the separately-licensed version of MVMA.
When integrating with the Monitor Edition of MVMA, or with a newly installed separately-licensed version of MVMA that will use the same security as MVMM, install and start MVMA first. MVMM configures MVMA for you when the MVMM services are started.
- When installing the Monitor Edition of MVMA, you should always select WebSphere MQ Install Set. Note that the Monitor Edition does not support administering TIBCO EMS. Picking Full Administration Install Set will not enable that feature. During the MVMM installation you must select Monitor Edition.
- When installing a separately-licensed version of MVMA choose the install set for which you are licensed. During the MVMM installation you must select New separately licensed installation.
- When using a separately-licensed MVMA installation, the license must support the administration of the same or greater number of queue managers that exist in the MVMM object repository.
- If the separately-licensed MVMA product does not adequately support the queue managers in the MVMM repository, install and integrate MVMA Monitor Edition with MVMM. You can then install the separately-licensed MVMA product to administer selected queue managers. In this case, the separately-licensed instance of MVMA will not be integrated with MVMM, as shown in the following illustration.
When integrating with an existing installation of a separately-licensed version of MVMA, or with a new installation of a separately-licensed version of MVMA that does not use the same security as MVMM, BMC recommends that you install and start MVMA as necessary before installing MVMM. When installing a separately-licensed version of MVMA, choose the install set for which you are licensed. During the MVMM installation you must select Existing separately licensed installation.
User authentication options
MVMM and MVMA support the following user authentication options:
- Local authentication, which uses the products' internal LDAP directory information service
- External authentication (Delegate Mode), which uses your Active Directory service
When both products use the same authentication method, you can specify the authentication method during the MVMM installation, and the configuration will occur automatically after you start the MVMM services. However, when you choose to configure different authentication methods for the two products, you will specify the authentication mode for the MVMM product during the installation, and you cannot administer the queue manager from the MVMA console.
Note that when installing the Monitor Edition, its authentication mode must match that of the MVMM product.
Local authentication for MVMM and MVMA
The following diagram illustrates MVMM and MVMA using MVMM's security. Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.
External authentication for MVMM and MVMA
The following diagram illustrates MVMM and MVMA using MVMM's Active Directory for external authentication. Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.
MVMM and MVMA using separate authentication
Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.
Users and security
There are three types of users involved with the MVMM and MVMA integration.
- MVMA Integration Administrator: A user with the “MVMA Integration Configuration” permission is allowed to use the mqtool utility, use the three MVMA options in the Object Repository tab, and execute the Create WMQ Connection policy action. In addition, all groups with that permission are added as MVMA Administrators when integration is configured or reconfigured (for example, when changing user IDs, passwords, or license keys). The credentials of a single user with this permission are preserved in the MVMM services.cfg file so that MVMM can log in to and configure MVMA as needed. If that user or the user's password must be changed, BMC recommends that you use the mqtool utility to do so. You may also change that user's password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service. When using Active Directory, first change the password in Active Directory. Between the time the password is changed in Active Directory and the time the mqtool utility is executed, any attempt to create or update WMQ Connections or to synchronize groups will fail.
In addition to the “MVMA Integration Configuration” permission, other permissions are required for certain operations. For example, the “Access Object Repository” permission is required to use the MVMA options in the Management Console Object Repository tab, and several MQ actions are required to create the server connection channel or to query MQ information. The “MVMA Integration” group is provided with the product with all permissions required for MVMA integration enabled. BMC recommends that you add users who need to perform these duties to this group, so that they also receive any new permissions that are added or required in the future.
- MVMA User: A non-administrative user with access to an MVMA project. Groups with the “MVMA Project Access” or "Enable MQ Actions" permission may be added to the project when the project is initially created (the first time a WMQ Connection is created) or when WMQ Connections are synchronized.
- Synchronization of WMQ Connections is enabled and occurs every five minutes by default. For more details on synchronization see Creating the WMQ Connection server connection channel.
- Synchronization of groups is enabled when choosing the Monitor Edition or New separately licensed installation. For convenience, the “MVMA Users” group is provided with the product and may be assigned members for users who need access to the MVMA project.
- Synchronization of mq groups is enabled on upgrade installations when choosing the Monitor Edition or New separately licensed installation. Groups that previously had the "Run CM" permission have the "Enable MQ Actions" permission after the upgrade, so that all users who previously had MQ administrative abilities through the Configuration Manager have similar abilities in MVMA. If you do not want this behavior, you may disable either synchronization of mq groups or synchronization of groups entirely.
See Managing integration with MainView Middleware Administrator with the CLI for details if synchronization of groups, synchronization of mq groups or the synchronization interval need to be changed. Disabling synchronization of groups using the CLI will disable synchronization of mq groups. However, if you need to re-enable this migration feature you must change the value directly in services.cfg. See the [Admin] section in services.cfg for more details.
- LDAP User: Credentials that give MVMA access to the security server to authenticate users and retrieve user and group information. The credentials are preserved in the MVMM services.cfg file so that MVMA can be configured as needed. If the credentials must be changed, BMC recommends that you use the mqtool utility to do so.
- Local Authentication/Internal LDAP: The credentials are for a user that requires no permission for other activity in MVMM and does not need to belong to any group. In addition to mqtool, you can change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool which updates the password directly in the security service.
- External Authentication/Active Directory (Delegate Mode): The credentials are for a common name (CN). When changing the CN's password you must first use the mqtool utility to change the password used by MVMA and then change the password in Active Directory. In between the time the mqtool utility was executed and the password is changed in Active Directory, users will be unable to log into MVMA.
Note
When using Active Directory, the MVMM pre-configured groups added during installation for MVMA administrator or user project access may not exist in Active Directory. You can remove those groups from MVMM and MVMA to avoid the risk that a group later added to your AD happens to match an MVMM group name, which would grant unintended access to MVMM or MVMA. If you remove them from MVMM and synchronization of groups is enabled, the removed groups are also removed from the MVMA project. If you remove an administrative group, you must run the mqtool utility with the --reconfigure option, or manually remove the group from within MVMA.
Integration properties
When you choose to integrate the two products during the installation or upgrade, you must first install the MVMA product and know the following information about the MVMA installation:
Requirement | Notes |
---|---|
License key for MVMA | License key that was provided when you purchased the license. |
Location of MVMA | Host name or IP address where MVMA is installed |
MVMA project | MVMA project that will contain discovered queue managers from MVMM |
HTTPS trust store | For MVMM to connect securely to MVMA using HTTPS, the MVMA certificate must be installed into a MVMM trust store. BMC recommends that you choose a unique trust store for this purpose so it can be easily recreated without losing other certificates. If the trust store file does not exist, you can use any password. If it already exists, you must know the password of the existing trust store file. You will need this password to access or add additional certificates in the future. The MVMM installation program will attempt to fetch the certificate from your running MVMA installation. |
Local Authentication | Internal LDAP |
MVMA administrator credentials | This user defaults to admin_user and a password is generated. |
LDAP user credentials | This user defaults to ldap_user and a password is generated. |
External Authentication | Active Directory (Delegate Mode). You may need to obtain this information from your Active Directory administrator. For additional details, see Configuring the Active Directory security mode with the Security Configuration tool. |
Active Directory Domain Name | Active Directory domain name. |
Active Directory Security Transport Type | SSL, SASL or SSL/SASL |
Base Active Directory Fully Qualified Domain Name | The base Active Directory fully qualified domain name. |
MVMA administrator credentials | The user must exist and the password must match that in Active Directory |
Common Name (CN) Credentials | The common name of a user which can read entries in the directory. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP User Search Base | The base DN from which searches for user information occurs. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP User Search Filter | The search filter used to identify users. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Users Search Filter | The search filter used to find users within the directory. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP User Name Attribute | This is used to identify the text to use as the username. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Group Search Base | This is the base DN used to search for groups. Groups should be somewhere down the sub tree rooted by this DN. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Group Search Filter | This is the search filter expression used to find groups by name. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Group Member Search Filter | This is the search filter expression used to determine members of groups. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Groups Search Filter | This is the search filter expression that returns group names. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Group Name Attribute | This is the attribute that represents the name of a group. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Group Member Attribute | This is the attribute that represents a member of a group. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
LDAP Max Nested Group Recursion Level | Limits the amount of recursion used to find nested groups. This value is not required when using an existing fully licensed version of MVMA that does not use the same security as MVMM. |
List of domain controllers | The list can be discovered automatically, or you can specify it. |
Certificates | You may capture certificates from selected domain controllers or import them. Obtain certificates to import from your Active Directory administrator. |
Best practice
If the only purpose for this trust store is for MVMA accessibility you can always remove the file and recreate it using the mqtool utility.
If your MVMA service is not running, the installer cannot retrieve the certificate, because the certificate is only available while MVMA is running. In that event, you must run the command line utility "mqtool --reconfigure" at a later time.
Working with .bin message files in MVMA
If you are using MVMM .bin message files created by the legacy Configuration Manager tool, you will need to convert these files for use in MVMA or MVMA (Monitor Edition).
To convert the .bin files to .json format in MVMM, use the mqtool utility to ensure the files are compatible for uploading into MVMA. Note that a single message should be saved using the Save queue option (and not the Save message option).
For example:
C:\MVMM>mqtool --msg-file-convert QM1_ABC_001_20171114120435.bin SA -p BMCSOFTWARE
OPTION SETTINGS:
--msg-file-convert = QM1_ABC_001_20171114120435.bin
Converted message(s) saved to
C:\MVMM\QM1_ABC_001_20171114120435.bin.json
Queue Manager and WMQ Connection considerations
A queue manager in MVMA is represented as a WMQ Connection, which contains the necessary information to connect to the queue manager as a client. MVMM can assist in creating the WMQ Connections as agent and WebSphere MQ extension packages are deployed and configured or immediately after an upgrade for existing installations. The following three options are supported:
- MVMM agent and WebSphere MQ extension using local MQ bindings (that is, residing on the same machine as the queue manager).
- MVMM agentless configuration where MVMM and MVMA connect to a queue manager using different server connection channels.
- MVMM agentless configuration where the MVMM agent and WebSphere MQ extension reside on the same machine as MVMA and connect to a queue manager using the same server connection channel. BMC does not recommend this configuration: MVMA connects as an MQ client for administrative purposes and may therefore require more queue manager permissions or authority than MVMM's MQ client connection, so sharing one channel means granting MVMM the broader authority as well.
MVMM monitoring with local agent
In this setup, MVMA uses its own server connection channel to connect to the queue manager and you can set up channel authentication. MVMM has a local bindings connection to the queue manager.
MVMM agentless monitoring with separate channels
In this setup, each connection to the queue manager uses its own server connection channel, which enables you to restrict connections to those from Host A or Host B, respectively.
Because each channel can specify different authentication, BMC recommends this configuration when MVMM uses an agentless configuration on the queue manager host server.
MVMM agentless monitoring with shared channel
In this configuration, each connection to the queue manager shares the same server connection channel and the same channel authentication.
Because you might want different authentication for MVMM and MVMA, BMC does not recommend this configuration when MVMM uses an agentless configuration on the queue manager host computer.
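As an added illustration of the separate-channel layout recommended above (this is not code from the BMC documentation), the following IBM MQ MQSC commands define one server connection channel per product and use channel authentication records so that each channel accepts connections only from its own host. The channel names, MCAUSER ids and the 192.0.2.x addresses are assumed placeholders.

```mqsc
* Added example, not from the BMC documentation. Channel names, MCAUSER
* ids and the two host addresses are constructed placeholders; replace
* them with the values for your environment.
*
* Make sure channel authentication records are enforced.
ALTER QMGR CHLAUTH(ENABLED)

* One SVRCONN channel per product, each running under its own
* low-privilege MCAUSER, so the two connections can be authorized
* (with setmqaut) and audited independently.
DEFINE CHANNEL('MVMM.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mvmmsvc') DESCR('MVMM agentless monitoring') REPLACE
DEFINE CHANNEL('MVMA.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mvmasvc') DESCR('MVMA administration') REPLACE

* Deny every address on each channel, then allow only the host that
* runs that product (Host A = MVMM agent, Host B = MVMA). The more
* specific ADDRESS rule takes precedence over the '*' rule.
SET CHLAUTH('MVMM.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Block all by default') ACTION(REPLACE)
SET CHLAUTH('MVMM.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(CHANNEL) DESCR('Host A: MVMM agent') ACTION(REPLACE)

SET CHLAUTH('MVMA.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Block all by default') ACTION(REPLACE)
SET CHLAUTH('MVMA.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.20') +
    USERSRC(CHANNEL) DESCR('Host B: MVMA') ACTION(REPLACE)

* If MVMA needs administrative authority, grant it to 'mvmasvc'
* explicitly with setmqaut rather than mapping to an mqm member,
* which the queue manager's default *MQADMIN BLOCKUSER rule rejects.

* Verify the rules actually in force for both channels.
DISPLAY CHLAUTH('MVM*.SVRCONN') ALL
```

Because the two channels have independent rules, tightening or revoking MVMA's administrative access never affects the MVMM monitoring connection, which is the property the shared-channel layout cannot provide.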
Feature comparison
The following table compares the features in the licensed version of MVMA that are not fully supported in the MVMA Monitor Edition. Any features not listed are fully supported in the MVMA Monitor Edition (see the MVMA documentation for further information on the full functionality of the product).
Note
When standard MVMA functionality is not available for the Monitor Edition users, an "Access restricted by licensing" message is displayed for the selected feature in the User/Admin Console.
Console / Sub-component | Feature | MVMA | MVMA Monitor Edition |
---|---|---|---|
Admin Console | | | |
Global Actions bar | Events | + | Not supported |
 | Options | + | Limited |
Navigation panel | Users | + | Not supported |
 | Groups | + | Not supported |
 | Filters | + | Not supported |
 | Settings | + | Not supported |
 | Security | + | Limited |
 | EMS Connections | + | Not supported |
Workspace | Users | + | Not supported |
 | Groups | + | Not supported |
 | Projects | + | Limited |
 | Filters Summary | + | Not supported |
 | Filter Properties | + | Not supported |
 | Security | + | Limited |
 | Settings | + | Not supported |
 | EMS Connections Summary | + | Not supported |
 | WMQ Connections Summary | + | Limited |
 | WMQ Connection Properties | + | Limited |
User Console | | | |
Global Actions bar | Events | + | Not supported |
 | Options | + | Limited |
Navigation panel | Tags Tab | + | Not supported |
 | Layout Editor | + | Not supported |
 | All Queue Manager Connections | + | Not supported |
 | Queue Statistics | + | Not supported |
 | Scheduled Tasks | + | Not supported |
 | Archives | + | Not supported |
 | Import/Export | + | Limited |
 | Manage Objects | + | Not supported |
 | Dashboard | + | Not supported |
Workspace | Scheduling Operations | + | Not supported |
 | Tagging Objects | + | Not supported |
 | Manage Layouts | + | Not supported |