MainView Middleware Administrator integration options

During the installation of the MainView Middleware Monitor (MVMM) product, you choose the method in which to integrate the product with MainView Middleware Administrator (MVMA).

The integration of the two products enables you to administer the same queue managers shown in the MVMM object repository from the MVMA console. Before installing the MVMM product, you must determine the security and queue manager integration options for your environment. 

Refer to the following sections to view the different options so that you can plan for the integration and gather the information that you will need during the installation process.

BMC recommends that you install, but not configure, the MVMA product before starting the MVMM installation (you cannot use the MVMA Monitor Edition until the MVMM installation has completed and MVMM Services are running). Following the successful installation of MVMM, the product automatically configures MVMA by installing the execution key, filling in the security fields, and by adding the administrator user and group when you start the services.

If you do not follow the recommended process, you must manually configure the integration between MVMA and MVMM using the mqtool utility.

Determining the MVMA product to integrate with MVMM

When you purchase the MVMM product license, you are also entitled to download and install the Monitor Edition of MVMA, which enables you to administer all of the queue managers in the MVMM object repository from the MVMA consoles. Depending on your licensing, you might also be entitled to install a separately-licensed version of MVMA, which provides additional features. Before starting the MVMM installation, you must know whether your installation of the MVMM product will integrate with the Monitor Edition or the separately-licensed version of MVMA.

When integrating with the Monitor Edition of MVMA or a newly installed separately-licensed version of MVMA that will use the same security as MVMM you will install MVMA first and start MVMA. MVMM will configure the MVMA for you when the MVMM services are started.

• When installing the Monitor Edition of MVMA, you should always select WebSphere MQ Install Set. Note that the Monitor Edition does not support administering TIBCO EMS. Picking Full Administration Install Set will not enable that feature. During the MVMM installation you must select Monitor Edition.
• When installing a separately-licensed version of MVMA choose the install set for which you are licensed. During the MVMM installation you must select New separately licensed installation.
  • When using a separately-licensed MVMA installation, the license must support the administration of the same or greater number of queue managers that exist in the MVMM object repository.
  • If the separately-licensed MVMA product does not adequately support the queue managers in the MVMM repository, install and integrate MVMA Monitor Edition with MVMM. You can then install the separately-licensed MVMA product to administer selected queue managers. In this case, the separately-licensed instance of MVMA will not be integrated with MVMM, as shown in the following illustration.

When integrating with an existing install of a separately-licensed version of MVMA or a new install of a separately-licensed version of MVMA that does not use the same security as MVMM then it is recommended you install and start MVMA as necessary before installing MVMM. When installing a separately-licensed version of MVMA choose the install set for which you are licensed. During the MVMMinstallation you must select Existing separately licensed installation.

User authentication options

MVMM and MVMA support the following user authentication options:

• Local authentication, which uses the distributed directory information service
• External authentication (Delegate Mode), which uses your Active Directory service

When both products use the same authentication method, you can specify the authentication method during the MVMM installation, and the configuration will occur automatically after you start the MVMM services. However, when you choose to configure different authentication methods for the two products, you will specify the authentication mode for the MVMM product during the installation, and you cannot administer the queue manager from the MVMA console.

Note that when installing the Monitor Edition, its authentication mode must match that of the MVMM product. 

Local authentication for MVMM and MVMA

The following diagram illustrates MVMM and MVMA using MVMM's security. Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.

External authentication for MVMM and MVMA

The following diagram illustrates MVMM and MVMA using MVMM's Active Directory for external authentication. Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.

MVMM and MVMA using separate authentication

Although shown as two separate hosts, MVMM and MVMA can reside on the same host computer.

Users and security

There are three types of users involved with the MVMM and MVMA integration.

• MVMA Integration Administrator: A user with the “MVMA Integration Configuration” permission is allowed to use the mqtool utility, use the three MVMA options in the Object Repository tab, and execute the Create WMQ Connection policy action. In addition, all groups with that permission are added as a MVMA Administrator when integration is configured or reconfigured (for example, changing user IDs, passwords, license keys, etc.). The credentials for a single user with this permission is preserved in the MVMM services.cfg file to log into and configure MVMA as needed. If the user or the user’s password must be changed it is recommended you use the mqtool utility to do so. You may change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service. When using Active Directory, you should first change the password in Active Directory. In between the time the password was changed in Active Directory and the mqtool utility was executed any attempts to create additional or update WMQ Connections or synchronize groups will fail.
  
  In addition to the “MVMA Integration Configuration” permission others are required for certain operations. For example, the “Access Object Repository” permission is required for using the MVMA options in the Management Console Object Repository tab. There are also several MQ actions required to create the server connection channel or query MQ information. The “MVMA Integration” group is provided with the product with all required permissions for MVMA integration enabled. It is recommended you add users who need to perform these duties to this group in case new permissions are added or required in the future. 
• MVMA User: This user is a non-administrative user with access to a MVMA project.  Groups with the “MVMA Project Access” or "Enable MQ Actions" permissions may be added to the project when the project is initially created the first time a WMQ Connection is created or when synchronizing WMQ Connections.   
  • Synchronization of WMQ Connections is enabled and occurs every five minutes by default.  For more details on synchronization see Creating the WMQ Connection server connection channel.
  • Synchronization of groups is enabled when choosing the Monitor Edition or New separately licensed installation.  For convenience, the “MVMA Users” group is provided with the product and may be assigned members for users who need access to the MVMA project.
  • Synchronization of mq groups is enabled on upgrade installations when choosing the Monitor Edition or New separately licensed installation.   Groups which used to have the "Run CM" permission now have the "Enable MQ Actions" permission after upgrade so that all users which previously had MQ administrative abilities using the Configuration Manager will have similar abilities using MVMA.  If you do not wish this you may either disable synchronization of mq groups or synchronization of groups entirely.

See Managing integration with MainView Middleware Administrator with the CLI for details if synchronization of groups, synchronization of mq groups or the synchronization interval need to be changed.  Disabling synchronization of groups using the CLI will disable synchronization of mq groups.  However, if you need to re-enable this migration feature you must change the value directly in services.cfg.  See the [Admin] section in services.cfg for more details.  
 

• LDAP User: Credentials that gives MVMA access to the security server to authenticate users and retrieve user and group information.  The credentials are preserved in the MVMM services.cfg file to configure MVMA as needed. If the credentials must be changed it is recommended you use the mqtool utility to do so.
  
  • Local Authentication/Internal LDAP:  The credentials are for a user that requires no permission for other activity in MVMM and does not need to belong to any group.  In addition to mqtool, you can change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool which updates the password directly in the security service.
  • External Authentication/Active Directory (Delegate Mode): The credentials are for a common name (CN).  When changing the CN's password you must first use the mqtool utility to change the password used by MVMA and then change the password in Active Directory. In between the time the mqtool utility was executed and the password is changed in Active Directory, users will be unable to log into MVMA. 

Integration properties

When you choose to integrate the two products during the installation or upgrade, you must first install the MVMA product and know the following information about the MVMA installation:

Working with .bin message files in MVMA

If you are using MVMM .bin message files created by the legacy Configuration Manager tool, you will need to convert these files for use in MVMA or MVMA (Monitor Edition).

To convert the .bin files to .json format in MVMM, use the mqtool utility to ensure the files are compatible for uploading into MVMA. Note that a single message should be saved using the Save queue option (and not the Save message option).

For example:

C:\MVMM>mqtool --msg-file-convert QM1_ABC_001_20171114120435.bin SA -p BMCSOFTWARE

OPTION SETTINGS:
--msg-file-convert = QM1_ABC_001_20171114120435.bin
Converted message(s) saved to
C:\MVMM\QM1_ABC_001_20171114120435.bin.json

Queue Manager and WQM connection considerations

A queue manager in MVMA is represented as a WMQ Connection, which contains the necessary information to connect to the queue manager as a client. MVMM can assist in creating the WMQ Connections as agent and WebSphere MQ extension packages are deployed and configured or immediately after an upgrade for existing installations. The following three options are supported:

• MVMM agent and WebSphere MQ extension using local MQ bindings (ie. residing on the same machine as the queue manager).
• MVMM agentless configuration where MVMM and MVMA connect to a queue manager using different server conn channels.
• MVMM agentless configuration where the MVMM agent and WebSphere MQ extension reside on the same machine as MVMA and connect to a queue manager using the same server connection channel. Because MVMA might require more permissions than MVMM for administrative purposes (with MVMA being an MQ client connection it may require more queue manager permissions or authority to perform MQ related administrative tasks than MVMM and its MQ client connection), BMC does not recommend this configuration.

MVMM monitoring with local agent

In this setup, MVMA uses its own server connection channel to connect to the queue manager and you can set up channel authentication. MVMM has a local bindings connection to the queue manager.

MVMM agentless monitoring with separate channels

In this setup, each connection to the queue manager uses its own server connection channel, which enables you to restrict connections to those from Host A or Host B, respectively.

Because each channel can specify different authentication, BMC recommends this configuration when MVMM uses an agentless configuration on the queue manager host server.

MVMM agentless monitoring with shared channel 

In this configuration, each connection to the queue manager shares the same server connection channel and the same channel authentication.

Because you might want different authentication for MVMM and MVMA, BMC does not recommend this configuration when MVMM uses an agentless configuration on the queue manager host computer.

Feature comparison

The following table compares the features in the licensed version of MVMA that are not fully supported in the MVMA Monitor Edition. Any features not listed are fully supported in the MVMA Monitor Edition (see the MVMA documentation for further information on the full functionality of the product).