Configuring role-based security with the IBM Integration Bus V9 web user interface

This article walks you through the IBM Integration Bus V9 web user interface and shows you how to configure role-based security to control access to a broker and its resources on the web user interface.


Shenfu (Mike) Fan (sfan@us.ibm.com), Certified IT Architect and IT Specialist, IBM

Shenfu (Mike) Fan is a Certified IT Architect and IT Specialist with IBM Software Services for WebSphere. He focuses on architectural design, development, and implementation of enterprise application integration solutions using IBM integration products such as IBM Integration Bus, WebSphere Message Broker, WebSphere MQ, WebSphere Service Registry and Repository, and others. You can contact Mike at sfan@us.ibm.com.



27 December 2013

The web user interface

IBM® Integration Bus V9 provides the Integration Explorer, an Eclipse-based graphical user interface, to administer broker resources. An optional feature called the web user interface (hereafter called the web UI) lets you access broker resources through an HTTP client, and provides an alternative to the Integration Explorer.

Role-based security

If administrative security is not enabled, any user can use the web UI as the default user and access all broker resources. When administrative security is enabled, a security manager controls the permissions to perform administrative tasks for a broker. Permissions are associated with roles, which are system user accounts that have a set of security permissions (authorities) assigned to them. A user can access the web UI only when logged on with a web user account.

As an administrator, you can control access to a broker and its resources by associating each web user account with a particular role. You can authorize users with a particular role to perform specific actions, by enabling or disabling aspects of the web UI, or by configuring the web UI to display only the options for which users are authorized. Therefore, the web UI can be tailored to a specific role, so that the users can view and operate on only the broker objects that are available based on the permissions that have been assigned to the role.

In this article, role-based security for the web UI is configured on Windows 7 using the broker and its resources shown in Figure 1. There are two integration servers (also known as execution groups), IS1 and IS2, on the integration node IIB9BRK1 (also known as the broker). The message flow MsgFlow1 is deployed on IS1 and MsgFlow2 on IS2. Both message flows are simple message pass-throughs from an input queue to an output queue.

Figure 1. A broker and its resources

To benefit from this article, you should have some knowledge of IBM Integration Bus V9. For product information, see Resources at the bottom of the article.

Enabling the web UI server

By default, the web UI is enabled automatically when a new broker is created. To check the status, run the following command:

mqsireportproperties IIB9BRK1 -b webadmin -o server -a
server=''
uuid='server'
enabled='true'
enableSSL='false'
BIP8071I: Successful command completion.

If it is disabled for some reason, enable the web UI with the following command, which changes the enabled property of the webadmin component to true:

mqsichangeproperties IIB9BRK1 -b webadmin -o server -n enabled -v true
BIP8071I: Successful command completion.

This property can be changed either when the broker is stopped or while it is running. If a change is made while the broker is running, the change takes effect when the broker is restarted.

By default, the port number for the web UI is 4414. You can change the port number using the mqsichangeproperties command. To use port number 4424, run the following command:

mqsichangeproperties IIB9BRK1 -b webadmin -o HTTPConnector -n port -v 4424

This property can be changed only when the broker is running, and the change takes effect when the broker is restarted. To confirm that the port properties are set correctly, run the following command:

mqsireportproperties IIB9BRK1 -b webadmin -o HTTPConnector -n port
4424
BIP8071I: Successful command completion.

Alternatively, you can use Integration Explorer to enable or disable the web UI, and to change the port number to which it is assigned.

You can select HTTP or HTTPS as the communication protocol for the web UI. In this article, only HTTP is used when showing how to configure role-based security.

Configuring role-based security for the web UI

As described previously, an administrator can authorize users with a particular role to perform specific actions by configuring the web UI to display only the options for which those users are authorized. For example, a group of users with one role might be allowed to view certain broker resources, while another group of users with another role might be allowed to modify them. The same authorizations can be granted to multiple users by assigning those users to the same role.

To configure the role-based security for the web UI, you need to complete the following steps:

  1. Defining the access control requirements
  2. Creating system groups and users
  3. Setting up role-based security
  4. Creating web user accounts

1. Defining the access control requirements

For demonstration purposes, two roles are defined: administrator and normal user. Full access to all broker resources is granted to the administrator role, and only view authority is granted to the normal user role. Role-based security is configured on system groups. Two system groups, wmbadmin and wmbuser, are created, and two users, wmbadmin1 and wmbuser1, are created and added to the groups wmbadmin and wmbuser respectively. The system groups and users are listed in Table 1. Any user in the wmbadmin group has full access to all broker resources, and any user in the wmbuser group has only view authority for the broker and its resources.

Table 1. System groups and users

Group     | User       | Authorization
----------|------------|--------------------------------------------
wmbadmin  | wmbadmin1  | Full authority to all broker resources
wmbuser   | wmbuser1   | Only view authority to all broker resources

2. Creating system groups and users

To create the wmbadmin group, click Start => Control Panel and select Administrative Tools. Double-click Computer Management and expand Local Users and Groups. Right-click Groups and select New Group. Type the group name wmbadmin and click Create as shown in Figure 2. Repeat the same steps to create the group wmbuser:

Figure 2. Creating a system group wmbadmin

To create the wmbadmin1 user, click Start => Control Panel, and select Administrative Tools. Double-click Computer Management and expand Local Users and Groups. Right-click Users and select New User. Type the user name wmbadmin1 and click Create, as shown in Figure 3. Repeat the same steps to create the user wmbuser1.

Figure 3. Creating system user wmbadmin1

Add the user wmbadmin1 into the wmbadmin group, and the user wmbuser1 into the wmbuser group, respectively, as shown in Figure 4:

Figure 4. Users in system groups

3. Setting up role-based security

You can set up security control by registering MQ permissions for individual principals (user IDs), for groups of users, or both. The permissions are granted on the authorization queues to the system groups that were created for the administrator and normal user roles. The required authorities for the roles are listed in Table 2:

Table 2. Summary of the required authorities for the roles

Object type   | Object name                          | Administrator role  | Normal user role
--------------|--------------------------------------|---------------------|------------------
Queue manager | IIB9BRK1QM                           | Connect, Inquire    | Connect, Inquire
Queue         | SYSTEM.BROKER.DEPLOY.QUEUE           | Put                 | Put
Queue         | SYSTEM.BROKER.DEPLOY.REPLY           | Put, Get            | Put, Get
Queue         | SYSTEM.BROKER.AUTH                   | Inquire, Put, Set   | Inquire
Queue         | SYSTEM.BROKER.AUTH.IS1               | Inquire, Put, Set   | Inquire
Queue         | SYSTEM.BROKER.AUTH.IS2               | Inquire, Put, Set   | Inquire
Queue         | SYSTEM.BROKER.DC.AUTH                | Inquire, Set        | Inquire, Set
Queue         | SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION  | Put, Get            | Put, Get
Topic         | SYSTEM.BROKER.MB.TOPIC               | Sub, Pub            | Sub, Pub

The last two rows above (the subscription queue SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION and the topic SYSTEM.BROKER.MB.TOPIC) are required for viewing statistics data of the message flows.

Run the following MQ control commands for the group wmbadmin to grant full administrative access to all broker resources:

setmqaut -m IIB9BRK1QM -t qmgr -g wmbadmin +connect +inq
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -g wmbadmin +put
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -g wmbadmin +put +get
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH -t queue -g wmbadmin +inq +put +set
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH.IS1 -t queue -g wmbadmin +inq +put +set
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH.IS2 -t queue -g wmbadmin +inq +put +set
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DC.AUTH -t queue -g wmbadmin +inq +set
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION -t queue -g wmbadmin +put +get
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.MB.TOPIC -t topic -g wmbadmin +sub +pub

Run the following MQ control commands for the group wmbuser to grant view-only access to all broker resources:

setmqaut -m IIB9BRK1QM -t qmgr -g wmbuser +connect +inq
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DEPLOY.QUEUE -t queue -g wmbuser +put
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DEPLOY.REPLY -t queue -g wmbuser +put +get
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH -t queue -g wmbuser +inq
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH.IS1 -t queue -g wmbuser +inq
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH.IS2 -t queue -g wmbuser +inq
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.DC.AUTH -t queue -g wmbuser +inq +set
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION -t queue -g wmbuser +put +get
setmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.MB.TOPIC -t topic -g wmbuser +sub +pub

The authority granted to a group or a user ID on the broker-level queue SYSTEM.BROKER.AUTH is not inherited by execution groups. Authority for an execution group must be granted explicitly on the queue SYSTEM.BROKER.AUTH.ExecutionGroupName. If a user ID is a member of the MQ security group mqm, it automatically has authority to all WebSphere MQ objects. On Windows, a user ID that is a member of the security group Administrators likewise has authority to all WebSphere MQ objects.

Though authorizations are granted to system groups in this article, they can also be set up on a principal (an individual user). When you authorize a principal on Linux or UNIX, the broker grants the same permissions to the primary group of that principal, so every user who belongs to that primary group is authorized at the same time. Therefore, you should use system groups rather than individual users for authorization.

When you change authorizations on a queue, the broker accesses the updated values the next time that a request is processed. You do not have to stop and restart the broker.

Use the dspmqaut command to check administrative security settings. For example, run the following command to display administrative security settings on the queue SYSTEM.BROKER.AUTH for the group wmbadmin:

dspmqaut -m IIB9BRK1QM -n SYSTEM.BROKER.AUTH -t queue -g wmbadmin
Entity wmbadmin has the following authorizations for object SYSTEM.BROKER.AUTH:
   put
   inq
   set

The dmpmqaut command can also be used to dump all the administrative security settings on a group or a user. For example, run the following command to dump all the administrative security settings on the queue manager IIB9BRK1QM for the group wmbadmin:

dmpmqaut -m IIB9BRK1QM -g wmbadmin
profile:     @CLASS
object type: topic
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   none
- - - - - - - -
profile:     SYSTEM.BROKER.AUTH.IS2
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   put inq set
- - - - - - - -
profile:     SYSTEM.BROKER.AUTH.IS1
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   put inq set
- - - - - - - -
profile:     SYSTEM.BROKER.MB.TOPIC
object type: topic
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   pub sub
- - - - - - - -
profile:     SYSTEM.BROKER.AUTH
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   put inq set
- - - - - - - -
profile:     SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   get put
- - - - - - - -
profile:     SYSTEM.BROKER.DEPLOY.QUEUE
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   put
- - - - - - - -
profile:     SELF
object type: qmgr
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   inq connect
- - - - - - - -
profile:     SYSTEM.BROKER.DC.AUTH
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   inq set
- - - - - - - -
profile:     SYSTEM.BROKER.DEPLOY.REPLY
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   get put
- - - - - - - -
profile:     @CLASS
object type: queue
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   none
- - - - - - - -
profile:     @CLASS
object type: qmgr
entity:      wmbadmin@ADMINIB-NFREDCN
entity type: group
authority:   none
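Because broker-level authority does not reach the execution groups, and because a stray +set turns a view-only role into a modifying one, the dmpmqaut output above is worth checking mechanically. The following Python check is an added example and not part of the article or the product: it parses dmpmqaut output into per-profile authority sets and compares them with the Table 2 authorities for a role, reporting missing and excess grants. The sample dump is constructed, and the entity host name EXAMPLEHOST is a placeholder.

```python
import re

# Expected authorities per role, transcribed from Table 2 of the article. Keys are
# (object type, profile) as dmpmqaut reports them; the queue manager itself appears as "SELF".
ADMIN_ROLE = {
    ("qmgr", "SELF"): {"connect", "inq"},
    ("queue", "SYSTEM.BROKER.DEPLOY.QUEUE"): {"put"},
    ("queue", "SYSTEM.BROKER.DEPLOY.REPLY"): {"put", "get"},
    ("queue", "SYSTEM.BROKER.AUTH"): {"inq", "put", "set"},
    ("queue", "SYSTEM.BROKER.AUTH.IS1"): {"inq", "put", "set"},
    ("queue", "SYSTEM.BROKER.AUTH.IS2"): {"inq", "put", "set"},
    ("queue", "SYSTEM.BROKER.DC.AUTH"): {"inq", "set"},
    ("queue", "SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION"): {"put", "get"},
    ("topic", "SYSTEM.BROKER.MB.TOPIC"): {"sub", "pub"},
}
# The view-only role differs only on the broker-level and execution-group AUTH queues.
VIEW_ROLE = {**ADMIN_ROLE,
             ("queue", "SYSTEM.BROKER.AUTH"): {"inq"},
             ("queue", "SYSTEM.BROKER.AUTH.IS1"): {"inq"},
             ("queue", "SYSTEM.BROKER.AUTH.IS2"): {"inq"}}

def parse_dmpmqaut(text):
    """Turn dmpmqaut output into {(object type, profile): set of authorities}; 'none' -> empty set."""
    granted = {}
    for record in re.split(r"^- - .*$", text, flags=re.M):   # records are separated by '- - - -' lines
        fields = dict(re.findall(r"^(\w[\w ]*?):\s+(.*)$", record, flags=re.M))
        if "profile" in fields:
            auths = set(fields.get("authority", "").split()) - {"none"}
            granted[(fields["object type"], fields["profile"])] = auths
    return granted

def audit(dump, expected):
    """Return (profile, missing, excess) for each deviation from the role; [] means compliant."""
    granted = parse_dmpmqaut(dump)
    findings = []
    for key, want in expected.items():
        have = granted.get(key, set())
        if have != want:
            findings.append((key[1], sorted(want - have), sorted(have - want)))
    for key, have in granted.items():            # grants on profiles the role never lists are excess
        if key not in expected and have:
            findings.append((key[1], [], sorted(have)))
    return findings

# Constructed sample dump for the wmbuser group (not captured from a real system): SYSTEM.BROKER.AUTH
# wrongly carries 'set', and no SYSTEM.BROKER.AUTH.IS1/IS2 grants exist, so both show up as missing.
SAMPLE_DUMP = """\
profile:     SELF
object type: qmgr
entity:      wmbuser@EXAMPLEHOST
entity type: group
authority:   inq connect
- - - - - - - -
profile:     SYSTEM.BROKER.AUTH
object type: queue
entity:      wmbuser@EXAMPLEHOST
entity type: group
authority:   inq set
"""
```

Running `audit(SAMPLE_DUMP, VIEW_ROLE)` reports the extra set on SYSTEM.BROKER.AUTH and the missing execution-group and statistics grants, while the compliant SELF record produces no finding.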

4. Creating web user accounts

To access the web UI, a web user account must be created. An administrator can use the mqsiwebuseradmin command to create a web user, to set or change a web user's password, to remove a web user, or to assign a web user to a role. Run the following commands to create the web user accounts wmbadmin1 and wmbadmin2 and specify the associated role (the system user account wmbadmin1). These web users have full authority to the broker and its resources.

mqsiwebuseradmin IIB9BRK1 -c -u wmbadmin1 -r wmbadmin1 -a wmbadmin1pw
mqsiwebuseradmin IIB9BRK1 -c -u wmbadmin2 -r wmbadmin1 -a wmbadmin2pw

Similarly, run the following commands to create the web user accounts wmbuser1 and wmbuser2 and specify the associated role (system user account, wmbuser1). These web users have view-only authority to the broker and its resources.

mqsiwebuseradmin IIB9BRK1 -c -u wmbuser1 -r wmbuser1 -a wmbuser1pw
mqsiwebuseradmin IIB9BRK1 -c -u wmbuser2 -r wmbuser1 -a wmbuser2pw

Run the following command to list all web users created:

mqsiwebuseradmin IIB9BRK1 -l
BIP2837I: Web user 'wmbadmin1' is defined as having a role of 'wmbadmin1'.
BIP2837I: Web user 'wmbadmin2' is defined as having a role of 'wmbadmin1'.
BIP2837I: Web user 'wmbuser1' is defined as having a role of 'wmbuser1'.
BIP2837I: Web user 'wmbuser2' is defined as having a role of 'wmbuser1'.
BIP8071I: Successful command completion.

Enabling administrative security

To enable administrative security for the Integration Node IIB9BRK1, stop the broker, run mqsichangebroker with the -s parameter set to active, and start the broker again:

mqsistop IIB9BRK1
mqsichangebroker IIB9BRK1 -s active 
mqsistart IIB9BRK1

After administrative security is enabled, a web user must be authorized when logging on to the web UI.

Accessing the web UI

Open the following URL in a web browser to access the web UI: http://localhost:4424/, where localhost is the web UI server address and 4424 is the port number that was specified for the HTTPConnector object in the preceding steps.

Enter the web user ID wmbadmin1 and password wmbadmin1pw, and then click Log in:

Figure 5. The web UI log-in screen

After logging in to the web UI, a window opens, as shown in Figure 6. The Navigator view is displayed on the left, and the content on the right side depends on the resource selected in the Navigator view:

Figure 6. Integration Node IIB9BRK1 view on the web UI

The web UI is tailored to the user's role, so that the options available on the web UI are based on the permissions that have been assigned to the role. Since the web user ID wmbadmin1 has the administrator role, full access to all broker resources is provided. For example, you can start or stop an Integration Server (an execution group) and start or stop the deployed message flows. As shown in Figure 7, the Integration Server IS1 is stopped by selecting Stop from the drop-down list. You can also turn statistics on or off for message flows and view the administration log from the web UI. However, some operations are not available in the web UI, such as creating a new Integration Server and removing deployed message flows. Obviously, you cannot stop the Integration Node.

Figure 7. Stop an Integration Server on the web UI

Log out from the web UI and log in using the different web user ID wmbuser1. Since this web user ID has a normal user role, view-only authority is allowed. As shown in Figure 8, there is no drop-down list to start or stop Integration Servers and message flows:

Figure 8. View only on the web UI

You can monitor statistics data for a message flow, such as message throughput and CPU usage, as shown in Figure 9 (assuming that message flow statistics are already turned on).

Figure 9. View of the statistics on applications

You can also display the administrative log:

Figure 10. View of the administrative logs

Conclusion

This article showed you how to configure role-based security in the IBM Integration Bus web UI. Two roles were created: an administrator with full broker access and a normal user with view-only authority. Web users can access the web UI to view and administer the broker and its resources according to their assigned role.

Acknowledgments

The author would like to thank Doug Drake from IBM Software Services for WebSphere for reviewing and helping to improve this article.

Resources
