MQWEB (or MQCONSOLE) is a web browser interface for administering MQ. There is also a REST API, but I was not testing it at the time.
I had some success in getting access to the MQCONSOLE using certificates: sometimes it worked, sometimes it did not. I changed nothing (honestly) and could not understand why it only sometimes worked.
This (long) blog post gives more information about using certificates to authenticate to MQCONSOLE, and how I fixed it.
Setting up certificates for authentication to MQCONSOLE
Within MQCONSOLE is a WAS Liberty web server, so you should use the Liberty documentation for the detailed configuration information.
I had set up my keyring as follows (RACDCERT LISTRING output):

    >SCENSTC.RING<
    Certificate Label Name             Cert Owner     USAGE      DEFAULT
    --------------------------------   ------------   --------   -------
    SCENCA                             CERTAUTH       CERTAUTH   NO
    MVSCA                              ID(SCENSTC)    PERSONAL   YES
    CONS4096                           ID(SCENSTC)    PERSONAL   NO
    .....
    PAICE2                             ID(PAICE2)     PERSONAL   NO
My LPAR was called WINMVSCA. MVSCA, the default certificate in the ring, was the server certificate used to authenticate the server to the browser; it had WINMVSCA.HURSLEY.. in its definition.
The certificate authority was SCENCA.
CONS4096 was a user certificate belonging to userid SCENSTC.
PAICE2 was a user certificate belonging to userid PAICE2.
Certificates CONS4096 and PAICE2 had been exported from z/OS and imported into Chrome.
When I started a browser session, I was offered a list of the certificates stored in the Chrome keystore.
If I selected CONS4096, that certificate was sent to the web server as the client certificate. Liberty asks RACF to map the certificate to a userid; the certificate is registered in the keyring to ID(SCENSTC), so the session runs as SCENSTC.
This all worked fine, then sometimes I got
I did not change my configuration (honestly, not even a comment), so what was going on?
I had help from an Angel
For ease of use I had put my SAF definitions into their own file, SAF.XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <server>
      <featureManager>
        <feature>zosSecurity-1.0</feature>
      </featureManager>
      <safAuthorization racRouteLog="ASIS"/>
      <safRegistry id="saf" />
      <safAuthorization id="saf" />
      <safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGCCP" />
    </server>
With Liberty on z/OS there is an Angel process, a started task that gives Liberty servers access to authorized z/OS services such as SAF authorization checks, which the (unauthorized) server address space cannot perform on its own. For me this was started task MQANGEL.
If MQANGEL was not running, then I could use certificate CONS4096, and so userid SCENSTC, to log on.
If MQANGEL was running, then I got the 403 Forbidden message.
If MQANGEL was running
in the .../logs/messages.log file I got the message
CWWKB0103I: Authorized service group SAFCRED is available.
This means Liberty is using SAF authorization: when you log on, your userid is checked for READ access to profiles in the RACF EJBROLE class, one profile per MQ Console role (MQWebAdmin, MQWebAdminRO and MQWebUser), and you need access to at least one of them.
I enabled auditing on the profiles, and when I logged on using the SCENSTC certificate I got

    ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
      BBGCCP.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
    ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
      BBGCCP.com.ibm.mq.console.MQWebAdminRO CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
    ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
      BBGCCP.com.ibm.mq.console.MQWebUser CL(EJBROLE )
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Note that the profile prefix BBGCCP matches profilePrefix in the <safCredentials .../> statement.
When I listed the authorized users of the profile I got

    USER      ACCESS   ACCESS COUNT
    ----      ------   ------ -----
    PAICE2    READ     000000
    PAICE     READ     000000
and SCENSTC is not there.
I added SCENSTC to the access list and issued SETR RACLIST(EJBROLE) REFRESH so the in-storage profiles picked up the change.
I restarted the Chrome browser, and connected again - and it worked.
If MQANGEL was not running
In this case Liberty cannot use the authorized SAF services, so authentication goes through the z/OS UNIX System Services (USS) __passwd service instead, and authorization comes from the Liberty configuration rather than from EJBROLE profiles.
In the .../logs/messages.log I got
CWWKB0104I: Authorized service group SAFCRED is not available.
<user name="PAICE" />
The userid SCENSTC was chosen as before.
There was a record in the trace showing accessId=user:PLEXCA/SCENSTC ... group:PLEXCA/SCENU
The group SCENU matched the group in the XML, and so access was granted. So the two paths gave different answers for the same userid: the Liberty-side group mapping allowed SCENSTC in, while the EJBROLE profiles did not, and which path was in effect depended only on whether the Angel was up.
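The following is an added example, not code from the original post, that automates the triage described in the two sections above (MQANGEL running and MQANGEL not running). It reads a constructed messages.log extract to decide which authorization path Liberty is on from the CWWKB0103I/CWWKB0104I messages, parses constructed ICH408I syslog messages in the shape shown above to find which EJBROLE profiles denied the user, and emits the RACF PERMIT and SETROPTS commands for a missing permit. The userids, names, timestamps, the chosen role (MQWebAdminRO, on the least-privilege assumption that a read-only role is enough) and the profile-prefix mismatch check are all assumptions made for the example.

```python
"""Triage MQ Console / Liberty SAF authorization on z/OS from log extracts.

Added example (not code from the original post). Log contents below are
constructed in the shape of the messages quoted in the post; userids,
timestamps and the chosen role are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed messages.log extract: two restarts, first without the Angel,
# then with it (message ids CWWKB0104I/CWWKB0103I as quoted in the post).
MESSAGES_LOG = """\
[4/1/21 10:02:11:123 GMT] 00000012 com.ibm.ws.zos.core.internal.AngelClient I CWWKB0104I: Authorized service group SAFCRED is not available.
[4/1/21 11:40:03:456 GMT] 00000012 com.ibm.ws.zos.core.internal.AngelClient I CWWKB0103I: Authorized service group SAFCRED is available.
"""

# Constructed syslog extract in the shape of the ICH408I audit messages.
SYSLOG = """\
ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
  BBGCCP.com.ibm.mq.console.MQWebAdmin CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
  BBGCCP.com.ibm.mq.console.MQWebAdminRO CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SCENSTC ) GROUP(SCENU   ) NAME(COLIN C. PAICE      )
  BBGCCP.com.ibm.mq.console.MQWebUser CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

# One ICH408I message spans several lines; \s+ crosses the line breaks.
ICH408I_RE = re.compile(
    r"ICH408I\s+USER\((?P<user>\S+)\s*\)\s+GROUP\((?P<group>\S+)\s*\)\s+"
    r"NAME\([^)]*\)\s+(?P<profile>\S+)\s+CL\((?P<cls>\S+)\s*\)\s+"
    r"INSUFFICIENT ACCESS AUTHORITY\s+"
    r"ACCESS INTENT\((?P<intent>\S+)\s*\)\s+ACCESS ALLOWED\((?P<allowed>\S+)\s*\)"
)


@dataclass(frozen=True)
class Denial:
    user: str
    group: str
    profile: str
    cls: str
    intent: str
    allowed: str


def saf_path(messages_log: str) -> str:
    """'saf' if the latest CWWKB010x message says SAFCRED is available (Angel
    up: EJBROLE profiles decide), 'registry' if it says not available (Angel
    down: Liberty's own user/group mapping decides), else 'unknown'."""
    state = "unknown"
    for line in messages_log.splitlines():
        if "CWWKB0103I" in line:
            state = "saf"
        elif "CWWKB0104I" in line:
            state = "registry"
    return state


def parse_ich408i(syslog: str) -> list:
    """Extract every INSUFFICIENT ACCESS AUTHORITY denial from the syslog text."""
    return [
        Denial(m["user"], m["group"], m["profile"], m["cls"], m["intent"], m["allowed"])
        for m in ICH408I_RE.finditer(syslog)
    ]


def racf_fix(denials, profile_prefix: str, grant_role: str):
    """Return (commands, problems). Grants READ on exactly one console role
    (least privilege: the console needs only one of the three). A denied
    profile whose prefix differs from safCredentials profilePrefix is a
    server.xml mismatch, not a missing permit, so it is reported instead."""
    cmds, problems = [], []
    wanted = f"{profile_prefix}.com.ibm.mq.console.{grant_role}"
    for d in denials:
        if d.cls != "EJBROLE":
            continue
        if not d.profile.startswith(profile_prefix + "."):
            problems.append(f"profile {d.profile} does not match profilePrefix {profile_prefix}")
            continue
        if d.profile == wanted:
            cmd = f"PERMIT {d.profile} CLASS(EJBROLE) ID({d.user}) ACCESS(READ)"
            if cmd not in cmds:
                cmds.append(cmd)
    if cmds:
        cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")  # make the new permit effective
    return cmds, problems


if __name__ == "__main__":
    print("authorization path:", saf_path(MESSAGES_LOG))
    commands, issues = racf_fix(parse_ich408i(SYSLOG), "BBGCCP", "MQWebAdminRO")
    print("\n".join(commands + issues))
```

Run after a restart to learn which path is live (CWWKB0103I vs CWWKB0104I) before trusting a successful logon, and grant only the role the user actually needs; permitting all three denied profiles would hand out MQWebAdmin when read-only was the intent.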
The root cause
The root cause was that MQANGEL was or was not running. I IPLed the LPAR and MQANGEL was not running, so it all worked. I ran some automation which started MQANGEL, and from then on it did not work, until I re-IPLed, when it worked again.