Introducing Role-Based Management (RBM) for the IBM MQ Appliance
Jamie Squibb
Last week IBM MQ version 9.0.1 was released. If you have not already seen information about this update then I encourage you to read the introductory articles that have been posted to this blog (links below). This is the first continuous delivery update for version 9 and it includes support for both software MQ and the IBM MQ Appliance. Version 9.0.1 is a significant firmware update for the appliance. In addition to providing an upgrade from version 8 to version 9 it introduces support for a number of requested features that improve security, monitoring, system management and availability. This article discusses the introduction of role-based management (RBM), which provides for more granular, and flexible, user and authority management, including support for configuring an external LDAP repository. Further articles will be posted in due course that discuss this capability in more detail and other features we’ve added.
What is role-based management (RBM)?
Readers who are familiar with the appliance will know that there are two distinct types of user: those who administer the system (appliance users) and those who perform messaging operations (messaging users). RBM is a new security model for managing appliance users and the authorities assigned to them. As its name implies, users are typically authorised to perform actions through membership of groups that represent user roles, although authorities can also be granted to individual users explicitly. The security model for messaging users in 9.0.1 remains unchanged: the IBM MQ OAM is used to define which resources they can access and what actions they can perform.
RBM provides the following core capabilities:
To authenticate a user the appliance must establish that the user is valid and that they are who they claim to be. The latter is confirmed through the use of a password. In version 9.0.1 the use of role-based management allows valid users to be defined using either:
If users are defined in an XML file this provides an easy way to define the same set of users on multiple appliances. The file can be centrally deployed to the appliance using a method such as secure copy (SCP) or the new REST management interface. An XML file is also an easy way to ensure user credentials are backed up.
Many organisations use a central LDAP repository to define employee information. Using LDAP provides a central control point for security management and avoids the need for bespoke solutions throughout an enterprise. Using RBM, appliance users can be defined in an external LDAP repository and they can be authenticated using any unique attribute in their user profile, such as their employee serial number, common name or email address. The appliance can be configured to secure the connection to the LDAP repository using SSL/TLS and it is also able to connect to a pool of LDAP servers for load balancing and availability.
Once a user has been authenticated the appliance must then ascertain which resources they are authorised to see and what actions they can perform. Credential mapping is the name that RBM uses for the rules that define this information. Policies are defined that specify the authorities the users or groups have been granted, using either generic or specific access profiles that each define access to a type or class of resource. Administrators are able to quickly configure simple rules or they can build granular definitions to satisfy more complex security policies. If multiple profiles are defined that match a resource then the most specific profile applies. This allows access to be granted at a high level using a generic profile then restricted or extended for more specific types of resource. A common pattern is to use a generic profile to grant a user read-only access to the system, then introduce additional profiles for resources they are allowed to modify or not permitted to see. For each type of resource users can be independently granted authority to:
RBM also allows access policies to be restricted to specific network interfaces so, for example, more sensitive actions might only be permitted locally.
If authentication is performed using locally defined users then access policies can also be defined using local groups. Alternatively, access policies can be defined in an XML file, which can be the same file as the one in which authentication information is specified or a different one. It is important to note that an XML file must be used for credential mapping if either an XML file or an LDAP repository is used for authentication. The appliance web UI includes a wizard that helps an administrator generate this file. Once generated, the file can be deployed to other appliances as necessary.
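The rule that the most specific matching profile wins, combined with per-interface restrictions, is easy to get wrong when reviewing a policy, so here is an added illustrative model of that evaluation (it is not the appliance's own policy format or code; the resource names, the "read"/"modify" action names and the "mgmt0"/"local-console" interface names are constructed for the example):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """One access profile: actions granted on resources matching `resource`,
    optionally only when the request arrives over one of `interfaces`."""
    resource: str                              # "*", "network/*" or an exact name
    actions: frozenset
    interfaces: frozenset = frozenset({"*"})   # "*" = any management interface

def matches(pattern: str, resource: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def specificity(pattern: str) -> int:
    # Longer literal prefix means more specific; "*" is the least specific.
    return len(pattern.rstrip("*"))

def winning_profile(profiles, resource, interface):
    # Assumption of this model: interface-restricted profiles that do not cover
    # the requesting interface are ignored, so a less specific one can apply.
    candidates = [p for p in profiles
                  if matches(p.resource, resource)
                  and ("*" in p.interfaces or interface in p.interfaces)]
    return max(candidates, key=lambda p: specificity(p.resource), default=None)

def allowed(profiles, resource, action, interface="mgmt0") -> bool:
    best = winning_profile(profiles, resource, interface)
    return best is not None and action in best.actions

# Constructed "network administrator" role: read-only everywhere, full control
# of network interfaces, no visibility of user management, and firmware
# changes only from the local console.
NETWORK_ADMIN = (
    Profile("*", frozenset({"read"})),
    Profile("network/*", frozenset({"read", "modify"})),
    Profile("rbm/*", frozenset()),
    Profile("system/firmware", frozenset({"read", "modify"}),
            frozenset({"local-console"})),
)

if __name__ == "__main__":
    for res, act, iface in [("network/eth0", "modify", "mgmt0"),
                            ("rbm/users", "read", "mgmt0"),
                            ("system/firmware", "modify", "mgmt0"),
                            ("system/firmware", "modify", "local-console")]:
        print(f"{iface:13} {act:6} {res:16} -> {allowed(NETWORK_ADMIN, res, act, iface)}")
```

Note that the empty `rbm/*` profile hides user management even though the generic profile grants read access, which is the "restrict at a more specific level" pattern described above.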
Using RBM in 9.0.1 it is now possible to grant appliance users access to only a subset of the system resources. For example, network administrators can be granted authority to modify the network interfaces on the appliance without being able to modify user information. Users can also be restricted so that they can only access the appliance using specific administrative interfaces, such as the CLI, the web user interface or the REST management API. It is now also possible to grant access to system resources without granting access to the MQ configuration, because the MQ CLI and the embedded IBM MQ Console (web UI) have their own resource type for which access can be independently restricted. Access to the MQ CLI is ‘all or nothing’, but access to the IBM MQ Console can be granted to each user with either:
The latter is useful if you wish to allow a user access to the IBM MQ Console but restrict what resources they can manage using authorities defined to the MQ OAM. To use LDAP authentication for appliance users in conjunction with messaging user authorities defined to the OAM, the LDAP attribute used as the login user name must be compatible with the names of messaging users. For example, in this configuration a user cannot log in to the appliance with their email address, because an email address is not a valid name for a messaging user.
Password and account policy
RBM allows administrators to define a policy that enforces rules which passwords must satisfy for locally defined users. This policy does not apply to the other authentication methods, where any such policy is enforced elsewhere. RBM allows the following rules to be configured:
RBM also allows the following account rules to be configured:
Hopefully this blog article has provided a useful overview of the user management capabilities that role-based management (RBM) has introduced to the MQ appliance in version 9.0.1. We intend to post further articles to this blog on both RBM and the other new features in MQ and the MQ Appliance. If there are subjects you would particularly like us to cover please let us know.
IBM MQ and IBM MQ Appliance 9.0.1 Continuous Delivery Releases are available
Introducing the MQ Appliance Version 9.0.1
IBM MQ Appliance 9.0.1 KnowledgeCenter