Contents


Opt for flexibility: File-based administration security in IBM Integration Bus V10

A guide to authorizing users and fixing permission errors

Comments

With IBM Integration Bus V10, you now have the flexibility to secure access to resources by using either files (file mode) or IBM® WebSphere® MQ queues (mq mode). If you create an integration node and specify a queue manager for the node, the queues that control administration security are automatically created. If you create an integration node without specifying an associated queue manager, the node uses file-based security by default. By using file mode, you can secure your integration resources without needing to maintain dedicated WebSphere MQ queues for authorization. At any time, you can change the mode that is in effect.

This tutorial shows you how to configure file-based security to control access to an integration node and its resources. It summarizes the required permissions for administration tasks and shows you how to fix permission-related errors that can occur when administering resources in the web UI.

Required skills

Before you begin this tutorial, you must have skills in the following areas:

  • Implementation knowledge of IBM WebSphere MQ
  • Intermediate knowledge of IBM Integration Bus administration
  • Basic development skills in IBM Integration Bus

Turn on file-based security for an integration node

The mqsichangeauthmode command changes the authorization mode in use by an integration node. To turn on file-based authorization:

  1. Stop the node by using the web UI or the mqsistop command.
  2. Enter the mqsichangeauthmode command. Type the name of the node (IIB10 in this example). The -s option turns on administration security and the -m option indicates the authorization mode.
     mqsichangeauthmode IIB10 -s active -m file

    The output is:

     BIP8071I: Successful command completion.
  3. Enter the mqsireportauthmode command to display the authorization mode that is in effect for a node:
    mqsireportauthmode IIB10

    The output is:

    BIP8930I: Integration node name 'IIB10'
    Administration security = 'active' 
    Authorization mode = 'file'

Authorization levels for file-based security

File-based security supports three levels of authorizations: read, write, and execute. The mqsichangefileauth command grants and revokes authorizations. The syntax is:

mqsichangefileauth <integrationNodeName> -r <role> -p <permissions> -e <integrationServerName>

You can specify more than one permission by using comma-separated values. You grant permissions to a user by specifying the type of permission followed by the plus sign (+). You revoke a permission by specifying the permission followed by the minus sign (-). For example, the following command grants read permission to the user IIBuser on the IIB10 integration node. The -r option specifies the name of the user role, in this case IIBuser.

mqsichangefileauth IIB10 -r IIBuser -p read+

This command grants both read and write permissions to the user IIBuser on the default integration server.

mqsichangefileauth IIB10 -r IIBuser -e default -p read+,write+

You must log off and log back in to the web user interface so that new permissions take effect.

Table 1 summarizes the required authorization permissions for administration tasks in IBM Integration Bus. You can grant or revoke all permissions by specifying all+ or all- as the value of the -p option.

Table 1. Administration tasks and their required authorization permissions
TasksTask categoryFile-based permissions
Log in to the web UI Integration node read+
Create and delete an integration server Integration node read+,write+
Read the properties of an integration server Integration server read+
Set and remove the properties of an integration server Integration server read+,write+
Deploy bar files Integration server read+,write+,execute+
Stop and start message flows Integration server read+,execute+
Remove message flows Integration server read+,write+,execute+
Turn statistics on and off Integration server read+,execute+
Create and delete configurable services Integration node read+,write+
Start and stop a recording Integration node read+,write+,execute+

The following sections describe error scenarios that can occur when you lack the required permissions for an administration task. Each scenario shows the commands that you need to resolve the error.

Scenario 1: Unable to access the web UI (requires read permission)

To access the web UI for IBM Integration Bus, you need both authentication credentials and authorization permissions. Use the mqsiwebuseradmin command to create a user account and set a password for that account. The following example creates a web account for the user IIBuser and an account password. The integration node is IIB10.

mqsiwebuseradmin IIB10 -c -u IIBuser -a <password>

You need read permission on an integration node to access the web UI. When you do not have read permission, the UI displays the error shown in Figure 1.

Figure 1. Login error when a user lacks permissions to access the web UI
Login error when a user lacks permissions to access the web                     UI
Login error when a user lacks permissions to access the web UI

To grant read access to a user for an integration node:

  1. Enter the mqsichangefileauth command and specify read+ as the value of the -p option:
     mqsichangefileauth IIB10 -r IIBuser -p read+

    The output is:

    BIP8071I: Successful command completion.
  2. Verify the permissions. In the output, a minus sign (-) following a permission indicates that the user does not have the permission.
     mqsireportfileauth IIB10 -r IIBuser

    The output is:

    BIP8931I: Role = 'IIBuser', 
    Resource = '',
    Permissions ='read+,write-,execute-'
  3. Log in to the web interface again. Verify that you can successfully access the node as shown in Figure 2.
    Figure 2. Successful read access to an integration node
    Successful read access to an integration node
    Successful read access to an integration node

Scenario 2: Unable to create an integration server (requires read and write permissions)

You need both read and write permissions to create an integration server. Figure 3 shows the error that the UI displays when you do not have the required permissions.

Figure 3. Error message when a user lacks write permission to create an integration server
Error message when a user lacks write permission to create an                     integration server
Error message when a user lacks write permission to create an integration server

To grant read and write access to a user for an integration node:

  1. Enter the mqsichangefileauth command and specify read+,write+ as the value of the -p option.
     mqsichangefileauth IIB10 -r IIBuser -p read+,write+

    The output is:

     BIP8071I: Successful command completion.
  2. Verify the permissions.
     mqsireportfileauth IIB10 -r IIBuser

    The output is:

    BIP8931I: Role = 'IIBuser',
    Resource = '',
    Permissions = 'read+,write+,execute-'
  3. Create the default integration server.
    1. On the left pane of the web UI, click the menu next to Servers.
    2. Select Create and specify the name of the integration server.

    The UI displays a message when you successfully create an integration server (Figure 4).

    Figure 4. Successful creation of a default integration server
    Successful creation of a default integration                     server
    Successful creation of a default integration server

Scenario 3: Cannot view properties for an integration server (requires read permission)

You must have read permission on an integration server to view the server's properties. To verify that you have the required permission, expand the Servers entry and click any integration server. If you see a lock symbol to the left of the integration server, you do not have the required permission to view properties such as REST APIs and message flows. In Figure 5, note the lock symbol to the left of the default integration server.

Figure 5. Lock symbol on the integration server indicates lack of read permission
Lock symbol on the integration server indicates lack of                     read permission
Lock symbol on the integration server indicates lack of read permission

To grant read permission to a user for an integration server:

  1. Enter the mqsichangefileauth command and specify read+ as the value of the -p option.
    mqsichangefileauth IIB10 -r IIBuser -e default -p read+

    The output is:

     BIP8071I: Successful command completion.
  2. Verify the permissions.
    mqsireportfileauth IIB10 -e default -r IIBuser

    The output is:

    BIP8931I: Role = 'IIBuser',
    Resource = 'default',
    Permissions = 'read+,write-,execute-'
    BIP8071I: Successful command completion.
  3. In the web UI, view the properties of the integration server. Figure 6 shows the properties of the default integration server.
    Figure 6. The properties of the default integration server
    The properties of the default integration                             server
    The properties of the default integration server

Scenario 4: Unable to modify properties for an integration server (requires read and write permissions)

You must have both read and write permissions to an integration server to modify the values of a server's properties. If you attempt to modify the value of a property but you do not have the required permissions, the web UI displays an error (Figure 7).

Figure 7. UI error message when a user lacks permissions to modify properties
UI error message when a user lacks permissions to modify properties
UI error message when a user lacks permissions to modify properties

To grant read and write permissions to a user:

  1. Enter the mqsichangefileauth command and specify both read+ and write+ as the values of the -p option. In this example, the integration server is the default server.
    mqsichangefileauth IIB10 -r IIBuser -e default -p read+,write+

    The output is:

     BIP8071I: Successful command completion
  2. Verify the permissions.
     mqsireportfileauth IIB10 -e default -r IIBuser

    The output is:

    BIP8931I: Role = 'IIBuser',
    Resource = 'default',
    Permissions = 'read+,write+,execute-'
  3. Modify the value of a property on the default integration server. As shown in Figure 8, the web UI displays a message indicating that the value is successfully saved.
    Figure 8. Successful modification of properties for an integration server
    Successful modification of properties for an integration                     server
    Successful modification of properties for an integration server

Scenario 5: Unable to deploy files or start and stop message flows (requires execute permission)

You must have execute permission to deploy a bar file or to start and stop message flows on an integration server. For each integration server, the web UI displays a menu to the right of the server. This menu contains options for various administration tasks. As shown in Figure 9, a missing menu next to the default server indicates that you do not have the required permissions for tasks that are available on that menu.

Figure 9. Missing arrow indicates lack of execute permission for deploying files
Missing arrow indicates lack of execute permissions for                     deploying files
Missing arrow indicates lack of execute permissions for deploying files

To grant execute permission on the default integration server:

  1. Enter the mqsichangefileauth and specify execute+ as the value of the -p option.
    mqsichangefileauth IIB10 -r IIBuser -e default -p execute+

    The output is:

     BIP8071I: Successful command completion.
  2. Verify the permissions. In this example, the user IIBuser currently has both read and write permissions. The execute permission is granted and the output lists all three permissions.
     mqsireportfileauth IIB10 -e default -r IIBuser

    The output is:

    BIP8931I: Role = 'IIBuser',
    Resource = 'default',
    Permissions = 'read+,write+,execute+'
    BIP8071I: Successful command completion.
  3. Deploy the bar file on the default integration server. Figure 10 shows that the Deploy menu option is now available.
    Figure 10. The Deploy option is available in the UI
    The Deploy option is available in the UI
    The Deploy option is available in the UI
  4. The menu for starting and stopping message flows is also available (Figure 11). To stop a message flow, click the menu to the right of the message flow and select Stop.
    Figure 11. Successful stopping of a message flow
    Successful stopping of a message flow
    Successful stopping of a message flow

Conclusion

In this tutorial, you learned how to use file-based security in WebSphere IBM Integration Bus v10.0. The tutorial described several error scenarios that are caused by authentication errors. It showed the commands that you need to grant the required permissions.

Acknowledgements

The author thanks Rajish E Pattavalapil, Venu Movva, and Ganesh Gopalakrishnan for their assistance and valuable input during the creation of this tutorial.


Downloadable resources


Related topics


Comments

Sign in or register to add and subscribe to comments.

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Middleware, Security
ArticleID=1028342
ArticleTitle=Opt for flexibility: File-based administration security in IBM Integration Bus V10
publish-date=03182016