[OpenShift Container Platform][MQ 9.4.0 Jun 2024]

Configuring the IBM MQ Console with a basic registry using the IBM MQ Operator

To log in to the IBM® MQ Console, you can supply your own configuration to the queue manager.

Before you begin

If you are deploying a queue manager with an IBM MQ Advanced for Developers license, there is a simple configuration built in. See Example queue manager YAML, which describes how to specify passwords for the admin and app users. If you are deploying an IBM Cloud Pak® for Integration license queue manager, you can enable integration with the IBM Cloud Pak for Integration Keycloak to log in to the IBM MQ Console using Single Sign-On. See Connecting to the IBM MQ Console deployed in a Red Hat OpenShift cluster.

Procedure

  1. Create a password and encrypt it using securityUtility.

    A ConfigMap is used to store the credentials you use to access your queue manager. For improved security, you encode these credentials with the securityUtility command.

    Alternatively you can use a Secret, which protects credentials in the Kubernetes layer. However, monitoring or troubleshooting tools might expose the underlying file insecurely.

  2. Optional: Log in to the Red Hat OpenShift command line interface (CLI).

    If using the OpenShift CLI, log in using oc login.

    Alternatively you can use the OpenShift console.

  3. Create a ConfigMap with your configuration.

    For help with creating the XML configuration, see IBM MQ Console and REST API security.

    The following example creates a user within the group MQWebAdminGroup. Members of the MQWebAdminGroup are assigned the MQWebAdmin role. In this example:
    • You must replace the USERNAME and PASSWORD with your own values, using the encoded password created in step 1 for PASSWORD. Note that USERNAME is used twice in the example.

    • You must specify the NAMESPACE as the one in which your IBM MQ Operator is deployed and where your queue manager will be, or already is, deployed.

    1. Use the OpenShift console or the command line to create the following ConfigMap:
      kind: ConfigMap
      apiVersion: v1
      metadata:
        name: mqwebuserconfigmap
        namespace: NAMESPACE
      data:
        mqwebuser.xml: |
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
            <featureManager>
              <feature>appSecurity-2.0</feature>
              <feature>basicAuthenticationMQ-1.0</feature>
            </featureManager>
            <enterpriseApplication id="com.ibm.mq.console">
              <application-bnd>
                <security-role name="MQWebAdmin">
                  <group name="MQWebAdminGroup" realm="defaultRealm"/>
                </security-role>
              </application-bnd>
            </enterpriseApplication>
            <basicRegistry id="basic" realm="defaultRealm">
              <user name="USERNAME" password="PASSWORD"/>
              <group name="MQWebAdminGroup">
                <member name="USERNAME"/>
              </group>
            </basicRegistry>           
          </server>
      
    2. Optional: If using the command line, apply the ConfigMap:
      oc apply -f mqwebuserconfigmap.yaml
    For the remaining steps, choose one of the following options:
    • Deploy a new queue manager with the configuration to access the IBM MQ Console.

    • Apply configuration that gives the IBM MQ Console access to an existing queue manager.

  4. Optional: Deploy a new queue manager with the configuration to access the IBM MQ Console.
    1. Create your queue manager.
      Set the authentication and authorization providers to manual and supply the newly created ConfigMap mqwebuserconfigmap through one of the following options:
      • Option 1: Through the queue manager YAML

        Add the following code under the web section of the queue manager YAML:

        ...
        web:
            enabled: true
            console:
              authentication:
                provider: manual
              authorization:
                provider: manual
            manualConfig:
              configMap:
                name: mqwebuserconfigmap
      • Option 2: Through the OpenShift console Form view:
        1. On the OpenShift console, select Operators > Installed Operators.
        2. Select your deployment of the IBM MQ Operator.
        3. Select Queue Manager and click Create QueueManager.
        4. Select the relevant options for your queue manager.
        5. Select Web and set Enable web server to true.
        6. Open the Advanced configuration list box.
        7. Under the Console list box, set the provider for both Authentication and Authorization to manual.
        8. Open the Configuration list box.
        9. Open the ConfigMap list box and select the ConfigMap mqwebuserconfigmap that was created in step 3.
        10. Click Create.

      You can now access the IBM MQ Console of your new queue manager through the credentials specified in the ConfigMap created in step 3.

  5. Optional: Apply configuration that enables the IBM MQ Console for an existing queue manager.

    Edit the YAML of the queue manager for which you are enabling the IBM MQ Console:

    1. On the OpenShift console select Operators > Installed Operators.
    2. Select your deployment of the IBM MQ Operator.
    3. Select Queue Manager and select the name of your queue manager.
    4. Select YAML.
    5. Replace the existing web section of the queue manager YAML with the following code:
      ...
      web:
          enabled: true
          console:
            authentication:
              provider: manual
            authorization:
              provider: manual
          manualConfig:
            configMap:
              name: mqwebuserconfigmap
    6. Click Save.

    You can now access the IBM MQ Console of your existing queue manager through the credentials specified in the ConfigMap created in step 3.
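
A check to run on the mqwebuser.xml from steps 1 and 3 before the ConfigMap is applied, given here as an added example and not IBM's code: it reports template placeholders left in place, passwords that were not passed through securityUtility, and group members that do not match a defined user. The function name lint_mqwebuser and the sample user names are made up for illustration; {xor}, {aes} and {hash} are the prefixes that Liberty's securityUtility encode puts on its output.

```python
import xml.etree.ElementTree as ET
# Prefixes that Liberty's securityUtility encode writes in front of its output.
ENCODED_PREFIXES = ("{xor}", "{aes}", "{hash}")

def lint_mqwebuser(xml_text):
    """Return a list of findings for the basic registry in an mqwebuser.xml."""
    root = ET.fromstring(xml_text.strip())  # the XML declaration must come first
    registry = root.find("basicRegistry")
    if registry is None:
        return ["no <basicRegistry> element found"]
    findings, users, groups = [], set(), {}
    for user in registry.findall("user"):
        name, password = user.get("name", ""), user.get("password", "")
        users.add(name)
        if name == "USERNAME" or password == "PASSWORD":
            findings.append(f"user {name!r}: template placeholder not replaced")
        elif not password.startswith(ENCODED_PREFIXES):
            findings.append(f"user {name!r}: password is in plain text")
        elif password.startswith("{xor}"):
            findings.append(f"user {name!r}: {{xor}} is reversible obfuscation, not encryption")
    for group in registry.findall("group"):
        members = [m.get("name") for m in group.findall("member")]
        groups[group.get("name")] = members
        for member in members:
            if member not in users:  # USERNAME appears twice; both must match
                findings.append(f"group {group.get('name')!r}: member {member!r} is not a defined user")
    # A role bound to a group that is absent or empty gives nobody console access.
    for role in root.iter("security-role"):
        for bound in role.findall("group"):
            if not groups.get(bound.get("name")):
                findings.append(f"role {role.get('name')!r}: group {bound.get('name')!r} is missing or empty")
    return findings

# Constructed sample: plain-text password and a member name that does not match the user.
SAMPLE = """
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <enterpriseApplication id="com.ibm.mq.console"><application-bnd>
    <security-role name="MQWebAdmin"><group name="MQWebAdminGroup" realm="defaultRealm"/></security-role>
  </application-bnd></enterpriseApplication>
  <basicRegistry id="basic" realm="defaultRealm">
    <user name="mqadmin" password="example-plain-text"/>
    <group name="MQWebAdminGroup"><member name="mqadmn"/></group>
  </basicRegistry>
</server>
"""

if __name__ == "__main__":
    print("\n".join(lint_mqwebuser(SAMPLE)))
```

Run it on the contents of the mqwebuser.xml key; an empty result means none of these checks fired.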