[MQ 9.4.0 Jun 2024]

Determining the security principal used by the messaging REST API

When you use the messaging REST API, an appropriate user must be authorized to access the queue managers, queues, and topics that you want to connect to for messaging. The user that needs to be authorized depends on how your mqweb server is configured, and whether you are using remote queue managers with the messaging REST API.

By default, the security principal that is used to authorize access to the queue manager is the user that starts the mqweb server that runs the messaging REST API. The security principal that is used to authorize access to the queues and topics is the user that is logged in to the messaging REST API. However, your mqweb server or remote queue manager connection might be configured such that a different security principal is used.

Determining the security principal that is used to connect to the queue manager

For local queue manager connections, the security principal that is used to connect to the queue manager is the user that starts the mqweb server that runs the messaging REST API. For remote queue manager connections, the following security principals are used by the messaging REST API to authorize access to the queue manager, in order of priority. That is, if users are specified in multiple ways within the remote queue manager configuration, the first in the list is used for authorization.
  1. The security principal is an adopted user context from a security exit.
  2. The security principal is an adopted user context in a CHLAUTH rule on the server-connection channel that is used to connect to the remote queue manager.
  3. The security principal is the user ID that is included in the remote queue manager configuration for the messaging REST API. This user ID is optionally included in the queue manager connection information when you add the queue manager with the setmqweb remote command.
  4. The security principal is the user that starts the mqweb server that runs the messaging REST API.
For more information about setting up remote queue managers to use with the messaging REST API, see Setting up a remote queue manager to use with the messaging REST API.

Determining the security principal that is used to connect to queues and topics

You can set a property in the mqweb server configuration to determine what security principal is used to authorize connections to queues and topics when you use the messaging REST API. This property is the mqRestMessagingAdoptWebUserContext property. You can view what this property is set to by using the dspmqweb properties command.
  • If mqRestMessagingAdoptWebUserContext is set to true, then the messaging REST API uses the user ID of the user that is logged in to the messaging REST API for authorization. Therefore, the user ID or user IDs that exist in the mqweb server configuration for use with the messaging REST API are the security principals that must be authorized to access the queues and topics.
  • If mqRestMessagingAdoptWebUserContext is set to false, then the messaging REST API uses the user ID of the user that started the mqweb server that hosts the messaging REST API for authorization. Therefore, a user ID that is the same as the user ID that starts the mqweb server that hosts the messaging REST API must be authorized to access the queues and topics.
    If your queues and topics are on a remote queue manager, the security principal that is used for authorization might be determined by settings in the queue manager configuration. The following security principals might be used, in order of priority:
    1. The security principal is an adopted user context from a security exit.
    2. The security principal is an adopted user context in a CHLAUTH rule on the server-connection channel that is used to connect to the remote queue manager. For example, you can configure a CHLAUTH rule on the server-connection channel to use the MCAUSER parameter. Then, all connections are mapped to a user ID that is authorized to use the queue manager.
    3. The security principal is an adopted user context from the AUTHINFO of the queue manager. If the AUTHINFO object that is referred to by the CONNAUTH attribute of the queue manager is configured to use ADOPTCTX(YES), then the security principal that is used to authorize connections to the queue manager is also used to authorize access to the queues and topics. For example, this security principal might be the user ID that is included in the remote queue manager connection information as part of the setmqweb remote command.
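As an added example that is not part of the IBM MQ documentation, the following Python encodes the two priority lists above (queue manager connection, then queues and topics) as a resolver an administrator can run against the values collected from dspmqweb properties and the queue manager definitions before granting authorities. The field names are hypothetical; the remote-queue-manager overrides for queues and topics are applied only when mqRestMessagingAdoptWebUserContext is false, following the structure of this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MqwebConfig:
    """Inputs collected from dspmqweb properties and the queue manager (hypothetical field names)."""
    mqweb_start_user: str                    # user that started the mqweb server
    logged_in_user: str                      # user authenticated to the messaging REST API
    remote: bool = False                     # False: local queue manager connection
    adopt_web_user_context: bool = True      # mqRestMessagingAdoptWebUserContext
    exit_adopted_user: Optional[str] = None  # user context adopted by a security exit
    chlauth_mcauser: Optional[str] = None    # MCAUSER applied by a CHLAUTH rule on the SVRCONN channel
    configured_user: Optional[str] = None    # user ID supplied with setmqweb remote
    connauth_adoptctx: bool = False          # ADOPTCTX(YES) on the AUTHINFO named by CONNAUTH


def queue_manager_principal(cfg: MqwebConfig) -> str:
    """Principal that must be authorized to connect to the queue manager (priority order 1-4)."""
    if not cfg.remote:
        return cfg.mqweb_start_user
    for candidate in (cfg.exit_adopted_user, cfg.chlauth_mcauser, cfg.configured_user):
        if candidate:
            return candidate
    return cfg.mqweb_start_user


def queue_topic_principal(cfg: MqwebConfig) -> str:
    """Principal that must be authorized on the queues and topics."""
    if cfg.adopt_web_user_context:
        return cfg.logged_in_user            # property true: the REST API login user
    if cfg.remote:
        if cfg.exit_adopted_user:
            return cfg.exit_adopted_user
        if cfg.chlauth_mcauser:
            return cfg.chlauth_mcauser
        if cfg.connauth_adoptctx:
            # ADOPTCTX(YES): the connection principal is reused for queue and topic checks
            return queue_manager_principal(cfg)
    return cfg.mqweb_start_user             # property false: the mqweb server's own user


def required_authorities(cfg: MqwebConfig) -> dict:
    """Summary of which user ID needs which authorization for this configuration."""
    return {"queue_manager": queue_manager_principal(cfg),
            "queues_and_topics": queue_topic_principal(cfg)}


if __name__ == "__main__":
    # Constructed sample: remote queue manager, REST user not adopted, ADOPTCTX(YES)
    sample = MqwebConfig("mqweb", "alice", remote=True, adopt_web_user_context=False,
                         configured_user="restapp", connauth_adoptctx=True)
    print(required_authorities(sample))
```

Run it against each queue manager your mqweb server connects to; the resulting user IDs are the ones that need setmqaut or equivalent authority records, and a CHLAUTH MCAUSER appearing in the output is a reminder that all REST connections on that channel share one identity.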