Enabling security for record and replay

You can restrict the users who can view and replay data for an integration server managed by an integration node, or an independent integration server, by enabling administration security and setting permissions for specified roles.

Before you begin

Read the following topics:

About this task

If you do not enable administration security, any user can complete any action against an integration node and its resources, or an integration server and its resources. You can enable administration security and specify the authorization mode for an integration node or an integration server by using the mqsichangeauthmode command.

Procedure

To enable security for record and replay, complete the following steps:

  1. Stop the integration node or integration server:
    • To stop an integration node or an integration server managed by an integration node, stop the integration node by using the web user interface or by running the mqsistop command.
    • For an independent integration server, stop the integration server by stopping its IntegrationServer process. For more information, see Stopping an integration server.
  2. Enable administration security for an integration node, or an integration server, and specify an authorization mode by using the mqsichangeauthmode command.
    For example, to enable administration security with the file-based authorization mode for the ACE11NODE integration node, enter the following command:
    mqsichangeauthmode ACE11NODE -s active -m file
    where -s active enables administration security for the integration node, and -m file specifies the file-based authorization mode.

    For more information, see Enabling administration security.

  3. Define the roles and their associated permissions:
    • If the integration node or integration server is configured to use file-based authorization (file mode), you define the roles and associated permissions on the integration node or integration server, by using the mqsichangefileauth command. For information about setting permissions for file-based authorization, see Setting file-based permissions.
    • If the integration node or integration server is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system that is running your integration node, or integration server. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    One or more web user IDs can be assigned to each role, and the permissions that were granted to the role are automatically granted to all web user IDs that are assigned to it. For more information, see Role-based security and Managing web user accounts.
  4. To allow users with an assigned role to run record and replay queries on the integration server, set the required permissions for the role, using either file-based or queue-based permissions, depending on the authorization mode that is set for the integration node or integration server:
    • If you are using file-based authorization, set read+ permission for the role for actions on the integration node or the integration server. For more information about file-based authorization, see Setting file-based permissions.
    • If you are using queue-based authorization, set +inq permission for the role for actions on the queues SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.EG. For more information about queue-based authorization, see Setting queue-based permissions.
  5. You must also set the required permissions for recording to control the record and replay actions that users with a specified role (such as ibmuser) can complete on the integration node or integration server. Ensure that the role has the appropriate authorization to complete the required actions, as described in Controlling access to data and resources in the web user interface.
    To change permissions for an integration node, or integration server that is using file-based authorization, see Setting file-based permissions. To change permissions for an integration node, or integration server that is using queue-based permissions, see Setting queue-based permissions.
  6. Create a web user account by using the mqsiwebuseradmin command, and specify a role for the account. This account is the one that you will use to log on to the web user interface for viewing and replaying data.
    For more information, see Managing web user accounts.
  7. Start the integration node or integration server:
    • Start an integration node or an integration server managed by an integration node, by using the web user interface or by running the mqsistart command.
    • For an independent integration server, start the integration server by using the IntegrationServer command. For more information, see Starting an integration server.
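
The file-based path through steps 1 to 7 for an integration node, written out as an added example (it is not taken from the product documentation). It prints the command sequence as a dry run and, on request, runs it and stops at the first failing step. The function names plan and apply, the web user rruser and the ACE_WEB_PW variable are assumptions made for the example; the step 5 permissions are not given on this page, so they appear only as a marked line to fill in.

```shell
#!/bin/sh
# Added example: file-mode record and replay security for one integration node.
# ACE11NODE and ibmuser come from the page; rruser and ACE_WEB_PW are assumed names.

# plan NODE ROLE WEBUSER: print the commands in procedure order, one per line.
plan() {
  node=$1 role=$2 user=$3
  for v in "$node" "$role" "$user"; do
    case $v in
      # Reject empty names and anything that could alter the command line.
      ''|*[!A-Za-z0-9_.]*) echo "invalid name: '$v'" >&2; return 2 ;;
    esac
  done
  # The password is referenced by variable so it never appears in the plan.
  cat <<EOF
mqsistop $node
mqsichangeauthmode $node -s active -m file
mqsichangefileauth $node -r $role -p read+
# step 5: add the record and replay permissions for $role (see Setting file-based permissions)
mqsiwebuseradmin $node -c -u $user -r $role -a "\$ACE_WEB_PW"
mqsistart $node
EOF
}

# apply NODE ROLE WEBUSER: run the plan, stopping at the first failing step
# so that the node is not restarted with security only partly configured.
apply() {
  [ -n "${ACE_WEB_PW:-}" ] || { echo "set ACE_WEB_PW first" >&2; return 2; }
  steps=$(plan "$@") || return
  printf '%s\n' "$steps" | while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    eval "$cmd" </dev/null || { echo "failed: $cmd" >&2; exit 1; }
  done
}

# Dry run: show what would be executed for the page's example node and role.
plan ACE11NODE ibmuser rruser
```

Review the printed plan first, then call apply with the same arguments from the command environment of the installation that owns the integration node.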

What to do next

To view data that has been recorded, see Viewing recorded data. To replay data that has been recorded, see Replaying data.