LDAP part 2: Updating the IBM MQ backup for LDAP authorization information

IBM® MQ provides fine-grained authorization rules that control access to IBM MQ objects. If you changed authentication and authorization to LDAP, the existing authorization rules might be invalid and require updating.

Before you begin

This task assumes that you have updated the backup for the LDAP server.

About this task

Do I need to do this?

If you are already using LDAP for authentication and authorization, then no changes are required. If you are not sure whether LDAP is being used, see Optional: Configuring LDAP.

There are two parts to updating the LDAP authorization information:

  1. Remove all existing authorization from the file.
  2. Define new authorization information for LDAP.

Procedure

  1. Remove all existing authorization from the file.

    In the backup file, near to the end of the file, you should see several entries that start with SET AUTHREC:

    A screen capture of the backup.mqsc code, showing a SET AUTHREC entry.

    Find the existing entries and delete them. The most straightforward approach is to remove all the existing SET AUTHREC rules, then create new entries based on the LDAP entries.

  2. Define new authorization information for LDAP.

    Depending on your queue manager configuration, and on the number of resources and groups, this could be either a time-consuming or a straightforward activity. The following example assumes that your queue manager has only a single queue called Q1, and that you want to allow the LDAP group apps to have access.

    
    SET AUTHREC GROUP('apps') OBJTYPE(QMGR) AUTHADD(ALL)
    SET AUTHREC PROFILE('Q1') GROUP('apps') OBJTYPE(QUEUE) AUTHADD(ALL)
    

    The first AUTHREC command adds permission to access the queue manager, and the second provides access to the queue. If access to a second queue is required, then a third AUTHREC command is needed, unless you decide to use wildcards to provide more generic access.

    Here is another example. If an administrator group (called admins) needs full access to the queue manager, add the following commands:

    
    SET AUTHREC PROFILE('*') OBJTYPE(QUEUE) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(TOPIC) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(CHANNEL) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(CLNTCONN) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(AUTHINFO) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(LISTENER) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(NAMELIST) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(PROCESS) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(SERVICE) GROUP('admins') AUTHADD(ALL)
    SET AUTHREC PROFILE('*') OBJTYPE(QMGR) GROUP('admins') AUTHADD(ALL)
    
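    The two steps above (strip the old SET AUTHREC entries, then append LDAP-based ones) can be scripted so that the edit is repeatable and nothing is missed. The following is an added example written for this page, not an IBM MQ tool: it removes SET AUTHREC commands from backup.mqsc text, including commands split over MQSC continuation lines, and generates the apps and admins entries shown above. The queue names, group names and sample backup text are constructed.

```python
"""Rewrite the SET AUTHREC section of an MQSC backup for LDAP groups.
Hypothetical helper written for this example; it is not an IBM MQ tool."""
import re

# Object types the admin group is granted on PROFILE('*'), as listed on the page
ADMIN_OBJTYPES = ("QUEUE", "TOPIC", "CHANNEL", "CLNTCONN", "AUTHINFO",
                  "LISTENER", "NAMELIST", "PROCESS", "SERVICE", "QMGR")
# MQSC continues a command on the next line when the line ends with '+' or '-'
_CONTINUES = re.compile(r"[+-]\s*$")
_AUTHREC = re.compile(r"SET\s+AUTHREC\b", re.IGNORECASE)

def _q(name: str) -> str:
    """Quote an MQSC string: a single quote inside the value is doubled."""
    return "'" + name.replace("'", "''") + "'"

def remove_authrec(mqsc_text: str) -> str:
    """Drop every SET AUTHREC command, including ones spread over continuation lines."""
    kept, skipping = [], False
    for line in mqsc_text.splitlines():
        body = line.strip()
        if skipping or _AUTHREC.match(body):
            # skip this line; keep skipping while the command continues
            skipping = bool(_CONTINUES.search(body))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

def ldap_authrec(queues, app_group="apps", admin_group=None, auth="ALL"):
    """Build the replacement commands: the application group gets the queue
    manager plus each named queue; an admin group, if given, gets '*' on every
    object type. AUTHADD defaults to ALL as in the page's examples; pass a
    narrower comma-separated authority list to grant the application less."""
    cmds = [f"SET AUTHREC GROUP({_q(app_group)}) OBJTYPE(QMGR) AUTHADD({auth})"]
    for queue in queues:
        cmds.append(f"SET AUTHREC PROFILE({_q(queue)}) GROUP({_q(app_group)}) "
                    f"OBJTYPE(QUEUE) AUTHADD({auth})")
    if admin_group:
        for objtype in ADMIN_OBJTYPES:
            cmds.append(f"SET AUTHREC PROFILE('*') OBJTYPE({objtype}) "
                        f"GROUP({_q(admin_group)}) AUTHADD(ALL)")
    return cmds

def rebuild_backup(mqsc_text, queues, app_group="apps", admin_group=None):
    """Return the backup text with old AUTHRECs removed and LDAP ones appended."""
    new = "\n".join(ldap_authrec(queues, app_group, admin_group))
    return remove_authrec(mqsc_text) + new + "\n"

# Constructed sample of a backup.mqsc tail (not taken from a real queue manager)
SAMPLE = """DEFINE QLOCAL('Q1') REPLACE
SET AUTHREC PROFILE('Q1') PRINCIPAL('mqm') OBJTYPE(QUEUE) +
    AUTHADD(ALL)
SET AUTHREC GROUP('mqm') OBJTYPE(QMGR) AUTHADD(ALL)
"""

if __name__ == "__main__":
    print(rebuild_backup(SAMPLE, ["Q1"], "apps", "admins"))
```

    Run the result through a diff against the original backup before applying it with runmqsc, so that every removed and added AUTHREC is reviewed.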

What to do next

You are now ready to change the IP addresses and host names in the IBM MQ configuration.