You can use the console to add and delete authentication information objects on a queue
manager. You can also view and set the properties, and manage the authority records for the
objects.
About this task
The authentication information view lists the authentication information that exists for a
specific queue manager. You can select individual authentication information from the list to work
with.
The queue manager authentication information forms part of IBM® MQ support for Transport Layer Security (TLS). These objects
contain the definitions that are required to perform certificate revocation checking by using OCSP
or Certificate Revocation Lists (CRLs) on LDAP servers, and the definitions that are required to
enable user ID and password checking.
Procedure
- To view the authentication information for a queue manager:
  - Ensure that the queue manager is running, and select it in the queue manager list.
  - Select View configuration from the menu.
  - Ensure the Security tab is selected.
  - Select Authentication information from the navigation panel.
- To add an authentication information object:
  - Click the create button in the authentication information list view.
  - Specify the name of the authentication information object. Valid characters are letters and
    numbers and the ., /, _, and % characters.
  - Specify the type of authentication information object.
  - Specify additional information appropriate to the object type:
    - For CRL LDAP, specify the LDAP server name. This
      name is the host name, IPv4 dotted decimal address, or IPv6 hexadecimal notation of the host on
      which the LDAP server is running, with an optional port number. You can optionally specify a
      username and password for the user accessing the LDAP server.
    - For OCSP, specify the OCSP responder URL. This URL
      is the URL of the responder that is used to check for certificate revocation. This value must be an
      HTTP URL containing the host name and port number of the OCSP responder. If the OCSP responder is
      using port 80, which is the default for HTTP, then the port number can be omitted. HTTP URLs are
      defined in RFC 1738.
    - For IDPW OS, there are no additional requirements although you can
      optionally specify further options for this authentication type.
    - For IDPW LDAP, specify the LDAP server name and the
      Short user name. The LDAP server name is the host name, IPv4 dotted decimal
      address, or IPv6 hexadecimal notation of the host on which the LDAP server is running, with an
      optional port number. The short user name is the field in the LDAP user record that is used as a
      short name for the connection. You can optionally specify further options for this authentication
      type.
  - Click Add.
- To delete an authentication information object:
  - Select the spanner icon for the authentication information object that you want to delete from the list.
  - In the object properties view, click Delete authentication info object.
  - Confirm that you want to delete the authentication information object by clicking
    Delete. The object is deleted.
- To view and edit the properties of an authentication information object:
  - Select the spanner icon for the authentication information object that you want to view from the list.
  - To edit the displayed properties, click the Edit button.
  - Edit the properties as required. If the property text box is disabled, the property is
    read-only, or can be edited only from the command line.
  - Click Save to save your changes.
- To view and edit authority records for an authentication information object:
  - Select the spanner icon for the authentication information object whose authority records you
    want to view from the list.
  - Select the Security tab.
  - To edit or delete an existing authority record, select Edit or Delete from the menu.
  - To add a new authority record, click the Add button, supply the details of the new authority
    record and click Create.
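
A pre-flight check for the values entered when adding an authentication information object, as an added example (not IBM's code and not part of the console): it applies the name, LDAP server name and OCSP responder URL rules stated in the add step above. The function names and the host(port) notation for the optional LDAP port are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

NAME_RE = re.compile(r"[A-Za-z0-9./_%]+")  # characters the page lists as valid
# Assumption: an optional port is written in the host(port) form.
CONN_RE = re.compile(r"(?P<host>[^()\s]+)(?:\((?P<port>\d{1,5})\))?")
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")

def _valid_host(host):
    """Accept an IPv4 or IPv6 address, otherwise fall back to host-name syntax."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOST_RE.fullmatch(host))

def check_ldap_server(value):
    m = CONN_RE.fullmatch(value or "")
    port_ok = bool(m) and (m["port"] is None or 1 <= int(m["port"]) <= 65535)
    if not (m and port_ok and _valid_host(m["host"])):
        return ["LDAP server name must be a host name or IP address, optionally with a port"]
    return []

def check_ocsp_url(value):
    try:
        url = urlsplit(value or "")
        port = url.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return ["OCSP responder URL is malformed"]
    if url.scheme != "http" or not url.hostname or port == 0:
        return ["OCSP responder URL must be an HTTP URL with a host name"]
    return []  # the port may be omitted when the responder listens on port 80

def check_authinfo(name, authtype, ldap_server=None, ocsp_url=None, short_user=None):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if not NAME_RE.fullmatch(name or ""):
        problems.append("name may contain only letters, numbers and . / _ %")
    if authtype not in ("CRL LDAP", "OCSP", "IDPW OS", "IDPW LDAP"):
        problems.append("unknown authentication information type")
    if authtype in ("CRL LDAP", "IDPW LDAP"):
        problems += check_ldap_server(ldap_server)
    if authtype == "IDPW LDAP" and not short_user:
        problems.append("IDPW LDAP requires a short user name")
    if authtype == "OCSP":
        problems += check_ocsp_url(ocsp_url)
    return problems
```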