[OpenShift Container Platform][MQ 9.4.0 Jun 2024][Amazon EKS]

Configuring the IBM MQ Console with a basic registry using the IBM MQ Operator

To log in to the IBM® MQ Console, you can supply your own configuration to the queue manager.

Before you begin

If you are deploying a queue manager with an IBM MQ Advanced for Developers license, there is a simple configuration built in. See Example queue manager YAML that describes how to specify passwords for admin and app users. If you are deploying an IBM Cloud Pak® for Integration license queue manager on the Red Hat® OpenShift® Container Platform only, you can enable integration with the IBM Cloud Pak for Integration Keycloak to log in to the IBM MQ Console using Single Sign-On. See Connecting to the IBM MQ Console.

Procedure

  1. Create a password and hash it using securityUtility.

    A ConfigMap can be used to store the credentials that you use to access your queue manager. Alternatively you can use a Secret, which protects credentials in the Kubernetes layer. However, monitoring or troubleshooting tools might expose the underlying file insecurely.

    For improved security with either option, hash these credentials by using the securityUtility encode command with the --encoding=hash option.

  2. Log into your cluster from the command line.

    Alternatively, if you are using Red Hat OpenShift, you can use the Red Hat OpenShift console.

  3. Create a ConfigMap with your configuration.

    For help with creating the XML configuration, see IBM MQ Console and REST API security.

    The following example creates a user within the group MQWebAdminGroup. Members of the MQWebAdminGroup are assigned the MQWebAdmin role. In this example:
    • You must replace the USERNAME and PASSWORD with your own values. Note that USERNAME is used twice in the example.
    • You must specify the NAMESPACE as the one in which your IBM MQ Operator is deployed and where your queue manager will be, or already is, deployed.

    1. Use the command line, or the Red Hat OpenShift console for deployments on the Red Hat OpenShift Container Platform, to create the following ConfigMap:
      kind: ConfigMap
      apiVersion: v1
      metadata:
        name: mqwebuserconfigmap
        namespace: NAMESPACE
      data:
        mqwebuser.xml: |
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
            <featureManager>
              <feature>appSecurity-2.0</feature>
              <feature>basicAuthenticationMQ-1.0</feature>
            </featureManager>
            <enterpriseApplication id="com.ibm.mq.console">
              <application-bnd>
                <security-role name="MQWebAdmin">
                  <group name="MQWebAdminGroup" realm="defaultRealm"/>
                </security-role>
              </application-bnd>
            </enterpriseApplication>
            <basicRegistry id="basic" realm="defaultRealm">
              <user name="USERNAME" password="PASSWORD"/>
              <group name="MQWebAdminGroup">
                <member name="USERNAME"/>
              </group>
            </basicRegistry>
          </server>

    2. Optional: If using the command line, apply the ConfigMap:
      • For deployments on the Red Hat OpenShift Container Platform:
        oc apply -f mqwebuserconfigmap.yaml
        
      • For deployments on Amazon EKS:
        kubectl apply -f mqwebuserconfigmap.yaml
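
    As an added example (not from the IBM documentation), the shell functions below render the ConfigMap from step 3 with your username and the value produced by securityUtility encode --encoding=hash substituted in, escaping the username for XML and refusing a password that has not been hashed. The check that hashed output begins with {hash} assumes the Liberty securityUtility output format; the function and variable names are this example's own.

```shell
# Added example, not IBM's code: render the mqwebuserconfigmap ConfigMap from step 3
# with a username and a password hash from "securityUtility encode --encoding=hash",
# so the plaintext password never lands in the YAML file.

# Escape the characters that are special inside an XML attribute value.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# securityUtility's hashed output starts with {hash}; reject plaintext or {xor} values.
is_hashed() {
    case "$1" in '{hash}'*) return 0 ;; *) return 1 ;; esac
}

# Usage: render_mqweb_configmap NAMESPACE USERNAME HASHED_PASSWORD
render_mqweb_configmap() {
    ns=$1; user=$(xml_escape "$2"); pw=$(xml_escape "$3")
    is_hashed "$pw" || { echo 'password is not a {hash} value; hash it with securityUtility first' >&2; return 1; }
    cat <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: mqwebuserconfigmap
  namespace: $ns
data:
  mqwebuser.xml: |
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
      <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>basicAuthenticationMQ-1.0</feature>
      </featureManager>
      <enterpriseApplication id="com.ibm.mq.console">
        <application-bnd>
          <security-role name="MQWebAdmin">
            <group name="MQWebAdminGroup" realm="defaultRealm"/>
          </security-role>
        </application-bnd>
      </enterpriseApplication>
      <basicRegistry id="basic" realm="defaultRealm">
        <user name="$user" password="$pw"/>
        <group name="MQWebAdminGroup">
          <member name="$user"/>
        </group>
      </basicRegistry>
    </server>
EOF
}
```

    Redirect the output to mqwebuserconfigmap.yaml and apply it with oc apply or kubectl apply as shown above.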
    For the remaining steps, choose one of the following options:
    • Deploy a new queue manager with the configuration to access the IBM MQ Console.

    • Apply configuration that gives the IBM MQ Console access to an existing queue manager.

  4. Optional: Deploy a new queue manager with the configuration to access the IBM MQ Console.
    1. Create your queue manager.
      Set the authentication and authorization providers to manual and supply the newly created ConfigMap mqwebuserconfigmap through one of the following options:
      • Option 1: Through the queue manager YAML
        For deployments on Red Hat OpenShift, add the following code under the web section of the queue manager YAML:
        ...
        web:
            enabled: true
            console:
              authentication:
                provider: manual
              authorization:
                provider: manual
            manualConfig:
              configMap:
                name: mqwebuserconfigmap
        For deployments on Amazon EKS, add the following code under the web section of the queue manager YAML:
        ...
        web:
          enabled: true
          console:
            authentication:
              provider: manual
            authorization:
              provider: manual
          manualConfig:
            configMap:
              name: mqwebuserconfigmap
          route:
            enabled: false
        spec.web.route.enabled is set to false because it is a Red Hat OpenShift specific feature that is enabled by default. This feature must be disabled explicitly on Amazon EKS.
      • Option 2: Through the OpenShift console Form view:
        1. On the OpenShift console, select Operators > Installed Operators.
        2. Select your deployment of the IBM MQ Operator.
        3. Select Queue Manager and click Create QueueManager.
        4. Select the relevant options for your queue manager.
        5. Select Web and set Enable web server to true.
        6. Open the Advanced configuration list box.
        7. Under the Console list box, set the provider for both Authentication and Authorization to manual.
        8. Open the Configuration list box.
        9. Open the ConfigMap list box and select the ConfigMap mqwebuserconfigmap that was created in step 3.
        10. Click Create.

      You can now access the IBM MQ Console of your new queue manager through the credentials specified in the ConfigMap created in step 3.

  5. Optional: Apply configuration that enables the IBM MQ Console for an existing queue manager.

    There are two options for applying the configuration:

    • Option 1: by using the CLI

      OCP: oc edit qmgr <QUEUEMANAGER_NAME>

      EKS: kubectl edit qmgr <QUEUEMANAGER_NAME>

    • Option 2: OCP users, by using the OCP console

      1. On the Red Hat OpenShift console, select Operators > Installed Operators.
      2. Select your deployment of the IBM MQ Operator.
      3. Select Queue Manager and select the name of your queue manager.
      4. Select YAML.
      5. Edit the YAML and click Save.
    • For both options, replace the existing web section of the queue manager YAML with the following code:
      For deployments on Red Hat OpenShift:
      ...
      web:
          enabled: true
          console:
            authentication:
              provider: manual
            authorization:
              provider: manual
          manualConfig:
            configMap:
              name: mqwebuserconfigmap
      For deployments on Amazon EKS:
      ...
      web:
        enabled: true
        console:
          authentication:
            provider: manual
          authorization:
            provider: manual
        manualConfig:
          configMap:
            name: mqwebuserconfigmap
        route:
          enabled: false
      spec.web.route.enabled is set to false because it is a Red Hat OpenShift specific feature that is enabled by default. This feature must be disabled explicitly on Amazon EKS.
  6. Amazon EKS deployments only: Configure an Ingress to connect to the IBM MQ Console.

Results

You can now access the IBM MQ Console of your queue manager through the credentials specified in the ConfigMap that you created in step 3.