You can map client certificates to principals to authenticate IBM® MQ Console and REST API users.
Before you begin
- Configure users, groups, and roles to be authorized to use the IBM MQ Console and REST API. For more information, see Configuring users and roles.
- When you use the REST API, you can query the
credentials of the current user by using the HTTP GET method on the
login
resource,
providing the client certificate to authenticate the request. This request returns information about
the user name, and the roles that the user is assigned. For more information, see GET /login
.
- When you map client certificates to principals to authenticate users, the distinguished name of
the client certificate is used to match against users in the configured user registry:
- For a basic registry, the Common Name (CN) is matched against the user. For example,
CN=Fred, O=IBM, C=GB
is matched against a user name of Fred
.
- For an LDAP registry, by default the full distinguished name is matched against LDAP. You can
set up filters and mapping to customize the matching. For more information,
see Liberty:LDAP certificate map mode in the WebSphere® Liberty documentation.
About this task
When a user authenticates by using a client certificate, the certificate is used in place of a
user name and password. For the REST API, the client
certificate is provided with each REST request to authenticate the user. For the IBM MQ Console, when a user logs in with a certificate, the user
cannot then be logged out.
The procedure assumes the following information:
- That your
mqwebuser.xml
file is based on one of the following samples:
basic_registry.xml
local_os_registry.xml
ldap_registry.xml
- That you are using a UNIX, Linux®, or Windows
system.
- You are a privileged
user.
To configure client certificate authentication with a RACF®
key ring on z/OS®, follow the procedure in
Configuring TLS for the REST API and IBM MQ Console on z/OS.
Note: The following procedure outlines the steps necessary to use client certificates with the
IBM MQ Console and REST API. For developer convenience, the steps detail how to
create and use self-signed certificates. However, for production, use certificates that are obtained
from a certificate authority.
Procedure
-
Start the mqweb server by entering the strmqweb command on the command
line.
-
Create a client certificate:
-
Create a PKCS#12 keystore:
- Open the IBM Key Management tool by entering the strmqikm command on the
command line.
- From the Key Database File menu in the IBM Key Management tool, click
New.
- Select PKCS12 from the Key database type
list.
- Select a location to save the keystore, and enter an appropriate name in the File
Name field. For example,
user.p12
- Set a password when prompted.
-
Create the certificate, either by creating a self-signed certificate, or by obtaining a
certificate from a certificate authority:
- Create a self-signed certificate:
- Click New Self-Signed.
- Enter
user
in the Key Label field.
- If you are using a basic user registry, enter the name of a user from your user registry in the
Common Name field. For example,
mqadmin
. For an LDAP user
registry, make sure that the distinguished name for the certificate matches the distinguished name
in the LDAP registry.
- Click OK.
- Obtain a certificate from a certificate authority. The CA certificate must include the
appropriate user name within the common name (CN) of the distinguished name (DN) field:
- Request a new certificate. From the Create menu, click New
Certificate Request.
- In the Key Label field, enter the certificate label.
-
If you are using a basic user registry, in the Common Name field, enter
the user name of the user that the certificate is for.
If you are using a local OS registry, the Common Name field must match the
local OS user id.
For an LDAP user registry, make sure that the distinguished name for the certificate matches the
distinguished name in the LDAP registry.
- Type or select values for the remaining fields, as applicable.
- Choose where to save the certificate request, and the filename for the certificate request, then
click OK.
- Send the certificate request file to a certificate authority (CA).
- When you have the certificate from the CA, open the IBM Key Management tool by entering the
strmqikm command on the command line.
- From the Key Database File menu in the IBM Key Management tool, click
Open.
- Select the PKCS#12 keystore that holds the client certificate. For example,
user.p12
- Click Receive, select the appropriate certificate, and click
OK.
-
Extract the public part of the client certificate:
-
Open the IBM Key Management tool by entering the strmqikm command on the
command line.
-
From the Key Database File menu in the IBM Key Management tool, click
Open.
-
Select the PKCS#12 keystore that holds the client certificate. For example,
user.p12
-
Select the client certificate from the certificate list in the IBM Key Management tool.
-
Click Extract Certificate.
-
Select a location to save the certificate, and enter an appropriate file name in the
Certificate file name field. For example,
user.arm
.
-
Import the public part of the client certificate into the mqweb server trust keystore as a
signer certificate so that the server can validate the client certificate:
-
Create a
trust.jks
keystore for use by the mqweb server, if one does not
already exist:
- From the Key Database File menu in the IBM Key Management tool, click
New.
- Select JKS from the Key database type list.
- Click Browse and navigate to:
MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb/resources/security.
This
directory should already contain a key.jks
file. If a trust.jks
file already exists then open the existing one rather than overwriting it.
- Enter trust.jks in the File Name field.
- Set a password when prompted.
-
From the drop-down menu, select Signer Certificates.
-
Click Add.
-
Select the appropriate arm file, and click OK. For example, select
user.arm
.
-
Enter a label for the certificate.
-
Change the password of the mqweb server keystore:
-
From the Key Database File menu, click
Open.
-
Select JKS from the Key database type list.
-
Click Browse and navigate to
MQ_DATA_PATH/web/installations/installationName/servers/mqweb/resources/security
-
Select the
key.jks
keystore, and click Open.
-
Enter the password when prompted. The default password is
password
.
-
From the Key Database File menu, click Change
Password.
-
Enter a new password for the keystore.
-
Enable client certificate authentication in the mqwebuser.xml file:
The mqwebuser.xml file can be found on the following path:
MQ_DATA_PATH/web/installations/installationName/servers/mqweb
-
Uncomment the section in the mqwebuser.xml file that enables client
certificate authentication. The section contains the following text:
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
<keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
<ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
<sslDefault sslRef="thisSSLConfig"/>
-
Check that the serverKeyAlias value matches the name of the server
certificate. If you are using the default server certificate, the value is correct.
-
Change the value for password for the
defaultKeyStore
to an encoded version of the password for the key.jks
keystore:
- From the
MQ_INSTALLATION_PATH
/web/bin directory, enter the following command on the command
line:securityUtility encode password
- Place the output of this command in the password field for the
defaultKeyStore
.
-
Change the value for password for the
defaultTrustStore
to match the password for the trust.jks
keystore:
- From the
MQ_INSTALLATION_PATH
/web/bin directory, enter the following command on the command
line:securityUtility encode password
- Place the output of this command in the password field for the
defaultTrustStore
.
-
Remove, or comment out, the following line from the mqwebuser.xml
file:
<sslDefault sslRef="mqDefaultSSLConfig"/>
-
Stop the mqweb server by entering the endmqweb command on the command
line.
-
Start the mqweb server by entering the strmqweb command on the command
line.
-
Use the client certificate to authenticate:
Example
Important: In the example, not all cURL implementations support self signed
certificates, so you must use a cURL implementation that does.
The following cURL example shows how to create a new queue Q1
, on queue manager
QM1
, with client certificate authentication. The exact configuration of this cURL
command depends on the libraries that cURL was built against. The example is based on a Windows system, with cURL built against OpenSSL.