Configuring a SAF registry for the IBM MQ Console and REST API
The System Authorization Facility (SAF) interface allows the mqweb server to call the external security manager for authentication and authorization checking. A user can then log in to the IBM® MQ Console and REST API with a z/OS® user ID and password.
Before you begin
- When you configure a SAF registry, you must assign users a role. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted. You need to understand these roles before you configure the registry. For more information about each of the roles, see Roles on the IBM MQ Console and REST API.
- You need the WebSphere® Liberty Angel process running to use the authorized interface to SAF. See Enabling z/OS authorized services on Liberty for z/OS for more information.
- To complete this task, you must have write access to the mqwebuser.xml file, and authority to define security manager profiles.
This update fixes an issue where an ICH408I error can occur when the MQ Console on z/OS is upgraded to a level that ships WebSphere Liberty Profile 22.0.0.12 or later: that is, from IBM MQ 9.1.0 Fix Pack 15. Having more than one safAuthorization statement is not supported and might cause an ICH408I error when users who are in neither the MQWebAdmin nor the MQWebAdminRO role, in the EJBROLE class, try to access a z/OS queue manager through the MQ Console.
The default for racRouteLog, which specifies the types of access attempts to log, is NONE. If you require an additional report or record for security auditing, see SAF Authorization (safAuthorization) for more information.
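As an added illustration, not the IBM sample file, this is the shape of the SAF-related elements in mqwebuser.xml that this task produces; the element names are the standard Liberty safRegistry, safAuthorization and safCredentials elements, while the MQWEB profile prefix and the ASIS logging value are assumed values chosen for the example:

```xml
<server>
  <!-- Added example, not the page's or IBM's own configuration. -->

  <!-- Use the SAF registry for authentication: users log in to the MQ Console
       and REST API with a z/OS user ID and password. -->
  <safRegistry id="saf" />

  <!-- Exactly ONE safAuthorization element. A second one is unsupported and can
       produce ICH408I failures for users outside the MQWebAdmin/MQWebAdminRO roles.
       racRouteLog defaults to NONE, which records nothing; ASIS (assumed value from
       the Liberty safAuthorization element) logs access attempts according to the
       auditing options set on the EJBROLE profile, which gives auditors a record. -->
  <safAuthorization id="saf" racRouteLog="ASIS" />

  <!-- profilePrefix is an assumed value: the external security manager looks up the
       EJBROLE profiles for the roles under this prefix, so the profiles you define
       must use the same prefix. -->
  <safCredentials profilePrefix="MQWEB" />
</server>
```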
About this task
The SAF interface allows the mqweb server to call the external security manager for authentication and authorization checking for both the IBM MQ Console and REST API.
Procedure
Results
You have set up SAF authentication for the IBM MQ Console and REST API.
What to do next
- IBM MQ Console authentication options
  - Let users authenticate by using token authentication. In this case, a user enters a user ID and password at the IBM MQ Console login screen. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. No further configuration is required to use this authentication option, but you can optionally configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token expiry interval.
  - Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the IBM MQ Console, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.
- REST API authentication options
  - Let users authenticate by using HTTP basic authentication. In this case, a user name and password are encoded, but not encrypted, and sent with each REST API request to authenticate and authorize the user for that request. For this authentication to be secure, you must use a secure connection, that is, HTTPS. For more information, see Using HTTP basic authentication with the REST API.
  - Let users authenticate by using token authentication. In this case, a user provides a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. For more information, see Using token-based authentication with the REST API. You can configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token.
  - Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the REST API, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.