Configuring a basic registry for the IBM MQ Console and REST API
You can configure a basic registry within the mqwebuser.xml
file. The
user names, passwords, and roles in the xml file are used to authenticate and authorize users of the
IBM® MQ Console and the REST API.
Before you begin
- When you configure users within the basic registry, you must assign each user a role. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted. You need to understand these roles before you configure the basic registry. For more information about each of the roles, see Roles on the IBM MQ Console and REST API.
- To complete this task, you must be a user with sufficient privileges to edit the
mqwebuser.xml file:
- On z/OS®, you must have write access to the mqwebuser.xml file.
- On all other operating systems, you must be a privileged user.
Procedure
Example
In the following example, the group
MQWebAdminGroup
is granted access to the
IBM MQ Console with the role MQWebAdmin
.
The user, reader
, is granted access with the role MQWebAdminRO
,
and the user guest
is granted access with the role
MQWebUser
:<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebAdminGroup" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebAdminRO">
<user name="reader" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="guest" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
In the following example, the users
reader
and guest
are
granted access to the IBM MQ Console. The user
user
is granted access to the REST API, and any users within the MQAdmin
group are granted access to the IBM MQ Console and the REST API. The mftadmin
user is granted access
to the REST API for MFT
:<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQAdmin" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebAdminRO">
<user name="reader" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="guest" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
<enterpriseApplication id="com.ibm.mq.rest">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQAdmin" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="user" realm="defaultRealm"/>
</security-role>
<security-role name="MFTWebAdmin">
<user name="mftadmin" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
What to do next
Choose how users authenticate:
- IBM MQ Console authentication options
-
- Let users authenticate by using token authentication. In this case, a user enters a user ID and password at the IBM MQ Console log in screen. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. No further configuration is required to use this authentication option, but you can optionally configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token expiry interval.
- Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the IBM MQ Console, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.
- REST API authentication options
-
- Let users authenticate by using HTTP basic authentication. In this case, a user name and password is encoded, but not encrypted, and sent with each REST API request to authenticate and authorize the user for that request. In order for this authentication to be secure, you must use a secure connection. That is, you must use HTTPS. For more information, see Using HTTP basic authentication with the REST API.
- Let users authenticate by using token authentication. In this case, a user provides a user ID
and password to the REST API
login
resource with the HTTP POST method. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. For more information, see Using token-based authentication with the REST API. You can configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token. - Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the REST API, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.