[MQ 9.3.2 Feb 2023]

Configuring the user context that is used for authorization in the messaging REST API

You can configure which user context is used for authorization when you use the messaging REST API to send, receive, browse, or publish a message. That is, you can choose whether authorization uses the user that is logged in to the messaging REST API or the user that started the mqweb server.

Before you begin

To complete this task, you must be a user with certain privileges so that you can use the dspmqweb and setmqweb commands:
  • [z/OS] On z/OS®, you must have authority to run the dspmqweb and setmqweb commands, and write access to the mqwebuser.xml file.
  • [UNIX, Linux, Windows, IBM i] On all other operating systems, you must be a privileged user.
  • [Linux] [MQ 9.3.5 Feb 2024] If the mqweb server is part of a stand-alone IBM® MQ Web Server installation, you must have write access to the mqwebuser.xml file in the IBM MQ Web Server data directory.
[z/OS] Attention:

Before you issue either the setmqweb or dspmqweb commands on z/OS, you must set the WLP_USER_DIR environment variable so that the variable points to your mqweb server configuration.

To set the WLP_USER_DIR environment variable, issue the following command:
    export WLP_USER_DIR=WLP_user_directory
where WLP_user_directory is the name of the directory that is passed to crtmqweb. For example:
    export WLP_USER_DIR=/var/mqm/web/installation1

For more information, see Create the mqweb server.

About this task

  • When the user ID that is used is the user ID that is logged in to the messaging REST API, the MQMD.UserIdentifier is set to the user ID that is logged in to the REST API. The MQMD.AppIdentityData is set to the user ID that is logged in to the REST API.
  • When the user ID that is used is the user ID that started the mqweb server, the MQMD.UserIdentifier is left blank. The MQMD.AppIdentityData is set to the user ID that is logged in to the REST API.

See MQMD for more information on the message descriptor parts of the IBM MQ message.

Procedure

  • View the current configuration of the messaging REST API by using the following command:
    dspmqweb properties -a
    The mqRestMessagingAdoptWebUserContext field shows which user ID is used for authorization when you send, publish, receive, or browse messages. If the value is True, the user that is logged in to the messaging REST API is used for authorization. If the value is False, the user that started the mqweb server is used for authorization.
  • Configure the messaging REST API to use the user ID of the user that is logged in to the messaging REST API for authorization by using the following command:
    setmqweb properties -k mqRestMessagingAdoptWebUserContext -v true
    When mqRestMessagingAdoptWebUserContext is set to true, the MQMD.UserIdentifier is set to the user ID that is logged in to the REST API. The MQMD.AppIdentityData is set to the user ID that is logged in to the REST API.
  • Configure the messaging REST API to use the user ID of the user that started the mqweb server by using the following command:
    setmqweb properties -k mqRestMessagingAdoptWebUserContext -v false
    When mqRestMessagingAdoptWebUserContext is set to false, the MQMD.UserIdentifier is left blank. The MQMD.AppIdentityData is set to the user ID that is logged in to the REST API.
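
The following script is an added example, not part of the IBM documentation. It checks the output of dspmqweb properties -a against a required mqRestMessagingAdoptWebUserContext value and reports which user ID authorization is performed under. The function names, the sample input, and the line layout of the sample are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Reads `dspmqweb properties -a` output on stdin.
# Assumption: the property is on one line that contains its name followed by
# true/false in any case; no other detail of the output layout is relied on.

adopt_web_user_context() {
    # Prints "true", "false", or "unknown" (property absent or unparsable).
    awk '
        /mqRestMessagingAdoptWebUserContext/ {
            line = tolower($0)
            sub(/.*mqrestmessagingadoptwebusercontext/, "", line)
            if (match(line, /true|false/)) {
                print substr(line, RSTART, RLENGTH); found = 1; exit
            }
        }
        END { if (!found) print "unknown" }
    '
}

describe_context() {
    case "$1" in
        true)  echo "authorization=logged-in REST user; MQMD.UserIdentifier=logged-in REST user" ;;
        false) echo "authorization=user that started mqweb; MQMD.UserIdentifier=blank" ;;
        *)     echo "authorization=undetermined"; return 2 ;;
    esac
}

audit_mqweb_context() {
    # $1 = required value (true|false); stdin = dspmqweb output.
    # Returns 0 on match, 1 on mismatch, 2 if the property was not found.
    actual=$(adopt_web_user_context)
    describe_context "$actual" || return 2
    [ "$actual" = "$1" ] && return 0
    echo "MISMATCH: expected $1, found $actual; change it with:"
    echo "  setmqweb properties -k mqRestMessagingAdoptWebUserContext -v $1"
    return 1
}

# Constructed sample input (not captured from a real server).
SAMPLE='name="mqRestCorsMaxAgeInSeconds" value="120"
name="mqRestMessagingAdoptWebUserContext" value="False"'

# Real use: dspmqweb properties -a | audit_mqweb_context true
printf '%s\n' "$SAMPLE" | audit_mqweb_context true || true
```

A result of false means that queue and topic authority checks for every messaging REST API caller run under the user ID that started the mqweb server, so review what that user ID is authorized to do.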