You can map the user name specified by a TLS certificate to another name that can be used by IBM® MQ.
You might have an existing naming convention for your TLS user certificates that does not contain a DN attribute that can be used as a valid IBM MQ user name. If this is the case, you can map the distinguished name (DN), or an attribute of it (such as the CN), onto an alternative value that can be used as the authenticated principal. If you require a user authenticated with a TLS certificate to have the MQWebUser role (see Configuring user access to the IBM MQ Console, REST API, and the CLI), then you must map the user name onto a name that meets the IBM MQ user name requirements and can be used as the authenticated principal. (You do not need to map the user name if the user has the MQWebAdmin or MQWebAdminRO role.)

You can define such mappings by using the Web UI, the command line interface, or the REST API.
The mapping rules are Perl-compatible regular expressions (PCRE), so a single rule can be defined that matches multiple certificates, which avoids the need to define a separate rule for each certificate. For example, if you use certificates with the common names com.example.users.jdoe and com.example.users.jbloggs, then a single mapping rule can be defined to strip off the com.example.users prefix. Capture groups can be used in the From regular expression and then referred to in the To field when building the mapped value. In the following example, the value $1 in the To field is substituted with the first capture group in the From field, which is identified by the parentheses. If multiple capture groups are specified, their values are associated with $1, $2, $3, and so on, up to a maximum of $9.

mqa(config rbm)# au-user-map com\.example\.users\.(.*) $1

When you use mapping rules in this way, the mapped target values for the authenticated principal are the values used in the RBM XML credential mapping file.
Note: If the distinguished name (or an attribute of the distinguished name) contains whitespace, such as CN=MQ Administrator, then the whitespace remains in the value that is the input to the mapping rules. The PCRE values cannot contain whitespace, but \s can be used to match a space character. For example, to match an input value of MQ Administrator, the pattern MQ\sAdministrator can be used.
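The following Python script is an added illustration, not code from IBM or from the appliance, of how the From/To rules described above behave: it applies the prefix-stripping rule with a $1 capture-group reference to the two example common names, applies a \s-based rule to the CN=MQ Administrator case from the note, and rejects a From pattern that contains literal whitespace. The rule list, the mqadmin target value, and the assumption that a rule must match the whole input value (the page does not state how the appliance anchors patterns) are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed (From, To) rules in the shape of au-user-map; not taken from any real configuration.
# Rule 1 strips the com.example.users prefix; rule 2 maps the whitespace-containing CN from the note.
RULES: List[Tuple[str, str]] = [
    (r"com\.example\.users\.(.*)", "$1"),
    (r"MQ\sAdministrator", "mqadmin"),          # "mqadmin" is an assumed target value
]


def is_valid_from_pattern(from_pattern: str) -> bool:
    """A From pattern may not contain literal whitespace (use \\s instead) and may not
    define more than nine capture groups, because only $1..$9 can be referenced."""
    if any(ch.isspace() for ch in from_pattern):
        return False
    try:
        return re.compile(from_pattern).groups <= 9
    except re.error:
        return False


def compile_rule(from_pattern: str, to_template: str) -> Tuple["re.Pattern[str]", str]:
    """Validate and compile one mapping rule, raising on the errors a practitioner hits most."""
    if not is_valid_from_pattern(from_pattern):
        raise ValueError(f"invalid From pattern: {from_pattern!r}")
    regex = re.compile(from_pattern)
    # Reject references to capture groups the pattern does not define ($3 with only one group).
    for ref in re.findall(r"\$([1-9])", to_template):
        if int(ref) > regex.groups:
            raise ValueError(f"To field references ${ref} but the From pattern has {regex.groups} group(s)")
    return regex, to_template


def expand(to_template: str, match: "re.Match[str]") -> str:
    """Replace $1..$9 in the To template with the corresponding capture group values."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))) or "", to_template)


def map_principal(value: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """Return the mapped principal for a DN attribute value, or None when no rule matches.
    Assumption: the From pattern must match the whole input value; the first matching rule wins."""
    for from_pattern, to_template in rules:
        regex, template = compile_rule(from_pattern, to_template)
        match = regex.fullmatch(value)
        if match:
            return expand(template, match)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: two CNs from the prefix example and the CN from the whitespace note.
    for cn in ("com.example.users.jdoe", "com.example.users.jbloggs", "MQ Administrator", "CN=unmapped"):
        print(f"{cn!r} -> {map_principal(cn)!r}")
```

Whitespace in the input value survives into the match (the note above), which is why the second rule matches "MQ Administrator" only because the pattern uses \s; a pattern written with a literal space is rejected by is_valid_from_pattern before it is ever compiled.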