Configuring credential mapping with an XML file by using the command line

Use the command line to configure the appliance to authorize users by using access policies that are defined in an XML file.

About this task

You can use commands to configure role-based management so that the appliance uses access policies that are defined in an XML file. You must have already created the XML file (see Credential mapping with an XML file).

You can specify that an LDAP directory is searched for the groups that the authenticated user belongs to; the returned groups are then mapped onto access policies in the XML file. The LDAP query must search for groups that the user belongs to. Do not configure a search that looks for the users in a particular group: if the search returns users, you will be attempting to map groups onto users rather than users onto groups, and the returned user names will not match the group names in the XML file.
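The following added example (not IBM MQ Appliance code) shows the mapping direction this paragraph describes: look up the groups an authenticated user is a member of, then use those group DNs as the input credentials that are matched against the policy table. It uses a constructed in-memory stand-in for the LDAP directory and a constructed policy map with placeholder policy names; the real appliance reads its mapping from the XML file named by mc-info-url, whose format is not shown here. It also shows why a search in the wrong direction (users in a group) yields credentials that match nothing.

```python
"""Added example: user -> groups -> access policies, versus the wrong direction.
The directory and policy map below are constructed sample data, not appliance
data, and the policy strings are placeholders rather than appliance syntax."""

# Constructed stand-in for an LDAP directory: DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=mq-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com"]},
    "cn=mq-readers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=bob,ou=people,dc=example,dc=com"]},
}

# Constructed mapping of input credentials (group DNs) to access policies.
# The appliance takes this mapping from the XML file; these are placeholders.
POLICY_MAP = {
    "cn=mq-admins,ou=groups,dc=example,dc=com": ["full-access"],
    "cn=mq-readers,ou=groups,dc=example,dc=com": ["read-only"],
}


def groups_for_user(directory, user_dn):
    """Correct direction: find the groups whose 'member' attribute contains the
    user's DN (the in-memory equivalent of the filter (member=<user_dn>)) and
    return the group DNs. These DNs are the input credentials for the mapping."""
    return sorted(dn for dn, attrs in directory.items()
                  if user_dn in attrs.get("member", []))


def users_in_group(directory, group_dn):
    """Wrong direction for credential mapping: a search for the users in a
    group returns user DNs, which are not the group names the mapping expects."""
    return list(directory.get(group_dn, {}).get("member", []))


def map_credentials(credentials, policy_map):
    """Map each input credential onto the access policies defined for it.
    A credential with no entry in the policy map contributes no policy."""
    policies = []
    for cred in credentials:
        policies.extend(policy_map.get(cred, []))
    return policies


def authorize(directory, policy_map, user_dn, ldap_search=True):
    """Mirror the two configurations described on the page: with the LDAP
    search on, the user's group DNs are the credentials; with it off, the
    user's own distinguished name is the only credential."""
    creds = groups_for_user(directory, user_dn) if ldap_search else [user_dn]
    return map_credentials(creds, policy_map)


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    readers = "cn=mq-readers,ou=groups,dc=example,dc=com"
    print("alice, group search:", authorize(DIRECTORY, POLICY_MAP, alice))
    print("alice, no LDAP search:",
          authorize(DIRECTORY, POLICY_MAP, alice, ldap_search=False))
    # Searching for the users in a group produces user DNs; none of them is a
    # key in the policy map, so the user ends up with no access policy at all.
    print("wrong direction:",
          map_credentials(users_in_group(DIRECTORY, readers), POLICY_MAP))
```

With the LDAP search off, only a policy map that lists user DNs directly would grant anything, which is the case the page describes where the user's distinguished name is the input credential.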

Procedure

  1. Connect to the IBM MQ Appliance as described in Command line access. Log in as an administrative user.
  2. Type config to enter global configuration mode.
  3. Type the following command to configure role based management:
    rbm
  4. Enter the following command to specify the XML file authorization method:
    mc-method xmlfile
  5. Specify the URL of the XML file that you want to use.
    mc-info-url URL
  6. If you have defined a user authentication method of LDAP, you can look up an attribute (usually the distinguished name) of each group the user belongs to. These attributes are then used as the input credential to the XML file. Otherwise, the distinguished name of the user is used as the input credential. If you want to perform an LDAP search, you must then supply the details for connecting to the LDAP server:
    1. Specify that you want to perform an LDAP search:
      mc-ldap-search on
    2. Specify the server and password for connecting to the LDAP server:
      mc-server-host host
      mc-server-port port
      Where host is the IP address or domain name of the LDAP server and port is usually 389, or 636 for an SSL connection.
    3. If you have configured a load balancer group for LDAP access and created a profile, specify the profile by using the following command:
      mc-loadbalancer-group name
      Where name is the name of the load balancer group profile.
    4. Specify the Distinguished Name and password that the appliance uses to bind to the LDAP server to perform the search by using the following commands. (Omit these commands if you are using an anonymous bind to access the LDAP server.)
      mc-ldap-bind-dn dn
      mc-ldap-bind-password password
      Where dn is the Distinguished Name and password is the password.
    5. Specify the LDAP search parameters by entering the following command:
      mc-ldap-parameters parameters_name
      Where parameters_name is the name of a set of LDAP search parameters that you have previously defined using the ldap-search-parameters command. Your search must look for the user group or groups that the authenticated user belongs to, and return one or more user group names.
    6. Specify a timeout for the LDAP search. This is the time for which the appliance attempts to connect to the LDAP server before closing the connection. The default is 60 seconds. Specify 0 to never time out.
      mc-ldap-readtimeout timeout
      Where timeout specifies the duration of the timeout period.
    7. If you want to use an SSL (TLS) connection to the LDAP server, specify an SSL client profile to use by entering the following commands:
      ssl-client-type client
      ssl-client client_profile
      Where client_profile is the name of a client profile that you have previously created.

Example

The following example configures the appliance to use the authorization details defined in the file store:///RBMInfo.xml.

mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration

mqa(config rbm)# mc-method xmlfile
mqa(config rbm)# mc-info-url store:///RBMInfo.xml
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.

The following commands configure the appliance to use the authorization details defined in the file store:///RBMInfo.xml, performing an LDAP search to retrieve user group names from an LDAP repository:

mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration

mqa(config rbm)# mc-method xmlfile
mqa(config rbm)# mc-info-url store:///RBMInfo.xml
mqa(config rbm)# mc-ldap-search on
mqa(config rbm)# mc-server-host LDAP_serv1
mqa(config rbm)# mc-server-port 389
mqa(config rbm)# mc-ldap-bind-dn "cn=proxyuser"
mqa(config rbm)# mc-ldap-bind-password p@Ssw0rd
mqa(config rbm)# mc-ldap-parameters ldap1-MC
mqa(config rbm)# mc-ldap-readtimeout 120
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.

What to do next

After you specify the credential mapping method, you can next configure the password policy for your local users (password policy does not apply to other user types).