Configuring user authentication with OIDC by using the command line

Configure the appliance to authenticate the users by using OIDC.

About this task

You can use the command line interface (CLI) to configure role-based management (RBM) so that the appliance uses OIDC to authenticate users.

Procedure

  1. Connect to the IBM® MQ Appliance as described in Command line access. Log in as an administrative user.
  2. Type config to enter global configuration mode.
  3. Type the following command to configure role based management:
    rbm
  4. Enter the following command to specify OIDC as the authentication method:
    au-method oidc
  5. Specify the details of the OIDC connection by using the following commands:
  6. If required, use the au-user-map command to specify username mapping so that OIDC user names are mapped onto user names in a format that can be used by IBM MQ. See Using an alternative user name (OIDC).
  7. Optionally, specify fallback users who can log in to the appliance if OIDC authentication is not available. Fallback users must already have been added as local users to the appliance. You can specify that all local users are fallback users by entering the following command:
    fallback-login local
    Alternatively, you can specify one or more particular users by entering the following commands:
    fallback-login restricted
    fallback-user localuser1
    fallback-user localuser2
    ...
    fallback-user localuserN
    
  8. Alter the default cache settings, if required. By default, the appliance caches the results of authentication attempts for 600 seconds, but you can change the caching mode and the caching duration by entering the following commands:
    au-cache-mode mode
    au-cache-ttl seconds
    Where mode is one of:
    absolute

    Caches the results of user authentications for a period of time specified by the au-cache-ttl command (the explicit time-to-live). This is the default setting.

    disabled

    Disables caching. The appliance does not cache any results and instead authenticates the user every time access is requested.

    maximum

    Compares the explicit TTL to the TTL contained in the response (if any) and caches authentication results for the maximum of the two values.

    minimum

    Compares the explicit TTL to the TTL contained in the response (if any) and caches authentication results for the minimum of the two values.

  9. Click Apply to apply your changes.
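The caching modes in step 8 decide how long a cached authentication result keeps vouching for a user after the identity provider would have rejected them. The following Python model is an added example, not appliance code: effective_ttl applies the four au-cache-mode rules, and AuthCache plus the constructed revocation scenario show when a revoked user is first re-checked and rejected.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


def effective_ttl(mode: str, explicit_ttl: int, response_ttl: Optional[int]) -> int:
    """Seconds an authentication result is cached under the given au-cache-mode.

    explicit_ttl is the au-cache-ttl value (appliance default 600);
    response_ttl is the TTL carried in the provider's response, or None if absent.
    """
    if mode == "disabled":
        return 0
    if mode == "absolute" or response_ttl is None:
        return explicit_ttl
    if mode == "maximum":
        return max(explicit_ttl, response_ttl)
    if mode == "minimum":
        return min(explicit_ttl, response_ttl)
    raise ValueError(f"unknown au-cache-mode: {mode}")


@dataclass
class AuthCache:
    mode: str = "absolute"
    explicit_ttl: int = 600
    entries: dict = field(default_factory=dict)  # user -> (result, expiry time)
    provider_calls: int = 0  # how often the identity provider was actually asked

    def authenticate(self, user: str, now: float,
                     provider: Callable[[str], Tuple[bool, Optional[int]]]) -> bool:
        entry = self.entries.get(user)
        if entry is not None and now < entry[1]:
            return entry[0]  # served from cache, provider not consulted
        self.provider_calls += 1
        result, response_ttl = provider(user)
        ttl = effective_ttl(self.mode, self.explicit_ttl, response_ttl)
        if ttl > 0:
            self.entries[user] = (result, now + ttl)
        return result


def revocation_delay(mode: str, explicit_ttl: int = 600, response_ttl: Optional[int] = 60) -> int:
    """Constructed scenario: user 'alice' authenticates at t=0, is revoked at the
    provider immediately after, and is probed once per second. Returns the first
    second at which the appliance re-checks with the provider and rejects her."""
    cache = AuthCache(mode=mode, explicit_ttl=explicit_ttl)
    allowed = {"alice"}
    provider = lambda user: (user in allowed, response_ttl)
    if not cache.authenticate("alice", 0, provider):
        raise RuntimeError("initial authentication should succeed")
    allowed.discard("alice")  # revocation at the identity provider
    t = 1
    while cache.authenticate("alice", t, provider):
        t += 1
    return t
```

With the default absolute mode and 600-second TTL a revoked user is still accepted for the remainder of the cache period, which is the trade-off to weigh when choosing minimum, maximum or disabled.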

What to do next

After you specify the user authentication method, you must next configure credential mapping.
Note: After configuring RBM to use OIDC authentication, you must disable the admin state of the web management service and then enable it again so that the OIDC configuration is picked up. Alternatively, you can reboot the appliance if the configuration changes have been saved.