Configuring user authentication with a TLS user certificate by using the Web UI

Configure the appliance to authenticate the users by using a TLS user certificate.

Before you begin

Before you specify this method of user authentication, you must obtain the required certificates and specify validation of the user certificates that you intend to use. You import the user certificates that are going to be allowed to connect. You then create definition objects for the certificates, which are used when you create a validation credential (valcred) object (see certificate and valcred).

If you are using certificates other than the default one for the Web UI and REST API on your appliance, and have configured server profiles for this purpose, then you must also set the options in the server profiles to request and require client authentication, and to validate the client certificate. See Creating a TLS server profile.

About this task

You can use the IBM® MQ Appliance web UI to configure role-based management (RBM) so that the appliance authenticates users with TLS user certificates.

Procedure

  1. Start the IBM MQ Appliance web UI and click the Administration icon.
  2. Select Access > RBM Settings.
  3. Ensure that Administrative state is On (it is selected by default) and click the Authentication tab to view the authentication options.
  4. Select an Authentication method of TLS user certificate.
  5. Select the validation credentials that you have previously specified from the Validation Credentials list.
  6. If required, specify that the common name part of the user's distinguished name is used as the user id for authentication by entering CN in the Certificate username attribute field.
    By default, the authenticated principal for a TLS user certificate is the distinguished name (DN) of the certificate subject in X.509 format, converted to lower case, and with any embedded whitespace removed. For example, the TLS certificate subject C=GB, ST=Hursley, L=Hursley, O=IBM, OU=MQ Appliance, CN=Jo Jo becomes the authenticated principal c=gb,st=hursley,l=hursley,o=ibm,ou=mqappliance,cn=jojo. You can, however, specify that the common name portion of the full name is used, so, in the example, jojo is the user id. The user id is displayed in the title bar of the Web UI.
  7. If required, use the Username mapping fields to map user names as specified in the TLS certificates onto a username in a format that can be used by IBM MQ. See Using an alternative user name (TLS certificate).
  8. To define fallback users, you can choose All users from the Local accounts for fallback list to have all local users able to log in to the appliance if the certificate is unavailable. Alternatively, select Specific users and select one or more local users.
  9. Optionally, change the default cache settings. Cache settings determine how long user details are held on the appliance before authentication is performed again. By default, the appliance retains details for an absolute period of 600 seconds. You can change the cache mode or the cache lifetime, or both. You can also disable caching altogether.
  10. Click Apply to apply your changes.
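The principal derivation described in step 6 (full DN lowercased with whitespace removed, or only the common name when the Certificate username attribute is CN), as an added worked example that is not part of the original page or of the appliance software. It assumes the subject is given as a comma-separated string with no RFC 4514 escaped commas, and reproduces the page's own example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the certificate subject used in the worked example of step 6.
SAMPLE_SUBJECT = "C=GB, ST=Hursley, L=Hursley, O=IBM, OU=MQ Appliance, CN=Jo Jo"


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split an X.509 subject string into (attribute, value) pairs.

    Assumption: components are separated by commas and no value contains an
    escaped comma (RFC 4514 escaping is deliberately not handled here).
    """
    pairs = []
    for component in subject.split(","):
        attr, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed subject component: {component!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def authenticated_principal(subject: str, username_attribute: Optional[str] = None) -> str:
    """Derive the user id the appliance would use for this certificate subject.

    With no username attribute the whole DN becomes the principal: converted to
    lower case with all embedded whitespace removed. With username_attribute="CN"
    only the common name value is used, normalised the same way.
    """
    pairs = parse_subject(subject)
    if username_attribute is None:
        joined = ",".join(f"{attr}={value}" for attr, value in pairs)
    else:
        wanted = username_attribute.upper()
        matches = [value for attr, value in pairs if attr.upper() == wanted]
        if not matches:
            raise ValueError(f"subject has no {username_attribute} attribute")
        joined = matches[0]  # first occurrence wins if the attribute repeats
    return re.sub(r"\s+", "", joined).lower()


if __name__ == "__main__":
    print(authenticated_principal(SAMPLE_SUBJECT))        # c=gb,...,cn=jojo
    print(authenticated_principal(SAMPLE_SUBJECT, "CN"))  # jojo
```

Because the normalisation discards case and whitespace, subjects that differ only in those respects (for example CN=Jo Jo and CN=JoJo) resolve to the same principal, which is why the validation credentials selected in step 5 decide which issuers may vouch for a given subject.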

What to do next

After you specify the user authentication method, you must next configure credential mapping.