Configuring users and roles
To make use of the IBM® MQ Console or the REST API, users need to authenticate against a user registry, defined to the mqweb server.
About this task
Authenticated users need to be a member of one of the groups that authorizes access to the capabilities of the IBM MQ Console and REST API. By default, the user registry does not contain any users; these need to be added by editing the mqwebuser.xml file.
When you configure users and groups, you first configure a user registry to authenticate users and groups against. This user registry is shared between the IBM MQ Console and the REST API. You can control whether users and groups have access to the IBM MQ Console, REST API, or both, when you configure roles for your users and groups.
After you configure the user registry, you configure roles for the users and groups to grant them authorization. There are three roles available, and each role grants a different level of access. For more information, see Roles on the IBM MQ Console and REST API.
A number of sample XML files are provided with the mqweb server to make the configuration of users and groups simpler. This task describes how to use the samples and adjust them for your environment.
Users who are familiar with configuring security in WebSphere® Application Server Liberty (WLP) might prefer not to use the samples. WLP provides other authorization capabilities in addition to the ones documented here.
For information about MFT roles, and an example, see Configuring MFT REST API security.
Procedure
Example
In the following example, the group MQWebAdminGroup is granted access to the IBM MQ Console with the role MQWebAdmin, the user reader is granted access with the role MQWebAdminRO, and the user guest is granted access with the role MQWebUser:
<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebAdminGroup" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebAdminRO">
<user name="reader" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="guest" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
In the following example, the users reader and guest are granted access to the IBM MQ Console. The user user is granted access to the REST API, and any users within the MQAdmin group are granted access to both the IBM MQ Console and the REST API:
<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQAdmin" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebAdminRO">
<user name="reader" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="guest" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
<enterpriseApplication id="com.ibm.mq.rest">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQAdmin" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<user name="user" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
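As an added illustration that is not part of the IBM documentation, the following Python script parses a constructed mqwebuser.xml that contains a basicRegistry plus the two application bindings shown above, works out the effective roles each registry user ends up with on each application (expanding group membership), and flags the misconfigurations that most often make a binding silently ineffective or weak: a binding that names a user or group missing from the registry, a binding whose realm does not match the registry realm, and a registry password stored unencoded. The sample file contents, user names and password values are constructed; basicRegistry and the {xor}/{aes}/{hash} prefixes are Liberty conventions, and xml.etree is used only as a convenient parser.

```python
"""Audit mqwebuser.xml role bindings against the basicRegistry they rely on."""
import xml.etree.ElementTree as ET

# Constructed sample mqwebuser.xml (not a file shipped with the product): a
# basicRegistry plus the console and REST bindings shown on this page.
# "nobody" is bound to a role but deliberately absent from the registry, and
# guest's password is deliberately left unencoded, so the audit has findings.
# The encoded password values are made up.
SAMPLE_MQWEBUSER_XML = """<server>
  <basicRegistry id="basic" realm="defaultRealm">
    <user name="reader" password="{xor}Lz4sLCgwLTs="/>
    <user name="guest" password="guestpw"/>
    <user name="user" password="{xor}KzosKw=="/>
    <user name="alice" password="{hash}ATAAAAAIe1v9c2hGqG=="/>
    <group name="MQAdmin">
      <member name="alice"/>
    </group>
  </basicRegistry>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="MQAdmin" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebAdminRO">
        <user name="reader" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebUser">
        <user name="guest" realm="defaultRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <enterpriseApplication id="com.ibm.mq.rest">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="MQAdmin" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebUser">
        <user name="user" realm="defaultRealm"/>
        <user name="nobody" realm="otherRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
</server>
"""

# Prefixes produced by Liberty's securityUtility encode; anything else is plaintext.
ENCODED_PREFIXES = ("{xor}", "{aes}", "{hash}")


def load_registry(root):
    """Return ({user: password}, {group: set(members)}, set(realm names))."""
    users, groups, realms = {}, {}, set()
    for reg in root.iter("basicRegistry"):
        realms.add(reg.get("realm", "defaultRealm"))
        for u in reg.findall("user"):
            users[u.get("name")] = u.get("password", "")
        for g in reg.findall("group"):
            groups[g.get("name")] = {m.get("name") for m in g.findall("member")}
    return users, groups, realms


def role_bindings(root):
    """Yield (app_id, role, kind, principal, realm) for every user/group binding."""
    for app in root.iter("enterpriseApplication"):
        for role in app.iter("security-role"):
            for kind in ("user", "group"):
                for p in role.findall(kind):
                    yield app.get("id"), role.get("name"), kind, p.get("name"), p.get("realm")


def effective_access(xml_text):
    """Map each registry user to {app_id: set(roles)}, expanding group membership."""
    root = ET.fromstring(xml_text)
    users, groups, _ = load_registry(root)
    access = {name: {} for name in users}
    for app_id, role, kind, principal, _ in role_bindings(root):
        members = [principal] if kind == "user" else groups.get(principal, set())
        for member in members:
            if member in access:  # a principal not in the registry can never log in
                access[member].setdefault(app_id, set()).add(role)
    return access


def audit_findings(xml_text):
    """Return readable findings for bindings or registry entries that are weak or ineffective."""
    root = ET.fromstring(xml_text)
    users, groups, realms = load_registry(root)
    findings = []
    for name, password in users.items():
        if not password.startswith(ENCODED_PREFIXES):
            findings.append(f"user '{name}' has an unencoded password in basicRegistry")
    for app_id, role, kind, principal, realm in role_bindings(root):
        known = users if kind == "user" else groups
        if principal not in known:
            findings.append(f"{app_id}: role {role} bound to {kind} '{principal}' not in registry")
        if realm not in realms:
            findings.append(f"{app_id}: role {role} binding for '{principal}' names realm "
                            f"'{realm}' but the registry realm is {sorted(realms)}")
    return findings


if __name__ == "__main__":
    for user, apps in effective_access(SAMPLE_MQWEBUSER_XML).items():
        print(user, {app: sorted(roles) for app, roles in apps.items()})
    for line in audit_findings(SAMPLE_MQWEBUSER_XML):
        print("FINDING:", line)
```

Run it against a real mqwebuser.xml by reading the file into a string and passing it to the two functions; the effective-access map is the quickest way to confirm that a group binding actually reaches the users you expect, and an empty map entry for a user means that user can authenticate but has no role on either application.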
What to do next
- IBM MQ Console authentication options
  - Let users authenticate by using token authentication. In this case, a user enters a user ID and password at the IBM MQ Console log in screen. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. No further configuration is required to use this authentication option, but you can optionally configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token expiry interval.
  - Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the IBM MQ Console, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.
- REST API authentication options
  - Let users authenticate by using HTTP basic authentication. In this case, a user name and password are encoded, but not encrypted, and sent with each REST API request to authenticate and authorize the user for that request. For this authentication to be secure, you must use a secure connection; that is, you must use HTTPS. For more information, see Using HTTP basic authentication with the REST API.
  - Let users authenticate by using token authentication. In this case, a user provides a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. For more information, see Using token-based authentication with the REST API for IBM MQ 9.0.4 and earlier. You can configure the expiry interval for the LTPA token. For more information, see Configuring the LTPA token expiry interval.
  - Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the REST API, but uses the client certificate instead. For more information, see Using client certificate authentication with the REST API and IBM MQ Console.