Using token-based authentication with the REST API from IBM MQ 9.0.5
Users of the REST API can authenticate by providing a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to authenticate future requests. The user can log out by using the HTTP DELETE method, and can query the login information of the current user with the HTTP GET method.
Before you begin
- Configure users, groups, and roles to be authorized to use the REST API. For more information, see Configuring users and roles.
- Optionally, configure the expiry time for the LTPA token. For more information, see Configuring the user logout timer.
- Ensure that you are using a secure connection when you send REST requests. When you use the HTTP POST method on the login resource, the user name and password combination that is sent with the request is not encrypted. Therefore, you must use a secure connection (HTTPS) when you use token-based authentication with the REST API.
- You can query the credentials of the current user by using the HTTP GET method on the login resource, providing the LTPA token, LtpaToken2, to authenticate the request. This request returns information about the authentication method, the user name, and the roles that the user is assigned. For more information, see GET /login.
Procedure
Example
Q1, on queue manager QM1, with token-based authentication, on Windows systems:
- Log in and add the LTPA token, LtpaToken2, to the local cookie store. The user name and password information are included in the JSON body. The -k flag disables certificate verification and is suitable only for a test system with a self-signed certificate. The -c flag specifies the location of the file to store the token in:
  curl -k https://localhost:9443/ibmmq/rest/v1/login -X POST -H "Content-Type: application/json" --data "{\"username\":\"mqadmin\",\"password\":\"mqadmin\"}" -c c:\cookiejar.txt
- Create a queue. Use the HTTP POST method with the queue resource, authenticating with the LTPA token. The LTPA token, LtpaToken2, is retrieved from the cookiejar.txt file by using the -b flag. CSRF protection is provided by the presence of the ibm-mq-rest-csrf-token HTTP header:
  curl -k https://localhost:9443/ibmmq/rest/v1/admin/qmgr/QM1/queue -X POST -b c:\cookiejar.txt -H "ibm-mq-rest-csrf-token: value" -H "Content-Type: application/json" --data "{\"name\":\"Q1\"}"
- Log out and delete the LTPA token from the local cookie store. Use the HTTP DELETE method with the login resource. The LTPA token, LtpaToken2, is retrieved from the cookiejar.txt file by using the -b flag. CSRF protection is provided by the presence of the ibm-mq-rest-csrf-token HTTP header. The location of the cookiejar.txt file is specified by the -c flag so that the LTPA token is deleted from the file:
  curl -k https://localhost:9443/ibmmq/rest/v1/login -X DELETE -H "ibm-mq-rest-csrf-token: value" -b c:\cookiejar.txt -c c:\cookiejar.txt
What to do next
- As a privileged user, open the mqwebuser.xml file. The mqwebuser.xml file can be found in one of the following directories:
  - On UNIX, Linux®, and Windows: MQ_DATA_DIRECTORY/web/installations/installationName/servers/mqweb
  - On z/OS®: WLP_user_directory/servers/mqweb
    where WLP_user_directory is the directory that was specified when the crtmqweb.sh script ran to create the mqweb server definition.
- Add the following line to the mqwebuser.xml file:
  <webAppSecurity ssoRequiresSSL="true"/>
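A check for the effect of this setting, added here as an example and not taken from IBM's documentation or code: it parses the cookie file that curl writes with the -c flag (Netscape format, seven tab-separated fields, with a #HttpOnly_ prefix on HttpOnly cookies) and reports LtpaToken2 entries stored without the Secure or HttpOnly attribute. It assumes that ssoRequiresSSL="true" causes the mqweb server to issue LtpaToken2 with the Secure attribute; the function names, host names, and cookie values are constructed for illustration.

```python
"""Audit a curl cookie jar for the transport flags of the LtpaToken2 cookie."""

HTTPONLY_PREFIX = "#HttpOnly_"  # curl marks HttpOnly cookies with this line prefix


def audit_ltpa_cookie(jar_text, cookie_name="LtpaToken2"):
    """Return one finding per matching cookie; the token value is never copied."""
    findings = []
    for line in jar_text.splitlines():
        http_only = line.startswith(HTTPONLY_PREFIX)
        if http_only:
            line = line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or ordinary comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie record
        domain, _subdomains, path, secure, expiry, name, _value = fields
        if name != cookie_name:
            continue
        problems = []
        if secure.upper() != "TRUE":
            problems.append("Secure not set: token may be sent over plain HTTP")
        if not http_only:
            problems.append("HttpOnly not set: token is readable by page scripts")
        findings.append({"domain": domain, "path": path,
                         "session": expiry == "0",  # curl writes 0 for session cookies
                         "problems": problems})
    return findings


def _row(domain, secure, name, http_only=True):
    """Build one constructed cookie-jar line for the sample below."""
    fields = [domain, "FALSE", "/", secure, "0", name, "CONSTRUCTED_VALUE"]
    return (HTTPONLY_PREFIX if http_only else "") + "\t".join(fields)


# Constructed sample: one correctly flagged token, one weak token, one unrelated cookie.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    _row("localhost", "TRUE", "LtpaToken2"),
    _row("mqtest.example", "FALSE", "LtpaToken2", http_only=False),
    _row("localhost", "FALSE", "OtherCookie"),
])

if __name__ == "__main__":
    for finding in audit_ltpa_cookie(SAMPLE_JAR):
        status = "; ".join(finding["problems"]) or "OK"
        print(f'{finding["domain"]}{finding["path"]}: {status}')
```

To audit a real jar, pass the contents of the file named with -c, for example the text read from c:\cookiejar.txt after the login step.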