mqsiwebuseradmin command - Windows, Linux, and UNIX systems

Use the mqsiwebuseradmin command to administer user accounts for the web user interface on Linux®, UNIX, or Windows systems.

Syntax

integrationNodeSpec

Parameters

integrationNodeSpec

(Required) You must specify at least one parameter to identify the target integration node for this command, in one of the following forms:

integrationNodeName

This parameter identifies the name of a specified integration node. To connect to a remote integration node, you must also specify -i and -p.

-n integrationNodeFileName

This parameter identifies the name of a .broker file that contains the connection details for a local or remote integration node. Include the location (path) and file name when you specify this parameter. You must ensure that the location is accessible when you run this command.

Use this option if multiple users want to connect to the same integration node, or if you are using advanced connection parameters such as SSL. To learn more about creating and using a .broker file, see Connecting to an integration node by creating a .broker file.

If you want to run a command that uses SSL to administer a remote integration node over a secured channel, you must specify the keystore and truststore password for the connection that is using the IBM_JAVA_OPTIONS environment variable. For more information, see Resolving problems when running commands.

-i ipAddress, -p port

These parameters identify the connection details for the integration node.

Use this option for connections to remote integration nodes that do not require advanced connection parameters.

If you are connecting to a remote integration node, you can additionally prefix integrationNodeName to explicitly set which integration node to connect to. You cannot use -n integrationNodeFileName in the same command.

Parameters that you omit assume default values:

-i ipAddress: The host name or IP address of the computer on which the integration node is running. If you do not specify this parameter, a value that represents the local computer is used.
If you want to connect to a secured integration server as a specific user, provide the security credentials as a URI in the following format: tcp://user:password@hostname. If your password contains URI Reserved characters, you must convert these characters to the percent-encoded format. For more information, see A correct URL and password returns error BIP1939 when you attempt to connect to a remote host name in Resolving problems when running commands.
-p port: The port on which the web user interface HTTP connection listener is listening. If you do not specify this parameter, the value 4414 is used.

-l

(Optional) Lists the web users that are defined within the integration node, and the roles with which they are associated. If -u (user) or -r (role) is supplied, the list is filtered by that user or role.

-c

(Optional) Creates a web user account, which can log on to the web user interface and make REST API calls. If you use this parameter, you must also specify the -u and -a parameters. If you do not specify the -r parameter when you create a web user account, a default role is created with the same name as the web user account. In this case, the web user account that you create must have the same name as the system user account that has been specified on the system.

-m

(Optional) Modifies a web user account. If you use this parameter, you must use the -u parameter to specify the user account, and you must also specify a value for at least one of the -a, -r, and -x parameters, dependent upon which parameter you are modifying.

-d

(Optional) Deletes a web user account. If you use this option, you must also use the -u parameter to specify the user account.

-u username

(Optional) Specifies the name of a web user account. This parameter is required if you specify the -c, -d, or -m parameters.

You can specify a value of '*' to apply the command to all user IDs that are in the LDAP directory but not defined as web users on the integration node.

-a password

(Optional) Specifies a web user account password. If the integration node is configured to use LDAP for authentication, and you don't specify a password when you create a web user account, the integration node uses LDAP to authenticate the user name that is supplied by the -u parameter.

-x

(Optional) Indicates that the user account does not have a password. If you use this parameter with the -c parameter to specify that you are creating the account, the account is created without a password. If you use this parameter with the -m parameter to specify that you are modifying an existing account, any existing local password is removed.

-r role

(Optional) Specifies a role to be associated with the web user account. If you are using queue-based authorization, the role is the system user account whose administration security permissions are checked. Each web user account is associated with a single role, and multiple web user accounts can be assigned to the same role.

Assuming that you have not specified a value of '*' for the -u parameter, if you do not specify the -r parameter when you create a web user account (by specifying the -c parameter), a default role is created with the same name as the web user account. If you are using queue-based authorization, the web user account that you create must have the same name as the system user account that has been specified on the system.

If you have specified a value of '*' for the -u parameter, and you also specify the -r parameter, all LDAP users that are not already defined as web users on the integration node will be mapped to the same role, namely the role specified in the -r parameter.

If you have specified a value of '*'' for the -u parameter, and a value of '*' for the -r parameter, then, following LDAP authentication, when doing queue-based authorization, you are responsible for ensuring that the relevant user accounts are defined and have the relevant authorizations defined.

For more information about roles, see Role-based security.

-v traceFileName

(Optional) This parameter sends internal debug trace information to the specified file.

-w timeoutSecs

(Optional) This parameter specifies the maximum time in seconds that the command waits for the integration node to complete the request before returning.

You can set this parameter to a value in the range 1 - 2 145 336 164. If you do not provide a timeoutValue value, or you set a value less than 1 or greater than 2 145 336 164 is specified, an error is returned.

Set this parameter to a value greater than the sum of the configuration timeout parameters ConfigurationChangeTimeout and InternalConfigurationTimeout that you specified for the integration node, if you want to ensure that a response is received within the timeoutValue period. If you set a smaller value, the response returned might indicate that the state of the deploy request is unknown.

Deprecation of the -q parameter

In previous versions of IBM® Integration Bus, you might have used the -q parameter for this command to define a connection to a queue manager. A queue manager connection is no longer used to connect to an integration node. The -q parameter is now deprecated, and is ignored if used. If you use the -q parameter, a BIP1922 warning is displayed.

Examples

Create a web user account and password and specify the associated role (system user account):

mqsiwebuseradmin IBNODE -c -u webuser1 -r admin -a passw0rd

In the preceding example, the value admin corresponds to a system account.

Change the password for webuser1:

mqsiwebuseradmin IBNODE -m -u webuser1 -a n3wpass

Create a web user account for each user ID that is in the LDAP directory but not defined as a web user on the integration node:

mqsiwebuseradmin IBNODE -c -u '*' -x -r iibuser

Delete the web user account for webuser1:

mqsiwebuseradmin IBNODE -d -u webuser1