Configuring authorization for an integration server by modifying the server.conf.yaml file

You can configure integration servers to use file-based authorization, or LDAP authorization, by setting the security properties in the server.conf.yaml configuration file.

Before you begin

About this task

You can configure authorization for an independent integration server (which is not associated with an integration node) by setting file-based permissions, or LDAP authorization in the Security section of the integration server's server.conf.yaml configuration file:
# Admin Security
  #  Authentication
  #basicAuth: true                                                    # Clients web user name and password will be authenticated when set true
  #ldapUrl: ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]  # ldap search url
  #ldapBindDn: ldap::adminAuthentication                              # Resource alias
  #ldapBindPassword: ldap::adminAuthentication                        # Resource alias
  #  Authorization
  #adminSecurity: 'inactive'                  # Used to enable Authorization. Clients web user role will be authorized when set active
  #authMode: 'file'                           # Set admin authorization mode to 'file' or 'ldap'
  #ldapAuthorizeUrl: ldap[s]://server[:port]/baseDN[?[attr_name][?[base|sub]][?filter_expr]]  # ldap authorization search url

Security:
  LdapAuthorizeAttributeToRoleMap:
    # When 'authMode' is ldap, set the mapping from a matched LDAP authorization attribute, as
    # configured in 'ldapAuthorizeUrl' to the ACE web user role name
    # e.g. map the following LDAP group DNs to web user roles 'adminRole', 'viewRole'
    #'cn=admins,cn=group,ou=ace': 'adminRole' 
    #'cn=monitors,cn=group,ou=ace': 'viewRole'
  Permissions:
    # Set Admin Security Authorization file permissions by web user role using 'read+:write+:execute+' , or 'all+'
    # '+' grants permission, '-' denies permission
    # e.g. define the following web user roles 'viewRole' and 'adminRole'
    #viewRole:  'read+:write-:execute-'
    #adminRole: 'all+'
  DataPermissions:
    # Set Admin Security Authorization file permissions for Record and Replay web user role using 'read+:write+:execute+' , or 'all+'
    # '+' grants permission, '-' denies permission.  Record and Replay roles also require 'read+' permission to be defined
    # in the Permissions section above.
    # e.g. define the following web user roles 'dataViewer', 'dataReplayer' and 'adminRole'
    #dataViewer:  'read+:write-:execute-'
    #dataReplayer: 'read+:write-:execute+'
    #adminRole: 'all+'

For information about controlling access to an integration node, see Configuring authorization for an integration node by modifying the node.conf.yaml file.

Procedure

Configure the authorization mode for an integration server by completing the following steps:

  1. Open the server.conf.yaml configuration file for your integration server, by using a YAML editor.

    If you do not have access to a YAML editor, you can edit the file by using a plain text editor; however, you must ensure that you do not include any tab characters, because they are not valid in YAML and would cause your configuration to fail. If you are using a plain text editor, ensure that you use a YAML validation tool to validate the content of your file.

  2. If administration security has not already been enabled, enable it now by setting the adminSecurity property in the server.conf.yaml file to active:
    adminSecurity: active
  3. Specify the authorization mode that you require, by setting the authMode property to either file, or ldap.
    For example, to configure the integration server to use file-based authorization, set the following value:
    authMode: file
  4. Assign permissions to the defined roles in the Permissions section, by specifying a combination of read, write, and execute, or all, with + to grant permission, and - to deny permission; for example:
    viewOnly:  'read+:write-:execute-'
    admin:     'all+'
    where the viewOnly role has only read permission, and the admin role has permission for all actions.
  5. Save the modified server.conf.yaml file.
  6. Restart the integration server for the changes to take effect.
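A check that can be run on the edited file before the restart in step 6, as an added example that is not part of the product documentation: it flags tab characters, an adminSecurity value other than active, an authMode other than file or ldap, malformed permission strings, and DataPermissions roles that lack read+ in Permissions. The sample text is constructed, the line-based scan stands in for a YAML parser, and the names parse_permission and check_config, the RestAdminListener placement, and the treatment of omitted actions as denied are assumptions.

```python
import re

# Constructed sample with two deliberate defects; RestAdminListener placement is assumed.
SAMPLE = (
    "RestAdminListener:\n  adminSecurity: 'active'\n  authMode: 'file'\n"
    "Security:\n  Permissions:\n    viewOnly:  'read+:write-:execute-'\n"
    "    admin:\t'all+'\n"  # defect: tab character
    "  DataPermissions:\n    dataReplayer: 'read+:write-:execute+'\n"  # defect: no read+ above
)
ACTIONS = ("read", "write", "execute")
KEY = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")
TOKEN = re.compile(r"^(read|write|execute)([+-])$")

def parse_permission(value):
    """Return {action: granted}, or None if malformed. Assumes omitted actions are denied."""
    if value in ("all+", "all-"):
        return dict.fromkeys(ACTIONS, value == "all+")
    tokens = [TOKEN.match(t) for t in value.split(":")]
    if not all(tokens) or len({m.group(1) for m in tokens}) != len(tokens):
        return None
    granted = {m.group(1): m.group(2) == "+" for m in tokens}
    return {a: granted.get(a, False) for a in ACTIONS}

def check_config(text):
    """Return a list of problems found in server.conf.yaml text."""
    problems, settings, section, depth = [], {}, None, 0
    roles = {"Permissions": {}, "DataPermissions": {}}
    for n, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:
            problems.append(f"line {n}: tab character")
        m = KEY.match(raw.split(" #")[0].rstrip())
        if not m:
            continue  # blank line or comment
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        section = section if indent > depth else None  # dedent closes a role section
        if not value and key in roles:
            section, depth = key, indent
        elif value and section:
            roles[section][key] = perm = parse_permission(value)
            if perm is None:
                problems.append(f"line {n}: bad permission string for {key}")
        elif key in ("adminSecurity", "authMode"):
            settings[key] = value
    for key, allowed in (("adminSecurity", ["active"]), ("authMode", ["file", "ldap"])):
        if settings.get(key) not in allowed:
            problems.append(f"{key} must be {' or '.join(allowed)}")
    for role in roles["DataPermissions"]:
        if not (roles["Permissions"].get(role) or {}).get("read"):
            problems.append(f"{role}: needs 'read+' in Permissions")
    return problems
```

An empty list from check_config means none of these checks failed; it does not replace validation with a YAML tool as described in step 1.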

What to do next

You can also configure authorization for an integration server by using the mqsichangeauthmode command, and then set permissions by using the mqsichangefileauth command. For more information, see Configuring authorization by using the mqsichangeauthmode command and Setting file-based permissions.