Authenticating users for administration

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. You can control access to the IBM® App Connect Enterprise administration interfaces by using the authentication capabilities that are provided with the product.

Before you begin

About this task

IBM App Connect Enterprise provides authentication support for the following administration interfaces:
  • IBM App Connect Enterprise web user interface.
  • IBM App Connect Enterprise RESTful application programming interface (REST API).
  • IBM App Connect Enterprise Toolkit.
  • IBM App Connect Enterprise commands.

If administration security authentication (basicAuth) is enabled, users of the web user interface and the REST API must log in with a user ID and password. If LDAP authentication is enabled on the integration node or independent integration server, then all users are authenticated by the LDAP server. Any local passwords are ignored. If LDAP authentication is not configured, then the user ID and password are checked against the credentials that are held in the integration node or independent integration server. Users' access to data and resources is controlled by the permissions that are associated with their role. For more information, see Role-based security.

If administration security is not enabled, web users can interact with the IBM App Connect Enterprise web user interface without logging on. They interact with the web UI as the 'default' user and can access all data and resources. For users of the REST API, all REST requests are unrestricted if administration security is not enabled.

For the following administration interfaces, authentication is provided only by the system login; no additional authentication is carried out:

  • IBM App Connect Enterprise Toolkit
  • IBM Integration API
  • IBM App Connect Enterprise commands (when they make a local connection, specifying only the integration node name)

For more information about authenticating users for administration, see Managing web user accounts and Accessing the web user interface.

For more information about authenticating web user accounts by using LDAP, see Enabling LDAP authentication.

For more information about authorizing users based on the role to which they are assigned, see Authorizing users for administration.

You can enable authentication for users of IBM App Connect Enterprise administration interfaces, either by using the mqsichangeauthmode command, or by setting security properties in the appropriate .yaml configuration file for your integration node or server.

Procedure

Enable authentication by completing the steps in one of the following tasks:

Enable authentication by using the mqsichangeauthmode command

About this task

Complete the following steps to enable authentication for users of the IBM App Connect Enterprise administration interfaces, by using the mqsichangeauthmode command:

Procedure

  1. Run the mqsichangeauthmode command on your integration node or server. Specify the -b parameter to enable authentication only, as shown in the following example:
    mqsichangeauthmode -w myIntegrationServerWorkPath -b active

    In this example, authentication is enabled on the independent integration server, the work path of which is specified by the -w parameter.

    In the following example, authentication is enabled on the integration node ACE11NODE:
    mqsichangeauthmode ACE11NODE -b active
    Alternatively, you can specify the -s parameter, which configures both authentication and authorization. For more information, see mqsichangeauthmode command.
  2. Restart your integration node or integration server for the changes to take effect.

Enable authentication by modifying the node.conf.yaml or server.conf.yaml file

About this task

Modify properties in the .yaml configuration file for your integration node or integration server to enable authentication for users of the IBM App Connect Enterprise administration interfaces.

Procedure

  1. Open the node.conf.yaml or server.conf.yaml configuration file for your integration node or server, by using a YAML editor.
    If you do not have access to a YAML editor, you can edit the file by using a plain text editor. However, you must ensure that you do not include any tab characters, which are invalid characters in YAML and would cause your configuration to fail. If you are using a plain text editor, ensure that you use a YAML validation tool to validate the content of your file.
  2. In the Admin Security Authentication section of the .yaml configuration file, set the basicAuth property to true:
    basicAuth: true
  3. Optional: If basic authentication is enabled, you can use the following properties to set the maximum number of login attempts that can be made within a specified period before the client is locked out:
    • authMaxAttempts - the maximum number of login attempts that can be made during the specified period before the user is blocked from logging in (default is 5)
    • authAttemptsDuration - the time (in seconds) during which the maximum number of login attempts can be made before the user is blocked from logging in (default is 300)
    • authBlockedDuration - the time (in seconds) for which the client is blocked from logging in when the maximum number of login attempts has been reached without success (default is 300).
    For example:

    # Admin Security
    # Authentication
    #  If basicAuth is enabled, a maximum of authMaxAttempts authentication attempts are allowed for a client within period authAttemptsDuration
    #  If authMaxAttempts is reached without success, the client is locked out for period authBlockedDuration
    basicAuth: true                # Clients web user name and password will be authenticated when set true
    authMaxAttempts: 3             # Max allowed authentication attempts
    authAttemptsDuration: 300      # Authentication attempts period in seconds
    authBlockedDuration: 600       # Authentication blocked period in seconds
  4. Save the .yaml configuration file.
  5. Restart your integration node or integration server for the changes to take effect.
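
The following check is an added example, not part of the IBM documentation or product: it reads the text of a node.conf.yaml or server.conf.yaml file and reports tab characters, whether basicAuth is enabled, and the effective lockout values using the defaults listed in step 3. The function name, the sample file contents, the treatment of a missing basicAuth as not enabled, and the "at least as strict as the defaults" policy are all assumptions made for the example.

```python
import re

# Documented defaults for the lockout properties (from step 3 above).
DEFAULTS = {"authMaxAttempts": 5, "authAttemptsDuration": 300, "authBlockedDuration": 300}
SETTING = re.compile(r"^\s*(\w+)\s*:\s*([^#\s]+)")  # never matches '#'-commented lines

def audit_admin_auth(text):
    """Return (effective_settings, findings) for the admin authentication properties."""
    found, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "\t" in line.split("#", 1)[0]:
            findings.append(f"line {lineno}: tab character outside a comment")
        m = SETTING.match(line)
        if m and (m.group(1) == "basicAuth" or m.group(1) in DEFAULTS):
            found[m.group(1)] = m.group(2).strip("'\"")
    # Assumption: an absent or commented-out basicAuth means authentication is off.
    settings = {"basicAuth": found.get("basicAuth", "false").lower() == "true"}
    for key, default in DEFAULTS.items():
        raw = found.get(key, str(default))
        if not raw.isdigit():
            findings.append(f"{key}: '{raw}' is not a whole number, default assumed")
            raw = str(default)
        settings[key] = int(raw)
    if not settings["basicAuth"]:
        findings.append("basicAuth is not true: web UI and REST API need no login")
    # Assumed local policy: lockout must be at least as strict as the defaults.
    if settings["authMaxAttempts"] > DEFAULTS["authMaxAttempts"]:
        findings.append("authMaxAttempts allows more attempts than the default")
    for key in ("authAttemptsDuration", "authBlockedDuration"):
        if settings[key] < DEFAULTS[key]:
            findings.append(f"{key} is shorter than the default")
    return settings, findings

# Constructed sample fragments, not taken from a real installation.
HARDENED = """\
# Admin Security
# Authentication
basicAuth: true          # authenticate web user name and password
authMaxAttempts: 3
authAttemptsDuration: 300
authBlockedDuration: 600
"""
WEAK = "#basicAuth: true\n\tauthMaxAttempts: 20\nauthBlockedDuration: 60\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        settings, findings = audit_admin_auth(text)
        print(name, settings, *findings, sep="\n  ")
```

The check is line-based and does not replace a YAML validation tool; it is meant to run before the restart in step 5 so that a commented-out basicAuth line or a stray tab is caught first.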