![[V9.0.2 2017 年 5 月]](ng902.gif)
System Authorization Facility インターフェースの構成
System Authorization Facility (SAF) インターフェースにより、mqweb サーバーは外部セキュリティー・マネージャーを認証および許可検査のために呼び出すことができます。
始める前に
- 「 始めに 」で説明されているように、機能する IBM® MQ Console および REST API
- SAF への許可インターフェースを使用するために実行される WebSphere® Application Server Liberty エンジェル・プロセス。 詳しくは、 z/OS 許可サービスを Liberty for z/OS を参照してください。
本タスクについて
SAF インターフェースにより、 mqweb サーバーは、 IBM MQ Console と REST APIの両方の認証および許可検査のために外部セキュリティー・マネージャーを呼び出すことができます。
このタスクの一部のステップを実行するには、 特権ユーザー である必要があることに注意してください。
手順
- zos_saf_registry.xml ファイルを使用します。
![[V9.0.5 2018 年 3 月]](ng905.gif)
IBM MQ 9.0.5から、パス
PathPrefix/web/mq/samp/configuration から zos_saf_registry.xml ファイルをコピーします。ここで、PathPrefixは IBM MQ Unix System Services Components のインストール・パスです。IBM MQ 9.0.4 以前の場合は、以下のファイルを使用します。
<?xml version="1.0" encoding="UTF-8"?> <server> <!-- ****************************************************************** --> <!-- --> <!-- IBM MQ security configuration for MQ Console and REST API. --> <!-- --> <!-- Name: zos_saf_registry.xml --> <!-- --> <!-- Description: SAF based registry for z/OS --> <!-- --> <!-- ****************************************************************** --> <!-- <copyright --> <!-- notice='lm-source-program' --> <!-- pids='5724-H72' --> <!-- years='2017' --> <!-- crc='0' > --> <!-- --> <!-- Licensed Materials - Property of IBM --> <!-- --> <!-- 5724-H72 --> <!-- --> <!-- (C) Copyright IBM Corp. 2017, 2024. All Rights Reserved. --> <!-- --> <!-- US Government Users Restricted Rights - Use, duplication or --> <!-- disclosure restricted by GSA ADP Schedule Contract with --> <!-- IBM Corp. --> <!-- </copyright> --> <!-- Role mappings are granted by giving users and groups READ access to the following profiles in the EJBROLE class: 1) MQWEB.com.ibm.mq.console.MQWebAdmin MQWebAdmin role access for the MQ Console. All MQ commands issued by the MQ Console use the security context of the operating system user running the application server. 2) MQWEB.com.ibm.mq.console.MQWebAdminRO MQWebAdminRO role access for the MQ Console. The security context of the operating system user running the application server is used for all read-only MQ commands, such as DISPLAY CHANNEL, QUEUE, etc, issued by the MQ Console. 3) MQWEB.com.ibm.mq.console.MQWebUser MQWebUser role access for the MQ Console. All MQ commands issued by the MQ Console use the security context of the principal and so the user must be known to the queue manager and authorized to issue the command. 4) MQWEB.com.ibm.mq.rest.MQWebAdmin MQWebAdmin role access for the MQ REST API. All MQ commands issued by the REST API use the security context of the operating system user running the application server. 5) MQWEB.com.ibm.mq.rest.MQWebAdminRO MQWebAdminRO role access for the MQ REST API. The security context of the operating system user running the application server is used for all read-only MQ commands, such as DISPLAY CHANNEL, QUEUE, etc, issued by the REST API. 6) MQWEB.com.ibm.mq.rest.MQWebUser MQWebUser role access for the MQ REST API. All MQ commands issued by the REST API use the security context of the principal and so the user must be known to the queue manager and authorized to issue the command. In addition the sample enables HTTP Basic Authentication. --> <!-- Enable features --> <featureManager> <feature>appSecurity-2.0</feature> <feature>zosSecurity-1.0</feature> <feature>basicAuthenticationMQ-1.0</feature> </featureManager> <!-- The MQ Console --> <enterpriseApplication id="com.ibm.mq.console"/> <!-- The MQ REST API --> <enterpriseApplication id="com.ibm.mq.rest"/> <safRegistry id="saf"/> <safAuthorization id="saf"/> <safCredentials unauthenticatedUser="WSGUEST" profilePrefix="MQWEB"/> <!-- Enable HTTP by uncommenting the line below. --> <!-- <variable name="httpPort" value="9080"/> --> <!-- By default the server listens for HTTP/HTTPS requests on localhost only. To listen on all available network interfaces uncomment the line below. To listen on a specific IP address or hostname replace the * with an appropriate value. --> <!-- <variable name="httpHost" value="*"/> --> <!-- Default MQ SSL configuration allows TLS v1.2 ONLY, refer to the IBM Documentation section on "IBM MQ Console and REST API security" for details of how to configure security. --> <sslDefault sslRef="mqDefaultSSLConfig"/> <!-- Enable client certificate authentication by uncommenting the block below and creating a trust.jks store. Basic registry maps the common name (CN=) issued by a trusted CA to users names in the registry. For example a certificate with a distinguished name of 'CN=mqadmin,O=IBM,C=GB' will be granted a MQWebAdmin role under the 'mqadmin' user. The default, auto-generated certificate held in key.jks is intended for developer convenience only, it is not intended for production use. Passwords for both defaultKeyStore and defaultTrustStore should be changed and encoded using the securityUtility tool, refer to the following IBM Developer article for further information; https://developer.ibm.com/wasdev/docs/configuring-ssl-liberty/ --> <!-- <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/> <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/> <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/> <sslDefault sslRef="thisSSLConfig"/> --> <!-- Uncomment the following two variables, and adjust them, to change the default CORS settings. --> <!-- <variable name="mqRestCorsAllowedOrigins" value="https://localhost:9883"/> <variable name="mqRestCorsMaxAgeInSeconds" value="120"/> --> </server>
結果
IBM MQ Console および REST APIの SAF 認証をセットアップしました。