Configure users and roles

To make use of the IBM MQ Console or the REST API, users need to authenticate against a user registry, defined to the mqweb server.


Authenticated users need to be a member of one of the groups that authorizes access to the capabilities of the IBM MQ Console and REST API. By default, the user registry does not contain any users; these need to be added by editing the mqwebuser.xml file.

When you configure users and groups, you first configure a user registry to authenticate users and groups against. This user registry is shared between the IBM MQ Console and the REST API. We can control whether users and groups have access to the IBM MQ Console, REST API, or both, when you configure roles for the users and groups.

After you configure the user registry, you configure roles for the users and groups to grant them authorization. There are several roles available, including roles specific to using the REST API for Managed File Transfer. Each role grants a different level of access. For more information, see Roles on the IBM MQ Console and REST API.

A number of sample XML files are provided with the mqweb server to make the configuration of users and groups simpler. Users who are familiar with configuring security in WebSphere Liberty (WLP) might prefer not to use the samples. WLP provides other authorization capabilities in addition to the ones documented here.


Procedure

  • Configure users and groups with a basic registry by using the basic_registry.xml file.

    The user names and passwords in the registry are used to authenticate and authorize users of the IBM MQ Console and the REST API.

    To configure a basic registry by using the basic_registry.xml sample file, see Configure a basic registry for the IBM MQ Console and REST API.

  • Configure users and groups with an LDAP registry by using the ldap_registry.xml file.

    The user names and passwords in the LDAP registry are used to authenticate and authorize use of the IBM MQ Console and the REST API.

    To configure an LDAP registry by using the ldap_registry.xml sample file, see Configure an LDAP registry for the IBM MQ Console and REST API.

  • Configure users and groups with a local operating system registry by using the local_os_registry.xml file.

    The user names and passwords in the operating system registry are used to authenticate and authorize users of the IBM MQ Console and the REST API.

    To configure a local OS registry by using the local_os_registry.xml sample file, see Configure a local OS registry for the IBM MQ Console and REST API.

  • Configure users and groups with the System authorization facility (SAF) interface on z/OS by using the zos_saf_registry.xml file.

    RACF, or other security product, profiles are used to grant users and groups access to roles. The user names and passwords in the RACF database are used to authenticate and authorize users of the IBM MQ Console and REST API.

    To configure the SAF interface by using the zos_saf_registry.xml sample file, see Configure a SAF registry for the IBM MQ Console and REST API.

  • Disable security, including the ability to access the IBM MQ Console, or the REST API, using HTTPS, by using the no_security.xml file.


What to do next

Choose how users authenticate:

    IBM MQ Console authentication options

    • Let users authenticate by using token authentication. In this case, a user enters a user ID and password at the IBM MQ Console log in screen. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. No further configuration is required to use this authentication option, but we can optionally configure the expiry interval for the LTPA token. For more information, see Configure the LTPA token expiry interval.
    • Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the IBM MQ Console, but uses the client certificate instead. For more information, see Use client certificate authentication with the REST API and IBM MQ Console.

    REST API authentication options

    • Let users authenticate by using HTTP basic authentication. In this case, a user name and password is encoded, but not encrypted, and sent with each REST API request to authenticate and authorize the user for that request. In order for this authentication to be secure, we must use a secure connection. That is, we must use HTTPS. For more information, see Use HTTP basic authentication with the REST API.
    • Let users authenticate by using token authentication. In this case, a user provides a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to remain logged in and authorized for a set amount of time. For more information, see Use token-based authentication with the REST API. We can configure the expiry interval for the LTPA token. For more information, see Configure the LTPA token.
    • Let users authenticate by using client certificates. In this case, the user does not use a user ID or password to log in to the REST API, but uses the client certificate instead. For more information, see Use client certificate authentication with the REST API and IBM MQ Console.

  • Configure a basic registry for the IBM MQ Console and REST API
    We can configure a basic registry within the mqwebuser.xml file. The user names, passwords, and roles in the xml file are used to authenticate and authorize users of the IBM MQ Console and the REST API.
  • Configure a local OS registry for the IBM MQ Console and REST API
    We can configure a local operating system registry within the mqwebuser.xml file. The user names and passwords on the local operating system are used to authenticate and authorize users of the IBM MQ Console and the REST API.
  • Configure an LDAP registry for the IBM MQ Console and REST API
    We can configure an LDAP registry within the mqwebuser.xml file. The user names and passwords in the LDAP registry are used to authenticate and authorize users of the IBM MQ Console and the REST API.
  • Configure a SAF registry for the IBM MQ Console and REST API
    The System Authorization Facility (SAF) interface allows the mqweb server to call the external security manager for authentication and authorization checking. A user can then log in to the IBM MQ Console and REST API with a z/OS user ID and password.
  • Roles on the IBM MQ Console and REST API
    When you authorize users and groups to use the IBM MQ Console or REST API, we must assign the users and groups one of the available roles: MQWebAdmin, MQWebAdminRO, MQWebUser, MFTWebAdmin, and MFTWebAdminRO. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted.

Parent topic: IBM MQ Console and REST API security