User authentication and authorization for IBM MQ in containers

IBM MQ can be configured to use LDAP users and groups for authorization. This is the recommended approach for the IBM MQ Advanced certified container.

In a multi-tenant containerized environment such as Red Hat OpenShift Container Platform, security constraints are put in place to prevent potential security issues. For example:

  • In Red Hat OpenShift Container Platform the default SecurityContextConstraints (called restricted) uses a randomized user ID.
  • In IBM MQ certified containers, use of an ID that is defined on the operating system libraries inside a running container is not supported.

Both these constraints discourage using the ID of a user that is local to the container. Note: IBM MQ typically uses privilege escalation to check the passwords of users. This is also not recommended in multi-tenant container environments.

You need to configure your queue manager to use LDAP for user authentication and authorization. For information about configuring IBM MQ to do this, see Connection authentication: User repositories and LDAP authorization.
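As an added example, not from this page or IBM's own container configuration, the MQSC below sets up the arrangement described above: connection authentication against LDAP and group-based authorization from LDAP, with no reliance on OS accounts inside the container. The LDAP hostname, bind DN, base DNs, object class names, the AUTHINFO name and the group name are assumptions; in the container this would be supplied as an MQSC file rather than typed interactively.

```mqsc
* Added example (not from this page): LDAP connection authentication
* plus LDAP authorization for a containerized queue manager.
* Hostname, DNs, object names and the group name are assumptions.

* Connection authentication object: user IDs and passwords are checked
* against LDAP over TLS (SECCOMM(YES), port 636), so no privilege
* escalation or local OS user is involved in password checking.
DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.example.com(636)') +
       SECCOMM(YES) +
       LDAPUSER('cn=mqbind,ou=service,dc=example,dc=com') +
       LDAPPWD('<bind-password-placeholder>') +
       BASEDNU('ou=people,dc=example,dc=com') +
       CLASSUSR('inetOrgPerson') +
       USRFIELD('uid') SHORTUSR('uid') +
       CHCKCLNT(REQUIRED) +
       ADOPTCTX(YES) +
       AUTHORMD(SEARCHGRP) +
       BASEDNG('ou=groups,dc=example,dc=com') +
       CLASSGRP('groupOfNames') GRPFIELD('cn') FINDGRP('member') +
       REPLACE

* Point the queue manager at that object for connection authentication.
ALTER QMGR CONNAUTH(USE.LDAP)

* Authorization records name LDAP groups (the GRPFIELD value), not
* OS groups. Grant the application group only what it needs.
SET AUTHREC OBJTYPE(QMGR) GROUP('mqapps') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.IN') OBJTYPE(QUEUE) GROUP('mqapps') +
       AUTHADD(PUT,GET,INQ)

* The CONNAUTH change is picked up on refresh; switching AUTHORMD to
* LDAP takes effect only after the queue manager is restarted.
REFRESH SECURITY TYPE(CONNAUTH)
```

CHCKCLNT(REQUIRED) means every client connection must present valid LDAP credentials, and ADOPTCTX(YES) makes the authenticated LDAP user, not whatever ID the client asserted, the identity used for the SET AUTHREC checks.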
