Configuring LDAP in the IBM MQ Web Console

By Aiden Gallagher posted Mon April 28, 2025 06:11 PM


Introduction

This article describes how the MQ Web Console interacts with the MQ Server, and how LDAP is integrated into the configuration files to authenticate and authorise users.

MQ Setup

As of IBM MQ v9.0.1 the Web Console provides a user interface into a Queue Manager; its scope has expanded over time and it now enables administration of the queue manager.

The Web Console is hosted on a Liberty server with its own route in OpenShift / container deployments and its own port on virtual machines (e.g., 9443). The web server performs requests to the Queue Manager by passing a user ID and checking the authority rules of that user on the Queue Manager.

Web Console User Authorisation

The user used to start the MQ Web Server is typically mapped to the mqm group. This gives the web server ‘mqm’ authorities on the Queue Manager.

The web console acts independently of the Queue Manager, performing its own authentication and authorisation for access to the console, which is configured in the mqwebuser.xml file.

Users or groups are assigned a role in the XML file: MQWebAdmin, MQWebAdminRO (read only), MFTWebAdmin and MFTWebAdminRO (read only) are all administrative roles. The Liberty server makes the REST calls on behalf of the user, and the startup user's authorisations are applied to provide either ‘admin’ access or ‘admin read only’ access. RO roles denote read only.

Another role is available called MQWebUser. For this role Liberty passes the user ID to the Queue Manager and checks that user's authorisations on the Queue Manager.

Some considerations when using the MQWebUser role:

·      The user ID must be 12 characters or less

·      The user ID typed in the web console is case sensitive

·      The user ID must map to authority records on the queue manager

Integrating with LDAP

The integration with an LDAP registry in the Web Console is a Liberty-managed connection and role mapping; it does not map to the Queue Manager. Therefore, you can have separate LDAP servers for your Queue Manager and the Web Console.

Roles are first defined in the enterprise application XML: the role is named in the ‘security-role’ element, the group name maps to a group identifier in LDAP, and the realm maps to an LDAP registry definition later in the file. The realm name must match the realm on the ldapRegistry entry.

<enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
        <security-role name="MQWebAdmin">
            <group name="CN=ADMIN-Group" realm="LDAP"/>
        </security-role>
    </application-bnd>
</enterpriseApplication>

A special subject can be used to give all authenticated users a specific role, e.g., read only access, without doing a group lookup.

<security-role name="MQWebAdminRO">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>

 

An example LDAP entry is as follows. Note that the Active Directory filter element is activedLdapFilterProperties, and that the ‘&’ in the filters must be written as ‘&amp;’ because the file is XML:

<ldapRegistry id="LDAP" realm="LDAP"
    host="hostnameofldap" port="636" ignoreCase="true"
    baseDN=".."
    bindDN="${LDAP_BIND_DN}"
    bindPassword="${LDAP_BIND_PWD}"
    ldapType="Microsoft Active Directory">
    <activedLdapFilterProperties
        userFilter="(&amp;(objectClass=user)(sAMAccountName=%v))"
        groupFilter="(&amp;(objectClass=group)(cn=%v))"
        userIdMap="user:sAMAccountName"
        groupIdMap="group:cn"
        groupMemberIdMap="memberOf:member" />
</ldapRegistry>

The bind DN and password identify the user authorised to perform LDAP searches. The filters (with %v substituted by the value being looked up) select specific users and groups, and can be adjusted to suit the LDAP tree structure and the user and group object classes in use.

To secure the connection with TLS, add the following attributes to the ldapRegistry element:

sslEnabled="true"
sslRef="LDAPSSLSettings"

Keystores and truststores for connecting to the LDAP server can be defined as follows:

<ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>

<keyStore id="LDAPKeyStore"
    location="/etc/mqm/pki/KeyStore/keystore.jks"
    type="JKS" password="${LDAP_KEYSTORE_PASSWORD}"/>

<keyStore id="LDAPTrustStore"
    location="/etc/mqm/pki/KeyStore/truststore.jks"
    type="JKS" password="${LDAP_TRUSTSTORE_PASSWORD}" />

Common Issues

1.        Errors beginning with SES and CWWK are errors between Liberty and Active Directory; these are not IBM MQ issues.

Error logs are located in: MQ_DATA_PATH/web/installations/installationName/servers/mqweb/logs

The two logs located here are console.log and messages.log

2.        A user who has not been placed in any configured group can still access the web console when the ALL_AUTHENTICATED_USERS special subject is set. This means the user is being authenticated but no group-based role has been assigned to the user.

3.        Check the LDAP filters for user and group allocations; there is normally a corresponding error in the Liberty messages.log.

4.        Incorrect locations defined for the LDAP keystore and truststore. Check the container for the files at the location set in the XML.
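The configuration pieces above have to agree with each other: the realm on each security-role group must match an ldapRegistry realm, sslRef must match an ssl id, the keystore references must match keyStore ids whose files exist, the filters must contain the %v placeholder, and secrets should be variable references rather than literals. The following script is an added example (not IBM's or the MQ product's own code) that performs those static checks on an mqwebuser.xml and classifies log message IDs by origin as in Common Issue 1. The embedded sample configuration is constructed for the example, with placeholder hostname, DNs and paths and one deliberate mistake (a mismatched sslRef) so the checks have something to report.

```python
"""Static sanity checks for the LDAP parts of an mqwebuser.xml (added example, not IBM code)."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample config (placeholders only). The ssl id is deliberately
# misspelt ("LDAPSSLSettingz") so that the sslRef check below fires.
SAMPLE_MQWEBUSER_XML = """<server>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="CN=ADMIN-Group" realm="LDAP"/>
      </security-role>
      <security-role name="MQWebAdminRO">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <ldapRegistry id="LDAP" realm="LDAP" host="ldap.example.invalid" port="636"
      ignoreCase="true" baseDN="DC=example,DC=invalid"
      bindDN="${LDAP_BIND_DN}" bindPassword="${LDAP_BIND_PWD}"
      ldapType="Microsoft Active Directory" sslEnabled="true" sslRef="LDAPSSLSettings">
    <activedLdapFilterProperties
        userFilter="(&amp;(objectClass=user)(sAMAccountName=%v))"
        groupFilter="(&amp;(objectClass=group)(cn=%v))"
        userIdMap="user:sAMAccountName" groupIdMap="group:cn"
        groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>
  <ssl id="LDAPSSLSettingz" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="LDAPKeyStore" location="/etc/mqm/pki/KeyStore/keystore.jks"
      type="JKS" password="${LDAP_KEYSTORE_PASSWORD}"/>
  <keyStore id="LDAPTrustStore" location="/etc/mqm/pki/KeyStore/truststore.jks"
      type="JKS" password="${LDAP_TRUSTSTORE_PASSWORD}"/>
</server>
"""

VAR_REF = re.compile(r"^\$\{[A-Za-z0-9_.]+\}$")  # Liberty variable reference, e.g. ${LDAP_BIND_PWD}


def check_ldap_config(xml_text, check_files=False):
    """Return a list of findings (empty list means the wiring is consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    registries = {r.get("realm"): r for r in root.iter("ldapRegistry")}
    ssl_defs = {s.get("id"): s for s in root.iter("ssl")}
    keystores = {k.get("id"): k for k in root.iter("keyStore")}

    # 1. Every role->group mapping must name a realm that an ldapRegistry defines.
    for role in root.iter("security-role"):
        for grp in role.findall("group"):
            if grp.get("realm") not in registries:
                findings.append("role %s: group %s uses realm '%s' with no matching ldapRegistry"
                                % (role.get("name"), grp.get("name"), grp.get("realm")))

    for realm, reg in registries.items():
        # 2. The bind password should be a variable reference, not a literal in the file.
        pw = reg.get("bindPassword", "")
        if pw and not VAR_REF.match(pw):
            findings.append("ldapRegistry %s: bindPassword is a literal, use a ${VARIABLE}" % realm)
        # 3. TLS wiring: sslRef -> ssl id -> keyStore ids -> files on disk.
        if reg.get("sslEnabled", "false").lower() == "true":
            ssl = ssl_defs.get(reg.get("sslRef"))
            if ssl is None:
                findings.append("ldapRegistry %s: sslRef '%s' does not match any ssl id"
                                % (realm, reg.get("sslRef")))
            else:
                for ref_attr in ("keyStoreRef", "trustStoreRef"):
                    ks = keystores.get(ssl.get(ref_attr))
                    if ks is None:
                        findings.append("ssl %s: %s '%s' matches no keyStore id"
                                        % (ssl.get("id"), ref_attr, ssl.get(ref_attr)))
                    elif check_files and not os.path.isfile(ks.get("location", "")):
                        findings.append("keyStore %s: file not found at %s"
                                        % (ks.get("id"), ks.get("location")))
        elif reg.get("port") == "636":
            findings.append("ldapRegistry %s: port 636 but sslEnabled is not 'true'" % realm)
        # 4. Filters must carry the %v placeholder that Liberty substitutes at lookup time.
        for elem in reg.iter():
            for attr in ("userFilter", "groupFilter"):
                val = elem.get(attr)
                if val is not None and "%v" not in val:
                    findings.append("ldapRegistry %s: %s has no %%v placeholder" % (realm, attr))

    for ks_id, ks in keystores.items():
        if ks.get("password") and not VAR_REF.match(ks.get("password")):
            findings.append("keyStore %s: password is a literal, use a ${VARIABLE}" % ks_id)
    return findings


# Message-ID prefixes in messages.log and who owns them (SES/CWWK are Liberty, AMQ is MQ).
LOG_ORIGIN = {"SES": "Liberty security (not an MQ issue)",
              "CWWK": "Liberty runtime (not an MQ issue)",
              "AMQ": "IBM MQ"}
MSG_ID = re.compile(r"\b(SES|CWWK|AMQ)[A-Z]?\d{4}[A-Z]\b")


def classify_log_line(line):
    """Map a messages.log line to the component that produced it, or 'unknown'."""
    m = MSG_ID.search(line)
    return LOG_ORIGIN[m.group(1)] if m else "unknown"


if __name__ == "__main__":
    for f in check_ldap_config(SAMPLE_MQWEBUSER_XML, check_files=True):
        print("FINDING:", f)
```

Run it against a real file with check_files=True (the sample paths will not exist on a workstation, which is exactly the situation Common Issue 4 describes) and feed messages.log lines to classify_log_line to separate Liberty/LDAP errors from MQ ones before raising a ticket.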
