Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

Hi
Thanks everyone. In addition to IBM MQ web access, would I be able to use keycloak for PUT and GET on queues?

------------------------------
Wotenis Ribeiro Silva

Original Message:
Sent: Mon August 05, 2024 04:09 AM
From: Rob Parker
Subject: IBM MQ + Keycloak

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

Just a note. The article from Anthony Beardsmore refers to this link in the IBM MQ Documentation:

https://www.ibm.com/docs/en/ibm-mq/9.3?topic=tokens-configuring-queue-manager-accept-authentication

Which states the following:

1. Use one of the following methods to add the token issuer's public key certificate or symmetric key to the key repository.
   • To add the RSA public key certificate to the key repository, issue the following command:

     runmqakm -cert -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile
   • To add a base64 encoded symmetric key to the key repository, issue the following command:

     runmqakm -secretkey -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile -format ascii

   Where keylabel is the label to be attached to the certificate or secret key, and keyfile is the name of the file that contains the certificate or the base64 encoded secret key.

Based on a recent POC I did with IBM MQ and JWT at 9.4.0, I found that the keyfile (symmetric key) approach wanted the raw secret key entered into the key.kdb, and not the secrect key with base64 encoding.

------------------------------
Tim Zielke

Original Message:
Sent: Mon August 05, 2024 04:09 AM
From: Rob Parker
Subject: IBM MQ + Keycloak

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

I think the 

 -format ascii

flag tells runmqakm that the file will be in a base64 format. If you don't supply that flag or supply -format binary then the file must contain just the key.

Just a note. The article from Anthony Beardsmore refers to this link in the IBM MQ Documentation:

https://www.ibm.com/docs/en/ibm-mq/9.3?topic=tokens-configuring-queue-manager-accept-authentication

Which states the following:

1. Use one of the following methods to add the token issuer's public key certificate or symmetric key to the key repository.
   • To add the RSA public key certificate to the key repository, issue the following command:

     runmqakm -cert -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile
   • To add a base64 encoded symmetric key to the key repository, issue the following command:

     runmqakm -secretkey -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile -format ascii

   Where keylabel is the label to be attached to the certificate or secret key, and keyfile is the name of the file that contains the certificate or the base64 encoded secret key.

Based on a recent POC I did with IBM MQ and JWT at 9.4.0, I found that the keyfile (symmetric key) approach wanted the raw secret key entered into the key.kdb, and not the secrect key with base64 encoding.

------------------------------
Tim Zielke

Original Message:
Sent: Mon August 05, 2024 04:09 AM
From: Rob Parker
Subject: IBM MQ + Keycloak

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------

Here is an example.

I have this raw key below. It is not base64 encoded, because it includes an invalid character of "!".

TheQuickBrownFoxJumpedOverTheSlowLazyDog!TheQuickBrownFoxJumpedOverTheSlowLazyDog!

The base64 encoding of this key is the following:

VGhlUXVpY2tCcm93bkZveEp1bXBlZE92ZXJUaGVTbG93TGF6eURvZyFUaGVRdWlja0Jyb3duRm94SnVtcGVkT3ZlclRoZVNsb3dMYXp5RG9nIQ==

I then add them both to my key.kdb.

> od -c keyfile5
0000000   T   h   e   Q   u   i   c   k   B   r   o   w   n   F   o   x
0000020   J   u   m   p   e   d   O   v   e   r   T   h   e   S   l   o
0000040   w   L   a   z   y   D   o   g   !   T   h   e   Q   u   i   c
0000060   k   B   r   o   w   n   F   o   x   J   u   m   p   e   d   O
0000100   v   e   r   T   h   e   S   l   o   w   L   a   z   y   D   o
0000120   g   !
0000122

> runmqakm -secretkey -add -db /var/mqm/qmgrs/sbox1/tokenissuer/key.kdb -pw MyKeystorePassword -label mykey5 -file keyfile5 -format ascii

> od -c keyfile6
0000000   V   G   h   l   U   X   V   p   Y   2   t   C   c   m   9   3
0000020   b   k   Z   v   e   E   p   1   b   X   B   l   Z   E   9   2
0000040   Z   X   J   U   a   G   V   T   b   G   9   3   T   G   F   6
0000060   e   U   R   v   Z   y   F   U   a   G   V   R   d   W   l   j
0000100   a   0   J   y   b   3   d   u   R   m   9   4   S   n   V   t
0000120   c   G   V   k   T   3   Z   l   c   l   R   o   Z   V   N   s
0000140   b   3   d   M   Y   X   p   5   R   G   9   n   I   Q   =   =
0000160

> runmqakm -secretkey -add -db /var/mqm/qmgrs/sbox1/tokenissuer/key.kdb -pw MyKeystorePassword -label mykey6 -file keyfile6 -format ascii

I then use the jwt.io website to create valid JWTs for the raw key and base64 encoded key. Both resolve to the same JWT.

Using this key -> TheQuickBrownFoxJumpedOverTheSlowLazyDog!TheQuickBrownFoxJumpedOverTheSlowLazyDog!
I get this JWT -> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MjUxMjg5MDN9.yrIneUa307arVMGNdwONddANUZ3QmGCpOhsn7iYya_Y

Using this base64 encoded key -> VGhlUXVpY2tCcm93bkZveEp1bXBlZE92ZXJUaGVTbG93TGF6eURvZyFUaGVRdWlja0Jyb3duRm94SnVtcGVkT3ZlclRoZVNsb3dMYXp5RG9nIQ==
I get this JWT -> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MjUxMjg5MDN9.yrIneUa307arVMGNdwONddANUZ3QmGCpOhsn7iYya_Y

When I run my test with the mykey5 label and the above JWT, it works:

> export MQSAMP_TOKEN=blah
> /opt/mqm/samp/bin/amqsputc TCZ.TEST1 sbox1
Sample AMQSPUT0 start
Enter token: *********************************************************************************************************************************************************************************
target queue is TCZ.TEST1
msg5

Sample AMQSPUT0 end

When I run the test with mykey6 and the above JWT, it fails with a 2035 error that is a 106 token authentication error (Validation of the authentication token's signature failed.)

> /opt/mqm/samp/bin/amqsputc TCZ.TEST1 sbox1
Sample AMQSPUT0 start
Enter token: *********************************************************************************************************************************************************************************
MQCONNX ended with reason code 2035

Based on my testing, it seems like the key needs to be the raw key and not the raw key with base64 encoding that is added to the key.kdb.

I think the 

 -format ascii

flag tells runmqakm that the file will be in a base64 format. If you don't supply that flag or supply -format binary then the file must contain just the key.

Just a note. The article from Anthony Beardsmore refers to this link in the IBM MQ Documentation:

https://www.ibm.com/docs/en/ibm-mq/9.3?topic=tokens-configuring-queue-manager-accept-authentication

Which states the following:

1. Use one of the following methods to add the token issuer's public key certificate or symmetric key to the key repository.
   • To add the RSA public key certificate to the key repository, issue the following command:

     runmqakm -cert -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile
   • To add a base64 encoded symmetric key to the key repository, issue the following command:

     runmqakm -secretkey -add -db /var/mqm/qmgrs/qm1/tokenissuer/key.kdb -pw MyKeystorePassword -label keylabel         -file keyfile -format ascii

   Where keylabel is the label to be attached to the certificate or secret key, and keyfile is the name of the file that contains the certificate or the base64 encoded secret key.

Based on a recent POC I did with IBM MQ and JWT at 9.4.0, I found that the keyfile (symmetric key) approach wanted the raw secret key entered into the key.kdb, and not the secrect key with base64 encoding.

------------------------------
Tim Zielke

Original Message:
Sent: Mon August 05, 2024 04:09 AM
From: Rob Parker
Subject: IBM MQ + Keycloak

Hi,

You may find this blog post helpful: https://community.ibm.com/community/user/integration/blogs/anthony-beardsmore1/2023/11/07/mq-jwt

In 9.3.2 CD we added support of JWT's to be sent to a queue manager, by a messaging application, for authentication. In our automated testing of this feature we use a keycloak server to act as the token provider.

While IBM MQ does not support full OIDC/SAML/OAUTH flows needed to link in with keycloak, we support authenticating any tokens issued by keycloak so long as the secrets are provided to the queue manager. These secrets can be provided manually or in 9.4 LTS we released JWKS support which you can read about here: https://community.ibm.com/community/user/integration/blogs/vasily-shcherbinin1/2024/06/19/introducing-jwks . JWKS enables you to tell the queue manager to get the secrets it needs to validate a token signature. Keycloak supports the necessary JWKS endpoint.

For token signatures, we support the RSA signed token signatures, you can also use HMAC signed but the JWKS functionality is unable to retrieve the secrets needed to validate these token signatures so you will need to provide them manually. 

One thing to note about tokens too, if you intend to adopt the identity from the token you must ensure that a claim within the token is 12 characters or less to meet IBM MQ's requirements. In keycloak this can be done using a customer user attribute on the user entry and then providing a user attribute mapper to a client scope.

For the IBM MQ Console you may find this blog post series helpful: https://community.ibm.com/community/user/integration/blogs/robert-parker1/2022/08/17/authenticating-to-the-ibm-mq-console-with-the-open . In this series i use the IBM App ID service, but you could switch this out for keycloak instead.

In conclusion, you can configure a queue manager to validate tokens issued by a keycloak server and then write application logic to obtain these secrets from the various endpoints that keycloak offers, however it is not a full OIDC/OAUTH integration.

I hope this helps.

------------------------------
Rob Parker
Security Architect, IBM MQ Distributed
IBM UK Ltd

Original Message:
Sent: Fri August 02, 2024 02:58 PM
From: Wotenis Ribeiro Silva
Subject: IBM MQ + Keycloak

Hello

Has anyone had any experience integrating keycloak to authenticate users to put messages on IBM MQ queues?

https://www.keycloak.org/documentation.html

------------------------------
Wotenis Ribeiro Silva
------------------------------