The current recommended way for Production in Kubernetes is using the MQ Operator. It could be done via Helm or YAML files, but the operator simplifies many operations, such as rolling updates. Basically, the operator introduces the CRD queuemanager, so in a simple YAML you can define a queue manager like:
Original Message:
Sent: Mon October 23, 2023 02:52 AM
From: Hermanni Pernaa
Subject: MQ Container - LDAP integration for MQ WebConsole
No, we have just created yamls for the deployment. Our installation is so old that IBM provided operators didn't yet exist when we built the first container setups. We haven't started using the operator as it doesn't provide the flexibility that we require.
What scripts are you using for the build? I noticed that IBM provided mqwebuser.xml config has the OIDC definition, did you try to change that to something else or is the actual operator logic expecting the OIDC registration?
------------------------------
Hermanni Pernaa
Original Message:
Sent: Fri October 20, 2023 08:04 AM
From: Andres Colodrero
Subject: MQ Container - LDAP integration for MQ WebConsole
Are you creating your own containers and deploying them with MQ Operator?
I create my own container with a simple mqwebuser, but when I deploy a Queue Manager, the Operator expects that I have an OIDC (open auth connection with IBM Cloud Pak OIDC) and the deploy fails.
------------------------------
Andres Colodrero
Original Message:
Sent: Thu October 19, 2023 09:23 AM
From: Hermanni Pernaa
Subject: MQ Container - LDAP integration for MQ WebConsole
That is a good question. We have always built our own containers so I cannot tell whether there is a way to inject the mqwebuser file in the Operator option.
------------------------------
Hermanni Pernaa
Original Message:
Sent: Thu October 19, 2023 04:43 AM
From: Andres Colodrero
Subject: MQ Container - LDAP integration for MQ WebConsole
Hi,
Do you need to build your own image with mqwebuser settings?
As in the CRD queuemanager from the Operator I can see "mqsc" or "ini" files to inject configuration, I don't see any place to inject mqwebuser.
------------------------------
Andres Colodrero
Original Message:
Sent: Wed October 18, 2023 08:48 AM
From: Hermanni Pernaa
Subject: MQ Container - LDAP integration for MQ WebConsole
Hi,
I'm not aware of any official (or other) reference but I can share what we have done. Basically we just configured the mqwebuser.xml as we would have done for non-container installation, sample below:
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>basicAuthenticationMQ-1.0</feature>
    </featureManager>

    <!-- Roles for the MQ Console -->
    <enterpriseApplication id="com.ibm.mq.console">
        <application-bnd>
            <security-role name="MQWebAdmin">
                <group name="CN=mq_admins,OU=Groups,DC=example,DC=com" realm="defaultRealm"/>
            </security-role>
            <security-role name="MQWebUser">
                <group name="CN=mq_users,OU=Groups,DC=example,DC=com" realm="defaultRealm"/>
            </security-role>
        </application-bnd>
    </enterpriseApplication>

    <!-- Example LDAP Registry -->
    <ldapRegistry id="ldap" realm="defaultRealm"
                  host="ldap.example.com" port="636"
                  ignoreCase="true"
                  bindDN="CN=ldap_user,DC=example,DC=com"
                  bindPassword="*******"
                  baseDN="DC=example,DC=com"
                  certificateMapMode="EXACT_DN"
                  ldapType="Microsoft Active Directory"
                  sslEnabled="true"
                  sslRef="thisSSLConfig">
        <!-- '&' inside XML attributes must be written as '&amp;' or the file is not well-formed -->
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="user:sAMAccountName"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberOf:member">
        </activedFilters>
    </ldapRegistry>

    <!-- Enable HTTPS on a specific port by uncommenting the line below and providing the required port number. -->
    <variable name="httpsPort" value="9443"/>

    <!-- By default the server listens for HTTP/HTTPS requests on localhost only.
         To listen on all available network interfaces uncomment the line below.
         To listen on a specific IP address or hostname replace the * with an appropriate value. -->
    <variable name="httpHost" value="*"/>

    <!-- Include TLS config from IBM container build scripts -->
    <include location="tls.xml"/>
</server>
Then we added some additional lines to jvm.options file as we don't have any access to any revocation list services.
-Dcom.ibm.jsse2.checkRevocation=false
-Dcom.ibm.security.enableCRLDP=false
Then it is just a matter of inserting the config files into the right folders inside the container before the embedded web server starts, and that is something that you'll have to set up in your build and deploy pipeline. Our MQ container setup is quite old so we still use custom startup scripts, but there might be a bit more sophisticated way to handle this step nowadays. Hope this helps.
------------------------------
Hermanni Pernaa
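Added here as a pre-deployment check for a pipeline like the one described above; it is not part of the thread and not IBM tooling. It parses an mqwebuser.xml (catching the unescaped '&' that breaks LDAP filters), flags an LDAP registry without TLS or with a plain-text bind password, flags MQ Console roles with nothing bound to them, and flags jvm.options lines that turn off revocation checking. The sample XML is constructed for the demo; the assumption that Liberty's securityUtility encode produces values starting with {xor} or {aes} is the only convention it relies on.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the mqwebuser.xml posted in the thread, with
# weaknesses introduced for the demo (not the poster's actual file).
SAMPLE_MQWEBUSER = """<server>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="CN=mq_admins,OU=Groups,DC=example,DC=com" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebUser"/>
    </application-bnd>
  </enterpriseApplication>
  <ldapRegistry id="ldap" realm="defaultRealm" host="ldap.example.com" port="389" sslEnabled="false"
      bindDN="CN=ldap_user,DC=example,DC=com" bindPassword="plaintext-secret" baseDN="DC=example,DC=com">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))" userIdMap="user:sAMAccountName" groupIdMap="*:cn"/>
  </ldapRegistry>
</server>"""

def audit_mqwebuser(xml_text: str) -> list[str]:
    """Return findings for an mqwebuser.xml; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: a bare '&' in an LDAP filter attribute; XML requires '&amp;'
        return [f"not well-formed XML: {exc}"]
    findings = []
    for reg in root.iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append("ldapRegistry: sslEnabled is not true, bind credentials cross the network in clear")
        pw = reg.get("bindPassword", "")
        if pw and not pw.startswith("{"):  # assumption: securityUtility encode yields {xor}... or {aes}...
            findings.append("ldapRegistry: bindPassword is stored in plain text")
    for role in root.iter("security-role"):
        if role.find("group") is None and role.find("user") is None:
            findings.append(f"security-role {role.get('name')}: no group or user bound to it")
    return findings

def audit_jvm_options(text: str) -> list[str]:
    """Flag jvm.options lines that weaken TLS validation; each option must sit on its own line."""
    weak = {"-Dcom.ibm.jsse2.checkRevocation=false": "certificate revocation checking disabled",
            "-Dcom.ibm.security.enableCRLDP=false": "CRL distribution point lookups disabled"}
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if line.count("-D") > 1:
            findings.append(f"malformed line, options run together: {line}")
        elif line in weak:
            findings.append(f"{line}: {weak[line]}")
    return findings
```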
Original Message:
Sent: Tue October 17, 2023 05:40 PM
From: Santhosh Ramanathan
Subject: MQ Container - LDAP integration for MQ WebConsole
Hi,
For MQ in container (deployed in Azure Kubernetes), I am trying to integrate LDAP for WebConsole. Is there a reference available on how to configure LDAP for MQ Webconsole deployed as containers.
------------------------------
Thanks,
Santhosh Ramanathan
------------------------------