I am investigating setting up queue managers using the MQ 9.2 Operator on cloud environments. According to the manual, only LDAP-based authentication is supported because of issues with privilege escalation which are not allowed in OpenShift. Fair enough.
However, what if I don't want to authenticate the users with a password (which would need the escalation) and just want to attach some OAM rules to an account for an MCAUSER, and I'll authenticate with mutual TLS.
I've built a version of the MQ container image (as a PoC) with a bunch of local groups and users. The accounts are locked, have an invalid shell (/bin/false) and basically can't do anything. They have no rights within the OS image. I create them in the container build phase with AS ROOT, RUN and then groupadd and useradd. I don't care what ID numbers they have because MQ doesn't care either.
I can run the container via the operator and create channels which use TLS. The channels assert these userids, and I have granted permissions against them. Things work as they would on any other normal queue manager.
The use case is for a queue manager which doesn't require password-based authentication for client channels, and is using TLS authentication. Password-based authentication of local connections doesn't really make sense in a container environment, so I'm not worried about that either. Setting up an LDAP just for hanging MQ permissions on isn't something I really want to do.
Can I ask why this configuration is not supported?
I may not be on the call (for timezone reasons) but I'll catch up with it after the fact if it is available for replay.
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-20
+61 (0) 414 615 334
------------------------------
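The pattern described in the post above (locked, shell-less OS accounts created at image build time, used only as identities for OAM authority records, with the channel mapping a TLS certificate DN to that MCAUSER) can be expressed as a small image build. The following is an added illustration and is not the poster's PoC image nor IBM's own container build. It assumes the public IBM MQ container image convention that MQSC files dropped into /etc/mqm are applied when the queue manager starts, that the image runs as the non-root user 1001, and that the base image tag, queue name, channel name, group and user names and the certificate DN are placeholders to be replaced.

```dockerfile
# Added example (not the original post's code). Base image tag is a placeholder.
FROM icr.io/ibm-messaging/mq:9.2.0.0-r1-PLACEHOLDER

# Switch to root only for the account creation step, then drop back.
USER root

# Create a group to hang authority records on, and locked system accounts in it.
# --system: no login-capable defaults; --no-create-home: nothing on disk;
# --shell /bin/false: cannot get a shell; usermod --lock: password disabled.
# UID/GID values are left to the OS; MQ resolves names, not numbers.
RUN groupadd --system appgrp \
 && for u in app1 app2; do \
      useradd --system --no-create-home --shell /bin/false --gid appgrp "$u" \
      && usermod --lock "$u"; \
    done

# MQSC applied at queue manager start (assumed /etc/mqm convention of the MQ image).
# Channel: TLS required, client certificate required, no MCAUSER set on the
# channel itself; CHLAUTH decides who the connection becomes.
RUN cat > /etc/mqm/20-tls-identities.mqsc <<'EOF'
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('ANY_TLS12_OR_HIGHER') SSLCAUTH(REQUIRED) MCAUSER('') REPLACE
* Deny everything on this channel by default ...
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('default deny') ACTION(REPLACE)
* ... then map a specific certificate subject to a locked local account.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,O=EXAMPLE') +
    USERSRC(MAP) MCAUSER('app1') ACTION(REPLACE)
* OAM authority records hang off the group, not the individual user.
SET AUTHREC OBJTYPE(QMGR) GROUP('appgrp') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.IN') OBJTYPE(QUEUE) GROUP('appgrp') +
    AUTHADD(PUT,GET,BROWSE,INQ)
EOF

# Back to the non-root runtime user the MQ image expects.
USER 1001
```

Two points worth checking after the queue manager comes up: `DISPLAY CHLAUTH('APP.SVRCONN') ALL` should show the ADDRESSMAP deny rule and the SSLPEERMAP rule (more specific SSLPEERMAP rules win over the address rule), and `dspmqaut -m <QM> -t qmgr -g appgrp` should list only connect and inq. Because the accounts are locked and have no shell, a leaked password is not a concern for these identities; the only credential that selects them is the client certificate, so the trust store on the queue manager side is the thing to protect and rotate.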
Original Message:
Sent: Thu October 01, 2020 05:35 PM
From: David Ware
Subject: IBM MQ: Ask Us Anything!
This webcast features an interactive conversation with a panel of IBM MQ experts. Join us to get live answers to your most pressing questions on all things MQ in our "Ask Me Anything" style session. Our panel of experts will provide answers to the most commonly asked questions, covering licensing and usage, strategy and roadmap, technical matters, and more.
Join me and @Matt Sunley, @Amy McCormick, @MATTHEW LEMING on Tuesday, October 20th at 10 AM ET for IBM MQ: Ask Us Anything! You can post your questions below and register to watch here.
Cheers,
------------------------------
David Ware
STSM, IBM MQ Chief Architect
Hursley, UK
------------------------------