MQ


Configuring MQ Messaging REST API (mqweb) with LDAP

  • 1.  Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Tue June 21, 2022 03:29 PM
    I'm trying to configure the MQ web server to work with LDAP security.  The goal is to use the MQ Messaging REST API to add/remove messages from a queue.  I have the server installed and can successfully authenticate (using LDAP) with the web server.  The part that's failing is when I try to interact with a queue.  For example, on the POST the API returns a 403 with the message, "MQWB0103E: Not authorized to put to '{queue-name}'".  I'm using basic auth to supply the web server credentials. 

    In the MQ server log I see a similar message:

    06/21/22 18:20:03 - Process(227.15) User(mqm) Program(amqzlaa0)
                      Host(mqserver-simple-0) Installation(Installation1)
                      VRMF(9.2.0.4) QMgr(QS90)
                      Time(2022-06-21T18:20:03.340Z)
                      CommentInsert1(IBM MQ REST API)
                     
    AMQ5540E: Application 'IBM MQ REST API' did not supply a user ID and password

    EXPLANATION:
    The queue manager is configured to require a user ID and password, but none was
    supplied.
    ACTION:
    Ensure that the application provides a valid user ID and password, or change
    the value of CHCKCLNT to OPTIONAL on the AUTHINFO object specified by the
    CONNAUTH attribute on the queue manager. For the change to take effect, you
    must refresh the connection authentication configuration of the queue manager.
    ----- amqzfuca.c : 5089 -------------------------------------------------------
    From this error it appears the MQ web server is not supplying the credentials to the MQ server when it attempts to connect.

    Access to each queue is controlled via LDAP groups.  What I would like to have is that I can use the same credentials to connect to the MQ web server from my client, and then to the MQ server from the web server.  Is there a setting that informs the web server which credentials to use when forwarding the request?  

    Note, I started by copying 'ldap_registry.xml' to mqwebuser.xml and began updating the config found there.  This is what I have for the MQ REST API roles:
        <!--  
        Roles for the MQ REST API 
        -->
        <enterpriseApplication id="com.ibm.mq.rest">
            <application-bnd>
                <security-role name="MQWebAdmin">
                    <user name="uid=ADMIN,ou=Users,dc=dev,dc=mq,dc=com"/>
                </security-role>
                <!--
                    <security-role name="MQWebAdminRO">
                        <user name="cn=mqreader" realm="MyOrganizationRealm"/>
                    </security-role>
                -->
                <security-role name="MQWebUser">
                    <special-subject type="ALL_AUTHENTICATED_USERS"/>
                </security-role>
                <!--
                <security-role name="MFTWebAdmin">
                   <user name="cn=mftadmin" realm="MyOrganizationRealm"/>
                </security-role>
                <security-role name="MFTWebAdminRO">
                   <user name="cn=mftreader" realm="MyOrganizationRealm"/>
                </security-role>
                -->
            </application-bnd>
        </enterpriseApplication>


    At the moment I'm using a very simple LDAP structure, and don't have any LDAP filter properties set.  How, exactly, are these used?

        <!-- 
            Example LDAP Registry 
        -->
        <ldapRegistry id="ldap" 
            host="mqldap" 
            port="1389" 
            ignoreCase="true" 
            baseDN="dc=dev,dc=mq,dc=com"
            certificateMapMode="NOT_SUPPORTED"
            ldapType="Custom">
            <!--idsFilters="ibm_dir_server"-->
        </ldapRegistry>
    
        <!-- 
        <idsLdapFilterProperties id="ibm_dir_server"
            userFilter="(&amp;(|(primaryuserid=%v)(mail=%v))(objectclass=Person))"
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
            userIdMap="*:uid" 
            groupIdMap="*:cn"
            groupMemberIdMap="myOrg-allGroups:member;myOrg-allGroups:uniqueMember">
        </idsLdapFilterProperties>
        -->


    FWIW, the access to the MQ Web Console is working as expected.

    Thanks,
    Jim


    ------------------------------
    Jim Creasman
    ------------------------------


  • 2.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Wed June 22, 2022 01:53 AM

    Hi Jim,

    Are you trying to run the whole queue manager using LDAP authentication and LDAP authorization, or just the MQ web server using LDAP security? The reason I ask is because you have started your post by showing us a CONNAUTH error message, suggesting that you have CHCKLOCL(REQUIRED) set on your CONNAUTH settings, but you have not mentioned them further.

    You say "I have the server installed and can successfully authenticate (using LDAP) with the web server." - what do you mean by "server" when you say you "have the server installed" - do you mean the web server, or the queue manager (many many people call a queue manager the "MQ server" so I have to ask!). And what action are you doing to prove you "can successfully authenticate with the web server"?

    Does the "password missing" error message occur at the time you attempt to use the REST API to put to a queue? Or does it occur at MQ Web Server startup?

    Can you show us the full REST command you supply (obviously xxx-ing out or changing the password to something banal when you show us it). Are you sending the user id and password with each request, or are you using cookies?

    It is odd that you get message "MQWB0103E: Not authorized to put to '{queue-name}'" as that does suggest that the password did go through. If you had failed password authentication, I would have expected you to get message "MQWB0104E: The REST API request to '{queue-name-url}' is not authenticated."

    Are there any interesting messages in the servers/mqweb/logs/messages.log?

    Given that you say the Web Console is working - I assume it is using the same MQ Web Server with the same security settings? Isn't there a simple put a message to a queue operation that you can do in the web console? Does that work?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Wed June 22, 2022 08:33 AM
    Edited by Jim Creasman Wed June 22, 2022 08:35 AM
    Morag,

         I have both the qmgr and the web server configured to use LDAP.  The qmgr has been configured to use LDAP for some time and authentication/authorization is working fine with the other clients.  Starting this week I updated the install to also install the MQ Web Server and configure the MQ Console and MQ Messaging API components (previously, these were excluded).  MQ (both qmgr and web server) is running on Debian Linux.

         I verified I can log into the MQ Console using an admin account I have configured.  I can add messages to a queue using this admin account, going through the MQ Console UI.  I'm not sure how the console communicates with the qmgr, but this seems to be working as expected.  The admin account is configured to have full privileges to the qmgr resources.

         My goal is to use the MQ Messaging API to add, browse and receive messages from a queue.  Access to each of our queues is controlled by one or more LDAP groups.  We typically have a "send" group and a "receive" group, for PUTting and GETting, respectively.  My assumption is that accessing a queue through the REST API is a two-step process as far as the authentication/authorization is concerned.  First, you have to authenticate with the web server.  I've configured this to use LDAP in the mqwebuser.xml before I run 'strmqweb'.  Second step is for the qmgr to authenticate the user and verify they are authorized to perform whatever action is being requested.

         I believe authentication with the web server is working.  For example, if I use Postman with basic authorization I can invoke GET /ibmmq/rest/v2/login and see the ID along with the web server role returned. 
    {
        "user": [
            {
                "name": "mqdevsnd",
                "role": [
                    "MQWebUser"
                ]
            }
        ]
    }

    If I intentionally enter an incorrect password, the same endpoint fails with a 401 (MQWB0105E).

         Next, I tried the POST /ibmmq/rest/v1/messaging/qmgr/QS90/queue/MQDEV.QUEUE.V1/message with the body JSON as the message to add.  I'm using the same credentials that were successful on the login endpoint.  This returns the 403 error:

    {
        "error": [
            {
                "action": "Obtain the necessary authorization to perform the operation and resubmit the request.",
                "completionCode": 2,
                "explanation": "The authenticated principal is not authorized to perform the requested REST API operation.",
                "message": "MQWB0103E: Not authorized to put to 'MQDEV.QUEUE.V1'.",
                "msgId": "MQWB0103E",
                "reasonCode": 2035,
                "type": "rest"
            }
        ]
    }

    and the message I reported in the original post in the qmgr log:

    mqdev-server-simple | 06/22/22 12:14:58 - Process(214.17) User(mqm) Program(amqzlaa0)
    mqdev-server-simple |                     Host(mqserver-simple-0) Installation(Installation1)
    mqdev-server-simple |                     VRMF(9.2.0.4) QMgr(QS90)
    mqdev-server-simple |                     Time(2022-06-22T12:14:58.562Z)
    mqdev-server-simple |                     CommentInsert1(IBM MQ REST API)
    mqdev-server-simple |                    
    mqdev-server-simple | AMQ5540E: Application 'IBM MQ REST API' did not supply a user ID and password
    mqdev-server-simple | 
    mqdev-server-simple | EXPLANATION:
    mqdev-server-simple | The queue manager is configured to require a user ID and password, but none was
    mqdev-server-simple | supplied.
    mqdev-server-simple | ACTION:
    mqdev-server-simple | Ensure that the application provides a valid user ID and password, or change
    mqdev-server-simple | the value of CHCKCLNT to OPTIONAL on the AUTHINFO object specified by the
    mqdev-server-simple | CONNAUTH attribute on the queue manager. For the change to take effect, you
    mqdev-server-simple | must refresh the connection authentication configuration of the queue manager.
    mqdev-server-simple | ----- amqzfuca.c : 5089 -------------------------------------------------------

    The curl looks like this:

    curl --location --request POST 'https://localhost:7443/ibmmq/rest/v1/messaging/qmgr/QS90/queue/MQDEV.QUEUE.V1/message' \
    --header 'ibm-mq-rest-csrf-token: blank' \
    --header 'Content-Type: text/plain;charset=utf-8' \
    --header 'Authorization: Basic bXFkZXZzbmQ6cGFzc3dvcmQ=' \
    --data-raw '{
        "msg": "Hello!"
    }'


         Hopefully, I've answered your questions.  Thanks for taking a look at this.  Based on the behavior and the messages I'm seeing my best guess is that the REST API is not forwarding the user ID and password on to the qmgr at the time it tries to connect.  I'm likely missing some configuration that tells the web server to do this, or I need to pass the credentials differently.  My goal is that whatever LDAP ID is used to authenticate with the web server, the same ID is passed to the qmgr for performing the requested action.

    Regards,
    Jim



    ------------------------------
    Jim Creasman
    ------------------------------
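The AMQ5540E entry above is the queue manager's own record of the failed connection, and in post 3 it arrives with a container-name prefix on every line. The following is an added example (not code from the thread or from IBM) that strips that prefix, splits the AMQERR-style log into entries, pulls out the Key(Value) header fields, message ID, EXPLANATION and ACTION, and turns an AMQ5540E entry into a one-line diagnosis. The sample log is the entry quoted in the thread, embedded as constructed input.

```python
import re

# Constructed sample: the AMQ5540E entry quoted in this thread, as it appears when
# the queue manager log is read through a container log stream that prefixes every
# line with the container name.
SAMPLE_LOG = """\
mqdev-server-simple | 06/22/22 12:14:58 - Process(214.17) User(mqm) Program(amqzlaa0)
mqdev-server-simple |                     Host(mqserver-simple-0) Installation(Installation1)
mqdev-server-simple |                     VRMF(9.2.0.4) QMgr(QS90)
mqdev-server-simple |                     Time(2022-06-22T12:14:58.562Z)
mqdev-server-simple |                     CommentInsert1(IBM MQ REST API)
mqdev-server-simple |
mqdev-server-simple | AMQ5540E: Application 'IBM MQ REST API' did not supply a user ID and password
mqdev-server-simple |
mqdev-server-simple | EXPLANATION:
mqdev-server-simple | The queue manager is configured to require a user ID and password, but none was
mqdev-server-simple | supplied.
mqdev-server-simple | ACTION:
mqdev-server-simple | Ensure that the application provides a valid user ID and password, or change
mqdev-server-simple | the value of CHCKCLNT to OPTIONAL on the AUTHINFO object specified by the
mqdev-server-simple | CONNAUTH attribute on the queue manager. For the change to take effect, you
mqdev-server-simple | must refresh the connection authentication configuration of the queue manager.
mqdev-server-simple | ----- amqzfuca.c : 5089 -------------------------------------------------------
"""

CONTAINER_PREFIX = re.compile(r"^[\w.-]+ \| ?")          # "name | " from docker/compose logs
TIMESTAMP = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - ")
KEYVAL = re.compile(r"([A-Za-z0-9]+)\(([^)]*)\)")          # Process(214.17) User(mqm) ...
MSG_LINE = re.compile(r"^(AMQ\d{4}[EWI]): (.*)$")
ENTRY_END = re.compile(r"^-{5} \S+ : \d+ -+$")            # "----- amqzfuca.c : 5089 ---..."

def strip_container_prefix(text):
    """Drop the 'container-name | ' prefix, if present, from every line."""
    return [CONTAINER_PREFIX.sub("", line) for line in text.splitlines()]

def _new_entry():
    return {"header": {}, "msgid": None, "message": None, "explanation": [], "action": []}

def _finish(entry):
    entry["explanation"] = " ".join(entry["explanation"])
    entry["action"] = " ".join(entry["action"])
    return entry

def parse_amqerr_entries(text):
    """Split an AMQERR-style log into entries and extract their fields.

    Each entry carries the header Key(Value) pairs (Process, User, Program, Host,
    VRMF, QMgr, Time, CommentInsertN ...), the AMQnnnn message ID and text, and the
    EXPLANATION and ACTION paragraphs joined into single strings.
    """
    entries, current, section = [], _new_entry(), None
    for line in strip_container_prefix(text):
        if ENTRY_END.match(line):                  # the separator closes an entry
            entries.append(_finish(current))
            current, section = _new_entry(), None
            continue
        m = MSG_LINE.match(line)
        if m:
            current["msgid"], current["message"] = m.group(1), m.group(2)
            continue
        if line.strip() in ("EXPLANATION:", "ACTION:"):
            section = line.strip()[:-1].lower()
            continue
        if section and line.strip():
            current[section].append(line.strip())
        elif current["msgid"] is None:             # still inside the header block
            ts = TIMESTAMP.match(line)
            if ts:
                current["header"]["timestamp"] = ts.group(1)
            for key, value in KEYVAL.findall(line):
                current["header"][key] = value
    if current["msgid"]:                           # log cut off before a separator
        entries.append(_finish(current))
    return entries

def connauth_diagnosis(entry):
    """One-line reading of an AMQ5540E entry; None for any other message."""
    if entry.get("msgid") != "AMQ5540E":
        return None
    hdr = entry["header"]
    app = hdr.get("CommentInsert1", "<unknown application>")
    return (f"'{app}' connected to {hdr.get('QMgr', '?')} without a user ID and password; "
            "the CONNAUTH settings require them for this connection, so it was rejected "
            "before any queue-level AUTHREC was evaluated")
```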



  • 4.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 23, 2022 04:07 AM
    Edited by Francois Brandelik Thu June 23, 2022 04:14 AM
    Hi Jim,

    Either your web console is set up to use a client connection to the queue manager or you have configured the authinfo to require user password even when using a server connection. You may want to review your authinfo settings. Can you set the check locally bound connections to optional?

    You may also want to talk to your LDAP specialist. The filter properties will allow you to retrieve for a specific user the group membership. You can then define in your web set up which group has access to change stuff (admin) or post / get messages from queues.

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 5.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    Posted Thu June 23, 2022 05:56 AM
    Edited by Emir Garza Thu June 23, 2022 07:55 AM
    Jim,
    Not sure that this suggestion will work (it is, at best, an educated guess): Do you see a "Set-Cookie" response header when you login? If yes, try using it for Put/Get calls.
    This is what I see when I login (note: not using LDAP, so may not apply to your case):

    Login as `app1` and obtain a token:
    # Login:
    
    idpw='{"username":"app1","password":"passw0rd"}'
    curl -k -i https://$rest_hostname/ibmmq/rest/v2/login -X POST -H "Content-Type: application/json" --data "$idpw" -c app1-cookie.txt
    
    # Response:
    
    HTTP/1.1 204 No Content
    ...
    Set-Cookie: LtpaToken2_1648032846462470073=ewndKB82nScrScT3e6ENjXj+u7NKZ/.../eh7zkulso20Iw0c83Rr7K89E; Path=/; Secure; HttpOnly; 
    ...
    The call above saved the cookie in a file ("app1-cookie.txt"). Subsequent Put/Get calls use the cookie:

    # Put a test message:
    
    curl -k -i https://$rest_hostname/ibmmq/rest/v2/messaging/qmgr/QM12/queue/Q1/message  -H "Content-Type: text/plain;charset=utf-8" -b app1-cookie.txt -H "ibm-mq-rest-csrf-token: blank" --data 'Test message 1 - put using MQ REST API with Token authentication'
    
    # Response:
    HTTP/1.1 201 Created
    Content-Language: en-US
    Content-Length: 0
    Content-Type: text/plain; charset=utf-8
    ibm-mq-md-messageId: 414d5120514d39202020202020202020c21e2a6201350140
    Date: Thu, 10 Mar 2022 17:02:33 GMT
    Hope it helps.
    Regards,

    ------------------------------
    Emir Garza
    ------------------------------



  • 6.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 23, 2022 09:16 AM
    LTPA method is not preferred with the new REST API option from MQ.

    ------------------------------
    om prakash
    ------------------------------



  • 7.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 23, 2022 09:36 AM

    Here is a sample to use. Give a try.
    make sure you work with your AD team; and get the correct group, dir-search values.

        <!--
        Enable features
        -->
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>ldapRegistry-3.0</feature>
            <feature>basicAuthenticationMQ-1.0</feature>
            <feature>apiDiscovery-1.0</feature>
            <feature>transportSecurity-1.0</feature>
        </featureManager>
    
        <!--
        Roles for the MQ Console
        -->
        <enterpriseApplication id="com.ibm.mq.console">
            <application-bnd>
                <security-role name="MQWebAdmin">
                    <group name="CN=mqadmingroup,ou=Users,dc=dev,dc=mq,dc=com" realm="OrgRealm"/>
                </security-role>
                <security-role name="MQWebAdminRO">
                    <user name="CN=mqreadgroup,ou=Users,dc=dev,dc=mq,dc=com" realm="OrgRealm"/>
                </security-role>
                <security-role name="MQWebUser">
                    <special-subject type="ALL_AUTHENTICATED_USERS"/>
                </security-role>
            </application-bnd>
        </enterpriseApplication>
    
        <!--
        Roles for the MQ REST API
        -->
        <enterpriseApplication id="com.ibm.mq.rest">
            <application-bnd>
                <security-role name="MQWebAdmin">
                    <group name="CN=mqadmingroup,ou=Users,dc=dev,dc=mq,dc=com" realm="OrgRealm"/>
                </security-role>
                <security-role name="MQWebAdminRO">
                    <user name="CN=mqreader,ou=Users,dc=dev,dc=mq,dc=com" realm="OrgRealm"/>
                </security-role>
                <security-role name="MQWebUser">
                    <special-subject type="ALL_AUTHENTICATED_USERS"/>
                </security-role>
            </application-bnd>
        </enterpriseApplication>
    
        <!--
        LDAP Registry
        -->
    
        <ldapRegistry id="ldap"
            baseDN="dc=xxx,dc=xxxxx,dc=com"
            bindDN="CN=uid,ou=Users,dc=dev,dc=mq,dc=com"
            bindPassword="xxxxxxxx"
            host="og.comp.com"
            idsFilters="xxxxxx"
            ignoreCase="true"
            ldapType="Microsoft Active Directory"
            port="636"
            realm="OrgRealm"
            sslEnabled="true"
            sslRef="LDAPSSLSettings">
        </ldapRegistry>
    
        <idsLdapFilterProperties groupFilter="group" groupIdMap="*:cn" groupMemberIdMap="memberOf:member" id="org_dir_server" userFilter="search" userIdMap="user:accountName">
        </idsLdapFilterProperties>
    
        <!--
        Enable HTTPS on a specific port by uncommenting the line below and providing the required port number.
        -->
    
        <variable name="httpsPort" value="9443"/>


    ------------------------------
    om prakash
    ------------------------------



  • 8.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 23, 2022 01:18 PM
    Thanks for all the suggestions and help offered.  Unfortunately, I haven't yet cracked this nut.  It might help if I knew more about how the MQ Web Server handles the MQ Messaging REST API.  Perhaps someone from the IBM team can help in this area.  Are there debug settings I can use?

    My current understanding is that the web server is implemented as a Liberty application.  As such, the configuration I'm entering is (to some extent) specific to Liberty (e.g., the MQ doc directs the reader to the Liberty docs for configuring an LDAP user registry).  The first level of authentication occurs with this Liberty user registry.  Once that passes, the MQ Messaging application is handling the request by interacting with the MQ qmgr.  Does that sound about right?

    The problem I'm encountering is that the Messaging API is not sending any credentials to the qmgr, hence the "did not supply a user ID..." message.  I don't want to remove any of the security settings we have in place for the queues/topics.  Instead, I would like to use the credentials supplied to the Liberty user registry to authenticate with the qmgr as well.  Does this require special configuration to handle?  I did read at the above link about mapping LDAP attributes to user registry schema attributes.  If this is required, is there documentation on what these would be for MQ?

    I'll post the mqwebuser.xml I'm using and some other info here in case someone spots anything I've missed.  I'm running both the LDAP server (OpenLDAP) and MQ locally in Docker containers, and can adjust whatever settings might be necessary to resolve the issue.

    mqwebuser.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
      <featureManager>
          <feature>appSecurity-2.0</feature>
          <feature>ldapRegistry-3.0</feature>
          <feature>basicAuthenticationMQ-1.0</feature>
      </featureManager>
        
      <!-- Roles for the MQ Console                                                   -->
      <enterpriseApplication id='com.ibm.mq.console'>
        <application-bnd>
          <security-role name='MQWebAdmin'>
            <user name='uid=MQ_ADMIN,ou=Users,dc=dev,dc=mq,dc=com'/>
          </security-role>
        </application-bnd>
      </enterpriseApplication>
      
      <!-- Roles for the MQ REST API                                                  -->
      <enterpriseApplication id='com.ibm.mq.rest'>
        <application-bnd>
          <security-role name='MQWebAdmin'>
            <user name='uid=MQ_ADMIN,ou=Users,dc=dev,dc=mq,dc=com'/>
          </security-role>
          <security-role name='MQWebUser'>
            <special-subject type='ALL_AUTHENTICATED_USERS'/>
          </security-role>
        </application-bnd>
      </enterpriseApplication>
      
      <!-- LDAP registry configuration                                                -->
      <ldapRegistry id='ldap'
          host='mqldap'
          port='1389'
          ignoreCase='true'
          baseDN='dc=dev,dc=mq,dc=com'
          certificateMapMode='NOT_SUPPORTED'
          idsFilters='ibm_dir_server'
          ldapType='Custom'>
      </ldapRegistry>
      
      <idsLdapFilterProperties id="ibm_dir_server"
          userFilter="(&amp;(cn=%v)(objectclass=inetOrgPerson))"
          groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
          userIdMap="*:uid" 
          groupIdMap="*:cn"
          groupMemberIdMap="memberOf:member">
      </idsLdapFilterProperties>
    
      <variable name="httpHost" value="*"/>
      <variable name="httpsPort" value="9443"/>
    </server>

    Verify required role is assigned:
    curl -L -X GET 'https://localhost:7443/ibmmq/rest/v2/login' -H 'Content-Type: text/plain;charset=utf-8' -H 'Authorization: Basic bXFkZXZzbmQ6cGFzc3dvcmQ=' -k
    
    
    {
      "user": [
        {
          "name": "mqdevrcv",
          "role": [
            "MQWebUser"
          ]
        }
      ]
    }

    Attempt to put a message to the queue:
    curl -L -X POST 'https://localhost:7443/ibmmq/rest/v2/messaging/qmgr/QS90/queue/MQDEV.QUEUE.V1/message' -H 'ibm-mq-rest-csrf-token: blank' -H 'Content-Type: text/plain;charset=utf-8' -k -H 'Authorization: Basic bXFkZXZzbmQ6cGFzc3dvcmQ=' --data-raw '{
        "msg": "Hello!"
    }'
    
    
    
    {
        "error": [
            {
                "action": "Obtain the necessary authorization to perform the operation and resubmit the request.",
                "completionCode": 2,
                "explanation": "The authenticated principal is not authorized to perform the requested REST API operation.",
                "message": "MQWB0103E: Not authorized to put to 'MQDEV.QUEUE.V1'.",
                "msgId": "MQWB0103E",
                "reasonCode": 2035,
                "type": "rest"
            }
        ]
    }
    
    
    Message at qmgr:  
         AMQ5540E: Application 'IBM MQ REST API' did not supply a user ID and password


    ------------------------------
    Jim Creasman
    ------------------------------



  • 9.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 23, 2022 04:23 PM
    What is the auth defined to the queue? Also look at the queue manager error log to verify if it states which auth is missing.

    ------------------------------
    om prakash
    ------------------------------



  • 10.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Mon June 27, 2022 10:28 AM
    Edited by Jim Creasman Mon June 27, 2022 10:31 AM
    The qmgr is set up to authenticate users against LDAP as follows:
    * LDAP authentication statements:
    DEFINE AUTHINFO('MQDEV.LDAP.AUTHINFO') AUTHTYPE(IDPWLDAP) CHCKCLNT(REQUIRED) CHCKLOCL(REQUIRED) ADOPTCTX(YES) REPLACE +
            BASEDNU('ou=Users,dc=dev,dc=mq,dc=com') +
            BASEDNG('ou=Groups,dc=dev,dc=mq,dc=com') + 
            GRPFIELD('cn') +    
            CLASSUSR('inetOrgPerson') +
            CLASSGRP('groupOfNames') +
            CONNAME('mqldap(1389)') +                    
            LDAPUSER('uid=MQ_ADMIN,ou=Users,dc=dev,dc=mq,dc=com') +
            LDAPPWD('password') +
            SHORTUSR('uid') +
            USRFIELD('uid') +
            AUTHORMD(SEARCHGRP) +
            FINDGRP('member') +
            SECCOMM(NO)
    ALTER QMGR CONNAUTH('MQDEV.LDAP.AUTHINFO')
    REFRESH SECURITY(*) TYPE(CONNAUTH)
    *
    * Channel authentication rule -- Global block:
    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE)


    For the specific queue the following statements are run:

    * Queue AUTHREC statements:
    SET AUTHREC GROUP('mq_dev_recv_group') OBJTYPE(QMGR) AUTHRMV(ALL) AUTHADD(CONNECT,INQ)
    SET AUTHREC GROUP('mq_dev_send_group') OBJTYPE(QMGR) AUTHRMV(ALL) AUTHADD(CONNECT,INQ)
    * 
    SET AUTHREC PROFILE('MQDEV.QUEUE.V1') GROUP('mq_dev_send_group') OBJTYPE(QUEUE) AUTHADD(GET,PUT,INQ,BROWSE)
    
    


    The issue is that the REST API is not forwarding any credentials to the MQ server, so it never authenticates with the qmgr and does not get as far as checking for the particular queue access.  The only message in the qmgr log is "AMQ5540E: Application 'IBM MQ REST API' did not supply a user ID and password".

    I'm using basic authentication with the MQ Web Server, passing in the ID mqdevsnd.  This ID is defined in LDAP and is a member of the mq_dev_send_group.  This group has the proper access to the target queue.  For example, if I use one of the other MQ clients (e.g., Python or NodeJS), I am able to connect and put messages to the queue.

    Jim



    ------------------------------
    Jim Creasman
    ------------------------------



  • 11.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Mon June 27, 2022 10:39 AM
    Jim,
    The real issue here is that over the WEB you are just doing authentication but not group retrieval. As such the system has no idea which group the user might be a member of, and as such can't authorize it.

    Have you looked at Om Prakash's filter properties? He uses it to retrieve the group membership of the user. You probably need to do the same or at least something similar.

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 12.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Mon June 27, 2022 04:32 PM
    Francois,

         I have updated the config to include the user and group filters.  These are the current settings:
      <!-- LDAP registry configuration                                                -->
      <ldapRegistry id='ldap'
          host='mqldap'
          port='1389'
          ignoreCase='true'
          bindDN='uid=MQ_ADMIN,ou=Users,dc=dev,dc=mq,dc=com'
          bindPassword='********'
          baseDN='ou=Users,dc=dev,dc=mq,dc=com'
          certificateMapMode='NOT_SUPPORTED'
          ldapType='Custom'
          recursiveSearch='true'>
          <customFilters
              id="customFilters"
              userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
              groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"  
              userIdMap="*:uid"  
              groupIdMap="*:cn" 
              groupMemberIdMap="pri-allGroups:member"          
            />
      </ldapRegistry>

    However, I'm not convinced that is the problem.  The MQ webserver has everything it needs to find any user/group in the LDAP tree.  I verified both the user and group filters using Apache Directory Studio.  These return the expected values.

    The authorization failure is coming first from the queue manager and the webserver is simply relaying the information.  The message is saying that no user or password is sent.  I'm happy to be wrong, but it still seems the root cause is that the webserver is not passing any credentials to the queue manager.

    I found this page on tracing the REST APIs (https://www.ibm.com/docs/en/ibm-mq/9.2?topic=trace-tracing-rest-api) and have been working that angle this afternoon.  Unfortunately, the detail doesn't give me any clue as to what I might be missing.

    Jim

    ------------------------------
    Jim Creasman
    ------------------------------
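Post 1 asks how the LDAP filter properties are actually used, and the post above shows the final userFilter/groupFilter. The following is an added illustration (not Liberty's, IBM's or the poster's code) of what a registry does with them: substitute the login name for %v after RFC 4515 escaping, search the directory, then walk group membership through the `member` attribute, which is what post 11 says the web server needs before any group can be authorised. The directory, the minimal filter evaluator, and the choice of the `*:member` direction (group entries listing member DNs, rather than a `memberOf` attribute on the user) are assumptions made for the example.

```python
import re

# Constructed directory standing in for the OpenLDAP tree described in the thread:
# two users and the two groups from the AUTHREC statements. Values are lists, as in LDAP.
DIRECTORY = {
    "uid=mqdevsnd,ou=Users,dc=dev,dc=mq,dc=com": {
        "uid": ["mqdevsnd"], "cn": ["MQ Dev Sender"], "objectclass": ["inetOrgPerson"]},
    "uid=mqdevrcv,ou=Users,dc=dev,dc=mq,dc=com": {
        "uid": ["mqdevrcv"], "cn": ["MQ Dev Receiver"], "objectclass": ["inetOrgPerson"]},
    "cn=mq_dev_send_group,ou=Groups,dc=dev,dc=mq,dc=com": {
        "cn": ["mq_dev_send_group"], "objectclass": ["groupOfNames"],
        "member": ["uid=mqdevsnd,ou=Users,dc=dev,dc=mq,dc=com"]},
    "cn=mq_dev_recv_group,ou=Groups,dc=dev,dc=mq,dc=com": {
        "cn": ["mq_dev_recv_group"], "objectclass": ["groupOfNames"],
        "member": ["uid=mqdevrcv,ou=Users,dc=dev,dc=mq,dc=com"]},
}

USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"   # userFilter from the thread
GROUP_FILTER = "(&(cn=%v)(objectclass=groupOfNames))"    # groupFilter from the thread
MEMBER_ATTR = "member"   # the ":member" half of groupMemberIdMap: groups list member DNs

_ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join(_ESC.get(c, c) for c in value)

def render(template, value):
    """Substitute %v as the registry does, with the value escaped first."""
    return template.replace("%v", escape_value(value))

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_filter(s):
    """Parse the subset of RFC 4515 these filters use: (&..) (|..) (!..) (attr=value)."""
    node, rest = _parse(s)
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return node

def _parse(s):
    if not s.startswith("(") or len(s) < 3:
        raise ValueError("malformed filter near: " + s)
    s = s[1:]
    if s[0] in "&|!":
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated " + op)
        return (op, kids), s[1:]
    end = s.index(")")                       # values are escaped, so no ')' inside
    attr, value = s[:end].split("=", 1)
    return ("=", attr.lower(), _unescape(value)), s[end + 1:]

def matches(node, entry):
    op = node[0]
    if op == "=":
        _, attr, value = node                # ignoreCase="true": compare case-folded
        return value.lower() in [v.lower() for v in entry.get(attr, [])]
    kids = node[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)

def search(filter_str):
    """Return the DNs of every directory entry matching an LDAP filter string."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]

def resolve_user(login):
    """userFilter step: login name -> exactly one DN, or None (unknown or ambiguous)."""
    dns = search(render(USER_FILTER, login))
    return dns[0] if len(dns) == 1 else None

def resolve_group(name):
    """groupFilter step: group name -> exactly one group DN, or None."""
    dns = search(render(GROUP_FILTER, name))
    return dns[0] if len(dns) == 1 else None

def groups_of(login):
    """Group retrieval: the groups whose MEMBER_ATTR lists the resolved user DN."""
    dn = resolve_user(login)
    if dn is None:
        return []
    flt = "(&(objectclass=groupOfNames)(%s=%s))" % (MEMBER_ATTR, escape_value(dn))
    return sorted(DIRECTORY[g]["cn"][0] for g in search(flt))
```

A login name containing filter metacharacters is escaped before substitution, so the rendered filter keeps exactly the two clauses of the template and simply fails to match.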



  • 13.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Mon June 27, 2022 04:39 PM
    Is the webserver local to the qmgr or is the qmgr remote?

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 14.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Mon June 27, 2022 05:24 PM
    It is local to the queue manager.  Both are running in the same container.

    ------------------------------
    Jim Creasman
    ------------------------------



  • 15.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Tue June 28, 2022 02:50 AM
    Check your queue manager for the authinfo and qmgr connauth field, make sure that the chcklocl field on your authinfo is set to optional, if you have to change it make sure you do a refresh security type(connauth). Then try it again.

    Hope that helps.

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 16.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Wed June 29, 2022 07:55 PM
    @Francois Brandelik and @om prakash Thanks for sticking with me on this one.  I was finally able to get back to this today and took your advice, setting CHCKLOCL(OPTIONAL).  Previously, I'd set this value to REQUIRED.  After refreshing the security it now works.  It even seems to respect the group permissions assigned to the particular group of which the ID is a member.  

    I'm guessing the way the MQ REST API works is that the webserver must first authenticate itself, and then it passes the user information on to the qmgr.  However, it does not supply credentials and the CHCKLOCL setting was blocking it.  Since the webserver is running on the same server as the qmgr relaxing this to optional should not be an issue.  Do you see any other concerns with setting CHCKLOCL as OPTIONAL (the default value)?  

    Thanks again,
    Jim

    ------------------------------
    Jim Creasman
    ------------------------------



  • 17.  RE: Configuring MQ Messaging REST API (mqweb) with LDAP

    IBM Champion
    Posted Thu June 30, 2022 02:51 AM
    Relaxing the chcklocl should not be a problem.
    • in order to be on the server, you had to authenticate
    • in order to access the REST API you had to authenticate (hopefully)
    So the authentication part should be covered.

    ------------------------------
    Francois Brandelik
    ------------------------------