  • 1.  MQ Messaging REST API using Client Auth Cert.. how to?

    IBM Champion
    Posted Thu December 01, 2022 11:24 AM
    We plan to use MQ Messaging REST API authenticating using Client Auth Cert. Not userid/password.

    Client -> MQ WebServer -> Queue Manager -> Queue ( PUT and GET).

    The client presents a client auth cert; which the webserver has to accept. Example: Cert CN is CN:myid.mq.example.com

    This CN name is not a valid AD/Unix group.

    The webserver should accept the Client auth cert and authenticate, and then, using Channel rules, convert the CN value to a valid AD/Unix group which will allow the MQ queue manager to authenticate and allow the GET and PUT.

    Which channel will the MQ Web use, and then which is the next channel MQ Web uses to communicate with the queue manager?


    Has anybody implemented this pattern?

    Any other solution/idea?

    ------------------------------
    om prakash
    ------------------------------


  • 2.  RE: MQ Messaging REST API using Client Auth Cert.. how to?

    Posted Fri December 02, 2022 05:39 AM
    Hi om,
    In my experience, the REST API does not depend on channels.
    MQ Web runs on the same machine as the queue manager.
    You need to grant permissions at the queue/topic level.
    Maybe these articles help a bit.
    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mcras-using-client-certificate-authentication-rest-api-mq-console
    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mq-messaging-using-rest-api
    I never used it in production.

    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 3.  RE: MQ Messaging REST API using Client Auth Cert.. how to?

    IBM Champion
    Posted Fri December 02, 2022 07:45 AM
    Thanks @Matthias Jungbauer. Wondering how the CName handles the security for GET and PUT.
    As the example CN:myid.mq.example.com is not a valid id/group, how do the GET and PUT happen? Is id "mqm" being used?

    The way IBM has documented it indicates that if a Client Auth cert is authenticated, then they have access to all MQ Objects.




    ------------------------------
    om prakash
    ------------------------------