MQ

  • 1.  MQ Web Console readonly

    Posted Mon October 24, 2022 09:38 AM
    Hello all!

    Can I set up MQ Web Console as read only for all users accessing the console URL?
    Without authentication, is this possible?
    I'm with MQ 9.1 Windows

    Thanks !

    ------------------------------
    JOAO MIGUEL RAMIRES
    ------------------------------


  • 2.  RE: MQ Web Console readonly

    Posted Tue October 25, 2022 01:35 AM
    Hi Joao,

      Yes, you can use the MQ Web Console read only for all users, but it depends on whether you want to use this in the frame of basic registry (creating user by MQ Administrator) or by LDAP.

    It's a simple process 

    > Just go into the WEB MQ sample file directory; normally you will find it at /opt/mqm/web/mq/samp/configuration
    > Copy one of the files as needed, i.e. basic_registry or ldap_registry
    > Paste the file in the MQ Installation directory, i.e. /var/mq/web/installation/installations/mqweb
    > Rename the same file to mqwebuser.xml.
    > Define the roles as per the need of the security.

    Regards,

    KASHIF QADEER
    Middleware Consultant Royal Cyber Inc. KSA.






  • 3.  RE: MQ Web Console readonly

    Posted Tue October 25, 2022 04:18 AM
    Thanks Kashif

    Is it possible to define a default read only role and bypass the login dialog on the web page?

    There is this default role: 
    <security-role name="MQWebAdminRO">
                    <user name="mqreader" realm="defaultRealm"/>
    Can I assign this role to all users accessing the web console without logging in?

    Regards
    joao 


    ------------------------------
    JOAO MIGUEL RAMIRES
    ------------------------------



  • 4.  RE: MQ Web Console readonly

    Posted Tue October 25, 2022 07:42 AM
    Dear Joao,

       We can bypass the security by commenting the line <feature>appsecurity-2.0</feature> but it automatically revokes the basic MQ security roles and the Admin roles by default appear on screen every time. 

    So we can remove the security parameter but the read-only role can not be implemented after it. Please check with some other expert.
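
A check for the state discussed in the post above (the `appSecurity` feature commented out while read-only role bindings are still present), as an added example that is not part of the original thread or IBM's code. The sample file is constructed; the `MQWebAdmin` role, the `MQWebAdminGroup` group, the `basicAuthenticationMQ-1.0` feature and the `com.ibm.mq.console` application id are assumed from IBM's sample registry files rather than taken from this thread, and `audit_mqwebuser` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in this thread; not a real server's file.
SAMPLE = """<server>
  <featureManager>
    <!-- <feature>appSecurity-2.0</feature> -->
    <feature>basicAuthenticationMQ-1.0</feature>
  </featureManager>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="MQWebAdminGroup" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebAdminRO">
        <user name="mqreader" realm="defaultRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
</server>"""


def audit_mqwebuser(xml_text):
    """Return (security_enabled, {role: [principals]}, findings) for an mqwebuser.xml."""
    root = ET.fromstring(xml_text)  # XML comments are dropped, so a commented-out feature is absent
    features = {(f.text or "").strip().lower() for f in root.iter("feature")}
    security_enabled = any(f.startswith("appsecurity-") for f in features)
    roles = {}
    for role in root.iter("security-role"):
        members = roles.setdefault(role.get("name"), [])
        for child in role:  # user/group carry a name, special-subject carries a type
            members.append(f"{child.tag}:{child.get('name') or child.get('type')}")
    findings = []
    if not security_enabled:
        findings.append("appSecurity feature not enabled: role bindings below are not in effect")
    if not roles.get("MQWebAdminRO"):
        findings.append("no principal bound to MQWebAdminRO")
    for member in roles.get("MQWebAdminRO", []):
        if member in roles.get("MQWebAdmin", []):
            findings.append(f"{member} holds both MQWebAdmin and MQWebAdminRO")
    return security_enabled, roles, findings


if __name__ == "__main__":
    enabled, roles, findings = audit_mqwebuser(SAMPLE)
    print("security enabled:", enabled)
    for name, members in roles.items():
        print(f"  {name}: {', '.join(members) or '(nobody)'}")
    for finding in findings:
        print("FINDING:", finding)
```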





  • 5.  RE: MQ Web Console readonly

    Posted Tue October 25, 2022 09:21 AM
    Hmm, OK, thanks. Why does it default to the MQ Admin role and not to a more restrictive role, do you know?

    The intention is to give the development team access to display/browse MQ objects without the need to give them, or a group, MQ ACLs.
    These development users are remote to the MQ server; their users exist on a different Windows AD from the one where the MQ server runs.

    I need to give them simple remote browse-only access to the MQ server. I can create a svrconn channel, with a "display" role MCA user, and then the dev team use remote MQ Explorer over this channel, but for this I need to create on my Windows AD side a user (to be used in MCA) and I'm trying to avoid this.


    ------------------------------
    JOAO MIGUEL RAMIRES
    ------------------------------



  • 6.  RE: MQ Web Console readonly

    Posted Wed October 26, 2022 12:56 AM
    Hi,

    I suggest we can go in 2 different ways. 

    > You can enter the remote AD connection credentials in LDAP file and restrict developers to read only access.
    > You can simply add the read only properties in the basic registry file and share a common username & password with every developer.  

    Going into interactive command mode I think is a viable option.

    Regards,

    KASHIF QADEER





  • 7.  RE: MQ Web Console readonly

    IBM Champion
    Posted Fri October 28, 2022 05:03 PM
    Hello,
    You can also set up a secure autologon mechanism, with certificate identification:
    • using basic registry
    • adding a "guest_console" account (for example) to the registry, in the mqreader group
    • setting up an SSL certificate for the mqweb server
    • setting up an ssl certificate for users with CN=guest_console
    As soon as a user accesses the console url, he automatically presents his certificate and is logged in under the guest_console account with reader rights.

    HTH, LMD.


    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------