MQ V9.0.4 added the ability to authenticate and authorize users of the IBM MQ Console and REST API based on users and groups defined in the local operating system on distributed platforms. My colleague, John Barfield, recently wrote a blog article about this.

The equivalent function on z/OS is the ability to use the System Authorization Facility (SAF) interface for authentication and authorization. This allows the MQ Console and REST API to use user names and passwords in the RACF database to authenticate users, and to grant access to roles based on the access that users and groups have to RACF profiles.

SAF authentication for the MQ Console and REST API doesn't rely on any features provided in MQ. All you need to do is configure the mqweb server to use the SAF registry by tailoring the mqwebuser.xml file containing the server configuration, and set up the profiles needed to give users access to the MQ Console and REST API. Configuring System Authorization Facility interface in the Knowledge Center describes how to do this.

MQ ships with several sample XML files that show how the mqweb server can be configured to use different forms of authentication. There is currently no equivalent file for SAF authentication. We hope to include one in a future release of MQ. In the meantime, I’ve included a sample file below that shows how the mqweb server can be configured to use SAF authentication.

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <!-- ****************************************************************** -->
    <!--                                                                    -->
    <!--  IBM MQ security configuration for MQ Console and REST API.        -->
    <!--                                                                    -->
    <!--  Name: zos_saf_registry.xml                                        -->
    <!--                                                                    -->
    <!--  Description: SAF based registry for z/OS                          -->
    <!--                                                                    -->
    <!-- ****************************************************************** -->
    <!-- <copyright                                                         -->
    <!--     notice='lm-source-program'                                     -->
    <!--     pids='5724-H72'                                                -->
    <!--     years='2017'                                                   -->
    <!--     crc='0' >                                                      -->
    <!--                                                                    -->
    <!--     Licensed Materials - Property of IBM                           -->
    <!--                                                                    -->
    <!--     5724-H72                                                       -->
    <!--                                                                    -->
    <!--     (C) Copyright IBM Corp. 2017 All Rights Reserved.              -->
    <!--                                                                    -->
    <!--     US Government Users Restricted Rights - Use, duplication or    -->
    <!--     disclosure restricted by GSA ADP Schedule Contract with        -->
    <!--     IBM Corp.                                                      -->
    <!-- </copyright>                                                       -->

    <!--
    Role mappings are granted by giving users and groups READ access to the 
    following profiles in the EJBROLE class:
    
    1) MQWEB.com.ibm.mq.console.MQWebAdmin 
    
    MQWebAdmin role access for the MQ Console. All MQ commands issued by the
    MQ Console use the security context of the operating system user running
    the application server.
    
    2) MQWEB.com.ibm.mq.console.MQWebAdminRO
    
    MQWebAdminRO role access for the MQ Console. The security context of
    the operating system user running the application server is used for
    all read-only MQ commands, such as DISPLAY CHANNEL, QUEUE, etc,
    issued by the MQ Console.
         
    3) MQWEB.com.ibm.mq.console.MQWebUser

    MQWebUser role access for the MQ Console. All MQ commands issued by
    the MQ Console use the security context of the principal and so the
    user must be known to the queue manager and authorized to issue the
    command.
    
    4) MQWEB.com.ibm.mq.rest.MQWebAdmin
    
    MQWebAdmin role access for the MQ REST API. All MQ commands issued by the
    REST API use the security context of the operating system user running
    the application server.
    
    5) MQWEB.com.ibm.mq.rest.MQWebAdminRO
    
    MQWebAdminRO role access for the MQ REST API. The security context of
    the operating system user running the application server is used for
    all read-only MQ commands, such as DISPLAY CHANNEL, QUEUE, etc,
    issued by the REST API.
    
    6) MQWEB.com.ibm.mq.rest.MQWebUser
    
    MQWebUser role access for the MQ REST API. All MQ commands issued by
    the REST API use the security context of the principal and so the
    user must be known to the queue manager and authorized to issue the
    command.
 
    In addition the sample enables HTTP Basic Authentication.
    -->
    
    <!-- 
    Enable features 
    -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>zosSecurity-1.0</feature>
        <feature>basicAuthenticationMQ-1.0</feature>
    </featureManager>

    <!-- 
    The MQ Console 
    -->
    <enterpriseApplication id="com.ibm.mq.console" />

    <!-- 
    The MQ REST API 
    -->
    <enterpriseApplication id="com.ibm.mq.rest" />

    <!-- 
    Example SAF Registry 
    -->
    <safRegistry id="saf" />
    <safAuthorization id="saf" racRouteLog="ASIS" />
    <safCredentials unauthenticatedUser="WSGUEST" profilePrefix="MQWEB" />
    
    <!-- 
    Enable HTTP by uncommenting the line below. 
    -->
    <!--
    <variable name="httpPort" value="9080"/>
    -->
    
    <!-- 
    By default the server listens for HTTP/HTTPS requests on localhost only. To 
    listen on all available network interfaces uncomment the line below. To listen
    on a specific IP address or hostname replace the * with an appropriate value.
    -->
    <!--
    <variable name="httpHost" value="*"/>
    -->
            
    <!--       
    Default MQ SSL configuration allows TLS v1.2 ONLY, refer to the 
    IBM Knowledge Center section on "IBM MQ Console and REST API security" 
    for details of how to configure security.
    -->             
    <sslDefault sslRef="mqDefaultSSLConfig"/>
                    
    <!-- 
    Enable client certificate authentication by uncommenting the
    block below and creating a trust.jks store. Basic registry
    maps the common name (CN=) issued by a trusted CA to
    users names in the registry. For example a certificate with 
    a distinguished name of 'CN=mqadmin,O=IBM,C=GB' will be granted 
    a MQWebAdmin role under the 'mqadmin' user.
           
    The default, auto-generated certificate held in key.jks is
    intended for developer convenience only, it is not intended for
    production use.

    Passwords for both defaultKeyStore and defaultTrustStore should
    be changed and encoded using the securityUtility tool, refer
    to the following developerWorks article for further information;

    https://developer.ibm.com/wasdev/docs/configuring-ssl-liberty/
    -->
    <!--
    <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
    <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
    <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
    <sslDefault sslRef="thisSSLConfig"/>    
    -->    
    
    <!--
    Uncomment the following two variables, and adjust them, to change 
    the default CORS settings.
    -->
    <!--
    <variable name="mqRestCorsAllowedOrigins" value="https://localhost:9883"/>
    <variable name="mqRestCorsMaxAgeInSeconds" value="120"/>
    -->    
</server>
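As an added example (not IBM's code and not part of the sample above), the following Python script parses an mqwebuser.xml, checks that the features and SAF elements the sample relies on are present, derives the EJBROLE profile names from profilePrefix, application id and role exactly as the comment block lists them, and emits the RACF commands that define those profiles and grant a group READ access. The embedded minimal XML and the group name MQADMGRP are constructed for the demonstration; the XML deliberately sets httpPort so the check has something to report.

```python
import xml.etree.ElementTree as ET

# Features the SAF sample above enables, and the three mqweb roles it names.
REQUIRED_FEATURES = {"appSecurity-2.0", "zosSecurity-1.0", "basicAuthenticationMQ-1.0"}
ROLES = ("MQWebAdmin", "MQWebAdminRO", "MQWebUser")
# Constructed minimal mqwebuser.xml (not the sample itself); httpPort is live on purpose.
SAMPLE = """<server>
  <featureManager><feature>appSecurity-2.0</feature><feature>zosSecurity-1.0</feature>
    <feature>basicAuthenticationMQ-1.0</feature></featureManager>
  <enterpriseApplication id="com.ibm.mq.console"/>
  <enterpriseApplication id="com.ibm.mq.rest"/>
  <safRegistry id="saf"/>
  <safAuthorization id="saf" racRouteLog="ASIS"/>
  <safCredentials unauthenticatedUser="WSGUEST" profilePrefix="MQWEB"/>
  <variable name="httpPort" value="9080"/>
</server>"""

def saf_profiles(xml_text):
    """Return (problems, profiles): configuration issues found, and the EJBROLE
    profile names built as profilePrefix.applicationId.role."""
    root = ET.fromstring(xml_text)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    problems = ["missing feature " + m for m in sorted(REQUIRED_FEATURES - features)]
    for element in ("safRegistry", "safAuthorization", "safCredentials"):
        if root.find(element) is None:
            problems.append("no <%s> element" % element)
    creds = root.find("safCredentials")
    prefix = creds.get("profilePrefix") if creds is not None else None
    if not prefix:
        problems.append("safCredentials profilePrefix not set")
    # The sample leaves both variables commented out; report when they are live.
    for var in root.iter("variable"):
        if var.get("name") == "httpPort":
            problems.append("httpPort set: plain HTTP listener enabled")
        if var.get("name") == "httpHost" and var.get("value") == "*":
            problems.append("httpHost=*: listening on all interfaces")
    apps = [a.get("id") for a in root.iter("enterpriseApplication")]
    profiles = [f"{prefix}.{app}.{role}" for app in apps for role in ROLES] if prefix else []
    return problems, profiles

def racf_commands(profiles, group):
    """RACF commands defining each profile with UACC(NONE) and granting READ to group."""
    cmds = [f"RDEFINE EJBROLE {p} UACC(NONE)" for p in profiles]
    cmds += [f"PERMIT {p} CLASS(EJBROLE) ID({group}) ACCESS(READ)" for p in profiles]
    return cmds + ["SETROPTS RACLIST(EJBROLE) REFRESH"]

if __name__ == "__main__":
    found, profs = saf_profiles(SAMPLE)
    print("\n".join(["WARN " + p for p in found] + racf_commands(profs, "MQADMGRP")))
```

Run the same check against a real mqwebuser.xml to list the profiles that must exist before a user can be granted any mqweb role.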
