
Configuring Active Directory integration for the Web Console  #570

@aheyers

Description


We are trying to integrate the web console with Active Directory but encountering issues. I checked the path /var/mqm/web/installations/Installation1/servers/mqweb/ but there is no change in configuration.

We created the config map below and referenced it in the IBM MQ Helm chart.

We defined this in the values.yaml as in the example.

values.yaml:

```yaml
web:
  enabled: true
  manualConfig:
    configMap:
      name: mywebconfig
      items:
        - mqwebuser.xml
```

And added a configmap.

mywebconfig.yaml:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: mywebconfig
data:
  mqwebuser.xml: |-
    <!--
    This sample grants the following role mappings:

    1) MQWebAdmin role access to the 'MQWebAdminGroup' LDAP group. When a user is
    a member of this group, all MQ commands issued by the MQ Console and
    REST API use the security context of the operating system user running
    the application server.

    2) MQWebAdminRO role access to the 'mqreader' LDAP user. The 'mqreader'
    user uses the security context of the operating system user running
    the application server for all read-only MQ commands, such as DISPLAY
    CHANNEL, QUEUE, etc, issued by the MQ Console or REST API.

    3) Grants MQWebUser role access to all authenticated users. This role
    is used by authenticated users where no other role is applicable, for
    example the 'mqreader' user attempting to define a new queue. All MQ
    commands issued by the MQ Console and REST API use the security
    context of the principal and so the user must be known to the queue
    manager and authorized to issue the command.

    4) MFTWebAdmin role access to the 'mftadmin' LDAP user. The 'mftadmin'
    user uses the security context of the operating system user running
    the application server for all Managed File Transfer commands,
    such as list agent, list transfer etc, issued by the REST API.

    5) MFTWebAdminRO role access to the 'mftreader' user. The 'mftreader'
    user uses the security context of the operating system user running the
    application server for all read-only Managed File Transfer commands,
    such as list agent, list transfer etc, issued by the REST API.

    In addition the sample enables HTTP Basic Authentication.
    -->

    <!-- mqwebuser.xml is a Liberty server configuration file: every element must sit inside one <server> root -->
    <server>

        <!--
        Enable features
        -->
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>ldapRegistry-3.0</feature>
            <feature>basicAuthenticationMQ-1.0</feature>
        </featureManager>

        <!--
        Roles for the MQ Console
        -->
        <enterpriseApplication id="com.ibm.mq.console">
            <application-bnd>
                <security-role name="MQWebAdmin">
                    <group name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
                </security-role>
                <security-role name="MQWebUser">
                    <group name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
                </security-role>
            </application-bnd>
        </enterpriseApplication>

        <!--
        Roles for the MQ REST API (left commented out; closing tags completed so the block is well formed if it is enabled)
        -->
        <!--
        <enterpriseApplication id="com.ibm.mq.rest">
            <application-bnd>
                <security-role name="MQWebAdmin">
                    <group name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
                </security-role>
            </application-bnd>
        </enterpriseApplication>
        -->

        <!--
        Example LDAP Registry
        -->
        <!-- sslRef="thisSSLConfig" must resolve to an <ssl id="thisSSLConfig"> element; in this file that element only exists inside the commented block further down -->
        <!-- bindPassword is redacted here; Liberty expects it encoded with securityUtility rather than stored in plaintext -->
        <ldapRegistry id="ldap"
            realm="MyOrganizationRealm"
            host="somehostname.company.com"
            port="636"
            ignoreCase="true"
            certificateMapMode="EXACT_DN"
            bindDN="CN=serviceaccount,OU=Acconts,OU=Common,DC=domain,DC=company,DC=com"
            bindPassword="XXXXXXXXXXXXXXXXXXXX"
            baseDN="OU=Common,DC=domain,DC=company,DC=com"
            ldapType="Microsoft Active Directory"
            sslEnabled="true"
            sslRef="thisSSLConfig">
            <activedFilters
                userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                userIdMap="user:sAMAccountName"
                groupIdMap="*:cn"
                groupMemberIdMap="memberOf:member"/>
        </ldapRegistry>

        <!--
        Enable HTTPS on a specific port by uncommenting the line below and providing the required port number.
        -->
        <variable name="httpsPort" value="9443"/>

        <!--
        By default the server listens for HTTP/HTTPS requests on localhost only. To
        listen on all available network interfaces uncomment the line below. To listen
        on a specific IP address or hostname replace the * with an appropriate value.
        -->
        <variable name="httpHost" value="*"/>

        <!--
        Uncomment the following variable, and modify the list of hostAlias, to specify the
        allowed hostname and port combinations that can access the application server.
        -->
        <!--
        <virtualHost allowFromEndpointRef="defaultHttpEndpoint" id="default_host">
            <hostAlias>localhost:9080</hostAlias>
        </virtualHost>
        -->

        <!--
        Default MQ SSL configuration allows TLS v1.2 ONLY, refer to
        IBM Documentation on "IBM MQ Console and REST API security"
        for details of how to configure security.
        -->
        <sslDefault sslRef="mqDefaultSSLConfig"/>

        <!--
        Enable client certificate authentication by uncommenting the
        block below and creating and populating a trust.jks store.
        Certificate DN mapping can be configured to match the DN
        exactly or using a pattern filter (certificateMapMode).

        Passwords for both defaultKeyStore and defaultTrustStore should
        be changed and encoded using the securityUtility tool, refer
        to the following developerWorks article for further information;

        https://developer.ibm.com/wasdev/docs/configuring-ssl-liberty/
        -->
        <!--
        <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
        <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
        <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore" serverKeyAlias="default" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
        <sslDefault sslRef="thisSSLConfig"/>
        -->

        <!--
        Uncomment the following two variables, and adjust them, to change the default CORS settings.
        -->
        <!--
        <variable name="mqRestCorsAllowedOrigins" value="https://localhost:9883"/>
        <variable name="mqRestCorsMaxAgeInSeconds" value="120"/>
        -->

        <!-- Include TLS config from IBM container build scripts -->
        <include location="tls.xml"/>

    </server>
```

So my question is: is the file somewhere else, or is there some missing step to apply the changes? What is the correct configuration needed to successfully integrate the web console with AD?
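A pre-deployment check for the kind of config shown in this issue, added here as an example; it is neither the issue author's code nor part of the IBM mq-container project. It parses an `mqwebuser.xml` the way Liberty would see it (comments dropped) and flags the mistakes that are easy to make by hand: no single `<server>` root, an `sslRef`, `keyStoreRef` or `trustStoreRef` that points at an id only defined inside a commented-out block, a plaintext `bindPassword`, and an `ldapRegistry` without the `appSecurity-2.0`/`ldapRegistry-3.0` features. The element and attribute names are the ones used in the config above; the three sample documents are constructed for the test and use placeholder hosts and DNs; the `{xor}`/`{aes}` prefixes are the encodings that Liberty's `securityUtility encode` produces.

```python
"""Lint an IBM MQ web console mqwebuser.xml before wrapping it in a ConfigMap."""
import xml.etree.ElementTree as ET
from typing import List

# Features an ldapRegistry needs before it can serve as the user registry.
REQUIRED_FEATURES_FOR_LDAP = {"appSecurity-2.0", "ldapRegistry-3.0"}
# Prefixes produced by Liberty's securityUtility encode (default xor, or aes).
ENCODED_PREFIXES = ("{xor}", "{aes}")


def lint_mqwebuser(xml_text: str) -> List[str]:
    """Return findings for one mqwebuser.xml; an empty list means every check passed."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        # Several top-level elements with no <server> wrapper end up here
        # ("junk after document element"), as does any unbalanced tag.
        return [f"not well-formed XML ({exc}); is everything inside a single <server> element?"]
    if root.tag != "server":
        findings.append(f"root element is <{root.tag}>, expected <server>")

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    registries = list(root.iter("ldapRegistry"))
    if registries:
        for missing in sorted(REQUIRED_FEATURES_FOR_LDAP - features):
            findings.append(f"ldapRegistry is configured but feature {missing} is not enabled")

    # The parser drops comments, so an <ssl> that only exists inside <!-- --> is
    # invisible here, exactly as it is to the server at runtime.
    ssl_ids = {e.get("id") for e in root.iter("ssl")}
    keystore_ids = {e.get("id") for e in root.iter("keyStore")}
    includes = [e.get("location") for e in root.iter("include")]
    hint = f" (not in this file; included files: {', '.join(includes)})" if includes else " (is it commented out?)"
    for elem in root.iter():
        ref = elem.get("sslRef")
        if ref is not None and ref not in ssl_ids:
            findings.append(f'<{elem.tag}> references sslRef="{ref}" but no <ssl id="{ref}"> is defined{hint}')
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = elem.get(attr)
            if ref is not None and ref not in keystore_ids:
                findings.append(f'<{elem.tag}> {attr}="{ref}" matches no <keyStore id>{hint}')

    for reg in registries:
        pw = reg.get("bindPassword")
        if pw and not pw.startswith(ENCODED_PREFIXES):
            findings.append("bindPassword is stored in plaintext; encode it with securityUtility encode")
        if reg.get("sslEnabled") == "true" and not reg.get("sslRef"):
            findings.append('ldapRegistry has sslEnabled="true" but no sslRef')
    return findings


# Constructed sample modelled on the config in this issue: the <ssl> the
# registry points at is commented out and the bind password is plaintext.
BROKEN_CONFIG = """
<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>basicAuthenticationMQ-1.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="ExampleRealm" host="ldap.example.test" port="636"
      bindDN="CN=svc,OU=Common,DC=example,DC=test" bindPassword="plaintext-secret"
      baseDN="OU=Common,DC=example,DC=test" ldapType="Microsoft Active Directory"
      sslEnabled="true" sslRef="thisSSLConfig"/>
  <!--
  <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
  <ssl id="thisSSLConfig" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
  -->
</server>
"""

# Constructed: same registry with the TLS block enabled and an encoded password
# (the {xor} value is a made-up placeholder, not a real encoding of anything).
FIXED_CONFIG = BROKEN_CONFIG.replace("  <!--\n", "").replace("  -->\n", "").replace(
    'bindPassword="plaintext-secret"', 'bindPassword="{xor}Lz4sLCgwLTs="')

# Constructed: what the page's config looks like when the <server> root is lost.
NO_ROOT_CONFIG = """
<featureManager>
  <feature>appSecurity-2.0</feature>
</featureManager>
<ldapRegistry id="ldap" realm="ExampleRealm" host="ldap.example.test"/>
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("no-root", NO_ROOT_CONFIG)):
        print(name, lint_mqwebuser(cfg) or "OK")
```

Run it against the `mqwebuser.xml` value extracted from the ConfigMap (for instance via `kubectl get configmap mywebconfig -o jsonpath='{.data.mqwebuser\.xml}'`) before installing the chart; a dangling `sslRef` or a missing root is cheaper to catch here than by reading the mqweb server logs after the pod starts.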
