Authenticating users for administration

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. You can control access to the IBM® Integration Bus administration interfaces by using the authentication capabilities that are provided with the product.

About this task

IBM Integration Bus provides authentication support for the following integration node administration interfaces:
  • IBM Integration Bus web user interface.
  • IBM Integration Bus RESTful application programming interface (API).
  • IBM Integration Toolkit (when configured to make a remote connection to the integration node).
  • IBM Integration Bus commands. Some IBM Integration Bus commands allow you to provide security credentials when you are connecting to a remote host. You provide the user ID and password as a URI, by using the -i URI parameter, as shown in the following example:
     -i tcp://userid:password@hostname
    If your password contains URI reserved characters, you must convert these characters to the percent-encoded format. For more information, see "A correct URL and password returns error BIP1939 when you attempt to connect to a remote host name" in "Resolving problems when running commands". If you issue a command without specifying security credentials, the integration node accepts the system user ID and uses it to check against authorization queues.
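
The percent-encoding step described above, as an added shell example that is not part of the IBM documentation. The function names `urlencode` and `admin_uri`, the sample credentials and host name, and the host-name check are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not IBM code: build the value for the -i URI parameter
# with the user ID and password percent-encoded.

# urlencode STRING
# Prints STRING with every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - . _ ~) replaced by %XX. Working on the hex dump from od
# means multi-byte characters are encoded one byte at a time.
urlencode() {
    out=''
    for h in $(printf '%s' "$1" | od -An -v -t x1); do
        case "$h" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # Unreserved byte: turn the hex value back into the character.
                out="$out$(printf "\\$(printf '%03o' "0x$h")")" ;;
            *)
                # Anything else, including @ : / # and %, becomes %XX.
                out="$out%$(printf '%s' "$h" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
}

# admin_uri USERID PASSWORD HOSTNAME
# Prints tcp://userid:password@hostname. The host name is not encoded;
# this example (its own choice, not a product rule) rejects any host
# value that contains characters other than letters, digits, '.' and '-'.
admin_uri() {
    case "$3" in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid host name: $3" >&2
            return 1 ;;
    esac
    printf 'tcp://%s:%s@%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3"
}

# Constructed sample values; without encoding, the '@', ':' and '/' in
# this password would change how the URI is split into its parts.
admin_uri 'admin' 'p@ss:w/rd#1' 'inode.example.com'
echo
```
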

If administration security is enabled, users of the web user interface and the RESTful API must log in with a user ID and password. If the user account is defined with a local password, the user ID and password are checked against the credentials held in the integration node. If the user account does not have a local password, and the integration node is configured to use an LDAP server, then the user ID and password are authenticated by the LDAP server. Users' access to data and integration node resources is controlled by the permissions that are associated with their role.

If administration security is not enabled, web users can interact with the web user interface without logging on; they interact with the web UI as the 'default' user and can access all data and integration node resources. For users of the RESTful API, all REST requests are unrestricted if administration security is not enabled.

For the following administration interfaces, authentication is provided only by the system login; no additional authentication is carried out by the integration node:

  • IBM Integration Toolkit (when making a local connection, specifying only the integration node name)
  • IBM Integration API
  • IBM Integration Bus commands (when making a local connection, specifying only the integration node name)

If file-based or queue-based authorization is enabled, when you access the integration node locally through these interfaces, the system user ID that ran the Toolkit, application, or command is passed to the integration node, and it uses this system ID as the role name to check for configured file or mq mode permissions. If no explicit permission is granted through the configured file mode permissions, the integration node checks whether the system ID is a member of the mqbrkrs group, or is the same ID that the integration node runs under, and if so all permissions are granted.

If LDAP authorization is enabled, the integration node checks whether the system ID is a member of the mqbrkrs group, or is the same ID that the integration node runs under, and if so all permissions are granted.

For more information about authenticating users for integration node administration, see Managing web user accounts and Accessing the web user interface.

For information about authenticating web user accounts by using LDAP, see Enabling an integration node to use LDAP for authentication.

For information about authorizing users based on the role to which they are assigned, see Authorizing users for administration.