Administration security overview

Administration security controls users' permissions to access an integration node and its resources, and to complete administrative tasks.

Administration security is an optional feature of the integration node; it is not enabled by default. You can enable administration security and select the required authorization mode by using the mqsichangeauthmode command. For more information, see Enabling administration security.

You can control access to integration node resources through the web user interface and the REST application programming interface (API) by associating web users with roles. A role is a set of security permissions that control access to an integration node and its resources, and each web user account is associated with a particular role. The permissions are checked to determine a web user's authorization to perform tasks in the web user interface or the REST API. For more information about roles, see Role-based security, and for information about how to create and assign roles to web users, see Managing web user accounts.

The following aspects of administration security are supported by IBM® Integration Bus:
  • Authentication
  • Authorization

Authentication

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. IBM Integration Bus provides authentication support for the following administration interfaces:
  • IBM Integration Bus web user interface
  • IBM Integration Bus RESTful application programming interface (API)
  • IBM Integration Toolkit (when configured to make a remote connection to the integration node)
  • IBM Integration Bus commands. Some commands allow you to provide security credentials when you are connecting to a remote host, by providing an ID and password as a URI, on the -i URI parameter.
For these administration interfaces, authentication is performed by one of the following entities:
Integration node
To use the integration node to authenticate a user, you create a web user account with a local password. The user ID and password are then checked against the credentials that are held in the integration node.
LDAP server
To use an external LDAP server to authenticate a user, you must configure your integration node to use the LDAP server for authentication and then create a web user account with no local password, and with a user name that matches an entry in the LDAP server. The user ID and password are then checked against the credentials that are held in the LDAP server.

For commands that are run locally, and for a locally connected Toolkit, the system user ID that is running the command or the Toolkit is passed to the integration node, where it is used as a pre-authenticated system user or role name.

For more information about the authentication support that is provided by IBM Integration Bus, see Authenticating users for administration.

Authorization

Authorization is the process of controlling users' access to resources, by verifying that they have the required permissions to carry out the requested actions against the specified resources.

When administration security is enabled, you can control users' access to the integration node and its resources, by setting permissions that allow user IDs associated with specified roles to perform actions on specified resources. The integration node checks the authorizations when it receives a request to view or change its properties or resources. If the user ID associated with the request is not authorized, the integration node refuses the request. Permissions are checked for all actions performed by users of the following interfaces:

  • IBM Integration Bus web user interface sessions
  • IBM Integration Toolkit sessions
  • Java™ programs that use the REST API to perform operations on the integration node
  • Java programs that use the IBM Integration API to perform operations on the integration node
  • All the following commands:
    • mqsichangeresourcestats
    • mqsicreateexecutiongroup
    • mqsideleteexecutiongroup
    • mqsideploy
    • mqsilist
    • mqsimode
    • mqsireloadsecurity
    • mqsireportresourcestats
    • mqsistartmsgflow
    • mqsistopmsgflow
    • mqsiwebuseradmin

For the additional authorization that these commands require, see Commands and authorizations for administration security.

Commands that are not listed here can be run only on the computer on which the integration node is running. When you run any unlisted command, the user ID that runs it must be a member of the security group mqbrkrs, or it must be the same user ID that is running the integration node.

Users of the web user interface and the IBM Integration Toolkit who do not have read, write, and execute permissions for the integration node or integration servers, have only restricted access to those resources. An icon is displayed against each resource to indicate that user authority is restricted. The actions that the user can request against a resource are determined by the restricted authority that is in place for that user.

When a user connects to the web user interface or the IBM Integration Toolkit, the displayed resources and their available actions are determined by the current permissions assigned to the user's role. When LDAP authorization is enabled, a user can be mapped to a single role or multiple roles. If the permissions are changed during the session, the displayed resources and actions are not updated. However, the permissions are checked each time the user requests an action or attempts to expand the properties of a resource in the interface. As a result, if a permission has been removed since the session began, the user is still able to request the action, but the request fails as a result of being unauthorized. When the user reconnects and starts a new session, the icon representing the action is no longer displayed. When additional permissions are granted, the user must log out and start a new session so that the additional action icons are displayed in the interface.

For a custom integration application that connects to a BrokerProxy object, the set of objects that can be obtained is determined at connection time. The connection should be reestablished after a change in permissions, but each action is still authorized against the current permissions, so the application must be able to handle the return codes that result from unauthorized requests.

Three modes of authorization are provided in IBM Integration Bus, and you use the mqsichangeauthmode command to enable administration security for the integration node and to specify the required authorization mode:
File-based authorization (file mode)
File-based authorization (file mode) is selected by default if there is no queue manager specified on the integration node.

If an integration node is configured to use file-based authorization, you can grant permissions to a role by using the -r role parameter of the mqsichangefileauth command. For more information, see Role-based security and Setting file-based or LDAP-based permissions.

If no permission is found for the role name, a check is conducted to see if the name matches a system user ID, and if that system user is a member of the mqbrkrs group, full permissions are given.
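The following script is an added example, not IBM Integration Bus code, that models two behaviours described above: the file-mode permission lookup with its fallback to full permissions for a system user in mqbrkrs, and the web user interface and Toolkit session behaviour in which the displayed actions are a snapshot taken at connect time while each request is authorized against the current permissions. The permission table, the role and integration server names, and the mqbrkrs membership set are constructed stand-ins for what mqsichangefileauth and the operating system would hold; the reading that "no permission found for the role name" means no entry for that role on any resource is an assumption.

```python
"""Model of the file-mode administration-security authorization check.

Added example, not IBM Integration Bus code. The permission table, role
names, server names and the mqbrkrs membership are constructed stand-ins.
"""
from dataclasses import dataclass

NODE = "INODE"                      # resource name used here for the integration node itself
READ, WRITE, EXECUTE = "read", "write", "execute"
ALL = frozenset({READ, WRITE, EXECUTE})

# Constructed file-mode permission table, keyed by (role, resource), where the
# resource is the node name or an integration server name. Each entry stands
# for the result of a "mqsichangefileauth INODE -r role [-e server] -p ..." call.
FILE_AUTH = {
    ("ibmrole", NODE): {READ},
    ("ibmrole", "EG1"): {READ, WRITE, EXECUTE},
    ("readonly", NODE): {READ},
    ("readonly", "EG1"): {READ},
}

# Constructed operating-system group membership standing in for mqbrkrs.
MQBRKRS = frozenset({"mqbroker", "ibmuser"})


def permissions_for(role, resource, file_auth=FILE_AUTH, mqbrkrs=MQBRKRS):
    """Permissions a role holds on a resource under file-mode authorization.

    Fallback from the text: if no permission is recorded for the role name,
    the name is treated as a system user ID and, if that user is a member of
    mqbrkrs, full permissions are granted. Assumption: "no permission found"
    means no entry for the role on any resource, not only on this one.
    """
    if not any(r == role for r, _ in file_auth):
        return ALL if role in mqbrkrs else frozenset()
    return frozenset(file_auth.get((role, resource), ()))


def is_authorized(role, resource, action, file_auth=FILE_AUTH, mqbrkrs=MQBRKRS):
    """The per-request check: evaluated against the current table every time."""
    return action in permissions_for(role, resource, file_auth, mqbrkrs)


@dataclass
class Session:
    """A web UI or Toolkit session: the displayed actions are a snapshot taken
    at connect time and are not refreshed when permissions change."""
    role: str
    visible: dict   # resource -> actions whose icons are shown in the interface


def connect(role, resources, file_auth=FILE_AUTH, mqbrkrs=MQBRKRS):
    return Session(role, {r: permissions_for(role, r, file_auth, mqbrkrs) for r in resources})


def request(session, resource, action, file_auth=FILE_AUTH, mqbrkrs=MQBRKRS):
    """Outcome of a user requesting an action from an existing session."""
    if action not in session.visible.get(resource, ()):
        return "not displayed"          # icon absent: the user cannot request it
    if not is_authorized(session.role, resource, action, file_auth, mqbrkrs):
        return "unauthorized"           # icon still shown, but the live check refuses it
    return "ok"


def revoked_mid_session():
    """Walk through the stale-session behaviour described in the text.

    Returns (result before the revoke, result after the revoke in the same
    session, result after reconnecting).
    """
    table = {k: set(v) for k, v in FILE_AUTH.items()}      # private mutable copy
    session = connect("ibmrole", [NODE, "EG1"], table)
    before = request(session, "EG1", WRITE, table)          # "ok"
    table[("ibmrole", "EG1")] = {READ}                       # write permission removed
    during = request(session, "EG1", WRITE, table)          # "unauthorized": icon still displayed
    fresh = connect("ibmrole", [NODE, "EG1"], table)
    after = request(fresh, "EG1", WRITE, table)             # "not displayed" in the new session
    return before, during, after


if __name__ == "__main__":
    print(sorted(permissions_for("ibmrole", "EG1")))   # ['execute', 'read', 'write']
    print(sorted(permissions_for("ibmuser", NODE)))    # full permissions via the mqbrkrs fallback
    print(sorted(permissions_for("nobody", NODE)))     # []
    print(revoked_mid_session())                        # ('ok', 'unauthorized', 'not displayed')
```

Using a mutable copy of the table inside revoked_mid_session keeps the module-level FILE_AUTH untouched, so the walkthrough can be rerun; in a real node the equivalent change is made by mqsichangefileauth and picked up by the next request, not by the open session.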

Queue-based authorization (mq mode)
Queue-based authorization (mq mode) is selected by default if WebSphere® MQ Server is installed and a queue manager is specified on the integration node.
If the queue-based mode of administration security is set for the integration node, you specify permissions on authorization queues, which are defined on the queue manager that is specified on the integration node:
  • SYSTEM.BROKER.AUTH. This queue represents the integration node and its properties. Only one queue exists of this name for each integration node. This queue is defined as a local queue.
  • One SYSTEM.BROKER.AUTH.EG for each integration server that you define on the integration node, where EG is the name of the integration server. These queues are defined as alias queues.

Read, write, and execute authorities are granted automatically to the user group mqbrkrs on the SYSTEM.BROKER.AUTH queue.

When you create an integration server on an integration node for which you have enabled security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue.

If the integration node is configured to use queue-based authorization, you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser form a role called ibmuser. For information about setting permissions for queue-based authorization, see Role-based security and Setting queue-based permissions.

LDAP authorization mode
LDAP authorization can be configured for integration nodes and their managed integration servers. If an integration node or integration server is configured to use LDAP authorization, you can grant permissions to a role by setting permissions in the -r role property of the mqsichangefileauth command. For more information, see Configuring authorization by using LDAP groups.

For more information about the authorization support provided by IBM Integration Bus, see Authorizing users for administration.

For information about authorization on z/OS®, see Authorization on z/OS.

See the following topics for more information about security permissions: