Required security for the Web Gateway

You must complete several security configuration steps before you can use the Web Gateway: configuring user roles for the Web Gateway, setting file space permissions, and, if you are using WebSphere® Application Server Version 7.0, setting the correct level of security in the application server.

WebSphere MQ File Transfer Edition has two stages of authorization: user roles and file space permissions. To upload a file or to query transfer information, the user must have the appropriate user role assigned to them. To access a file space, the user must have both the appropriate user role assigned to them and the appropriate level of permission for the file space that they are trying to access.

Application server security

If you are deploying the Web Gateway in WebSphere Application Server Version 7.0, use the Global security panel to enable the correct level of security. Select Enable administrative security and Enable application security. Ensure that Use Java 2 security to restrict application access to local resources is not selected.

User roles for Web Gateway

Web Gateway users must have one or more roles assigned before they can use the Web Gateway. When you deploy the Web Gateway to an application server, these roles can be mapped to users and groups that exist in that application server.

WebSphere MQ File Transfer Edition defines the following roles:
  • wmqfte-agent-upload
  • wmqfte-filespace-user
  • wmqfte-filespace-create
  • wmqfte-filespace-modify
  • wmqfte-filespace-permissions
  • wmqfte-filespace-delete
  • wmqfte-audit
  • wmqfte-admin
For more information about these roles, see User roles for the Web Gateway.
For example, if your application server defines the groups 'Employees', 'Managers' and 'Administrators', the roles could be assigned to the groups as shown:

Employees
  • wmqfte-agent-upload
  • wmqfte-filespace-user
Managers
  • wmqfte-filespace-create
  • wmqfte-filespace-modify
  • wmqfte-filespace-permissions
Administrators
  • wmqfte-admin

In this example, only users in the Administrators group can delete file spaces.

File space permissions

A Web Gateway user can access a file space if they are the owner of the file space, or if they have been given explicit permission to access the file space. When you create a file space you can specify lists of authorized or unauthorized user names, or Java™ regular expressions to match user names. Users that are in the authorized list can download from and upload to the file space. Users that are in the unauthorized list cannot access the file space, even if they are also in the authorized list, or match a regular expression in the authorized list. For more information, see Example: Creating a file space.
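
The precedence described above (owner, then unauthorized list, then authorized list) can be modelled as follows. This is an added example, not WebSphere MQ File Transfer Edition code: the class and method names are hypothetical and the sample users are constructed. It assumes every list entry is a Java regular expression that must match the whole user name, and that the owner check is applied first.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration: a model of the file space access rule described above.
// Not product code; FileSpaceAccessModel and its methods are hypothetical names.
public class FileSpaceAccessModel {

    // Assumption: each entry is a Java regular expression that must match the
    // whole user name. A plain user name without metacharacters matches only itself.
    static boolean matchesAny(List<String> entries, String user) {
        for (String entry : entries) {
            if (Pattern.matches(entry, user)) {
                return true;
            }
        }
        return false;
    }

    // Assumption: the owner check comes first. The page does not say how an
    // owner who also appears in the unauthorized list is treated.
    static boolean canAccess(String user, String owner,
                             List<String> authorized, List<String> unauthorized) {
        if (user.equals(owner)) {
            return true;
        }
        if (matchesAny(unauthorized, user)) {
            return false; // an unauthorized entry overrides any authorized entry
        }
        return matchesAny(authorized, user);
    }

    public static void main(String[] args) {
        // Constructed sample data: one explicit name and one broad pattern are
        // authorized; one name covered by that pattern is explicitly unauthorized.
        String owner = "alice";
        List<String> authorized = Arrays.asList("bob", "fte.*");
        List<String> unauthorized = Arrays.asList("ftetemp");

        for (String user : Arrays.asList("alice", "bob", "fteuser1", "ftetemp", "carol")) {
            boolean allowed = canAccess(user, owner, authorized, unauthorized);
            System.out.printf("%-9s -> %s%n", user, allowed ? "access" : "no access");
        }
    }
}
```

In this model a broad authorized pattern such as `fte.*` admits every matching user name, so the unauthorized list is the place to carve out exceptions; an entry meant as a literal name that contains regex metacharacters can be escaped with `Pattern.quote`.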



Last updated: Tuesday, 30 January 2018
http://www.ibm.com/support/knowledgecenter/SSEP7X_7.0.4/com.ibm.wmqfte.doc/web_security_req.htm