To create a security profile that ensures that each message has
an authenticated ID and is authorized for the flow, enter the mqsicreateconfigurableservice command
on the command line. For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP
    -n authentication,authenticationConfig,authorization,authorizationConfig
    -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,
    \"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\""
As shown in the example above, you must enclose each LDAP URL (which contains commas)
in escaped double quotes (\") so that the commas in the URL are not confused with the
comma that separates the values of the -v parameter of mqsicreateconfigurableservice.
If the LDAP URL includes an element name with a space, in this case cn=All Sales,
the set of values after the -v flag must be surrounded in double quotes ("), so that
the command interpreter views it as a single parameter, rather than treating the
space as a parameter separator.
For more information about the structure of the command, refer to mqsicreateconfigurableservice command.
You define the security-specific parts of the command in the following way:
- Set the authentication to LDAP. This ensures that
the incoming identity will be validated.
- Set the authorization to LDAP. This ensures that
the incoming identity will be checked for group membership in LDAP.
- Set the authenticationConfig using the following syntax:
    ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]
  For example:
    ldap://ldap.acme.com:389/ou=sales,o=acme.com
    ldaps://localhost:636/ou=sales,o=acme?cn?base
  - ldap: Required. Fixed protocol string.
  - s: Optional. Specifies whether SSL is used. The default is not to use SSL.
  - server: Required. The name or IP address of the LDAP server to contact.
  - port: Optional. The port to connect to. The default is 389 (non-SSL). For LDAP servers
    with SSL enabled, the port is typically 636.
  - baseDN: Required. String defining the base distinguished name of all users in
    the directory.
  - uid_attr: Optional. String defining the attribute to which the incoming username
    is mapped, typically uid, CN, or email address. The default is uid.
  - base|sub: Optional. Defines whether to perform a base or subtree search. If base is
    specified, authentication is faster because the DN of the user can be constructed
    from uid_attr + username + baseDN. If sub is specified, a search must be performed
    before the DN can be resolved. The default is sub.
- Set the authorizationConfig using the following syntax:
    ldap[s]://server[:port]/groupDN[?[member_attr][?[base|sub][?[x-userBaseDN=baseDN,x-uid_attr=uid_attr]]]]
  For example:
    ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
  - ldap: Required. Fixed protocol string.
  - s: Optional. Specifies whether SSL is used. The default is not to use SSL.
  - server: Required. The name or IP address of the LDAP server to contact.
  - port: Optional. The port to connect to. The default is 389 (non-SSL). For LDAP servers
    with SSL enabled, the port is typically 636.
  - groupDN: Required. Fully defined distinguished name of the group in which users
    must be members to be granted access.
  - member_attr: Optional. The attribute of the group used to filter the search. The default
    is to look for both member and uniquemember attributes.
  The following options are required only if authentication has not preceded the
  authorization and the authentication configuration string has not been specified.
  If the authentication configuration string has been specified, the following parameters
  are ignored and the baseDN, uid_attr, and [base|sub] provided for authentication are
  used instead:
  - base|sub: Optional. Defines whether to perform a base or subtree search. If base is
    specified, authentication is faster because the DN of the user can be constructed
    from uid_attr + username + baseDN. If sub is specified, a search must be performed
    before the DN can be resolved. The default is sub.
  - baseDN: Optional. String defining the base distinguished name of all users in
    the directory. Must be preceded by the string x-userBaseDN. Any commas in the
    baseDN must be rendered as %2c.
  - x-uid_attr: Optional. String defining the attribute to which the incoming username
    is mapped, typically uid, CN, or email address. The default is uid. Must be preceded
    by the string x-uid_attr.
When you submit the command from a batch (.bat) file or command (.cmd) file, and the
LDAP URL includes an extension with LDAP URL percent-hex-hex escaped characters (for
example, a comma replaced by %2c, or a space replaced by %20), these percent signs
must be escaped from the batch interpreter with an extra percent sign (%%).
For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN -n
    authentication,authenticationConfig,authorization,authorizationConfig -v
    "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\",LDAP,
    \"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,
    o=acme.com?report?base?x-userBaseDN=ou=sales%%2co=acme.com,x-uid_attr=emailaddress\""
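The following Python script is an added example, not code from the IBM documentation or the product. It parses the authenticationConfig and authorizationConfig URL syntax described above (including the %2c-encoded x-userBaseDN extension), applies the rule that the authorization x-userBaseDN, x-uid_attr and scope are ignored when an authenticationConfig is present, builds the user DN for a base-scope lookup with RFC 4514 escaping of the username (an added check, not something the page states the product does), and assembles the quoted -v argument, doubling percent signs when the command is destined for a .bat or .cmd file. The function names, the 389 default port for both schemes, and the sample values (taken from the page's acme.com examples) are assumptions of this example.

```python
"""Added example: parse SecurityProfiles LDAP configuration strings and build the
escaped -v argument of mqsicreateconfigurableservice. Not IBM's code."""
from urllib.parse import unquote


def parse_ldap_config(url):
    """Parse ldap[s]://server[:port]/DN[?attr[?base|sub[?x-key=value,...]]]."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("protocol must be ldap or ldaps: %r" % url)
    ssl = scheme == "ldaps"
    hostport, sep, path = rest.partition("/")
    if not sep or not hostport:
        raise ValueError("server and DN are both required: %r" % url)
    host, _, port = hostport.partition(":")
    port = int(port) if port else 389  # page: default 389; SSL servers usually listen on 636
    parts = path.split("?")
    dn = parts[0]
    if not dn:
        raise ValueError("DN is required: %r" % url)
    attr = parts[1] if len(parts) > 1 and parts[1] else None
    scope = parts[2] if len(parts) > 2 and parts[2] else "sub"
    if scope not in ("base", "sub"):
        raise ValueError("scope must be base or sub: %r" % scope)
    extensions = {}
    if len(parts) > 3 and parts[3]:
        # Extensions are comma separated, which is why commas inside x-userBaseDN
        # must arrive as %2c; they are decoded only after the split.
        for item in parts[3].split(","):
            key, _, value = item.partition("=")  # first '=' only: DN values contain '='
            extensions[key] = unquote(value)
    return {"ssl": ssl, "host": host, "port": port, "dn": dn,
            "attr": attr, "scope": scope, "extensions": extensions}


def effective_user_lookup(auth_cfg, authz_cfg):
    """Return (baseDN, uid_attr, scope) used to resolve the caller's DN. When an
    authenticationConfig is given, the x-userBaseDN, x-uid_attr and scope of the
    authorizationConfig are ignored, as the page states."""
    if auth_cfg:
        a = parse_ldap_config(auth_cfg)
        return a["dn"], a["attr"] or "uid", a["scope"]
    z = parse_ldap_config(authz_cfg)
    ext = z["extensions"]
    if "x-userBaseDN" not in ext:
        raise ValueError("x-userBaseDN is required when no authenticationConfig is given")
    return ext["x-userBaseDN"], ext.get("x-uid_attr", "uid"), z["scope"]


def escape_dn_value(value):
    """Escape RFC 4514 special characters so a username cannot add RDNs to a DN
    that is constructed rather than searched (added check, assumed)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(username, base_dn, uid_attr, scope):
    """Scope base: DN is uid_attr=username,baseDN with no search.
    Scope sub: a subtree search is needed first, so None is returned."""
    if scope == "base":
        return "%s=%s,%s" % (uid_attr, escape_dn_value(username), base_dn)
    return None


def build_v_argument(values, for_batch_file=False):
    """Wrap comma-containing values in \\"...\\" and the whole list in double quotes;
    inside a .bat/.cmd file every % must additionally be doubled to %%."""
    items = []
    for v in values:
        if for_batch_file:
            v = v.replace("%", "%%")
        if "," in v:
            v = '\\"%s\\"' % v
        items.append(v)
    return '"%s"' % ",".join(items)


def build_command(broker, profile, names, values, for_batch_file=False):
    """Assemble the command; -n and -v must carry the same number of entries."""
    if len(names) != len(values):
        raise ValueError("%d names but %d values" % (len(names), len(values)))
    return "mqsicreateconfigurableservice %s -c SecurityProfiles -o %s -n %s -v %s" % (
        broker, profile, ",".join(names), build_v_argument(values, for_batch_file))


if __name__ == "__main__":
    # Constructed sample values based on the page's acme.com examples.
    names = ["authentication", "authenticationConfig", "authorization", "authorizationConfig"]
    values = ["LDAP", "ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub", "LDAP",
              "ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com"
              "?uniquemember?base?x-userBaseDN=ou=sales%2co=acme.com,x-uid_attr=emailaddress"]
    print(build_command("WBRK_BROKER", "LDAP", names, values, for_batch_file=True))
    print(effective_user_lookup(values[1], values[3]))
    print(user_dn("jsmith", *effective_user_lookup(None, values[3])))
```

Running the script prints the batch-file form of the command with %%2c, then shows that the user lookup comes from the authenticationConfig when one is set and from the x-userBaseDN/x-uid_attr extensions when it is not.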
The selected group must be defined on the LDAP server, and all of the required
users must be members of the group.