IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux


Configuring authorization for an integration node by modifying the node.conf.yaml file

You can configure integration nodes (and the integration servers that they manage) to use either file-based authorization or queue-based authorization, by setting the security properties in the node.conf.yaml configuration file.

Before you begin

About this task

You control access to an integration node by setting file-based or queue-based permissions. You can set file-based permissions by setting properties in the node.conf.yaml configuration file for the integration node, or you can set queue-based permissions by using IBM® MQ authorization queues on the queue manager that is specified on the integration node.

When you enable administration security for an integration node, the default mode of authorization depends on whether a queue manager is specified on the integration node. If a queue manager has been specified, administration security for the integration node is based on WebSphere MQ queues by default (mq mode), and the required queues used for setting authorization are created automatically when the integration node is created. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default (file mode).

For information about controlling access to an independent integration server, see Configuring authorization for an integration server by modifying the server.conf.yaml file.

You configure authorization for an integration node (and its managed integration servers) by setting permissions in the Security section of the integration node's node.conf.yaml file:
  # Admin Security
  #  Authentication
  #basicAuth: true                    # Clients web user name and password will be authenticated when set true
  #  Authorization
  #adminSecurity: inactive            # Clients web user role will be authorized when set active
  #authMode: file                     # Set admin authorization mode. Choose 1 of : file or mq

Security:
  Node:
    Permissions:
      # Set Admin Security Authorization file permissions for the integration node by role using 'read+:write+:execute+' , or 'all+'
      # '+' grants permission, '-' denies permission
      # e.g. define the following roles 'viewOnly' and 'admin'
      #viewOnly:  'read+:write-:execute-'
      #admin:     'all+'
  Server:
    # Set Admin Security Authorization file permissions for each named integration server
    # e.g. define the following roles 'viewRole' and 'adminRole' for integration server 'server01'
    #server01:
      #Permissions:
        #viewRole:  'read+:write-:execute-'
        #adminRole: 'all+'

If you set permissions for the integration node, the settings are inherited by each of its managed integration servers that have not had specific permissions set. Any permissions that are set for named integration servers will override those that are set on the integration node.

Procedure

Configure the authorization mode for an integration node by completing the following steps:

  1. Stop the integration node by using the web user interface or by running the mqsistop command.
  2. Open the node.conf.yaml configuration file for your integration node, by using a YAML editor.

    If you do not have access to a YAML editor, you can edit the file by using a plain text editor; however, you must ensure that you do not include any tab characters, because they are not valid in YAML and would cause your configuration to fail. If you are using a plain text editor, ensure that you use a YAML validation tool to validate the content of your file.

  3. If administration security has not already been enabled, enable it now by setting the adminSecurity property in the node.conf.yaml file to active:
    adminSecurity: active
  4. Specify the authorization mode that you require, by setting the authMode property to either file or mq. For example, to configure the integration node to use file-based authorization, set the following value:
    authMode: file
  5. Assign permissions to the defined roles, by specifying a combination of read, write, and execute, or all, with + to grant permission, and - to deny permission; for example:
    viewRole:  'read+:write-:execute-'
    adminRole: 'all+'
    where the viewRole has only read permission, and the adminRole has permission for all actions.
  6. Save the modified node.conf.yaml file.
  7. Start the integration node for the changes to take effect, by using the web user interface or the mqsistart command.
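
The following is an added example, not IBM code and not part of the original topic. It models the permission strings from step 5 and the inheritance rule described above, so that you can list which roles hold write or execute rights on each managed integration server before you restart the node. The function names and the sample data are constructed for illustration; the handling of unmentioned actions and of server-level overrides are assumptions, marked in the comments.

```python
# Added example (not IBM code): models the permission strings and the
# node-to-server inheritance rule described on this page.
import re

ACTIONS = ("read", "write", "execute")
TOKEN = re.compile(r"^(read|write|execute|all)([+-])$")

def parse_permissions(spec):
    """'read+:write-:execute-' or 'all+' -> {action: bool}.
    Assumption: an action that is not mentioned is treated as denied."""
    perms = dict.fromkeys(ACTIONS, False)
    for token in spec.split(":"):
        m = TOKEN.match(token.strip())
        if not m:
            raise ValueError(f"invalid permission token {token!r} in {spec!r}")
        targets = ACTIONS if m.group(1) == "all" else (m.group(1),)
        for action in targets:
            perms[action] = m.group(2) == "+"
    return perms

def effective_roles(security, server):
    """Roles in force for a managed server: its own Permissions if any are set,
    otherwise the node's. Assumption: a server block replaces the node block
    as a whole; the page does not say whether roles are merged."""
    own = ((security.get("Server") or {}).get(server) or {}).get("Permissions")
    roles = own or (security.get("Node") or {}).get("Permissions") or {}
    return {role: parse_permissions(spec) for role, spec in roles.items()}

def privileged_roles(security, server):
    """Roles that can change or run things on the server (write or execute)."""
    return sorted(role for role, p in effective_roles(security, server).items()
                  if p["write"] or p["execute"])

def tab_lines(text):
    """Line numbers that contain a tab character (see the warning in step 2)."""
    return [n for n, line in enumerate(text.splitlines(), 1) if "\t" in line]

# Constructed sample: the Security section after YAML parsing.
SECURITY = {
    "Node": {"Permissions": {"viewOnly": "read+:write-:execute-", "admin": "all+"}},
    "Server": {"server01": {"Permissions": {"viewRole": "read+:write-:execute-",
                                            "adminRole": "all+"}}},
}

if __name__ == "__main__":
    for srv in ("server01", "server02"):   # server02 has no block, so it inherits
        print(srv, privileged_roles(SECURITY, srv))
    print(tab_lines("Security:\n\tNode:\n"))
```
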

What to do next

For information about specifying the authorization mode for an integration node by using the mqsichangeauthmode command (instead of modifying the node.conf.yaml file), see Configuring authorization by using the mqsichangeauthmode command. You can then set permissions as described in Setting file-based permissions or Setting queue-based permissions on Linux and Windows systems.


bn28624_.htm | Last updated 2018-11-02 14:46:30