We are trying to integrate the web console with Active Directory but encountering issues. I checked the path /var/mqm/web/installations/Installation1/servers/mqweb/ but there is no change in configuration.
We have created the ConfigMap below and referenced it in the IBM MQ Helm chart.
We defined this in the values.yaml as in the example.
```xml
<server>
<!--
This sample grants the following role mappings:
1) MQWebAdmin role access to the 'MQWebAdminGroup' LDAP group. When a user is
a member of this group, all MQ commands issued by the MQ Console and
REST API use the security context of the operating system user running
the application server.
2) MQWebAdminRO role access to the 'mqreader' LDAP user. The 'mqreader'
user uses the security context of the operating system user running
the application server for all read-only MQ commands, such as DISPLAY
CHANNEL, QUEUE, etc, issued by the MQ Console or REST API.
3) Grants MQWebUser role access to all authenticated users. This role
is used by authenticated users where no other role is applicable, for
example the 'mqreader' user attempting to define a new queue. All MQ
commands issued by the MQ Console and REST API use the security
context of the principal and so the user must be known to the queue
manager and authorized to issue the command.
4) MFTWebAdmin role access to the 'mftadmin' LDAP user. The 'mftadmin'
user uses the security context of the operating system user running
the application server for all Managed File Transfer commands,
such as list agent, list transfer etc, issued by the REST API.
5) MFTWebAdminRO role access to the 'mftreader' user. The 'mftreader'
user uses the security context of the operating system user running the
application server for all read-only Managed File Transfer commands,
such as list agent, list transfer etc, issued by the REST API.
In addition the sample enables HTTP Basic Authentication.
-->
<!--
Enable features
-->
<featureManager>
  <feature>appSecurity-2.0</feature>
  <feature>ldapRegistry-3.0</feature>
  <feature>basicAuthenticationMQ-1.0</feature>
</featureManager>
<!--
Roles for the MQ Console
-->
<enterpriseApplication id="com.ibm.mq.console">
  <application-bnd>
    <security-role name="MQWebAdmin">
      <group name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
    </security-role>
    <security-role name="MQWebUser">
      <group name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
    </security-role>
  </application-bnd>
</enterpriseApplication>
<!--
Roles for the MQ REST API
-->
<!--
<enterpriseApplication id="com.ibm.mq.rest">
<application-bnd>
<security-role name="MQWebAdmin">
<group
-->
<!--
Example LDAP Registry
-->
<ldapRegistry id="ldap"
  realm="MyOrganizationRealm"
  host="somehostname.company.com"
  port="636"
  ignoreCase="true"
  certificateMapMode="EXACT_DN"
  bindDN="CN=serviceaccount,OU=Acconts,OU=Common,DC=domain,DC=company,DC=com"
  bindPassword="XXXXXXXXXXXXXXXXXXXX"
  baseDN="OU=Common,DC=domain,DC=company,DC=com"
  ldapType="Microsoft Active Directory"
  sslEnabled="true"
  sslRef="thisSSLConfig">
  <!-- A literal '&' inside an attribute value must be written as &amp; or the file is not well-formed XML -->
  <activedFilters
    userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
    groupFilter="(&amp;(cn=%v)(objectcategory=group))"
    userIdMap="user:sAMAccountName"
    groupIdMap="*:cn"
    groupMemberIdMap="memberOf:member">
  </activedFilters>
</ldapRegistry>
<!--
Enable HTTPS on a specific port by uncommenting the line below and providing the required port number.
-->
<variable name="httpsPort" value="9443"/>
<!--
By default the server listens for HTTP/HTTPS requests on localhost only. To
listen on all available network interfaces uncomment the line below. To listen
on a specific IP address or hostname replace the * with an appropriate value.
-->
<variable name="httpHost" value="*"/>
<!--
Uncomment the following variable, and modify the list of hostAlias, to specify the
allowed hostname and port combinations that can access the application server.
-->
<!--
<virtualHost allowFromEndpointRef="defaultHttpEndpoint" id="default_host">
<hostAlias>localhost:9080</hostAlias>
</virtualHost>
-->
<!--
Default MQ SSL configuration allows TLS v1.2 ONLY, refer to
IBM Documentation on "IBM MQ Console and REST API security"
for details of how to configure security.
-->
<sslDefault sslRef="mqDefaultSSLConfig"/>
<!--
Enable client certificate authentication by uncommenting the
block below and creating and populating a trust.jks store.
Certificate DN mapping can be configured to match the DN
exactly or using a pattern filter (certificateMapMode).
Passwords for both defaultKeyStore and defaultTrustStore should
be changed and encoded using the securityUtility tool, refer
to the following developerWorks article for further information;
https://developer.ibm.com/wasdev/docs/configuring-ssl-liberty/
-->
<!--
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="password"/>
<keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="password"/>
<ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="defaultKeyStore" serverKeyAlias="default" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
<sslDefault sslRef="thisSSLConfig"/>
-->
<!--
Uncomment the following two variables, and adjust them, to change the default CORS settings.
-->
<!--
<variable name="mqRestCorsAllowedOrigins" value="https://localhost:9883"/>
<variable name="mqRestCorsMaxAgeInSeconds" value="120"/>
-->
<!-- Include TLS config from IBM container build scripts -->
<include location="tls.xml"/>
</server>
```
So my question is: is the file somewhere else, or is there some missing step to apply the changes?
What is the correct configuration needed to successfully integrate the web console with AD?
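Before putting an `mqwebuser.xml` like the one above into a ConfigMap, it is worth running a few static checks on it, because Liberty gives little feedback when a registry file is malformed or when an `sslRef` points at an `<ssl>` element that only exists in a commented-out block or in an include. The following is an added example and not code from the mq-container project or the IBM MQ Helm chart. It uses only the Python standard library; `SAMPLE_XML` is a constructed document that mirrors the shape of the configuration in this issue with placeholder DNs and hostnames, and the `{xor}`/`{aes}` prefixes are the encodings Liberty's `securityUtility encode` produces.

```python
"""Static checks for an MQ web console mqwebuser.xml (Liberty server config).

Added example, not part of the mq-container project.  It flags the conditions
that most often break or weaken an LDAP / Active Directory integration:
a file that does not parse, missing features, an unresolved sslRef, a clear
text bind password, missing AD filters, and role bindings whose realm no
registry defines.  SAMPLE_XML below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Features the MQ Console needs for LDAP login with HTTP basic authentication.
REQUIRED_FEATURES = {"appSecurity-2.0", "ldapRegistry-3.0", "basicAuthenticationMQ-1.0"}


def check_mqwebuser(xml_text: str) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' in an LDAP filter attribute is the usual cause; it must be written &amp;
        return [f"not well-formed XML, Liberty will not load it: {exc}"]

    findings = []
    if root.tag != "server":
        findings.append(f"root element is <{root.tag}>; Liberty expects <server>")

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        findings.append(f"feature {missing} is not enabled")

    ssl_ids = {e.get("id") for e in root.iter("ssl")}
    includes = [i.get("location") for i in root.iter("include")]
    registries = list(root.iter("ldapRegistry"))
    if not registries:
        findings.append("no <ldapRegistry> element")

    for reg in registries:
        rid = reg.get("id", "?")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"ldapRegistry {rid}: sslEnabled is not true; the bind password "
                            "and user passwords would cross the network in clear")
        ref = reg.get("sslRef")
        if ref and ref not in ssl_ids:
            # Commented-out <ssl> elements do not count: the parser never sees them.
            findings.append(f"ldapRegistry {rid}: sslRef={ref!r} is not defined in this file; "
                            f"it must come from an include ({includes or 'none'})")
        pw = reg.get("bindPassword", "")
        if pw and not pw.startswith(("{xor}", "{aes}")):
            findings.append(f"ldapRegistry {rid}: bindPassword is in clear text; "
                            "encode it with securityUtility encode")
        filters = reg.find("activedFilters")
        if filters is None:
            findings.append(f"ldapRegistry {rid}: no <activedFilters> element for Active Directory")
        elif "%v" not in (filters.get("userFilter") or ""):
            findings.append(f"ldapRegistry {rid}: userFilter has no %v placeholder for the login name")

    # Role mappings must name a realm that some registry exposes, otherwise the
    # group lookup silently matches nobody and every login lands in MQWebUser.
    realms = {reg.get("realm") for reg in registries}
    for grp in root.iter("group"):
        if grp.get("realm") and grp.get("realm") not in realms:
            findings.append(f"group {grp.get('name')!r} references realm {grp.get('realm')!r}, "
                            "which no ldapRegistry defines")
    for role in root.iter("security-role"):
        if len(role) == 0:
            findings.append(f"security-role {role.get('name')!r} maps to no group, user or special-subject")
    return findings


# Constructed sample in the shape of the issue's file: placeholder DNs, an sslRef
# that is only satisfied by an include, and a clear-text bind password.
SAMPLE_XML = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>basicAuthenticationMQ-1.0</feature>
  </featureManager>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="CN=mqadmins,OU=Groups,DC=example,DC=com" realm="MyOrganizationRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <ldapRegistry id="ldap" realm="MyOrganizationRealm" host="ldap.example.com" port="636"
                bindDN="CN=svc,OU=Accounts,DC=example,DC=com" bindPassword="plaintext-secret"
                baseDN="DC=example,DC=com" ldapType="Microsoft Active Directory"
                sslEnabled="true" sslRef="thisSSLConfig">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                    groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                    userIdMap="user:sAMAccountName" groupIdMap="*:cn"
                    groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>
  <sslDefault sslRef="mqDefaultSSLConfig"/>
  <include location="tls.xml"/>
</server>
"""

if __name__ == "__main__":
    for line in check_mqwebuser(SAMPLE_XML) or ["no findings"]:
        print(line)
```

On the sample this reports two findings: the `sslRef` cannot be resolved from the file itself (so everything rides on `tls.xml` defining an `<ssl id="thisSSLConfig">`), and the bind password is stored in clear. Note that `{xor}` is reversible obfuscation, not encryption, so the ConfigMap holding this file should be treated as sensitive regardless; `{aes}` needs the key supplied to the server separately.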
You mention that you are using a Helm chart. Are you using the sample Helm chart here? The formatting of the YAML in your example has gotten lost, but the documentation on supplying web configuration doesn't specify an items element. The indentation is also important here.
From a container perspective (rather than the Helm chart perspective), the files from /etc/mqm/web/ are copied over to /var/mqm/web when the container starts up. The Helm chart mounts the ConfigMap into that location. So the file should be showing up under /var/mqm/web/installations/Installation1/servers/mqweb/mqwebuser.xml — if it's not, then the problem is probably with the Helm chart mounting it correctly (you can also check in /etc/mqm/web).
values.yaml

```yaml
web:
  enabled: true
  manualConfig:
    configMap:
      name: mywebconfig
      items:
```

And added a configmap.

mywebconfig.yaml

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: mywebconfig
data:
  mqwebuser.xml: |-
    name="CN=somegroup,OU=Application,OU=Groups,OU=Common,DC=domain,DC=company,DC=com" realm="MyOrganizationRealm"/>
    -->
```