forked from cloud-native-toolkit/mq-infra
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Hemankita Perabathini <phemankita@gmail.com>
- Loading branch information
1 parent
2bdf2fb
commit bbc63bc
Showing
4 changed files
with
53 additions
and
39 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
DEFINE QLOCAL(IBM.DEMO.Q) BOQNAME(IBM.DEMO.Q.BOQ) BOTHRESH(3) REPLACE | ||
DEFINE QLOCAL(IBM.DEMO.Q.BOQ) REPLACE | ||
* Use a different dead letter queue, for undeliverable messages | ||
DEFINE QLOCAL('DEV.DEAD.LETTER.QUEUE') REPLACE | ||
ALTER QMGR DEADQ('DEV.DEAD.LETTER.QUEUE') | ||
* NOACCESS for connection from any IP for inbound connection | ||
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Back-stop rule - Blocks everyone') ACTION(REPLACE) | ||
DEFINE CHANNEL(QMLDAP_SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) | ||
* Allow access on LDAP channel | ||
SET CHLAUTH(QMLDAP_SVRCONN) TYPE(BLOCKUSER) ACTION(REPLACE) USERLIST('nobody') | ||
* Remove default admin rule | ||
* SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN) ACTION(REMOVE) | ||
* Define LDAP config | ||
DEFINE AUTHINFO(USE.LDAP) + | ||
AUTHTYPE(IDPWLDAP) + | ||
CONNAME('openldap.openldap(389)') + | ||
LDAPUSER('cn=admin,dc=ibm,dc=com') LDAPPWD('admin') + | ||
SECCOMM(NO) + | ||
USRFIELD('uid') + | ||
SHORTUSR('uid') + | ||
BASEDNU('ou=people,dc=ibm,dc=com') + | ||
AUTHORMD(SEARCHGRP) + | ||
BASEDNG('ou=groups,dc=ibm,dc=com') + | ||
GRPFIELD('cn') + | ||
CLASSGRP('groupOfUniqueNames') + | ||
FINDGRP('uniqueMember') + | ||
CHCKCLNT(REQUIRED) + | ||
REPLACE | ||
ALTER QMGR CONNAUTH(USE.LDAP) | ||
REFRESH SECURITY | ||
*** mTLS *** | ||
* DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(REQUIRED) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE | ||
*** TLS *** | ||
DEFINE CHANNEL('IBM.APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') SSLCAUTH(OPTIONAL) SSLCIPH('ECDHE_RSA_AES_256_CBC_SHA384') TRPTYPE(TCP) REPLACE | ||
* allowing access to this channel for the user "mqapp" | ||
SET CHLAUTH(IBM.APP.SVRCONN) TYPE(USERMAP) CLNTUSER('mqapp') USERSRC(MAP) MCAUSER('mqapp') ACTION(ADD) | ||
* allow "mqapp" user to connect to queue manager | ||
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp') AUTHADD(CONNECT,INQ,SETALL) | ||
* allow "mqapp" user to interact with the queue | ||
SET AUTHREC PROFILE(IBM.DEMO.Q) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ) | ||
SET AUTHREC PROFILE(IBM.DEMO.Q.BOQ) PRINCIPAL('mqapp') OBJTYPE(QUEUE) AUTHADD(PUT, GET, PASSALL, BROWSE, INQ) | ||
REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHINFO) | ||
REFRESH QMGR TYPE(CONFIGEV) OBJECT(AUTHREC) | ||
REFRESH SECURITY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -80,6 +80,7 @@ template: | |
|
||
configmap: | ||
path: config | ||
pathWithSecurity: security | ||
|
||
cert: | ||
secretName: mq-server-cert | ||
|