User authentication and authorization for IBM MQ in containers

IBM® MQ in containers can be configured to authenticate users through LDAP, Mutual TLS, or a custom MQ plugin.

Note that the IBM MQ Operator does not allow the use of operating system users and groups within the container image. For more information, see Security constraints on the use of operating system users in containers.

LDAP

For information about configuring IBM MQ to use an LDAP user repository, see Connection authentication: User repositories and LDAP authorization.

Mutual TLS

If you configure incoming connections to a queue manager to require a TLS certificate (mutual TLS), you can map the distinguished name of the certificate to a user name. You need to do two things:
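Added example, not taken from the IBM documentation: one way to express in MQSC the mapping of a certificate distinguished name to a user name described above. The channel name, distinguished name, user name and queue name are constructed, and it assumes the queue manager accepts user names that are not operating system users (`SecurityPolicy=UserExternal` in the `Service` stanza of qm.ini).

```mqsc
* Constructed example values: APP.SVRCONN, ordersapp, ORDERS.IN and the DN below.
* Assumption: qm.ini Service stanza sets SecurityPolicy=UserExternal, so that
* 'ordersapp' does not have to exist as an operating system user.

* Require a client certificate on the channel (mutual TLS).
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCAUTH(REQUIRED) SSLCIPH('ANY_TLS12_OR_HIGHER') REPLACE

* Default deny: any connection on this channel that matches no more
* specific rule gets no access.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* Map the certificate DN to a user name. An SSLPEERMAP rule takes precedence
* over the ADDRESSMAP rule above for a certificate that matches SSLPEER.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=orders-app,OU=Payments,O=Example') +
    USERSRC(MAP) MCAUSER('ordersapp') ACTION(REPLACE)

* Least-privilege authority records for the mapped user name only.
SET AUTHREC PRINCIPAL('ordersapp') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('ORDERS.IN') PRINCIPAL('ordersapp') OBJTYPE(QUEUE) +
    AUTHADD(PUT,GET,INQ,BROWSE)

* Check the resulting rules.
DISPLAY CHLAUTH('APP.SVRCONN') ALL
DISPLAY AUTHREC PRINCIPAL('ordersapp')
```

Match on as much of the distinguished name as the issuing CA controls; a pattern on the common name alone accepts any certificate from a trusted CA that carries that common name.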

JSON Web Tokens

For information about configuring IBM MQ to use JSON Web Tokens (JWT), see Working with authentication tokens.

Custom MQ plugin

This is an advanced technique and requires considerably more work. For more information, see Using a custom authorization service.