Like may questions the answer is it depends.
You can set up your mqweb environment
- Certificates are required – you cannot use userid and passwords
- If a valid certificate is found use that, else prompt for userid and password
- Do not use certificates – just use userid and passwords.
This is described in the Liberty documentation.
It says for the <ssl…> tag
- If you specify
clientAuthentication="true", the server requests that a client sends a certificate. However, if the client does not have a certificate, or the certificate is not trusted by the server, the handshake does not succeed.
- If you specify
clientAuthenticationSupported="true", the server requests that a client sends a certificate. However, if the client does not have a certificate, or the certificate is not trusted by the server, the handshake might still succeed.
- If you do not specify either
clientAuthenticationSupported, or you specify
clientAuthenticationSupported="false", the server does not request that a client send a certificate during the handshake.
No matter how you logon, the web server creates a LTPA* cookie with encrypted information about the logon. The mqwebuser.xml attribute ltpaExpiration says how long this cookie is valid for. If the time is exceeded you have to logon again, and it generates a new cookie.
If you are using certificates, the server sends down a list of valid self signed certificates or CA certificates, and the browser compares this list with the certificates in its store. If the certificate in the browser’s store is acceptable, it is added to a list
The list is displayed, and the end user selects a certificate. For subsequent requests with the same http://url:port combination, in the same or a different tab within the browser window, the same certificate is used, and the browser does not prompt.
If the ltpa cookie expires then the same certificate is used, invisibly to the end user. A new cookie is generate and sent down.
If there are no valid certificates in the list, then depending clientAuthentication, it may prompt for a userid and password.
You cannot logoff from the page as there is no option to do so.
Userid and password.
When userid and password are passed up in a header (not in the URL as some web servers accept) the ltpa token is returned. When the ltpa token expires, the user is prompted to re-logon. They need to enter the userid and password again. You can also logoff from the web page.
What are the implications of certificates and userid with password
- The web browser can logon, and although the ltpa token expires, it is automatically logged on again. This is useful for a “big screen monitor” in the operations room, where you want the display active all day.
- Someone can create a file with some HTML in it to browse a queue (if authorised). So if they are authorised to the queue for their normal job, they could easily create a web page to display the queue contents. This could be the end user, or an evil person saying “click this link”.
- If the user is using the mqconsole web pages, then periodically they will get logged off – and they will have to logon again.
- If they try to access a queue from an HTML page, they will be asked for userid and password. Depending on what the end user is doing, this may give them notification than there is some unusual activity. If they are hacking they will enter the userid and password anyway.
- The person may have access to the same information without using the mqweb console interface, so there is no change to the threat level.
What do I recommend?
- I think long running monitors need to use certificates
- End users should logon with userid and password, with an expiry period of about an hour or less.
- You may want to have a Certificate Authority just for the mqweb browsers, to stop your corporate certificates from being used to access the mqweb server.
Because it is easy to create an html page and browse a queue, I would allow administration over mqrest, and not allow processing messages over REST.
As I said in another posting
- The admin API authorisation is managed through <security-role name=”MQWebAdmin”> and <security-role name=”MQWebAdminRO”> sections in the mqwebuser.xml file.
- The messaging API authorisation is managed through <security-role name=”MQWebUser”> sections.
To stop messaging over the rest interface, have no entries in the <security-role name=”MQWebUser”> section. This applies to both certificates, and userid and password.
Personally I would have called<security-role name=”MQWebUser”> as <security-role name=”MQWebMessaging”> to make the roles clearer.
Update from Gwydion…
- Operations performed by users in the MQWebAdmin* roles take place under the context of the mqweb server user ID.
- Operation performed by users in the MQWebUser role take place under the context of the user logged into the REST API.