The following sections describe the user IDs used and checked for the following:
You can use the PUTAUT parameter of the receiving channel definition to determine the type of security checking used. To get consistent security checking throughout your WebSphere MQ network, you can use the ONLYMCA and ALTMCA options.
You can use the DISPLAY CHSTATUS command to determine the user identifier used by the MCA. See WebSphere MQ Script (MQSC) Command Reference.
If the PUTAUT parameter is set to ONLYMCA or ALTMCA for the channel, the channel user ID is ignored and the MCA user ID of the receiver or requester is used. This also applies to TCP/IP channels using SSL.
PUTAUT option specified on receiver or requester channel | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
---|---|---|---|
DEF, 1 check | - | CHL | CHL |
DEF, 2 checks | - | CHL + MCA | CHL + MCA |
CTX, 1 check | CHL | CHL | CHL |
CTX, 2 checks | CHL + MCA | CHL + MCA | CHL + ALT |
ONLYMCA, 1 check | - | MCA | MCA |
ONLYMCA, 2 checks | - | MCA | MCA |
ALTMCA, 1 check | MCA | MCA | MCA |
ALTMCA, 2 checks | MCA | MCA | MCA + ALT |
Key:
|
If the PUTAUT parameter is set to DEF or CTX on the requester channel, the channel user ID is that of the channel initiator address space of the requester because no user ID is received from the network.
If the PUTAUT parameter is set to ONLYMCA or ALTMCA, the channel user ID is ignored and the MCA user ID of the requester is used.
If the user ID received is blank, or no user ID is received, a channel user ID of blanks is used.
PUTAUT option specified on receiver or requester channel | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
---|---|---|---|
DEF, 1 check | - | CHL | CHL |
DEF, 2 checks | - | CHL + MCA | CHL + MCA |
CTX, 1 check | CHL | CHL | CHL |
CTX, 2 checks | CHL + MCA | CHL + MCA | CHL + ALT |
ONLYMCA, 1 check | - | MCA | MCA |
ONLYMCA, 2 checks | - | MCA | MCA |
ALTMCA, 1 check | MCA | MCA | MCA |
ALTMCA, 2 checks | MCA | MCA | MCA + ALT |
Key:
|
This section describes the user IDs checked for client MQI requests issued over server-connection channels for TCP/IP and LU 6.2. The MCA user ID and channel user ID are as for the TCP/IP and LU 6.2 channels described in the previous sections.
For server-connection channels, the user ID received from the client is used if the MCAUSER attribute is blank. However, for the clients that can use the MQ_USER_ID environment variable to supply the user ID, it is possible that no environment variable has been set. In this case, the user ID that started the server channel is used. This is the user ID assigned to the channel initiator started task by the z/OS started procedures table.
See the WebSphere MQ Clients manual for more information.
For client MQOPEN and MQPUT1 requests, use the following rules to determine the profile that is checked:
When you have determined which profiles are checked, use the following table to determine which user IDs are checked against these profiles.
PUTAUT option specified on server-connection channel | Alternate user ID specified on open? | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
---|---|---|---|---|
DEF, 1 check | No | - | CHL | CHL |
DEF, 1 check | Yes | CHL | CHL | CHL |
DEF, 2 checks | No | - | CHL + MCA | CHL + MCA |
DEF, 2 checks | Yes | CHL + MCA | CHL + MCA | CHL + ALT |
ONLYMCA, 1 check | No | - | MCA | MCA |
ONLYMCA, 1 check | Yes | MCA | MCA | MCA |
ONLYMCA, 2 checks | No | - | MCA | MCA |
ONLYMCA, 2 checks | Yes | MCA | MCA | MCA + ALT |
Key:
|
A user performs an MQPUT1 operation to a queue on queue manager QM01 that resolves to a queue called QB on queue manager QM02. The message is sent on a TCP/IP channel called QM01.TO.QM02. RESLEVEL is set to NONE, and the open is performed with alternate user ID and context checking. The receiver channel definition has PUTAUT(CTX) and the MCA user ID is set. Which user IDs are used on the receiving channel to put the message to queue QB?
Answer: Table 53 shows that two user IDs are checked because RESLEVEL is set to NONE.
Table 59 shows that, with PUTAUT set to CTX and 2 checks, the following user IDs are checked:
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
csq83bo |