Authentication information properties

You can set attributes for all types of authentication information objects. Some of the attributes do not apply to all types of authentication information objects, and some attributes are specific to z/OS® authentication information objects.

The following tables list the attributes that you can set.

For each attribute, there is a brief description of when you might need to configure it. The tables also give the equivalent MQSC parameter for the ALTER AUTHINFO and DISPLAY AUTHINFO commands. For more information about MQSC commands, see Script (MQSC) Commands in the IBM® MQ online product documentation.

General page

The following table lists the attributes that you can set on the General page of the Authentication Information properties dialog.

Attribute (MQSC parameter)
    Meaning
Authinfo name (AUTHINFO)
    Read-only. You cannot change the name of an authentication information object after it has been created.
Authinfo type (AUTHTYPE)
    Read-only. You cannot change the type of an authentication information object after it has been created.
Description (DESCR)
    Type a meaningful description of the purpose of the authentication information object. See Entering strings in MQ Explorer.
QSG disposition (QSGDISP)
    Read-only. The queue-sharing group disposition of the authentication information object. You cannot change the disposition of an authentication information object after it has been created. Queue manager means that the object definition is available only to the queue manager that hosts it; Group means that the object definition is stored on the shared repository and each queue manager in the queue-sharing group has a copy of the definition; Copy means that the object definition is the queue manager's copy of a definition in the shared repository.

LDAP page

The following table lists the attributes that you can set on the LDAP page of the CRL LDAP or IDPW LDAP Authentication Information properties dialog. The LDAP page displays the name and authentication information for the LDAP server.

Attribute (MQSC parameter)
    Meaning
LDAP Server Name (CONNAME)
    Type the host name, IPv4 dotted decimal address, or IPv6 hexadecimal notation of the host on which the LDAP server is running, with an optional port number. If you specify the connection name as an IPv6 address, only systems that are running IBM WebSphere® MQ 6.0 with an IPv6 stack are able to resolve this address. If the authentication information object is part of the queue manager's CRL namelist, ensure that any clients that are using the client channel table that is generated by the queue manager are capable of resolving the connection name. On z/OS, to use a connection name that resolves to an IPv6 network address, the level of z/OS must support IPv6 for connecting to an LDAP server.
User ID (LDAPUSER)
    Type the Distinguished Name of the user who is accessing the LDAP server, with the following limitations:
      • On IBM i, UNIX, and Windows, the maximum length is 1024 characters.
      • On z/OS, the maximum length is 256 characters.
      • If you use asterisks (*) in the user name, they are treated as literal characters, and not as wild cards, because the LDAP user ID is a specific name and not a string used for matching.
Password (LDAPPWD)
    Type the password that is associated with the Distinguished Name of the user who is accessing the LDAP server. The maximum length is 32 characters.

OCSP page

The following table lists the attributes that you can set on the OCSP page of the OCSP Authentication Information properties dialog.

Attribute (MQSC parameter)
    Meaning
OCSP responder URL (OCSPURL)
    The URL at which the OCSP responder can be contacted. This attribute takes priority over a URL in an AuthorityInfoAccess (AIA) certificate extension.
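As an added example that is not part of the IBM documentation, the following MQSC defines one CRL LDAP object and one OCSP object using the LDAP page and OCSP page attributes above (CONNAME, LDAPUSER, LDAPPWD, OCSPURL), and then goes one step beyond the tables by placing both objects in the namelist named by the queue manager's SSLCRLNL attribute, which is what makes certificate revocation checking use them. The host name, distinguished name, URL and password are constructed placeholders.

```mqsc
* Added example: a CRL LDAP authentication information object.
* CONNAME = LDAP Server Name, LDAPUSER = User ID, LDAPPWD = Password.
* Host, DN and password are placeholders; LDAPPWD is limited to 32 characters.
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       DESCR('CRL lookup on the corporate directory') +
       CONNAME('ldap.example.com(389)') +
       LDAPUSER('cn=crlreader,ou=service,o=example') +
       LDAPPWD('replace-me-placeholder')

* An OCSP authentication information object. The OCSPURL given here takes
* priority over any URL carried in a certificate's AuthorityInfoAccess extension.
DEFINE AUTHINFO(OCSP1) AUTHTYPE(OCSP) +
       DESCR('OCSP responder for the internal CA') +
       OCSPURL('http://ocsp.example.com/status')

* Beyond the tables: CRL LDAP and OCSP objects are only consulted once they are
* listed in the namelist that the queue manager's SSLCRLNL attribute points to,
* and the change is picked up by an SSL security refresh.
DEFINE NAMELIST(CRL.NL) NAMES(CRL.LDAP1,OCSP1)
ALTER QMGR SSLCRLNL(CRL.NL)
REFRESH SECURITY TYPE(SSL)

* Confirm what was stored (the password is not displayed).
DISPLAY AUTHINFO(CRL.LDAP1) ALL
DISPLAY AUTHINFO(OCSP1) ALL
```

Feed the commands to runmqsc for the queue manager in question. Note the caveat from the LDAP Server Name row: because these objects are part of the queue manager's CRL namelist, every client that uses the generated client channel table must be able to resolve ldap.example.com itself.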

LDAP User Repository page

The following table lists the attributes that you can set on the LDAP User Repository page of the IDPW LDAP Authentication Information properties dialog.

Attribute (MQSC parameter)
    Meaning
Equivalent short user (SHORTUSR)
    A field in the LDAP user record to be used as a short user name for this connection.
User ID base DN (BASEDNU)
    The base DN used to locate user records in an LDAP server.
Use secure communication (SECCOMM)
    Whether the connection to the LDAP server will be made using SSL/TLS.
User Object Class (CLASSUSR)
    The LDAP object class used for user records in the LDAP repository.
Qualifying user field (USRFIELD)
    A qualification to allow user IDs provided by applications to be identified as a field in the LDAP user record.

LDAP Authorization page [V8.0.0.2 Feb 2015]

The following table lists the attributes that you can set on the LDAP Authorization page of the IDPW LDAP Authentication Information properties dialog.

Attribute (MQSC parameter)
    Meaning
Authorization method (AUTHORMD)
    Whether authorization is done using user IDs and groups from the operating system or from LDAP. The possible values are:
      • Operating System. Authorization is done using user IDs and groups from the operating system.
      • Search group. Authorization is done using user IDs and groups from LDAP. The group entry in the LDAP repository contains an attribute listing all the users who belong to the group.
      • Search user. Authorization is done using user IDs and groups from LDAP. The user entry in the LDAP repository contains an attribute listing all the groups to which the user belongs.
Allow nested groups (NESTGRP)
    Whether nested groups are allowed. The possible values are:
      • No. Nested groups are not allowed.
      • Yes. Nested groups are allowed. The group list is searched recursively to enumerate all groups a user belongs to.
Group base DN (BASEDNG)
    The base DN used to locate group records in an LDAP server.
Group object class (CLASSGRP)
    The LDAP object class used for group records in the LDAP repository.
Qualifying group field (GRPFIELD)
    A qualification to allow a group to be identified as a field in the LDAP group record.
Group membership field (FINDGRP)
    Name of the attribute used within an LDAP user or group record to determine group membership.

User ID + Password page

The following table lists the attributes that you can set on the User ID + Password page of the IDPW OS or IDPW LDAP Authentication Information properties dialog.

Attribute (MQSC parameter)
    Meaning
Check locally bound connections (CHCKLOCL)
    Whether connections made by using local bindings must supply a user ID and password for validation. The possible values are:
      • None. No user ID and password are required.
      • Optional. No user ID and password are required, but if provided, they are checked.
      • Required for administrators. User ID and password are required for privileged users.
      • Required for all. User ID and password are required for all users.
    Setting CHCKLOCL to Required for administrators or Required for all results in the inability to locally administer the queue manager by way of the runmqsc commands unless you specify the -u UserID parameter on the runmqsc command line. If you do not specify this parameter, you see error message AMQ8135: Not authorized. Similarly, when you run MQ Explorer on your local system, you might see error AMQ4036: Access not permitted when you are attempting to connect to a queue manager.
    To specify a user name and password, right-click the local queue manager object, and select Connection Details > Properties from the menu. In the UserID section, enter the user name and password, and then click OK.
Check client connections (CHCKCLNT)
    Whether connections made using client connections must supply a user ID and password for validation. The possible values are:
      • None. No user ID and password are required.
      • Optional. No user ID and password are required, but if provided, they are checked.
      • Required for administrators. User ID and password are required for privileged users.
      • Required for all. User ID and password are required for all users.
Adopt the authenticated user (ADOPTCTX)
    Whether to adopt the user ID that was provided with a password as the context for this connection. The possible values are:
      • Yes. The validated user ID is adopted as the context for this connection. If the user ID presented is an LDAP user ID, and authorization checks are done using operating system user IDs, the SHORTUSR associated with the user entry in LDAP is adopted as the credentials against which authorization checks are done.
      • No. The validated user ID is not adopted as the context for this connection.
Authentication failure delay (FAILDLAY)
    Specifies how long to delay before returning the failure return code to the application, for example, if no response is received by an MQCONNX request. This is the length of time in seconds, which can be 0 to 60. A value of zero means that no delay is added.
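As an added example that is not the product documentation's own, the following MQSC defines one IDPW LDAP object that exercises every row of the LDAP, LDAP User Repository, LDAP Authorization and User ID + Password pages above, shows the equivalent ALTER AUTHINFO for the default IDPW OS object, and then, beyond what the tables say, shows the two commands that make the chosen object the queue manager's connection authentication object. The host name, distinguished names, attribute names, bind password and directory schema (inetOrgPerson users carrying uid, groupOfNames groups carrying member) are all constructed assumptions.

```mqsc
* Added example (not product code): IDPW LDAP object covering the LDAP,
* LDAP User Repository, LDAP Authorization and User ID + Password pages.
*   LDAP page ............ CONNAME, LDAPUSER, LDAPPWD
*   User Repository page . SHORTUSR, BASEDNU, SECCOMM, CLASSUSR, USRFIELD
*   Authorization page ... AUTHORMD, NESTGRP, BASEDNG, CLASSGRP, GRPFIELD, FINDGRP
*   User ID + Password ... CHCKLOCL, CHCKCLNT, ADOPTCTX, FAILDLAY
* Host name, DNs, bind password and schema are placeholders/assumptions.
* SECCOMM(YES) means TLS to the directory, so CONNAME names the LDAPS port.
* USRFIELD('uid') lets an application present "alice" rather than a full DN;
* AUTHORMD(SEARCHGRP) with FINDGRP('member') reads membership from group entries.
DEFINE AUTHINFO(IDPW.LDAP1) AUTHTYPE(IDPWLDAP) +
       DESCR('Authenticate and authorize users against LDAP') +
       CONNAME('ldap.example.com(636)') +
       LDAPUSER('cn=mqbind,ou=service,o=example') +
       LDAPPWD('replace-me-placeholder') +
       SECCOMM(YES) +
       SHORTUSR('uid') +
       BASEDNU('ou=users,o=example') +
       CLASSUSR('inetOrgPerson') +
       USRFIELD('uid') +
       AUTHORMD(SEARCHGRP) +
       NESTGRP(NO) +
       BASEDNG('ou=groups,o=example') +
       CLASSGRP('groupOfNames') +
       GRPFIELD('cn') +
       FINDGRP('member') +
       CHCKLOCL(OPTIONAL) +
       CHCKCLNT(REQUIRED) +
       ADOPTCTX(YES) +
       FAILDLAY(5)

* Alternative for operating-system credentials: tighten the default IDPW OS
* object instead. ALTER AUTHINFO always requires AUTHTYPE to be given.
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) +
      CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) FAILDLAY(5)

* Beyond the tables: the queue manager uses exactly one of these objects, the
* one named by its CONNAUTH attribute, and the change takes effect only after
* a CONNAUTH security refresh.
ALTER QMGR CONNAUTH(IDPW.LDAP1)
REFRESH SECURITY TYPE(CONNAUTH)

* Confirm the stored definition (LDAPPWD is never displayed).
DISPLAY AUTHINFO(IDPW.LDAP1) ALL
DISPLAY QMGR CONNAUTH
```

CHCKLOCL is left at OPTIONAL here deliberately: client connections are forced to authenticate (CHCKCLNT(REQUIRED)) while locally bound administration tools keep working. If you raise CHCKLOCL to REQDADM or REQUIRED, the caveat in the table applies and runmqsc must be started with the -u UserID parameter, otherwise it fails with AMQ8135. ADOPTCTX(YES) is what makes the authorization checks run against the validated user rather than the process's operating-system identity.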

Statistics page

The following table lists the attributes that you can set on the Statistics page of the Authentication Information properties dialog. The Statistics page displays information about the history of the authentication information object. You cannot edit the values of any of these attributes.

Attribute (MQSC parameter)
    Meaning
Alteration date (ALTDATE)
    Read-only. This is the date on which the authentication information object attributes were last altered.
Alteration time (ALTTIME)
    Read-only. This is the time at which the authentication information object attributes were last altered.