Inquire Channel Authentication Records

The Inquire Channel Authentication Records (MQCMD_INQUIRE_CHLAUTH_RECS) command retrieves the allowed partner details and mappings to MCAUSER for a channel or set of channels.

HP Integrity NonStop Server | IBM® i | UNIX and Linux® | Windows | z/OS®
                            | X      | X               | X       | 2CR

Required parameters

generic-channel-name (MQCFST)
The name of the channel or set of channels on which you are inquiring (parameter identifier: MQCACH_CHANNEL_NAME).
You can use the asterisk (*) as a wildcard to specify a set of channels, unless you set Match to MQMATCH_RUNCHECK. If you set Type to BLOCKADDR, you must set the generic channel name to a single asterisk, which matches all channel names.

Optional parameters

Address (MQCFST)
The IP address to be mapped (parameter identifier: MQCACH_CONNECTION_NAME).

This parameter is valid only when Match is MQMATCH_RUNCHECK and must not be generic.

ByteStringFilterCommand (MQCFBF)
Byte string filter command descriptor. Use this parameter to restrict the output from the command by specifying a filter condition. See MQCFBF - PCF byte string filter parameter for information about using this filter condition.

If you specify a byte string filter, you cannot also specify an integer filter using the IntegerFilterCommand parameter, or a string filter using the StringFilterCommand parameter.

ChannelAuthAttrs (MQCFIL)
Authority record attributes (parameter identifier: MQIACF_CHLAUTH_ATTRS).
You can specify the following value in the attribute list on its own. This is the default value if the parameter is not specified.
MQIACF_ALL
All attributes.
If MQIACF_ALL is not specified, specify a combination of the following values:
MQCA_ALTERATION_DATE
Alteration Date.
MQCA_ALTERATION_TIME
Alteration Time.
MQCA_CHLAUTH_DESC
Description.
MQCA_CUSTOM
Custom.
MQCACH_CONNECTION_NAME
IP address filter.
MQCACH_MCA_USER_ID
MCA User ID mapped on the record.
MQIACH_USER_SOURCE
The source of the user ID for this record.
MQIACH_WARNING
Warning mode.
CheckClient (MQCFIN)
The user ID and password requirements for the client connection to be successful. The following values are valid:
MQCHK_REQUIRED_ADMIN
A valid user ID and password are required for the connection to be allowed if you are using a privileged user ID.

Any connections using a non-privileged user ID are not required to provide a user ID and password.

The user ID and password are checked against the user repository details provided in an authentication information object, and supplied on ALTER QMGR in the CONNAUTH field.

If no user repository details are provided, so that user ID and password checking are not enabled on the queue manager, the connection is not successful.

A privileged user is one that has full administrative authorities for IBM MQ. See Privileged users for more information.

This option is not valid on z/OS platforms.

MQCHK_REQUIRED
A valid user ID and password are required for the connection to be allowed.

The user ID and password are checked against the user repository details provided in an authentication information object and supplied on ALTER QMGR in the CONNAUTH field.

If no user repository details are provided, so that user ID and password checking are not enabled on the queue manager, the connection is not successful.

MQCHK_AS_Q_MGR
In order for the connection to be allowed, it must meet the connection authentication requirements defined on the queue manager.

If the CONNAUTH field provides an authentication information object, and the value of CHCKCLNT is REQUIRED, the connection fails unless a valid user ID and password are supplied.

If the CONNAUTH field does not provide an authentication information object, or the value of CHCKCLNT is not REQUIRED, the user ID and password are not required.

Attention: If you select MQCHK_REQUIRED or MQCHK_REQUIRED_ADMIN (on platforms other than z/OS), and you have not set the Connauth field on the queue manager, or the value of CheckClient is None, the connection fails. You receive message AMQ9793 on platforms other than z/OS, and message CSQX793E on z/OS.

ClntUser (MQCFST)
The client asserted user ID to be mapped to a new user ID, allowed through unchanged, or blocked (parameter identifier: MQCACH_CLIENT_USER_ID).

This can be the user ID flowed from the client indicating the user ID the client side process is running under, or the user ID presented by the client on an MQCONNX call using MQCSP.

This parameter is valid only with TYPE(USERMAP) and when Match is MQMATCH_RUNCHECK.

CommandScope (MQCFST)
Command scope (parameter identifier: MQCACF_COMMAND_SCOPE). This parameter applies to z/OS only.
Specifies how the command is executed when the queue manager is a member of a queue-sharing group. You can specify one of the following values:
  • blank (or omit the parameter altogether). The command is executed on the queue manager on which it was entered.
  • a queue manager name. The command is executed on the queue manager you specify, providing it is active within the queue sharing group. If you specify a queue manager name other than the queue manager on which the command was entered, you must be using a queue-sharing group environment, and the command server must be enabled.
  • an asterisk (*). The command is executed on the local queue manager and is also passed to every active queue manager in the queue-sharing group.
IntegerFilterCommand (MQCFIF)
Integer filter command descriptor. Use this parameter to restrict the output from the command by specifying a filter condition. See MQCFIF - PCF integer filter parameter for information about using this filter condition.

If you specify an integer filter, you cannot also specify a byte string filter using the ByteStringFilterCommand parameter or a string filter using the StringFilterCommand parameter.

Match (MQCFIN)
Indicates the type of matching to be applied (parameter identifier: MQIACH_MATCH). You can specify any one of the following values:
MQMATCH_RUNCHECK
A specific match is made against the supplied channel name and optionally supplied Address, SSLPeer, QMName, and ClntUser attributes to find the channel authentication record that will be matched by the channel at runtime if it connects into this queue manager. If the record discovered has Warn set to MQWARN_YES, a second record might also be displayed to show the actual record the channel will use at runtime. The channel name supplied in this case cannot be generic. This option must be combined with Type MQCAUT_ALL.
MQMATCH_EXACT
Return only those records which exactly match the channel profile name supplied. If there are no asterisks in the channel profile name, this option returns the same output as MQMATCH_GENERIC.
MQMATCH_GENERIC
Any asterisks in the channel profile name are treated as wild cards. If there are no asterisks in the channel profile name, this returns the same output as MQMATCH_EXACT. For example, a profile of ABC* could result in records for ABC, ABC*, and ABCD being returned.
MQMATCH_ALL
Return all possible records that match the channel profile name supplied. If the channel name is generic in this case, all records that match the channel name are returned even if more specific matches exist. For example, a profile of SYSTEM.*.SVRCONN could result in records for SYSTEM.*, SYSTEM.DEF.*, SYSTEM.DEF.SVRCONN, and SYSTEM.ADMIN.SVRCONN being returned.
QMName (MQCFST)
The name of the remote partner queue manager to be matched (parameter identifier: MQCA_REMOTE_Q_MGR_NAME).

This parameter is valid only when Match is MQMATCH_RUNCHECK. The value cannot be generic.

SSLCertIssuer (MQCFST)
This parameter is additional to the SSLPeer parameter.

SSLCertIssuer restricts matches to being within certificates issued by a particular Certificate Authority.

SSLPeer (MQCFST)

The Distinguished Name of the certificate to be matched (parameter identifier: MQCACH_SSL_PEER_NAME).

This parameter is valid only when Match is MQMATCH_RUNCHECK.

The SSLPeer value is specified in the standard form used to specify a Distinguished Name and cannot be a generic value.

The maximum length of the parameter is MQ_SSL_PEER_NAME_LENGTH.

StringFilterCommand (MQCFSF)
String filter command descriptor. Use this parameter to restrict the output from the command by specifying a filter condition. See MQCFSF - PCF string filter parameter for information about using this filter condition.

If you specify a string filter, you cannot also specify a byte string filter using the ByteStringFilterCommand parameter or an integer filter using the IntegerFilterCommand parameter.

Type (MQCFIN)
The type of channel authentication record for which to set allowed partner details or mappings to MCAUSER (parameter identifier: MQIACF_CHLAUTH_TYPE). The following values are valid:
MQCAUT_BLOCKUSER
This channel authentication record prevents a specified user or users from connecting.
MQCAUT_BLOCKADDR
This channel authentication record prevents connections from a specified IP address or addresses.
MQCAUT_SSLPEERMAP
This channel authentication record maps SSL Distinguished Names (DNs) to MCAUSER values.
MQCAUT_ADDRESSMAP
This channel authentication record maps IP addresses to MCAUSER values.
MQCAUT_USERMAP
This channel authentication record maps asserted user IDs to MCAUSER values.
MQCAUT_QMGRMAP
This channel authentication record maps remote queue manager names to MCAUSER values.
MQCAUT_ALL
Inquire on all types of record. This is the default value.
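
An added example, not part of the original page and not IBM code: a small Python model of how the MQMATCH_EXACT, MQMATCH_GENERIC and MQMATCH_ALL values of Match described above select stored profile names, inferred from the page's own ABC* and SYSTEM.*.SVRCONN examples. The helper names, the overlap rule used for MQMATCH_ALL and the sample records are assumptions; MQMATCH_RUNCHECK is not modelled.

```python
from functools import lru_cache

def glob_match(pattern, name):
    """True if `name`, taken as a literal string, fits `pattern` ('*' = wildcard)."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(pattern):
            return j == len(name)
        if pattern[i] == "*":  # match nothing, or consume one more character
            return go(i + 1, j) or (j < len(name) and go(i, j + 1))
        return j < len(name) and pattern[i] == name[j] and go(i + 1, j + 1)
    return go(0, 0)

def globs_overlap(a, b):
    """True if some channel name would be covered by both profiles."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":  # a's '*' is empty or absorbs b[j]
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":  # symmetric case for b's '*'
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        return i < len(a) and j < len(b) and a[i] == b[j] and go(i + 1, j + 1)
    return go(0, 0)

def inquire(records, profile, match):
    """Model of which stored profile names an inquiry on `profile` returns."""
    if match == "MQMATCH_EXACT":
        return [r for r in records if r == profile]
    if match == "MQMATCH_GENERIC":
        return [r for r in records if glob_match(profile, r)]
    if match == "MQMATCH_ALL":
        return [r for r in records if globs_overlap(profile, r)]
    raise ValueError("MQMATCH_RUNCHECK is resolved by the queue manager; not modelled")

# Constructed sample of stored channel authentication record profiles.
RECORDS = ["*", "ABC", "ABC*", "ABCD", "SYSTEM.*", "SYSTEM.DEF.*",
           "SYSTEM.DEF.SVRCONN", "SYSTEM.ADMIN.SVRCONN", "APP.SVRCONN"]

if __name__ == "__main__":
    for mode in ("MQMATCH_EXACT", "MQMATCH_GENERIC", "MQMATCH_ALL"):
        print(mode, inquire(RECORDS, "SYSTEM.*.SVRCONN", mode))
```

In this model, an inquiry on SYSTEM.*.SVRCONN with MQMATCH_GENERIC lists only the two specific SVRCONN records, while MQMATCH_ALL also lists the broader profiles (*, SYSTEM.*, SYSTEM.DEF.*) that cover the same channels, which is the view an access review needs.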