ALTER AUTHINFO

Use the MQSC command ALTER AUTHINFO to alter an authentication information object.

These objects contain the definitions required to perform certificate revocation checking using OCSP or Certificate Revocation Lists (CRLs) on LDAP servers.
UNIX and Linux®    Windows
X                  X

Parameters not specified in the ALTER AUTHINFO command result in the existing values for those parameters being left unchanged.

Synonym: ALT AUTHINFO

ALTER AUTHINFO

ALTER AUTHINFO(name)
    AUTHTYPE(CRLLDAP) | AUTHTYPE(OCSP)
    CONNAME(string)
    DESCR(string)
    LDAPPWD(string)
    LDAPUSER(string)
    OCSPURL(string)
    CMDSCOPE(' ') | CMDSCOPE(qmgr-name) (1) | CMDSCOPE(*) (2) (1)
    QSGDISP(QMGR) | QSGDISP(COPY) | QSGDISP(GROUP) (2) | QSGDISP(PRIVATE) (1)
Notes:
  • 1 Valid only on z/OS®.
  • 2 Valid only when the queue manager is a member of a queue-sharing group. You can use queue-sharing groups only on WebSphere® MQ for z/OS.

Parameter descriptions for ALTER AUTHINFO

name
Name of the authentication information object. This parameter is required.

The name must not be the same as any other authentication information object name currently defined on this queue manager (unless REPLACE or ALTER is specified). See Rules for naming IBM® WebSphere MQ objects.

AUTHTYPE
The type of authentication information.
CRLLDAP
Certificate Revocation List checking is done using LDAP servers.
OCSP
Certificate revocation checking is done using OCSP.

An authentication information object with AUTHTYPE(OCSP) is not used by IBM i or z/OS queue managers. However, it can be specified on those platforms so that it is copied to the client channel definition table (CCDT) for client use.

This parameter is required.

You cannot define an authentication information object as LIKE one with a different AUTHTYPE. You cannot alter the AUTHTYPE of an authentication information object after you have created it.

CMDSCOPE
This parameter applies to z/OS only and specifies how the command is executed when the queue manager is a member of a queue-sharing group.
CMDSCOPE must be blank, or the local queue manager, if QSGDISP is set to GROUP.
' '
The command is executed on the queue manager on which it was entered.
qmgr-name
The command is executed on the queue manager you specify, providing the queue manager is active within the queue-sharing group.

You can specify a queue manager name other than the queue manager on which it was entered, only if you are using a shared queue environment and if the command server is enabled.

*
The command is executed on the local queue manager and is also passed to every active queue manager in the queue-sharing group. The effect of * is the same as entering the command on every queue manager in the queue-sharing group.
CONNAME(string)
The host name, IPv4 dotted decimal address, or IPv6 hexadecimal notation of the host on which the LDAP server is running, with an optional port number.

CONNAME is required if AUTHTYPE(CRLLDAP) is specified. CONNAME is not valid if AUTHTYPE(CRLLDAP) is not specified.

If you specify the connection name as an IPv6 address, only systems with an IPv6 stack are able to resolve this address. If the AUTHINFO object is part of the CRL namelist of the queue manager, ensure that any clients using the client channel table generated by the queue manager can resolve the connection name.

On z/OS, if a CONNAME is to resolve to an IPv6 network address, a level of z/OS that supports IPv6 for connection to an LDAP server is required.

The syntax for CONNAME is the same as for channels. For example,
conname('hostname(nnn)')
where nnn is the port number.

The maximum length for the field is 264 characters on IBM i, UNIX systems, and Windows, and 48 characters on z/OS.

DESCR(string)
Plain-text comment. It provides descriptive information about the authentication information object when an operator issues the DISPLAY AUTHINFO command (see DISPLAY AUTHINFO).

It must contain only displayable characters. The maximum length is 64 characters. In a DBCS installation, it can contain DBCS characters (subject to a maximum length of 64 bytes).

Note: If characters are used that are not in the coded character set identifier (CCSID) for this queue manager, they might be translated incorrectly if the information is sent to another queue manager.
LDAPPWD(string)
The password associated with the Distinguished Name of the user who is accessing the LDAP server. Its maximum size is 32 characters.

This parameter is valid only for AUTHTYPE(CRLLDAP).

On z/OS, the LDAPPWD used for accessing the LDAP server might not be the one defined in the AUTHINFO object. If more than one AUTHINFO object is placed in the namelist referred to by the QMGR parameter SSLCRLNL, the LDAPPWD in the first AUTHINFO object is used for accessing all LDAP Servers.

LDAPUSER(string)
The Distinguished Name of the user who is accessing the LDAP server. (See the SSLPEER parameter for more information about distinguished names.)

This parameter is valid only for AUTHTYPE(CRLLDAP).

The maximum size for the user name is 1024 characters on IBM i, UNIX systems, and Windows, and 256 characters on z/OS.

On z/OS, the LDAPUSER used for accessing the LDAP Server might not be the one defined in the AUTHINFO object. If more than one AUTHINFO object is placed in the namelist referred to by the QMGR parameter SSLCRLNL, the LDAPUSER in the first AUTHINFO object is used for accessing all LDAP Servers.

On IBM i, UNIX systems, and Windows, the maximum accepted line length is defined to be BUFSIZ, which can be found in stdio.h.

OCSPURL
The URL of the OCSP responder used to check for certificate revocation. This value must be an HTTP URL containing the host name and port number of the OCSP responder. If the OCSP responder is using port 80, which is the default for HTTP, then the port number can be omitted. HTTP URLs are defined in RFC 1738.
This field is case sensitive. It must start with the string http:// in lowercase. The rest of the URL might be case sensitive, depending on the OCSP server implementation. To preserve case, use single quotation marks to specify the OCSPURL parameter value, for example:
OCSPURL('http://ocsp.example.ibm.com')

This parameter applies only to AUTHTYPE(OCSP), for which it is mandatory.

QSGDISP
This parameter applies to z/OS only.

Specifies the disposition of the object to which you are applying the command (that is, where it is defined and how it behaves).

Each QSGDISP value is listed below, followed by its effect on ALTER.

COPY
The object definition resides on the page set of the queue manager that executes the command. The object was defined using a command that had the parameters QSGDISP(COPY). Any object residing in the shared repository, or any object defined using a command that had the parameters QSGDISP(QMGR), is not affected by this command.
GROUP
The object definition resides in the shared repository. The object was defined using a command that had the parameters QSGDISP(GROUP). Any object residing on the page set of the queue manager that executes the command (except a local copy of the object) is not affected by this command. If the command is successful, the following command is generated and sent to all active queue managers in the queue-sharing group to attempt to refresh local copies on page set zero:

DEFINE AUTHINFO(name) REPLACE QSGDISP(COPY)

The ALTER for the group object takes effect regardless of whether the generated command with QSGDISP(COPY) fails.
PRIVATE
The object resides on the page set of the queue manager that executes the command, and was defined with QSGDISP(QMGR) or QSGDISP(COPY). Any object residing in the shared repository is unaffected.
QMGR
The object definition resides on the page set of the queue manager that executes the command. The object was defined using a command that had the parameters QSGDISP(QMGR). Any object residing in the shared repository, or any local copy of such an object, is not affected by this command.
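
The AUTHTYPE, CONNAME, DESCR, LDAPPWD, LDAPUSER and OCSPURL rules described above can be checked before a script is passed to the queue manager. The following Python check is an added example, not part of the IBM documentation or product. The function name, the platform labels "distributed" (IBM i, UNIX systems, and Windows) and "zos", and the sample object and host names are assumptions made for illustration.

```python
import re

# Rules and limits below are taken from the parameter descriptions on this page.
MAX_LEN = {
    "DESCR": {"distributed": 64, "zos": 64},
    "LDAPPWD": {"distributed": 32, "zos": 32},
    "LDAPUSER": {"distributed": 1024, "zos": 256},
    "CONNAME": {"distributed": 264, "zos": 48},
}
CRLLDAP_ONLY = ("CONNAME", "LDAPPWD", "LDAPUSER")
# KEYWORD('quoted value') or KEYWORD(bare value); a quoted value may contain parentheses.
PARAM_RE = re.compile(r"(\w+)\(\s*(?:'([^']*)'|([^()']*?))\s*\)")

def lint_alter_authinfo(command, platform="distributed"):
    """Return a list of rule violations found in one ALTER AUTHINFO command."""
    params = {}
    for m in PARAM_RE.finditer(command):
        quoted = m.group(2) is not None
        params[m.group(1).upper()] = (m.group(2) if quoted else m.group(3), quoted)
    problems = []
    authtype = params.get("AUTHTYPE", ("", False))[0].upper()
    if authtype not in ("CRLLDAP", "OCSP"):
        problems.append("AUTHTYPE(CRLLDAP) or AUTHTYPE(OCSP) is required")
    for key in CRLLDAP_ONLY:
        if key in params and authtype != "CRLLDAP":
            problems.append(f"{key} is valid only for AUTHTYPE(CRLLDAP)")
    for key, limits in MAX_LEN.items():
        if key in params and len(params[key][0]) > limits[platform]:
            problems.append(f"{key} exceeds {limits[platform]} characters")
    if "OCSPURL" in params:
        url, quoted = params["OCSPURL"]
        if authtype != "OCSP":
            problems.append("OCSPURL is applicable only for AUTHTYPE(OCSP)")
        if not quoted:
            problems.append("OCSPURL must be in single quotation marks to preserve case")
        if not url.startswith("http://"):
            problems.append("OCSPURL must start with http:// in lowercase")
    return problems

# Constructed sample commands (object names and hosts are made up for illustration).
SAMPLES = [
    "ALTER AUTHINFO(OCSP.EXAMPLE) AUTHTYPE(OCSP) OCSPURL('http://ocsp.example.ibm.com')",
    "ALTER AUTHINFO(OCSP.EXAMPLE) AUTHTYPE(OCSP) OCSPURL(HTTP://ocsp.example.ibm.com)",
    "ALT AUTHINFO(CRL.EXAMPLE) AUTHTYPE(OCSP) CONNAME('ldap.example.com(389)')",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(lint_alter_authinfo(cmd) or "OK", "<-", cmd)
```

The check does not flag a CRLLDAP command that omits CONNAME, because parameters left out of ALTER AUTHINFO keep their existing values.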