DISPLAY AUTHINFO

Use the MQSC command DISPLAY AUTHINFO to display the attributes of an authentication information object.


Use MQSC commands

For information on how we use MQSC commands, see Performing local administration tasks using MQSC commands.

We can issue this command from sources 2CR. For an explanation of the source symbols, see Sources from which we can issue MQSC commands on z/OS .

Synonym: DIS AUTHINFO


DISPLAY AUTHINFO

DISPLAY AUTHINFO ( generic-authentication-information-object-name ) WHERE(FilterCondition) ALL AUTHTYPE(ALL)AUTHTYPE(CRLLDAP)AUTHTYPE(IDPWLDAP)1AUTHTYPE(IDPWOS)AUTHTYPE(OCSP)CMDSCOPE(' ')CMDSCOPE(qmgr-name)2CMDSCOPE(*)23QSGDISP(LIVE)QSGDISP(ALL)QSGDISP(QMGR)QSGDISP(COPY)QSGDISP(GROUP)2QSGDISP(PRIVATE)3Requested attrsRequested attrs,ADOPTCTXALTDATEALTTIMEAUTHENMD4AUTHORMDAUTHTYPEBASEDNGBASEDNUCHCKCLNTCHCKLOCLCLASSGRPCLASSUSRCONNAMEDESCRFAILDLAYFINDGRPGRPFIELDLDAPPWDLDAPUSERNESTGRPOCSPURLSECCOMMSHORTUSRUSRFIELDNotes:

  • 1 Not valid on IBM MQ for z/OS.
  • 2 Valid only when the queue manager is a member of a queue sharing group. We can use queue sharing groups only on IBM MQ for z/OS.
  • 3 Valid only on z/OS.
  • 4 Not valid on z/OS and AUTHENMD PAM value valid only on UNIX.


Parameter descriptions for DISPLAY AUTHINFO

    (generic-authentication-information-object-name)
    The name of the authentication information object to be displayed (see Rules for naming IBM MQ objects ). A trailing asterisk (*) matches all authentication information objects with the specified stem followed by zero or more characters. An asterisk (*) on its own specifies all authentication information objects.

    WHERE
    Specify a filter condition to display only those authentication information objects that satisfy the selection criterion of the filter condition. The filter condition is in three parts: filter-keyword, operator, and filter-value:

      filter-keyword
      Almost any parameter that can be used to display attributes for this DISPLAY command. However, we cannot use the CMDSCOPE or QSGDISP parameters as filter keywords.

      operator
      This is used to determine whether an authentication information object satisfies the filter value on the given filter keyword. The operators are:

        LT
        Less than

        GT
        Greater than

        EQ
        Equal to

        NE
        Not equal to

        LE
        Less than or equal to

        GE
        Greater than or equal to

        LK
        Matches a generic string that you provide as a filter-value

        NL
        Does not match a generic string that you provide as a filter-value

      filter-value
      The value that the attribute value must be tested against using the operator. Depending on the filter-keyword, this can be:

      • An explicit value, that is a valid value for the attribute being tested.

        We can use any of the operators except LK and NL.

      • A generic value. This is a character string (such as the character string you supply for the DESCR parameter) with an asterisk at the end, for example ABC*. The characters must be valid for the attribute we are testing. If the operator is LK, all items where the attribute value begins with the string (ABC in the example) are listed. If the operator is NL, all items where the attribute value does not begin with the string are listed. We cannot use a generic filter-value with numeric values. Only a single trailing wildcard character (asterisk) is permitted.

        We can only use operators LK or NL for generic values on the DISPLAY AUTHINFO command.

    ALL
    Specify this to display all the parameters. If this parameter is specified, any parameters that are requested specifically have no effect; all parameters are still displayed.

    This is the default if we do not specify a generic name and do not request any specific parameters.

    On z/OS this is also the default if you specify a filter condition using the WHERE parameter, but on other platforms only requested attributes are displayed.

    CMDSCOPE
    This parameter applies to z/OS only and specifies how the command runs when the queue manager is a member of a queue sharing group. CMDSCOPE must be blank, or the local queue manager, if QSGDISP is set to GROUP.

      ' '
      The command runs on the queue manager on which it was entered. This is the default value.

      qmgr-name
      The command runs on the queue manager you specify, providing the queue manager is active within the queue sharing group.

      We can specify a queue manager name, other than the queue manager on which the command was entered, only if we are using a queue sharing group environment and if the command server is enabled.

      *
      The command runs on the local queue manager and is also passed to every active queue manager in the queue sharing group. The effect of this is the same as entering the command on every queue manager in the queue sharing group.

    We cannot use CMDSCOPE as a filter keyword.

    AUTHTYPE
    Specifies the authentication information type of the objects for which information is to be displayed. Values are:

      ALL
      This is the default value and displays information for objects defined with AUTHTYPE(CRLLDAP) and with AUTHTYPE(OCSP).

      CRLLDAP
      Displays information only for objects defined with AUTHTYPE(CRLLDAP).

      IDPWLDAP
      Displays information only for objects defined with AUTHTYPE(IDPWLDAP).

      IDPWOS
      Displays information only for objects defined with AUTHTYPE(IDPWOS).

      OCSP
      Displays information only for objects defined with AUTHTYPE(OCSP).

    QSGDISP
    Specifies the disposition of the objects for which information is to be displayed. Values are:

      LIVE
      This is the default value and displays information for objects defined with QSGDISP(QMGR) or QSGDISP(COPY).

      ALL
      Displays information for objects defined with QSGDISP(QMGR) or QSGDISP(COPY).

      If there is a shared queue manager environment, and the command is being executed on the queue manager where it was issued, this option also displays information for objects defined with QSGDISP(GROUP).

      If QSGDISP(LIVE) is specified or defaulted, or if QSGDISP(ALL) is specified in a shared queue manager environment, the command might give duplicated names (with different dispositions).

      COPY
      Displays information only for objects defined with QSGDISP(COPY).

      GROUP
      Displays information only for objects defined with QSGDISP(GROUP). This is allowed only if there is a shared queue manager environment.

      PRIVATE
      Displays information for objects defined with QSGDISP(QMGR) or QSGDISP(COPY). Note that QSGDISP(PRIVATE) displays the same information as QSGDISP(LIVE).

      QMGR
      Displays information only for objects defined with QSGDISP(QMGR).

    QSGDISP displays one of the following values:

      QMGR
      The object was defined with QSGDISP(QMGR).

      GROUP
      The object was defined with QSGDISP(GROUP).

      COPY
      The object was defined with QSGDISP(COPY).

    We cannot use QSGDISP as a filter keyword.


Requested parameters

Specify one or more parameters that define the data to be displayed. The parameters can be specified in any order, but do not specify the same parameter more than once.

The default, if no parameters are specified (and the ALL parameter is not specified) is that the object names and their AUTHTYPEs, and, on z/OS, their QSGDISPs, are displayed.

    ADOPTCTX
    Displays the presented credentials as the context for this application.

    ALTDATE
    The date on which the definition was last altered, in the form yyyy-mm-dd

    ALTTIME
    The time at which the definition was last altered, in the form hh.mm.ss

    AUTHENMD
    Authentication method. Possible values are:

      OS
      Displays the traditional UNIX password verification method permissions.

      PAM
      Displays the Pluggable Authentication Method permissions.

      We can set the PAM value only on UNIX and Linux platforms.

    AUTHORMD
    Displays the authorization method. Possible values are:

      OS
      Use operating system groups to determine permissions associated with a user.

      SEARCHGRP
      A group entry in the LDAP repository contains an attribute listing the Distinguished Name of all users belonging to that group.

      SEARCHUSR
      A user entry in the LDAP repository contains an attribute listing the Distinguished Name of all the groups to which the specified user belongs.

      SRCHGRPSN
      A group entry in the LDAP repository contains an attribute listing the short user name of all users belonging to that group.

    AUTHTYPE
    The type of the authentication information

    BASEDNG
    Displays the Base DN for groups.

    BASEDNU
    Displays the base distinguished name to search for users within the LDAP server.

    CHCKLOCL or CHCKCLNT
    These attributes are valid only for an AUTHTYPE of IDPWOS or IDPWLDAP. The possible values are:

      NONE
      Displays all locally bound applications that have no user ID and password authentication.

      OPTIONAL
      Displays the user IDs and passwords provided by an application. Note that it is not mandatory to provide these attributes. This option might be useful during migration, for example.

      REQUIRED
      Displays all applications providing a valid user ID and password.

      REQDADM
      Displays privileged users supplying a valid user ID and password, Non-privileged users are treated as with the OPTIONAL setting. See also the following note. (This setting is not allowed on z/OS systems.)

    CLASSGRP
    Displays the LDAP object class for group records.

    CLASSUSR
    Displays the LDAP object class for user records within the LDAP repository.

    CONNAME
    The host name, IPv4 dotted decimal address, or IPv6 hexadecimal notation of the host on which the LDAP server is running. Applies only to objects with AUTHTYPE(CRLLDAP) or AUTHTYPE(IDPWLDAP).

    DESCR
    Description of the authentication information object.

    FAILDLAY
    Delay in seconds before an authentication failure is returned to an application.

    FINDGRP
    Displays the name of the attribute within an LDAP entry to determine group membership.

    GRPFIELD
    Displays the LDAP attribute that represents a simple name for the group.

    LDAPPWD
    Password associated with the Distinguished Name of the user on the LDAP server. If nonblank, this is displayed as asterisks on all platforms except z/OS. Applies only to objects with AUTHTYPE(CRLLDAP) or AUTHTYPE(IDPWLDAP).

    LDAPUSER
    Distinguished Name of the user on the LDAP server. Applies only to objects with AUTHTYPE(CRLLDAP) or AUTHTYPE(IDPWLDAP).

    NESTGRP
    Displays whether a group is a member of another group..

    OCSPURL
    The URL of the OCSP responder used to check for certificate revocation. Applies only to objects with AUTHTYPE(OCSP).

    SECCOMM
    Displays the method used to connect the LDAP server.

    SHORTUSR
    Displays the user record being used as a short name.

    USRFIELD
    Displays the user record being used in the LDAP user record, only if the user ID does not contain a qualifier.

See Usage notes for DEFINE AUTHINFO for more information about individual parameters.

Parent topic: MQSC commands