DISPLAY CHLAUTH

Use the MQSC command DISPLAY CHLAUTH to display the attributes of a channel authentication record.


Use MQSC commands

For information on how we use MQSC commands, see Performing local administration tasks using MQSC commands.

We can issue this command from sources 2CR. For an explanation of the source symbols, see Sources from which we can issue MQSC commands on z/OS.

Synonym: DIS CHLAUTH


DISPLAY CHLAUTH

DISPLAY CHLAUTH ( generic-channel-name ) (1)

    CMDSCOPE(' ') | CMDSCOPE(qmgr-name) (2) | CMDSCOPE(*) (2) (3)
    TYPE(ALL) | TYPE(BLOCKUSER) | TYPE(BLOCKADDR) | TYPE(SSLPEERMAP) | TYPE(ADDRESSMAP) | TYPE(USERMAP) | TYPE(QMGRMAP)
    MATCH(GENERIC) | MATCH(ALL) | MATCH(EXACT) | MATCH(RUNCHECK) (4) Runtime check match block
    ALL
    WHERE(FilterCondition)
    Requested attributes

Runtime check match block

    ADDRESS ( ip-address )
    QMNAME(qmgr-name) | CLNTUSER(user)
    SSLPEER ( ssl-peer-name )
    SSLCERTI(issuer-name)

Requested attributes

    TYPE, SSLPEER, SSLCERTI, ADDRESS, CHCKCLNT, CLNTUSER, QMNAME, ADDRLIST, USERLIST, MCAUSER, ALTDATE, ALTTIME, DESCR, CUSTOM

Notes:

  • 1 Must be * with TYPE(BLOCKADDR) and cannot be generic with MATCH(RUNCHECK)
  • 2 Valid only on z/OS when the queue manager is a member of a queue sharing group.
  • 3 Valid only on z/OS.
  • 4 Must be combined with TYPE(ALL)


Parameters

    generic-channel-name
    The name of the channel or set of channels to display. We can use the asterisk (*) as a wildcard to specify a set of channels. When an asterisk is used on z/OS, single quotes must be used around the whole value. When MATCH is RUNCHECK this parameter must not be generic.

    ADDRESS
    The IP address to be matched.

    This parameter is valid only when MATCH is RUNCHECK, must not be generic and must not be a host name.

    ALL
    Specify this parameter to display all attributes. If this keyword is specified, any attributes that are requested specifically have no effect; all attributes are still displayed.

    This is the default behavior if we do not specify a generic name and do not request any specific attributes.

    CLNTUSER
    The client asserted user ID to be mapped to a new user ID, allowed through unchanged, or blocked.

    This can be the user ID flowed from the client indicating the user ID the client side process is running under, or the user ID presented by the client on an MQCONNX call using MQCSP.

    This parameter is valid only with TYPE(USERMAP) and when Match is MQMATCH_RUNCHECK.

    The maximum length of the string is MQ_CLIENT_USER_ID_LENGTH.

    CMDSCOPE
    This parameter applies to z/OS only and specifies how the command is run when the queue manager is a member of a queue sharing group.

      ' '
      The command is run on the queue manager on which it was entered. This is the default value.

      qmgr-name
      The command is run on the queue manager you specify, providing the queue manager is active within the queue sharing group.

      We can specify a queue manager name, other than the queue manager on which the command was entered, only if we are using a queue sharing group environment and if the command server is enabled.

      *
      The command is run on the local queue manager and is also passed to every active queue manager in the queue sharing group. The effect is the same as entering the command on every queue manager in the queue sharing group.

    MATCH
    Indicates the type of matching to be applied.

      RUNCHECK
      Returns the record that is matched by a specific inbound channel at run time if it connects to this queue manager. The specific inbound channel is described by providing values that are not generic:

      • Channel name.
      • ADDRESS attribute containing an IP address, that is then reverse looked up as part of running the command to discover the host name, if the queue manager is configured with REVDNS(ENABLED).
      • SSLCERTI attribute, only if the inbound channel uses TLS.
      • SSLPEER attribute, only if the inbound channel uses TLS.
      • QMNAME or CLNTUSER attribute, depending on whether the inbound channel is a client or queue manager channel.

      If the record discovered has WARN set to YES, a second record might also be displayed to show the actual record the channel will use at run time. This parameter must be combined with TYPE(ALL).

      EXACT
      Return only those records which exactly match the channel profile name supplied. If there are no asterisks in the channel profile name, this option returns the same output as MATCH(GENERIC).

      GENERIC
      Any asterisks in the channel profile name are treated as wildcards. If there are no asterisks in the channel profile name, this returns the same output as MATCH(EXACT). For example, a profile of ABC* could result in records for ABC, ABC*, and ABCD being returned.

      ALL
      Return all possible records that match the channel profile name supplied. If the channel name is generic in this case, all records that match the channel name are returned even if more specific matches exist. For example, a profile of SYSTEM.*.SVRCONN could result in records for SYSTEM.*, SYSTEM.DEF.*, SYSTEM.DEF.SVRCONN, and SYSTEM.ADMIN.SVRCONN being returned.
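
The difference between MATCH(EXACT), MATCH(GENERIC) and MATCH(ALL) matters when auditing which records can apply to a channel. The following is an added example, not IBM MQ code: a small model of the three modes over a constructed list of profile names. The function names and the sample list are hypothetical, and treating MATCH(ALL) as "the two profile patterns overlap" is an assumption chosen to reproduce the examples given above.

```python
# Illustrative model, not IBM MQ code: which stored CHLAUTH profile names
# each MATCH mode returns, following the descriptions on this page.
from functools import lru_cache

# Constructed sample of stored record profile names (assumption).
PROFILES = ["ABC", "ABC*", "ABCD", "XYZ", "APP.*", "SYSTEM.*",
            "SYSTEM.DEF.*", "SYSTEM.DEF.SVRCONN", "SYSTEM.ADMIN.SVRCONN"]


def literal_matches(pattern, name):
    """True if name, read as a literal string, fits pattern ('*' = any run)."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(pattern):
            return j == len(name)
        if pattern[i] == "*":
            return go(i + 1, j) or (j < len(name) and go(i, j + 1))
        return j < len(name) and pattern[i] == name[j] and go(i + 1, j + 1)
    return go(0, 0)


def patterns_overlap(a, b):
    """True if some channel name fits both wildcard patterns a and b."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        return (i < len(a) and j < len(b) and a[i] == b[j]
                and go(i + 1, j + 1))
    return go(0, 0)


def display_chlauth(profile, match):
    """Profile names the modelled DISPLAY CHLAUTH(profile) MATCH(match) lists."""
    if match == "EXACT":      # profile name must be identical
        return [p for p in PROFILES if p == profile]
    if match == "GENERIC":    # asterisks in the query act as wildcards
        return [p for p in PROFILES if literal_matches(profile, p)]
    if match == "ALL":        # every record that could apply (modelled as overlap)
        return [p for p in PROFILES if patterns_overlap(profile, p)]
    raise ValueError("RUNCHECK needs connection details and is not modelled")


if __name__ == "__main__":
    for mode in ("EXACT", "GENERIC", "ALL"):
        print(mode, display_chlauth("SYSTEM.*.SVRCONN", mode))
```

In this model a GENERIC query for SYSTEM.*.SVRCONN omits the broader SYSTEM.* and SYSTEM.DEF.* records, which is why a review of everything that could govern a channel uses MATCH(ALL).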

    QMNAME
    The name of the remote partner queue manager to be matched.

    This parameter is valid only when MATCH is RUNCHECK and must not be generic.

    SSLCERTI

    The Certificate issuer Distinguished Name of the certificate to be matched.

    The SSLCERTI field, if not blank, is matched in addition to the SSLPEER value.

    This parameter is valid only when MATCH is RUNCHECK and must not be generic.

    SSLPEER

    The Subject Distinguished Name of the certificate to be matched.

    The SSLPEER value is specified in the standard form used to specify a Distinguished Name.

    This parameter is valid only when MATCH is RUNCHECK and must not be generic.

    TYPE
    The type of Channel Authentication Record for which to display details. Possible values are:

    • ALL
    • BLOCKUSER
    • BLOCKADDR
    • SSLPEERMAP
    • ADDRESSMAP
    • USERMAP
    • QMGRMAP

    WHERE
    Specify a filter condition to display only those channel authentication records that satisfy the selection criterion of the filter condition. The filter condition is in three parts: filter-keyword, operator, and filter-value:

      filter-keyword
      Any parameter that can be used to display attributes for this DISPLAY command.

      operator
      This is used to determine whether a channel authentication record satisfies the filter value on the given filter keyword. The operators are as follows:

        LT
        Less than

        GT
        Greater than

        EQ
        Equal to

        NE
        Not equal to

        LE
        Less than or equal to

        GE
        Greater than or equal to

        LK
        Matches a generic string that you provide as a filter-value

        NL
        Does not match a generic string that you provide as a filter-value

        CT
        Contains a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which contain the specified item.

        EX
        Does not contain a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which do not contain the specified item.

        CTG
        Contains an item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which match the generic string.

        EXG
        Does not contain any item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which do not match the generic string.

      filter-value
      The value that the attribute value must be tested against using the operator. Depending on the filter-keyword, the value can be either explicit or generic:

      • An explicit value, that is a valid value for the attribute being tested.

        We can use any of the operators except LK and NL. However, if the value is one from a possible set of values returnable on a parameter (for example, the value ALL on the MATCH parameter), we can only use EQ or NE.

      • A generic value. This is a character string with an asterisk at the end, for example ABC*. The characters must be valid for the attribute we are testing. If the operator is LK, all items where the attribute value begins with the string (ABC in the example) are listed. If the operator is NL, all items where the attribute value does not begin with the string are listed. We cannot use a generic filter-value for parameters with numeric values or with one of a set of values.

        We can only use operators LK or NL for generic values.

      • An item in a list of values. The value can be explicit or, if it is a character value, it can be explicit or generic. If it is explicit, use CT or EX as the operator. For example, if the value DEF is specified with the operator CT, all items where one of the attribute values is DEF are listed. If it is generic, use CTG or EXG as the operator. If ABC* is specified with the operator CTG, all items where one of the attribute values begins with ABC are listed.

    Note: On z/OS there is a 256 character limit for the filter-value of the MQSC WHERE clause. This limit is not in place for other platforms.


Requested parameters

Specify one or more parameters that define the data to be displayed. The parameters can be specified in any order, but do not specify the same parameter more than once.

    TYPE
    The type of channel authentication record.

    SSLPEER
    The Distinguished Name of the certificate.

    ADDRESS
    The IP address.

    CHCKCLNT
    Whether a user ID and password are to be supplied by connections which match this rule.

    CLNTUSER
    The client asserted user ID.

    QMNAME
    The name of the remote partner queue manager.

    MCAUSER
    The user identifier to be used when the inbound connection matches the TLS DN, IP address, client asserted user ID or remote queue manager name supplied.

    ADDRLIST
    A list of IP address patterns which are banned from connecting into this queue manager on any channel.

    USERLIST
    A list of user IDs which are banned from use of this channel or set of channels.

    ALTDATE
    The date on which the channel authentication record was last altered, in the format yyyy-mm-dd.

    ALTTIME
    The time at which the channel authentication record was last altered, in the form hh.mm.ss.

    DESCR
    Descriptive information about the channel authentication record.

    SSLCERTI
    The Certificate issuer Distinguished Name of the certificate to be matched.

    CUSTOM
    Reserved for future use.
