DISPLAY CHLAUTH
Use the MQSC command DISPLAY CHLAUTH to display the attributes of a channel authentication record.
Use MQSC commands
For information on how we use MQSC commands, see Performing local administration tasks using MQSC commands.
We can issue this command from sources 2CR. For an explanation of the source symbols, see Sources from which we can issue MQSC commands on z/OS.
Synonym: DIS CHLAUTH
DISPLAY CHLAUTH syntax diagram (sub-diagrams: Runtime check match block, Requested attributes)
Notes:
- 1 Must be * with TYPE(BLOCKADDR) and cannot be generic with MATCH(RUNCHECK)
- 2 Valid only on z/OS when the queue manager is a member of a queue sharing group.
- 3 Valid only on z/OS.
- 4 Must be combined with TYPE(ALL)
Parameters
- generic-channel-name
- The name of the channel or set of channels to display. We can use the asterisk (*) as a wildcard to specify a set of channels. When an asterisk is used on z/OS, single quotes must be used around the whole value. When MATCH is RUNCHECK this parameter must not be generic.
- ADDRESS
- The IP address to be matched.
This parameter is valid only when MATCH is RUNCHECK, must not be generic and must not be a host name.
- ALL
- Specify this parameter to display all attributes. If this keyword is specified, any attributes
that are requested specifically have no effect; all attributes are still displayed.
This is the default behavior if we do not specify a generic name and do not request any specific attributes.
- CLNTUSER
- The client asserted user ID to be mapped to a new user ID, allowed through unchanged, or
blocked.
This can be the user ID flowed from the client indicating the user ID the client side process is running under, or the user ID presented by the client on an MQCONNX call using MQCSP.
This parameter is valid only with TYPE(USERMAP) and when Match is MQMATCH_RUNCHECK.
The maximum length of the string is MQ_CLIENT_USER_ID_LENGTH.
- CMDSCOPE
- This parameter applies to z/OS only and specifies
how the command is run when the queue manager is a member of a queue sharing group.
- ' '
- The command is run on the queue manager on which it was entered. This is the default value.
- qmgr-name
- The command is run on the queue manager you specify, providing the queue manager is active
within the queue sharing group.
We can specify a queue manager name, other than the queue manager on which the command was entered, only if we are using a queue sharing group environment and if the command server is enabled.
- *
- The command is run on the local queue manager and is also passed to every active queue manager in the queue sharing group. The effect is the same as entering the command on every queue manager in the queue sharing group.
- MATCH
- Indicates the type of matching to be applied.
- RUNCHECK
- Returns the record that is matched by a specific inbound channel at run time if it connects to
this queue manager. The specific inbound channel is described by providing values that are not generic:
- Channel name.
- ADDRESS attribute containing an IP address, that is then reverse looked up as part of running the command to discover the host name, if the queue manager is configured with REVDNS(ENABLED).
- SSLCERTI attribute, only if the inbound channel uses TLS.
- SSLPEER attribute, only if the inbound channel uses TLS.
- QMNAME or CLNTUSER attribute, depending on whether the inbound channel is a client or queue manager channel.
If the record discovered has WARN set to YES, a second record might also be displayed to show the actual record the channel will use at run time. This parameter must be combined with TYPE(ALL).
- EXACT
- Return only those records which exactly match the channel profile name supplied. If there are no asterisks in the channel profile name, this option returns the same output as MATCH(GENERIC).
- GENERIC
- Any asterisks in the channel profile name are treated as wildcards. If there are no asterisks in the channel profile name, this returns the same output as MATCH(EXACT). For example, a profile of ABC* could result in records for ABC, ABC*, and ABCD being returned.
- ALL
- Return all possible records that match the channel profile name supplied. If the channel name is generic in this case, all records that match the channel name are returned even if more specific matches exist. For example, a profile of SYSTEM.*.SVRCONN could result in records for SYSTEM.*, SYSTEM.DEF.*, SYSTEM.DEF.SVRCONN, and SYSTEM.ADMIN.SVRCONN being returned.
- QMNAME
- The name of the remote partner queue manager to be matched.
This parameter is valid only when MATCH is RUNCHECK and must not be generic.
- SSLCERTI
- The Certificate issuer Distinguished Name of the certificate to be matched.
The SSLCERTI field, if not blank, is matched in addition to the SSLPEER value.
This parameter is valid only when MATCH is RUNCHECK and must not be generic.
- SSLPEER
- The Subject Distinguished Name of the certificate to be matched.
The SSLPEER value is specified in the standard form used to specify a Distinguished Name.
This parameter is valid only when MATCH is RUNCHECK and must not be generic.
- TYPE
- The type of Channel Authentication Record for which to display details. Possible values are:
- ALL
- BLOCKUSER
- BLOCKADDR
- SSLPEERMAP
- ADDRESSMAP
- USERMAP
- QMGRMAP
- WHERE
- Specify a filter condition to display only those channel authentication records that satisfy the
selection criterion of the filter condition. The filter condition is in three parts:
filter-keyword, operator, and filter-value:
- filter-keyword
- Any parameter that can be used to display attributes for this DISPLAY command.
- operator
- This is used to determine whether a channel authentication record satisfies the filter value on
the given filter keyword. The operators are as follows:
- LT
- Less than
- GT
- Greater than
- EQ
- Equal to
- NE
- Not equal to
- LE
- Less than or equal to
- GE
- Greater than or equal to
- LK
- Matches a generic string that you provide as a filter-value
- NL
- Does not match a generic string that you provide as a filter-value
- CT
- Contains a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which contain the specified item.
- EX
- Does not contain a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which do not contain the specified item.
- CTG
- Contains an item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which match the generic string.
- EXG
- Does not contain any item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which do not match the generic string.
- filter-value
- The value that the attribute value must be tested against using the operator. Depending on the
filter-keyword, the value can be either explicit or generic:
- An explicit value, that is a valid value for the attribute being tested.
We can use any of the operators except LK and NL. However, if the value is one from a possible set of values returnable on a parameter (for example, the value ALL on the MATCH parameter), we can only use EQ or NE.
- A generic value. This is a character string with an asterisk at the end, for example ABC*. The
characters must be valid for the attribute we are testing. If the operator is LK, all items where
the attribute value begins with the string (ABC in the example) are listed. If the operator is NL,
all items where the attribute value does not begin with the string are listed. We cannot use a
generic filter-value for parameters with numeric values or with one of a set of values.
We can only use operators LK or NL for generic values.
- An item in a list of values. The value can be explicit or, if it is a character value, it can be explicit or generic. If it is explicit, use CT or EX as the operator. For example, if the value DEF is specified with the operator CT, all items where one of the attribute values is DEF are listed. If it is generic, use CTG or EXG as the operator. If ABC* is specified with the operator CTG, all items where one of the attribute values begins with ABC are listed.
Note: On z/OS there is a 256 character limit for the filter-value of the MQSC WHERE clause. This limit is not in place for other platforms.
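An added example, not part of the product documentation: a Python helper that assembles a MATCH(RUNCHECK) command for one inbound connection and enforces the restrictions listed above (non-generic channel name, ADDRESS as a literal IP address, CLNTUSER or QMNAME depending on the channel type, TYPE(ALL)). The function name build_runcheck, the refusal of embedded quotes, and the sample channel, address and user values are assumptions made for illustration.

```python
import ipaddress

def _quoted(keyword, value):
    """Render KEYWORD('value'); refuse characters that would end the MQSC string early."""
    if any(c in value for c in "'\r\n"):
        raise ValueError(f"{keyword}: quote or newline not allowed in value")
    return f"{keyword}('{value}')"

def build_runcheck(channel, address, clntuser=None, qmname=None,
                   sslpeer=None, sslcerti=None):
    """Build DISPLAY CHLAUTH ... MATCH(RUNCHECK) for one specific inbound connection."""
    if "*" in channel:
        raise ValueError("channel name must not be generic with MATCH(RUNCHECK)")
    try:
        ipaddress.ip_address(address)  # rejects host names and patterns such as 192.0.2.*
    except ValueError:
        raise ValueError("ADDRESS must be one IP address, not a host name or pattern") from None
    # Assumption drawn from the RUNCHECK list: a client channel supplies CLNTUSER,
    # a queue manager channel supplies QMNAME, so exactly one of the two is given.
    if (clntuser is None) == (qmname is None):
        raise ValueError("supply exactly one of CLNTUSER or QMNAME")
    parts = [_quoted("DISPLAY CHLAUTH", channel), "TYPE(ALL)", "MATCH(RUNCHECK)",
             _quoted("ADDRESS", address)]
    for keyword, value in (("CLNTUSER", clntuser), ("QMNAME", qmname),
                           ("SSLPEER", sslpeer), ("SSLCERTI", sslcerti)):
        if value is None:
            continue
        # QMNAME, SSLPEER and SSLCERTI must not be generic; any asterisk is refused
        # here, which is stricter than necessary but never produces an invalid command.
        if keyword != "CLNTUSER" and "*" in value:
            raise ValueError(f"{keyword} must not be generic with MATCH(RUNCHECK)")
        parts.append(_quoted(keyword, value))
    return " ".join(parts)

if __name__ == "__main__":
    # Constructed sample connections: one client channel, one TLS queue manager channel.
    print(build_runcheck("APP.SVRCONN", "192.0.2.10", clntuser="appuser"))
    print(build_runcheck("QM2.TO.QM1", "198.51.100.7", qmname="QM2",
                         sslpeer="CN=QM2,O=Example"))
```

The printed commands can be entered at a runmqsc prompt to see which record each connection would match before the connection is actually attempted.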
Requested parameters
Specify one or more parameters that define the data to be displayed. The parameters can be specified in any order, but do not specify the same parameter more than once.
- TYPE
- The type of channel authentication record
- SSLPEER
- The Distinguished Name of the certificate.
- ADDRESS
- The IP address
- CHCKCLNT
- Whether a user ID and password are to be supplied by connections which match this rule.
- CLNTUSER
- The client asserted user ID
- QMNAME
- The name of the remote partner queue manager
- MCAUSER
- The user identifier to be used when the inbound connection matches the TLS DN, IP address, client asserted user ID or remote queue manager name supplied.
- ADDRLIST
- A list of IP address patterns which are banned from connecting into this queue manager on any channel.
- USERLIST
- A list of user IDs which are banned from use of this channel or set of channels.
- ALTDATE
- The date on which the channel authentication record was last altered, in the format yyyy-mm-dd.
- ALTTIME
- The time at which the channel authentication record was last altered, in the form hh.mm.ss.
- DESCR
- Descriptive information about the channel authentication record.
- SSLCERTI
- The Certificate issuer Distinguished Name of the certificate to be matched.
- CUSTOM
- Reserved for future use.