client channel definition table, authentication information object, namelist, SSLCRLNameList attribute, CRL information, creating CRL information in a client channel definition file, WebSphere MQ utility program (CSQUTIL), CSQUTIL" />
Home
Using a client channel definition table
On a server queue manager, we can create one or more authentication information objects. The attributes of an authentication object contain all the information that is needed to access an LDAP server that holds CRLs. One of the attributes specifies the host address or IP address of a system on which an LDAP server runs. This address can be followed by an optional port number enclosed in parentheses. The default port number is 389.
To enable a WebSphere MQ client to access LDAP servers that hold CRLs, the attributes of one or more authentication information objects can be included in a client channel definition table. This is done in the following ways:
- On the server platforms AIX, HP-UX, Linux, i5/OS, Solaris, and Windows
- We can create a namelist that contains the names of one or more authentication information objects. You can then set the queue manager attribute, SSLCRLNameList, to the name of this namelist. By doing this, you enable the WebSphere MQ SSL support for the queue manager to access the LDAP servers that hold CRLs.
The attributes of the authentication information objects identified by the namelist are referred to collectively here as the CRL information. When you set the queue manager attribute, SSLCRLNameList, to the name of the namelist, the CRL information is copied into the client channel definition table associated with the queue manager. If the client channel definition table can be accessed from a client system as a shared file, or if the client channel definition table is then copied to a client system, the WebSphere MQ client on that system can use the CRL information in the client channel definition table to access LDAP servers that hold CRLs.
If the CRL information of the queue manager is changed subsequently, the change is reflected in the client channel definition table associated with the queue manager. If the queue manager attribute, SSLCRLNameList, is set to blank, all the CRL information is removed from the client channel definition table. These changes are not reflected in any copy of the table on a client system.
If you require the CRL information at the client and server ends of an MQI channel to be different, and the server queue manager is the one that is used to create the CRL information, we can do the following:
- On the server queue manager, create the CRL information for use on the client system.
- Copy the client channel definition table containing the CRL information to the client system.
- On the server queue manager, change the CRL information to what is required at the server end of the MQI channel.
- On the server platform z/OS
- On z/OS, a client channel definition table is generated by the MAKECLNT parameter of the COMMAND function of the WebSphere MQ utility program, CSQUTIL. The DISPLAY CHANNEL commands in the input data set determine which client-connection channel definitions are included in the table. Likewise, the DISPLAY AUTHINFO commands in the input data set determine which authentication information objects are used to form the CRL information in the table.
The contents of a client channel definition table generated on z/OS do not depend on the value of any queue manager attributes, such as SSLCRLNameList, and cannot be updated dynamically. The only way we can change the CRL information in a client channel definition table is to generate a new table by running CSQUTIL again.
Home