MCAUserIdentifier
Every instance of a channel that is current has an associated channel definition structure, MQCD. The initial values of the fields in MQCD are determined by the channel definition that is created by a WebSphere MQ administrator. In particular, the initial value of one of the fields, MCAUserIdentifier, is determined by the value of the MCAUSER parameter on the DEFINE CHANNEL command, or by the equivalent to MCAUSER if the channel definition is created in another way.
The MQCD structure is passed to a channel exit program when it is called by an MCA. When a security exit is called by an MCA, the security exit can change the value of MCAUserIdentifier, replacing any value that was specified in the channel definition.
On i5/OS, UNIX systems, and Windows systems, unless the value of MCAUserIdentifier is blank, the queue manager uses the value of MCAUserIdentifier as the user ID for authority checks when an MCA attempts to access the queue manager's resources after it has connected to the queue manager. If the value of MCAUserIdentifier is blank, the queue manager uses the default user ID of the MCA instead. This applies only to receiving MCAs and server connection MCAs, and assumes that the PUTAUT parameter is set to DEF in the channel definition. The queue manager always uses the default user ID of a sending MCA for authority checks, even if the value of MCAUserIdentifier is not blank.
On z/OS, the queue manager might use the value of MCAUserIdentifier for authority checks, provided it is not blank. For receiving MCAs and server connection MCAs, whether the queue manager uses the value of MCAUserIdentifier for authority checks depends on:
- The value of the PUTAUT parameter in the channel definition
- The RACF profile used for the checks
- The access level of the channel initiator address space user ID to the RESLEVEL profile
For sending MCAs, it depends on:
- Whether the sending MCA is a caller or a responder
- The access level of the channel initiator address space user ID to the RESLEVEL profile
The user ID that a security exit stores in MCAUserIdentifier can be acquired in various ways. Here are some examples:
- Provided there is no security exit at the client end of an MQI channel, a user ID associated with the WebSphere MQ client application flows from the client connection MCA to the server connection MCA when the client application issues an MQCONN call. The server connection MCA stores this user ID in the RemoteUserIdentifier field in the channel definition structure, MQCD. If the value of MCAUserIdentifier is blank at this time, the MCA stores the same user ID in MCAUserIdentifier. If the MCA does not store the user ID in MCAUserIdentifier, a security exit can do it subsequently by setting MCAUserIdentifier to the value of RemoteUserIdentifier.
If the user ID that flows from the client system is entering a new security domain and is not valid on the server system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.
- The user ID can be sent by the partner security exit in a security message.
On a message channel, a security exit called by the sending MCA can send the user ID under which the sending MCA is running. A security exit called by the receiving MCA can then store the user ID in MCAUserIdentifier. Similarly, on an MQI channel, a security exit at the client end of the channel can send the user ID associated with the WebSphere MQ client application. A security exit at the server end of the channel can then store the user ID in MCAUserIdentifier. As in the previous example, if the user ID is not valid on the target system, the security exit can substitute the user ID for one that is valid and store the substituted user ID in MCAUserIdentifier.
If a digital certificate is received as part of the identification and authentication service, a security exit can map the Distinguished Name in the certificate to a user ID that is valid on the target system. It can then store the user ID in MCAUserIdentifier.
- If SSL is used on the channel, the partner's Distinguished Name (DN) is passed to the exit in the SSLPeerNamePtr field of the MQCD, and the DN of the issuer of that certificate is passed to the exit in the SSLRemCertIssNamePtr field of the MQCXP.
For more information about the MCAUserIdentifier field, the channel definition structure, MQCD, and the channel exit parameter structure MQCXP, see WebSphere MQ Intercommunications. For more information about how the MCAUserIdentifier field is used for authority checks on z/OS, see the WebSphere MQ for z/OS System Setup Guide. For more information about the user ID that flows from a client system on an MQI channel, see WebSphere MQ Clients.
Parent topic:
Access control
sy11230_