Authentication information properties
We can set properties for all types of authentication information objects. Some of the properties do not apply to all types of authentication information objects, and some properties are specific to z/OS authentication information objects.
The following tables list the properties that we can set. For each property, there is a brief description of when you might need to configure it. The tables also give the equivalent MQSC parameter for the DEFINE, ALTER and DISPLAY AUTHINFO commands. For more information about MQSC commands, see Administration using MQSC commands.
General page
The following table lists the properties that we can set on the General page of the Authentication Information properties dialog.
Property: Authinfo name
Meaning: Read-only. We cannot change the name of an authentication information object after it has been created.
MQSC parameter: AUTHINFO

Property: Authinfo type
Meaning: Read-only. We cannot change the type of an authentication information object after it has been created.
MQSC parameter: AUTHTYPE

Property: Description
Meaning: Type a meaningful description of the purpose of the authentication information object. See Entering strings in MQ Explorer.
MQSC parameter: DESCR

Property: QSG disposition
Meaning: Read-only. The queue sharing group disposition of the authentication information object. We cannot change the disposition of an authentication information object after it has been created.
- Queue manager means that the object definition is available only to the queue manager that hosts it.
- Group means that the object definition is stored on the shared repository and each queue manager in the queue sharing group has a copy of the definition.
- Copy means that the object definition is the queue manager's copy of a definition in the shared repository.
MQSC parameter: QSGDISP
LDAP page
The following table lists the properties that we can set on the LDAP page of the CRL LDAP or IDPW LDAP Authentication Information properties dialog. The LDAP page displays the name and authentication information for the LDAP server.
Property: LDAP Server Name
Meaning: Type the host name, IPv4 dotted decimal address, or IPv6 hexadecimal notation of the host on which the LDAP server is running, with an optional port number. If you specify the connection name as an IPv6 address, only systems that are running IBM WebSphere MQ Version 6.0 with an IPv6 stack are able to resolve this address. If the authentication information object is part of the queue manager's CRL namelist, ensure that any clients that are using the client channel table that is generated by the queue manager are capable of resolving the connection name. On z/OS, to use a connection name that resolves to an IPv6 network address, the level of z/OS must support IPv6 for connecting to an LDAP server.
MQSC parameter: CONNAME

Property: User ID
Meaning: Type the Distinguished Name of the user who is accessing the LDAP server, with the following limitations:
- On IBM i, UNIX, and Windows, the maximum length is 1024 characters.
- On z/OS, the maximum length is 256 characters.
- If we use asterisks (*) in the user name, they are treated as literal characters, and not as wildcards, because the LDAP user ID is a specific name and not a string used for matching.
MQSC parameter: LDAPUSER

Property: Password
Meaning: Type the password that is associated with the Distinguished Name of the user who is accessing the LDAP server. The maximum length is 32 characters.
MQSC parameter: LDAPPWD
OCSP page
The following table lists the properties that we can set on the OCSP page of the OCSP Authentication Information properties dialog.
Property: OCSP responder URL
Meaning: The URL at which the OCSP responder can be contacted. This property takes priority over a URL in an AuthorityInfoAccess (AIA) certificate extension.
MQSC parameter: OCSPURL
LDAP User Repository page
The following table lists the properties that we can set on the LDAP User Repository page of the IDPW LDAP Authentication Information properties dialog.
Property: Equivalent short user
Meaning: A field in the LDAP user record to be used as a short user name for this connection.
MQSC parameter: SHORTUSR

Property: User ID base DN
Meaning: The base DN used to locate user records in an LDAP server.
MQSC parameter: BASEDNU

Property: Use secure communication
Meaning: Whether the connection to the LDAP server will be made using TLS.
MQSC parameter: SECCOMM

Property: User Object Class
Meaning: The LDAP object class used for user records in the LDAP repository.
MQSC parameter: CLASSUSR

Property: Qualifying user field
Meaning: A qualification to allow user IDs provided by applications to be identified as a field in the LDAP user record.
MQSC parameter: USRFIELD
LDAP Authorization page
The following table lists the properties that we can set on the LDAP Authorization page of the IDPW LDAP Authentication Information properties dialog.
Property: Authorization method
Meaning: Whether authorization is done using user IDs and groups from the Operating System or from LDAP. The possible values are:
- Operating System. Authorization is done using user IDs and groups from the Operating System.
- Search group. Authorization is done using user IDs and groups from LDAP. The group entry in the LDAP repository contains a property listing the Distinguished Names of all the users who belong to the group.
- Search user. Authorization is done using user IDs and groups from LDAP. The user entry in the LDAP repository contains a property listing the Distinguished Names of all the groups to which the user belongs.
- Search group short name. Authorization is done using user IDs and groups from LDAP. The group entry in the LDAP repository contains a property listing the short user names of all the users who belong to the group.
MQSC parameter: AUTHORMD

Property: Allow nested groups
Meaning: Whether nested groups are allowed. The possible values are:
- No. Nested groups are not allowed.
- Yes. Nested groups are allowed. The group list is searched recursively to enumerate all groups a user belongs to.
MQSC parameter: NESTGRP

Property: Group base DN
Meaning: The base DN used to locate group records in an LDAP server.
MQSC parameter: BASEDNG

Property: Group object class
Meaning: The LDAP object class used for group records in the LDAP repository.
MQSC parameter: CLASSGRP

Property: Qualifying group field
Meaning: A qualification to allow groups to be identified as a field in the LDAP group record.
MQSC parameter: GRPFIELD

Property: Group membership field
Meaning: Name of the property used within an LDAP user or group record to determine group membership.
MQSC parameter: FINDGRP
User ID + Password page
The following table lists the properties that we can set on the User ID + Password page of the IDPW OS or IDPW LDAP Authentication Information properties dialog.
Property: Check locally bound connections
Meaning: Whether connections made by using local bindings must supply a user ID and password for validation. The possible values are:
- None. No user ID and password are required.
- Optional. No user ID and password are required, but if provided, they are checked.
- Required for administrators. User ID and password are required for privileged users.
- Required for all. User ID and password are required for all users.
Setting CHCKLOCL to Required for administrators or Required for all results in the inability to locally administer the queue manager by way of the runmqsc commands unless you specify the -u UserID parameter on the runmqsc command line. If you do not specify this parameter, you see error message AMQ8135: Not authorized. Similarly, when you run IBM MQ Explorer on your local system, you might see error AMQ4036: Access not permitted when attempting to connect to a queue manager.
To specify a user name and password, right-click the local queue manager object, and select Connection Details > Properties from the menu. In the UserID section, enter the user name and password, and then click OK.
MQSC parameter: CHCKLOCL

Property: Check client connections
Meaning: Whether connections made using client connections must supply a user ID and password for validation. The possible values are:
- None. No user ID and password are required.
- Optional. No user ID and password are required, but if provided, they are checked.
- Required for administrators. User ID and password are required for privileged users.
- Required for all. User ID and password are required for all users.
MQSC parameter: CHCKCLNT

Property: Adopt the authenticated user
Meaning: Whether to adopt the user ID that was provided with a password as the context for this connection. The possible values are:
- Yes. The validated user ID is adopted as the context for this connection. If the user ID presented is an LDAP user ID, and authorization checks are done using operating system user IDs, the SHORTUSR associated with the user entry in LDAP is adopted as the credentials against which authorization checks are done.
- No. The validated user ID is not adopted as the context for this connection.
MQSC parameter: ADOPTCTX

Property: Authentication failure delay
Meaning: This property specifies how long to delay before returning the failure return code to the application, for example, if no response is received by an MQCONNX request. This is the length of time in seconds, which can be 0 - 60. A value of zero means that no delay is added.
MQSC parameter: FAILDLAY
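The following MQSC script is an added example, not part of the IBM MQ documentation, that pulls the parameters from the LDAP, LDAP User Repository, LDAP Authorization and User ID + Password tables together into one IDPW LDAP object and attaches it to the queue manager. The host name, port, DNs, bind password and LDAP attribute names are assumed values for illustration.

```mqsc
* Added example: define an IDPW LDAP authentication information object.
* All host, DN, password and attribute values below are assumed.

* LDAP page: CONNAME, LDAPUSER, LDAPPWD
DEFINE AUTHINFO(LDAP.IDPW) AUTHTYPE(IDPWLDAP) +
       DESCR('Client user ID and password validation against LDAP') +
       CONNAME('ldap.example.com(636)') +
       LDAPUSER('cn=mqbind,ou=service,dc=example,dc=com') +
       LDAPPWD('assumed-bind-password') +
       REPLACE

* LDAP User Repository page: SECCOMM, BASEDNU, CLASSUSR, SHORTUSR, USRFIELD
* SECCOMM(YES) makes the LDAP connection over TLS, which keeps the bind
* password and the application passwords off the wire in clear text.
ALTER AUTHINFO(LDAP.IDPW) AUTHTYPE(IDPWLDAP) +
      SECCOMM(YES) +
      BASEDNU('ou=people,dc=example,dc=com') +
      CLASSUSR('inetOrgPerson') +
      SHORTUSR('uid') +
      USRFIELD('uid')

* LDAP Authorization page: AUTHORMD, NESTGRP, BASEDNG, CLASSGRP, GRPFIELD, FINDGRP
* SEARCHGRP = "Search group": group entries carry a member attribute listing
* user DNs; NESTGRP(YES) follows group-in-group membership recursively.
ALTER AUTHINFO(LDAP.IDPW) AUTHTYPE(IDPWLDAP) +
      AUTHORMD(SEARCHGRP) +
      NESTGRP(YES) +
      BASEDNG('ou=groups,dc=example,dc=com') +
      CLASSGRP('groupOfNames') +
      GRPFIELD('cn') +
      FINDGRP('member')

* User ID + Password page: CHCKLOCL, CHCKCLNT, ADOPTCTX, FAILDLAY
* CHCKCLNT(REQUIRED) = "Required for all" for client connections;
* CHCKLOCL(OPTIONAL) keeps local runmqsc usable without -u while still
* checking any credentials that are supplied. ADOPTCTX(YES) runs the
* connection as the validated LDAP user rather than the OS user of the
* process; FAILDLAY(5) slows down repeated bad-password attempts.
ALTER AUTHINFO(LDAP.IDPW) AUTHTYPE(IDPWLDAP) +
      CHCKLOCL(OPTIONAL) +
      CHCKCLNT(REQUIRED) +
      ADOPTCTX(YES) +
      FAILDLAY(5)

* Make this the queue manager's connection authentication object, activate
* the change without restarting, and display the result to verify it.
ALTER QMGR CONNAUTH(LDAP.IDPW)
REFRESH SECURITY TYPE(CONNAUTH)
DISPLAY AUTHINFO(LDAP.IDPW) ALL
```

If CHCKLOCL is later raised to REQDADM ("Required for administrators") or REQUIRED, local administrators must run runmqsc with the -u UserID parameter described above, otherwise AMQ8135 is returned.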
Statistics page
The following table lists the properties that we can set on the Statistics page of the Authentication Information properties dialog. The Statistics page displays information about the history of the authentication information object. We cannot edit the values of any of these properties.
Property: Alteration date
Meaning: Read-only. This is the date on which the authentication information object properties were last altered.
MQSC parameter: ALTDATE

Property: Alteration time
Meaning: Read-only. This is the time at which the authentication information object properties were last altered.
MQSC parameter: ALTTIME