Inquire Channel Authentication Records (Response)
The response to the Inquire Channel Authentication Records (MQCMD_INQUIRE_CHLAUTH_RECS) command consists of the response header followed by the requested combination of attribute parameter structures.
- Always returned:
- ChlAuth, Type, Warn(yes)
- Always returned if type is MQCAUT_BLOCKUSER:
- UserList
- Always returned if type is MQCAUT_BLOCKADDR:
- AddrList
- Always returned if type is MQCAUT_SSLPEERMAP:
- Address (unless blanks), MCAUser (unless blanks), SSLCertIssuer, SSLPeer, UserSrc
- Always returned if type is MQCAUT_ADDRESSMAP:
- Address (unless blanks), MCAUser (unless blanks), UserSrc
- Always returned if type is MQCAUT_USERMAP:
- Address (unless blanks), ClntUser, MCAUser (unless blanks), UserSrc
- Always returned if type is MQCAUT_QMGRMAP:
- Address (unless blanks), MCAUser (unless blanks), QMName, UserSrc
- Returned if requested:
- Address, AlterationDate, AlterationTime, Custom, Description, MCAUser, SSLPeer, UserSrc, Warn
Response data
- AlterationDate (MQCFST)
- Alteration date (parameter identifier: MQCA_ALTERATION_DATE).
The date when the information was last altered, in the form yyyy-mm-dd.
- AlterationTime (MQCFST)
- Alteration time (parameter identifier: MQCA_ALTERATION_TIME).
The time when the information was last altered, in the form hh.mm.ss.
- Address (MQCFST)
- The filter used to compare with the IP address, or host name, of the partner queue manager or client at the other end of the channel (parameter identifier: MQCACH_CONNECTION_NAME).
- AddrList (MQCFSL)
- A list of up to 100 IP address patterns which are banned from accessing this queue manager on any channel (parameter identifier: MQCACH_CONNECTION_NAME_LIST).
- ChlAuth (MQCFST)
- The name of the channel, or pattern that matches a set of channels, to which the channel authentication record applies (parameter identifier: MQCACH_CHANNEL_NAME).
- CheckClient (MQCFIN)
- The user ID and password requirements for the client connection to be successful (parameter identifier: MQIA_CHECK_CLIENT_BINDING).
- ClntUser (MQCFST)
- The client asserted user ID to be mapped to a new user ID, allowed through unchanged, or blocked (parameter identifier: MQCACH_CLIENT_USER_ID).
- Description (MQCFST)
- Descriptive information about the channel authentication record (parameter identifier: MQCA_CHLAUTH_DESC).
- MCAUser (MQCFST)
- The user identifier to be used when the inbound connection matches the TLS DN, IP address, client asserted user ID or remote queue manager name supplied (parameter identifier: MQCACH_MCA_USER_ID).
- QMName (MQCFST)
- The name of the remote partner queue manager to be mapped to a user ID, allowed through unchanged, or blocked (parameter identifier: MQCA_REMOTE_Q_MGR_NAME).
- SSLCertIssuer (MQCFST)
- This parameter is additional to the SSLPeer parameter.
SSLCertIssuer restricts matches to being within certificates issued by a particular Certificate Authority (parameter identifier: MQCA_SSL_CERT_ISSUER_NAME).
- SSLPeer (MQCFST)
- The filter to use to compare with the Distinguished Name of the certificate from the peer queue manager or client at the other end of the channel (parameter identifier: MQCACH_SSL_PEER_NAME).
- Type (MQCFIN)
- The type of channel authentication record for which to set allowed partner details or mappings to MCAUSER (parameter identifier: MQIACF_CHLAUTH_TYPE). The following values can be returned:
- MQCAUT_BLOCKUSER
- This channel authentication record prevents a specified user or users from connecting.
- MQCAUT_BLOCKADDR
- This channel authentication record prevents connections from a specified IP address or addresses.
- MQCAUT_SSLPEERMAP
- This channel authentication record maps TLS Distinguished Names (DNs) to MCAUSER values.
- MQCAUT_ADDRESSMAP
- This channel authentication record maps IP addresses to MCAUSER values.
- MQCAUT_USERMAP
- This channel authentication record maps asserted user IDs to MCAUSER values.
- MQCAUT_QMGRMAP
- This channel authentication record maps remote queue manager names to MCAUSER values.
- UserList (MQCFSL)
- A list of up to 100 user IDs which are banned from use of this channel or set of channels (parameter identifier: MQCACH_MCA_USER_ID_LIST). Use the special value *MQADMIN to mean privileged or administrative users. The definition of this value depends on the operating system, as follows:
- On Windows, all members of the mqm group, the Administrators group and SYSTEM.
- On UNIX and Linux, all members of the mqm group.
- On IBM i, the profiles (users) qmqm and qmqmadm and all members of the qmqmadm group, and any user defined with the *ALLOBJ special setting.
- On z/OS, the user ID that the channel initiator, queue manager and advanced message security address spaces are running under.
- UserSrc (MQCFIN)
- The source of the user ID to be used for MCAUSER at run time (parameter identifier: MQIACH_USER_SOURCE). The following values can be returned:
- MQUSRC_MAP
- Inbound connections that match this mapping use the user ID specified in the MCAUser attribute.
- MQUSRC_NOACCESS
- Inbound connections that match this mapping have no access to the queue manager and the channel ends immediately.
- MQUSRC_CHANNEL
- Inbound connections that match this mapping use the flowed user ID or any user defined on the channel object in the MCAUSER field.
- Warn (MQCFIN)
- Indicates whether this record operates in warning mode (parameter identifier: MQIACH_WARNING).
- MQWARN_NO
- This record does not operate in warning mode. Any inbound connection that matches this record is blocked. This is the default value.
- MQWARN_YES
- This record operates in warning mode. Any inbound connection that matches this record and would therefore be blocked is allowed access. An error message is written and, if events are configured, an event message is created showing the details of what would have been blocked. The connection is allowed to continue.
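The following is an added example, not part of the IBM documentation: a small audit over inquiry results that checks each record for the attributes listed above as always returned for its Type, and flags records in warning mode or with UserSrc set to MQUSRC_CHANNEL. It assumes the PCF response has already been decoded into dictionaries keyed by the attribute names on this page, with values given as symbolic constant names; the channel names and sample records are constructed.

```python
# Added audit example; the input dicts are constructed, not real PCF output.
# Attributes this page lists as "always returned" for each record Type
# (Address and MCAUser are omitted because they are not returned when blank).
REQUIRED = {
    "MQCAUT_BLOCKUSER": ["UserList"],
    "MQCAUT_BLOCKADDR": ["AddrList"],
    "MQCAUT_SSLPEERMAP": ["SSLCertIssuer", "SSLPeer", "UserSrc"],
    "MQCAUT_ADDRESSMAP": ["UserSrc"],
    "MQCAUT_USERMAP": ["ClntUser", "UserSrc"],
    "MQCAUT_QMGRMAP": ["QMName", "UserSrc"],
}

def audit(records):
    """Return (ChlAuth, Type, finding) tuples for records that need review."""
    findings = []
    admin_blocked = False
    for rec in records:
        key = (rec.get("ChlAuth", "?"), rec.get("Type", "?"))
        for attr in ["ChlAuth", "Type", "Warn"] + REQUIRED.get(rec.get("Type"), []):
            if attr not in rec:
                findings.append(key + (f"missing {attr}",))
        if rec.get("Warn") == "MQWARN_YES":
            # Warning mode: a match is reported but the connection continues.
            findings.append(key + ("warning mode: matches are logged, not blocked",))
        if rec.get("UserSrc") == "MQUSRC_CHANNEL":
            # Identity comes from the flowed user ID or the channel's MCAUSER.
            findings.append(key + ("runs as flowed or channel MCAUSER",))
        if (rec.get("Type") == "MQCAUT_BLOCKUSER" and rec.get("Warn") == "MQWARN_NO"
                and "*MQADMIN" in rec.get("UserList", [])):
            admin_blocked = True
    # Coarse check: it does not test which channels the blocking record covers.
    if not admin_blocked:
        findings.append(("*", "MQCAUT_BLOCKUSER", "no enforcing record lists *MQADMIN"))
    return findings

# Constructed sample records (hypothetical channel names and values).
SAMPLE = [
    {"ChlAuth": "*", "Type": "MQCAUT_BLOCKUSER", "Warn": "MQWARN_YES",
     "UserList": ["*MQADMIN"]},
    {"ChlAuth": "APP.SVRCONN", "Type": "MQCAUT_ADDRESSMAP", "Warn": "MQWARN_NO",
     "Address": "10.0.0.*", "UserSrc": "MQUSRC_CHANNEL"},
    {"ChlAuth": "PARTNER.*", "Type": "MQCAUT_SSLPEERMAP", "Warn": "MQWARN_NO",
     "SSLPeer": "CN=partner,O=Example", "MCAUser": "partner1", "UserSrc": "MQUSRC_MAP"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```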