Client MQI requests

Various user IDs can be used, depending on which user IDs and environment variables have been set. These user IDs are checked against various profiles, depending on the PUTAUT option used and whether an alternate user ID is specified.

This section describes the user IDs checked for client MQI requests issued over server-connection channels for TCP/IP and LU 6.2. The MCA user ID and channel user ID are as for the TCP/IP and LU 6.2 channels described in the previous sections.

For server-connection channels, the user ID received from the client is used if the MCAUSER attribute is blank.

See Access control for clients for more information.

For client MQOPEN, MQSUB, and MQPUT1 requests, use the following rules to determine the profile that is checked:

  • If the request specifies alternate-user authority, a check is made against the hlq.ALTERNATE.USER. userid profile.
  • If the request specifies context authority, a check is made against the hlq.CONTEXT. queuename profile.
  • For all MQOPEN, MQSUB, and MQPUT1 requests, a check is made against the hlq.resourcename profile.

When you have determined which profiles are checked, use the following table to determine which user IDs are checked against these profiles.

PUTAUT option specified on server-connection channel Alternate user ID specified on open? hlq.ALTERNATE.USER.userid profile hlq.CONTEXT.queuename profile hlq.resourcename profile
DEF, 1 check No - CHL CHL
DEF, 1 check Yes CHL CHL CHL
DEF, 2 checks No - CHL + MCA CHL + MCA
DEF, 2 checks Yes CHL + MCA CHL + MCA CHL + ALT
ONLYMCA, 1 check No - MCA MCA
ONLYMCA, 1 check Yes MCA MCA MCA
ONLYMCA, 2 checks No - MCA MCA
ONLYMCA, 2 checks Yes MCA MCA MCA + ALT
Key:

    MCA (MCA user ID)
    The user ID specified for the MCAUSER channel attribute at the server-connection; if blank, the channel initiator address space user ID is used.

    CHL (Channel user ID)
    On TCP/IP, security is not supported by the communication system for the channel. If Transport Layer Security (TLS) is being used and a digital certificate has been flowed from the partner, the user ID associated with this certificate (if installed), or the user ID associated with a matching filter found by using RACF Certificate Name Filtering (CNF), is used. If no associated user ID is found, or if TLS is not being used, the user ID of the channel initiator address space is used as the channel user ID on channels defined with the PUTAUT parameter set to DEF or CTX. Note: The use of RACF Certificate Name Filtering (CNF) allows you to assign the same RACF user ID to multiple remote users, for example all the users in the same organization unit, who would naturally all have the same security authority. This means that the server does not have to have a copy of the certificate of every possible remote user across the world, and greatly simplifies certificate management and distribution.

    If the PUTAUT parameter is set to ONLYMCA or ALTMCA for the channel, the channel user ID is ignored and the MCA user ID of the server-connection channel is used. This also applies to TCP/IP channels using TLS.

    ALT (Alternate user ID)
    The user ID from the context information (that is, the UserIdentifier field) within the message descriptor of the message. This user ID is moved into the AlternateUserID field in the object or subscription descriptor before an MQOPEN, MQSUB or MQPUT1 call is issued on behalf of the client application.

Parent topic: User IDs used by the channel initiator