Mapping an SSL or TLS Distinguished Name to an MCAUSER user ID
We can use a channel authentication record to set the MCAUSER attribute of a channel according to the Subject Distinguished Name (DN) of the certificate that the remote end presents during the TLS handshake. The mapping only takes effect if the channel actually requires a client certificate (SSLCAUTH(REQUIRED)); an anonymous TLS connection has no DN to match.
Before starting
Ensure that channel authentication records are enabled as follows:
ALTER QMGR CHLAUTH(ENABLED)
Procedure
Set a channel authentication record using the MQSC command SET CHLAUTH, or the PCF command Set Channel Authentication Record. For example, we can issue the MQSC command:
SET CHLAUTH('generic-channel-name') TYPE(SSLPEERMAP) SSLPEER(generic-ssl-peer-name) SSLCERTI(generic-issuer-name) USERSRC(MAP) MCAUSER(user)
- generic-channel-name is either the name of a channel to which we want to control access, or a pattern including the asterisk (*) symbol as a wildcard that matches the channel name.
- generic-ssl-peer-name is a string following the standard IBM MQ rules for SSLPEER values. See IBM MQ rules for SSLPEER values.
- generic-issuer-name is the Issuer DN that the certificate must match. This parameter is optional, but we should specify it whenever more than one certificate authority is trusted: two CAs can issue certificates with the same Subject DN, and without SSLCERTI the rule would match either of them.
- user is the user ID to be used for all connections that present a certificate matching the specified DN. It must be a non-privileged user; the default BLOCKUSER rule for *MQADMIN rejects a connection whose final MCAUSER is an administrator.
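A complete worked sequence for the procedure above, added here as an example rather than taken from the original page. The queue manager QM1, channel APP.SVRCONN, the OS user appuser, the DN values under O=Example Corp and the CipherSpec ANY_TLS12_OR_HIGHER (which needs a 9.1.1 or later queue manager) are all assumptions; substitute your own:

```mqsc
* Added example, not from the original page. Assumed names: queue manager QM1,
* channel APP.SVRCONN, OS user 'appuser', DNs under O=Example Corp.
* Run inside: runmqsc QM1

* 1. Rules are only evaluated when CHLAUTH is enabled on the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* 2. SSLPEERMAP only sees a DN if the client is forced to present a certificate.
*    Without SSLCAUTH(REQUIRED) an anonymous TLS client has no SSLPEER to match.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
    SSLCIPH('ANY_TLS12_OR_HIGHER') SSLCAUTH(REQUIRED)

* 3. Map the payments application's certificates to 'appuser'.
*    SSLCERTI pins the issuer so a same-named subject from another CA does not match.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app*,OU=Payments,O=Example Corp') +
    SSLCERTI('CN=Example Corp Issuing CA 1,O=Example Corp') +
    USERSRC(MAP) MCAUSER('appuser') +
    DESCR('Payments app certs -> appuser')

* 4. Any other certificate on this channel gets no access. The specific rule
*    above wins over this generic one because CHLAUTH applies the most specific match.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=*') USERSRC(NOACCESS) +
    DESCR('Deny certificates not explicitly mapped')

* 5. Positive check: show which rule a real connection would hit before relying on it.
*    MATCH(RUNCHECK) needs a specific channel name, a full DN and an ADDRESS.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    SSLPEER('CN=app01,OU=Payments,O=Example Corp') +
    SSLCERTI('CN=Example Corp Issuing CA 1,O=Example Corp') +
    ADDRESS('10.0.0.5')

* 6. Negative check: same subject from a different issuer must fall through to NOACCESS.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    SSLPEER('CN=app01,OU=Payments,O=Example Corp') +
    SSLCERTI('CN=Other CA,O=Other Org') +
    ADDRESS('10.0.0.5')
```

The two DISPLAY CHLAUTH MATCH(RUNCHECK) commands are the check worth keeping in a change procedure: the first should report the rule from step 3 with MCAUSER(appuser), the second the NOACCESS rule from step 4. The user named in MCAUSER must exist on the queue manager host and must not be a member of the mqm group, otherwise the default *MQADMIN BLOCKUSER rule rejects the connection after the mapping.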