User IDs used by the channel initiator
The following sections describe the user IDs used and checked for the following:
- TCP/IP receiving channels.
- LU 6.2 receiving channels.
- Client MQI requests issued over server-connection channels for both TCP/IP and LU 6.2.
You can use the PUTAUT parameter of the receiving channel definition to determine the type of security checking used. To get consistent security checking throughout your WebSphere MQ network, use the ONLYMCA and ALTMCA options.
You can use the DISPLAY CHSTATUS command to determine the user identifier used by the MCA. See WebSphere MQ Script (MQSC) Command Reference.
Receiving channels using TCP/IP
- MCA user ID (MCA)
- The user ID specified for the MCAUSER channel attribute at the receiver; if blank, the channel initiator address space user ID of the receiver or requester side is used.
- Channel user ID (CHL)
- On TCP/IP, security is not supported by the communication system for the channel. If the Secure Sockets Layer (SSL) is being used and a digital certificate has been flowed from the partner, the user ID associated with this certificate (if installed), or the user ID associated with a matching filter found by using RACF's Certificate Name Filter (CNF), is used. If no associated user ID is found, or if SSL is not being used, the user ID of the channel initiator address space of the receiver or requester end is used as the channel user ID on channels defined with the PUTAUT parameter set to DEF or CTX.
Note: The use of RACF's Certificate Name Filter (CNF) allows you to assign the same RACF user ID to multiple remote users, for example all the users in the same organization unit, who would naturally all have the same security authority. This means that the server does not have to hold a copy of the certificate of every possible remote end user across the world, which greatly simplifies certificate management and distribution.
If the PUTAUT parameter is set to ONLYMCA or ALTMCA for the channel, the channel user ID is ignored and the MCA user ID of the receiver or requester is used. This also applies to TCP/IP channels using SSL.
- Alternate user ID (ALT)
- The user ID from the context information (that is, the UserIdentifier field) within the message descriptor of the message. This user ID is moved into the AlternateUserID field in the object descriptor before an MQOPEN or MQPUT1 call is issued for the target destination queue.
Table 59. User IDs checked against profile name for TCP/IP channels

| PUTAUT option specified on receiver or requester channel | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|
| DEF, 1 check | - | CHL | CHL |
| DEF, 2 checks | - | CHL + MCA | CHL + MCA |
| CTX, 1 check | CHL | CHL | CHL |
| CTX, 2 checks | CHL + MCA | CHL + MCA | CHL + ALT |
| ONLYMCA, 1 check | - | MCA | MCA |
| ONLYMCA, 2 checks | - | MCA | MCA |
| ALTMCA, 1 check | MCA | MCA | MCA |
| ALTMCA, 2 checks | MCA | MCA | MCA + ALT |

Key: MCA = MCA user ID, CHL = channel user ID, ALT = alternate user ID, as defined above; "-" means no check is made against that profile.
Receiving channels using LU 6.2
- MCA user ID (MCA)
- The user ID specified for the MCAUSER channel attribute at the receiver; if blank, the channel initiator address space user ID of the receiver or requester side is used.
- Channel user ID (CHL)
- Requester-server channels
  - If the channel is started from the requester, there is no opportunity to receive a network user ID (the channel user ID).
  - If the PUTAUT parameter is set to DEF or CTX on the requester channel, the channel user ID is that of the channel initiator address space of the requester because no user ID is received from the network.
  - If the PUTAUT parameter is set to ONLYMCA or ALTMCA, the channel user ID is ignored and the MCA user ID of the requester is used.
- Other channel types
  - If the PUTAUT parameter is set to DEF or CTX on the receiver or requester channel, the channel user ID is the user ID received from the communications system when the channel is initiated.
    - If the sending channel is on z/OS, the channel user ID received is the channel initiator address space user ID of the sender.
    - If the sending channel is on a different platform (for example, AIX or HP-UX), the channel user ID received is typically provided by the USERID parameter of the channel definition.
  - If the user ID received is blank, or no user ID is received, a channel user ID of blanks is used.
- Alternate user ID (ALT)
- The user ID from the context information (that is, the UserIdentifier field) within the message descriptor of the message. This user ID is moved into the AlternateUserID field in the object descriptor before an MQOPEN or MQPUT1 call is issued for the target destination queue.
Table 60. User IDs checked against profile name for LU 6.2 channels

| PUTAUT option specified on receiver or requester channel | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|
| DEF, 1 check | - | CHL | CHL |
| DEF, 2 checks | - | CHL + MCA | CHL + MCA |
| CTX, 1 check | CHL | CHL | CHL |
| CTX, 2 checks | CHL + MCA | CHL + MCA | CHL + ALT |
| ONLYMCA, 1 check | - | MCA | MCA |
| ONLYMCA, 2 checks | - | MCA | MCA |
| ALTMCA, 1 check | MCA | MCA | MCA |
| ALTMCA, 2 checks | MCA | MCA | MCA + ALT |

Key: MCA = MCA user ID, CHL = channel user ID, ALT = alternate user ID, as defined above; "-" means no check is made against that profile.
Client MQI requests
This section describes the user IDs checked for client MQI requests issued over server-connection channels for TCP/IP and LU 6.2. The MCA user ID and channel user ID are as for the TCP/IP and LU 6.2 channels described in the previous sections.
For server-connection channels, the user ID received from the client is used if the MCAUSER attribute is blank. However, for the clients that can use the MQ_USER_ID environment variable to supply the user ID, it is possible that no environment variable has been set. In this case, the user ID that started the server channel is used. This is the user ID assigned to the channel initiator started task by the z/OS started procedures table.
See the WebSphere MQ Clients manual for more information.
For client MQOPEN and MQPUT1 requests, use the following rules to determine the profile that is checked:
- If the request specifies alternate-user authority, a check is made against the hlq.ALTERNATE.USER.userid profile.
- If the request specifies context authority, a check is made against the hlq.CONTEXT.queuename profile.
- For all MQOPEN and MQPUT1 requests, a check is made against the hlq.resourcename profile.
When you have determined which profiles are checked, use the following table to determine which user IDs are checked against these profiles.
Table 61. User IDs checked against profile name for LU 6.2 and TCP/IP server-connection channels

| PUTAUT option specified on server-connection channel | Alternate user ID specified on open? | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|---|
| DEF, 1 check | No | - | CHL | CHL |
| DEF, 1 check | Yes | CHL | CHL | CHL |
| DEF, 2 checks | No | - | CHL + MCA | CHL + MCA |
| DEF, 2 checks | Yes | CHL + MCA | CHL + MCA | CHL + ALT |
| ONLYMCA, 1 check | No | - | MCA | MCA |
| ONLYMCA, 1 check | Yes | MCA | MCA | MCA |
| ONLYMCA, 2 checks | No | - | MCA | MCA |
| ONLYMCA, 2 checks | Yes | MCA | MCA | MCA + ALT |

Key: MCA = MCA user ID, CHL = channel user ID, ALT = alternate user ID, as defined in the previous sections; "-" means no check is made against that profile.
Channel initiator example
A user performs an MQPUT1 operation to a queue on queue manager QM01 that resolves to a queue called QB on queue manager QM02. The message is sent on a TCP/IP channel called QM01.TO.QM02. RESLEVEL is set to NONE, and the open is performed with alternate user ID and context checking. The receiver channel definition has PUTAUT(CTX) and the MCA user ID is set. Which user IDs are used on the receiving channel to put the message to queue QB?
Answer: Table 53 shows that two user IDs are checked because RESLEVEL is set to NONE.
Table 59 shows that, with PUTAUT set to CTX and 2 checks, the following user IDs are checked:
- The channel initiator user ID and the MCAUSER user ID are checked against the hlq.ALTERNATE.USER.userid profile.
- The channel initiator user ID and the MCAUSER user ID are checked against the hlq.CONTEXT.queuename profile.
- The channel initiator user ID and the alternate user ID specified in the message descriptor (MQMD) are checked against the hlq.QB profile.
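The rules behind Tables 59, 60 and 61 can be stated more compactly than the tables themselves: ONLYMCA and ALTMCA substitute the MCA user ID for the channel user ID, a second check (RESLEVEL) adds the MCA user ID, and in context mode (CTX, ALTMCA, or an alternate user ID on a client open) the second ID checked against the resource profile is the alternate user ID from the MQMD instead. The following Python is an added illustration of those rules, not IBM code; it reproduces every row of the tables and the channel initiator example above. The function names are assumptions, the profile-name layout (hlq.ALTERNATE.USER.userid, hlq.CONTEXT.queuename, hlq.resourcename) follows the page, and the use of the queue manager name QM02 as hlq in the worked example is an assumption.

```python
"""Which user IDs the WebSphere MQ for z/OS channel initiator checks against
which RACF profiles when a received message is put to a queue.

Added illustration distilled from Tables 59/60 (receiving channels) and
Table 61 (server-connection channels); not IBM code. MCA, CHL and ALT are
the page's own key for the MCA user ID, channel user ID and alternate user ID.
"""
from __future__ import annotations

MCA, CHL, ALT = "MCA", "CHL", "ALT"


def _base_ids(putaut: str, checks: int) -> list[str]:
    """IDs checked against the ALTERNATE.USER and CONTEXT profiles.

    ONLYMCA/ALTMCA ignore the channel user ID and use only the MCA user ID.
    DEF/CTX use the channel user ID, plus the MCA user ID when RESLEVEL
    results in two checks.
    """
    if checks not in (1, 2):
        raise ValueError("RESLEVEL yields either 1 or 2 checks")
    if putaut in ("ONLYMCA", "ALTMCA"):
        return [MCA]
    if putaut in ("DEF", "CTX"):
        return [CHL] if checks == 1 else [CHL, MCA]
    raise ValueError(f"unknown PUTAUT value: {putaut}")


def _resource_ids(base: list[str], context_mode: bool, checks: int) -> list[str]:
    """For the resource profile itself, the second ID in context mode is the
    alternate user ID from the MQMD rather than the MCA user ID."""
    return [base[0], ALT] if context_mode and checks == 2 else list(base)


def channel_checks(putaut: str, checks: int, hlq: str, queue: str,
                   alt_userid: str = "userid") -> dict[str, list[str]]:
    """Checks for a TCP/IP or LU 6.2 receiving/requester channel (Tables 59, 60).

    Returns {profile name: [user IDs checked against it]}.
    PUTAUT CTX and ALTMCA imply alternate-user and context checking.
    """
    base = _base_ids(putaut, checks)
    context_mode = putaut in ("CTX", "ALTMCA")
    result: dict[str, list[str]] = {}
    if context_mode:
        result[f"{hlq}.ALTERNATE.USER.{alt_userid}"] = list(base)
    result[f"{hlq}.CONTEXT.{queue}"] = list(base)
    result[f"{hlq}.{queue}"] = _resource_ids(base, context_mode, checks)
    return result


def client_checks(putaut: str, checks: int, hlq: str, queue: str,
                  alt_user_on_open: bool, context_on_open: bool,
                  alt_userid: str = "userid") -> dict[str, list[str]]:
    """Checks for a client MQOPEN/MQPUT1 over a server-connection channel
    (Table 61). The ALTERNATE.USER and CONTEXT profiles are checked only
    when the open requests that authority; the resource profile always is.
    Table 61 lists only PUTAUT DEF and ONLYMCA for server-connection channels.
    """
    if putaut not in ("DEF", "ONLYMCA"):
        raise ValueError("Table 61 covers PUTAUT DEF and ONLYMCA only")
    base = _base_ids(putaut, checks)
    result: dict[str, list[str]] = {}
    if alt_user_on_open:
        result[f"{hlq}.ALTERNATE.USER.{alt_userid}"] = list(base)
    if context_on_open:
        result[f"{hlq}.CONTEXT.{queue}"] = list(base)
    result[f"{hlq}.{queue}"] = _resource_ids(base, alt_user_on_open, checks)
    return result


def worked_example() -> dict[str, list[str]]:
    """The channel initiator example from the page: receiver channel with
    PUTAUT(CTX), RESLEVEL NONE (two checks), target queue QB on QM02.
    Assumes hlq is the queue manager name QM02."""
    return channel_checks("CTX", 2, "QM02", "QB")


if __name__ == "__main__":
    for profile, ids in worked_example().items():
        print(f"{profile}: {' + '.join(ids)}")
```

Running the block prints the three checks of the example (the channel user ID is the channel initiator address space user ID here, since no SSL certificate is mentioned): CHL + MCA against QM02.ALTERNATE.USER.userid and QM02.CONTEXT.QB, and CHL + ALT against QM02.QB. Swapping CTX for ALTMCA shows how the MCA user ID replaces the channel user ID while the MQMD alternate user ID is still checked against the queue.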