Receiving channels using TCP/IP

The user IDs checked depend on the PUTAUT option of the channel and on whether one or two checks are to be performed.

Table 1. User IDs checked against profile name for TCP/IP channels
| PUTAUT option specified on receiver or requester channel | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|
| DEF, 1 check | - | CHL | CHL |
| DEF, 2 checks | - | CHL + MCA | CHL + MCA |
| CTX, 1 check | CHL | CHL | CHL |
| CTX, 2 checks | CHL + MCA | CHL + MCA | CHL + ALT |
| ONLYMCA, 1 check | - | MCA | MCA |
| ONLYMCA, 2 checks | - | MCA | MCA |
| ALTMCA, 1 check | MCA | MCA | MCA |
| ALTMCA, 2 checks | MCA | MCA | MCA + ALT |

Key:
MCA (MCA user ID)
The user ID specified for the MCAUSER channel attribute at the receiver; if blank, the channel initiator address space user ID of the receiver or requester side is used.
CHL (Channel user ID)
On TCP/IP, security is not supported by the communication system for the channel. If the Secure Sockets Layer (SSL) is being used and a digital certificate has been flowed from the partner, the user ID associated with this certificate (if installed), or the user ID associated with a matching filter found by using RACF® Certificate Name Filtering (CNF), is used. If no associated user ID is found, or if SSL is not being used, the user ID of the channel initiator address space of the receiver or requester end is used as the channel user ID on channels defined with the PUTAUT parameter set to DEF or CTX.
Note: The use of RACF Certificate Name Filtering (CNF) allows you to assign the same RACF user ID to multiple remote users, for example all the users in the same organization unit, who would naturally all have the same security authority. This means that the server does not have to have a copy of the certificate of every possible remote end user across the world and greatly simplifies certificate management and distribution.

If the PUTAUT parameter is set to ONLYMCA or ALTMCA for the channel, the channel user ID is ignored and the MCA user ID of the receiver or requester is used. This also applies to TCP/IP channels using SSL.

ALT (Alternate user ID)
The user ID from the context information (that is, the UserIdentifier field) within the message descriptor of the message. This user ID is moved into the AlternateUserID field in the object descriptor before an MQOPEN or MQPUT1 call is issued for the target destination queue.
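
The table and key above can be modelled as a small resolver, shown here as an added example (not IBM MQ code and not part of the original page). The function name, parameter names and sample user IDs are assumptions made for illustration; a "-" cell is treated as no check against that profile.

```python
# Added example: a model of Table 1 and its key, not IBM MQ code.
PROFILES = ("hlq.ALTERNATE.USER.userid", "hlq.CONTEXT.queuename", "hlq.resourcename")

# (PUTAUT, number of checks) -> roles checked per profile, in PROFILES order.
# A "-" cell in the table (no check) is an empty tuple.
TABLE = {
    ("DEF", 1):     ((),             ("CHL",),       ("CHL",)),
    ("DEF", 2):     ((),             ("CHL", "MCA"), ("CHL", "MCA")),
    ("CTX", 1):     (("CHL",),       ("CHL",),       ("CHL",)),
    ("CTX", 2):     (("CHL", "MCA"), ("CHL", "MCA"), ("CHL", "ALT")),
    ("ONLYMCA", 1): ((),             ("MCA",),       ("MCA",)),
    ("ONLYMCA", 2): ((),             ("MCA",),       ("MCA",)),
    ("ALTMCA", 1):  (("MCA",),       ("MCA",),       ("MCA",)),
    ("ALTMCA", 2):  (("MCA",),       ("MCA",),       ("MCA", "ALT")),
}

def checked_user_ids(putaut, checks, chinit_user, mcauser="", cert_user=None, msg_user=""):
    """Return {profile: [user IDs checked]} for a receiver or requester channel.

    chinit_user: channel initiator address space user ID
    mcauser:     MCAUSER channel attribute (blank means chinit_user is used)
    cert_user:   user ID associated with the partner's SSL certificate, directly
                 or through a CNF filter; None if not found or SSL is not used
    msg_user:    UserIdentifier field from the message descriptor
    """
    ids = {
        "MCA": mcauser.strip() or chinit_user,
        "CHL": cert_user or chinit_user,  # only referenced for DEF and CTX
        "ALT": msg_user.strip(),
    }
    roles = TABLE[(putaut.upper(), checks)]
    return {p: [ids[r] for r in cell] for p, cell in zip(PROFILES, roles)}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for opt in ("DEF", "CTX", "ONLYMCA", "ALTMCA"):
        print(opt, checked_user_ids(opt, 2, "CHINIT1", "MQMCA", "PARTNER1", "APPUSR"))
```

With SSL not in use and MCAUSER blank, both CHL and MCA resolve to the channel initiator user ID, so a DEF channel with two checks tests the same ID twice.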