[z/OS]

Client MQI requests

Various user IDs can be used, depending on which user IDs and environment variables have been set. These user IDs are checked against various profiles, depending on the PUTAUT option used and whether an alternate user ID is specified.

This section describes the user IDs checked for client MQI requests issued over server-connection channels for TCP/IP and LU 6.2. The MCA user ID and channel user ID are as for the TCP/IP and LU 6.2 channels described in the previous sections.

For server-connection channels, the user ID received from the client is used if the MCAUSER attribute is blank.

See Access control for clients for more information.

For client MQOPEN, MQSUB, and MQPUT1 requests, use the following rules to determine the profile that is checked:
  • If the request specifies alternate-user authority, a check is made against the hlq.ALTERNATE.USER.userid profile.
  • If the request specifies context authority, a check is made against the hlq.CONTEXT.queuename profile.
  • For all MQOPEN, MQSUB, and MQPUT1 requests, a check is made against the hlq.resourcename profile.

When you have determined which profiles are checked, use the following table to determine which user IDs are checked against these profiles.

Table 1. User IDs checked against profile name for LU 6.2 and TCP/IP server-connection channels

| PUTAUT option specified on server-connection channel | Alternate user ID specified on open? | hlq.ALTERNATE.USER.userid profile | hlq.CONTEXT.queuename profile | hlq.resourcename profile |
|---|---|---|---|---|
| DEF, 1 check | No | - | CHL | CHL |
| DEF, 1 check | Yes | CHL | CHL | CHL |
| DEF, 2 checks | No | - | CHL + MCA | CHL + MCA |
| DEF, 2 checks | Yes | CHL + MCA | CHL + MCA | CHL + ALT |
| ONLYMCA, 1 check | No | - | MCA | MCA |
| ONLYMCA, 1 check | Yes | MCA | MCA | MCA |
| ONLYMCA, 2 checks | No | - | MCA | MCA |
| ONLYMCA, 2 checks | Yes | MCA | MCA | MCA + ALT |

Key:
MCA (MCA user ID)
The user ID specified for the MCAUSER channel attribute at the server-connection; if blank, the channel initiator address space user ID is used.
CHL (Channel user ID)
On TCP/IP, security is not supported by the communication system for the channel. If Transport Layer Security (TLS) is being used and a digital certificate has been flowed from the partner, the user ID associated with this certificate (if installed), or the user ID associated with a matching filter found by using RACF® Certificate Name Filtering (CNF), is used. If no associated user ID is found, or if TLS is not being used, the user ID of the channel initiator address space is used as the channel user ID on channels defined with the PUTAUT parameter set to DEF or CTX.
Note: The use of RACF Certificate Name Filtering (CNF) allows you to assign the same RACF user ID to multiple remote users, for example all the users in the same organization unit, who would naturally all have the same security authority. This means that the server does not have to have a copy of the certificate of every possible remote user across the world, and greatly simplifies certificate management and distribution.

If the PUTAUT parameter is set to ONLYMCA or ALTMCA for the channel, the channel user ID is ignored and the MCA user ID of the server-connection channel is used. This also applies to TCP/IP channels using TLS.

ALT (Alternate user ID)
The user ID from the context information (that is, the UserIdentifier field) within the message descriptor of the message. This user ID is moved into the AlternateUserID field in the object or subscription descriptor before an MQOPEN, MQSUB or MQPUT1 call is issued on behalf of the client application.
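
The profile rules, Table 1 and the Key can be combined into one audit helper that lists, for a given TCP/IP server-connection request, every profile checked and the user IDs that need access to it. This is an added example, not IBM code. The class, field and function names are hypothetical. It assumes that a blank MCAUSER falls back first to the user ID received from the client and then to the channel initiator user ID, and that the userid in hlq.ALTERNATE.USER.userid is the alternate user ID.

```python
from dataclasses import dataclass

@dataclass
class ClientRequest:              # hypothetical container for one client MQI request
    putaut: str                   # "DEF" or "ONLYMCA" (PUTAUT on the channel)
    checks: int                   # 1 or 2, as in the first column of Table 1
    chinit_user: str              # channel initiator address space user ID
    resource: str                 # resource (queue) name being opened
    mcauser: str = ""             # MCAUSER attribute; "" means blank
    client_user: str = ""         # user ID received from the client
    cert_user: str = ""           # RACF user ID mapped from the TLS certificate or a CNF filter
    alt_user: str = ""            # alternate user ID; "" if none specified on the open
    context: bool = False         # request specifies context authority
    hlq: str = "hlq"              # profile high-level qualifier

def resolve_ids(req):
    """Return (MCA, CHL) as the Key defines them for TCP/IP."""
    # Assumption: blank MCAUSER -> client-supplied ID, then channel initiator ID.
    mca = req.mcauser or req.client_user or req.chinit_user
    chl = req.cert_user or req.chinit_user
    return mca, chl

def profile_checks(req):
    """Map each profile checked to the ordered user IDs checked against it."""
    if req.putaut not in ("DEF", "ONLYMCA") or req.checks not in (1, 2):
        raise ValueError("combination is not covered by Table 1")
    mca, chl = resolve_ids(req)
    first = chl if req.putaut == "DEF" else mca       # ONLYMCA ignores CHL
    pair = [first, mca] if req.checks == 2 else [first]
    # With two checks and an alternate user ID, the resource check uses ALT second.
    res = [first, req.alt_user] if req.checks == 2 and req.alt_user else pair
    out = {}
    if req.alt_user:
        out[f"{req.hlq}.ALTERNATE.USER.{req.alt_user}"] = pair
    if req.context:
        out[f"{req.hlq}.CONTEXT.{req.resource}"] = pair
    out[f"{req.hlq}.{req.resource}"] = res
    # Collapse duplicates such as MCA + MCA while keeping the check order.
    return {p: list(dict.fromkeys(ids)) for p, ids in out.items()}

if __name__ == "__main__":
    # Constructed sample: TLS partner mapped to BRANCH1, blank MCAUSER, two checks.
    sample = ClientRequest("DEF", 2, "MQCHIN", "PAYROLL.IN",
                           cert_user="BRANCH1", alt_user="APPUSR", context=True)
    for profile, ids in profile_checks(sample).items():
        print(profile, "<-", " + ".join(ids))
```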