DISPLAY CHLAUTH

Use the MQSC command DISPLAY CHLAUTH to display the attributes of a channel authentication record.


Use MQSC commands

For information on how we use MQSC commands, see Performing local administration tasks using MQSC commands.

We can issue this command from sources 2CR. For an explanation of the source symbols, see Use commands on z/OS®.

Synonym: DIS CHLAUTH

DISPLAY CHLAUTH

DISPLAY CHLAUTH(generic-channel-name) (1) takes these keywords:

  • CMDSCOPE (3): CMDSCOPE(' '), CMDSCOPE(qmgr-name) (2) or CMDSCOPE(*) (2)
  • TYPE: TYPE(ALL), TYPE(BLOCKUSER), TYPE(BLOCKADDR), TYPE(SSLPEERMAP), TYPE(ADDRESSMAP), TYPE(USERMAP) or TYPE(QMGRMAP)
  • MATCH: MATCH(GENERIC), MATCH(ALL), MATCH(EXACT), or MATCH(RUNCHECK) (4) with the runtime check match block
  • ALL
  • WHERE(FilterCondition)
  • Requested attributes

Runtime check match block: ADDRESS(ip-address); QMNAME(qmgr-name) or CLNTUSER(user); SSLPEER(ssl-peer-name); SSLCERTI(issuer-name)

Requested attributes: TYPE, SSLPEER, SSLCERTI, ADDRESS, CHCKCLNT, CLNTUSER, QMNAME, ADDRLIST, USERLIST, MCAUSER, ALTDATE, ALTTIME, DESCR, CUSTOM

Notes:

    • 1 Must be * with TYPE(BLOCKADDR) and cannot be generic with MATCH(RUNCHECK)
    • 2 Valid only on z/OS when the queue manager is a member of a queue-sharing group.
    • 3 Valid only on z/OS.
    • 4 Must be combined with TYPE(ALL)


    Parameters

      generic-channel-name
      The name of the channel or set of channels to display. We can use the asterisk (*) as a wildcard to specify a set of channels. When an asterisk is used on z/OS, single quotes must be used around the whole value. When MATCH is RUNCHECK this parameter must not be generic.
      ADDRESS
      The IP address to be matched.

      This parameter is valid only when MATCH is RUNCHECK, must not be generic and must not be a host name.

      ALL
      Specify this parameter to display all attributes. If this keyword is specified, any attributes that are requested specifically have no effect; all attributes are still displayed.

      This is the default behavior if we do not specify a generic name and do not request any specific attributes.

      CLNTUSER
      The client asserted user ID to be mapped to a new user ID, allowed through unchanged, or blocked.

      This can be the user ID flowed from the client indicating the user ID the client side process is running under, or the user ID presented by the client on an MQCONNX call using MQCSP.

      This parameter is valid only with TYPE(USERMAP) and when Match is MQMATCH_RUNCHECK.

      The maximum length of the string is MQ_CLIENT_USER_ID_LENGTH.

      CMDSCOPE
      This parameter applies to z/OS only and specifies how the command is run when the queue manager is a member of a queue sharing group.

        ' '
        The command is run on the queue manager on which it was entered. This is the default value.

        qmgr-name
        The command is run on the queue manager you specify, providing the queue manager is active within the queue sharing group.

        We can specify a queue manager name, other than the queue manager on which the command was entered, only if you are using a queue sharing group environment and if the command server is enabled.

        *
        The command is run on the local queue manager and is also passed to every active queue manager in the queue sharing group. The effect is the same as entering the command on every queue manager in the queue sharing group.

      MATCH
      Indicates the type of matching to be applied.

        RUNCHECK
        Returns the record that is matched by a specific inbound channel at run time if it connects to this queue manager. The specific inbound channel is described by providing values that are not generic:

        • Channel name.
        • ADDRESS attribute containing an IP address, that is then reverse looked up as part of running the command to discover the host name, if the queue manager is configured with REVDNS(ENABLED).
        • SSLCERTI attribute, only if the inbound channel uses TLS.
        • SSLPEER attribute, only if the inbound channel uses TLS.
        • QMNAME or CLNTUSER attribute, depending on whether the inbound channel is a client or queue manager channel.
        If the record discovered has WARN set to YES, a second record might also be displayed to show the actual record the channel will use at run time. This parameter must be combined with TYPE(ALL).

        EXACT
        Return only those records which exactly match the channel profile name supplied. If there are no asterisks in the channel profile name, this option returns the same output as MATCH(GENERIC).

        GENERIC
        Any asterisks in the channel profile name are treated as wildcards. If there are no asterisks in the channel profile name, this returns the same output as MATCH(EXACT). For example, a profile of ABC* could result in records for ABC, ABC*, and ABCD being returned.

        ALL
        Return all possible records that match the channel profile name supplied. If the channel name is generic in this case, all records that match the channel name are returned even if more specific matches exist. For example, a profile of SYSTEM.*.SVRCONN could result in records for SYSTEM.*, SYSTEM.DEF.*, SYSTEM.DEF.SVRCONN, and SYSTEM.ADMIN.SVRCONN being returned.

      QMNAME
      The name of the remote partner queue manager to be matched.

      This parameter is valid only when MATCH is RUNCHECK and must not be generic.

      SSLCERTI

      The Certificate issuer Distinguished Name of the certificate to be matched.

      The SSLCERTI field, if not blank, is matched in addition to the SSLPEER value.

      This parameter is valid only when MATCH is RUNCHECK and must not be generic.

      SSLPEER

      The Subject Distinguished Name of the certificate to be matched.

      The SSLPEER value is specified in the standard form used to specify a Distinguished Name.

      This parameter is valid only when MATCH is RUNCHECK and must not be generic.

      TYPE
      The type of Channel Authentication Record for which to display details. Possible values are:

      • ALL
      • BLOCKUSER
      • BLOCKADDR
      • SSLPEERMAP
      • ADDRESSMAP
      • USERMAP
      • QMGRMAP
      WHERE
      Specify a filter condition to display only those channel authentication records that satisfy the selection criterion of the filter condition. The filter condition is in three parts: filter-keyword, operator, and filter-value:

        filter-keyword
        Any parameter that can be used to display attributes for this DISPLAY command.
        operator
        This is used to determine whether a channel authentication record satisfies the filter value on the given filter keyword. The operators are as follows:

          LT
          Less than

          GT
          Greater than

          EQ
          Equal to

          NE
          Not equal to

          LE
          Less than or equal to

          GE
          Greater than or equal to

          LK
          Matches a generic string that you provide as a filter-value

          NL
          Does not match a generic string that you provide as a filter-value

          CT
          Contains a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which contain the specified item.

          EX
          Does not contain a specified item. If the filter-keyword is a list, we can use this to display objects the attributes of which do not contain the specified item.

          CTG
          Contains an item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which match the generic string.

          EXG
          Does not contain any item which matches a generic string that you provide as a filter-value. If the filter-keyword is a list, we can use this to display objects the attributes of which do not match the generic string.

        filter-value
        The value that the attribute value must be tested against using the operator. Depending on the filter-keyword, the value can be either explicit or generic:

        • An explicit value, that is a valid value for the attribute being tested.

          We can use any of the operators except LK and NL. However, if the value is one from a possible set of values returnable on a parameter (for example, the value ALL on the MATCH parameter), we can only use EQ or NE.

        • A generic value. This is a character string with an asterisk at the end, for example ABC*. The characters must be valid for the attribute you are testing. If the operator is LK, all items where the attribute value begins with the string (ABC in the example) are listed. If the operator is NL, all items where the attribute value does not begin with the string are listed. We cannot use a generic filter-value for parameters with numeric values or with one of a set of values.

          We can only use operators LK or NL for generic values.

        • An item in a list of values. The value can be explicit or, if it is a character value, it can be explicit or generic. If it is explicit, use CT or EX as the operator. For example, if the value DEF is specified with the operator CT, all items where one of the attribute values is DEF are listed. If it is generic, use CTG or EXG as the operator. If ABC* is specified with the operator CTG, all items where one of the attribute values begins with ABC are listed.

      Note: On z/OS there is a 256 character limit for the filter-value of the MQSC WHERE clause. This limit is not in place for other platforms.
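
The WHERE operators described above, modelled over a few records so the difference between explicit, generic and list filters can be seen. This is an added example, not IBM code: the records are constructed, the `where` and `select` names are hypothetical, and treating a record that lacks the attribute as not listed is an assumption.

```python
import operator

# Constructed sample records using attributes DISPLAY CHLAUTH can return.
RECORDS = [
    {"CHLAUTH": "*", "TYPE": "BLOCKUSER",
     "USERLIST": ["guest", "admin1"], "ALTDATE": "2023-11-02"},
    {"CHLAUTH": "APP1.SVRCONN", "TYPE": "USERMAP", "CLNTUSER": "appuser",
     "MCAUSER": "svcapp1", "ALTDATE": "2024-03-15"},
    {"CHLAUTH": "SYSTEM.ADMIN.SVRCONN", "TYPE": "ADDRESSMAP",
     "ADDRESS": "192.0.2.10", "MCAUSER": "svcadmin", "ALTDATE": "2024-06-01"},
]

COMPARE = {"LT": operator.lt, "GT": operator.gt, "EQ": operator.eq,
           "NE": operator.ne, "LE": operator.le, "GE": operator.ge}

def where(record, keyword, op, value):
    """Evaluate WHERE(keyword op value) against one record."""
    attr = record.get(keyword)
    if attr is None:
        return False  # assumption: a record without the attribute is not listed
    is_list = isinstance(attr, list)
    generic = value.endswith("*")       # generic value: asterisk at the end
    prefix = value[:-1] if generic else value
    # Explicit value on a single-valued attribute: any operator except LK and NL.
    if op in COMPARE and not generic and not is_list:
        return COMPARE[op](attr, value)
    # Generic value on a single-valued attribute: only LK or NL.
    if op in ("LK", "NL") and generic and not is_list:
        return attr.startswith(prefix) == (op == "LK")
    # List attribute: CT/EX for an explicit item, CTG/EXG for a generic one.
    if op in ("CT", "EX", "CTG", "EXG") and is_list and generic == op.endswith("G"):
        hit = any(i.startswith(prefix) if generic else i == value for i in attr)
        return hit == op.startswith("CT")
    raise ValueError(f"operator {op} cannot be used with {value!r} on {keyword}")

def select(keyword, op, value):
    """Profile names of the sample records that satisfy the filter."""
    return [r["CHLAUTH"] for r in RECORDS if where(r, keyword, op, value)]
```

Because ALTDATE is in yyyy-mm-dd form, a GE or LT comparison on it orders records chronologically, which is how the model finds records altered since a given date.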


    Requested parameters

    Specify one or more parameters that define the data to be displayed. The parameters can be specified in any order, but do not specify the same parameter more than once.

      TYPE
      The type of channel authentication record.
      SSLPEER
      The Distinguished Name of the certificate.
      ADDRESS
      The IP address.
      CHCKCLNT
      Whether a user ID and password are to be supplied by connections which match this rule.
      CLNTUSER
      The client asserted user ID.
      QMNAME
      The name of the remote partner queue manager.
      MCAUSER
      The user identifier to be used when the inbound connection matches the TLS DN, IP address, client asserted user ID or remote queue manager name supplied.
      ADDRLIST
      A list of IP address patterns which are banned from connecting into this queue manager on any channel.
      USERLIST
      A list of user IDs which are banned from use of this channel or set of channels.
      ALTDATE
      The date on which the channel authentication record was last altered, in the format yyyy-mm-dd.
      ALTTIME
      The time at which the channel authentication record was last altered, in the form hh.mm.ss.
      DESCR
      Descriptive information about the channel authentication record.
      SSLCERTI
      The Certificate issuer Distinguished Name of the certificate to be matched.
      CUSTOM
      Reserved for future use.
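
A helper for scripted audits that builds a MATCH(RUNCHECK) command for one inbound connection and enforces the restrictions given above for that mode: non-generic channel name and values, ADDRESS as an IP address rather than a host name, QMNAME or CLNTUSER but not both, and TYPE(ALL). This is an added example, not IBM code; the function names and sample values are hypothetical, and rejecting quotes and non-printable characters so a value cannot alter the command is a choice of this example.

```python
import ipaddress

def mqsc_value(keyword, value):
    """Render KEYWORD('value'), refusing text that could alter the command."""
    if not value or not value.isprintable() or any(c in value for c in "'\""):
        raise ValueError(f"{keyword}: empty value, quote or control character")
    if "*" in value:
        # Assumption of this example: any asterisk makes the value generic.
        raise ValueError(f"{keyword}: must not be generic with MATCH(RUNCHECK)")
    return f"{keyword}('{value}')"

def runcheck_command(channel, address, qmname=None, clntuser=None,
                     sslpeer=None, sslcerti=None):
    """Build DISPLAY CHLAUTH ... MATCH(RUNCHECK) for one inbound connection."""
    try:
        ipaddress.ip_address(address)   # rejects host names and address patterns
    except ValueError:
        raise ValueError("ADDRESS: must be an IP address, not a host name") from None
    if qmname and clntuser:
        raise ValueError("QMNAME is for queue manager channels, CLNTUSER for clients")
    parts = [mqsc_value("DISPLAY CHLAUTH", channel), "TYPE(ALL)",
             "MATCH(RUNCHECK)", mqsc_value("ADDRESS", address)]
    for keyword, value in (("QMNAME", qmname), ("CLNTUSER", clntuser),
                           ("SSLPEER", sslpeer), ("SSLCERTI", sslcerti)):
        if value is not None:
            parts.append(mqsc_value(keyword, value))
    return " ".join(parts)

if __name__ == "__main__":
    # Constructed sample connection: a client channel presenting a TLS certificate.
    print(runcheck_command("APP1.SVRCONN", "192.0.2.10",
                           clntuser="appuser", sslpeer="CN=app1,O=Example"))
```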