paulau |
Posted: Wed May 02, 2018 2:12 am Post subject: CHLAUTH question |
|
|
Novice
Joined: 06 Feb 2017 Posts: 19
|
Hi,
We have 2000 desktop users that send messages with their login ID in MQMD.Useridentifier. The MQMD.Useridentifier is used to authorise the transactions on CICS.
There is no central LDAP capability. Is there a CHLAUTH feature that would allow us to authorise using a local MQ user mapped from the supplied PKI certificate?
The USERSOURCE option we have tried updates the MQMD.UserIdentifier to the same value as the mapping result. Is there an ADOPTCTX feature like the one for AUTHINFO that would let us authorise with one user while leaving the MQMD.Useridentifier set to the desktop CLNTUSER value?
Regards
Paul
Mangesh1187 |
Posted: Wed May 09, 2018 8:42 am Post subject: |
|
|
Centurion
Joined: 23 Mar 2013 Posts: 116
|
Presuming:
1) All the 2000 desktop users are using the same server-con channel OR multiple channels with a fixed pattern.
2) All the 2000 desktop users want the same level of authorizations on MQ objects.
3) MQ server is on UNIX/WIN/LINUX with 7.5 or greater version.
(In your query you mentioned CICS and I don't know how chlauth works in CICS MQ)
Requirement:
To map the several SSL cert CN names to a single user on the MQ server for further authorizations.
I hope the below works:
SET CHLAUTH(channel_Name_Pattern) TYPE(SSLPEERMAP) SSLPEER('CN=*') USERSRC(MAP) MCAUSER('userName') ACTION(ADD)
paulau |
Posted: Wed Aug 15, 2018 9:01 pm Post subject: |
|
|
Novice
Joined: 06 Feb 2017 Posts: 19
|
Hi Mangesh,
I tried a rule like that but it changes the mqmd.userid and that means that the transaction will be run on z/OS in CICS under the changed userid. We need the client's id to flow through to z/OS and it seems like this isn't possible with the current CHLAUTH setup.
Paul
belchman |
Posted: Thu Aug 16, 2018 5:52 am Post subject: |
|
|
Partisan
Joined: 31 Mar 2006 Posts: 386 Location: Ohio, USA
|
Vitor |
Posted: Thu Aug 16, 2018 5:57 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
paulau wrote: |
I tried a rule like that but it changes the mqmd.userid and that means that the transaction will be run on z/OS in CICS under the changed userid. We need the client's id to flow through to z/OS and it seems like this isn't possible with the current CHLAUTH setup. |
You could try setting the SSL on the client connection, so that only a client with the correct certificate could connect, making the user id supplied irrelevant.
_________________
Honesty is the best policy.
Insanity is the best defence.