Alternate Connection was added with version 6.7.3 of the connection manager (bundled with WGS 10.1) and provides a new model for connecting user actions to the remote systems.
There are 2 types of requests made by the connection manager.
- Collecting data for the WGS
- Running actions including any message actions including browsing
When using the standard connection model, the connection manager connects to the queue manager once and this is used for all activity. When collecting data for the WGS, the connection runs under the connection attributes as configured in the remote connection. When running an action, it uses alternate IBM MQ authority to assign those requests to the user requesting the change.
When running with alternate connection, specifying +a, the connection manager still connects to the queue manager using the remote connection user and uses this to inquire data for the WGS. The difference comes when actions are requested. In this case, a new connection is created, passing the user that made the request. The actions are passed as is to the queue manager as if they came from that user. Once the action is completed, that connection is terminated.
The main purpose of this change is to remove the requirement for alternate user permissions for the user associated with connection manager. Most other security will be the same in both cases.
The channels must be configured with ADOPTCTX since this is what triggers IBM MQ to use the user ID passed from the connection manager. Without ADOPTCTX , the user from the MCAUSER or the user that is running connection manager is passed by IBM MQ. The channel initiator itself still uses alternate user options to impersonate the user and must be configured in the security system to allow this.