Create channel authentication records with an SSL/TLS Distinguished Name identity

We can use the channel authentication records widget to create allowing, blocking, and warning channel authentication records with an SSL/TLS Distinguished Name identity. The SSL/TLS distinguished name identity matches to users who present an SSL or TLS personal certificate that contains a specified Distinguished Name.


Before starting

We must create a channel authentication records widget before we can use it. For more information about creating IBM MQ object widgets, see Work with IBM MQ objects.


Procedure

To add a channel authentication record:
  1. Click the create icon in the channel authentication record widget toolbar.
  2. Select the Rule Type to indicate what type of rule we want on the channel authentication record:

    • Select Allow to allow access to inbound connections.
    • Select Block to block access to inbound connections.
    • Select Warn to warn about access to inbound connections that would be blocked. The connection is allowed access, and an error message is reported. If events are configured, an event message is created that shows the details of what would be blocked. Only matched rules are reported.

  3. Select the SSL/TLS Distinguished Name identity type from the list.
  4. Click Next
  5. Specify a Channel profile. The channel profile is the name of the channel or set of channels for which we are setting the channel authentication. The profile can contain wildcards so that we can block a range of channels. For example, the profile alphadelta* blocks channels named alphadelta1, alphadelta2, alphdelta3 and so on.
  6. Specify the Peer name. For example, CN=John Smith, O=IBM ,OU=Test, C=GB. For more information about peer names, see WebSphere MQ rules for SSLPEER values.
  7. Optional: Specify the Address filter that is used. The address is the IP address that is expected at the other end of the channel.
  8. Optional: Specify the SSL cert issuer name. The SSL cert issuer name is the name of the certificate authority that the SSL/TLS certificate must be issued by.
  9. Optional: Click Next.
  10. Optional: For an Allow rule type, we can optionally specify the User source for the channel authentication record. The user source specifies the source of the user ID that is used when the inbound connection matches the SSL/TLS Distinguished Name.

    • The Channel option specifies that inbound connections that match the mapping use the flowed user ID or any user that is defined on the channel object.
    • The Map option specifies that inbound connections that match the mapping use the user ID that is specified in the MCA user ID field.

  11. Optional: Click Next.
  12. Optional: Specify a Description for the channel authentication record.
  13. Click Create. The new channel authentication record is created.

Parent topic: Work with channel authentication records