Multi-valued certificate Distinguished Name OU properties
We can match multiple organizational unit (OU) values in certificate Distinguished Names.
The following route properties now support the matching of multiple OU values:
- SSLClientDN_OU
- SSLClientSiteDN_OU
- SSLServerDN_OU
- SSLServerSiteDN_OU
To match multiple OU values, use a comma as a separator in the route property value. For example:
SSLClientDN_OU=Sales, Europe
This matches certificates with both OU=Sales and OU=Europe. The OU values are matched in the same sequence as multiple OU values in IBM MQ SSLPEER filters. Do not specify the same route property more than once in the [route] section. The correct way to match multiple OU values is to specify the property once, as shown in the preceding example. If you enter the same attribute more than once in the same mqipt.conf section, the last value takes effect. For example, the following entries would result in only matching Europe because the second line overrides the first:
SSLClientDN_OU=Sales
SSLClientDN_OU=Europe
If we must match a literal comma inside an OU value, insert a backslash (\) as an escape character immediately before the comma. For example:
SSLClientDN_OU=Sales\, Europe
This matches a single value: OU=Sales, Europe. A backslash that is not immediately followed by a comma matches a literal backslash.
If we are upgrading from a previous release of MQIPT and rely on the ability to match commas in OU values, we must insert backslash escape characters into the OU route properties in order to preserve the previous behavior.
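The comma-splitting, backslash-escape and last-value-wins rules above, as an added Python example (not IBM's code and not part of MQIPT) that audits OU route properties before an upgrade. Trimming whitespace around each value and the simplified handling of sections and # comments are assumptions; the sample configuration is constructed.

```python
OU_PROPS = {"SSLClientDN_OU", "SSLClientSiteDN_OU",
            "SSLServerDN_OU", "SSLServerSiteDN_OU"}

# Constructed sample, not a real mqipt.conf.
SAMPLE = r"""
[route]
ListenerPort=1415
SSLClientDN_OU=Sales, Europe
[route]
ListenerPort=1416
SSLClientDN_OU=Sales
SSLClientDN_OU=Europe
SSLServerDN_OU=Sales\, Europe
SSLServerSiteDN_OU=R\D
"""

def split_ou_values(value):
    """Split a property value into OU values on unescaped commas."""
    values, current, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and value[i + 1:i + 2] == ",":
            current.append(",")   # escaped comma: literal, not a separator
            i += 2
            continue
        if ch == ",":
            values.append("".join(current).strip())  # strip() is an assumption
            current = []
        else:
            current.append(ch)    # a backslash not before a comma stays literal
        i += 1
    values.append("".join(current).strip())
    return values

def audit(conf_text):
    """Return ({(section_index, key): [ou, ...]}, [warning, ...])."""
    effective, warnings, section = {}, [], -1
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            section += 1
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if line.startswith("#") or not sep or key not in OU_PROPS:
            continue
        if (section, key) in effective:
            warnings.append(f"line {lineno}: {key} repeated; earlier value overridden")
        effective[(section, key)] = split_ou_values(value)  # last value wins
    return effective, warnings
```

Calling `audit(SAMPLE)` shows the second route matching only Europe for SSLClientDN_OU, with a warning for the repeated property.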