Why we need to check that SSLPEER values have correctly ordered OU entries


This section details why you have to change the order of your SSLPEER values if you are migrating from a WebSphere MQ V5.3 Fix Pack 7 or earlier installation.

Every SSL certificate contains a Distinguished Name (DN), used to uniquely identify the person or organization the certificate was issued to. The following attribute types are commonly found in the certificate's Distinguished Name field:

CN              Common Name
T               Title
O               Organization Name
OU              Organizational Unit Name
L               Locality Name
ST (or SP or S) State or Province Name
C               Country

The certificate Distinguished Name can contain multiple OU attributes, listed in descending hierarchical order. For example, a certificate Distinguished Name could be specified as:

CN='QM2', O='IBM', C='GB', L='Hursley', OU='Software Group', OU='Middleware', OU='MQ'

If a WebSphere MQ SSL channel has been configured with an optional SSLPEER value, this value is compared, after the SSL handshake, with the Distinguished Name in any certificate received. If the values match, the connection is allowed; otherwise the connection is refused. In WebSphere MQ V5.3 Fix Pack 7 or earlier, channel definitions containing SSLPEER values with multiple OUs were entered in ascending hierarchical order on Windows only; on all other platforms they were entered in descending hierarchical order. For example, on Windows:

CN='QM2', O='IBM', C='GB', L='Hursley', OU='MQ', OU='Middleware', OU='Software Group'

These differing approaches to specifying multiple OUs were resolved at Fix Pack 8 - multiple OUs are now always specified in descending hierarchical order in the SSLPEER value on all platforms.
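The following script is an added example and not part of the WebSphere MQ product or its documentation. It models the SSLPEER comparison described above in a deliberately simplified form (exact attribute-value comparison, with the order of repeated OU entries significant; wildcards and the other matching rules of the real product are not modelled) and shows why a Windows SSLPEER value recorded in the pre-Fix Pack 8 ascending order no longer matches the certificate after migration. It also includes a helper, convert_windows_fp7_sslpeer, that reverses only the OU entries so that such a value can be rewritten into the descending order now used on all platforms. The sample DN strings are the ones quoted on this page; the function names are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Sample values taken from the page's text (constructed for this example).
CERT_DN = ("CN='QM2', O='IBM', C='GB', L='Hursley', "
           "OU='Software Group', OU='Middleware', OU='MQ'")
SSLPEER_DESCENDING = CERT_DN          # Fix Pack 8 and later, all platforms
SSLPEER_WINDOWS_FP7 = ("CN='QM2', O='IBM', C='GB', L='Hursley', "
                       "OU='MQ', OU='Middleware', OU='Software Group'")

# One attribute of the form  TYPE='value'  followed by a comma or end of string.
_ATTR_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*'([^']*)'\s*(?:,|$)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into an ordered list of (type, value) pairs.

    Order is preserved deliberately: for OU entries it is significant.
    """
    attrs: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(dn):
        m = _ATTR_RE.match(dn, pos)
        if not m:
            raise ValueError(f"cannot parse DN at offset {pos}: {dn[pos:]!r}")
        attrs.append((m.group(1).upper(), m.group(2)))
        pos = m.end()
    return attrs


def sslpeer_matches(sslpeer: str, cert_dn: str) -> bool:
    """Simplified SSLPEER check (assumption: not MQ's own matching code).

    Every attribute type named in the SSLPEER value must be present in the
    certificate DN with the same values, and where a type is repeated (OU)
    the values must appear in the same order.
    """
    peer = parse_dn(sslpeer)
    cert = parse_dn(cert_dn)
    for attr_type in {t for t, _ in peer}:
        peer_values = [v for t, v in peer if t == attr_type]
        cert_values = [v for t, v in cert if t == attr_type]
        if peer_values != cert_values:
            return False
    return True


def convert_windows_fp7_sslpeer(sslpeer: str) -> str:
    """Rewrite an SSLPEER value recorded in the pre-Fix Pack 8 Windows
    format (OUs ascending) into the descending order used from Fix Pack 8.

    Only the relative order of the OU entries is reversed; every other
    attribute keeps its position and value.
    """
    attrs = parse_dn(sslpeer)
    ou_values = [v for t, v in attrs if t == "OU"]
    ou_values.reverse()
    reversed_ous = iter(ou_values)
    rewritten = [(t, next(reversed_ous)) if t == "OU" else (t, v)
                 for t, v in attrs]
    return ", ".join(f"{t}='{v}'" for t, v in rewritten)


def check_migrated_sslpeer(sslpeer: str, cert_dn: str) -> str:
    """Classify an SSLPEER value against the DN it is meant to accept.

    Returns 'ok' if it already matches, 'reorder-ous' if it matches only
    after the OU order is reversed (a pre-Fix Pack 8 Windows value), and
    'mismatch' otherwise.
    """
    if sslpeer_matches(sslpeer, cert_dn):
        return "ok"
    if sslpeer_matches(convert_windows_fp7_sslpeer(sslpeer), cert_dn):
        return "reorder-ous"
    return "mismatch"


if __name__ == "__main__":
    for label, value in (("descending", SSLPEER_DESCENDING),
                         ("windows-fp7", SSLPEER_WINDOWS_FP7)):
        print(f"{label:12} -> {check_migrated_sslpeer(value, CERT_DN)}")
        if check_migrated_sslpeer(value, CERT_DN) == "reorder-ous":
            print(f"{'':12}    corrected: {convert_windows_fp7_sslpeer(value)}")
```

Running the script reports the descending value as "ok" and the Windows Fix Pack 7 value as "reorder-ous", printing the corrected SSLPEER string that should be used in the channel definition after migration. The check_migrated_sslpeer function can be run over every channel's SSLPEER value exported from a migrated queue manager to find the definitions that still carry the old ordering.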
