Matching the distinguished name (DN)

We can enhance server-side certificate verification through distinguished name (DN) matching. To enable server DN matching, we must specify the back-end server DN when creating the SSL junction to that server. Although DN matching is an optional configuration, it provides a higher degree of security with mutual authentication over SSL junctions.

During server-side certificate verification, the DN contained in the certificate is compared with the DN defined by the junction. The connection to the back-end server fails if the two DNs do not match.

To enable server DN matching, specify the back-end server DN when creating the SSL-based junction with the -D "DN" option. Surround the DN string with double quotation marks so that any blank spaces in the string are preserved. For example:

-D "CN=Verify Access,OU=SecureWay,O=Tivoli,C=US"

The -D option is appropriate only when used with the -K or -B option.
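The following is an added illustration of the DN check described above, not code from Verify Access itself: it parses two RFC 4514 DN strings and decides whether the DN presented in the back-end server's certificate equals the DN configured on the junction, showing why the blanks inside `"Verify Access"` matter. It assumes single-valued RDNs, case-insensitive attribute types, and exact, order-sensitive comparison of values; the sample DNs are constructed.

```python
def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into an ordered list of (type, value) pairs.

    Backslash escapes are honoured, so 'CN=Verify\\, Access' stays one RDN.
    Assumes single-valued RDNs (no '+' separators).
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:            # character after '\' is taken literally
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma ends the current RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Attribute types compare case-insensitively; blanks inside a value
        # are significant (the reason -D "..." must be quoted on the page).
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def dn_matches(certificate_dn: str, junction_dn: str) -> bool:
    """True when the certificate's subject DN equals the junction's -D DN.

    A DN is an ordered sequence of RDNs, so order is significant and every
    RDN must be present with an exactly equal (case-sensitive) value.
    """
    return parse_dn(certificate_dn) == parse_dn(junction_dn)


def verify_backend(certificate_dn: str, junction_dn: str) -> str:
    """Outcome of server-side verification once DN matching is enabled."""
    if dn_matches(certificate_dn, junction_dn):
        return "connection established"
    return "connection refused: server DN does not match junction DN"


if __name__ == "__main__":
    JUNCTION_DN = "CN=Verify Access,OU=SecureWay,O=Tivoli,C=US"  # the page's -D value
    for presented in (JUNCTION_DN,
                      "cn=Verify Access, ou=SecureWay, o=Tivoli, c=US",  # constructed
                      "CN=VerifyAccess,OU=SecureWay,O=Tivoli,C=US"):     # constructed: blank lost
        print(f"{presented!r}: {verify_backend(presented, JUNCTION_DN)}")
```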
