SSL Peer (SSLPEER)
This attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of an IBM MQ channel. If the DN received from the peer does not match the SSLPEER value, the channel does not start.
Note: An alternative way of restricting inbound connections to a channel by matching against the TLS Subject Distinguished Name is to use channel authentication records. With channel authentication records, different TLS Subject Distinguished Name patterns can be applied to the same channel. If both SSLPEER on the channel and a channel authentication record apply to the same channel, the inbound certificate must match both patterns in order to connect.
SSLPEER is an optional attribute. If a value is not specified, the peer DN is not checked when the channel is started.
On z/OS®, the maximum length of the attribute is 256 bytes. On all other platforms, it is 1024 bytes. Channel authentication records provide greater flexibility when using SSLPEER and support 1024 bytes on all platforms.
On z/OS, the attribute value is not validated when it is entered. If you enter an incorrect value, the channel fails at startup, and error messages are written to the error log at both ends of the channel. A Channel SSL Error event is also generated at both ends of the channel. On platforms other than z/OS that support SSLPEER, the validity of the string is checked when it is first entered.
You can specify a value for SSLPEER on a non-TLS channel definition, that is, one on which SSLCIPH is missing or blank. The DN check is not performed while SSLCIPH is blank, so you can use this to temporarily disable TLS for debugging without having to clear and later re-enter the TLS parameters.
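The following MQSC script is an added example, not part of the IBM page, showing the two mechanisms described above side by side: a sender channel that pins the peer queue manager's DN with SSLPEER, and a server-connection channel that carries both a channel SSLPEER and a channel authentication record (so a client certificate must satisfy both), followed by the SSLCIPH-blanking trick used to disable TLS temporarily while leaving SSLPEER in place. The queue manager, channel, transmission queue, user and DN values are assumptions chosen for illustration.

```mqsc
* Added example (not from the IBM documentation). Channel names, queue
* names, CONNAME, MCAUSER and all DN values are assumed for illustration.

* Outbound sender channel: the channel starts only if the DN in the peer
* queue manager's certificate matches this SSLPEER value.
DEFINE CHANNEL('TO.QM2') CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('qm2.example.com(1414)') XMITQ('QM2') +
       SSLCIPH(ANY_TLS12_OR_HIGHER) +
       SSLPEER('CN=QM2,O=ExampleCorp,C=GB') REPLACE

* Inbound server-connection channel: client certificates are mandatory
* (SSLCAUTH(REQUIRED)) and the channel-level SSLPEER applies first.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ANY_TLS12_OR_HIGHER) SSLCAUTH(REQUIRED) +
       SSLPEER('O=ExampleCorp,C=GB') REPLACE

* A channel authentication record on the same channel with a narrower
* pattern. A connecting client must match BOTH the channel SSLPEER above
* and this record; a certificate with O=ExampleCorp but a different CN
* passes the channel check and is still rejected here.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app-client,OU=Payments,O=ExampleCorp,C=GB') +
    USERSRC(MAP) MCAUSER('appuser') ACTION(ADD)

* Back-stop rule: any client on this channel that does not match the
* SSLPEERMAP record above is refused. SSLPEERMAP records take precedence
* over ADDRESSMAP records, so the specific DN rule wins when it matches.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(ADD)

* Dry run of the CHLAUTH rules for a given client DN and IP address
* (the address is assumed) to confirm which record would be applied.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.5') +
        SSLPEER('CN=app-client,OU=Payments,O=ExampleCorp,C=GB')

* Debugging: blank SSLCIPH to disable TLS on the sender channel. SSLPEER
* stays defined but is not checked until SSLCIPH is set again.
ALTER CHANNEL('TO.QM2') CHLTYPE(SDR) SSLCIPH(' ')
DISPLAY CHANNEL('TO.QM2') SSLCIPH SSLPEER

* Re-enable TLS; the existing SSLPEER value takes effect again.
ALTER CHANNEL('TO.QM2') CHLTYPE(SDR) SSLCIPH(ANY_TLS12_OR_HIGHER)
```

Run the script with runmqsc against the assumed queue manager (for example, runmqsc QM1 < sslpeer.mqsc). The blanked SSLCIPH is a debugging aid only: while it is blank, the channel runs without TLS and without any DN check, so restore it before the channel carries real traffic.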
For more information about using SSLPEER, see SET CHLAUTH and Securing.
This attribute is valid for all channel types.