IBM MQ rules for SSLPEER values

The SSLPEER attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of an IBM MQ channel. IBM MQ uses certain rules when comparing these values

Attention: The only peer values allowed for use in an SSLPEER filter are those shown in the table in Distinguished Names. When SSLPEER values are compared with DNs, the rules for specifying and matching attribute values are as follows:
  1. We can use either a comma or a semicolon as a separator.
  2. Spaces before or after the separator are ignored. For example:
    CN=John Smith, O=IBM,OU=Test, C=GB
    
  3. The values of attribute types SERIALNUMBER, MAIL, E, UID OR USERID, CN, T, OU, DC, O, STREET, L, ST, SP, S, PC, C, UNSTRUCTUREDNAME, UNSTRUCTUREDADDRESS, DNQ are text strings that typically include only the following:

    • Uppercase and lowercase alphabetic characters A through Z and a through z
    • Numeric characters 0 through 9
    • The space character
    • Characters, . ; ' " ( ) / -

    To avoid conversion problems between different platforms, do not use other characters in an attribute value. The attribute types, for example CN, must be in uppercase characters.

  4. Strings containing the same alphabetic characters match irrespective of case.
  5. Spaces are not allowed between the attribute type and the = character.

  6. Optionally, we can enclose attribute values in double quotation marks, for example CN="John Smith". The quotation marks are discarded when matching values.
  7. Spaces at either end of the string are ignored unless the string is enclosed in double quotation marks.
  8. The comma and semicolon attribute separator characters are considered to be part of the string when enclosed in double quotation marks.
  9. The names of attribute types, for example CN or OU, are considered to be part of the string when enclosed in double quotation marks.
  10. Any of the attribute types ST, SP, and S can be used for the State or Province name.
  11. Any attribute value can have an asterisk ( *) as a pattern-matching character at the beginning, the end, or in both places. The asterisk character substitutes for any number of characters at the beginning or end of the string to be matched. This character enables your SSLPEER value specification to match a range of Distinguished Names. For example, OU=IBM* matches every Organizational Unit beginning with IBM, such as IBM Corporation.

    The asterisk character can also be a valid character in a Distinguished Name. To obtain an exact match with an asterisk at the beginning or end of the string, the backslash escape character ( \) must precede the asterisk: \*. Asterisks in the middle of the string are considered to be part of the string and do not require the backslash escape character.

  12. The DN can contain multiple OU attributes and multiple DC attributes.
  13. When multiple OU attributes are specified, all must exist and be in descending hierarchical order. For an example, see DEFINE CHANNEL.
  14. A digital certificate Subject DN can additionally contain multiple attributes of the same type other than OU or DC, but only if the SSLPEER value does not filter on the repeated attribute type. For example, consider a certificate with the following Subject DN:
    CN=First, CN=Second, O=IBM, C=US
    
    An SSLPEER value of O=IBM, C=US does not filter on CN, so matches this certificate and allows the connection. An SSLPEER value of CN=First, O=IBM, C=US fails to match this certificate because the certificate contains multiple CN attributes. We cannot match multiple CN values.
  15. The value of the SERIALNUMBER attribute should consist of colon separated bytes as hexadecimal, for example A1:B2:C3.

Parent topic: Security reference


Related information