IBM WebSphere MQ Telemetry rules for SSLPEER values
The SSLPEER attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of an IBM® WebSphere® MQ channel. IBM WebSphere MQ uses certain rules when comparing these values.
When SSLPEER values are compared with DNs, the rules for specifying and matching attribute values are as follows:
- You can use either a comma or a semicolon as a separator.
- Spaces before or after the separator are ignored. For example:
CN=John Smith, O=IBM ,OU=Test , C=GB
- The values of attribute types SERIALNUMBER, MAIL, E, UID or USERID, CN, T, OU, DC, O, STREET, L, ST, SP, S, PC, C, UNSTRUCTUREDNAME, UNSTRUCTUREDADDRESS, DNQ are text strings that typically include only the following:
  - Uppercase and lowercase alphabetic characters A through Z and a through z
  - Numeric characters 0 through 9
  - The space character
  - Characters , . ; ' " ( ) / -
- Attribute types, for example CN, must be in uppercase characters.
- Strings containing the same alphabetic characters match irrespective of case.
- Spaces are not allowed between the attribute type and the = character.
- Optionally, you can enclose attribute values in double quotation marks, for example CN="John Smith". The quotation marks are discarded when matching values.
- Spaces at either end of the string are ignored unless the string is enclosed in double quotation marks.
- The comma and semicolon attribute separator characters are considered to be part of the string when enclosed in double quotation marks.
- The names of attribute types, for example CN or OU, are considered to be part of the string when enclosed in double quotation marks.
- Any of the attribute types ST, SP, and S can be used for the State or Province name.
- Any attribute value can have an asterisk (*) as a pattern-matching character at the beginning, the end, or in both places. The asterisk character substitutes for any number of characters at the beginning or end of the string to be matched. This character enables your SSLPEER value specification to match a range of Distinguished Names. For example, OU=IBM* matches every Organizational Unit beginning with IBM, such as IBM Corporation. The asterisk character can also be a valid character in a Distinguished Name. To obtain an exact match with an asterisk at the beginning or end of the string, the backslash escape character (\) must precede the asterisk: \*. Asterisks in the middle of the string are considered to be part of the string and do not require the backslash escape character.
- The DN can contain multiple OU attributes and multiple DC attributes.
- When multiple OU attributes are specified, all must exist and be in descending hierarchical order. For an example, see DEFINE CHANNEL.
- A digital certificate Subject DN can additionally contain multiple attributes of the same type other than OU or DC, but only if the SSLPEER value does not filter on the repeated attribute type. For example, consider a certificate with the following Subject DN:
  CN=First, CN=Second, O=IBM, C=US
  An SSLPEER value of O=IBM, C=US does not filter on CN, so it matches this certificate and allows the connection. An SSLPEER value of CN=First, O=IBM, C=US fails to match this certificate because the certificate contains multiple CN attributes. You cannot match multiple CN values.
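The rules above, implemented as a small Python matcher. This is an added example for this page, not IBM MQ's own matching code; the function names (parse_dn, value_matches, ordered_match, sslpeer_matches) and the sample DNs are constructed for the example. Two points go beyond what the page states and are assumptions: multiple OU or DC values in the SSLPEER value are required to match certificate values in the same relative order (one reading of "descending hierarchical order"), and an SSLPEER value that itself repeats a type other than OU or DC is rejected as invalid, since the page says such a filter cannot match.

```python
import re

# ST, SP and S are interchangeable for State/Province (rule from the page above).
STATE_ALIASES = {"ST", "SP", "S"}
# Types that may legitimately repeat in a DN; matched in order (assumption, see lead-in).
ORDERED_TYPES = {"OU", "DC"}


def parse_dn(text):
    """Split an SSLPEER value or a certificate Subject DN into (TYPE, value) pairs.

    ',' or ';' separate attributes unless inside double quotes; spaces around
    separators are dropped; quotes are removed but protect separators, '=' and
    spaces inside them; the type must be uppercase and immediately precede '='.
    """
    pairs, i, n = [], 0, len(text)
    while i < n:
        while i < n and text[i] in " ,;":  # skip separators and surrounding spaces
            i += 1
        if i >= n:
            break
        eq = text.find("=", i)
        if eq < 0:
            raise ValueError("attribute without '=': %r" % text[i:])
        attr_type = text[i:eq]
        if not re.fullmatch(r"[A-Z]+", attr_type):
            raise ValueError("type must be uppercase with no space before '=': %r" % attr_type)
        i = eq + 1
        if i < n and text[i] == '"':
            end = text.find('"', i + 1)  # quoted: keep everything up to the closing quote
            if end < 0:
                raise ValueError("unterminated double quote in %r" % text)
            value, i = text[i + 1:end], end + 1
            while i < n and text[i] == " ":
                i += 1
            if i < n and text[i] not in ",;":
                raise ValueError("unexpected text after closing quote in %r" % text)
        else:
            end = i
            while end < n and text[end] not in ",;":
                end += 1
            value, i = text[i:end].strip(), end  # unquoted: outer spaces ignored
        pairs.append(("ST" if attr_type in STATE_ALIASES else attr_type, value))
    return pairs


def value_matches(pattern, value):
    """Case-insensitive match of one SSLPEER value against one certificate value.

    Leading/trailing '*' is a wildcard, '\\*' at either end is a literal asterisk,
    and a '*' in the middle of the string is literal.
    """
    p, v = pattern.lower(), value.lower()
    lead = p.startswith("*")
    trail = p.endswith("*") and not p.endswith("\\*")
    if lead:
        p = p[1:]
    elif p.startswith("\\*"):
        p = p[1:]  # drop the escape, keep the literal '*'
    if trail:
        p = p[:-1]
    elif p.endswith("\\*"):
        p = p[:-2] + "*"
    if lead and trail:
        return p in v
    return v.endswith(p) if lead else v.startswith(p) if trail else v == p


def ordered_match(patterns, values):
    """Every pattern must match a value, in the same relative order (OU and DC)."""
    pos = 0
    for pat in patterns:
        while pos < len(values) and not value_matches(pat, values[pos]):
            pos += 1
        if pos == len(values):
            return False
        pos += 1
    return True


def sslpeer_matches(sslpeer, subject_dn):
    """Return True if the certificate Subject DN satisfies the SSLPEER filter."""
    wanted, cert = {}, {}
    for t, v in parse_dn(sslpeer):
        wanted.setdefault(t, []).append(v)
    for t, v in parse_dn(subject_dn):
        cert.setdefault(t, []).append(v)
    for t, patterns in wanted.items():
        values = cert.get(t, [])
        if t in ORDERED_TYPES:
            if not ordered_match(patterns, values):
                return False
        else:
            if len(patterns) > 1:  # assumption: such a filter is a configuration error
                raise ValueError("SSLPEER cannot match multiple %s values" % t)
            # A repeated CN (or any other non-OU/DC type) in the certificate can only
            # be left unfiltered; once the filter names it, the match fails.
            if len(values) != 1 or not value_matches(patterns[0], values[0]):
                return False
    return True


if __name__ == "__main__":
    cases = [  # constructed samples; the first two are the page's own example
        ("O=IBM, C=US", "CN=First, CN=Second, O=IBM, C=US"),
        ("CN=First, O=IBM, C=US", "CN=First, CN=Second, O=IBM, C=US"),
        ("OU=IBM*, C=GB", "CN=John Smith, O=IBM ,OU=IBM Corporation , C=GB"),
        ("CN=\\*root, SP=Hampshire", "CN=*root, ST=Hampshire, O=IBM"),
    ]
    for flt, dn in cases:
        print("%-26s vs %-48s -> %s" % (flt, dn, sslpeer_matches(flt, dn)))
```

Malformed filters (lowercase type, a space before =, an unterminated quote) raise rather than silently failing to match, which is the behaviour you want when validating a channel definition before deploying it. Note also what a wildcard-only value buys you: CN=* matches any single-CN certificate the channel's truststore already accepts, so an SSLPEER that is meant to restrict peers should pin the attributes that actually identify them (O, OU hierarchy, C) rather than relying on the wildcard.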