Distinguished names

IBM® MQ Advanced Message Security uses the Public Key Infrastructure (PKI) identity to represent a user or an application. This type of identity is used for signing and encrypting messages. The identity is represented by the distinguished name (DN) field in a certificate associated with signed and encrypted messages.

Sender distinguished names

The sender distinguished names (DNs) identify users authorized to place messages on a queue. However, IBM MQ Advanced Message Security does not check whether a message has been placed on a data-protected queue by a valid user until the message is retrieved. At that point, if the policy stipulates one or more valid senders, and the user that placed the message on the queue is not in the list of valid senders, IBM MQ Advanced Message Security returns an error to the getting application and places the message on its error queue.

A policy can have 0 or more sender DNs specified. If no sender DNs are specified for the policy, any user can put data-protected messages to the queue providing the user's certificate is trusted.

Sender distinguished names have the following form:

CN=Common Name,O=Organization,C=Country

If one or more sender DNs are specified for the policy, only those users can put messages to the queue associated with the policy.

Sender DNs, when specified, must match exactly the DN contained in the digital certificate associated with the user putting the message.

Recipient distinguished names

The recipient distinguished names (DNs) identify users authorized to retrieve messages from a queue. A policy can have zero or more recipient DNs specified. Recipient distinguished names have this form:

CN=Common Name,O=Organization,C=Country

If no recipient DNs are specified for the policy, any user can get messages from the queue associated with the policy. This implies that the policy does not specify encryption, as a policy with encryption requires recipient DNs to be specified.

If one or more recipient DNs are specified for the policy, only those users can get messages from the queue associated with the policy.

Recipient DNs, when specified, must match exactly the DN contained in the digital certificate associated with the user getting the message.
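The following Python model, added here as an illustration and not code from IBM MQ or its AMS component, walks through the sender and recipient rules described above: a sender-list violation is not detected at put time but only when the message is retrieved, at which point the message goes to the error queue; an empty sender or recipient list means any trusted user; DN comparison is an exact string match (no case folding, no attribute reordering); an encryption policy must name at least one recipient; and policies on SYSTEM.* queues are not honoured. Every queue name, DN and message below is a constructed sample value, and the status strings, class names and the in-memory lists standing in for queues are this model's own assumptions.

```python
from dataclasses import dataclass, field

# All DNs, queue names and messages in this file are constructed sample values.


@dataclass
class Policy:
    queue: str
    sender_dns: list = field(default_factory=list)     # empty: any trusted sender may put
    recipient_dns: list = field(default_factory=list)  # empty: any user may get (no encryption)
    encrypt: bool = False

    def __post_init__(self):
        # AMS ignores policies on SYSTEM.* queues; this model rejects them up front.
        if self.queue.startswith("SYSTEM."):
            raise ValueError("policies for SYSTEM queues are ignored")
        # An encryption policy has to name the recipients it encrypts for.
        if self.encrypt and not self.recipient_dns:
            raise ValueError("encryption requires at least one recipient DN")


def policy_error(queue, recipient_dns=(), encrypt=False):
    """Return the validation error for a would-be policy, or None if it is acceptable."""
    try:
        Policy(queue, recipient_dns=list(recipient_dns), encrypt=encrypt)
        return None
    except ValueError as exc:
        return str(exc)


@dataclass
class Message:
    payload: str
    sender_dn: str        # DN from the certificate that signed the message
    sender_trusted: bool  # whether that certificate chains to a trusted CA


def put_message(policy, msg, queue):
    """Put-time behaviour: only certificate trust gates the put.
    The sender list is not consulted until the message is retrieved."""
    if not msg.sender_trusted:
        return "rejected: untrusted certificate"
    queue.append(msg)
    return "put"


def get_message(policy, getter_dn, queue, error_queue):
    """Get-time behaviour. Returns a status string; on a sender-list failure the
    message is moved to error_queue instead of being delivered."""
    if policy.recipient_dns and getter_dn not in policy.recipient_dns:
        return "rejected: getter is not a listed recipient"
    if not queue:
        return "empty"
    msg = queue.pop(0)
    # Exact string comparison: "cn=alice,..." or a reordered DN does not match.
    if policy.sender_dns and msg.sender_dn not in policy.sender_dns:
        error_queue.append(msg)
        return "error: sender not in policy"
    return "delivered: " + msg.payload


def demo():
    """Two puts by differently spelled sender DNs, then two gets by the listed recipient."""
    policy = Policy("APP.ORDERS",
                    sender_dns=["CN=Alice,O=Example,C=GB"],
                    recipient_dns=["CN=Bob,O=Example,C=GB"],
                    encrypt=True)
    queue, error_queue = [], []
    # Both puts succeed: the sender list is not checked here.
    put_message(policy, Message("m1", "cn=alice,o=example,c=gb", True), queue)
    put_message(policy, Message("m2", "CN=Alice,O=Example,C=GB", True), queue)
    results = [get_message(policy, "CN=Bob,O=Example,C=GB", queue, error_queue)
               for _ in range(2)]
    return results, len(error_queue)


if __name__ == "__main__":
    print(demo())
```

The first get in `demo()` fails even though the put was accepted, because the signer's DN differs from the policy's sender DN only in letter case; that is the behaviour to expect when a certificate is re-issued with a slightly different subject and the policy is not updated to match.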

Configuring IBM MQ Advanced Message Security policies involves creating the policies using tools provided with IBM MQ Advanced Message Security.
Note: IBM MQ Advanced Message Security does not allow policies for SYSTEM queues. These are queues with a name that begins with 'SYSTEM.'. If you define a policy for a SYSTEM queue, it is ignored.