Bitesize Blogging: MQ V8 - SSL Certificate Issuer checking
Morag Hughson
We're starting a series of bitesize blog posts about features in MQ V8. Check out the whole series here.
When you're running SSL/TLS channels in MQ, you place the Certification Authority (CA) certificate(s) that you are willing to accept for authentication in your Key Database file (or Keyring on z/OS). If your queue manager accepts connections from partners that present certificates signed by different CAs and so has more than one CA certificate installed in the Key Database file (or keyring), you might be interested in a new feature added to MQ V8 which this post is going to tell you about.
In MQ V8, this is extended to allow you to also check the Issuer's DN. After all, the Subject's DN is only half the story. This allows you to fully qualify the certificate you are referring to in your CHLAUTH rule by providing both parts and is especially useful if you have more than one CA in your Key Database file (or keyring). Here's an example using both fields:-
You can also have rules where you only match on the SSLCERTI, leaving the SSLPEER to match on everything, equivalent to SSLPEER('CN=*').
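The following MQSC is an added illustration, not the example from the original post. It shows one rule that pins both the Subject's DN and the Issuer's DN, one issuer-only rule, and a check of which rule a given connection would match. The channel names, DNs, user IDs and IP address are constructed placeholders.

```mqsc
* Added example: channel names, DNs, MCAUSER values and the address are placeholders.

* Back-stop rule: a connection that matches no more specific rule gets no access.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Back-stop: block anything not explicitly mapped')

* Rule 1: fully qualify the certificate with both halves.
* The Subject DN must match SSLPEER and the Issuer DN must match SSLCERTI,
* so a certificate with the same Subject DN signed by another CA in the
* key repository does not match this rule.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp') +
    USERSRC(MAP) MCAUSER('app1user') +
    DESCR('app1 certificate issued by the internal CA only')

* Rule 2: match on the issuer only. SSLPEER('CN=*') matches every Subject DN,
* so any certificate signed by this CA is mapped to the partner user ID.
SET CHLAUTH('PARTNER.*') TYPE(SSLPEERMAP) +
    SSLPEER('CN=*') +
    SSLCERTI('CN=Example Partner CA,O=Partner Ltd') +
    USERSRC(MAP) MCAUSER('partneruser') +
    DESCR('Any certificate issued by the partner CA')

* Show which rule an inbound connection presenting this certificate would match.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('anyuser') +
    SSLPEER('CN=app1,O=Example Corp') +
    SSLCERTI('CN=Example Internal CA,O=Example Corp')
```

Running the final DISPLAY again with the other CA's DN in SSLCERTI shows whether a same-named certificate from that issuer falls through to the back-stop rule.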