SSLPEER (SSL Peer)
The SSLPEER attribute is used to check the Distinguished Name (DN) of the certificate from the peer queue manager or client at the other end of an IBM® MQ channel.
The SSLPEER attribute is valid for all channel types.
If the DN received from the peer does not match the SSLPEER value, the channel does not start.
SSLPEER is an optional attribute. If a value is not specified, the peer DN is not checked when the channel is started.
On z/OS®, the maximum length of the attribute is 256 bytes. On all other platforms, it is 1024 bytes.
On z/OS, the attribute values that are used are not checked. If you enter incorrect values, the channel fails at startup, and error messages are written to the error log at both ends of the channel. A Channel SSL Error event is also generated at both ends of the channel.
On platforms other than z/OS that support SSLPEER, the validity of the string is checked when it is first entered.
You can specify a value for SSLPEER on a non-TLS channel definition, that is, one on which the SSLCIPH attribute is missing or blank. You can use this to temporarily disable TLS for debugging without having to clear and later re-enter the TLS parameters.
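The following MQSC fragment is an added example, not part of the IBM documentation. It sets SSLPEER on a receiver channel, then blanks SSLCIPH for a debugging session while leaving SSLPEER in place, and finally restores TLS. The channel name and DN values are constructed placeholders, and the CipherSpec is an assumption; use the one agreed for both ends of your channel.

```mqsc
* Constructed example: QM1.TO.QM2 and the DN below are placeholders.

* 1. TLS channel that only starts if the peer certificate DN matches.
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(ANY_TLS12_OR_HIGHER) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=QM1,O=Example Corp,C=GB') +
       REPLACE

* 2. Debugging: blank SSLCIPH only. SSLPEER stays on the definition,
*    so the expected DN does not have to be typed in again later.
*    The channel now runs without TLS, so treat this as temporary.
ALTER CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) SSLCIPH(' ')

* 3. Confirm what is currently set on the definition.
DISPLAY CHANNEL(QM1.TO.QM2) SSLCIPH SSLPEER

* 4. After debugging: restore the CipherSpec. SSLPEER is already there.
ALTER CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) SSLCIPH(ANY_TLS12_OR_HIGHER)

* 5. Verify that the DN check is back in force before relying on it.
DISPLAY CHANNEL(QM1.TO.QM2) SSLCIPH SSLPEER
```

Leaving SSLPEER blank in step 1 would still give a TLS channel, but the peer DN would not be checked when the channel starts.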
For more information about using SSLPEER, see SET CHLAUTH and Securing.