Matching the distinguished name (DN)

About this task

You can enhance server-side certificate verification through distinguished name (DN) matching. To enable server DN matching, specify the back-end server DN when you create the SSL junction to that server. DN matching is optional, but it adds a check beyond chain validation: rather than accepting any certificate that a trusted CA issued, the junction accepts only the certificate whose subject matches the configured DN, which gives a higher degree of security for mutual authentication over SSL junctions.

During server-side certificate verification, the subject DN in the certificate that the back-end server presents is compared with the DN configured on the junction. If the two DNs do not match, the connection to the back-end server fails.

Procedure

To enable server DN matching, specify the back-end server DN when you create the SSL-based junction by using the -D "DN" option. Surround the DN string with double quotation marks so that any blank spaces in the string are preserved.
Note: The DN string is case sensitive, in both the attribute names (CN, OU, O, C) and the attribute values, and the comparison is an exact match of the whole string.
For example:
-D "CN=Verify Access,OU=SecureWay,O=Tivoli,C=US"

The -D option is appropriate only when used with the -K or -B option.
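The following is an added example of the comparison that DN matching performs; it is not code from the product and does not create a junction. It takes a peer certificate subject in the structure that Python's ssl.getpeercert() returns, renders it in the same CN-first, short-name form as the -D string, and requires an exact, case-sensitive, whitespace-preserving match. The sample subject is constructed to correspond to the DN in the documentation example; the helper names (subject_to_dn, dn_matches) are this example's own.

```python
"""Added example (not product code): a junction-style DN match against a
peer certificate subject, using the tuple layout ssl.getpeercert() returns."""

# Long attribute names as reported by Python's ssl module, mapped to the
# short forms used in a -D "DN" string. (Mapping assumed for this example.)
_SHORT = {
    "commonName": "CN",
    "organizationalUnitName": "OU",
    "organizationName": "O",
    "localityName": "L",
    "stateOrProvinceName": "ST",
    "countryName": "C",
}


def subject_to_dn(subject):
    """Render an ssl.getpeercert()['subject'] tuple as a CN-first string,
    for example 'CN=Verify Access,OU=SecureWay,O=Tivoli,C=US'."""
    rdns = []
    # getpeercert() lists RDNs root-first (C, O, OU, CN); the -D string is
    # written most-specific-first, so reverse the order.
    for rdn in reversed(subject):
        parts = [f"{_SHORT.get(attr, attr)}={value}" for attr, value in rdn]
        rdns.append("+".join(parts))  # multi-valued RDNs are joined with '+'
    return ",".join(rdns)


def dn_matches(subject, junction_dn):
    """Exact string comparison: case sensitive, blanks preserved. Any
    difference in case, spacing or attribute order is a mismatch."""
    return subject_to_dn(subject) == junction_dn


# Constructed sample: the subject getpeercert() would return for a
# certificate issued to the DN in the documentation example.
PEER_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "Tivoli"),),
    (("organizationalUnitName", "SecureWay"),),
    (("commonName", "Verify Access"),),
)

JUNCTION_DN = "CN=Verify Access,OU=SecureWay,O=Tivoli,C=US"


if __name__ == "__main__":
    print(subject_to_dn(PEER_SUBJECT))
    print(dn_matches(PEER_SUBJECT, JUNCTION_DN))          # True
    print(dn_matches(PEER_SUBJECT, JUNCTION_DN.lower()))  # False: case differs
    print(dn_matches(PEER_SUBJECT,
                     "CN=VerifyAccess,OU=SecureWay,O=Tivoli,C=US"))  # False: blank dropped
```

The two failing calls illustrate the two configuration mistakes the note warns about: a DN typed in the wrong case, and a DN whose blank was lost because it was not quoted. DN matching is applied in addition to, not instead of, normal chain validation, so a certificate that matches the DN but is not signed by a trusted CA still fails.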