Security: SSLPEER and SSLCERTI changes
IBM® WebSphere® MQ 7.1 or later obtains the Distinguished Encoding Rules (DER) encoding of the certificate and uses it to determine the subject and issuer distinguished names. The subject and issuer distinguished names are used in the SSLPEER and SSLCERTI fields. A SERIALNUMBER attribute is also included in the subject distinguished name and contains the serial number for the certificate of the remote partner. Some attributes of subject and issuer distinguished names are returned in a different sequence from releases before Version 7.1.
The change to subject and issuer distinguished names affects channel security exits. It also affects applications which depend upon the subject and issuer distinguished names that are returned by the PCF programming interface. Channel security exits and applications that set or query SSLPEER and SSLCERTI must be examined, and possibly changed. The fields that are affected are listed in Table 1 and Table 2.

Table 1

Channel status attribute | PCF channel parameter type |
---|---|
SSL Peer (SSLPEER) | MQCACH_SSL_SHORT_PEER_NAME |
SSLCERTI | MQCACH_SSL_CERT_ISSUER_NAME |

Table 2

Channel data structure | Field |
---|---|
MQCD - Channel definition | SSLPeerNamePtr (MQPTR) |
MQCXP - Channel exit parameter | SSLRemCertIssNamePtr (PMQVOID) |

Existing peer name filters specified in the SSLPEER field of a channel definition are not affected. They continue to operate in the same manner as in earlier releases. The peer name matching algorithm has been updated to process existing SSLPEER filters. It is not necessary to alter any channel definitions.
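
The following C sketch is an added example, not IBM code: it shows an attribute-by-attribute check that a channel security exit or PCF application could use instead of comparing the whole peer name string, so that a changed attribute sequence or an added SERIALNUMBER does not alter the result. The sample distinguished names are constructed, and the helper names `dn_attr` and `peer_ok`, the splitting on `,` or `;` outside double quotes, and the first-match rule for repeated attributes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: one certificate, two attribute sequences. */
static const char OLD_DN[] = "CN=QM2,OU=Payments,O=\"Example, Inc\",C=GB";
static const char NEW_DN[] =
    "SERIALNUMBER=4C:D0:49:D5,C=GB,O=\"Example, Inc\",OU=Payments,CN=QM2";

/* Copy the value of the first attribute `key` in dn[0..len) into out.
 * Returns 1 on success, 0 if the attribute is absent or does not fit. */
static int dn_attr(const char *dn, size_t len, const char *key,
                   char *out, size_t cap)
{
    size_t klen = strlen(key), i = 0;
    while (i < len) {
        /* Skip separators and blanks (assumed: ',' or ';' between attributes). */
        while (i < len && (dn[i] == ' ' || dn[i] == ',' || dn[i] == ';')) i++;
        size_t start = i;
        int quoted = 0;
        /* Advance to the next separator that is not inside double quotes. */
        for (; i < len && (quoted || (dn[i] != ',' && dn[i] != ';')); i++)
            if (dn[i] == '"') quoted = !quoted;
        /* The '=' test stops "O" matching "OU" and "C" matching "CN". */
        if (i - start > klen && dn[start + klen] == '=' &&
            strncmp(dn + start, key, klen) == 0) {
            const char *v = dn + start + klen + 1;
            size_t vlen = i - start - klen - 1;
            while (vlen && v[vlen - 1] == ' ') vlen--;   /* blank padding */
            if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') { v++; vlen -= 2; }
            if (vlen >= cap) return 0;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* 1 if CN and O match wherever they appear; SERIALNUMBER and others ignored. */
static int peer_ok(const char *dn, size_t len, const char *cn, const char *org)
{
    char v[256];
    return dn_attr(dn, len, "CN", v, sizeof v) && strcmp(v, cn) == 0 &&
           dn_attr(dn, len, "O", v, sizeof v) && strcmp(v, org) == 0;
}

int main(void)
{
    printf("strcmp equal=%d old=%d new=%d\n", strcmp(OLD_DN, NEW_DN) == 0,
           peer_ok(OLD_DN, sizeof OLD_DN - 1, "QM2", "Example, Inc"),
           peer_ok(NEW_DN, sizeof NEW_DN - 1, "QM2", "Example, Inc"));
}
```

The length is passed explicitly so the same helper can be applied to a peer name buffer that is not null-terminated.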