Sender distinguished names in AMS

The sender distinguished names (DNs) identify users who are authorized to place messages on a queue. A sender uses their certificate to sign a message, prior to placing the message on a queue.

Advanced Message Security (AMS) does not check whether a message was placed on a data-protected queue by a valid user until the message is retrieved. At that time, if the policy stipulates one or more valid senders and the user that placed the message on the queue is not in the list of valid senders, AMS returns an error to the receiving application and places the message on the AMS error queue.

A policy can have zero or more sender DNs specified. If no sender DNs are specified for the policy, any sender can put data-protected messages to the queue, provided the sender's certificate is trusted. A sender's certificate is trusted by adding its public certificate to a keystore available to the receiving application.

Sender distinguished names have the following form:

CN=Common Name,O=Organization,C=Country
Important:
  • All DNs must be in uppercase. All component name identifiers in the DN must be specified in the order shown in the following table:

    Component name   Value
    CN               The common name for the object of this DN, such as a full name or the intended purpose of a device.
    OU               The unit within the organization with which the object of the DN is affiliated, such as a corporate division or a product name.
    O                The organization with which the object of the DN is affiliated, such as a corporation.
    L                The locality (city or municipality) where the object of the DN is located.
    ST               The state or province name where the object of the DN is located.
    C                The country where the object of the distinguished name (DN) is located.
  • If one or more sender DNs are specified for the policy, only those users can put messages to the queue associated with the policy.
  • Sender DNs, when specified, must exactly match the DN contained in the digital certificate associated with the user putting the message.
  • AMS supports DNs with values only from the Latin-1 character set. To create DNs with characters from that set, you must first create a certificate with a DN that is created in UTF-8 encoding, using UNIX with UTF-8 encoding turned on or the strmqikm GUI. Then you must create a policy from a UNIX platform with UTF-8 encoding turned on, or use the AMS plug-in to IBM® MQ.
  • The method used by AMS to convert the name of the sender from X.509 format to DN format always uses ST= for the State or Province value.
  • The following special characters need escape characters:

        , (comma)
        + (plus)
        " (double quote)
        \ (backslash)
        < (less than)
        > (greater than)
        ; (semicolon)

  • If the Distinguished Name contains embedded blanks, you should enclose the DN in double quotation marks.
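The rules above (uppercase attribute types, the fixed CN,OU,O,L,ST,C order, Latin-1 values, escaping of the listed special characters, quoting when the DN contains blanks, and exact matching against the certificate DN at retrieval time) are easy to get wrong by hand. The following is an added example, not IBM code and not part of the AMS product: a small Python module that assembles a sender DN string from its components, checks an existing DN string against those rules, and performs the exact-match sender check the page describes. It assumes backslash escaping of the special characters, which is the RFC 4514 string convention for DNs; the page lists which characters need escaping but not the escape character itself. The certificate trust check (whether the signer's certificate is in the receiver's keystore) is outside the scope of the example and is only noted in a comment.

```python
"""Build and check AMS sender distinguished names.

Added example, not IBM's code. Assumption: the special characters the page
lists are escaped with a backslash, as in the RFC 4514 DN string form.
"""

# Attribute types in the order the AMS documentation requires them.
DN_ORDER = ("CN", "OU", "O", "L", "ST", "C")

# Characters the page says need an escape character.
SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Prefix each listed special character with a backslash (assumed convention)."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_sender_dn(**components: str) -> str:
    """Assemble a DN string from keyword components, e.g. cn=..., o=..., c=...

    Attribute types are emitted in uppercase and in the required order,
    whatever order and case the caller used. Types not in the page's table
    are rejected rather than silently passed through.
    """
    normalized = {k.upper(): v for k, v in components.items()}
    unknown = set(normalized) - set(DN_ORDER)
    if unknown:
        raise ValueError(f"unsupported DN attribute types: {sorted(unknown)}")
    parts = [f"{attr}={escape_value(normalized[attr])}"
             for attr in DN_ORDER if attr in normalized]
    return ",".join(parts)


def quote_for_command(dn: str) -> str:
    """Enclose the DN in double quotes when it contains embedded blanks."""
    return f'"{dn}"' if " " in dn else dn


def split_rdns(dn: str) -> list:
    """Split a DN string on commas that are not preceded by a backslash."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def validate_sender_dn(dn: str) -> list:
    """Return a list of rule violations; an empty list means the DN is acceptable."""
    problems, positions = [], []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"component without '=': {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        if attr != attr.upper():
            problems.append(f"attribute type not uppercase: {attr!r}")
        attr_u = attr.upper()
        if attr_u not in DN_ORDER:
            problems.append(f"unsupported attribute type: {attr!r}")
            continue
        positions.append(DN_ORDER.index(attr_u))
        if any(ord(ch) > 255 for ch in value):
            problems.append(f"value of {attr_u} contains non-Latin-1 characters")
        j = 0
        while j < len(value):           # find special characters left unescaped
            if value[j] == "\\":
                j += 2
                continue
            if value[j] in SPECIAL:
                problems.append(f"unescaped {value[j]!r} in value of {attr_u}")
            j += 1
    if positions != sorted(positions):
        problems.append("attribute types are not in the order CN,OU,O,L,ST,C")
    return problems


def sender_allowed(cert_subject_dn: str, policy_sender_dns: list) -> bool:
    """Mirror the retrieval-time check: exact string match against the policy list.

    An empty list means any sender is accepted; whether that sender's
    certificate is trusted (present in the receiver's keystore) is a
    separate check not modelled here.
    """
    if not policy_sender_dns:
        return True
    return cert_subject_dn in policy_sender_dns


if __name__ == "__main__":
    # Constructed sample values, not from any real certificate.
    dn = build_sender_dn(cn="Alice Smith", o="Example, Inc", c="GB")
    print(quote_for_command(dn))
    print(validate_sender_dn("cn=Alice,C=GB,O=Example"))
```

Because matching is exact, a policy DN that differs from the certificate DN only in case, spacing or attribute order (for example `S=` instead of the `ST=` that AMS always produces) causes the message to be routed to the error queue on retrieval, so validating the policy string before it is applied saves a round of troubleshooting.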