rogue connection from being established, using a certificate that does not have the proper issuer DN. When a CHLAUTH rule is defined, the SSLCERTI field is a qualifier that limits the SSLPEERMAP match to certificates whose issuer DN matches the SSLCERTI value. A blank SSLCERTI acts as a wildcard and matches any issuer DN. SSLPEER matching checks that the subject DN of the presented certificate matches the one set in a CHLAUTH rule. By combining checks for the SSLPEER and SSLCERTI parameters, a CHLAUTH rule of TYPE(SSLPEERMAP) enables MQ to fully confirm the DNs of both the subject and the issuer. In this scenario, the Linux queue manager is acting as the TLS/SSL client for the handshake. The SSLPEER and SSLCERTI channel status fields are populated from the remote personal certificate, and then CHLAUTH SSLPEERMAP matching occurs. The CHLAUTH rule allows connections only from certificates that identify the IBM US entity. To match the issuer information of the certificate created previously in this scenario, the SSLCERTI attribute of the channel contains the following value:

"CN=IBMUS, O=IBM, L=Atlanta, C=US"
68 IBM MQ V8 Features and Enhancements

The next example shows how to implement this through MQ Explorer. Select the channel properties and supply the DN matching information on the SSL tab, as shown in Figure 4-15.

Figure 4-15 The SSLCERTI fields for CHLAUTH SSLPEERMAP checking may be populated through Explorer as part of the channel's SSL properties

To create the CHLAUTH rule through runmqsc commands instead of MQ Explorer, use the following parameters within the command:

SET CHLAUTH('APPLICATION.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN="IBMUS",O="IBM",L="Atlanta"') SSLCERTI('CN="IBMUS",O="IBM",L="Atlanta"') MCAUSER('vlampkin')

If the channel connection is attempted with a certificate that does not match the DN information, check the MQ error logs. On UNIX, the log might show AMQ9643, indicating an SSLPEER name error on the remote end, or AMQ9636, indicating that the SSL DN does not match the peer name. The AMQ9636 error also provides the channel name and DN information for investigation. On the z/OS platform, the CHINIT job shows the CSQX636E error, as in this example:

CSQX636E -CSQ1 CSQXRESP Distinguished name does not match peer name, channel LNXV8.CSQ1.SSL.US name='SERIALNUMBER=53:A0:1F:1E,CN=IBMUS,O=IBM,L=Atl...'
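The following Python script is an added example (not from the Redbook and not IBM's code) that models the matching the passage describes and the log triage that follows a failed match: a filter DN is compared against a certificate's subject (SSLPEER) and issuer (SSLCERTI), a blank SSLCERTI accepts any issuer, and a CSQX636E line of the shape quoted above is parsed to pull out the channel and the presented DN. The subject DN, the "Rogue CA" issuer and the log lines are constructed for the example; the model deliberately omits the product's wildcard and multi-OU ordering rules, so read it as an illustration of the subject-only versus subject-plus-issuer difference rather than a reimplementation of MQ.

```python
"""Illustrative model of CHLAUTH TYPE(SSLPEERMAP) matching with SSLPEER and SSLCERTI.

Added example, not IBM MQ code. It models only the behaviour the text describes:
every attribute named in a DN filter must be present in the certificate DN with the
same value, and a blank SSLCERTI matches any issuer. The product's further rules
('*' wildcards, ordering of repeated OU attributes) are deliberately not modelled.
"""
import re
from typing import Dict, Optional

# Split a DN on commas that are outside double-quoted values.
_ATTR_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

# Shape of the z/OS CHINIT message quoted in the text; the DN sits in name='...'.
_CSQX636E = re.compile(
    r"CSQX636E\s+(?P<prefix>\S+)\s+\S+\s+Distinguished name does not match peer name,"
    r"\s+channel\s+(?P<channel>\S+)\s+name='(?P<dn>[^']*)'"
)


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'CN="IBMUS",O=IBM, L=Atlanta' into {'CN': 'IBMUS', 'O': 'IBM', 'L': 'Atlanta'}."""
    attrs: Dict[str, str] = {}
    if not dn.strip():
        return attrs
    for part in _ATTR_SPLIT.split(dn):
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip().strip('"')
    return attrs


def dn_matches(filter_dn: str, cert_dn: str) -> bool:
    """True when every attribute in filter_dn appears in cert_dn with the same value.

    A blank filter matches any DN (the 'blank SSLCERTI is a wildcard' case). Attributes
    the certificate carries but the filter does not name (C=US below) are ignored.
    """
    wanted = parse_dn(filter_dn)
    actual = parse_dn(cert_dn)
    return all(actual.get(key) == value for key, value in wanted.items())


def sslpeermap(rule: Dict[str, str], subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Apply one SSLPEERMAP rule to the presented certificate.

    Returns the MCAUSER the channel would run under, or None when the rule does not
    match, which is the case that surfaces as AMQ9636 / CSQX636E in the logs.
    """
    if not dn_matches(rule.get("SSLPEER", ""), subject_dn):
        return None
    if not dn_matches(rule.get("SSLCERTI", ""), issuer_dn):
        return None
    return rule["MCAUSER"]


def parse_csqx636e(line: str) -> Optional[Dict[str, str]]:
    """Extract command prefix, channel and presented DN from a CSQX636E line, else None."""
    match = _CSQX636E.search(line)
    return match.groupdict() if match else None


# --- Constructed sample data, modelled on the scenario in the text -----------------
TRUSTED_ISSUER = "CN=IBMUS, O=IBM, L=Atlanta, C=US"   # issuer DN given in the text
SUBJECT = "CN=IBMUS,O=IBM,L=Atlanta,C=US"             # constructed subject DN
ROGUE_ISSUER = "CN=Rogue CA, O=Example Corp, C=US"   # hypothetical attacker-run CA

# Same SSLPEER as the runmqsc example; only the SSLCERTI qualifier differs.
RULE_SUBJECT_ONLY = {"SSLPEER": 'CN="IBMUS",O="IBM",L="Atlanta"',
                     "SSLCERTI": "", "MCAUSER": "vlampkin"}
RULE_WITH_ISSUER = dict(RULE_SUBJECT_ONLY, SSLCERTI='CN="IBMUS",O="IBM",L="Atlanta"')

# Constructed CHINIT log lines in the shape quoted in the text (DN invented here).
SAMPLE_LOG = [
    "CSQX500I -CSQ1 CSQXRESP Channel LNXV8.CSQ1.SSL.US started",
    "CSQX636E -CSQ1 CSQXRESP Distinguished name does not match peer name, "
    "channel LNXV8.CSQ1.SSL.US name='CN=Rogue Peer,O=Example Corp,C=US'",
]


if __name__ == "__main__":
    for name, rule in (("subject only", RULE_SUBJECT_ONLY), ("subject+issuer", RULE_WITH_ISSUER)):
        for issuer in (TRUSTED_ISSUER, ROGUE_ISSUER):
            print(f"{name:15} issuer={issuer!r:40} -> {sslpeermap(rule, SUBJECT, issuer)}")
    for line in SAMPLE_LOG:
        print(parse_csqx636e(line))
```

Running the script shows the point of the passage directly: with a blank SSLCERTI the rule maps a certificate from the rogue CA to vlampkin as long as its subject reads CN=IBMUS,O=IBM,L=Atlanta, whereas the rule that also sets SSLCERTI returns None for that certificate and accepts only the one issued by the expected CA.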
Chapter 4. TLS/SSL Digital Certificate Management 69

4.6 Additional TLS/SSL improvements across platforms

IBM MQ V8 extends its security features to make them more robust across platforms. The SHA-2 support that was provided in previous releases of IBM MQ is extended in MQ V8: SHA-2 support now includes a wide range of SHA-2 CipherSuites for the MQ Explorer, Java and JMS, Telemetry, and Managed File Transfer components.