rogue connection from being established, using a certificate that does not have the proper issuer DN.

When a CHLAUTH command is implemented, the SSLCERTI field is a qualifier that limits the SSLPEERMAP match to certificates whose issuer DN matches the SSLCERTI field. A blank SSLCERTI is like a wildcard and will match any issuer DN. SSLPEER matching checks that the subject DN of the presented certificate matches the one set in a CHLAUTH rule. By combining checks for the SSLPEER and SSLCERTI parameters, a CHLAUTH rule for TYPE(SSLPEERMAP) enables MQ to fully confirm the DNs of both the subject and the issuer.

In this scenario, the Linux queue manager is acting as a TLS/SSL client for the handshake. The SSLPEER and SSLCERTI channel status fields are populated from the remote personal certificate, and then CHLAUTH SSLPEERMAP matching occurs. The CHLAUTH rule allows connections only from certificates that identify the IBM US entity. To match the issuer's certificate information for the certificate created previously in our scenario, the SSLCERTI attribute of the channel will contain the following information:

    "CN=IBMUS, O=IBM, L=Atlanta, C=US"
68 IBM MQ V8 Features and Enhancements

The next example shows how to implement this through the MQ Explorer. Select the channel properties and supply the DN matching information on the SSL tab, as shown in Figure 4-15.

Figure 4-15 The SSLCERTI fields for CHLAUTH SSLPEERMAP checking may be populated through Explorer as part of the channel's SSL properties

To create the CHLAUTH rule through runmqsc commands instead of MQ Explorer, we use the following example of parameters within the command:

    SET CHLAUTH('APPLICATION.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN="IBMUS",O="IBM",L="Atlanta"') SSLCERTI('CN="IBMUS",O="IBM",L="Atlanta"') MCAUSER('vlampkin')

If the channel connection is attempted with a certificate that does not match the DN information, the MQ error logs can be checked for errors. On UNIX, the log might show AMQ9643, indicating an SSLPEER name error on the remote end, or an AMQ9636 error, indicating that the SSL DN does not match the peer name. The AMQ9636 error also provides the channel name and DN information for investigation. On the z/OS platform, the CHINIT job shows the CSQX636E error, as in this example:

    CSQX636E -CSQ1 CSQXRESP Distinguished name does not match peer name, channel LNXV8.CSQ1.SSL.US name='SERIALNUMBER=53:A0:1F:1E,CN=IBMUS,O=IBM,L=Atl...'
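The SSLPEER/SSLCERTI matching described above, as an added illustration that is not IBM MQ code and not from this book: a small Python model that applies a TYPE(SSLPEERMAP) rule to the subject and issuer DNs of a presented certificate, treating a blank SSLCERTI as a wildcard. The function names (parse_dn, dn_matches, evaluate), the trailing-'*' wildcard handling and the case handling are assumptions of this model, not a statement of MQ's exact comparison rules.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added model of CHLAUTH TYPE(SSLPEERMAP) matching, not IBM MQ code. Rule
# semantics follow the text: SSLPEER is checked against the subject DN,
# SSLCERTI against the issuer DN, and a blank SSLCERTI matches any issuer.
# Wildcard and case handling below are simplifying assumptions.

def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'CN="IBMUS",O=IBM,L=Atlanta' into {'CN': 'IBMUS', 'O': 'IBM', ...}.
    Quotes around values are stripped and attribute names upper-cased.
    Assumes no commas inside values (true for every DN on this page)."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        attrs[name.strip().upper()] = value.strip().strip('"')
    return attrs

def dn_matches(filter_dn: str, presented_dn: str) -> bool:
    """Every attribute in filter_dn must appear in presented_dn with the same
    value; a trailing '*' in a filter value matches any suffix (assumption).
    Attributes present only in the presented DN (e.g. C=US) are ignored."""
    wanted, have = parse_dn(filter_dn), parse_dn(presented_dn)
    for name, pattern in wanted.items():
        actual = have.get(name)
        if actual is None:
            return False
        if pattern.endswith("*"):
            if not actual.startswith(pattern[:-1]):
                return False
        elif actual != pattern:
            return False
    return True

@dataclass
class SslPeerMapRule:
    sslpeer: str   # filter applied to the certificate's subject DN
    sslcerti: str  # filter applied to the issuer DN; '' acts as a wildcard
    mcauser: str   # identity the channel runs as when the rule matches

def evaluate(rule: SslPeerMapRule, subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Return the MCAUSER granted by the rule, or None when it does not
    match, which is the situation the text says surfaces as AMQ9636."""
    if not dn_matches(rule.sslpeer, subject_dn):
        return None
    if rule.sslcerti and not dn_matches(rule.sslcerti, issuer_dn):
        return None
    return rule.mcauser
```

A certificate whose subject matches but whose issuer does not is rejected by the full rule yet accepted by a rule with a blank SSLCERTI, which is exactly the gap the issuer check closes.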
Chapter 4. TLS/SSL Digital Certificate Management 69

4.6 Additional TLS/SSL improvements across platforms

IBM MQ V8 has extended security features to make them more robust for various platforms. The SHA-2 support that was provided in previous releases of IBM MQ is extended in MQ V8. SHA-2 support now includes a wide range of SHA-2 CipherSuites for the MQ Explorer, Java and JMS, Telemetry, and Managed File Transfer components.
