Why you need to check that SSLPEER values have correctly ordered OU entries

This section explains why you will have to change the order of the OU entries in your SSLPEER values if you are migrating from a WebSphere® MQ Version 5.3 Fix Pack 7 or earlier installation.

Every SSL certificate contains a Distinguished Name (DN), used to uniquely identify the person or organization the certificate was issued to. The following attribute types are commonly found in the certificate's Distinguished Name field:

CN - Common Name
T - Title
O - Organization Name
OU - Organizational Unit Name
L - Locality Name
ST (or SP or S) - State or Province Name
C - Country

The certificate Distinguished Name can contain multiple OU attributes, listed in descending hierarchical order. For example, a certificate Distinguished Name could be specified as:

CN='QM2', O='IBM', C='GB', L='Hursley', OU='Software Group', OU='Middleware', OU='MQ'

If a WebSphere MQ SSL channel has been configured with an optional SSLPEER value, that value is compared, after the SSL handshake, with the Distinguished Name in any certificate received. If the values match, the connection is allowed; otherwise the connection is refused. In WebSphere MQ Version 5.3 Fix Pack 7 or earlier, channel definitions containing SSLPEER values with multiple OUs were entered in ascending hierarchical order on Windows® only; on all other platforms they were entered in descending hierarchical order. For example, on Windows:

CN='QM2', O='IBM', C='GB', L='Hursley', OU='MQ', OU='Middleware', OU='Software Group'

These differing approaches to specifying multiple OUs were resolved at Fix Pack 8 - multiple OUs are now always specified in descending hierarchical order in the SSLPEER value on all platforms.
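The following Python script is an added illustration, not part of the original documentation and not the queue manager's own matching code (which also supports wildcards and other rules this simplified model omits). It parses the two DN strings from this page, shows that a pre-Fix Pack 8 Windows-ordered SSLPEER no longer matches the certificate once OUs are compared in descending hierarchical order, and rewrites such a value into the Fix Pack 8 form by reversing its OU entries.

```python
import re
from typing import Dict, List, Tuple

# Sample values constructed from the DN examples on this page.
CERT_DN = "CN='QM2', O='IBM', C='GB', L='Hursley', OU='Software Group', OU='Middleware', OU='MQ'"
SSLPEER_FP8 = "CN='QM2', O='IBM', C='GB', L='Hursley', OU='Software Group', OU='Middleware', OU='MQ'"
SSLPEER_OLD_WINDOWS = "CN='QM2', O='IBM', C='GB', L='Hursley', OU='MQ', OU='Middleware', OU='Software Group'"

# One attribute of the form  TYPE='value'  followed by a comma or end of string.
_ATTR = re.compile(r"\s*([A-Za-z]+)\s*=\s*'([^']*)'\s*(?:,|$)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs, preserving the order OUs were written in."""
    pairs: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(dn):
        m = _ATTR.match(dn, pos)
        if not m:
            raise ValueError(f"cannot parse DN near: {dn[pos:]!r}")
        pairs.append((m.group(1).upper(), m.group(2)))
        pos = m.end()
    return pairs


def group_attrs(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collect values per attribute type; multi-valued types such as OU keep their order."""
    grouped: Dict[str, List[str]] = {}
    for attr_type, value in pairs:
        grouped.setdefault(attr_type, []).append(value)
    return grouped


def sslpeer_matches(sslpeer: str, cert_dn: str) -> bool:
    """Simplified model (assumption, not MQ's real algorithm): every attribute in SSLPEER
    must be present in the certificate DN, and repeated attributes (OU) must appear in the
    same descending hierarchical order. Reversed OU order therefore fails to match."""
    want = group_attrs(parse_dn(sslpeer))
    have = group_attrs(parse_dn(cert_dn))
    return all(have.get(attr_type) == values for attr_type, values in want.items())


def migrate_windows_sslpeer(sslpeer: str) -> str:
    """Convert a pre-Fix Pack 8 Windows SSLPEER (OUs ascending) to the Fix Pack 8 form
    (OUs descending) by reversing the OU values and leaving other attributes untouched."""
    pairs = parse_dn(sslpeer)
    reversed_ous = [value for attr_type, value in pairs if attr_type == "OU"][::-1]
    migrated = [(t, reversed_ous.pop(0) if t == "OU" else v) for t, v in pairs]
    return ", ".join(f"{t}='{v}'" for t, v in migrated)
```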