VERIFY_HOST_NAME - UDM Manager configuration option
Description
The VERIFY_HOST_NAME option specifies whether or not the Universal Broker's X.509 certificate identity is verified.
- For a two-party transfer session, the VERIFY_HOST_NAME option specifies whether or not the UDM Manager originating the session should verify the UDM Server's Universal Broker X.509 certificate identity.
- For a three-party transfer session, the VERIFY_HOST_NAME option specifies whether or not the UDM Manager originating the session should verify the primary server's Universal Broker X.509 certificate identity.
Verification consists of verifying that the certificate is issued by a trusted CA. The CA_CERTIFICATES option specifies which CA certificates are considered trusted.
The identity is verified by matching the value specified by VERIFY_HOST_NAME to the Universal Broker's certificate host value.
The following certificate fields can be matched:
- X.509 commonName attribute of the subject field's Distinguished Name (DN) value
- X.509 v3 dNSName field of the subjectAltName extension value
- X.509 v3 iPAddress field of the subjectAltName extension value
One of these fields must match for identification to be considered successful. If either verification (CA trust) or identification (host name match) fails, the session is rejected and the UDM Manager terminates.
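The three-field identification rule above, as an added example that is not Stonebranch's code: it matches a VERIFY_HOST_NAME value against a constructed Broker certificate laid out the way Python's ssl.getpeercert() returns one, and applies the no / yes / host-name semantics described on this page. Case-insensitive name comparison, address-level (not string) IP comparison and the absence of wildcard handling are assumptions of this example, and CA-trust checking (CA_CERTIFICATES) is assumed to have happened first.

```python
import ipaddress

# Constructed peer certificate in the dict layout returned by Python's
# ssl.SSLSocket.getpeercert(); the names and address are made up.
BROKER_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "broker.example.com"),)),
    "subjectAltName": (("DNS", "broker.example.com"),
                       ("DNS", "ubroker-primary.example.com"),
                       ("IP Address", "2001:db8::10")),
}

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for (attr, v) in rdn
            if attr == "commonName"]

def _san(cert, kind):
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == kind]

def identify(cert, expected):
    """Return which certificate field matched `expected`, or None."""
    name = expected.strip().lower()
    # 1. commonName attribute of the subject DN
    if any(cn.lower() == name for cn in _common_names(cert)):
        return "commonName"
    # 2. dNSName entries of the subjectAltName extension
    if any(d.lower() == name for d in _san(cert, "DNS")):
        return "dNSName"
    # 3. iPAddress entries, compared as addresses so that 2001:db8::10 and
    #    its fully expanded spelling are treated as the same identity
    try:
        want = ipaddress.ip_address(expected.strip())
    except ValueError:
        return None          # expected value is not an IP address at all
    for ip in _san(cert, "IP Address"):
        try:
            if ipaddress.ip_address(ip) == want:
                return "iPAddress"
        except ValueError:
            continue         # malformed SAN entry never matches
    return None

def accept_session(option, connected_host, cert):
    """Apply a VERIFY_HOST_NAME value (no / yes / explicit host name)."""
    if option.lower() == "no":
        return True          # identity is not verified at all
    expected = connected_host if option.lower() == "yes" else option
    return identify(cert, expected) is not None
```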
Usage
Method | Syntax | IBM i | UNIX | Windows | z/OS
--- | --- | --- | --- | --- | ---
Command Line, Short Form | n/a | | | |
Command Line, Long Form | -verify_host_name option | | | |
Environment Variable | UDMVERIFYHOSTNAME=option | | | |
Configuration File Keyword | verify_host_name option | | | |
STRUCM Parameter | n/a | | | |
Values
option is the specification for whether or not the X.509 certificate identity is verified.
Valid values for option are:
- no
  Certificate identity is not verified.
- yes
  UDM Manager will verify the host name of the UDM Server (two-party transfer), or Primary server will verify the host name of the Secondary server (three-party transfer), against the name contained in the server's Broker X.509 certificate.
- host name
  Certificate identity is verified using the host name.
Default is no.