VERIFY_HOST_NAME - UDM Manager configuration option

Description

The VERIFY_HOST_NAME option specifies whether or not the Universal Broker's X.509 certificate identity is verified.

  • For a two-party transfer session, VERIFY_HOST_NAME option specifies whether or not the UDM Manager originating the session should verify the UDM server's Universal Broker X.509 certificate identity.
  • For a three-party transfer session, VERIFY_HOST_NAME option specifies whether or not the UDM Manager originating the session should verify the primary server's Universal Broker X.509 certificate identity.

Verification consists of verifying that the certificate is issued by a trusted CA. The CA_CERTIFICATES option specifies which CA certificates are considered trusted.

The identity is verified by matching the value specified by VERIFY_HOST_NAME to the Universal Broker's certificate host value.

The following certificate fields can be matched:

  • X.509 commonName attribute of the subject field's Distinguished Name (DN) value
  • X.509 v3 dNSName field of the subjectAltName extension value
  • X.509 v3 iPAddress field of the subjectAltName extension value

One of these fields must match for identification to be considered successful. If either verification or identification fails, the session is rejected and the UCMD Manager terminates.

Usage

Method

Syntax

IBM i

UNIX

Windows

z/OS

Command Line, Short Form

n/a





Command Line, Long Form

-verify_host_name option


(tick)

(tick)

(tick)

Environment Variable

UDMVERIFYHOSTNAME=option


(tick)

(tick)


Configuration File Keyword

verify_host_name option


(tick)

(tick)

(tick)

STRUCM Parameter

n/a





Values

option is the specification for whether or not the X.509 certificate identity is verified.

Valid values for option are:

  • no
    Certificate identity is not verified.
  • yes
    UDM Manager will verify the host name of the UDM Server (two-party transfer), or Primary server will verify the host name of the Secondary server (three-party transfer), against the name contained in the server's Broker X.509 certificate.
  • host name
    Certificate identity is verified using the host name.


Default is no.