VERIFY_HOST_NAME - UCTL Manager configuration option
Description
The VERIFY_HOST_NAME option specifies whether or not the Universal Broker's X.509 certificate identity is verified.
Verification consists of verifying that the certificate is issued by a trusted CA. The CA_CERTIFICATES option specifies which CA certificates are considered trusted.
The identity is verified by matching the value specified by VERIFY_HOST_NAME to the Universal Broker's certificate host value.
The following certificate fields are matched in the order listed:
- X.509 v3 dNSName field of the subjectAltName extension value
- X.509 commonName attribute of the subject field's Distinguished Name (DN) value
- X.509 v3 iPAddress field of the subjectAltName extension value
One of these fields must match for identification to be considered successful. If either verification or identification fails, the session is rejected and the Universal Control Manager terminates.
Usage
Method | Syntax | IBM i | UNIX | Windows | z/OS |
Command Line, Short Form | n/a | | | | |
Command Line, Long Form | -verify_host_name option | | | | |
Environment Variable | UCTLVERIFYHOSTNAME=option | | | | |
Configuration File Keyword | verify_host_name option | | | | |
STRUCT Parameter | VFYHSTNM(option) | | | | |
Values
option is the specification for whether or not the X.509 certificate identity is verified.
Valid values for option are:
- yes
  Certificate identity is verified using the host name specified by the REMOTE_HOST option.
- no
  Certificate identity is not verified.
- hostname
  Certificate identity is verified using hostname. The value hostname can be a DNS host name or an IP address.
Default is no.
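The following Python sketch is an added example, not Universal Agent code. It models the field matching order from the Description and the three option values from Values, so the effect of each setting can be checked against a certificate's fields. The function names, the dictionary layout of the certificate, and the comparison rules (case-insensitive exact match for names, numeric comparison for IP addresses, no wildcard handling) are assumptions; the trusted-CA check is out of scope here.

```python
import ipaddress

def resolve_expected_host(option, remote_host):
    """Map a VERIFY_HOST_NAME value to the identity to check (None = not verified)."""
    value = option.strip()
    if value.lower() == "no":        # the default: identity is not verified
        return None
    if value.lower() == "yes":       # use the host given by REMOTE_HOST
        return remote_host
    return value                     # explicit DNS host name or IP address

def _same_ip(a, b):
    """Compare two addresses numerically; non-IP input never matches."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def match_identity(cert, expected):
    """Return the first matching field, tried in the order the page lists."""
    want = expected.lower()
    if any(name.lower() == want for name in cert.get("san_dns", [])):
        return "subjectAltName dNSName"
    if (cert.get("subject_cn") or "").lower() == want:
        return "subject commonName"
    if any(_same_ip(addr, expected) for addr in cert.get("san_ip", [])):
        return "subjectAltName iPAddress"
    return None

def check_broker(cert, option, remote_host):
    """Outcome of the identity step for one connection attempt."""
    expected = resolve_expected_host(option, remote_host)
    if expected is None:
        return "not verified"        # any certificate identity is accepted
    field = match_identity(cert, expected)
    return f"accepted via {field}" if field else "rejected"

# Constructed sample: fields of a hypothetical Broker certificate.
BROKER_CERT = {
    "san_dns": ["broker01.example.com"],
    "subject_cn": "broker01",
    "san_ip": ["192.0.2.10"],
}

if __name__ == "__main__":
    for option, host in [("no", "198.51.100.7"),
                         ("yes", "broker01.example.com"),
                         ("yes", "198.51.100.7"),
                         ("192.0.2.10", "198.51.100.7")]:
        print(f"{option!r:>14} REMOTE_HOST={host}: "
              f"{check_broker(BROKER_CERT, option, host)}")
```

With the default of no, the first case reports "not verified" for a host the certificate does not name, while the same host under yes is rejected.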