SSL/TLS Authorization

MFT Platform Server supports an extension to the standard SSL/TLS processing that allows the system administrator to determine which certificates should be accepted and which should be rejected. This is done by creating an SSLAUTH file. This is supported on all MFT Platform Servers. The format of the file is the same on all platforms, but the way that the file is defined depends on each platform.

For IBM i, the SSLAUTH file is located in IFS or the MFT Platform Server product library as a source physical file. The path is defined in the MFT Platform Server Global Configuration file (see below).

Note: The authorization file checking is above and beyond the authorization checking performed by SSL/TLS. The authorization file is processed only after a certificate has been accepted by SSL/TLS.

The authorization file is compared against the Certificate that was received by the MFT Platform Server. The authorization file is not used on MFT clients. The components of the Certificate's Distinguished Name (DN) are compared to the parameters in the authorization file to determine whether a certificate should be accepted or rejected. On many of the parameters, a generic character is supported. A generic character is defined in a parameter by an *. When a generic character is defined, all characters from that point on are assumed to be a match.

If no authorization file is defined, or a match is not found in the authorization file, the request is accepted. If you want to reject all requests unless defined by the authorization file, then you should insert the following statement as the last entry in the authorization file:

REVOKE

There are two request types supported within the authorization file:
  • ACCEPT - Accept an SSL/TLS request.
  • REVOKE | REJECT - Do not accept an SSL/TLS request.

Both request types accept a variety of parameters. If a parameter is not defined, then that parameter is assumed to be a match. Parameters can be defined on a single line or continued over multiple lines. If an input record ends with a comma (,), the input record is continued on the next record. All parameter data is case sensitive. Be very careful when entering values in mixed-case fields.
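The rules above (default accept when nothing matches, a trailing REVOKE to close the policy, comma continuation, * as a generic character, case-sensitive comparison) as an added example evaluator; this is not the product's code and not taken from its documentation. Beyond what the page states, it assumes that DN components are addressed by parameter names such as CN and O, that the request type is followed by comma-separated NAME=value parameters, and that records are evaluated top-down with the first match deciding (the behaviour a trailing REVOKE implies).

```python
# Added example: evaluate an SSLAUTH-style authorization file against a DN.
# Assumptions (not from the page): parameter names CN/O/OU/C address DN
# components, parameters are NAME=value separated by commas, and the first
# matching record from the top decides the outcome.

def parse_sslauth(text):
    """Parse records into (action, {param: value}); a record whose line ends
    with ',' is continued on the next line."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf += line
        if buf.endswith(","):
            continue                      # continuation: keep accumulating
        parts = buf.split(None, 1)        # request type, then parameters
        buf = ""
        action, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if action not in ("ACCEPT", "REVOKE", "REJECT"):
            raise ValueError(f"unknown request type: {action}")
        params = {}
        for tok in rest.split(","):
            key, sep, value = tok.strip().partition("=")
            if sep:                       # values are kept as-is: case sensitive
                params[key.strip()] = value.strip()
        rules.append(("ACCEPT" if action == "ACCEPT" else "REVOKE", params))
    return rules

def matches(pattern, value):
    """Case-sensitive compare; '*' makes everything from that point a match."""
    head, star, _ = pattern.partition("*")
    return value.startswith(head) if star else value == pattern

def authorize(rules, dn):
    """Return 'ACCEPT' or 'REVOKE' for a DN given as {component: value}.
    An undefined parameter counts as a match; no matching record means ACCEPT."""
    for action, params in rules:
        if all(matches(p, dn.get(k, "")) for k, p in params.items()):
            return action
    return "ACCEPT"

# Constructed sample file: accept the organisation's transfer hosts,
# reject one partner outright, and close the policy with a bare REVOKE.
SAMPLE_SSLAUTH = """\
ACCEPT CN=transfer-*,
       O=Example Corp
REVOKE CN=*, O=Contractors Ltd
REVOKE
"""

if __name__ == "__main__":
    for dn in ({"CN": "transfer-01", "O": "Example Corp"},
               {"CN": "Transfer-01", "O": "Example Corp"}):
        print(dn, "->", authorize(parse_sslauth(SAMPLE_SSLAUTH), dn))
```

Dropping the final REVOKE record from the sample shows the default-accept behaviour the page warns about: a DN that matches nothing is accepted.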