SSL Authorization Parameters

MFT Platform Server supports an extension to standard SSL processing with which the system administrator can determine which certificates to accept and which to reject. This is done by creating an SSLAUTH file. This feature is supported on all MFT Platform Servers. The format of the file is the same on all platforms, but the way in which the file is defined depends on the platform.

See the following table for the name of the SSL authorization file on each platform.

Platform   Default Location                 File Name
z/OS       SAMPLIB                          SSLAUTH
Windows    C:\tibco\MFT Platform Server     Sslauth
UNIX       $CFROOT/config                   SSLAuth

Note: Authorization file checking is performed in addition to the standard SSL authorization checking. Only a certificate that has already been accepted by SSL is checked against the authorization file.

The authorization file is compared against the certificate that is received by MFT Platform Server. The authorization file is not used on the client. The components of the Distinguished Name (DN) of the certificate are compared to the parameters in the authorization file to determine whether the certificate can be accepted. Many of the parameters support a generic character. A generic character is defined in a parameter by an asterisk (*). When a generic character is defined, all characters from that point on are assumed to be a match.

If no authorization file is defined, or no entry in the authorization file matches, the request is accepted. If you want to reject all requests that are not explicitly accepted by the authorization file, you must insert the following statement as the last entry in the authorization file:

REVOKE

The authorization file supports the following two request types:

ACCEPT Accept an SSL request

REVOKE | REJECT Do not accept an SSL request

Both request types accept a variety of parameters. If a parameter is not defined, that parameter is assumed to be a match. Parameters can be defined on a single line or continued over multiple lines: if an input record ends with a comma (,), the record is continued on the next record. All parameter data is case sensitive, so be careful when entering values for mixed-case fields.

The following parameters are supported in the authorization file. These parameters must be defined in uppercase.

Parameter Description
/CN Defines the Common Name in the certificate. This is usually the name of the person requesting the certificate. Generic entries are supported.
/OU Defines the Organization Unit in the certificate, also known as the Department. Generic entries are supported.
/O Defines the Organization in the certificate, also known as the Company. Generic entries are supported.
/L Defines the Locality in the certificate, also known as the City. Generic entries are supported.
/ST Defines the State/Province in the certificate. Generic entries are supported.
/C Defines the Country in the certificate. Generic entries are supported.
/SN Defines the Serial Number in the certificate. Generic entries are not supported.
/SDATE Defines the start date for the certificate, in the format ccyymmdd. Generic entries are not supported. The start date is compared against the date on which the platform server receives the transfer request. If the start date is before the current date, SSLAUTH processing checks the next parameter. If the start date is after the current date, the transfer request is terminated and an error is sent to the remote system.
/STIME Defines the start time for the certificate, in the format hhmm. Generic entries are not supported. The start time is checked only if the SDATE parameter exactly matches the current date. The start time is compared against the time at which the platform server receives the transfer request. If the start time is before the current time, SSLAUTH processing checks the next parameter. If the start time is after the current time, the transfer request is terminated and an error is sent to the remote system.
/EDATE Defines the end date for the certificate, in the format ccyymmdd. Generic entries are not supported. The end date is compared against the date on which the platform server receives the transfer request. If the end date is after the current date, SSLAUTH processing checks the next parameter. If the end date is before the current date, the transfer request is terminated and an error is sent to the remote system.
/ETIME Defines the end time for the certificate, in the format hhmm. Generic entries are not supported. The end time is checked only if the EDATE parameter exactly matches the current date. The end time is compared against the time at which the platform server receives the transfer request. If the end time is after the current time, SSLAUTH processing checks the next parameter. If the end time is before the current time, the transfer request is terminated and an error is sent to the remote system.
/USER This parameter is supported only on z/OS. It lets the administrator define a user ID that is used when an SSL certificate is accepted. This user ID overrides the user ID associated with the file transfer, so the remote user does not need to know any user ID or password on the z/OS system.

The following examples show how authorization file processing works:

Accept /OU=Marketing/O=TIBCO

revoke

MFT Platform Server accepts all certificates defined with an Organization of TIBCO and an Organization Unit of Marketing. It rejects all other certificates.

REVOKE /SN=987654

REVOKE /SN=12:34:56

ACCEPT

MFT Platform Server rejects any certificates with a serial number of 987654 or 123456. It accepts all other certificates.

Accept /OU=ACCT*/O=ACME

revoke

MFT Platform Server accepts all certificates defined with an Organization of ACME and an Organization Unit starting with ACCT. It rejects all other certificates.

Accept /CN=Joe*,
/L=New York,
/ST=NY,
/C=US,
/OU=Dept1,
/O=ACME,
/SDATE=20051201,
/EDATE=20061130

revoke

MFT Platform Server accepts all certificates that match the information defined by the /CN, /L, /ST, /C, /OU, and /O parameters. The certificate is valid from 1 December 2005 until 30 November 2006. If the certificate is received before 1 December 2005 or after 30 November 2006, the request is rejected. All other certificates not matching these criteria are rejected.
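The following Python model of the rules above is an added example, not TIBCO's code, and does not claim to mirror the product's implementation. It assumes first-match evaluation (implied by the instruction to place REVOKE last), treats request types case-insensitively as the page's own mixed-case examples suggest, and uses a constructed sample file and constructed DNs.

```python
# Constructed SSLAUTH file (not from a real deployment); the ACCEPT entry uses comma continuation.
SAMPLE_SSLAUTH = """\
REVOKE /SN=987654
Accept /CN=Joe*,
/OU=Dept1,
/O=ACME,
/SDATE=20051201,
/EDATE=20061130
revoke
"""
GENERIC_OK = {"CN", "OU", "O", "L", "ST", "C"}   # parameters that allow '*'

def parse_sslauth(text):
    """Join comma-continued records; return [(action, {param: value}), ...]."""
    rules, buf = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(","):                        # continued on the next record
            buf += line[:-1]
            continue
        action, _, rest = (buf + line).partition(" ")
        buf = ""
        # Assumption: request types are case-insensitive (the page's own examples
        # mix "Accept" and "revoke"); parameter names and data stay case sensitive.
        params = dict(p.split("=", 1) for p in rest.split("/") if p)
        rules.append((action.upper(), params))
    return rules

def _check(params, dn, today, clock):
    """MATCH, NOMATCH, or TERMINATE; today is ccyymmdd, clock is hhmm (strings sort)."""
    for key, pat in params.items():
        have = dn.get(key, "")
        if key in GENERIC_OK and "*" in pat:          # '*' matches everything after it
            if not have.startswith(pat[:pat.index("*")]): return "NOMATCH"
        elif key in GENERIC_OK or key == "SN":        # exact, case-sensitive compare
            if have != pat: return "NOMATCH"
        elif key == "SDATE" and (pat > today or
                pat == today and params.get("STIME", "0000") > clock):
            return "TERMINATE"                        # start date/time not yet reached
        elif key == "EDATE" and (pat < today or
                pat == today and params.get("ETIME", "2359") < clock):
            return "TERMINATE"                        # end date/time already passed
    return "MATCH"                                    # parameters not defined always match

def evaluate(rules, dn, today, clock="1200"):
    """First matching entry decides; with no match at all the request is accepted."""
    for action, params in rules:
        outcome = _check(params, dn, today, clock)
        if outcome == "TERMINATE": return "REJECT"    # transfer request terminated
        if outcome == "MATCH": return "ACCEPT" if action == "ACCEPT" else "REJECT"
    return "ACCEPT"
```

Running `evaluate(parse_sslauth(SAMPLE_SSLAUTH), dn, "20060601")` against a DN for "Joe Smith" in Dept1 at ACME returns "ACCEPT", while a lower-case "dept1" or a date outside the SDATE/EDATE window returns "REJECT".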