SSL Authorization Parameters
The format of the SSLAUTH file is the same on all platforms, but the way that the file is defined depends on each platform.
See the following table for the SSL authorization file on each platform.
| Platform | File Name | Default Location |
|---|---|---|
| z/OS | SSLAUTH | SAMPLIB |
| Windows | SslAuth or | |
| UNIX | SSLAUTH | /MFT Platform Server/samples |
The authorization file is compared against the certificate that is received by the Platform Server. The authorization file is not used on Platform Server clients. The components of the certificate Distinguished Name (DN) are compared to the parameters in the authorization file to determine whether a certificate is accepted or rejected.
Many of the parameters support a generic character. A generic character is defined in a parameter by an asterisk (*). When a generic character is defined, all characters from that point on are assumed to be a match.
If no authorization file is defined, or a match is not found in the authorization file, the request is accepted. If you want to reject all requests unless defined by the authorization file, then you must insert the following statement as the last entry in the authorization file:
REVOKE
The following two request types are supported within the authorization file:

- ACCEPT: Accepts an SSL request.
- REVOKE | REJECT: Does not accept an SSL request.

Both request types accept a variety of parameters. If a parameter is not defined, then that parameter is assumed to be a match. Parameters can be defined on a single line or continued over multiple lines: if the input record ends with a comma (,), the input record is continued on the next record. All parameter data is case sensitive, so take care when entering values in mixed case.
See the following table for parameters you can define in the authorization file.
| Parameter | Description |
|---|---|
| /CN | Defines the common name to match in the certificate. This is usually the name of the person who is requesting the certificate. Generic entries are supported. |
| /OU | Defines the organization unit to match in the certificate. This is also known as the department. Generic entries are supported. |
| /O | Defines the organization to match in the certificate. This is also known as the company. Generic entries are supported. |
| /L | Defines the locality to match in the certificate. This is also known as the city. Generic entries are supported. |
| /ST | Defines the state/province to match in the certificate. Generic entries are supported. |
| /C | Defines the country to match in the certificate. Generic entries are supported. |
| /SN | Defines the serial number to match in the certificate. Generic entries are not supported. |
| /SDATE | Defines the start date for the certificate in the format ccyymmdd. Generic entries are not supported. The start date is compared against the date when the transfer request is received by the Platform Server. If the start date is before the current date, then |
| /STIME | Defines the start time for the certificate in the format hhmm. Generic entries are not supported. The start time is only checked if the |
| /EDATE | Defines the end date for the certificate in the format ccyymmdd. Generic entries are not supported. The end date is compared against the date when the transfer request is received by the Platform Server. If the end date is after the current date, then |
| /ETIME | Defines the end time for the certificate in the format hhmm. Generic entries are not supported. The end time is only checked if the |
| /USER | Defines a user ID that is used when an SSL certificate is accepted. This parameter is only supported on z/OS, and it should only be used by the system administrator. This user ID overrides the user ID associated with the file transfer. With this option, the remote user does not need to know a user ID and password on the z/OS system. |
See the following examples of authorization file processing:

```
Accept /OU=Marketing/O=TIBCO
revoke
```

The Platform Server accepts all certificates defined with an organization of TIBCO and an organization unit of Marketing, and rejects all other certificates.

```
REVOKE /SN=987654
REVOKE /SN=12:34:56
ACCEPT
```

The Platform Server rejects any certificates with a serial number of 987654 or 123456, and accepts all other certificates.

```
Accept /OU=ACCT*/O=ACME
revoke
```

The Platform Server accepts all certificates defined with an organization of ACME and an organization unit starting with ACCT, and rejects all other certificates.

```
Accept /CN=Joe*, /L=New York, /ST=NY, /C=US, /OU=Dept1, /O=ACME, /SDATE=20081201, /EDATE=20091130
revoke
```

The Platform Server accepts all certificates that match the information defined by the /CN, /L, /ST, /C, /OU, and /O parameters. The certificate is valid from December 1, 2008 until November 30, 2009. If the certificate is received before December 1, 2008 or after November 30, 2009, the request is rejected. All other certificates not matching these criteria are rejected.
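The following simulator, an added example that is not part of the product or this page, reproduces the matching rules described above so that an authorization file can be checked against a certificate DN before it is deployed: comma continuation records, case-sensitive values, the trailing `*` generic on /CN, /OU, /O, /L, /ST and /C, exact /SN, the /SDATE and /EDATE window, and the default of accepting when nothing matches. It assumes (the page does not state it verbatim) that entries are evaluated top to bottom with the first matching entry deciding, and that an entry with no parameters matches every certificate, which is how the `revoke` catch-all in the examples behaves. /STIME, /ETIME and /USER are parsed but not evaluated, since the page does not fully specify their semantics. All sample files and DNs are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Added illustration of the SSLAUTH matching rules; not TIBCO's code.
# Assumptions: entries are evaluated top to bottom and the first match
# decides; an entry with no parameters matches every certificate.

PARAM_RE = re.compile(r"/([A-Za-z]+)=([^/,]*)")   # /NAME=value; value ends at the next '/' or ','
GENERIC_OK = {"CN", "OU", "O", "L", "ST", "C"}      # '*' supported here; /SN and the dates are exact


@dataclass
class Entry:
    action: str                                 # "ACCEPT" or "REJECT"
    params: dict = field(default_factory=dict)  # parameter name -> pattern


def join_continuations(lines):
    """A record that ends with a comma continues on the next record."""
    records, buf = [], ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        buf += line
        if not buf.endswith(","):
            records.append(buf)
            buf = ""
    if buf:
        records.append(buf.rstrip(","))
    return records


def parse_sslauth(text):
    """Parse authorization-file text into an ordered list of entries."""
    entries = []
    for record in join_continuations(text.splitlines()):
        head, sep, rest = record.partition("/")
        keyword = head.strip().upper()          # the request keyword appears in either case in the examples
        if keyword == "ACCEPT":
            action = "ACCEPT"
        elif keyword in ("REVOKE", "REJECT"):
            action = "REJECT"
        else:
            raise ValueError(f"unknown request type in record: {record!r}")
        # parameter names are normalised; values keep their case (matching is case sensitive)
        params = {name.upper(): value.strip() for name, value in PARAM_RE.findall(sep + rest)}
        entries.append(Entry(action, params))
    return entries


def ccyymmdd(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def value_matches(name, pattern, actual):
    """Case-sensitive comparison; a trailing '*' matches everything from that point on."""
    if name in GENERIC_OK and pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    return actual == pattern


def entry_matches(entry, dn, received):
    """Every parameter present must match; a parameter that is not defined is a match."""
    for name, pattern in entry.params.items():
        if name == "SDATE":
            if received < ccyymmdd(pattern):
                return False
        elif name == "EDATE":
            if received > ccyymmdd(pattern):
                return False
        elif name in ("STIME", "ETIME", "USER"):
            continue    # time-of-day checks and the z/OS user override are not modelled here
        elif not value_matches(name, pattern, dn.get(name, "")):
            return False
    return True


def evaluate(entries, dn, received=None):
    """Return 'ACCEPT' or 'REJECT' for a certificate DN received on the given date."""
    received = received or date.today()
    for entry in entries:
        if entry_matches(entry, dn, received):
            return entry.action
    return "ACCEPT"     # no authorization file, or no matching entry: the request is accepted


# Constructed sample: the page's last example, written with a continuation record.
SAMPLE_FILE = """\
Accept /CN=Joe*, /L=New York, /ST=NY, /C=US,
       /OU=Dept1, /O=ACME, /SDATE=20081201, /EDATE=20091130
revoke
"""
SAMPLE_DN = {"CN": "Joe Bloggs", "L": "New York", "ST": "NY", "C": "US", "OU": "Dept1", "O": "ACME"}

if __name__ == "__main__":
    rules = parse_sslauth(SAMPLE_FILE)
    print(evaluate(rules, SAMPLE_DN, date(2009, 6, 1)))                       # ACCEPT: inside the window
    print(evaluate(rules, SAMPLE_DN, date(2010, 1, 1)))                       # REJECT: after /EDATE
    print(evaluate(rules, dict(SAMPLE_DN, CN="Jane Doe"), date(2009, 6, 1)))  # REJECT: /CN=Joe* fails
```

Because the DN comparison is exact and case sensitive, the simulator is also a quick way to catch the mixed-case mistakes the page warns about: `/OU=acct*` will never match a certificate whose OU is `ACCTPAY`, and the request then falls through to whatever entry follows.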