'Host name configured is not listed in subject alternative names of certificate' and 'LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT' errors testing/running AD/LDAP Collectors in RSA Identity Governance & Lifecycle
4 years ago
Originally Published: 2020-09-04
Article Number
000042561
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
 
Issue
When testing a new Active Directory or LDAP Data Collector or an existing Active Directory or LDAP Data Collector that has been migrated from a previous version and/or patch level, the following error occurs in the user interface: (Collectors > {Collector type} > {Collector name} > Test button.) This error occurs whether the certificate is valid or invalid.

Host name configured is not listed in subject alternative names of certificate.Use Skip Certificate validation or fix the certificate to include hostname.

User-added image

The following warning message is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) when using the Test button: 
09/04/2020 14:54:43.522 WARN  (default task-19) 
[com.aveksa.gui.pages.admin.collector.utils.CollectorUtilsLDAP$1] 
problem testing connection in LDAP collector
com.aveksa.common.ConfigException: LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT

If one of the migrated collectors performs a collection run, the following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log): 
09/04/2020 15:27:57.919 ERROR (ApplyChangesPerformQueryThread-164) 
[com.aveksa.server.agent.message.ExceptionMessage] 
com.aveksa.common.ConfigException: LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
 
Cause
This is a known issue reported in engineering ticket ACM-106947.

This issue occurs because the validation of the trusted certificate is case sensitive instead of being case insensitive. It occurs when a valid certificate is used and the hostname matches the Subject Alternative Name (SAN) of the certificate except for the case. For example, one hostname might be in all uppercase and the other all lowercase or one hostname could be mixed case but not the other, etc.
 
Resolution
This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. 

The fix will change the behavior of the certificate validation check against the Subject Alternative Name (SAN) attribute in the certificate to ensure it is not case sensitive as per RFC 2549.
 
Workaround
Change one of the following settings in the collector definition under (Collectors > {Collector type} > {Collector name} > Edit button.)
  • Change the value of the Host setting in the Collector to match the mixed case value of the Subject Alternative Name (SAN) attribute in the certificate exactly.
  • Disable (untoggle) the Use SSL setting in the Collector (not advisable in Production)
  • Enable (toggle) the Skip Certificate Validation in the Collector (not advisable in Production)
User-added image
Notes

Note that if the certificate is invalid because it does not match the hostname for reasons other than case sensitivity, this same error will occur.


 

Related Articles

Trending Articles

Don't see what you're looking for?