000039284 - 'Host name configured is not listed in subject alternative names of certificate' and 'LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT' errors testing/running AD/LDAP Collectors in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 4, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039284
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
IssueWhen testing a new Active Directory or LDAP Data Collector or an existing Active Directory or LDAP Data Collector that has been migrated from a previous version and/or patch level, the following error occurs in the user interface: (Collectors > {Collector type} > {Collector name} > Test button.) This error occurs whether the certificate is valid or invalid.

Host name configured is not listed in subject alternative names of certificate.Use Skip Certificate validation or fix the certificate to include hostname.

User-added image

The following warning message is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) when using the Test button:

09/04/2020 14:54:43.522 WARN  (default task-19)
problem testing connection in LDAP collector
com.aveksa.common.ConfigException: LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT

If one of the migrated collectors performs a collection run, the following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):

09/04/2020 15:27:57.919 ERROR (ApplyChangesPerformQueryThread-164)
com.aveksa.common.ConfigException: LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHORT

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
CauseThis is a known issue reported in engineering ticket ACM-106947.

This issue occurs because the validation of the trusted certificate is case sensitive instead of being case insensitive. It occurs when a valid certificate is used and the hostname matches the Subject Alternative Name (SAN) of the certificate except for the case. For example, one hostname might be in all uppercase and the other all lowercase or one hostname could be mixed case but not the other, etc.
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. 

The fix will change the behavior of the certificate validation check against the Subject Alternative Name (SAN) attribute in the certificate to ensure it is not case sensitive as per RFC 2549.
WorkaroundChange one of the following settings in the collector definition under (Collectors > {Collector type} > {Collector name} > Edit button.)
  • Change the value of the Host setting in the Collector to match the mixed case value of the Subject Alternative Name (SAN) attribute in the certificate exactly.
  • Disable (untoggle) the Use SSL setting in the Collector (not advisable in Production)
  • Enable (toggle) the Skip Certificate Validation in the Collector (not advisable in Production)

User-added image

Note that if the certificate is invalid because it does not match the hostname for reasons other than case sensitivity, this same error will occur.