I'm working on an upgrade of RSA IG&L to v7.1 SP1, and upgraded the JDK to 1.8.0_u191. The upgrade was successful, however...
Now Active Directory collectors fail with an error "Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x found" unless I check the "Skip SSL Certificate validation".
I've found and read this KB article: 000036712 - LDAP Collector reports "No subject alternative names matching IP address n.n.n.n found" in RSA Identity Governance & Lifecycle, and verified that the certificate returned by the AD server contains the domain name used in the collector configuration.
Collector configuration: Host: subdomain.domain.com
Certificate presented contains:
Subject: C=US, O=OrgName, OU=Department, CN=dc-hostname.subdomain.domain.com
X509v3 Subject Alternative Name:
DNS:dc-hostname.subdomain.domain.com, DNS:subdomain.domain.com, DNS:dc-hostname
Given those details, the collector should verify that the certificate matches the round-robin domain name included in the collector configuration. The cacerts truststore contains both the root and intermediate certificate authorities, and they are also manually added to the OS certificate truststore in /var/lib/certificates. Using the "openssl verify certificate.pem" command does verify the server certificate as OK.
Are Microsoft Active Directory certificates (or LDAPS certificates) required to have the IP address listed as a Subject Alternative Name? I cannot find any documentation that says so. None of our other domain controllers have certificates with IP addresses.
Is the LDAP collector process not properly receiving and comparing the hostname/domain name to the received certificate from the collector configuration? Is it only receiving the IP address and cannot compare the hostname/domain name provided in the collector configuration?
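The wording of the exception quoted above is the one the JDK's hostname checker produces when the name it was asked to verify is an IP literal rather than a DNS name: for an IP target it looks only at IP-type SAN entries, so a certificate carrying only DNS SANs (like the one in the question) can never match, no matter how valid the chain is. The following Python script is an added illustration of that matching rule, not code from RSA IG&L, the JDK or the original post. It reproduces RFC 6125-style endpoint identification over the SAN list shown above (embedded as constructed sample data) and shows that the same certificate passes when the target is subdomain.domain.com and fails when the target is an IP address; the sample IP 10.0.0.5 and the function names are assumptions for the example.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample: the SAN entries from the certificate quoted in the question,
# in the (type, value) tuple form that Python's ssl.getpeercert()['subjectAltName'] uses.
SAMPLE_SAN = (
    ("DNS", "dc-hostname.subdomain.domain.com"),
    ("DNS", "subdomain.domain.com"),
    ("DNS", "dc-hostname"),
)


def is_ip_literal(target: str) -> bool:
    """True if the connection target is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must not match across label boundaries or a bare public suffix.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_endpoint(target: str, san_entries: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Apply endpoint identification the way TLS clients (including the JDK) do.

    An IP-literal target is compared only against 'IP Address' SAN entries;
    a DNS-name target is compared only against 'DNS' SAN entries.
    Returns (ok, reason) so the caller can log why verification failed.
    """
    entries = list(san_entries)
    if is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        for kind, value in entries:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP SAN %s matches target %s" % (value, target)
        # This is the situation behind the exception quoted in the question.
        return False, "No subject alternative names matching IP address %s found" % target
    for kind, value in entries:
        if kind == "DNS" and dns_name_match(value, target):
            return True, "DNS SAN %s matches target %s" % (value, target)
    return False, "No subject alternative DNS name matching %s found" % target


if __name__ == "__main__":
    # Configured collector host: matches the second DNS SAN.
    print(verify_endpoint("subdomain.domain.com", SAMPLE_SAN))
    # Same certificate, but the socket was opened to an IP literal (assumed sample address).
    print(verify_endpoint("10.0.0.5", SAMPLE_SAN))
```

The practical takeaway for troubleshooting is that whatever string the client hands to the TLS layer as the peer name is what gets compared; if a component resolves the configured DNS name to an address before the TLS session is opened, the checker sees only the address and reports it in the error. Adding IP SANs to domain controller certificates is not a requirement of AD or LDAPS; the cleaner fix is to make sure the DNS name reaches the verifier, and "Skip SSL Certificate validation" should stay off, since it also disables chain validation.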