
LDAP Collector reports "No subject alternative names matching IP address n.n.n.n found"

Question asked by Ronald Roberts on Apr 9, 2019
Latest reply on Apr 11, 2019 by Najeeb Peracha

I'm working on an upgrade of RSA IG&L to v7.1 SP1, and upgraded the JDK to 1.8.0_u191. The upgrade was successful, however...


Now Active Directory collectors fail with an error "Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x found" unless I check "Skip SSL Certificate validation".


I've found and read this KB article: 000036712 - LDAP Collector reports "No subject alternative names matching IP address n.n.n.n found" in RSA Identity Governance & Lifecycle, and verified that the certificate returned by the AD server contains the domain name used in the collector configuration.


For example,

Collector configuration: Host: subdomain.domain.com

Certificate presented contains:

Subject: C=US, O=OrgName, OU=Department, CN=dc-hostname.subdomain.domain.com

X509v3 Subject Alternative Name:
                DNS:dc-hostname.subdomain.domain.com, DNS:subdomain.domain.com, DNS:dc-hostname


Given those details, the collector should verify that the certificate matches the round-robin domain name included in the collector configuration. The cacerts truststore contains both the root and intermediate certificate authorities, which are also manually added to the OS certificate truststore in /var/lib/certificates. Using the "openssl verify certificate.pem" command does verify the server certificate as OK.


Are Microsoft Active Directory certificates (or LDAPS certificates) required to have the IP address listed as a Subject Alternative Names? I cannot find any documentation that says so. None of our other domain controllers have certificates with IP addresses.


Is the LDAP collector process not properly receiving and comparing the hostname/domain name to the received certificate from the collector configuration? Is it only receiving the IP address and cannot compare the hostname/domain name provided in the collector configuration?
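To show why the error above appears even though the certificate carries the right DNS names, here is an added Python emulation of the subject-alternative-name check a TLS client (Java's HostnameChecker included) performs during endpoint identification; it is example code, not part of the question or of the RSA product. It assumes the SAN list quoted in the question and a constructed IP address 10.0.0.5: an IP literal is compared only against iPAddress SANs, so a connection made by IP can never match a certificate that has DNS SANs only, whereas a connection made by the configured hostname matches.

```python
import ipaddress
from typing import List, Tuple

# Constructed SAN list mirroring the certificate quoted in the question (kind, value).
SANS: List[Tuple[str, str]] = [
    ("DNS", "dc-hostname.subdomain.domain.com"),
    ("DNS", "subdomain.domain.com"),
    ("DNS", "dc-hostname"),
]


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; a single leading '*' label matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_endpoint_identity(target: str, sans: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Emulate SAN-based hostname verification and return (ok, reason).

    'target' is the identity the client connected with. If it is an IP literal,
    only iPAddress SANs are consulted; dNSName SANs are never compared against an IP.
    (The legacy fallback to the certificate CN when no SAN is present is not modelled.)
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        return False, f"No subject alternative names matching IP address {target} found"
    for kind, value in sans:
        if kind == "DNS" and _dns_matches(value, target):
            return True, f"matched dNSName SAN {value}"
    return False, f"No subject alternative DNS name matching {target} found"


if __name__ == "__main__":
    # The hostname from the collector configuration passes; a constructed IP literal fails.
    for target in ("subdomain.domain.com", "DC-HOSTNAME.subdomain.domain.com", "10.0.0.5"):
        print(target, "->", check_endpoint_identity(target, SANS))
```

The failing case reproduces the exact message in the question, which is the signature of a client that resolved the configured name and then verified against the IP address; the durable fix is to have the client verify against the configured hostname (or issue the certificate with an iPAddress SAN), not to disable certificate validation.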
