igort Trusted Contributor.
(CSA) Support Tip: Use subjectAltName properly

If you intend to generate and use a certificate with a SAN (subjectAltName), make sure that every name the service is reached by (hostnames and/or IP addresses) is present in the SAN; see for example:

http://wiki.cacert.org/FAQ/subjectAltName:

CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.

If the above is not honored in the CSA certificate, the following can happen (CSA 4.6 was used for this test, but other versions should behave the same):

Let's assume CSA applicationContext-security.xml contains this (the bean is shown with only the properties relevant here):

 <beans:bean id="idmConfig" class="com.hp.ccue.identity.rp.IdentityServiceConfig">
                <beans:property name="protocol" value="https"/>
                <beans:property name="hostname" value="host.test.com"/>
                <beans:property name="port" value="8444"/>
 </beans:bean>

and the SAN of the CSA certificate is missing 'host.test.com', the FQDN of the machine where CSA is installed.

Users would not be able to log in to the UI, because CSA would not be able to connect to IDM, and the following would appear in csa.log (with DEBUG enabled):

[default task-28] DEBUG [] RPHttpConnectionImpl : Unable to connect to identity service.
java.io.IOException: HTTPS hostname wrong:  should be <host.test.com>
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:649) ~[?:?]

This is the failing hostname check: the server's certificate does not appear to be issued for host.test.com (the expected name is taken from the request URL, which in turn comes from the applicationContext-security.xml settings above).

A browser reports the same problem for the certificate: "The security certificate presented by this website was issued for a different website's address."
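The rule quoted above (SAN present: only SAN counts; CN is a legacy fallback used only when no SAN exists at all) is what the Java client enforces in checkURLSpoofing. The following is an added example, not CSA or Java code, that implements that rule over certificates shaped like Python's ssl getpeercert() output; the certificate contents (CN=host.test.com, SAN with csa.test.com and 10.0.0.5) are constructed to mirror the misconfiguration in the post.

```python
import ipaddress

# Constructed certificates shaped like ssl.SSLSocket.getpeercert() output.
# BROKEN_CERT mirrors the post: CN names the CSA host, but the SAN omits it.
BROKEN_CERT = {
    "subject": ((("commonName", "host.test.com"),),),
    "subjectAltName": (("DNS", "csa.test.com"), ("IP Address", "10.0.0.5")),
}
FIXED_CERT = {
    "subject": BROKEN_CERT["subject"],
    "subjectAltName": BROKEN_CERT["subjectAltName"] + (("DNS", "host.test.com"),),
}
LEGACY_CERT = {"subject": BROKEN_CERT["subject"]}  # no SAN extension at all

def _dns_match(pattern, hostname):
    """RFC 6125 dNSName comparison: case-insensitive, '*' allowed only as the
    whole leftmost label, and never for a bare second-level name like *.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """True if the certificate is valid for `hostname` under the rule the post
    quotes: once a SAN is present, the subject CN is ignored entirely."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)   # IP literals match iPAddress only
    except ValueError:
        ip = None
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_match(value, hostname):
                return True
        return False  # SAN present but nothing matched: the CN does not rescue it
    # No SAN extension at all: legacy fallback to the subject CN (names only)
    return any(key == "commonName" and ip is None and _dns_match(value, hostname)
               for rdn in cert.get("subject", ()) for key, value in rdn)

if __name__ == "__main__":
    for name, cert in ("broken", BROKEN_CERT), ("fixed", FIXED_CERT), ("legacy", LEGACY_CERT):
        print(f"{name:6s} host.test.com ->", hostname_matches(cert, "host.test.com"))
```

Running it shows the post's failure (broken: False) alongside the two configurations that pass: a SAN that actually lists host.test.com, or a certificate with no SAN at all where the CN fallback still applies.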
