(CSA) Support Tip: Use subjectAltName properly
If you intend to generate and use a certificate with SAN (subjectAltName), please make sure that all names the service is reached by (hostnames and/or IP addresses) are present in the SAN; see e.g. the following explanation:
CN is only evaluated if subjectAltName is not present, and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.
If the above is not honored in the CSA certificate, the following can happen (CSA 4.6 was used for this test, but the behaviour should be the same or similar in other versions):
Let's assume CSA applicationContext-security.xml contains this:
<beans:bean id="idmConfig" class="com.hp.ccue.identity.rp.IdentityServiceConfig">
    <beans:property name="protocol" value="https"/>
    <beans:property name="hostname" value="host.test.com"/>
    <beans:property name="port" value="8444"/>
</beans:bean>
and the SAN of the CSA certificate does not contain 'host.test.com', which is the FQDN of the machine where CSA is installed.
Users would not be able to log in to the UI because CSA would not be able to connect to IDM, and the following would appear in csa.log (with DEBUG enabled):
[default task-28] DEBUG  RPHttpConnectionImpl : Unable to connect to identity service.
java.io.IOException: HTTPS hostname wrong: should be <host.test.com>
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:649) ~[?:?]
That is the failing hostname check: the certificate presented by the server does not appear to be issued for host.test.com (the expected name is taken from the request URL and corresponds to the applicationContext-security.xml settings above).
The same is indicated in a browser, which reports the following issue for the certificate: The security certificate presented by this website was issued for a different website's address.
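As an added illustration (this is not code from the tip or from CSA itself), the following Go program builds two self-signed test certificates in memory and checks them the way a standards-compliant client does: one that has host.test.com only in the CN and a different name in the SAN, and one that lists every name in the SAN. The hostnames, the alias and the address 10.0.0.5 are constructed values. Go's VerifyHostname ignores the CN entirely, so the example shows the "SAN must carry all names" rule, not the legacy CN fallback mentioned in the quote.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed server certificate with the given
// subject CN and SAN entries. It exists only to construct test input; the
// validity period and key choice are not deployment advice.
func makeSelfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // SAN dNSName entries
		IPAddresses:  ips,      // SAN iPAddress entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrokenCert reproduces the mistake from the tip: the CN names the CSA host,
// but the SAN only carries an "additional" alias, so the FQDN is absent from SAN.
// (host.test.com and alias.test.com are constructed names.)
func BrokenCert() (*x509.Certificate, error) {
	return makeSelfSigned("host.test.com", []string{"alias.test.com"}, nil)
}

// FixedCert lists every name the service is reached by in the SAN, including
// the one that is also the CN and an IP address (10.0.0.5 is a constructed value).
func FixedCert() (*x509.Certificate, error) {
	return makeSelfSigned("host.test.com",
		[]string{"host.test.com", "alias.test.com"},
		[]net.IP{net.ParseIP("10.0.0.5")})
}

// HostnameMatches reports whether a client connecting to host would accept
// cert under RFC 6125 matching; Go's VerifyHostname never consults the CN.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// MissingFromSAN returns the hosts (DNS names or IPs) for which a client
// would reject cert; an empty result means the SAN covers every name given.
func MissingFromSAN(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if !HostnameMatches(cert, h) {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	hosts := []string{"host.test.com", "alias.test.com", "10.0.0.5"}
	for name, build := range map[string]func() (*x509.Certificate, error){
		"broken": BrokenCert, "fixed": FixedCert,
	} {
		cert, err := build()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s CN=%s SAN DNS=%v IP=%v missing=%v\n",
			name, cert.Subject.CommonName, cert.DNSNames, cert.IPAddresses,
			MissingFromSAN(cert, hosts))
	}
}
```

MissingFromSAN works on any *x509.Certificate, so the same check can be run on a certificate loaded from disk (x509.ParseCertificate on its DER bytes) against the list of hostnames and IPs configured in applicationContext-security.xml before the certificate is installed, which is where the failure in the tip would be caught.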