Enabling host name verification

When you use FQDN-based certificates, the host name verification step of the SSL protocol is bypassed because of restrictions in the application discovery service scope definition. When you use IP-based certificates, you can enable host name verification to fully secure the SSL connection.

About this task

The application discovery service scope definition is IP-address-based, not FQDN-based. Any FQDN value that is provided during scope creation is immediately resolved to an IP address. The FQDN is not passed to the sensor when the discovery runs, so the sensor must use the IP address when it connects to the DataPower appliance. When the DataPower appliance certificate is FQDN-based, an SSL protocol error is normally raised to indicate a possible mismatch between the provided IP address and the FQDN of the service that is read from the certificate. To avoid this problem, the host name verification step is disabled by default.

When you use IP-based certificates, you can enable the host name verification step to fully secure the SSL connection.

Procedure

  1. Choose the discovery profile that you use to discover your DataPower appliances.
  2. Select DataPowerSensor from the sensor list and click New.
  3. Change the value of the bypassHostnameVerification property to false, enable the configuration, and save it.
  4. Save the discovery profile.

Results

When you run a discovery by using the profile that you created, the DataPower sensor is strictly compliant with the SSL protocol. The IP address provided in the application discovery service scope must exactly match the IP address stated in the certificate of the DataPower appliance for the discovery to be successful.
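
A pre-flight check for the exact-match requirement above, as an added example that is not part of the product or the sensor's own code. It assumes certificate details in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and RFC 2818 matching of IP identities against iPAddress subjectAltName entries; the function names and sample certificates are constructed for illustration.

```python
import ipaddress

# Constructed samples in the dict shape of ssl.SSLSocket.getpeercert();
# host names and addresses are made up (documentation ranges).
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "dp1.example.com"),),),
    "subjectAltName": (("DNS", "dp1.example.com"),),
}
CERT_WITH_IPS = {
    "subject": ((("commonName", "dp1.example.com"),),),
    "subjectAltName": (
        ("DNS", "dp1.example.com"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),  # uncompressed IPv6 form
    ),
}

def san_ip_addresses(cert):
    """Collect iPAddress subjectAltName entries as normalised address objects."""
    found = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            found.add(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass  # a malformed entry can never match a scope address
    return found

def preflight(scope_ips, cert):
    """Map each scope IP to match / ip-mismatch / no-ip-san / invalid-scope-ip."""
    # Only "match" means a discovery with bypassHostnameVerification=false
    # can pass verification for that address (assumption: RFC 2818 IP matching).
    cert_ips = san_ip_addresses(cert)
    verdicts = {}
    for raw in scope_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            verdicts[raw] = "invalid-scope-ip"  # an FQDN, not an address
            continue
        if not cert_ips:
            verdicts[raw] = "no-ip-san"  # FQDN-based certificate
        elif addr in cert_ips:
            verdicts[raw] = "match"
        else:
            verdicts[raw] = "ip-mismatch"
    return verdicts
```

Comparing parsed address objects rather than strings keeps differently written forms of the same IPv6 address from being reported as a mismatch.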