The ssl-valid-server-dn stanza entry in the [dsess-cluster] stanza
of the WebSEAL configuration file must be set to the DN of the server
certificate that the distributed session cache presents to WebSEAL when
the two communicate over SSL. WebSEAL accepts the connection only if the
certificate is valid and its DN matches this configured value.
About this task
You can obtain the DN value directly from the distributed session
cache administrator.
Alternatively, you can determine the value indirectly by performing
the following procedure:
Procedure
- Enable the distributed session cache for WebSEAL:
  [session]
  dsess-enabled = yes
- Ensure that the distributed session cache is configured
for SSL. The URL to the distributed session cache must use the HTTPS
protocol, otherwise no server certificate is presented:
  [dsess-cluster]
  server = https://server/DSess/services/DSess
- Follow the procedures for configuring the ssl-keyfile, ssl-keyfile-stash,
and ssl-keyfile-label stanza entries in the [dsess-cluster] stanza
of the WebSEAL configuration file. See Configuring the WebSEAL key database.
- Enter a placeholder value for the ssl-valid-server-dn stanza
entry that cannot match any real DN. For example:
  [dsess-cluster]
  ssl-valid-server-dn = test
- Restart the WebSEAL server.
- Because the placeholder does not match, WebSEAL rejects the SSL
connection to the distributed session cache and logs the following error message:
The DN contained within the server certificate, <DN>, is not a configured DN.
The DN listed in the message is the DN of the certificate that was
presented by the distributed session cache.
- Do not copy the DN from the error message into the configuration
unverified. The message shows only which certificate was presented; it
does not prove that the certificate belongs to the distributed session
cache, because any certificate that chains to a CA in the WebSEAL key
database would be reported the same way. To verify that WebSEAL is
communicating with the right SSL server, confirm the DN from the error
message with the distributed session cache administrator.
Once you are sure that the DN is the DN of the distributed session cache
server certificate, replace the placeholder with that DN as the value of
the ssl-valid-server-dn stanza entry and restart WebSEAL.
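The following is an added example of the two stanzas as they look after the procedure is complete. It is not taken from the original page or from a WebSEAL installation. The host names, key database paths, certificate label and DN are assumed values chosen for illustration; use the values from your own environment.

```ini
# Added example, not from the original page. All host names, paths, the label
# and the DN below are assumed values.
[session]
# Turn on the distributed session cache for this WebSEAL instance
dsess-enabled = yes

[dsess-cluster]
# HTTPS is required; over plain HTTP the distributed session cache
# presents no server certificate and the DN check never runs
server = https://dsc.example.com/DSess/services/DSess

# Key database, stash file and certificate label as configured under
# "Configuring the WebSEAL key database" (assumed paths and label)
ssl-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
ssl-keyfile-stash = /var/pdweb/www-default/certs/pdsrv.sth
ssl-keyfile-label = WebSEAL-Test-Only

# Placeholder used during the procedure. With this value WebSEAL refuses the
# connection and logs the DN of the certificate the cache actually presented.
#ssl-valid-server-dn = test

# Final value: the DN from the error message, confirmed with the
# distributed session cache administrator before it was configured here
ssl-valid-server-dn = CN=dsc.example.com,O=Example Corp,C=US
```

An independent way to cross-check the DN, outside WebSEAL, is to retrieve the certificate directly from the distributed session cache host with openssl s_client (openssl s_client -connect dsc.example.com:443 -servername dsc.example.com </dev/null | openssl x509 -noout -subject) and compare the subject with the DN in the WebSEAL error message; this is an added suggestion and not part of the documented procedure, and it still does not replace confirmation with the administrator, since an attacker on the network path could answer that request as well.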