IBM Support

AMAPDUPL using HTTPS to connect to www.ecurep.ibm.com with an AT-TLS policy to secure the connection, fails with "checkServerCert: Certificate not valid for DNS name"

Troubleshooting


Problem

When AMAPDUPL is used with an AT-TLS policy to connect to the www.ecurep.ibm.com HTTPS server, the server may present the following certificate during the handshake:
Issued by
  DigiCert TLS RSA SHA256 2020 CA1
Issued to (subject)
  prod.esupport.ibm.com

Then, once the connection is made and the client tries to validate the server identity using the certificate presented by the server, the check fails with the following error in the AMAPDUPL output:
     An error occurred: checkServerCert: Certificate not valid for DNS name

Cause

The www.ecurep.ibm.com server has one IP address, 192.148.6.11, which is shared by 2 hostnames: www.ecurep.ibm.com and prod.esupport.ibm.com.
A client that connects with the intent to reach www.ecurep.ibm.com therefore has to let the server know that through SNI (Server Name Indication).
- When AMAPDUPL uses HTTPS without an AT-TLS policy to secure the connection, SNI is always enabled, so there is no issue: the server presents the right certificate, "*.ecurep.ibm.com".
- When AMAPDUPL is used along with an AT-TLS policy to secure the connection, SNI is OFF by default; the server then presents the non-SNI certificate (prod.esupport.ibm.com), and validation of the server identity fails.

Resolving The Problem

Enable SNI when connecting to www.ecurep.ibm.com by modifying the AT-TLS rule with the following addition to the TTLSConnectionAdvancedParms section:
ClientHandshakeSNI Optional
ClientHandshakeSNIMatch Optional
ClientHandshakeSNIlist www.ecurep.ibm.com
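
The failure and the fix described above can be reproduced offline with a small model of the two sides: the server choosing a certificate from the SNI value, and the client checking the certificate's DNS names against the hostname it asked for. This is an added example, not IBM or AMAPDUPL code; the function names are hypothetical, and each certificate is assumed to carry only the DNS name quoted on this page.

```python
# Added example: offline model of SNI certificate selection and the DNS-name check.
# Constructed data: each certificate is assumed to carry only the name quoted on this page.
DEFAULT_CERT = {"subject": "prod.esupport.ibm.com",
                "dns_names": ["prod.esupport.ibm.com"]}
SNI_CERTS = {"www.ecurep.ibm.com": {"subject": "*.ecurep.ibm.com",
                                    "dns_names": ["*.ecurep.ibm.com"]}}


def select_certificate(sni_name):
    """Server side: choose by SNI; with no SNI, fall back to the default certificate."""
    if sni_name is None:
        return DEFAULT_CERT
    return SNI_CERTS.get(sni_name.lower().rstrip("."), DEFAULT_CERT)


def dns_name_matches(pattern, hostname):
    """Client side: exact label match; '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as "w*.example" are compared literally


def check_server_cert(cert, hostname):
    """True when any DNS name in the certificate covers the requested hostname."""
    return any(dns_name_matches(name, hostname) for name in cert["dns_names"])


def connect(hostname, send_sni):
    """Return (subject of the certificate presented, result of the identity check)."""
    cert = select_certificate(hostname if send_sni else None)
    return cert["subject"], check_server_cert(cert, hostname)


if __name__ == "__main__":
    for send_sni in (False, True):
        subject, ok = connect("www.ecurep.ibm.com", send_sni)
        verdict = "valid" if ok else "not valid for DNS name"
        print(f"SNI {'on ' if send_sni else 'off'} -> {subject}: {verdict}")
```

With SNI off the model returns the prod.esupport.ibm.com certificate and the name check fails; with SNI on it returns the wildcard certificate and the check passes.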

Document Location

Worldwide


Document Information

Modified date:
05 March 2025

UID

ibm17184870