IBM Support

Guardium Data Encryption Registration Error: "server name sent by agent does not match the name of the security server"



Unable to register host agent during registration process with the error message: "server name sent by agent does not match the name of the security server". This issue arises as a mismatch between the name provided in the Certificate Signing Request ("CSR") and the name presented by the Certificate Authority ("CA").


Installation of the agent fails.

Registration of the agent fails during certificate signing as follows:

Welcome to the Vormetric Encryption Expert File System Agent
Registration Program.
Generating certificate signing request for the kernel component...done.

Signing certificate...unsuccessful.

The server returned an error:

--> 400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, ""

The server returned an error - 400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, ""

Certificate signing was unsuccessful.

Agent registration was unsuccessful.


The Guardium Data Encryption Expert ("GDEE", "GDE", "DEE") Data Security Manager ("DSM") generates a self-signed security Certificate Authority ("CA") which it uses to sign all other certificates used within the system. During registration, the agent generates several certificates and submits a Certificate Signing Request ("CSR") to the DSM CA for each one. In order for the certificate signing requestor to trust the CA, the name specified in the CSR and the name presented by the CA must match. In the case of this particular error, the names do not match.

Diagnosing The Problem

If a new agent installation has failed, view the latest install logs in /var/log/vormetric/install.fs.log.<date stamp>. The last few lines of the install log will match the message shown in the above section, "Symptoms".

The end user controls the name presented in the CSR and can thus validate the information in the CSR.

The information presented by the Certificate Authority cannot be directly viewed however, a certificate for the Management Console interface is signed by the CA. To view the DSM certificate, run the following command from a linux/Unix environment or a CYGWIN terminal in Windows. Note that in the example command and output below, the server name "" should be replaced with the name of the hostname of the DSM.

$ echo | openssl s_client -connect gde-dsm:8445 2>/dev/null | openssl x509 -noout -text
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=CG CA (S) on, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
Not Before: Nov 6 03:25:06 2014 GMT
Not After : Nov 6 03:25:06 2024 GMT
Subject:, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
... output truncated ...
If the name of the DSM provided during registration does not match the name presented in this certificate, the CSR will be rejected.

Resolving The Problem

There are two different ways to resolve this problem, depending upon the situation.

If the name presented by the CA is not the correct name (a short name or an alias, for example), regenerate the Certificate Authority as shown below.

Regenerating the Certificate Authority will invalidate ALL existing certificates and this step cannot be undone. All existing hosts and High Availability ("HA") failover servers will cease communication with the security server and must be re-registered.
1. Connect to the DSM Command-Line Interface ("DSM-CLI", "CLI") as the "cliadmin" user.
$ ssh -l cliadmin

0000: vormetric$

2. Switch to the "system" command menu and run "security genca" and follow the prompts. All of the data shown in the "Issuer" line of the certificate come from this script. To accept the default value (shown in brackets), leave the field blank.

If the default hostname is not the desired hostname, this indicates an underlying problem with name resolution and will cause different problems with the security server software. Complete the program, fix the network name issues and re-run this command.

0000: vormetric$ system

0001: system$ security genca

WARNING: All Agents and Peer node certificates will need to be re-signed after CA and server certificate regenerated, and the security server software will be restarted automatically!
Continue? (yes|no)[no]:yes
This computer may have multiple IP addresses. All the agents will have to connect to Security Server using same IP.
Enter the host name of this computer. This will be used by Agents to talk to this Security Server.
This Security Server host name[]:
Please enter the following information for key and certificate generation.
What is the name of your organizational unit? []:dm-support
What is the name of your organization? []:IBM
What is the name of your City or Locality? []:san jose
What is the name of your State or Province? []:ca
What is your two-letter country code? [US]:
Regenerating the CA and server certificates now...

SUCCESS: The CA and security certificates are re-generated and the Security Server software is restarted.

Regenerating CA will make certificates at failover servers and agents invalid. You may need to:
- Re-sign certificates at each failover server
- Cleanup and re-register each agent
3. Re-register all existing agents.
  • On the DSM, navigate to the host by logging in to the Management Console and navigating to the "hosts" page, and then by clicking on the hostname.
    1. Clear the existing registration by unchecking the "Registration Allowed" checkbox.
    2. Dismiss the Javascript pop-up and click on "Apply".
    3. Check the "Registration Allowed" checkbox and click on "Apply".
    4. Check the "Communication Enabled" checkbox if appropriate to your security posture.
  • On each host, run the registration cleanup command followed by the registration command as root:
  • # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host clean

    ... output truncated ...

    # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host

    ... output truncated ...

4. Re-configure High Availability failover servers. A full description of failover configuration is outside of the scope of this document.

If the name presented by the CA is the correct name, retry the agent registration with the following command on linux/Unix:

# /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host
On Windows, host registration is performed by right-clicking on the Vormetric icon in the system tray and selecting "Register Host" from the pop-up menu.

[{"Product":{"code":"SSSPPK","label":"IBM Guardium Data Encryption"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018