Troubleshooting
Problem
When attempting to connect to ISIM over SSL with ITDI for an HR feed, the certificate is rejected with the error:
HTTPS hostname wrong: should be
Symptom
SSL connection fails with:
HTTPS hostname wrong: should be <xxxxx.xxxxx.xxx>
Cause
This error message comes from the core Java code that implements Secure Sockets Layer. It indicates that the certificate presented by the server process does not match the URL used by the client process, so the certificate is treated as not valid.
This can occur for two reasons:
1. A hostname is used, the certificate has no Subject Alternative Name DNS entry, and the CN on the "Issued To:" line does not match the hostname used by the client.
2. An IP address is used, and the certificate has no Subject Alternative Name IP address entry.
RFC 2818 provides more details about the Subject Alternative Name field, while RFC 6125 describes some of the problems with issuing certificates to IP addresses rather than DNS names. See the related links below.
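The two cases above, as an added example (not IBM's or Java's own code): the matching rules written out in Python and applied to constructed certificates in the dict layout returned by Python's ssl.SSLSocket.getpeercert(). The hostnames and addresses are made-up samples, and wildcard names are not handled.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def check_target(cert, target):
    """Return (ok, reason) for connecting to `target` with `cert`.

    `cert` uses the dict layout of Python's ssl.SSLSocket.getpeercert().
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v.lower() for k, v in san if k == "DNS"]
    ip_entries = [_as_ip(v) for k, v in san if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]

    ip = _as_ip(target)
    if ip is not None:
        # Reason 2: an IP target is matched only against SAN IP entries.
        if ip in ip_entries:
            return True, "matched SAN IP address entry"
        return False, "no SAN IP address entry for %s" % target

    host = target.lower().rstrip(".")
    if dns_names:
        # SAN DNS entries exist, so the CN is not consulted (RFC 2818).
        if host in dns_names:
            return True, "matched SAN DNS entry"
        return False, "SAN DNS entries %s do not include %s" % (dns_names, host)
    # Reason 1: no SAN DNS entry, so the CN must match.
    if host in cns:
        return True, "matched subject CN"
    return False, "no SAN DNS entry and CN %s does not match %s" % (cns, host)

# Constructed sample certificates (not from a real server).
CN_ONLY = {"subject": ((("commonName", "isim01.example.com"),),)}
WITH_SAN = {"subject": ((("commonName", "isim01.example.com"),),),
            "subjectAltName": (("DNS", "isim01.example.com"),
                               ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for cert in (CN_ONLY, WITH_SAN):
        for target in ("isim01.example.com", "isim01", "192.0.2.10"):
            print(target, check_target(cert, target))
```

Connecting by short name or by IP address fails against the CN-only certificate, which is the situation that produces the error in this technote.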
Resolving The Problem
When generating a certificate, be sure to fill in the correct values for Subject Alternative Name for IP address or DNS name. These fields are at the bottom of the certificate creation window of ikeyman shipped with WebSphere 7.0.
Product Synonym
enRole itim tim isim Identity Manager sim
Document Information
Modified date:
16 June 2018
UID
swg21659536