IBM Support

HTTPS hostname wrong during HR Feed with SSL

Troubleshooting


Problem

When attempting to connect to ISIM over SSL with ITDI for an HR feed, the certificate is rejected with the error "HTTPS hostname wrong: should be <xxxxx.xxxxx.xxx>". This occurs even when the URL uses the value specified in the error message.

Symptom

SSL connection fails with:

HTTPS hostname wrong: should be <xxxxx.xxxxx.xxx>

Cause

This error message is coming from the core Java code that implements Secure Sockets Layer. It indicates that the certificate presented by the server process does not match the URL used by the client process, and thus the certificate is not valid.

This can occur for two reasons:
1. A hostname is used, there is no Subject Alternative Name DNS entry in the certificate, and the CN of the "Issued To:" line doesn't match the hostname used by the client.
2. An IP address is used, and there is no Subject Alternative Name IP address entry in the certificate.

RFC 2818 provides more details about the Subject Alternative Name field, while RFC 6125 describes some of the problems with issuing certificates to IP addresses rather than DNS names. See the related links below.
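
The two cases above, written as a diagnostic check over a certificate's CN and Subject Alternative Name entries. This is an added example, not IBM's or Java's code: it follows the RFC 2818 rules as summarized here, takes a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and its function names and sample certificates are constructed for illustration.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard covers exactly one label: *.example.com matches a.example.com
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_host(cert, host):
    """Return (ok, reason) for the host taken from the client's URL."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if _is_ip(host):
        # Case 2: an IP address is never compared against the CN
        want = ipaddress.ip_address(host)
        if any(_is_ip(v) and ipaddress.ip_address(v) == want for v in ips):
            return True, "matched SAN IP address entry"
        return False, "IP address used but no matching SAN IP address entry"
    if dns:
        # SAN DNS entries, when present, take precedence over the CN
        if any(_dns_match(d, host) for d in dns):
            return True, "matched SAN DNS entry"
        return False, "SAN DNS entries present but none match the hostname"
    # Case 1: no SAN DNS entry, so the CN is the only identity left
    if any(_dns_match(c, host) for c in cns):
        return True, "no SAN DNS entry; matched subject CN"
    return False, "no SAN DNS entry and CN does not match the hostname"

# Constructed sample certificates (hypothetical host and address, not from the page)
CN_ONLY = {"subject": ((("commonName", "isim.example.com"),),)}
WITH_SAN = {"subject": ((("commonName", "isim.example.com"),),),
            "subjectAltName": (("DNS", "isim.example.com"), ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY, "isim.example.com"), (CN_ONLY, "isim"),
                       (CN_ONLY, "192.0.2.10"), (WITH_SAN, "192.0.2.10")]:
        print(host, check_host(cert, host))
```
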

Resolving The Problem

When generating a certificate, be sure to fill in the correct values for Subject Alternative Name for IP address or DNS name. These fields are at the bottom of the certificate creation window of ikeyman shipped with WebSphere 7.0.


Related Information

Document Information

Modified date:
16 June 2018

UID

swg21659536