[PAM][TAP] TA 2.2.x - X.509 Certificate Subject CN does not match the Entity Name (certificate-common-name-mismatch)

Article ID: 209640

Products

CA Threat Analytics for PAM

Issue/Introduction

A vulnerability scan of Threat Analytics 2.2.3 reports that the server certificate has "CN=$HOSTNAME":

Port: 443/tcp, 3000/tcp, 8443/tcp | CN: $HOSTNAME

X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

Environment

Threat Analytics for PAM

Cause

By default, TAP (Threat Analytics for PAM) ships with a default (self-signed) certificate whose subject has "CN=$HOSTNAME":

CN = $HOSTNAME
OU = Engineering
O = CA Technologies
L = New York
S = New York
C = US

The certificate is required so that TAP can ship with HTTPS enabled.

Resolution

After deploying TAP, you need to install a proper certificate. Use the "Create a Java Key Store File" section of the following documentation page to create a JKS file:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-5/introduction-to-the-threat-analytics-console/integrate-with-ca-threat-analytics/deploy-ca-threat-analytics-server.html

Follow the documented steps to create the JKS file and upload it to the TAP server.

Then restart both "Threat Analytics Engine" and "Threat Analytics Admin App". (A reboot may be required.)

Run the VA scan against ports 443, 3000 and 8443 again.
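
To confirm the fix on each port before rerunning the scan, the check below (an added example, not part of the original article or the product documentation) uses the `openssl` CLI to fetch the certificate served on 443, 3000 and 8443 and test it against the host name. The function names and the host `tap.example.test` are assumptions for illustration; `make_cert` only builds a constructed sample certificate for offline testing.

```shell
#!/bin/sh
# Added example: confirm the certificate on each TAP port matches the host name.
# Assumes the openssl CLI; tap.example.test is a placeholder, not a real host.

# make_cert CN OUT_FILE: constructed self-signed sample using the default
# subject fields shown in this article (offline test input only).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$2.key" \
        -subj "/C=US/ST=New York/L=New York/O=CA Technologies/OU=Engineering/CN=$1" \
        -out "$2" 2>/dev/null
    rc=$?; rm -f "$2.key"; return $rc
}

# cert_matches_host PEM_FILE HOST: succeeds only if the certificate's SAN
# (or, when no SAN is present, its subject CN) is valid for HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# fetch_cert HOST PORT OUT_FILE: save the leaf certificate served on HOST:PORT.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3" 2>/dev/null
}

# check_tap_ports HOST: one result line per port; non-zero if any port fails.
check_tap_ports() {
    host=$1; fail=0
    tmp=$(mktemp) || return 2
    for port in 443 3000 8443; do
        if ! fetch_cert "$host" "$port" "$tmp"; then
            echo "$host:$port  NO CERT"; fail=1
        elif cert_matches_host "$tmp" "$host"; then
            echo "$host:$port  OK        $(openssl x509 -in "$tmp" -noout -subject)"
        else
            echo "$host:$port  MISMATCH  $(openssl x509 -in "$tmp" -noout -subject)"
            fail=1
        fi
    done
    rm -f "$tmp"
    return $fail
}

# Run against the live server after uploading the new JKS:
#   check_tap_ports tap.example.test
```

A certificate that still carries the literal `CN=$HOSTNAME` is reported as MISMATCH on every port, which is the same condition the scanner flags.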