ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Certificate for <Server2.Domain1.com> doesn't match any of the subject alternative names: [Server1.Domain1.com]

book

Article ID: 227720

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

User performs a GET to the FQDN "Server1.Domain1.com:443".  The Forwarding Rule on the Access gateway host re-directs "Server2.Domain1.com:443".  A Header Dump on the back-end Server shows the HOST Header is being set to [HOST=Server2.Domain1.com].

Because the web browser is using "Server1.Domain1.com" and the back-end has a Host Header of "Server2.Domain1.com" there is an SSL mismatch and SSL if failing.

ERROR:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <Server2.Domain1.com> doesn't match any of the subject alternative names: [Server1.Domain1.com]

Cause

This is occurring as designed. 

Environment

Release : ANY

Component : Access Gateway Server

Resolution

You can preserve the HTTP HOST header file and send it to the backend server by using the "enableproxypreservehost" parameter.  When you enable "enableproxypreservehost", the parameter takes precedence over a
filter that is configured to control the HTTP HOST header.

To use the "enableproxypreservehost" parameter, perform the following steps:

1) Logon to the Access Gateway host

2) browse to the 'server.conf' file

WINDOWS: C:\Program Files\CA\secure-proxy\proxy-engine\conf\web.xml

LINUX: <Install_Dir>/CA/secure-proxy/proxy-engine/conf/web.xml

3) Locate the relevant Virtual Server

4) Add the following entries:

enableproxypreservehost="yes"
filteroverridepreservehost="no"

EXAMPLE:

---------------------
<VirtualHostDefaults>
# default session scheme
defaultsessionscheme="default"
enablerewritecookiepath="no"
enablerewritecookiedomain="no"
enableproxypreservehost="yes"
filteroverridepreservehost="no"
# specify the block size for request and response in KBs
requestblocksize="4"
responseblocksize="4"
#TO-DO: Define any session scheme mappings
#<SessionSchemeMappings>
# user_agent_name=session_scheme_name
#</SessionSchemeMappings>
# Web Agent.conf
<WebAgent>
sminitfile="C:\Program Files\netegrity\secure-proxy\proxy-engine\
conf\defaultagent\WebAgent.conf"
</WebAgent>
</VirtualHostDefaults>
---------------------

5) Restart the Access Gateway Server

Additional Information

https://ftpdocs.broadcom.com/cadocs/0/CA%20SiteMinder%20Secure%20Proxy%20Server%2012%2052-ENU/Bookshelf_Files/PDF/sps_admin_enu.pdf