SSL errors about host name match in NetOps Portal web server logs

Article ID: 236297

Updated On:

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

Upgraded DX NetOps Performance Management to 21.2.6.

We now see these errors in the logs.

In the DMService.log we see this for host names:

ERROR | qtp533890770-64713       | 2022-03-03 07:35:29,326 | com.ca.im.portal.common.web.util.GlobalAdminAuthReqList          
      | Exception getting auth requirements for <IP> from https://<PC_Portal_FQHN>:8382/sso/webservices/sar/sar/<IP>.
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <PC_Portal_FQHN> found.
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching <PC_Portal_FQHN> found.

The same error might be seen for an IP address:

ERROR | qtp1480661582-179392     | 2023-02-01 00:00:04,127 | com.ca.im.portal.common.web.util.GlobalAdminAuthReqList          
      | Exception getting auth requirements for 127.0.0.1 from https://<Portal_IP>:8382/sso/webservices/sar/sar/127.0.0.1
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address <Portal_IP> found

In the EMService.log:

ERROR | qtp2062432236-45         | 2022-03-03 07:39:29,848 | com.ca.im.portal.common.web.util.GlobalAdminAuthReqList          
      | Exception getting auth requirements for <IP> from https://<PC_Portal_FQHN>:8382/sso/webservices/sar/sar/<IP>
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <PC_Portal_FQHN> found.
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching <PC_Portal_FQHN> found.

Default log locations are:

  • /opt/CA/PerformanceCenter/DM/logs
  • /opt/CA/PerformanceCenter/EM/logs

Environment

All supported DX NetOps Performance Management releases

Cause

The SSL certificate has a SAN (Subject Alternative Name) that doesn't match the NetOps Portal web server's Fully Qualified Host Name (FQHN) called out in the log error messages.

Resolution

  1. What is happening?
    • The SSL certificate in use for the Portal web server uses a different SAN name for the server than its FQHN.
    • The services try to use the FQHN, which isn't found as a match for the SAN in the SSL certificate, and that generates the error.
  2. How can it be resolved?
    1. Import a new SSL certificate that uses the FQHN as the SAN or one of its alternatives.
    2. Configure the Web Service Host value under Performance Center via SsoConfig using Remote Value to match the SSL SAN configured. To fix it using this method, take the following steps:
      1. Open a CLI to the Portal web server host.
      2. Run the command (default path shown):
        • /opt/CA/PerformanceCenter/SsoConfig
      3. Enter 1 for DX NetOps.
      4. Enter 3 for Performance Center.
      5. Choose 1 for Remote Value.
      6. Choose property 2 for Web Service Host.
      7. Enter u to set update mode.
      8. Enter the new value: <enter name matching SSL Certificate SAN options>
      9. Enter q to quit back to the CLI.
    3. The new value takes a short time (10-15 minutes maximum) to propagate around the system, after which the logs should no longer return those errors.
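
To see which names the certificate has to cover before choosing between the two fixes, the following added example (not Broadcom's code) pulls the unmatched names out of DMService.log / EMService.log lines and checks them against the SAN text printed by `openssl x509 -noout -ext subjectAltName`. The host names, addresses and SAN list are constructed samples, and the wildcard rule is a simplified RFC 6125-style assumption.

```python
import ipaddress
import re

# The two handshake messages shown in DMService.log / EMService.log.
MISMATCH = re.compile(
    r"No subject alternative (?:DNS name matching (?P<dns>\S+)"
    r"|names matching IP address (?P<ip>\S+)) found")

def needed_sans(log_lines):
    """Collect the (type, value) identities the services tried to verify."""
    needed = set()
    for line in log_lines:
        m = MISMATCH.search(line)
        if m:
            needed.add(("DNS", m["dns"].lower()) if m["dns"] else ("IP", m["ip"]))
    return needed

def parse_sans(openssl_text):
    """Parse 'DNS:a, IP Address:b' as printed by openssl x509 -ext subjectAltName."""
    sans = set()
    for item in openssl_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            sans.add(("DNS", value.lower()))
        elif kind == "IP Address":
            sans.add(("IP", str(ipaddress.ip_address(value))))
    return sans

def covered(identity, sans):
    """An IP only matches an IP entry; a DNS name matches exactly or through
    a wildcard in the left-most label (simplified assumption)."""
    kind, value = identity
    if kind == "IP":
        return ("IP", str(ipaddress.ip_address(value))) in sans
    _, _, rest = value.partition(".")
    return ("DNS", value) in sans or (bool(rest) and ("DNS", "*." + rest) in sans)

def report(log_lines, openssl_text):
    """Map each identity seen in the log errors to whether the SAN list covers it."""
    sans = parse_sans(openssl_text)
    return {ident: covered(ident, sans) for ident in needed_sans(log_lines)}

# Constructed sample input (hypothetical host names and addresses).
SAMPLE_LOG = [
    "javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching portal01.example.com found.",
    "Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching portal01.example.com found.",
    "javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.0.2.10 found",
]
SAMPLE_SANS = "DNS:netops.example.com, IP Address:192.0.2.20"

if __name__ == "__main__":
    for ident, ok in sorted(report(SAMPLE_LOG, SAMPLE_SANS).items()):
        print(ident, "covered" if ok else "MISSING from SAN")
```

A name reported as missing either goes into the SAN of the replacement certificate, or the Web Service Host value is changed to a name for which `covered` returns true.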