z/OSMF browser error NET::ERR_CERT_COMMON_NAME_INVALID

Article ID: 259597

Products

ACF2 - z/OS

Issue/Introduction

When z/OSMF is accessed through a browser, the browser reports the message NET::ERR_CERT_COMMON_NAME_INVALID.

Environment

Release : 16.0

Resolution

The PERSONAL server certificate for the IZUSVR server must specify, in both its SUBJSDN and its ALTNAME, the z/OS host name that the IZUSVR server is running on. This host name is the one that appears in the URL entered in the browser when connecting to z/OSMF.

To determine the host name, browse the IZUSVR server started task and do a FIND for IZUG349I to locate the URL, which contains the host name. For example:

IZUG349I: The z/OSMF AUTOSTART Server home page can be accessed at   
        : https://your.hostname.net/zosmf                 
        : after the z/OSMF server is started on your system.    

Here is a sample GENCERT with the host name specified in the SUBJSDN and the ALTNAME of the certificate.

ACF
GENCERT IZUSVR.CERT01 SIGNWITH(CERTAUTH LABEL(zOSMFCA)) SUBJSDN(CN=DOMAIN=your.hostname.net,OU='IZUDFLT') LABEL(DefaultzOSMFCert.IZUDFLT) ALTNAME(DOMAIN=your.hostname.net)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS

The IZUSVR1 task must be restarted so that it reads in the changes to the keyring.
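
To check the result, the following added example (not part of the original article, nor Broadcom or IBM code) takes the host name from the IZUG349I message and compares it with a certificate's CN and ALTNAME entries, assuming the browser matches on the subject alternative name DNS entries only. The job log text and both certificate dictionaries are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(); fetch_cert, its cafile argument (the zOSMFCA certificate exported as PEM) and the default port 443 are assumptions.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample of the IZUG349I lines from the server job log.
JOBLOG = """IZUG349I: The z/OSMF AUTOSTART Server home page can be accessed at
        : https://your.hostname.net/zosmf
        : after the z/OSMF server is started on your system."""

# Constructed certificates: CN only, then CN plus ALTNAME(DOMAIN=...).
BEFORE = {"subject": ((("commonName", "your.hostname.net"),),
                      (("organizationalUnitName", "IZUDFLT"),))}
AFTER = dict(BEFORE, subjectAltName=(("DNS", "your.hostname.net"),))

def host_from_joblog(joblog):
    """Return the host name of the URL that follows IZUG349I, or None."""
    m = re.search(r"IZUG349I.*?(https://\S+)", joblog, re.S)
    return urlsplit(m.group(1)).hostname if m else None

def dns_name_matches(pattern, host):
    """Compare one SAN DNS entry with the host; '*' stands for the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def diagnose(cert, host):
    """Return 'ok', 'cn-only' (CN matches but no SAN does) or 'mismatch'."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_name_matches(s, host) for s in sans):
        return "ok"
    return "cn-only" if host.lower() in (c.lower() for c in cns) else "mismatch"

def fetch_cert(host, cafile, port=443):
    """Hypothetical live check: verify the chain against cafile, return the cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name comparison is left to diagnose()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = host_from_joblog(JOBLOG)
    for name, cert in (("before", BEFORE), ("after", AFTER)):
        print(name, host, diagnose(cert, host))
```

A result of cn-only means the CN carries the host name but the ALTNAME does not, which is the case the GENCERT above corrects.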

Additional Information

IBM, "Configuring the z/OSMF server certificate and key ring", RACF GENCERT:

//* Create the server certificate for the z/OSMF server       */
//* Change HOST NAME in CN field to the real host name.        */
//* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'     */      
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('HOST NAME') O('IBM') OU('IZUDFLT')) + 
   ALTNAME(DOMAIN('HOST NAME')) +
 WITHLABEL('DefaultzOSMFCert.IZUDFLT') SIGNWITH(CERTAUTH LABEL('zOSMFCA')) +
 NOTAFTER(DATE(2021/06/02)) 

IBM

Matching the common name (CN) and subject alternative name (SAN)
 
You can enhance server-side certificate verification through common name (CN) and subject alternative name (SAN) matching.