Cannot login into MATGUI server with SSLEnabled connector

Article ID: 277656

Updated On:

Products

Mainframe Application Tuner

Issue/Introduction

The server.xml file of the MATGUI server started task was updated to work with the SSLEnabled connector:

<Connector SSLEnabled="true"
    acceptCount="100" algorithm="IbmX509" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false"
    keystoreFile="safkeyring://CERTIF01/KEY01" keystoreType="JCERACFKS"
    maxHttpHeaderSize="8192" maxSwallowSize="104857600" maxThreads="150"
    minSpareThreads="25" port="51916" scheme="https"
    secure="true" sslEnabledProtocols="+TLSv1.2" redirectPort="nnnn"
    sslImplementationName="com.ca.sslsocket.CASSLImplementation"
    sslProtocol="TLS"/>


After the MATGUI server started task was started, port 51916 could be opened, but when a user tried to log on with a RACF UserID (for example, USER01), the following error message was displayed in the Web browser:
 
Possible invalid UserID or Password
  
Additionally, the MATGUI server started task log contains the following warning exception messages:

WARNING: Exception java.security.cert.CertificateException: No subject alternative DNS name matching MVS1 found. detected while executing cmnd=check&epassw=-7bb79394434c161c&user=USER01
 
WARNING: Exception java.security.cert.CertificateException: No subject alternative DNS name matching MVS1 found. detected while processing server response for cmnd=check&epassw=-7bb79394434c161c&user=USER01
   

Cause

The "No subject alternative DNS name matching" error typically occurs during the SSL/TLS handshake when the hostname (DNS name) in the server's SSL certificate does not match the hostname the client is trying to connect to. This can happen if the Common Name (CN) or Subject Alternative Name (SAN) field in the certificate does not include the expected hostname.
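
The check described above, as an added example (not code from this article, the MATGUI server, or the JVM). It follows the generic RFC 2818 / RFC 6125 rule that SAN DNS names, when present, are the only identity compared. The certificate names (mvs1.example.com, CN=MVS1) and the function names are constructed assumptions.

```python
# Added example: server-identity check per RFC 2818 / RFC 6125 (generic rule,
# not the MATGUI server's or the JVM's own code).

def dns_name_matches(pattern, hostname):
    """Case-insensitive compare; '*' may only be the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # a short name never equals an FQDN
    if p[0] == "*":
        # Conservative wildcard rule: one label only, and not "*.tld".
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def check_server_identity(hostname, san_dns, common_name=None):
    """Return (ok, reason) for the name the client used to connect."""
    if san_dns:
        # dNSName entries exist, so they are the identity and the CN is ignored.
        if any(dns_name_matches(n, hostname) for n in san_dns):
            return True, "matched subject alternative DNS name"
        return False, f"No subject alternative DNS name matching {hostname} found."
    if common_name and dns_name_matches(common_name, hostname):
        return True, "matched subject CN (no SAN DNS names present)"
    return False, f"neither SAN nor CN matches {hostname}"


# Constructed sample values (assumptions, not from the article's certificate).
CERT_SAN = ["mvs1.example.com"]
CERT_CN = "MVS1"


def demo():
    """Check the names a client might use against the constructed certificate."""
    names = ("MVS1", "mvs1.example.com", "MVS1.EXAMPLE.COM")
    return {n: check_server_identity(n, CERT_SAN, CERT_CN) for n in names}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20} {'OK  ' if ok else 'FAIL'} {reason}")
```

With these constructed values the short name MVS1 is rejected even though the CN is MVS1, because the SAN DNS entry takes precedence and only the fully qualified name matches it.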

Resolution

Use the correct hostname when the certificate is generated.

  • Make sure you are using the correct hostname. It must match the CN or SAN in the server's SSL certificate.
  • If the certificate is not correct or does not include the necessary information, obtain a new certificate with the correct hostname information.
  • Ensure that there are no DNS configuration issues preventing the correct resolution of the hostname.
  • In the warning messages, check the host name they refer to (MVS1 in this example). This was the incorrect value for the hostname, and as a result no matching DNS name could be found.

Then restart the MATGUI server started task.