DaaS connector returned error (487)

  • 7023658
  • 21-Jan-2019
  • 07-Feb-2019


Identity Governance (Access Review) 3.5


Identity/Application collector encounters SSL error when using IP address and secure port in the service parameters

Unable to connect to your server: DaaS connector returned error (487): 
Target authentication failure: Failed Authentication:
java.security.cert.CertificateException: No subject alternative names matching IP address found :


1. Create/edit the server certificate to contain the IP address of the host in the SANs (Subject Alternative Name)
2. Create a /etc/hosts entry to map the IP address of the actual server to a hostname and then change the collector configuration to use the hostname for the"host" parameter.


The Zulu JVM used in IG 3.5.x, performs host name validation for SSL connections. This means that the host name/address used for the host parameter in the collector configuration must be one of the entries in the Subject Alternative Names (SANs) in the certificate. It appears that this problem will mostly affect AD collectors over secure port, because the AD server certificates do not include the IP address by default in the SANs(Subject Alternative Name) .