DaaS connector returned error (487)

  • 7023658
  • 21-Jan-2019
  • 07-Feb-2019

Environment

Identity Governance (Access Review) 3.5

Situation

Identity/Application collector encounters SSL error when using IP address and secure port in the service parameters

Unable to connect to your server: DaaS connector returned error (487): 
Target authentication failure: Failed Authentication:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.206 found :192.168.1.206:636


Resolution

1. Create/edit the server certificate to contain the IP address of the host in the SANs (Subject Alternative Name)
2. Create a /etc/hosts entry to map the IP address of the actual server to a hostname and then change the collector configuration to use the hostname for the"host" parameter.

Cause

The Zulu JVM used in IG 3.5.x, performs host name validation for SSL connections. This means that the host name/address used for the host parameter in the collector configuration must be one of the entries in the Subject Alternative Names (SANs) in the certificate. It appears that this problem will mostly affect AD collectors over secure port, because the AD server certificates do not include the IP address by default in the SANs(Subject Alternative Name) .

Feedback service temporarily unavailable. For content questions or problems, please contact Support.