Here are some sample errors:

1) If FTL is started with an IP address and tibdg tries to connect using the hostname, the error below is thrown:
------------------
C:\AS440\as\4.4\bin>tibdg -r https://vviswana-hpz2:8989 --trust-file C:\AS440\as\4.4\bin\meraSecureGridData\ftl-trust.pem --user-password-file ftlcreds.txt -g meraSecureGrid status
Warn: Wait for realm max time exceeded, last error: Realm is not reachable
Error: Server error 500: Get "https://vviswana-hpz2:8989/api/v1/server": x509: certificate is not valid for any names, but wanted to match vviswana-hpz2
------------------

2) If FTL is started with the hostname and tibdg tries to connect using the IP address, the error below is thrown:
--------------
C:\AS440\as\4.4\bin>tibdg -r https://10.0.0.40:8989 --trust-file C:\AS440\as\4.4\bin\meraSecureGridData\ftl-trust.pem --user-password-file ftlcreds.txt -g meraSecureGrid status
Warn: Wait for realm max time exceeded, last error: Realm is not reachable
Error: Server error 500: Get "https://10.0.0.40:8989/api/v1/server": x509: cannot validate certificate for 10.0.0.40 because it doesn't contain any IP SANs
--------------
Issue/Introduction
This article provides some guidance for working with a secure realm service.
Environment
All Supported Platforms
Resolution
The FTL-generated (via tibftlserver --init-security) certificate is not the actual certificate used by the realm server but is a CA (Certificate Authority) certificate used to sign the certificates used by the realm server instance (and by other FTL server instances).
The realm server effectively uses a certificate whose Subject Alternative Name (SAN) extension is set to the hostname or IP address used to start the corresponding realm server instance:
- If the FTL server is started with a hostname, the certificate's SAN extension contains only that hostname, so clients connecting by IP address are rejected.
- If the FTL server is started with an IP address, the certificate's SAN extension contains only that IP address, so clients connecting by hostname are rejected. (I tested this.)
One cannot add IP SANs to the certificates generated using the documented commands.
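The following added example (not TIBCO's code) reproduces the two rejections above with Go's standard x509 library, which is what produces the error text quoted in the sample output. It builds a self-signed test certificate (an assumption; the real realm server certificate is signed by the FTL-generated CA) carrying either a DNS SAN or an IP SAN, using the hostname and IP address from the page, and checks each against both connection targets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeLeaf builds a self-signed test certificate whose SAN extension holds either
// DNS names or IP addresses, like the realm server's certificate ends up with.
func makeLeaf(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "realm-server-test"}, // CN is ignored for matching
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyTarget returns the error a Go TLS client (tibdg is one) reports when it
// connects to target, a hostname or an IP address, and is presented with cert.
func VerifyTarget(cert *x509.Certificate, target string) error {
	return cert.VerifyHostname(target)
}

func main() {
	byHost, _ := makeLeaf([]string{"vviswana-hpz2"}, nil)        // server started with hostname
	byIP, _ := makeLeaf(nil, []net.IP{net.ParseIP("10.0.0.40")}) // server started with IP address
	fmt.Println("hostname SAN, client uses IP:       ", VerifyTarget(byHost, "10.0.0.40"))
	fmt.Println("IP SAN, client uses hostname:       ", VerifyTarget(byIP, "vviswana-hpz2"))
	fmt.Println("hostname SAN, client uses hostname: ", VerifyTarget(byHost, "vviswana-hpz2"))
}
```

The first two lines of output carry the same "doesn't contain any IP SANs" and "not valid for any names" messages seen in the tibdg errors; the third prints <nil>, showing that only the name form the server was started with is accepted.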