Inputs when working with secure realm service.

Article ID: KB0073402

Products

TIBCO ActiveSpaces

Description

Here are some sample errors:

1)
If the FTL server is started with an IP address and tibdg tries to connect using the host name, the following error is thrown:
------------------
C:\AS440\as\4.4\bin>tibdg -r https://vviswana-hpz2:8989 --trust-file C:\AS440\as\4.4\bin\meraSecureGridData\ftl-trust.pem --user-password-file ftlcreds.txt -g meraSecureGrid status
Warn: Wait for realm max time exceeded, last error: Realm is not reachable
Error: Server error 500: Get "https://vviswana-hpz2:8989/api/v1/server": x509: certificate is not valid for any names, but wanted to match vviswana-hpz2
------------------

2)
If the FTL server is started with a host name and tibdg tries to connect using the IP address, the following error is thrown:
--------------
C:\AS440\as\4.4\bin>tibdg -r https://10.0.0.40:8989 --trust-file C:\AS440\as\4.4\bin\meraSecureGridData\ftl-trust.pem --user-password-file ftlcreds.txt -g meraSecureGrid status
Warn: Wait for realm max time exceeded, last error: Realm is not reachable
Error: Server error 500: Get "https://10.0.0.40:8989/api/v1/server": x509: cannot validate certificate for 10.0.0.40 because it doesn't contain any IP SANs
--------------

Issue/Introduction

This article provides some inputs for working with a secure realm service, in particular why tibdg rejects the realm server certificate when the address form used to connect differs from the one used to start the server.

Environment

All Supported Platforms

Resolution

The FTL-generated certificate (created via tibftlserver --init-security) is not the actual certificate used by the realm server. It is a CA (Certificate Authority) certificate used to sign the certificates used by the realm server instance (and by other FTL server instances); this CA is what the client trusts through --trust-file.

The realm server effectively uses a certificate whose Subject Alternative Name (SAN) extension is set to whatever address was used to start the corresponding realm server instance, either the host name or the IP address. A TLS client such as tibdg checks the address in the -r URL against that SAN, and a DNS-name SAN never matches an IP address (or vice versa):

- If the FTL server is started with a host name, the certificate has a SAN extension containing only that DNS name.
So clients connecting with the IP address are rejected ("doesn't contain any IP SANs").

- If the FTL server is started with an IP address, the certificate has a SAN extension containing only that IP address.
So clients connecting with the host name are rejected ("certificate is not valid for any names"). (I tested this.)

IP SANs cannot be added to the certificates generated using the documented commands. Use the same form of the server address (host name or IP address) in the tibdg -r URL that was used to start the FTL server.
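The following Go program is an added example, not part of this article or of the TIBCO tooling. It reproduces the two failures above with throwaway test certificates: a self-signed CA standing in for ftl-trust.pem, and leaf certificates carrying only a DNS SAN, only an IP SAN, or both. The host name and IP address are taken from the sample output; the CA name, serial numbers and validity period are assumptions for the example. Because tibdg's error text is Go's crypto/x509 wording, the messages produced here match the article verbatim. The third and fourth cases go beyond the article to show that a certificate with both SAN types would verify under either address, which the documented FTL commands do not produce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newKey generates a fresh P-256 key; any failure is fatal for the example.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent and parses the result back into a certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA creates a self-signed CA that plays the role of the ftl-trust.pem root
// (constructed for this example; not produced by tibftlserver --init-security).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ftl-ca"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueServerCert signs a leaf carrying exactly the given DNS and IP SANs,
// mimicking a realm server certificate issued for one start address.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ips []net.IP) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "realm-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// verifyFor does what a TLS client does with the --trust-file CA: build the
// chain to the root, then check the address from the -r URL against the SANs.
func verifyFor(ca, leaf *x509.Certificate, target string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: target})
	return err
}

// IsHostnameError reports whether err is specifically a SAN mismatch, as
// opposed to an expired certificate or an unknown authority.
func IsHostnameError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// ReproduceSANMismatch plays out the article's two failing scenarios, then the
// same connections against a certificate that carries both SAN types.
func ReproduceSANMismatch() (hostOnlyByIP, ipOnlyByHost, bothByHost, bothByIP error) {
	ca, caKey := makeCA()
	host, ip := "vviswana-hpz2", net.ParseIP("10.0.0.40") // from the sample output
	hostOnly := issueServerCert(ca, caKey, []string{host}, nil)
	ipOnly := issueServerCert(ca, caKey, nil, []net.IP{ip})
	both := issueServerCert(ca, caKey, []string{host}, []net.IP{ip})
	return verifyFor(ca, hostOnly, ip.String()),
		verifyFor(ca, ipOnly, host),
		verifyFor(ca, both, host),
		verifyFor(ca, both, ip.String())
}

func main() {
	a, b, c, d := ReproduceSANMismatch()
	fmt.Println("host-only cert, connect by IP:", a)
	fmt.Println("IP-only cert, connect by host:", b)
	fmt.Println("both SANs, connect by host:   ", c)
	fmt.Println("both SANs, connect by IP:     ", d)
}
```

The first two results are x509.HostnameError values whose text is exactly the "doesn't contain any IP SANs" and "certificate is not valid for any names" messages seen from tibdg; the last two are nil. Checking for HostnameError with errors.As is the reliable way to tell a SAN mismatch from a trust-file problem when scripting around such clients.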