When connecting EMS Server to an LDAP server via LDAPS, the Common Name (CN) field of the SSL certificate must match the hostname in the URL used to reach the LDAP server. Why?
Article ID: KB0090327
Products: TIBCO Enterprise Message Service
Versions: Not Applicable
Description
Resolution: EMS LDAP functionality is built on OpenLDAP, and the OpenLDAP SSL client checks the server hostname: by default it expects the server certificate to contain a CN that matches the hostname in the server URL. OpenLDAP does not provide any facility or option to change this behavior. The comparison is a string match, so the hostname in the EMS LDAP URL must be exactly the name held in the certificate's CN; connecting by IP address, or by a short name when the CN holds the fully qualified name, fails the check. The fix is to issue the LDAP server a certificate whose CN is the hostname EMS uses in its LDAP URL.
In general, a TLS client checks the hostname by either:
a/ verifying the subjectAltName (SAN) extension of the certificate, or
b/ comparing the hostname of the LDAP server (from the URL) with the CN in the certificate's subject.
Verification of subjectAltName has not been implemented in TIBCO EMS, so only method b/ applies. Note that certificates from many CAs carry the hostname only in the SAN and use a descriptive CN; such a certificate is accepted by SAN-aware clients such as browsers but is rejected by EMS.
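The following pre-flight check is an added example, not TIBCO's or OpenLDAP's code. It takes an EMS-style LDAP URL and a server certificate in the dict layout returned by Python's ssl.SSLSocket.getpeercert(), applies the CN-only rule described above (URL host must equal a subject CN; subjectAltName ignored), and, for contrast, the SAN-aware rule that other TLS clients apply. The two sample certificates are constructed dicts, not real certificates; the hostnames, URLs and function names are assumptions for illustration, and the treatment of wildcard CNs as non-matching in the CN-only rule is a conservative assumption rather than documented OpenLDAP behaviour.

```python
"""Pre-flight check of an EMS LDAP URL against the LDAP server certificate.

Reproduces the CN-only hostname rule the article describes (URL host must
equal the subject CN; subjectAltName is ignored) next to the SAN-aware rule
most other TLS clients apply. Added example, not TIBCO or OpenLDAP code.
"""
import socket
import ssl
from urllib.parse import urlsplit


def ldap_url_host(ldap_url):
    """Return (host, port) from an EMS-style LDAP URL, e.g. ldaps://ldap.example.com:636."""
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected ldap://host[:port] or ldaps://host[:port]: %r" % ldap_url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port


def subject_common_names(peercert):
    """All commonName values in the subject (ssl.SSLSocket.getpeercert() dict layout)."""
    return [value for rdn in peercert.get("subject", ())
            for attr_type, value in rdn if attr_type == "commonName"]


def san_dns_names(peercert):
    """dNSName entries of subjectAltName in the same dict layout."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def _canon(name):
    return name.lower().rstrip(".")


def cn_only_match(peercert, host):
    """The rule the EMS (OpenLDAP-based) client applies: the URL host must equal a
    subject CN, case-insensitively; subjectAltName is never consulted.
    Wildcard CNs are treated as non-matching here (conservative assumption)."""
    return any(_canon(cn) == _canon(host) for cn in subject_common_names(peercert))


def _dns_match(pattern, host):
    """Exact match, or a leftmost '*' covering exactly one label (RFC 6125 style)."""
    pattern, host = _canon(pattern), _canon(host)
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return pattern[2:] == host.split(".", 1)[1]
    return False


def san_aware_match(peercert, host):
    """What a SAN-aware client does: if dNSName SANs exist they alone decide;
    the CN is only a fallback for certificates without any dNSName SAN."""
    sans = san_dns_names(peercert)
    if sans:
        return any(_dns_match(s, host) for s in sans)
    return any(_dns_match(cn, host) for cn in subject_common_names(peercert))


def check_ldap_url(ldap_url, peercert):
    """Report whether EMS (CN-only) and a SAN-aware client would accept this cert."""
    host, port = ldap_url_host(ldap_url)
    return {
        "host": host,
        "port": port,
        "subject_cn": subject_common_names(peercert),
        "san_dns": san_dns_names(peercert),
        "ems_cn_only_ok": cn_only_match(peercert, host),
        "san_aware_ok": san_aware_match(peercert, host),
    }


def fetch_peercert(host, port, timeout=5.0):
    """Fetch the live server certificate (network; not used by the offline samples).
    The chain is still verified against the system trust store; only the hostname
    rule is applied separately, via cn_only_match / san_aware_match."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (dicts in getpeercert() layout, not real certs).
CA_STYLE_CERT = {  # hostname only in the SAN, descriptive CN: typical CA-issued cert
    "subject": ((("commonName", "Directory Service"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap-dr.example.com")),
}
EMS_COMPATIBLE_CERT = {  # CN carries the hostname EMS uses; SAN added for other clients
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}

if __name__ == "__main__":
    for url in ("ldaps://ldap.example.com:636", "ldaps://LDAP.EXAMPLE.COM", "ldaps://10.0.0.5:636"):
        for label, cert in (("CA-style", CA_STYLE_CERT), ("EMS-compatible", EMS_COMPATIBLE_CERT)):
            r = check_ldap_url(url, cert)
            print(f"{url:32} {label:15} EMS={r['ems_cn_only_ok']!s:6} SAN-aware={r['san_aware_ok']}")
```

Running it shows the failure mode the article describes: the CA-style certificate passes the SAN-aware check but fails the CN-only check for every URL, while the EMS-compatible certificate passes both for the hostname form of the URL and fails both when the URL names the server by IP address. To test a real server, call fetch_peercert(host, port) and pass the result to check_ldap_url.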
Issue/Introduction
When connecting EMS Server to an LDAP server via LDAPS, the Common Name (CN) field of the SSL certificate must match the hostname in the URL used to reach the LDAP server. Why?