"Cannot send EM topology due: SSLPeerUnverifiedException" message in the EM log after upgrading to 10.7

Document ID : KB000093503
Last Modified Date : 30/04/2018
Issue:
After upgrading to 10.7, the exception below is reported in the Introscope EM log. What does it mean?

[INFO] [RemoteHttpCallServiceExecutor-20] [Manager.AppMap.RemoteHttp] SSLPeerUnverifiedException: Host name '...' does not match the certificate subject provided by the peer (CN=.., OU=.., O=.., C=..)
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLPeerUnverifiedException: Host name '...' does not match the certificate subject provided by the peer (CN=.., OU=.., O=.., C=..)' Will retry.
 
Cause:
Security is stricter in 10.7. The following new functionality makes the EM act as an HTTP client to the same or another EM, and an invalid certificate on the peer causes these errors:

a) ClusterTopologyPoller, which sends the APM Infrastructure topology (the EM -> EM -> agents graph)
b) The SQL REST API, which ApmSqlServer calls to query metric data in a SQL-like way

With an invalid certificate the above message or exception is reported in the Introscope EM log and the two features above do not work. The impact of an invalid certificate is therefore not small, but it is not catastrophic: the EM starts, collects metrics, returns the map, AT works, and so on.

The documentation has been updated to stress explicitly that trusted certificates have to be used.

https://docops.ca.com/ca-apm/10-7/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications/

"Important! The Enterprise Managers are also clients when communicating over SSL. The Enterprise Managers require a valid certificate or a trusted self-signed certificate with the correct hostname in the Java truststore. You must use a valid certificate. For testing purposes, you can use a self-signed certificate, but you must generate a certificate for your hostname and domain. Add the certificate to the global Java truststore. The Enterprise Manager as a client uses the global Java truststore to verify trusted servers."
Resolution:
Use a valid certificate, or a trusted self-signed certificate with the correct hostname, in the Java truststore.
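To show why the EM, acting as an HTTPS client, rejects the peer certificate, the following added example (not CA code, and not part of this article) reproduces the hostname-verification decision a client makes against a peer certificate. It uses the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run on a real peer certificate; the two sample certificates, the host names em1.example.com / em2.example.com and the address 10.0.0.5 are constructed placeholders.

```python
import ipaddress

# Map X.509 attribute names (as getpeercert() reports them) to the short
# forms used in the EM log line: CN=.., OU=.., O=.., C=..
_OID_SHORT = {
    "commonName": "CN",
    "organizationalUnitName": "OU",
    "organizationName": "O",
    "localityName": "L",
    "stateOrProvinceName": "ST",
    "countryName": "C",
}


def _subject_string(cert: dict) -> str:
    """Render the certificate subject the way the EM prints it in the log."""
    parts = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            parts.append(f"{_OID_SHORT.get(key, key)}={value}")
    return ", ".join(parts)


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (or subject CN) pattern against a host name.

    RFC 6125 style rules, as a default Java HostnameVerifier applies them:
    case-insensitive comparison, and '*' is honoured only as the entire
    left-most label (e.g. '*.example.com' matches em2.example.com but not
    example.com or a.b.example.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str):
    """Return None when hostname matches cert, else the EM-style error text.

    - IP literal: must appear as an iPAddress SAN entry (no CN fallback).
    - Otherwise, if any dNSName SAN entries exist they are authoritative
      and the CN is ignored; only a certificate without SAN falls back to CN.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for (k, v) in san if k == "DNS"]
    ip_names = [v for (k, v) in san if k == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return None
    elif dns_names:
        if any(_dns_name_match(p, hostname) for p in dns_names):
            return None
    else:
        cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
        if any(_dns_name_match(c, hostname) for c in cns):
            return None

    return (f"Host name '{hostname}' does not match the certificate subject "
            f"provided by the peer ({_subject_string(cert)})")


# Constructed sample: a self-signed certificate generated for "localhost"
# and then deployed on an EM that peers reach as em1.example.com.
MISMATCHED_CERT = {
    "subject": ((("commonName", "localhost"),),
                (("organizationalUnitName", "APM"),),
                (("organizationName", "Example"),),
                (("countryName", "US"),)),
}

# Constructed sample: a certificate issued for the EM's real host name,
# with a wildcard for sibling EMs and the EM's IP address as SAN entries.
GOOD_CERT = {
    "subject": ((("commonName", "em1.example.com"),),
                (("organizationName", "Example"),),
                (("countryName", "US"),)),
    "subjectAltName": (("DNS", "em1.example.com"),
                       ("DNS", "*.example.com"),
                       ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    for cert, host in [(MISMATCHED_CERT, "em1.example.com"),
                       (GOOD_CERT, "em1.example.com"),
                       (GOOD_CERT, "em2.example.com"),
                       (GOOD_CERT, "10.0.0.5")]:
        print(host, "->", verify_hostname(cert, host) or "OK")
```

The practical check this gives you: the name the EM uses to reach the peer (the host name in its cluster or ApmSqlServer configuration, not whatever the certificate was generated for) must appear as a dNSName SAN entry of the peer certificate, or as the CN on a certificate without SAN. The verifyHostnames setting mentioned in the note below switches off exactly this comparison, so with it disabled any certificate the truststore trusts is accepted for any host name; the truststore check itself still applies.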

NOTE: 
In the upcoming 10.7 SP1 the EM code has been enhanced (DE341744) to reuse the SSL context created for the Jetty web server, so hostname validation can be disabled in em-jetty-config.xml to prevent the above exception by setting:

<Set name="verifyHostnames">false</Set>