Portal Sync with gateway

Document ID : KB000098414
Last Modified Date : 30/05/2018
Issue:
Unable to sync the portal with the gateway due to an SSL certificate mismatch.
Environment:
API Developer Portal 3.5
Cause:
The following error appears in catalina.out:

SEVERE: java.security.cert.CertificateException: No subject alternative names present
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Resolution:
This occurs when the connection uses IP addresses and the certificate doesn't contain a subject alternative name (SAN). According to the RFC: "When using an IP address, there must be a Subject Alternative Name entry (of type IP address, not DNS name) in the certificate."

There are two solutions to this:

1. Generate a new private key and a certificate request that includes a SAN, and keep using the IP addresses. This has to be done with openssl from the command line, as the Policy Manager doesn't have the capability to generate CSRs with a Subject Alternative Name. A knowledge base article with instructions is available here:
https://comm.support.ca.com/kb/generating-client-certificates-with-subject-alternate-names-san/kb000057521

2. Create hostnames for the systems to use (and new keys), add entries for them in /etc/hosts, and make the CN values of the certificates match those hostnames. Also specify the Gateway hostname in the following file:
/opt/Deployments/lrs/server/webapps/ROOT/plugins/lrsgateway-conf.xml
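
For option 1, a lab check of the condition behind the error, as an added example that is not taken from the CA knowledge base article: it builds one self-signed certificate with the IP only in the CN and one with an iPAddress SAN, then tests each. The address 192.0.2.10, the name gateway.example and the function names are assumptions; a production certificate would be issued from a CSR rather than self-signed.

```shell
#!/bin/sh
# Added example. Names and addresses are constructed, not from the KB article.

# make_cert PREFIX CN [IP]
# Writes PREFIX.key and PREFIX.crt (self-signed, lab use only).
# When IP is given, the certificate carries an iPAddress SAN for it.
make_cert() {
    prefix=$1 cn=$2 ip=${3:-}
    {
        echo '[req]'
        echo 'distinguished_name = dn'
        echo 'prompt = no'
        if [ -n "$ip" ]; then echo 'x509_extensions = v3_san'; fi
        echo '[dn]'
        echo "CN = $cn"
        if [ -n "$ip" ]; then
            echo '[v3_san]'
            echo "subjectAltName = IP:$ip"
        fi
    } > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# has_ip_san CERT IP
# Succeeds only if CERT lists IP as an iPAddress SAN entry (exact match).
has_ip_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq "IP Address:$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/cn_only" 192.0.2.10                   # IP only in CN: the failing case
    make_cert "$dir/with_san" gateway.example 192.0.2.10  # IP present as a SAN
    for c in cn_only with_san; do
        if has_ip_san "$dir/$c.crt" 192.0.2.10; then
            echo "$c: IP SAN present"
        else
            echo "$c: no IP SAN, clients connecting by IP will reject it"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running `has_ip_san` against the certificate exported from the gateway confirms whether a reissued certificate will clear the handshake error before the portal sync is retried.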