IDM 4.5.4 on RedHat, with eDir 8.8.8.8 and OSP 6.0.03

I have a workflow with an Integration Activity calling the UA SOAP
endpoint to Create/Delete/Modify Roles.

The Start Workflow call from the engine server uses a GCV that works to
start the process.

The workflow begins; the only activity is the Integration Activity.

The integration activity uses the same GCV (copied to the UA driver, so
not actually the same GCV, but same name and same value) to call the SOAP
endpoint.

cacerts (engine and UA server) has the public key of the UA's private
key. That key has 12 Subject Alternate Names (poor man's wildcard cert).
It has the public key of the eDir CA, the public key of OSP, the public
key of Tomcat.

osp.jks has the OSP private key, the eDir CA public key, the tomcat
public key.

tomcat.keystore has the Tomcat private key (with the 12 SANs), the OSP
public key, and the eDir CA public key.

The IA throws an error that the name idmtomcat.acme.com does not match
myid.acme.com, but I called idmhome.acme.com.

idmtomcat is the CN= name in the cert, which is not real nor in DNS, but
the 12 SANs are all real and in DNS, and the names myid.acme.com and
idmhome.acme.com are in the SAN list.

When I add an /etc/hosts entry for idmtomcat.acme.com pointing at the
local UA (have to do this on each UA box), the IA works.

This leads me to think that Integration Activities have an issue when
the Source Name of the cert does not match the name you use in the SOAP
call. This seems like it is NOT honoring Subject Alternate Names
properly.

Anyone else ever seen something like this?


--
relgis
------------------------------------------------------------------------
relgis's Profile: https://forums.netiq.com/member.php?userid=12955
View this thread: https://forums.netiq.com/showthread.php?t=57006
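The symptom above (a cert whose CN is a name not in DNS, while the names actually called are only in the SAN list) is the textbook case that separates a legacy CN-only hostname check from the RFC 6125 / RFC 2818 rule, under which dNSName SANs are authoritative and the CN is only consulted when no dNSName SAN exists. The following is an added example, not code from the original post or from NetIQ IDM: it lays out a constructed stand-in certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns (CN `idmtomcat.acme.com`, SANs `myid.acme.com`, `idmhome.acme.com` and a hypothetical `ua1.acme.com`), implements both matching rules, and shows that only the CN-only rule rejects `myid.acme.com` and `idmhome.acme.com` while accepting the CN name, which is exactly what the /etc/hosts workaround in the post suggests. The matcher can be pointed at a real `getpeercert()` result unchanged.

```python
"""SAN-aware vs. CN-only hostname matching for an X.509 certificate.

Added example; not part of the original forum post. The certificate below is
a constructed stand-in for the one described there (CN not in DNS, real
names only in subjectAltName), in the shape ssl.SSLSocket.getpeercert()
returns, so match_hostname_san() can be run against a live peer cert.
"""

# Constructed stand-in for the UA/Tomcat cert in the post; ua1.acme.com is
# an assumed extra SAN, not a name from the post.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "idmtomcat.acme.com"),),),
    "subjectAltName": (
        ("DNS", "myid.acme.com"),
        ("DNS", "idmhome.acme.com"),
        ("DNS", "ua1.acme.com"),
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 s6.4.3 rules).

    Case-insensitive; a '*' is only honoured as the entire left-most label,
    it must be followed by at least two labels (no '*.com'), and it matches
    exactly one label (so '*.acme.com' does not match 'a.b.acme.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _cn_values(cert) -> list:
    """All commonName values from the subject, in getpeercert() layout."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _san_dns(cert) -> list:
    """All dNSName entries from subjectAltName."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def match_hostname_san(cert, hostname: str) -> bool:
    """Standards-conformant check: if any dNSName SAN is present, only the
    SAN list is consulted; the CN is a fallback solely for SAN-less certs."""
    dns_names = _san_dns(cert)
    if dns_names:
        return any(_dns_label_match(p, hostname) for p in dns_names)
    return any(_dns_label_match(cn, hostname) for cn in _cn_values(cert))


def match_hostname_cn_only(cert, hostname: str) -> bool:
    """Legacy check that ignores SANs entirely; the behaviour the post's
    symptom (and its /etc/hosts workaround) is consistent with."""
    return any(_dns_label_match(cn, hostname) for cn in _cn_values(cert))


def explain(cert, hostname: str) -> str:
    """One-line verdict for a hostname under the SAN-aware rule."""
    cns = _cn_values(cert)
    cn = cns[0] if cns else "<no CN>"
    if match_hostname_san(cert, hostname):
        return f"OK: {hostname} matches a subjectAltName dNSName"
    return f"no subjectAltName dNSName matches {hostname} (CN={cn})"


if __name__ == "__main__":
    for name in ("myid.acme.com", "idmhome.acme.com", "idmtomcat.acme.com", "other.acme.com"):
        print(f"{name:20} san={match_hostname_san(CONSTRUCTED_CERT, name)!s:5} "
              f"cn_only={match_hostname_cn_only(CONSTRUCTED_CERT, name)!s:5} "
              f"{explain(CONSTRUCTED_CERT, name)}")
```

Running it shows the inversion at the heart of the post: under the SAN-aware rule `myid.acme.com` and `idmhome.acme.com` pass and `idmtomcat.acme.com` fails (the CN is not consulted once dNSName SANs exist), while under the CN-only rule the reverse holds. To compare against a real endpoint, replace `CONSTRUCTED_CERT` with the dict returned by `ssl.create_default_context().wrap_socket(...).getpeercert()` for the UA host.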