2

We have IBM Sterling Connect Direct 4.2 on Windows 2003 Server. Everything is working fine, even the SSL configuration, and we exchange files properly. Now I have migrated all the configuration to a Windows Server 2008 cluster environment. Everything is OK... I have configured IBM Sterling Connect Direct 4.6.0.1, including the SSL configuration (we just copied and pasted the certificates, keycerts and trusted files). Everything is OK and we are able to receive files under an SSL session. But there is an exception: when we try to send files to our partners, we get this error:

Message ID: CSPA311E
SSL Certificate verification failed, reason= self certificate in certificate chain:

Followed by this error:

Message ID: CSPA309E
SSL3_GET_SERVER_CERTIFICATE certificate verify failed:

We are using exactly the same configuration, except for the IP and server name, which have changed. Are the certificates in any way linked to the server name or the IP?

Any hint on this issue is much appreciated.

4

1 Answer

2

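Certificates are issued for a specific domain name or IP address. I'm pretty sure this is the cause of your error. You can check this with keytool.exe, which ships with the JRE or JDK installation and is located in the /bin directory. From the command line, issue the following command: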

keytool.exe -printcert -file C:\path\to\your\file.crt

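This will give output like the following:

In the second line you can see: Owner: CN=localhost, ... which means that this certificate was issued for localhost.

If this CN entry differs from the new IP address or domain name, there are two possibilities.

  1. Create a new certificate issued for that specific IP or domain. You can again use the Java keytool.exe.
  2. Update the client application that checks the certificate's validity. That is, tell the client not to check the certificate CN name against the real IP address or domain name of the remote server. (Not recommended for security reasons.)
answered 2013-08-17T18:46:01.097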
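
An added example, not part of the original answer: a Python sketch that parses the text printed by `keytool -printcert` and reports whether a host name or IP is covered by the certificate, using the common TLS rule that SAN entries take precedence over the CN, and whether Owner and Issuer are identical. The sample output, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of `keytool -printcert` text output (not from the original post).
SAMPLE = """\
Owner: CN=oldhost.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=oldhost.example.com, OU=IT, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Sat Aug 17 00:00:00 UTC 2013 until: Sun Aug 17 00:00:00 UTC 2014
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: oldhost.example.com
  IPAddress: 192.0.2.10
]
"""

def parse_printcert(text):
    """Extract owner, issuer, CN and SAN entries from keytool -printcert output."""
    field = lambda name: re.search(rf"^{name}: (.+)$", text, re.M).group(1).strip()
    owner, issuer = field("Owner"), field("Issuer")
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner)
    return {
        "owner": owner,
        "issuer": issuer,
        "cn": cn.group(1).strip() if cn else None,
        "dns": re.findall(r"^\s*DNSName: (\S+)", text, re.M),
        "ip": re.findall(r"^\s*IPAddress: (\S+)", text, re.M),
        # Same subject and issuer DN: self-issued, so the peer must trust this exact cert.
        "self_issued": owner == issuer,
    }

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def covers(cert, target):
    """True if target (host name or IP) is named by a SAN entry, or by CN when no SAN exists."""
    if cert["dns"] or cert["ip"]:
        return target in cert["ip"] or any(name_matches(d, target) for d in cert["dns"])
    return cert["cn"] is not None and name_matches(cert["cn"], target)

if __name__ == "__main__":
    cert = parse_printcert(SAMPLE)
    for target in ("oldhost.example.com", "192.0.2.10", "newhost.example.com"):
        print(target, "covered" if covers(cert, target) else "NOT covered")
    print("self-issued:", cert["self_issued"])
```

Identical Owner and Issuer lines mean the certificate is its own issuer, so a verifying peer accepts it only if that certificate is in its trusted store.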