Symptoms:
This error can appear while configuring LDAPS for Mart as described here: https://support.erwin.com/hc/en-us/articles/360025097372-How-to-Configure-LDAPS-in-Mart-Server-
Specifically, the error occurs while the JVM is validating the LDAP server's TLS certificate during the LDAPS handshake. The log entries below are only visible when SSL debug logging is enabled as described here: https://support.erwin.com/hc/en-us/articles/360038894891-How-to-Enable-Debug-Logging-for-SSL-Errors-in-Mart- (without it, Mart simply fails to connect to the LDAP server and the cause is not obvious).
The Subject Alternative Name (SAN) extension lists the hostnames a certificate is valid for. When the JDK performs endpoint identification on an LDAPS connection, it compares the hostname Mart was configured with against the DNSName entries in the SAN; the subject CN is only consulted when the SAN contains no DNS entry at all. This error means that none of the DNSName entries match the name Mart used to connect, so the client aborts the handshake with CERTIFICATE_UNKNOWN before any bind is attempted. The Other-Name entry with OID 1.3.6.1.4.1.311.25.1 that appears in the same extension is the Microsoft domain controller GUID that Active Directory places in DC certificates; the JDK reports it as unrecognized and ignores it, which is harmless. Only the DNSName entries count. In the logging, you'll see entries such as…
javax.net.ssl|DEBUG|40|Thread-4|2020-02-13 11:10:53.769 CST|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "<serial number>",
"signature algorithm": "SHA256withRSA",
"issuer" : "<issuer>",
"not before" : "2019-12-04 08:24:40.000 CST",
"not after" : "2020-12-03 08:24:40.000 CST",
"subject" : "<subject>",
"subject public key" : "RSA",
"extensions" : [
...
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.25.1
DNSName: <FQDN>
]
}
...
javax.net.ssl|ERROR|40|Thread-4|2020-02-13 11:10:53.816 CST|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): No subject alternative DNS name matching <FQDN> found. (
"throwable" : {
java.security.cert.CertificateException: No subject alternative DNS name matching <FQDN> found.
Resolution:
The hostname Mart was given for the LDAP server (<FQDN> in the log) has to appear as a DNSName entry in the server certificate's SAN. The proper fix is to make them agree: configure Mart with the exact DNS name the certificate carries (typically the domain controller's own FQDN rather than a CNAME, a load balancer name or an IP address), or have the LDAP server's certificate reissued with a SAN that covers the name Mart uses. If neither is possible right away, the check can be switched off for the JDK's LDAP provider with the following JVM option:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
This option exists because endpoint identification became the default for LDAPS connections in JDK 8u181; setting it to true restores the earlier behaviour. Be clear about what it trades away: the certificate chain is still validated against the truststore, but any certificate issued by a trusted CA is then accepted for any hostname, so a host presenting a valid certificate for a different name could impersonate the LDAP server to Mart. Treat it as a diagnostic or interim setting and remove it once the certificate or the configured hostname has been corrected.
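Before deciding whether to disable endpoint identification, it is worth seeing exactly which DNS names the LDAP server's certificate carries and whether the name Mart uses would pass the JDK's check. The script below is an added example, not part of the erwin article and not Mart code. It uses only the Python standard library, reproduces a close approximation of the hostname rules in the JDK's HostnameChecker (case-insensitive match, a wildcard only as the whole leftmost label matching exactly one label, CN consulted only when the SAN has no DNS entry), and can run either offline against a constructed SAN shaped like the one in the log above, or live against the server with the chain validated but the hostname check left to the script. The host names dc01.corp.example and ldap.corp.example, port 636, the truststore alias and the file ldap-ca.pem are placeholders.

```python
"""Reproduce the JDK's LDAPS endpoint-identification decision outside Mart.

Added example; not part of the erwin article or the Mart product. Connects
with the chain validated against the same CA that is in Mart's truststore but
with the hostname check turned off, so the certificate comes back even when
the SAN is wrong, then applies the hostname rules itself and reports the SAN
DNS names that Mart would have to be configured with.
Stdlib only. Host names, port and the truststore path are placeholders.
"""
import socket
import ssl


def san_dns_name_matches(hostname, dns_name):
    """One dNSName entry vs. the configured hostname, approximating the rules
    in the JDK's sun.security.util.HostnameChecker: case-insensitive, a '*'
    only as the whole leftmost label, matching exactly one label, and never
    reaching into the public suffix ("*.example" is rejected)."""
    host = hostname.lower().rstrip(".")
    name = dns_name.lower().rstrip(".")
    if "*" not in name:
        return host == name
    labels = name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def endpoint_identification(hostname, san_entries, subject_cn=None):
    """Decide as the JDK does for a DNS hostname (IP-literal hosts, which are
    matched against IP Address SAN entries, are out of scope here).

    san_entries: iterable of (type, value) pairs in the shape of
    ssl.SSLSocket.getpeercert()['subjectAltName']; otherName entries such as
    the AD domain-controller GUID are skipped, just as the JDK skips them.
    Returns (ok, reason); the failure reason is the text Mart logs.
    """
    dns_names = [value for kind, value in san_entries if kind == "DNS"]
    if dns_names:
        if any(san_dns_name_matches(hostname, n) for n in dns_names):
            return True, "matched SAN DNS name"
        return False, "No subject alternative DNS name matching %s found." % hostname
    # The subject CN is consulted only when the SAN carries no DNS name at all.
    if subject_cn and san_dns_name_matches(hostname, subject_cn):
        return True, "matched subject CN (certificate has no DNS SAN)"
    return False, "No name matching %s found" % hostname


def fetch_and_check(hostname, port=636, ca_pem="ldap-ca.pem"):
    """Live check against the LDAP server. ca_pem is the CA in PEM form; export
    it from the JKS truststore Mart uses with
      keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file ldap-ca.pem
    Returns (ok, reason, san_dns_names)."""
    ctx = ssl.create_default_context(cafile=ca_pem)  # chain IS validated
    ctx.check_hostname = False                        # hostname is checked by us
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    san = cert.get("subjectAltName", ())
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    ok, reason = endpoint_identification(hostname, san, cn)
    return ok, reason, [v for kind, v in san if kind == "DNS"]


# Constructed SAN in the shape of the certificate in the article's log: an
# otherName (the AD DC GUID, OID 1.3.6.1.4.1.311.25.1, which Python reports
# as "<unsupported>") plus a single DNSName for the domain controller.
SAMPLE_SAN = (("othername", "<unsupported>"), ("DNS", "dc01.corp.example"))

if __name__ == "__main__":
    # Offline demonstration: Mart configured with an alias of the DC fails
    # exactly as in the log; configured with the DC's own FQDN it passes.
    for configured in ("ldap.corp.example", "DC01.corp.example"):
        print(configured, endpoint_identification(configured, SAMPLE_SAN))
    # Live check against a real server (placeholders):
    # print(fetch_and_check("ldap.corp.example", 636, "ldap-ca.pem"))
```

If the live check reports a mismatch but lists a DNS name you can resolve and reach, reconfigure Mart with that name instead of setting disableEndpointIdentification; if it lists no usable name, the certificate needs to be reissued.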
Example with Mart running as a Windows Service…
1- Stop Mart Service
2- Remove Mart Service: C:\Program Files\erwin\Mart Server r9\Tomcat64\Remove MartServer Win Service.bat
3- Edit C:\Program Files\erwin\Mart Server r9\Tomcat64\bin\service.bat and add the truststore, SSL debug logging and disableEndpointIdentification arguments to the --JvmOptions line (the original article shows the added arguments in bold); the result looks like this:
--StopParams stop ^
--JvmOptions "-Dcatalina.home=%CATALINA_HOME%;-Dcatalina.base=%CATALINA_BASE%;-D%ENDORSED_PROP%=%CATALINA_HOME%\endorsed;-Djava.io.tmpdir=%CATALINA_BASE%\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties;-Dcom.sun.management.jmxremote.port=5555;-Dcom.sun.management.jmxremote.authenticate=false;-Dcom.sun.management.jmxremote.ssl=false;-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true;-Djavax.net.debug=ssl,handshake;-Dcom.sun.management.jmxremote.ssl=false;-Djavax.net.ssl.trustStore=<keystore>;-Djavax.net.ssl.trustStorePassword=<password>;-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true;%JvmArgs%" ^
--JvmOptions9 "--add-opens=java.base/java.lang=ALL-UNNAMED#--add-opens=java.base/java.io=ALL-UNNAMED#--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED" ^
4- Run Create Mart Service: C:\Program Files\erwin\Mart Server r9\Tomcat64\Create MartServer Win Service.bat
5- Run Mart Configuration and provide LDAPS details
6- Restart Mart
The arguments added to the stock --JvmOptions line for LDAP SSL and debugging are -Djavax.net.debug=ssl,handshake, -Djavax.net.ssl.trustStore=<keystore>, -Djavax.net.ssl.trustStorePassword=<password> and -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true; everything else on that line is the Mart service definition as shipped. Remove -Djavax.net.debug=ssl,handshake once the handshake has been diagnosed, since it logs every TLS exchange in detail, and be aware that the truststore password passed on the command line is readable by anyone who can inspect the service's process arguments.