In trying to get secure rest services to work on Open Liberty in a container, I get the following error: CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [hostname]. The host name used to access the server does not match the server certificate's SubjectDN or Subject Alternative Name information. The extended error message from the SSL handshake exception is: [No name matching hostname found].
Relevant portion of the server.xml:
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>jca-1.7</feature>
<feature>jdbc-4.1</feature>
<feature>jndi-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>mpConfig-1.3</feature>
<feature>passwordUtilities-1.0</feature>
<feature>ssl-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<sslDefault sslRef="DefaultSSLConfig" httpHostNameVerification="false"/>
<ssl id="DefaultSSLConfig" keyStoreRef="DefaultKeyStore" trustStoreRef="DefaultTrustStore" trustDefaultCerts="true" verifyHostname="false"/>
<keyStore id="DefaultKeyStore" location="liberty-default-key.p12" type="PKCS12" password="password"/>
<keyStore id="DefaultTrustStore" location="liberty-default-trust.p12" type="PKCS12" password="password"/>
<ldapRegistry id="ldapRegistry" realm="Standalone LDAP Registry" ldapType="IBM Tivoli Directory Server"
host="server" port="123"
baseDN="baseDN" bindDN="bindDN" bindPassword="password"
recursiveSearch="true"
sslEnabled="true" sslRef="DefaultSSLConfig">
<idsFilters>
...
</idsFilters>
</ldapRegistry>
As you can see verifyHostname has the value 'false', but the check is done anyway. What am I missing?
The JDK has handles LDAP separately and hostname verification is enabled by default by the JDK. To disable LDAP hostname verification you need to set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true. So in the jvm.options in your server directory add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to disable hostname verification on an LDAP connention.