We have two different ldap providers in two different physical office locations.
我们在两个不同的物理办公地点有两个不同的ldap提供商。
When I connect my laptop to one location and I 'retrieve from port' (in Websphere 6.1) to import the ssl cert of the ldap provider, I can authenticate to the respective ldap with no problems. If I take my laptop to the other office (that uses the other ldap provider by default) and I plugin my laptop, my WAS on my laptop will not start because it says 'no trusted ssl cert found'.
当我将笔记本电脑连接到一个位置并且我从端口'(在Websphere 6.1中)检索以导入ldap提供程序的ssl证书时,我可以在没有问题的情况下对相应的ldap进行身份验证。如果我将笔记本电脑带到另一个办公室(默认情况下使用其他ldap提供商)并且我插入笔记本电脑,我的笔记本电脑上的WAS将无法启动,因为它显示“找不到可靠的ssl证书”。
If I 'retrieve from port' again and re import the cert then it works again.
如果我再次从端口'检索并重新导入证书,那么它再次起作用。
Note that my WAS always try to connect to one ldap, it simply has no use for the other one.
请注意,我的WAS总是尝试连接到一个ldap,它对另一个没有用。
If I go back to the other office I get the same error until I reimport from that location. The ldap connection point is ldap.something.com:636 and is pingable in both locations with the same FQDN.
如果我回到另一个办公室,我会得到同样的错误,直到我从该位置重新导入。 ldap连接点是ldap.something.com:636,并且在具有相同FQDN的两个位置都可以ping。
But when pinged it resolves to a different ip address in each office location. Why do I see that behavior?
但是当它被ping时,它会解析为每个办公地点的不同IP地址。为什么我会看到这种行为?
Are SSL Certs somehow bound to a specific IP address?
SSL Certs是否以某种方式绑定到特定的IP地址?
If yes, then I need to maintain a different set of certs for each office location, right?
如果是,那么我需要为每个办公地点维护一套不同的证书,对吧?
Note that, there is no way to adjust the dns servers to resolve the hostname to the same IP address, I checked.
请注意,我检查过无法调整dns服务器以将主机名解析为相同的IP地址。
Can someone provide some insight?
有人能提供一些见解吗?
3 个解决方案
#1
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.domain.com) or even an IP address, but it usually isn't.
SSL证书绑定到“通用名称”,通常是完全限定的域名,但可以是通配符名称(例如。* .domain.com),甚至是IP地址,但通常不是。
In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial numbers and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.
在您的情况下,您通过主机名访问LDAP服务器,听起来您的两个LDAP服务器安装了不同的SSL证书。您是否能够查看(或下载和查看)SSL证书的详细信息?每个SSL证书都有一个唯一的序列号和指纹,需要匹配。我认为证书被拒绝,因为这些详细信息与证书库中的内容不匹配。
Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.
您的解决方案是确保两台LDAP服务器都安装了相同的SSL证书。
BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
顺便说一句 - 您通常可以通过编辑本地“主机”文件来覆盖工作站上的DNS条目,但我不建议这样做。
#2
Most SSL certificates are bound to the hostname of the machine and not the ip address.
大多数SSL证书都绑定到计算机的主机名,而不是IP地址。
You might get a better answer if you ask this question on serverfault.com
如果您在serverfault.com上提出此问题,您可能会得到更好的答案
#3
The SSL certificates are going to be bound to hostname rather than IP if they are setup in the standard way. Hence why it works at one site rather than the other.
如果以标准方式设置SSL证书,它们将绑定到主机名而不是IP。因此,为什么它在一个站点而不是另一个站点工作。
Even if the servers share the same hostname they may well have two different certificates and hence WebSphere will have a certificate trust issue as it won't be able to recognise the certificate on the second server as it is different to the first.
即使服务器共享相同的主机名,它们也可能具有两个不同的证书,因此WebSphere将具有证书信任问题,因为它将无法识别第二台服务器上的证书,因为它与第一台服务器不同。
#1
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.domain.com) or even an IP address, but it usually isn't.
SSL证书绑定到“通用名称”,通常是完全限定的域名,但可以是通配符名称(例如。* .domain.com),甚至是IP地址,但通常不是。
In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial numbers and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.
在您的情况下,您通过主机名访问LDAP服务器,听起来您的两个LDAP服务器安装了不同的SSL证书。您是否能够查看(或下载和查看)SSL证书的详细信息?每个SSL证书都有一个唯一的序列号和指纹,需要匹配。我认为证书被拒绝,因为这些详细信息与证书库中的内容不匹配。
Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.
您的解决方案是确保两台LDAP服务器都安装了相同的SSL证书。
BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
顺便说一句 - 您通常可以通过编辑本地“主机”文件来覆盖工作站上的DNS条目,但我不建议这样做。
#2
Most SSL certificates are bound to the hostname of the machine and not the ip address.
大多数SSL证书都绑定到计算机的主机名,而不是IP地址。
You might get a better answer if you ask this question on serverfault.com
如果您在serverfault.com上提出此问题,您可能会得到更好的答案
#3
The SSL certificates are going to be bound to hostname rather than IP if they are setup in the standard way. Hence why it works at one site rather than the other.
如果以标准方式设置SSL证书,它们将绑定到主机名而不是IP。因此,为什么它在一个站点而不是另一个站点工作。
Even if the servers share the same hostname they may well have two different certificates and hence WebSphere will have a certificate trust issue as it won't be able to recognise the certificate on the second server as it is different to the first.
即使服务器共享相同的主机名,它们也可能具有两个不同的证书,因此WebSphere将具有证书信任问题,因为它将无法识别第二台服务器上的证书,因为它与第一台服务器不同。