[OPENAM-14862] Need a warning about Configuring CTS in Admin Console

Created: 02/May/19  Updated: 11/Sep/19  Resolved: 13/May/19

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 6.5.1, 7.0.0
Fix Version/s: 6.5.2, 5.5.2, 7.0.0

Type: Bug Priority: Minor
Reporter: William Hepler Assignee: Cristina Herraz
Resolution: Fixed Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

AM 6.5.1

Rank: 1|hzkh47:
Sprint: AM 2019.7 - Lighthouse
Story Points: 0.5
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
No (add reasons in the comment)


Bug description


This section needs a strong warning, that if you configure this incorrectly, you will be unable to access the AM console. 

How to reproduce the issue


  1. It should be assumed, but we need to warn that if using LDAPS to configure certificates, the certificate must match the hostname
  2. Bind Account should be checked as well

Expected behaviour

Documentation may want to warn to have a backup available.

Current behaviour

Multiple customers getting stuck with no console access

Work around

Edit dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig

in the configuration store to remove the improper configurations



Comment by Cristina Herraz [ 03/May/19 ]

The certificate should match the FQDN of the CTS store exactly, I think. No *.example.com, etc. Can you confirm, William Hepler?

Comment by William Hepler [ 03/May/19 ]

I believe there is a hostname match that happens now. A wildcard cert, I'm not sure; we don't mention it in the two links:

One step in verifying the certificate's validity is checking that the subject's FQDN matches the FQDN obtained from DNS.
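
A pre-flight check for the hostname match discussed in this ticket, run before the CTS host is saved in the console (an added example, not part of the ticket or of AM's code). The host names and certificate dicts are constructed, and the CN fallback and single-label wildcard rule are assumptions based on common RFC 6125-style matching, not confirmed AM behaviour.

```python
import socket
import ssl

def cert_names(peercert):
    """DNS names from an ssl.getpeercert()-style dict (SAN first, CN as fallback)."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # assumption: CN is consulted only when no DNS SAN exists
        names = [v for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def _wildcard_match(pattern, host):
    # Assumed rule: '*' must be the whole left-most label and covers one label.
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and len(p) > 2 and p[0] == "*" and p[1:] == h[1:]

def check_cts_cert(peercert, configured_host):
    """Classify the cert against the host name that will be entered for the CTS store."""
    host = configured_host.lower().rstrip(".")
    names = cert_names(peercert)
    if host in names:
        return "exact"
    if any(_wildcard_match(n, host) for n in names):
        return "wildcard-only"  # wildcard handling is unconfirmed in the ticket: review
    return "mismatch"

def fetch_peercert(host, port, cafile):
    """Fetch the LDAPS server certificate. The chain is still verified against
    cafile; only the built-in name check is off so the names can be reported."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in the shape ssl.getpeercert() returns.
SAMPLES = {
    "fqdn": {"subjectAltName": (("DNS", "cts1.example.com"),)},
    "wildcard": {"subjectAltName": (("DNS", "*.example.com"),)},
    "other-host": {"subjectAltName": (("DNS", "ds.internal.example"),)},
    "cn-only": {"subject": ((("commonName", "cts1.example.com"),),)},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(label, check_cts_cert(cert, "cts1.example.com"))
```

Anything other than `exact` is a reason to stop and take the backup mentioned above before saving the CTS settings; the bind account still needs its own check.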


Comment by Cristina Herraz [ 13/May/19 ]

Fixed in master and backported up to 5.5.x
