Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-37296

Did KMIP CN requirement change to SAN?

    • Type: Icon: Question Question
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 3.6.6
    • Component/s: None
    • None
    • Security 2018-10-08

      Hello, we're working with a customer trying to close a mongodb enterprise sale. They are connecting to our key management server via KMIP.

       

      Previously (v 3.2), the CN had to exactly match the KMIP hostname specified in the mongo configuration. Now, the error is as follows:

      2018-09-17T17:36:50.040+0800 E STORAGE  [initandlisten] Unable to retrieve key .system, error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: [<hostname>] does not match SAN(s): akm
      

       

      Did the requirement change that the hostname must now be in the subject alternative name? If so when did it change? And can this information be documented in the KMIP docs?

       

      If the requirement did not change and the CN already matches the hostname, what would cause it to reject the SAN?

       

      I'm supposed to tag Kenn White on this issue, but see no way to do that.

       

      Thank you,

      Nick

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            nicholasbayle Nicholas Bayle
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: