WebSphere Application Server & Liberty

  • 1.  Certificate mismatched address error on IHS

    Posted Tue April 03, 2018 12:20 AM

    Hi

    We have the following setup:

    ACE (loadbalancer) - IHS - WAS

    ACE certificate  was signed by the internal CA.

    IHS certificate signed by internal CA.

    ACE certificate imported to IHS kdb as Signer Certificate including root cert.  The default certificate under Personal Certificates is still IHS cert.

    Issue:  When we hit the application via ACE load balancer we get Certificate Error :  Mismatched Address.  The mismatch is between ACE cert and IHS cert.

    Please assist

    Regards,

    Mziwandile



  • 2.  RE: Certificate mismatched address error on IHS

    Posted Tue April 03, 2018 04:04 AM

    It is not clear to me where you get the certificate error? On the ACE or in the browser? Does it work if you access the IHS directly? Which certificate do you get in that case? Does the ACE trust the signer of the certificate sent by the IHS? Does the hostname used to access the IHS from the ACE match the label of certificate?

    What does the SSL configuration on the IHS look like? In your IHS httpd.conf do you have a separate vHost for the SSL configuration or are you using the global SSL config only? You can use the SSLServerCert directive to specify which certificate is sent by the IHS (usually based on the vHost).



  • 3.  RE: Certificate mismatched address error on IHS

    Posted Wed April 04, 2018 07:03 AM

    You need to look in your httpd.conf

    Did you put an SSLServerCert directive for your label?

    This cert for this label must match the ACE cert the serial number

    Use 

    gsk8capicmd -cert -list -db <database name> [-pw <password>]

    Peter T



  • 4.  RE: Certificate mismatched address error on IHS

    Posted Wed April 04, 2018 09:25 AM

    Please clearly explain the load balancing setup between ACE and IHS.

    Are you using ACE load balancer as a pure IP sprayer without doing the SSL offload? In that case when you connect to the application using the ACE IP address or server name the SSL handshake will happen between browser and IHS and IHS will present its certificate where the CN will not match the server name for ACE.

    --Sunit
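
The pass-through case described in the reply above, as an added example that is not part of the original thread: it models which certificate the client receives in each load-balancer mode and applies a hostname check to it. All host names and certificate contents are constructed samples, and the helper names are hypothetical.

```python
# Added illustration; hostnames and certificates below are constructed samples.
from dataclasses import dataclass, field


@dataclass
class Cert:
    cn: str
    san_dns: list = field(default_factory=list)


def label_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative choice: require two fixed labels after the wildcard.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(cert: Cert, host: str) -> bool:
    # SAN dNSName entries take precedence; CN is only a legacy fallback.
    names = cert.san_dns or [cert.cn]
    return any(label_match(n, host) for n in names)


def cert_seen_by_client(mode: str, ace_cert: Cert, ihs_cert: Cert) -> Cert:
    if mode == "passthrough":     # ACE forwards TCP; TLS terminates on IHS
        return ihs_cert
    if mode == "offload":         # ACE terminates TLS itself
        return ace_cert
    raise ValueError(f"unknown mode: {mode}")


def diagnose(url_host: str, mode: str, ace_cert: Cert, ihs_cert: Cert) -> str:
    cert = cert_seen_by_client(mode, ace_cert, ihs_cert)
    return "ok" if cert_covers(cert, url_host) else "mismatched address"


ACE_HOST = "app.example.internal"                  # name users type (constructed)
ACE_CERT = Cert(cn=ACE_HOST, san_dns=[ACE_HOST])
IHS_CERT = Cert(cn="ihs01.example.internal")       # issued for the IHS host name
IHS_CERT_REISSUED = Cert(cn=ACE_HOST, san_dns=[ACE_HOST, "ihs01.example.internal"])

if __name__ == "__main__":
    for mode, ihs in [("passthrough", IHS_CERT), ("offload", IHS_CERT),
                      ("passthrough", IHS_CERT_REISSUED)]:
        print(mode, ihs.cn, "->", diagnose(ACE_HOST, mode, ACE_CERT, ihs))
```

Importing the ACE certificate into the IHS key database as a signer does not change the outcome of this check, because only the certificate the server presents is compared against the requested name.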



  • 5.  RE: Certificate mismatched address error on IHS

    Posted Thu April 05, 2018 03:50 AM

    Thanks guys, it's sorted.  I used the same name in IHS that is used by ACE and the issue was resolved.

    Much appreciated.