IBM Support

IT43418: ENABLE TLS HOSTNAME CHECKING IN ACE TOOLKIT


APAR status

  • Closed as new function.

Error description

  • Connecting to an integration node that has SSL enabled and a
    proper TLS certificate works as expected through the ACE Toolkit
    when the address used is listed in the SAN field of the
    certificate. However, when a different address (such as an IP
    address) that is not in the SAN field of the certificate is used
    to connect to this node, the connection still works without
    warning.
    
    The ACE Toolkit is not throwing a warning that the cert
    presented by the SSL Server is not for the address called.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of App Connect Enterprise V12 which enables hostname
    checking in the toolkit when connecting to an integration node
    by setting the JVM system property com.ibm.iapi.hostcheck in the
    eclipse.ini file.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Connecting to an integration node that has SSL enabled and a
    proper TLS certificate works as expected through the ACE Toolkit
    when the address used is listed in the SAN field of the
    certificate. However, when a different address (for example, an
    IP address) that is not in the SAN field of the certificate is
    used to connect to the Integration Node, the connection still
    works without warning.
    
    The ACE Toolkit is not throwing a warning that the certificate
    presented by the SSL Server is not for the address called.
    

Problem conclusion

  • The product has been modified so that hostname checking is
    enabled in the toolkit. When a user tries to connect to an
    integration node that has SSL enabled using a different address
    (for example, an IP address) that is not present in the SAN
    field of the certificate, the toolkit will now throw a warning
    that the certificate presented by the SSL Server is not for the
    address called.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v12.0      12.0.9.0
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
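
The check described above, as an added example that is not IBM's code and not part of the original APAR: the address used for the connection must be covered by the certificate's SAN entries. The SAN list is constructed sample data in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the function names are hypothetical, and the wildcard handling goes beyond the APAR text and follows the common leftmost-label rule as an assumption.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for
# "subjectAltName"; names and addresses are made up for this example.
SAMPLE_SAN = (
    ("DNS", "acenode.example.com"),
    ("DNS", "*.int.example.com"),
    ("IP Address", "192.0.2.10"),
)


def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Match one dNSName entry; a wildcard covers only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def address_in_san(address, san):
    """True if the address used for the connection is covered by the SAN list."""
    ip = _as_ip(address)
    for kind, value in san:
        if ip is not None:
            # IP literals are compared only against iPAddress entries.
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, address):
            return True
    return False


if __name__ == "__main__":
    for addr in ("acenode.example.com", "192.0.2.10", "192.0.2.99"):
        print(addr, "covered" if address_in_san(addr, SAMPLE_SAN) else "NOT in SAN")
```

An IP address that appears only as a dNSName entry is deliberately not accepted, so a connection by IP address passes only when the certificate carries a matching iPAddress SAN.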
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT43418

  • Reported component name

    APP CONN ENT TL

  • Reported component ID

    5724J0561

  • Reported release

    C00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-03-23

  • Closed date

    2023-06-28

  • Last modified date

    2023-06-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    APP CONN ENT TL

  • Fixed component ID

    5724J0561

Applicable component levels


Document Information

Modified date:
29 June 2023