Obtain the server certificate DN value

The ssl-valid-server-dn entry in the [dsess-cluster] stanza of the WebSEAL configuration file must be set to the DN of the server certificate that the distributed session cache presents when it communicates with WebSEAL.

We can obtain the DN value from the distributed session cache administrator directly.

Alternatively, we can indirectly determine the value by performing the following procedure:

Steps

  1. Enable the distributed session cache for WebSEAL:
    [session]
    dsess-enabled = yes

  2. Ensure the distributed session cache is configured for SSL. The URL to the distributed session cache must use the HTTPS protocol:
    [dsess-cluster]
    server = https://server/DSess/services/DSess

  3. Follow the procedures for configuring the ssl-keyfile, ssl-keyfile-stash, and ssl-keyfile-label stanza entries in the [dsess-cluster] stanza of the WebSEAL configuration file. See Configure the WebSEAL key database.

  4. Enter a test value for the ssl-valid-server-dn stanza entry. For example:
    [dsess-cluster]
    ssl-valid-server-dn = test

  5. Restart the WebSEAL server.

  6. Because the test value does not match the certificate, WebSEAL returns the following error message:
    The DN contained within the server certificate, <DN>, is not a configured DN.

    The DN listed in the message is the DN of the certificate presented by the distributed session cache.

    Use this value to correctly specify the value for the ssl-valid-server-dn stanza entry.

  7. To verify that WebSEAL is communicating with the correct SSL server, confirm with the distributed session cache administrator that the DN returned in the error message is the expected one.

    Once we are sure we have the right value for the DN of the distributed session cache server certificate, use that DN for the value of the ssl-valid-server-dn stanza entry.
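The following Python script is an added example, not part of the WebSEAL product or this procedure. It pulls the DN out of the error message from step 6 and checks it against the DN the distributed session cache administrator confirmed in step 7, so that only a confirmed value is written into the stanza entry. The log line layout and the DN are constructed for the example; only the error message wording comes from the procedure above.

```python
import re

# Wording of the WebSEAL error message from step 6; the DN sits between the
# two commas that surround it. Non-greedy match stops at ", is not a configured DN."
DN_ERROR_RE = re.compile(
    r"The DN contained within the server certificate, (?P<dn>.+?), is not a configured DN\."
)

# Constructed sample log lines (timestamp layout and DN are made up for this example).
SAMPLE_LOG = """\
2024-01-10-09:15:02 WebSEAL starting
2024-01-10-09:15:03 The DN contained within the server certificate, CN=dsess.example.com,OU=Security,O=Example Corp,C=US, is not a configured DN.
2024-01-10-09:15:03 DSess cluster connection failed
"""


def presented_dns(log_text):
    """Return every DN that WebSEAL reported as presented but not configured."""
    return [m.group("dn") for m in DN_ERROR_RE.finditer(log_text)]


def normalize_dn(dn):
    """Canonicalise a DN for comparison: split on unescaped commas, trim the
    whitespace around each RDN, upper-case the attribute type, and keep the
    RDN order. Attribute values are compared case-sensitively."""
    rdns = re.split(r"(?<!\\),", dn)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def dn_matches(reported_dn, expected_dn):
    """True only when the DN from the error message equals the DN that the
    distributed session cache administrator confirmed out of band (step 7)."""
    return normalize_dn(reported_dn) == normalize_dn(expected_dn)


def stanza_entry(reported_dn, expected_dn):
    """Render the [dsess-cluster] entry only for a DN that passed the check;
    raise otherwise so an unconfirmed DN is never written into the stanza."""
    if not dn_matches(reported_dn, expected_dn):
        raise ValueError(f"reported DN {reported_dn!r} was not confirmed")
    return f"[dsess-cluster]\nssl-valid-server-dn = {reported_dn}"
```

Feed the WebSEAL log text to `presented_dns` and the administrator-supplied DN to `stanza_entry`; a mismatch raises instead of producing a stanza entry.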
