It is not so rare to see customers facing the SSSLERR_SERVER_CERT_MISMATCH error in their Webdispatcher/ICM traces. Therefore, I’ll clarify better regarding such error.

The SSSLERR_SERVER_CERT_MISMATCH error means that the server is using a certificate where the CN part does not matches the hostname of URL server that client is trying to access. For a correct setup, the certificate CN and the host being accessed must match.

Whenever increasing the ICM/Webdispatcher trace level to 2, we’ll be able to see a more detailed information, such as:

[Thr XXXX]   MatchTargetName(<your FQDN>, CN=<your certificate CN>) MISmatch

Therefore, the solution is:

Either ensure that the server’s FQDN is correctly set or create a SSL Certificate where the CN matches it.

An workaround when using a webdispatcher is to set the following parameter to ignore this mismatch:

wdisp/ssl_ignore_host_mismatch = 1

NOTE: The wdisp/ssl_ignore_host_mismatch = 1 will ignore the mismatch error, but it will not solve it. Therefore, the error message will still be visible in the traces, but the system will not stop the communication because of the error.

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

    1. Guilherme Limongi de Oliveira Post author

      Hello Parag,

       

      There is no parameter in the ICM layer that can bypass the mismatch issue. You can also refer to SAP Note 1318906 for further information on how to proceed then.

       

      Best Regards,
      Guilherme de Oliveira

      (0) 

Leave a Reply