Let's say your http_plugin.log contains something like this.
```
Certificate provided by dmgr.example.com:9443 failed the hostname validation checks. Use the information following to help make corrections.
Plugin-cfg.xml values used, Transport hostname: dmgr.example.com, hostalias: dmgr.example.com, GlobalHostAlias: Not provided
Certificate values: PARTNER CERTIFICATE: DN=[CN=websphere.example.com,O=Acme,L=LA,ST=California,C=US], Serial=[48:00:00:04:81:30:f5:96:ee:d4:9c:0c:0e:00:01:00:00:04:81], Issuer=[CN=foo,DC=bar,DC=com]
Certificate values: CN=[was.example.com] SAN_CN=[was.example.com] SAN_IP=[]
```
This probably means you have an IBM IHS HTTP server added to your WebSphere deployment manager, you are using the web server plugin (plugin-cfg.xml), and there is an SSL issue between your IBM IHS HTTP server and WebSphere. Check out my article IBM WebSphere - Getting Started with the web server plugin (plugin-cfg.xml) for more details on the web server plugin.
Notice that in this example, the http_plugin.log has two different hostnames:
- dmgr.example.com
- was.example.com
When you generate the web server plugin configuration file (plugin-cfg.xml), it will contain the hostname and port of one or more of your WebSphere Application Servers. For example, it may contain something like this, which shows that the plugin is configured to communicate with the WebSphere Application Server that has port 12345.
```
<Transport ConnectionTTL="28" Hostname="dmgr.example.com" HostnameAlias="dmgr.example.com" Port="9443" Protocol="https">
  <Property Name="keyring" Value="/opt/WebSphere/Plugins/config/mywebserver/plugin-key.kdb"/>
  <Property Name="stashfile" Value="/opt/WebSphere/Plugins/config/mywebserver/plugin-key.sth"/>
</Transport>
```
For example, in the WebSphere admin console, at Servers > Server Types > WebSphere application servers > your application server > Ports, we can see that the WC_defaulthost_secure port is 9443, the same port in the plugin-cfg.xml file.
In this example, the WC_defaulthost_secure virtual host is using CellDefaultSSLSettings.
Then, if you go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates, you should have a certificate chain containing the root certificate, intermediate certificate, and server certificate being used in the SSL connection from your IBM IHS HTTP web server to WebSphere. Let's say:
- dmgr.example.com is the hostname of your WebSphere deployment manager
- was.example.com is the alias of the server certificate in your CellDefaultKeyStore
When I had this setup, I got this error in http_plugin.log.
```
Certificate provided by dmgr.example.com:9443 failed the hostname validation checks. Use the information following to help make corrections.
```
Of course, it would have been ideal to get the hostname of the deployment manager and the certificate alias to match, and then I'd be good to go. But that wasn't as easy as this quick fix.
In my WebSphere deployment manager, at Servers > Server Types > Web servers > your IBM IHS HTTP web server > Plug-in properties > Custom properties I created a custom property with key GlobalHostAlias and used value was.example.com. I then regenerated and propagated the plugin-cfg.xml file, restarted my IBM IHS HTTP web server, and I no longer had the errors in my logs. Nice!
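The comparison behind this error can be reproduced offline. The following is an added example, not code from the article or from IBM: it parses the http_plugin.log lines quoted above, lists the names the plug-in checked and the names the certificate presented, and shows why adding GlobalHostAlias makes the check pass. The function names and the exact, case-insensitive matching rule are assumptions.

```python
import re

# Constructed sample input: http_plugin.log lines quoted in the article.
SAMPLE_LOG = """\
Certificate provided by dmgr.example.com:9443 failed the hostname validation checks. Use the information following to help make corrections.
Plugin-cfg.xml values used, Transport hostname: dmgr.example.com, hostalias: dmgr.example.com, GlobalHostAlias: Not provided
Certificate values: CN=[was.example.com] SAN_CN=[was.example.com] SAN_IP=[]
"""

FAIL_RE = re.compile(r"Certificate provided by (\S+):(\d+) failed the hostname validation checks")
CFG_RE = re.compile(r"Transport hostname: ([^,]+), hostalias: ([^,]+), GlobalHostAlias: (.+)$")
CERT_RE = re.compile(r"Certificate values: CN=\[([^\]]*)\] SAN_CN=\[([^\]]*)\] SAN_IP=\[([^\]]*)\]")


def _names(*fields):
    """Lower-cased name set. Assumption: values in a field are comma- or space-separated."""
    out = set()
    for field in fields:
        if field.strip().lower() != "not provided":
            out.update(n.lower() for n in re.split(r"[,\s]+", field.strip()) if n)
    return out


def parse_failures(log_text):
    """Return one record per hostname-validation failure found in the log text."""
    failures, current = [], None
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            current = {"endpoint": m.group(1), "port": int(m.group(2)),
                       "configured": set(), "presented": set()}
            failures.append(current)
        elif current is not None and (m := CFG_RE.search(line)):
            current["configured"] = _names(*m.groups())
        elif current is not None and (m := CERT_RE.search(line)):
            current["presented"] = _names(*m.groups())
            current = None  # record complete; the DN line is skipped by CERT_RE
    return failures


def diagnose(failure, global_host_alias=None):
    """Does any configured name equal a certificate name? (Assumed: exact, case-insensitive.)"""
    extra = {global_host_alias.lower()} if global_host_alias else set()
    configured = failure["configured"] | extra
    matched = configured & failure["presented"]
    return {"passes": bool(matched), "matched": sorted(matched)}


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["endpoint"], f["port"], diagnose(f), diagnose(f, "was.example.com"))
```

Because GlobalHostAlias is a single value set on the web server's plug-in properties, reissuing the certificate so its CN or SAN carries the Transport hostname remains the cleaner long-term fix.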