Created 01-19-2018 05:17 AM
Issue with Ranger Admin SSL with an internal CA and SAN entries, where the CN is not the FQDN of the Ranger host; the SAN entry contains the Ranger Admin host entry.
Ranger Admin is stuck at:
2018-01-19 05:05:15,951 [alpha1.openstacklocal-startStop-1] DEBUG org.apache.ranger.biz.ServiceDBStore (ServiceDBStore.java:341) - <== ServiceDefDBStore.initStore()
2018-01-19 05:05:16,244 [alpha1.openstacklocal-startStop-1] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:66) - AjaxAwareAuthenticationEntryPoint(): constructor
2018-01-19 05:05:16,350 [alpha1.openstacklocal-startStop-1] INFO apache.ranger.security.web.filter.RangerCSRFPreventionFilter (RangerCSRFPreventionFilter.java:81) - Adding cross-site request forgery (CSRF) protection
So, for Ranger Admin, is it necessary to have the CN as the FQDN of the Ranger Admin host?
SAN entries are checked before the CN entry, right?
I think this is what you want to know:
When browsers connect to your server using HTTPS, they check to make sure your SSL Certificate matches the host name in the address bar.
There are three ways for browsers to find a match:
If I get it right, Ranger Admin can't connect to the Ranger backend (database?) after you connected to the Ranger UI? In this second case it is possible that the Ranger UI (or the Apache server running it) simply doesn't use the SAN information, as this is something that the client/initiator of the connection (normally the browser in HTTPS) validates.
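Added example, not part of the original posts and not Ranger's own code: a small matcher that follows the RFC 2818 / RFC 6125 rule for the client side of HTTPS, where dNSName SAN entries are checked first and the CN is consulted only when the certificate carries no dNSName SAN at all. The certificate dictionaries and host names are constructed placeholders, and whether a particular client follows this rule is an assumption to verify per client.

```python
# Added illustration of RFC 2818 / RFC 6125 host name matching on constructed data.

def _name_matches(pattern, host):
    """Compare one certificate DNS name with the requested host, label by label.
    A wildcard is honoured only as the complete left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # "*" never spans more or fewer than one label
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.internal").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_hostname(cert, host):
    """Return (matched, source) for cert = {"cn": str or None, "san_dns": [str, ...]}.
    If any dNSName SAN is present, the CN is ignored entirely."""
    sans = cert.get("san_dns") or []
    if sans:
        return any(_name_matches(s, host) for s in sans), "san"
    cn = cert.get("cn")
    if cn:
        return _name_matches(cn, host), "cn"   # legacy fallback, no SAN present
    return False, "none"


# Constructed certificates; "ranger.example.internal" is a placeholder host name.
CERT_SAN_HAS_HOST = {"cn": "internal-service",
                     "san_dns": ["ranger.example.internal", "ranger"]}
CERT_CN_ONLY = {"cn": "ranger.example.internal", "san_dns": []}
CERT_SAN_WITHOUT_HOST = {"cn": "ranger.example.internal",
                         "san_dns": ["other.example.internal"]}
CERT_WILDCARD = {"cn": None, "san_dns": ["*.example.internal"]}

if __name__ == "__main__":
    host = "ranger.example.internal"
    for label, cert in [("CN is not the FQDN, SAN lists host", CERT_SAN_HAS_HOST),
                        ("CN only", CERT_CN_ONLY),
                        ("CN is the FQDN, SAN omits host", CERT_SAN_WITHOUT_HOST),
                        ("wildcard SAN", CERT_WILDCARD)]:
        print(label, "->", verify_hostname(cert, host))
```

The third case is the one that surprises people: a CN equal to the FQDN does not help once the certificate has dNSName SAN entries that omit the host.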