KB Article #178403
DNUSER expression doesn’t match with user DN
Problem
The following scenario:
The Gateway changed its user certificate; the root and intermediate certificates are unchanged.
The transfer from the Gateway to CFT does not work.
When the Gateway tries to send a file to the CFT the following message appears in the CFT log:
CFTY20I PROT=PROTSSL_PART SSL=MYPART _SERVER opening server session CTX=20009b on task PID=6776
CFTY25I CTX=20009b remote address HOST=xxx.xxx.xxx.xxx
CFTY24I CTX=20009b Server certificate ID=AB ROOT=CERTIF_ROOT
CFTY18E CTX=20009b CFTSSL= MYPART_S DNUSER expression doesn’t match with user DN
CFTY18E CTX=20009b INTERNAL PKI ERROR PHASE=CHKCERT REASON=49
CFTY18E CTX=20009b ACCESS DENIED: DNUSER=(“CFT1.DOMAIN.COM”) (found
CFTY18E /C=LU/ST=LUXEMBOURG/L=LUXEMBOURG/O=MYPART COMPANY/OU=GOS/CN=CFT.DOMAIN.COM)
CFTY18E CTX=20009b Check_Certificate error
…
Resolution
In the log there is this message: “DNUSER expression doesn’t match with user DN”.
In the CFT Transport Security Profile of type SERVER you can specify the DNUSER and DNISSUER parameters. Because the user certificate changed on the partner side, the user DN has changed.
As the example log shows, the DNUSER parameter in the CFT Transport Security Profile of type SERVER is set to CFT1.DOMAIN.COM, but the remote certificate contains CFT.DOMAIN.COM.
To solve the issue, set DNUSER in the CFT Transport Security Profile of type SERVER to the value that the partner now uses. In the current example it is CFT.DOMAIN.COM.
Restart CFT so that the change is taken into account.
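To see which DN the partner now presents, the ACCESS DENIED message can be extracted from the CFT log and set beside the configured DNUSER value. The following Python script is an added example, not part of the original article or of CFT; it assumes the log layout shown in the excerpt above (with the found DN wrapping onto the next line), and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines from the log excerpt in this article.
SAMPLE_LOG = """\
CFTY18E CTX=20009b INTERNAL PKI ERROR PHASE=CHKCERT REASON=49
CFTY18E CTX=20009b ACCESS DENIED: DNUSER=("CFT1.DOMAIN.COM") (found
CFTY18E /C=LU/ST=LUXEMBOURG/L=LUXEMBOURG/O=MYPART COMPANY/OU=GOS/CN=CFT.DOMAIN.COM)
CFTY18E CTX=20009b Check_Certificate error
"""

# Accept straight or typographic quotes around the DNUSER expression.
DENIED = re.compile(
    r'CTX=(\S+) ACCESS DENIED: DNUSER=\(["\u201c](.*?)["\u201d]\) \(found\s*(.*)')

def parse_dn(dn):
    """Split a /K=V/K=V subject DN into ordered (attribute, value) pairs.
    Assumes attribute values contain no '/' characters."""
    return [tuple(p.split("=", 1)) for p in dn.strip("/").split("/") if "=" in p]

def find_dnuser_mismatches(log_text):
    """Return one record per ACCESS DENIED event found in the log text."""
    lines = log_text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = DENIED.search(line)
        if not m:
            continue
        ctx, configured, found = m.groups()
        # In the sample the found DN wraps onto the next log line: rejoin it.
        if not found.rstrip().endswith(")") and i + 1 < len(lines):
            found += lines[i + 1].partition(" ")[2]
        dn = parse_dn(found.strip().rstrip(")"))
        values = [v for _, v in dn]
        events.append({
            "ctx": ctx,
            "configured_dnuser": configured,
            "presented_dn": dn,
            "presented_cn": dict(dn).get("CN"),
            # Plain string comparison only, not CFT's own DNUSER evaluation.
            "configured_value_in_dn": configured in values,
        })
    return events

if __name__ == "__main__":
    for e in find_dnuser_mismatches(SAMPLE_LOG):
        print(f"CTX={e['ctx']}: profile has DNUSER={e['configured_dnuser']!r}, "
              f"partner presented CN={e['presented_cn']!r}")
```

Before updating the profile, confirm with the partner that the presented certificate is the intended replacement.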