KB Article #178403

DNUSER expression doesn’t match with user DN

Problem

The following scenario:

The Gateway changed its user certificate; the root and intermediate certificates are unchanged.

Transfers from the Gateway to CFT do not work.

When the Gateway tries to send a file to CFT, the following messages appear in the CFT log:

CFTY20I PROT=PROTSSL_PART SSL=MYPART _SERVER opening server session CTX=20009b on task PID=6776

CFTY25I CTX=20009b remote address HOST=xxx.xxx.xxx.xxx

CFTY24I CTX=20009b Server certificate ID=AB ROOT=CERTIF_ROOT

CFTY18E CTX=20009b CFTSSL= MYPART_S DNUSER expression doesn’t match with user DN

CFTY18E CTX=20009b INTERNAL PKI ERROR PHASE=CHKCERT REASON=49

CFTY18E CTX=20009b ACCESS DENIED: DNUSER=(“CFT1.DOMAIN.COM”) (found

CFTY18E /C=LU/ST=LUXEMBOURG/L=LUXEMBOURG/O=MYPART COMPANY/OU=GOS/CN=CFT.DOMAIN.COM)

CFTY18E CTX=20009b Check_Certificate error

Resolution

In the log there is this message: “DNUSER expression doesn’t match with user DN”.

In a CFT Transport Security Profile of type SERVER you can specify DNUSER and DNISSUER. Because the user certificate changed on the partner side, the DNUSER has changed.

As the example log shows, the DNUSER parameter of the Transport Security Profile of type SERVER in CFT is set to CFT1.DOMAIN.COM, but the remote certificate contains CFT.DOMAIN.COM.

To solve the issue, set DNUSER in the CFT Transport Security Profile of type SERVER to the value that the partner uses now. In the current example it is CFT.DOMAIN.COM.

Restart CFT so that the changes are taken into account.
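
To read the configured DNUSER value and the DN the partner actually presented straight out of a CFT log, the ACCESS DENIED entry can be parsed as below. This is an added example, not part of the original article or of CFT. It assumes the CFTY18E line layout shown in the log above (including the DN wrapping onto the next line) and, as in this article's example, that the value to put in DNUSER is the certificate's CN; the function names are hypothetical.

```python
import re

# Constructed sample input: the CFTY18E lines quoted in the log above.
SAMPLE_LOG = """\
CFTY18E CTX=20009b CFTSSL= MYPART_S DNUSER expression doesn’t match with user DN
CFTY18E CTX=20009b INTERNAL PKI ERROR PHASE=CHKCERT REASON=49
CFTY18E CTX=20009b ACCESS DENIED: DNUSER=(“CFT1.DOMAIN.COM”) (found
CFTY18E /C=LU/ST=LUXEMBOURG/L=LUXEMBOURG/O=MYPART COMPANY/OU=GOS/CN=CFT.DOMAIN.COM)
CFTY18E CTX=20009b Check_Certificate error
"""

DENIED = re.compile(r"CTX=(\S+) ACCESS DENIED: DNUSER=\((.*?)\)\s*\(found\s*(.*)")
RDN = re.compile(r"/([A-Za-z]+)=([^/]*)")


def parse_dn(dn):
    """Split a slash-separated DN, as printed in the log, into (attribute, value) pairs."""
    return [(k.upper(), v.strip()) for k, v in RDN.findall(dn)]


def dnuser_mismatches(log_text):
    """Return one record per ACCESS DENIED entry: configured DNUSER vs presented DN."""
    records, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        m = DENIED.search(line)
        if not m:
            continue
        ctx, configured, found = m.groups()
        # The presented DN wraps onto the following message lines until ")" closes it.
        j = i + 1
        while ")" not in found and j < len(lines):
            found += lines[j].split(" ", 1)[-1]  # drop the message-id prefix
            j += 1
        found = found.split(")", 1)[0].strip()
        records.append({
            "ctx": ctx,
            "configured": configured.strip("\"“” "),  # straight or curly quotes
            "found_dn": found,
            "found_cn": dict(parse_dn(found)).get("CN"),
        })
    return records


if __name__ == "__main__":
    for r in dnuser_mismatches(SAMPLE_LOG):
        print(f"CTX={r['ctx']}: DNUSER is {r['configured']!r}, "
              f"partner certificate presents CN={r['found_cn']!r} ({r['found_dn']})")
```

Before changing DNUSER to the reported value, confirm with the partner that the new certificate is the one they intended to deploy, since DNUSER is the control that restricts which certificate subject the SERVER profile accepts.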