In the default TLS configuration, each connection includes a server name check to verify that the host name in the TLS certificate of the node to which an LDAPS connection is made matches the host name of the target LDAP server. Here are three ways for that check to work:

• the subject in the certificate matches the host name of the LDAP server node
• the Subject Alternative Names (SAN) in the certificate contains the host name of the LDAP server node
• the subject or SAN contains a wildcard, which allows for any host name in the specified domain

In some cases, you might want to disable the name check verification step until you are able to implement one of the above solutions. To disable this step, set the Java option com.sun.jndi.ldap.object.disableEndpointIdentification=true. Here are the steps.

1. Sign in as an administrator to SAS^® Environment Manager.
2. Click Yes to the prompt to opt in to the assumable groups.
3. Select Configuration from the left navigation menu.
4. Select View  ► All Services.
5. Click Identities Service.
6. Click the Edit button for the JVM section, then + Add property.
   Name the property: java_option_ldaps_disablenamecheck
   Set the property to: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
7. Perform steps 4-6 for SAS Logon Manager.
8. Restart the two services.
   For SAS^® Viya^® 3.x, issue sudo service sas-viya-service-name-default restart. Substitute the correct service name.
   For SAS^® Viya^® 2020.1 and later versions, delete the Kubernetes pod.

Note that the name of the new property is arbitrary, although it must begin with "java_option".

Refer to the following documentation for more information:

• SAS Viya 3.x: Java Virtual Machine (JVM) in SAS^® Viya^® 3.x Administration: Configuration Properties
• SAS Viya 2020.1 and later: Java Virtual Machine (JVM) in SAS^® Viya^® Administration: Configuration Reference

Operating System and Release Information