Common Name in Server certificate not valid
Summary: Error, "Common Name in Server (or Client) certificate not valid."
Symptoms
Err Msg: nilClientSecureModeS Common Name in server certificate not valid: expected 'Name1', received 'Name2'
Err Msg: ANR0151E Common Name in client certificate not valid: expected 'Name1', received 'Name2'
SYMAPI Client CLI: The remote client/server handshake failed. Please consult symapi and storsrvd log files (symapi.YYYYMMDD.log)
SYMAPI Server Log: ANR0151E (storsrvd.log0)
Cause
Solutions Enabler installs self-signed SSL certificates by default on both client and server hosts to secure SSL connections. By default, SYMAPI creates a self-signed certificate containing the host's hostname during installation. When the SYMAPI server is configured to verify the client certificate on a SECURE SYMAPI connection, each side performs a reverse DNS lookup of the other side's IP address. If there is a DNS problem on either side, the lookup returns the bare IP address or an incorrect hostname, which does not match the Common Name in the certificate. The handshake fails and the connection is not established.
You can check the hostname in the SYMAPI certificate by running the "manage_server_cert list" command from the ../SYMAPI/config/cert directory. If the name returned by DNS does not match the name in the certificate, this issue occurs.
Resolution
Workaround:
- Review symapi.log and storsrvd.log on both the SYMAPI client and the server to determine which side's certificate has the issue and what the expected certificate name is.
- Check that a DNS reverse lookup (nslookup) works in both directions, from the client to the server and from the server to the client. Name resolution must work in both directions for secure communications.
- Check the certificate on both server and client to validate that the names contained in the certificate are hostnames known to DNS. To do this, navigate to the cert directory and run the command "manage_server_cert list":
  - On Windows: C:\Program Files\EMC\SYMAPI\config\cert
  - On Linux: /var/symapi/config/cert
- Issue the command "hostname". If its output does not match the value in the "manage_server_cert list" output, the certificate must be updated. To update the certificate, issue the command:
  manage_server_cert create <hostname>
  When prompted, the default lockbox password is <hostname>@SELockbox1
- If DNS does not have a reverse lookup entry, DNS must be updated. Add a PTR (reverse lookup) entry so that the IP address reverse-resolves to the expected hostname, then flush the DNS cache on both the DNS server and the client. If DNS cannot be updated, the hosts file can be edited manually on the client or the server to resolve the hostnames:
  - Linux: /etc/hosts
  - Windows: %SystemRoot%\System32\drivers\etc\hosts
Additional Information
This error does not apply when SYMAPI_SERVER_SECURITY_LEVEL = NONSECURE.
The client certificate error does not apply when storsrvd:security_clt_secure_lvl = NOVERIFY.
Refer to the Solutions Enabler Installation Guide, "Remote Operation - Client/server security," and "SYMAPI Server Daemon Messages."
DNS issue: an nslookup of the server is performed each time a command is run on the client. If two or more A records exist, certificates can be rejected every other time a command is run despite an otherwise correct configuration. Limiting the A records for a given IP to a total of 1 should resolve the issue. Even configuring multiple FQDNs in the certificate with the manage_server_cert script's "-san" option may not help.
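The name checks in the workaround above and the multiple-A-record condition just described can be pre-screened before touching the certificate. The POSIX shell functions below are an added example, not part of this article or of Solutions Enabler: they compare the hostname a certificate expects against the result of a reverse lookup (distinguishing a wrong name from a missing PTR record that yields the bare IP address) and count A records in dig-style answer lines. The hostnames, addresses and record lines used are constructed sample values, so the script runs without network access; in practice you would feed it the output of your own nslookup or dig runs.

```shell
#!/bin/sh
# Added example (not from the article): offline pre-checks for the
# "Common Name in certificate not valid" condition.
set -e

# Normalise a DNS name for comparison: drop a trailing dot, lower-case it.
norm_name() {
  printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# Compare the name the certificate expects ($1) with what reverse DNS
# returned for the peer's IP address ($2).
# Prints a diagnosis and returns 0 (match), 1 (wrong name), 2 (no PTR record).
check_cn_vs_ptr() {
  expected=$(norm_name "$1")
  returned=$(norm_name "$2")
  # A reverse lookup with no PTR record typically yields the bare IP address,
  # which is the first failure mode the article describes.
  case "$returned" in
    *[!0-9.]*) ;;   # contains something other than digits and dots: a name
    *)
      echo "no PTR record: reverse lookup returned the IP address '$returned'"
      return 2 ;;
  esac
  if [ "$expected" = "$returned" ]; then
    echo "match"
    return 0
  fi
  echo "mismatch: certificate expects '$expected', reverse DNS returned '$returned'"
  return 1
}

# Count A records in dig-style answer lines read from stdin
# ("name TTL IN A address"). More than one A record is the flapping
# condition described under "DNS issue"; AAAA and other types are ignored.
count_a_records() {
  awk '$4 == "A" { n++ } END { print n + 0 }'
}

# Constructed sample data standing in for real lookup output.
SAMPLE_DIG_ANSWER='symhost1.example.com.  300  IN  A     10.0.0.5
symhost1.example.com.  300  IN  A     10.0.0.6
symhost1.example.com.  300  IN  AAAA  2001:db8::5'

# Demonstration on the constructed values.
if check_cn_vs_ptr 'symhost1.example.com' 'SYMHOST1.example.com.'; then :; fi
if check_cn_vs_ptr 'symhost1.example.com' 'symhost1.lab.example.com.'; then :; fi
if check_cn_vs_ptr 'symhost1.example.com' '10.0.0.5'; then :; fi
printf 'A records for symhost1: %s\n' "$(printf '%s\n' "$SAMPLE_DIG_ANSWER" | count_a_records)"
```

A return code of 1 points at the certificate or the PTR data (compare against "manage_server_cert list" and "hostname"), a return code of 2 at a missing reverse entry, and an A-record count above 1 at the intermittent rejection described under "DNS issue".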