Option to skip DNS name verify in cert refresh

servers/zts/conf/zts.properties

@@ -383,3 +383,11 @@ athenz.zts.cert_signer_factory_class=com.yahoo.athenz.zts.cert.impl.SelfCertSign
 # is valid before returning it to the caller. The default value
 # is the recommended query for the Mysql/J Connector
 #athenz.db.pool_validation_query=/* ping */ SELECT 1
+
+# During certificate refresh operation, the server retrieves the
+# certificate that was used for authentication and verifies that
+# the dns names in the certificate match to the values specified
+# in the CSR. Since the provider is responsible for validating
+# the SAN DNS entries, this can be configured as an optional check
+# and can be skipped.
+#athenz.zts.cert_refresh_verify_hostnames=true

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java

@@ -55,7 +55,7 @@ public final class ZTSConsts {
 
     public static final String ZTS_PROP_CERT_REFRESH_IP_FNAME  = "athenz.zts.cert_refresh_ip_fname";
     public static final String ZTS_PROP_INSTANCE_CERT_IP_FNAME = "athenz.zts.instance_cert_ip_fname";
-    
+
     public static final String ZTS_PROP_CERTSIGN_BASE_URI        = "athenz.zts.certsign_base_uri";
     public static final String ZTS_PROP_CERTSIGN_REQUEST_TIMEOUT = "athenz.zts.certsign_request_timeout";
     public static final String ZTS_PROP_CERTSIGN_CONNECT_TIMEOUT = "athenz.zts.certsign_connect_timeout";
@@ -74,7 +74,8 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_SELF_SIGNER_PRIVATE_KEY_PASSWORD = "athenz.zts.self_signer_private_key_password";
     public static final String ZTS_PROP_SELF_SIGNER_CERT_DN              = "athenz.zts.self_signer_cert_dn";
     public static final String ZTS_PROP_OSTK_HOST_SIGNER_SERVICE         = "athenz.zts.ostk_host_signer_service";
-
+    public static final String ZTS_PROP_CERT_REFRESH_VERIFY_HOSTNAMES    = "athenz.zts.cert_refresh_verify_hostnames";
+
     public static final String ZTS_PROP_CERT_JDBC_STORE              = "athenz.zts.cert_jdbc_store";
     public static final String ZTS_PROP_CERT_JDBC_USER               = "athenz.zts.cert_jdbc_user";
     public static final String ZTS_PROP_CERT_JDBC_PASSWORD           = "athenz.zts.cert_jdbc_password";

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -123,6 +123,7 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
     protected Status successServerStatus = null;
     protected boolean includeRoleCompleteFlag = true;
     protected boolean readOnlyMode = false;
+    protected boolean verifyCertRefreshHostnames = true;
 
     private static final String TYPE_DOMAIN_NAME = "DomainName";
     private static final String TYPE_SIMPLE_NAME = "SimpleName";
@@ -300,7 +301,7 @@ void loadConfigurationSettings() {
 
         statusCertSigner = Boolean.parseBoolean(
                 System.getProperty(ZTSConsts.ZTS_PROP_STATUS_CERT_SIGNER, "false"));
-        
+
         // check to see if we want to disable allowing clients to ask for role
         // tokens without role name thus violating the least privilege principle
 
@@ -389,6 +390,12 @@ void loadConfigurationSettings() {
 
         readOnlyMode = Boolean.parseBoolean(
                 System.getProperty(ZTSConsts.ZTS_PROP_READ_ONLY_MODE, "false"));
+
+        // configure if during certificate refresh we should validate that
+        // the csr and cert contain the exact same set
+
+        verifyCertRefreshHostnames = Boolean.parseBoolean(
+                System.getProperty(ZTSConsts.ZTS_PROP_CERT_REFRESH_VERIFY_HOSTNAMES, "true"));
     }
 
     static String getServerHostName() {
@@ -2025,10 +2032,12 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
 
         // retrieve the certificate that was used for authentication
         // and verify that the dns names in the certificate match to
-        // the values specified in the CSR
-
+        // the values specified in the CSR. Since the provider is
+        // responsible for validating the SAN DNS entries, this is
+        // configured as an optional check and can be skipped.
+
         X509Certificate cert = principal.getX509Certificate();
-        if (!certReq.compareDnsNames(cert)) {
+        if (verifyCertRefreshHostnames && !certReq.compareDnsNames(cert)) {
             throw requestError("dnsName attribute mismatch in CSR", caller, domain);
         }