Best practices for Server Identity Validation

Last Updated : Jun 05, 2026

1. Enable Server Identity Validation

To avoid man-in-the-middle (MITM) attacks, it is strongly recommended to enable Server Identity Validation whenever Experience Portal components use TLS connections to external servers.

Note:

Server Identity Validation is a global setting that applies to the entire Experience Portal system. Disabling it temporarily is a good approach to avoid interruption of services: services may be interrupted if some external servers still present otherwise valid certificates that lack a valid Common Name or Subject Alternate Name. Contact the vendors of those external servers to have their certificates corrected.

2. Identity certificate requirement of external servers

For Experience Portal to successfully validate an external server's identity, the identity certificates of the external servers must have the following attributes:

  • A valid Subject Common Name that represents the external server's fully qualified hostname.

  • The X509 V3 Subject Alternate Name (SAN) extension must include valid DNS and IP Address entries that correspond to the external server's domain name and actual IP address.

    Note:
    • For the Speech server, SIP Proxy server, and Application server, a SAN extension with both valid DNS and IP Address entries is required to pass Server Identity Validation.

    • The DNS entry in the Subject Alternate Name extension can contain the wildcard * (asterisk) character, which matches any single domain name component or a fragment of a component. For example, *.avaya.com matches ep.avaya.com but not bar.ep.avaya.com, and e*.com matches ep.com but not bar.com.

    • A wildcard in the DNS entry is not valid for the SIP server.
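The requirements in section 2, expressed as an added illustrative checker. This is example code written for this page, not Experience Portal's own validation logic. It represents a certificate as a plain dictionary with `subject_cn`, `san_dns` and `san_ip` fields (constructed sample data, not a parsed X.509 object), compares the Subject Common Name to the hostname by exact match, applies the DNS-plus-IP SAN requirement to every server type, and implements the wildcard rule exactly as the note above describes: `*` stands in for one domain name component or a fragment of one and never spans a dot. The server-type strings and the 192.0.2.x addresses are assumptions.

```python
"""Illustrative Server Identity Validation checks (added example, not product code).

A certificate is modelled as a dict with the keys 'subject_cn', 'san_dns'
(list of DNS names) and 'san_ip' (list of IP address strings).
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed server-type label; the note above says a wildcard DNS entry is not
# valid for the SIP server, so that type is treated specially below.
SIP_SERVER = "sip"


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname using the stated wildcard rule.

    A single '*' in a label matches any component or component fragment, so
    '*.avaya.com' matches 'ep.avaya.com' but not 'bar.ep.avaya.com', and
    'e*.com' matches 'ep.com' but not 'bar.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        if p.count("*") != 1:
            return False  # only one wildcard per label is considered
        prefix, suffix = p.split("*")
        if len(h) < len(prefix) + len(suffix):
            return False
        if not (h.startswith(prefix) and h.endswith(suffix)):
            return False
    return True


def ip_matches(san_ips: List[str], ip_address: str) -> bool:
    """True if any SAN IP Address entry equals the server's actual address."""
    try:
        target = ipaddress.ip_address(ip_address)
    except ValueError:
        return False
    for entry in san_ips:
        try:
            if ipaddress.ip_address(entry) == target:
                return True
        except ValueError:
            continue  # malformed entry, ignore it
    return False


def validate_server_identity(cert: Dict, hostname: str, ip_address: str,
                             server_type: str) -> Tuple[bool, List[str]]:
    """Apply the section-2 requirements; returns (passed, list of problems)."""
    problems: List[str] = []
    cn = cert.get("subject_cn", "").lower().rstrip(".")
    if cn != hostname.lower().rstrip("."):
        problems.append("Subject CN does not equal the server's fully qualified hostname")
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    if not san_dns or not san_ip:
        problems.append("SAN extension must carry both DNS and IP Address entries")
    matching = [e for e in san_dns if dns_name_matches(e, hostname)]
    if san_dns and not matching:
        problems.append("no SAN DNS entry matches the hostname")
    if server_type == SIP_SERVER and matching and all("*" in e for e in matching):
        problems.append("only wildcard DNS entries match; not valid for the SIP server")
    if san_ip and not ip_matches(san_ip, ip_address):
        problems.append("no SAN IP Address entry equals the server's actual IP address")
    return (not problems, problems)


# Constructed sample certificates (192.0.2.x is a documentation address range).
SAMPLE_CERT = {"subject_cn": "ep.avaya.com", "san_dns": ["ep.avaya.com"], "san_ip": ["192.0.2.10"]}
WILDCARD_CERT = {"subject_cn": "ep.avaya.com", "san_dns": ["*.avaya.com"], "san_ip": ["192.0.2.10"]}
NO_IP_CERT = {"subject_cn": "ep.avaya.com", "san_dns": ["ep.avaya.com"]}

if __name__ == "__main__":
    for label, cert, stype in (("application", SAMPLE_CERT, "application"),
                               ("wildcard/application", WILDCARD_CERT, "application"),
                               ("wildcard/sip", WILDCARD_CERT, SIP_SERVER),
                               ("missing SAN IP", NO_IP_CERT, "application")):
        ok, why = validate_server_identity(cert, "ep.avaya.com", "192.0.2.10", stype)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {why}")
```

Running the module prints one line per sample certificate; the wildcard certificate passes for the Application server but fails for the SIP server, and the certificate without an IP Address SAN entry fails regardless of server type.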