TLS Certificate Requirements for IP Address Connections in GCC Environments (FIPS Compliance)

Error Message:

“Error: No subject alternative names matching IP address found.”

This error is documented in KB2127118. While the KB specifically addresses Rubrik server discovery, the guidance is applicable to any external system integration where IP addresses are used in certificate-based TLS communication.

Cause:

In GCC (Government Community Cloud) environments, all ServiceNow instances are FIPS (Federal Information Processing Standards) compliant. FIPS compliance mandates stricter security requirements for TLS connections, including:

- Java Hostname Verification must be enforced.
- The Subject Alternative Name (SAN) in the TLS certificate must exactly match the host used for the connection.
- If connecting via IP address, the certificate must include an IP-type SAN entry.

If the certificate includes only DNS-type SAN entries (i.e., Fully Qualified Domain Names), and an IP address is used to connect, the handshake fails immediately. Fallback to Common Name (CN) is not permitted under FIPS enforcement.

This differs from commercial environments, where FIPS is not enforced in the same manner, and such connections might still succeed by falling back to the CN field.

Resolution:

To resolve this error and establish a successful TLS connection in a GCC environment:

- Ensure that the TLS certificate includes both:
  - DNS-type SAN entries for FQDNs (e.g., server.example.com), and
  - IP-type SAN entries for any direct IP address access (e.g., 192.168.1.10).
- Confirm that the hostname or IP used for connection matches the SAN entry in the certificate exactly.

This configuration is not a product defect but is expected behavior due to FIPS enforcement and applies across all GCC ServiceNow instances.
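
The SAN type rule described above, as an added Python example (not ServiceNow's or Java's own verification code): a pre-connection check over certificate data in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates and the san_check helper are constructed for illustration, and wildcard DNS entries are not expanded.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); the names and addresses are illustrative.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "192.168.1.10"),),),  # CN holds the IP, SAN does not
    "subjectAltName": (("DNS", "server.example.com"),),
}
CERT_DNS_AND_IP = {
    "subject": ((("commonName", "server.example.com"),),),
    "subjectAltName": (
        ("DNS", "server.example.com"),
        ("IP Address", "192.168.1.10"),
    ),
}


def san_check(cert, target):
    """Return (ok, reason) for connecting to `target` with `cert`.

    Type-strict: an IP target is compared only with IP-type SAN entries,
    a hostname only with DNS-type entries. The subject CN is never consulted.
    Simplification (assumption): wildcard DNS entries are not expanded.
    """
    sans = cert.get("subjectAltName", ())
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None  # target is a hostname, not an IP literal

    if want_ip is not None:
        have = [v for t, v in sans if t == "IP Address"]
        # Compare parsed addresses so equivalent IPv6 spellings match.
        if any(ipaddress.ip_address(v) == want_ip for v in have):
            return True, "IP-type SAN matches"
        return False, f"no IP-type SAN matches {target} (IP SANs: {have or 'none'})"

    have = [v for t, v in sans if t == "DNS"]
    if any(v.lower() == target.lower() for v in have):
        return True, "DNS-type SAN matches"
    return False, f"no DNS-type SAN matches {target} (DNS SANs: {have or 'none'})"


if __name__ == "__main__":
    for name, cert in (("dns-only", CERT_DNS_ONLY), ("dns+ip", CERT_DNS_AND_IP)):
        for target in ("server.example.com", "192.168.1.10"):
            print(name, target, san_check(cert, target))
```

The DNS-only sample carries the IP address in its CN on purpose: the check still rejects it, which is the no-CN-fallback behavior the article describes.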