
LDAPS Error in Spectrum Authentication - Could not connect to the alternate external authentication server.


Article ID: 189372


Products

CA Spectrum, CA eHealth

Issue/Introduction

Problems with the certificates used for LDAPS.

After receiving a keystore file from the corporate CA containing the server certificate and its certificate chain, it installs successfully and HTTPS works.

But when LDAP authentication is tested on the LDAP configuration web page, an error is generated:

"SPC-OCA-10492: Could not connect to the (alternate) external authentication server."


A tcpdump shows that the Spectrum server receives the certificate from the LDAP server and replies with a TLS alert: "Certificate unknown".

However, the LDAP server certificate was issued by the same intermediate CA as the Spectrum server's own certificate, so it should be trusted.

Importing the LDAP server certificate into the Tomcat keystore with the following command even succeeds:

$SPECROOT/Java/bin/keytool -import -alias "ldap" -file ldap.pem -keystore /Spectrum/custom/keystore/xxx.pfx  

and $SPECROOT/Java/bin/keytool -list shows the entry in that keystore, but the connection still fails with the error above.

Cause

LDAP server certificates must be placed in the default keystore location; certificates imported into any other keystore (such as a custom Tomcat keystore) are not recognised for LDAP connections.

Environment

Spectrum 10.4 and later

Resolution

The documented procedure is to import the certificate through the OneClick web page.
That places the certificates in the default keystore location:

$SPECROOT/custom/keystore/cacerts  


If a different keystore location is configured in server.xml, the LDAP certificate will not be picked up from there.
The custom location is used only for the Tomcat (HTTPS) certificate; the LDAP client reads the default cacerts truststore.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-2/integrating/common-access-card-authentication/how-to-configure-ca-spectrum-for-ssl-and-cac-authentication/add-intermediate-and-root-certificates-to-ca-spectrum.html
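The procedure above can also be done from the command line when the OneClick web page is not convenient. The script below is an added example, not part of the Broadcom article or the Spectrum product: it pulls the chain the LDAPS server presents, splits it into one PEM file per certificate, imports each into the default $SPECROOT/custom/keystore/cacerts truststore (the location the article names, not a custom Tomcat keystore), and lists the resulting aliases. The SPECROOT path, the LDAP_HOST/LDAP_PORT values, the "ldap-" alias prefix and the STOREPASS default are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not the article's own procedure): import an LDAPS server's
# certificate chain into the default Spectrum truststore that the LDAP
# client reads. Everything below the comment markers "assumption" is a
# placeholder for your environment.

SPECROOT="${SPECROOT:-/opt/Spectrum}"            # assumption: your Spectrum install root
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"        # assumption: your LDAPS server
LDAP_PORT="${LDAP_PORT:-636}"                     # LDAPS default port
TRUSTSTORE="$SPECROOT/custom/keystore/cacerts"    # default location from the article
STOREPASS="${STOREPASS:-changeit}"                # assumption: Java's conventional default; use your site's password
KEYTOOL="$SPECROOT/Java/bin/keytool"              # Spectrum's bundled JRE keytool

# Fetch the chain the LDAPS server presents (server cert plus intermediates).
# openssl prints each certificate as a PEM block with -showcerts.
fetch_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null
}

# Split PEM blocks read from stdin into $1/chain_N.pem (N starting at 1)
# and print the number of certificates found. Only the BEGIN/END markers
# matter here, so it works on any s_client -showcerts output.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain_" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    '
}

# Import every chain_*.pem in $1 into the default cacerts truststore.
# -trustcacerts lets keytool validate the chain against what is already
# trusted; -noprompt skips the interactive "Trust this certificate?" question.
import_chain() {
    dir="$1"
    for pem in "$dir"/chain_*.pem; do
        alias="ldap-$(basename "$pem" .pem)"      # assumption: alias naming scheme
        "$KEYTOOL" -importcert -noprompt -trustcacerts \
            -alias "$alias" -file "$pem" \
            -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    done
}

# Show the imported aliases in the keystore OneClick actually reads,
# which is the check that distinguishes this from the failing .pfx import.
verify_import() {
    "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep -i 'ldap-'
}

# Run the full procedure only when invoked as: ./ldaps_import.sh import
if [ "${1:-}" = "import" ]; then
    work="$(mktemp -d)"
    count="$(fetch_chain | split_chain "$work")"
    [ "$count" -gt 0 ] || { echo "no certificates received from $LDAP_HOST:$LDAP_PORT" >&2; exit 1; }
    import_chain "$work"
    verify_import
    rm -rf "$work"
fi
```

The JVM loads the truststore at startup, so restart the OneClick Tomcat after the import and then retest from the LDAP configuration page. If the chain has already been imported elsewhere (for example into the custom .pfx from the Issue section), that entry can stay; it is simply never consulted for the LDAP connection.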