Experiencing problems with the certificates for LDAPS.
After receiving a keystore file from the corporate CA containing the server certificate and the certificate chain, it installs successfully and HTTPS works.
But when trying LDAP authentication from the LDAP configuration web page, an error is generated:
"SPC-OCA-10492: Could not connect to the (alternate) external authentication server."
A tcpdump shows that the Spectrum server receives the certificate from the LDAP server and replies with a TLS alert: "Certificate unknown".
However, the LDAP server certificate was issued by the same intermediate CA as the Spectrum server's own certificate and should be trusted!
Even importing the LDAP server certificate with the following command succeeds:
$SPECROOT/Java/bin/keytool -import -alias "ldap" -file ldap.pem -keystore /Spectrum/custom/keystore/xxx.pfx
and $SPECROOT/Java/bin/keytool -list shows the entry in that keystore, but the connection still fails with the error above.
Supported versions of DX NetOps Spectrum
The documented procedure is to import the certificate into OneClick through the OneClick web page.
The certificates are then placed in the default keystore location:
$SPECROOT/custom/keystore/cacerts
If a different keystore location is configured in server.xml, the LDAP certificate imported there will not be picked up: Spectrum only reads LDAP trust from the default cacerts keystore.
The custom keystore location is used only for the Tomcat (HTTPS) certificates.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-2/integrating/common-access-card-authentication/how-to-configure-ca-spectrum-for-ssl-and-cac-authentication/add-intermediate-and-root-certificates-to-ca-spectrum.html
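As an added diagnostic (not from this article or from Broadcom's tooling), the check below encodes the rule above: it reads the Tomcat keystoreFile out of server.xml, parses keytool -list output for both keystores, and reports whether the LDAP certificate landed in the keystore Spectrum actually consults for LDAP trust. The server.xml fragment and keytool listings are constructed samples, and $SPECROOT is assumed to be /Spectrum.

```python
import os
import re
import xml.etree.ElementTree as ET

# Spectrum reads LDAP trust only from this keystore, regardless of any
# keystoreFile that server.xml configures for the Tomcat HTTPS connector.
DEFAULT_TRUST_STORE = "custom/keystore/cacerts"

def tomcat_keystore(server_xml):
    """Return the keystoreFile of the first Connector that sets one, else None."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("keystoreFile"):
            return conn.get("keystoreFile")
    return None

def keytool_aliases(listing):
    """Parse non-verbose `keytool -list` output into a set of lower-case aliases."""
    entry = re.compile(r"^(.+?),\s.*,\s*(trustedCertEntry|PrivateKeyEntry),\s*$")
    return {m.group(1).lower() for m in map(entry.match, listing.splitlines()) if m}

def diagnose(specroot, server_xml, cacerts_listing, tomcat_listing="", ldap_alias="ldap"):
    """Report where the LDAP CA cert is, and where Spectrum actually looks for it."""
    trust_store = os.path.join(specroot, DEFAULT_TRUST_STORE)
    custom = tomcat_keystore(server_xml)
    in_trust = ldap_alias.lower() in keytool_aliases(cacerts_listing)
    in_tomcat = ldap_alias.lower() in keytool_aliases(tomcat_listing)
    return {
        "trust_store": trust_store,
        "tomcat_keystore_differs": custom is not None and os.path.normpath(custom) != os.path.normpath(trust_store),
        "ldap_cert_trusted": in_trust,
        # The symptom from the article: imported into the Tomcat keystore, never into cacerts.
        "imported_into_tomcat_store_only": in_tomcat and not in_trust,
    }

# Constructed sample inputs (not real output from a Spectrum server).
SAMPLE_SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true"
  keystoreFile="/Spectrum/custom/keystore/xxx.pfx" keystoreType="PKCS12"/></Service></Server>"""
SAMPLE_TOMCAT_LISTING = """Keystore type: PKCS12
Your keystore contains 2 entries

tomcat, Jan 5, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44
ldap, Feb 1, 2023, trustedCertEntry,
"""
SAMPLE_CACERTS_BEFORE = """Keystore type: JKS
Your keystore contains 1 entry

corp-intermediate, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:AA:BB:CC
"""
SAMPLE_CACERTS_AFTER = SAMPLE_CACERTS_BEFORE + "ldap, Feb 1, 2023, trustedCertEntry,\n"

if __name__ == "__main__":
    print(diagnose("/Spectrum", SAMPLE_SERVER_XML, SAMPLE_CACERTS_BEFORE, SAMPLE_TOMCAT_LISTING))
```

On a live server, feed it the real server.xml and the output of keytool -list for both keystores; a result with imported_into_tomcat_store_only set to True is exactly the situation described in this article.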