OneClick Could not connect to the (alternate) external authentication server error



Article ID: 189372


Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

LDAPS Error in Spectrum Authentication - Could not connect to the alternate external authentication server.

Experiencing problems with the certificates for LDAPS.

After receiving a keystore file from the corporate CA containing the server certificate and its certificate chain, the keystore installs successfully and HTTPS to OneClick works.

But when the LDAP connection is tested on the LDAP Configuration web page, an error is generated:

"SPC-OCA-10492: Could not connect to the (alternate) external authentication server."

A tcpdump shows that the Spectrum server receives the certificate from the LDAP server and answers with a TLS alert: "Certificate unknown".

However, the LDAP server certificate was issued by the same intermediate CA as the Spectrum server's own certificate, so it should be trusted.

Even importing the LDAP server certificate into that keystore with the following succeeds:

$SPECROOT/Java/bin/keytool -import -alias "ldap" -file ldap.pem -keystore /Spectrum/custom/keystore/xxx.pfx

and $SPECROOT/Java/bin/keytool -list shows the new entry in the keystore, but the connection still fails with the error above.

Environment

All supported versions of DX NetOps Spectrum

Cause

The OneClick LDAP client validates the LDAP server's certificate against the default truststore, $SPECROOT/custom/keystore/cacerts. A certificate imported into the custom keystore that server.xml configures for Tomcat's HTTPS connector is not consulted for LDAPS, so the TLS handshake is rejected with a "Certificate unknown" alert.

Resolution

We recommend using the OneClick web page to import the certificate. Log in to the OneClick administration web page and go to Administration -> LDAP Configuration. Use the Add Certificate button to import the LDAP server's SSL certificate. Engage your LDAP administration team to obtain a copy of the certificate.

The certificate is placed in the default keystore location: $SPECROOT/custom/keystore/cacerts

If a different keystore location is configured in server.xml, the LDAP server certificate will not be recognized there: that custom location is used only for the Tomcat web server (HTTPS) certificate.
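The same fix can be done from the command line when the web page is not an option. The script below is an added example and is not part of this article or of the Spectrum product: it fetches the certificate chain the LDAPS server actually presents, imports each certificate into the default truststore the LDAP client reads ($SPECROOT/custom/keystore/cacerts, not the keystore named in server.xml), confirms the aliases are present, and repeats the handshake with openssl trusting only what was imported. The SPECROOT default of /opt/SPECTRUM, the truststore password "changeit" and the alias naming are assumptions, not values from the article.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): import the LDAPS server chain into the
# truststore the OneClick LDAP client reads, then verify the chain.
# Assumed (not stated on the page): SPECROOT=/opt/SPECTRUM, cacerts password
# "changeit", LDAP target given as ldaps://host[:port].
set -u

SPECROOT="${SPECROOT:-/opt/SPECTRUM}"            # assumed default install path
KEYTOOL="$SPECROOT/Java/bin/keytool"
TRUSTSTORE="$SPECROOT/custom/keystore/cacerts"   # default location the LDAP client uses
STOREPASS="${STOREPASS:-changeit}"               # assumed JDK default; override per site

# parse_ldaps_uri ldaps://host[:port] -> "host port" (port defaults to 636)
parse_ldaps_uri() {
  local uri="$1" hostport host port
  hostport="${uri#ldaps://}"
  hostport="${hostport%%/*}"
  host="${hostport%%:*}"
  if [ "$hostport" = "$host" ]; then port=636; else port="${hostport##*:}"; fi
  printf '%s %s\n' "$host" "$port"
}

# alias_for_host HOST N -> ldap-host-N (keytool aliases are case-insensitive, so lower-case)
alias_for_host() {
  printf 'ldap-%s-%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# fetch_chain host port outfile: save every certificate the server presents, as PEM
fetch_chain() {
  local host="$1" port="$2" out="$3"
  # </dev/null ends s_client after the handshake; -showcerts prints the whole chain
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
  [ -s "$out" ]
}

# split_chain pemfile prefix: write prefix-1.pem, prefix-2.pem, ... and print the count
# (keytool -importcert only takes the first certificate of a file, so split first)
split_chain() {
  local pem="$1" prefix="$2"
  awk -v p="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }' "$pem"
}

# import_into_default_truststore pemfile alias
import_into_default_truststore() {
  "$KEYTOOL" -importcert -noprompt -trustcacerts \
    -alias "$2" -file "$1" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# has_alias alias: succeeds when the alias is present in the default truststore
has_alias() {
  "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# verify_handshake host port chainfile: handshake again trusting only the imported
# chain; -partial_chain lets the intermediate act as anchor if the root was not sent
verify_handshake() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -partial_chain </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  local uri="$1" host port n count alias dir
  read -r host port <<EOF
$(parse_ldaps_uri "$uri")
EOF
  dir="$(mktemp -d)"
  fetch_chain "$host" "$port" "$dir/chain.pem" || { echo "no certificate received from $host:$port" >&2; return 1; }
  count="$(split_chain "$dir/chain.pem" "$dir/cert")"
  n=1
  while [ "$n" -le "$count" ]; do
    alias="$(alias_for_host "$host" "$n")"
    import_into_default_truststore "$dir/cert-$n.pem" "$alias"
    has_alias "$alias" || { echo "alias $alias missing from $TRUSTSTORE" >&2; return 1; }
    n=$((n + 1))
  done
  verify_handshake "$host" "$port" "$dir/chain.pem" \
    && echo "LDAPS chain for $host ($count certificate(s)) imported into $TRUSTSTORE and verified"
  rm -rf "$dir"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as the Spectrum user with the LDAP URI as the only argument, for example `./import-ldaps-chain.sh ldaps://ldap.example.com`, then retest from Administration -> LDAP Configuration; the Tomcat keystore named in server.xml is deliberately never touched.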

Additional Information