
LDAPS Error in Spectrum Authentication - Could not connect to the alternate external authentication server.


Article ID: 189372


Updated On:


CA Spectrum CA eHealth


Problems with the certificates used for LDAPS authentication.

After receiving a keystore file from the corporate CA containing the server certificate and its certificate chain, the keystore installs successfully and HTTPS works.

But when testing LDAP authentication from the LDAP configuration web page, an error is generated:

"SPC-OCA-10492: Could not connect to the (alternate) external authentication server."


A tcpdump shows that the Spectrum server receives the certificate from the LDAP server and replies with a TLS alert: "Certificate unknown".

However, the LDAP server certificate was issued by the same intermediate CA as the Spectrum server's own certificate, so it should be trusted.

Even importing the LDAP server certificate into that keystore with the following command succeeds:

$SPECROOT/Java/bin/keytool -import -alias "ldap" -file ldap.pem -keystore /Spectrum/custom/keystore/xxx.pfx  

and $SPECROOT/Java/bin/keytool -list shows the certificate in that keystore, but the connection still fails with the error above.


LDAP certificates need to go in the default keystore location, or they will not be recognised.


Spectrum 10.4 and later


The documented procedure is to import the certificate into OneClick through the OneClick web page.
The certificates are then placed in the default keystore location:


If a different keystore location is configured in server.xml, the LDAP certificate will not be picked up from it.
The custom keystore location is used only for the Tomcat (HTTPS) certificate; trust for the LDAP connection is read from the default keystore.
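A quick way to confirm that you are in the situation this article describes is to check whether the HTTPS Connector in server.xml points at a custom keystore, because that is exactly the keystore the LDAP client will not consult. The script below is an added diagnostic written for this article, not CA/Broadcom code. The embedded server.xml fragments are constructed samples; the path of the default truststore is not stated on this page, so it is taken as a caller-supplied argument rather than hard-coded, and the keytool command it prints mirrors the one shown above with only the keystore path changed.

```python
"""Find a custom HTTPS keystore in a Tomcat server.xml and say where the LDAP
server certificate has to be imported instead (added example, not Spectrum code)."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the article's setup: the HTTPS connector uses a
# custom PKCS12 keystore via the legacy keystoreFile attribute on <Connector>.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/Spectrum/custom/keystore/xxx.pfx" keystoreType="PKCS12"
               keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed sample in the Tomcat 8.5+/9 style, where the keystore is named on
# <SSLHostConfig><Certificate certificateKeystoreFile=...> instead.
SAMPLE_SERVER_XML_HOSTCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/Spectrum/custom/keystore/xxx.pfx"
                     certificateKeystoreType="PKCS12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def tls_connectors(server_xml: str):
    """Return [(port, keystore_file_or_None)] for every TLS-enabled <Connector>.

    Handles both the legacy keystoreFile attribute on <Connector> and the
    newer <SSLHostConfig><Certificate certificateKeystoreFile=...> form.
    A TLS connector with no keystore attribute at all yields None (Tomcat's
    own default applies in that case).
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore involved
        keystore = conn.get("keystoreFile")
        if keystore is None:
            cert = conn.find("./SSLHostConfig/Certificate")
            if cert is not None:
                keystore = cert.get("certificateKeystoreFile")
        found.append((conn.get("port"), keystore))
    return found


def ldap_trust_advice(server_xml: str, default_truststore: str, ldap_cert_pem: str = "ldap.pem"):
    """Report any custom HTTPS keystore and build the import command for the
    default truststore.

    Per the article, the keystore named in server.xml only carries the Tomcat
    HTTPS certificate; the LDAP client trusts the default truststore regardless,
    so the import always targets default_truststore (hypothetical path supplied
    by the caller, since the page does not spell it out).
    """
    custom = [(port, ks) for port, ks in tls_connectors(server_xml) if ks]
    keytool = (
        f"$SPECROOT/Java/bin/keytool -import -alias ldap "
        f"-file {ldap_cert_pem} -keystore {default_truststore}"
    )
    return {"custom_keystores": custom, "import_into": default_truststore, "keytool": keytool}


if __name__ == "__main__":
    for name, xml in (("legacy", SAMPLE_SERVER_XML), ("sslhostconfig", SAMPLE_SERVER_XML_HOSTCONFIG)):
        advice = ldap_trust_advice(xml, "/path/to/default/truststore")
        print(name, "custom HTTPS keystore(s):", advice["custom_keystores"])
        print("  LDAP cert must go into:", advice["import_into"])
        print("  ", advice["keytool"])
```

Run it against the real $SPECROOT/tomcat/conf/server.xml by reading that file into the same functions; a non-empty custom_keystores list means the LDAP certificate you imported into that .pfx is in the wrong place and needs to be imported into the default keystore (or through the OneClick web page, as documented).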