
Connector Xpress test connection to a Layer7 endpoint returns "Data source test failed: javax.net.ssl.PeerUnverifiedException: peer not authorized" - the same error appears when trying to explore the endpoint.


Article ID: 237161


Updated On:

Products

CA Identity Suite

Issue/Introduction


Trying to explore a Layer7/SCIM endpoint fails with a "peer not authenticated" error on the Provisioning Server side:

:ETA_E_0257<ECT>, Error listing Groups objects: Connector Server Add failed: code 53 (UNWILLING_TO_PERFORM): failed to add entry eTDYNDirectoryName=<Endpoint Name>,eTNamespaceName=<Endpoint Type Name>dc=im,dc=etasa: [email protected]: SCIM: peer not authenticated (ldaps://<hostname of connector server>:20411)

Cause

  • The API Gateway / Layer7 is configured to require a certificate for authentication, and the certificate store of the Connector Server in IM does not contain that certificate.
  • Firewall rules must also allow the communication.

Environment

Release : 14.4

Component :

Resolution

The problem was identified as the certificate stores of Connector Xpress (CX), the Connector Server (CS) and IM not having the API Gateway (Layer7) certificate imported.

The issue was the missing certificate in 14.4. Importing the API Gateway certificate on the IM side (CS) resolved the issue.

Below, as an example, are the certificate types that IM needs imported, including the locations where the API Gateway certificate goes:

  • In Connector Xpress: insert the custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer certificates obtained from the API Gateway. This allows Test Connection via Connector Xpress and the Layer7 data source type.

    Location in Connector Xpress: file ...\Virtual Appliance Tools 14.4\CA-IM_ConnectorXpress\software\confssl.keystore, password: changeit

  • In the Windows Connector Server: insert the custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer certificates obtained from the API Gateway. This allows the Connector Server itself to communicate with the Layer7 endpoint type created in CX.

    Location in the Windows Connector Server: file ...\Connector Server\jcs\conf\ssl.keystore; insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer / API_GATEWAY.cer

  • In the API Gateway: insert custom_root.cer / custom_intermediate.cer / Windows_CS.cer (the same certificates that were inserted in CX and the Windows Connector Server).

    Location in the API Gateway: menu Tasks / Certificates / Manage Certificates, where the API Gateway certificate can be obtained and other certificate-related tasks performed. In this example the API Gateway holds the same certificates as IM: the root certificate, the custom intermediate and the Windows certificate. This menu also allows exporting the API_GATEWAY.cer mentioned in the examples above.

  • vApp nodes:

    On each vApp node in the cluster, run the commands below to import into the JRE truststore any certificate the organization needs, including the API Gateway certificate used to communicate with a Layer7 endpoint type:
    /opt/CA/openjdk1.8/jre/lib/security/cacerts

1 - Upload all certificates to the /home/config folder.
2 - In the console of each server, run the following commands (adapting the 'custom_root' and 'custom_intermediate' names to the environment):

keytool -import -file /home/config/custom_root.cer -alias 'custom_root' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit -noprompt
keytool -import -file /home/config/custom_intermediate.cer -alias 'custom_intermediate' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit -noprompt
keytool -import -file /home/config/Windows_CS.cer -alias 'Windows_CS' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit -noprompt
keytool -import -file /home/config/API_GATEWAY.cer -alias 'API_GATEWAY' -keystore /opt/CA/openjdk1.8/jre/lib/security/cacerts -storepass changeit -noprompt
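The four keytool commands above are the manual form of the vApp step. The script below is an added example (not part of this article and not a CA/Broadcom tool) that does the same import idempotently: it derives the alias from the file name, skips aliases already present in the truststore so the script can be re-run on every node, and optionally fetches the certificate presented by the gateway with openssl as an alternative to exporting it from the Manage Certificates menu. It assumes the same cacerts path, /home/config folder and default 'changeit' password shown above; the function names and the CERT_DIR/KEYSTORE/STOREPASS variables are this example's own.

```shell
#!/bin/sh
# Added example: idempotent import of every .cer in a folder into the vApp JRE
# truststore. Defaults follow the article; all three can be overridden in the
# environment (e.g. KEYSTORE=... sh import_certs.sh run).
CERT_DIR="${CERT_DIR:-/home/config}"
KEYSTORE="${KEYSTORE:-/opt/CA/openjdk1.8/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Alias derived from the file name, e.g. /home/config/API_GATEWAY.cer -> API_GATEWAY
alias_for() {
  basename "$1" .cer
}

# Save the leaf certificate the endpoint presents, in DER form, so it can be
# imported like the API_GATEWAY.cer exported from the gateway UI. Only the leaf
# is written: the issuing root/intermediate must still be imported separately.
fetch_endpoint_cert() {
  host="$1"; port="$2"; outfile="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform DER -out "$outfile"
}

# Import one certificate unless an entry with that alias already exists.
# Prints "imported: <alias>" or "skipped: <alias>"; returns keytool's status.
import_cert() {
  file="$1"
  cert_alias="$(alias_for "$file")"
  if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$cert_alias" >/dev/null 2>&1; then
    echo "skipped: $cert_alias"
    return 0
  fi
  keytool -import -trustcacerts -noprompt -file "$file" -alias "$cert_alias" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1 || return 1
  echo "imported: $cert_alias"
}

# Import all .cer files in CERT_DIR and report how many were actually added.
# Stops at the first failing import so a bad file is not silently ignored.
import_all() {
  imported=0
  for f in "$CERT_DIR"/*.cer; do
    [ -f "$f" ] || continue
    status="$(import_cert "$f")" || return 1
    echo "$status"
    case "$status" in imported:*) imported=$((imported + 1)) ;; esac
  done
  echo "imported $imported certificate(s) into $KEYSTORE"
}

# Run as: sh import_certs.sh run   (on each vApp node, as a user that can write cacerts)
if [ "${1:-}" = "run" ]; then
  import_all
fi
```

Import order into a truststore does not matter: each trustedCertEntry is trusted on its own, so the alphabetical order of the glob is fine even though the article lists root, intermediate and then the other certificates. After running it on every node, the `skipped:` lines on a second run are the confirmation that all four aliases are present.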


  • Connector Server ports for communication with an external Connector Server: another point to check is whether the external Windows Connector Server has firewall rules blocking communication (please see the link SYMANTEC IDENTITY MANAGER 14.4 - Default Ports for Identity Manager and Associated Components).

    To allow the ports (in case they are blocked by the Windows Firewall), use the commands below under supervision of the Windows administrator. Note that `netsh firewall` is the legacy firewall context; on current Windows versions the same rules are created with `netsh advfirewall firewall add rule`.

    Check whether the ports used to talk to the API Gateway are allowed in the local firewall. If not, add them to the list of opened ports as well.

    Example of allowing ports on the Windows Connector Server:

netsh firewall add portopening TCP 20390 "CA-CS SERVER 20390"
netsh firewall add portopening TCP 20410 "CA-CS LDAP 20410"
netsh firewall add portopening TCP 20411 "CA-CS LDAPS 20411"
netsh firewall add portopening TCP 22001 "CA-CS Broker-HTTP 22001"
netsh firewall add portopening TCP 22002 "CA-CS BROKER-HTTPS 22002"
netsh firewall add portopening TCP 20080 "CA-CS WEB-HTTP 20080"
netsh firewall add portopening TCP 20443 "CA-CS WEB-HTTPS 20443"
netsh firewall add portopening TCP 22099 "CA-CS RMI 22099"