|Applies To||RSA ClearTrust 5.0.1 Authorization Server (AServer); iPlanet 5.1 Directory Server; Keon Certificate Authority 6.0; Microsoft Windows 2000 Server SP3|
|Issue||Error: "Certificate unknown" when connecting to iPlanet DS|
The RSA ClearTrust Entitlements Server fails to connect to the iPlanet Directory Server (iDS) datastore over SSL. The following errors show up in the Entitlements Server's debug log:
SocketConnector.run: connect() threw: java.net.SocketException: Error creating socket: com.rsa.ssl.AlertedException: certificate unknown
Can't create a SSL socket to the LDAP server, the error message is : Error creating socket: com.rsa.ssl.AlertedException: certificate unknown
|Cause||The SSL server certificate installed in iDS carries a Key Usage extension without the Digital Signature flag, or the CA and server certificates were installed in iDS in the wrong order, so the ClearTrust SSL client rejects the server certificate with a "certificate unknown" alert.|
|Resolution||Listed below are things to keep an eye out for when configuring ClearTrust Servers and iDS for authenticated SSL communications:|
1. When generating the SSL server certificate for iDS, if the "Key Usage" extension is added to the certificate, ensure that the Digital Signature flag is selected. If the Key Usage extension is present but the Digital Signature flag is not set, the ClearTrust SSL client rejects the certificate and the error above occurs; a server certificate whose Key Usage lists only Key Encipherment, which is otherwise common for SSL server certificates, is therefore not accepted. Alternatively, omit the "Key Usage" extension from the iDS SSL server certificate altogether.
2. The iDS 5.1 online documentation incorrectly instructs you to install the SSL server certificate before installing the CA certificate. The CA certificate must be installed and trusted in iDS before the SSL server certificate is installed. If the SSL server certificate is installed first, the iDS console shows a broken chain for the SSL server certificate, and the ClearTrust servers cannot validate it.
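Before re-importing certificates into iDS, it is worth checking the server certificate offline for both conditions in items 1 and 2: whether a Key Usage extension is present and whether its Digital Signature bit is set, and whether the issuer name in the server certificate actually matches the subject name of the CA certificate you intend to trust. The following Python is an added example written for this article, not RSA's or iPlanet's code. It walks the DER TLV structure of a certificate with the standard library only (no signature is verified) and applies the rule the article states for the ClearTrust SSL client: no Key Usage extension is acceptable, but a Key Usage extension without digitalSignature is not. The `sample_cert` helper and its names are constructed stand-ins for a DER certificate, used here so the example runs offline; on a real system you would pass the bytes of the exported DER certificate instead.

```python
"""Offline checks for the two iDS certificate problems described in the article.

Pure standard library. Only the DER tag/length/value tree is walked; nothing
cryptographic is verified. sample_cert() builds constructed, unsigned stand-ins
for real certificates so the checks can be exercised without a CA.
"""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER body of 2.5.29.15 (id-ce-keyUsage)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body):
    """Split a constructed body into its list of (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out


def der_write(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def tbs_fields(cert_der):
    """Return (issuer Name body, subject Name body, [(ext OID, ext value)])."""
    _, cert, _ = der_read(cert_der)
    tbs = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]         # serial, sigAlg, issuer, validity, subject, spki
    exts = []
    for tag, body in tbs[5:]:
        if tag == 0xA3:                            # EXPLICIT [3] extensions
            for _, ext in der_children(der_children(body)[0][1]):
                parts = der_children(ext)          # OID, optional BOOLEAN critical, OCTET STRING
                exts.append((parts[0][1], parts[-1][1]))
    return issuer, subject, exts


def key_usage(cert_der):
    """Set of Key Usage flag names, or None when the extension is absent."""
    for oid, value in tbs_fields(cert_der)[2]:
        if oid == KEY_USAGE_OID:
            tag, bits, _ = der_read(value)         # BIT STRING: bits[0] = unused-bit count
            assert tag == 0x03
            names = set()
            for i, name in enumerate(KEY_USAGE_BITS):
                byte, bit = divmod(i, 8)           # bit 0 is the MSB of the first content byte
                if byte < len(bits) - 1 and bits[1 + byte] & (0x80 >> bit):
                    names.add(name)
            return names
    return None


def acceptable_to_cleartrust(cert_der):
    """Article's rule: no Key Usage is fine; if present, digitalSignature must be set."""
    ku = key_usage(cert_der)
    return ku is None or "digitalSignature" in ku


def chain_links(server_der, ca_der):
    """True when the server certificate's issuer equals the CA's subject (DER byte match)."""
    return tbs_fields(server_der)[0] == tbs_fields(ca_der)[1]


def sample_cert(subject_cn, issuer_cn, key_usage_bits=None):
    """Constructed stand-in for a v3 DER certificate; unsigned and not a real credential."""
    def name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }
        atv = der_write(0x30, der_write(0x06, bytes.fromhex("550403")) + der_write(0x0C, cn.encode()))
        return der_write(0x30, der_write(0x31, atv))
    fields = [der_write(0xA0, der_write(0x02, b"\x02")),                           # version v3
              der_write(0x02, b"\x01"),                                             # serialNumber
              der_write(0x30, der_write(0x06, bytes.fromhex("2a864886f70d01010b"))),  # sha256WithRSA
              name(issuer_cn),
              der_write(0x30, der_write(0x17, b"030101000000Z") + der_write(0x17, b"040101000000Z")),
              name(subject_cn),
              der_write(0x30, b"")]                                                 # empty SPKI placeholder
    if key_usage_bits is not None:
        flags = sum(0x8000 >> KEY_USAGE_BITS.index(b) for b in key_usage_bits)
        raw = flags.to_bytes(2, "big").rstrip(b"\x00")
        unused = ((raw[-1] & -raw[-1]).bit_length() - 1) if raw else 0           # DER-minimal unused bits
        ext = der_write(0x30, der_write(0x06, KEY_USAGE_OID) + der_write(0x01, b"\xff")
                        + der_write(0x04, der_write(0x03, bytes([unused]) + raw)))
        fields.append(der_write(0xA3, der_write(0x30, ext)))
    tbs = der_write(0x30, b"".join(fields))
    return der_write(0x30, tbs + der_write(0x30, b"") + der_write(0x03, b"\x00"))  # placeholder sig


if __name__ == "__main__":
    ca = sample_cert("Keon Test CA", "Keon Test CA")
    for flags in (["digitalSignature", "keyEncipherment"], ["keyEncipherment"], None):
        srv = sample_cert("ldap.example.test", "Keon Test CA", flags)
        print(flags, "->", key_usage(srv), "accepted:", acceptable_to_cleartrust(srv),
              "issuer matches CA:", chain_links(srv, ca))
```

`key_usage` deliberately tolerates a BIT STRING shorter than nine bits, since DER strips trailing zero bits and a certificate with only Digital Signature set encodes a single content byte. `chain_links` compares the encoded Names byte for byte, which is what a chain builder tries first; it does not replace installing the CA certificate in iDS before the server certificate, it only tells you that you are about to install the right CA.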
|Workaround||Configure ldap.conf so that the ClearTrust Servers use authenticated SSL to the datastore. Use the certool utility to generate a PKCS #12 file for the ClearTrust Servers, and follow iPlanet's recommended procedure to configure it for SSL.|
|Legacy Article ID||a18762|