000020750 - Error: 'Certificate unknown' when connecting to iPlanet DS

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020750
Applies To: RSA ClearTrust 5.0.1 Authorization Server (AServer)
iPlanet 5.1 Directory Server
Keon Certificate Authority 6.0
Microsoft Windows 2000 Server SP3
Issue: Error: "Certificate unknown" when connecting to iPlanet DS
RSA ClearTrust Entitlements Server fails to connect to the iPlanet Directory Server (iDS) datastore. The following errors show up in the Entitlements Server's debug log:

SocketConnector.run: connect() threw: java.net.SocketException: Error creating socket: com.rsa.ssl.AlertedException: certificate unknown
Can't create a SSL socket to the LDAP server, the error message is : Error creating socket: com.rsa.ssl.AlertedException: certificate unknown
Cause: Absence of the Digital Signature flag in the certificate's Key Usage extension, or improper configuration of iPlanet, can lead to the above error.
Resolution: Listed below are things to keep an eye out for when configuring ClearTrust Servers and iDS for authenticated SSL communications:

1. When generating the SSL server certificate for iDS, if the "Key Usage" extension is added to the certificate, ensure that the Digital Signature flag is selected. If the Key Usage extension is present but the Digital Signature flag is not set, the above problem will occur. Alternatively, choose not to include the "Key Usage" extension in the SSL server certificate for iDS.

2. The iDS 5.1 online documentation incorrectly instructs you to install the SSL server certificate before installing the CA certificate. The CA certificate must be installed and trusted in iDS prior to installing the SSL server certificate. If the SSL server certificate is installed before the CA certificate, the iDS console will show a broken chain for the SSL server certificate.
Workaround: Configured ldap.conf to use authenticated SSL from ClearTrust Servers to the datastore. Used the certool utility to generate a PKCS #12 file for the ClearTrust Servers, and used iPlanet's recommended procedure to configure it for SSL.
Legacy Article ID: a18762
