Peer not authenticated: SSL problems

After setting up SSL, I’m able to connect to the Content Explorer using https: and port 9443 (though publishing is a problem). But when I try to connect to the Workbench, Server Administrator, or Multi-Server Manager, using port 9443 and ticking/checking the “Use SSL” box, I get the message that “An unexpected error has occurred: peer not authenticated” or “Server error: could not connect to server (myserver.edu)”. Should I be trying this?

You should be able to connect those client applications via SSL. What product version and patch level are you on?

Rhythmyx 6.5.2 and patch RX-13277

I can log in on port 9992 as usual, but not 9443.

Have you imported your SSL cert to java (Rhythmyx\JRE\lib\security\cacerts) using keytool?

~/Rhythmyx/AppServer/server/rx/deploy/jbossweb-tomcat55.sar/server.xml

In the connector for port 9943, you’ll need to specify the keystore and keystore pass. Another useful note is that if you used a password on the cert, then the password on the keystore must match the cert password.

And, as Jit said, you also have to import your cert into ~/Rhythmyx/JRE/lib/security/cacerts

That should be enough, after restart, to get CX over SSL. If you want the Server Admin tool, Workbench, etc. to also connect, you’ll need to import your cert into the JRE/lib/security/cacerts on the client machine.

Oh, I was already able to connect to CX (though I get an error when publishing). But I hadn’t imported the cert into my local client machine using keytool as I had into my servers. Yet even after doing that, rebooting and restarting, I can use port 9443 only for Content Explorer, not for MSM, Workbench, or Server Administrator.

Here is the first part of my server.xml file:

<?xml version="1.0" encoding="utf-8"?>
<Server>
   <Service className="org.jboss.web.tomcat.tc5.StandardService" name="jboss.web">
      <Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" connectionTimeout="20000" disableUploadTimeout="true" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="250" minSpareThreads="25" port="9992" redirectPort="8443" scheme="http" strategy="ms"/>
      <Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="/home/rhythmyx/Rhythmyx/AppServer/server/rx/conf/rhythmyxkey.keystore" keystorePass="mypass" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>
      <Connector address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" port="10010" protocol="AJP/1.3" redirectPort="8443"/>

The installation of the Developer Tools on your client should target its own JRE within its folder structure. We found it necessary to specify the exact JRE in the Windows shortcut by specifying the target as

C:\Rhythmyx-6.5.2\RhythmyxWorkbench.exe -is:javahome "C:\Rhythmyx-6.5.2\JRE"

Note that your base directory is probably C:\Rhythmyx. We were in 6.5, then upgraded to 6.5.2, so I needed separate directories on my client.

I’m getting the same error messages. This is how I imported the signed certificate into the Rhythmyx server:

rhythmyx@cmsserver:~/Rhythmyx/JRE/bin> ./keytool -import -noprompt -trustcacerts -alias servercer -storepass changeit -file mysigned.csr -keystore /data/rhythmxcms/Rhythmyx/JRE/lib/security/cacerts
Certificate was added to keystore
rhythmyx@cmsserver:~/Rhythmyx/JRE/bin>

I also imported our university’s root certificate into the server and into my client machine:


C:\Rhythmyx\JRE\bin>keytool  -import -noprompt -trustcacerts -alias mysigned.csr -storepass changeit -file mysigned.csr -keystore C:\Rhythmyx\JRE\lib\security\cacerts
Certificate was added to keystore

C:\Rhythmyx\JRE\bin>keytool  -import -noprompt -trustcacerts -alias rootcer -storepass changeit -file myroot.cer -keystore C:\Rhythmyx\JRE\lib\security\cacerts
Certificate was added to keystore

C:\Rhythmyx\JRE\bin>

I assume that you are also using the shortcut that specifies which JRE (the Javahome directory) to use as indicated by Darrell?

If it’s the default JRE and not the one that is packaged with Rhythmyx for the client, then importing the cert in the default JRE location (e.g. C:\Program Files\Java…) would also work… but I highly recommend going the shortcut route.

Yes, I’m specifying the JRE in my Windows shortcut as indicated by Darrell. I also imported the certs into C:\Program Files\Java\ then restarted everything, with the same results.

It’s working now. With the help of Tech Support, I realized that I had failed to copy the keystore file from Rhythmyx/JRE/bin/myserver.keystore to Rhythmyx/AppServer/server/rx/conf/myserver.keystore, which is where it really belongs.
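
The check that would have caught the problem resolved above, as an added example that is not part of any post in this thread and not Percussion's code: a Python script that reads a server.xml, finds each HTTPS connector, and reports whether the file named in keystoreFile is actually present. The function names and the sample XML are constructed for illustration, modelled on the excerpt posted earlier.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's server.xml; KEYSTORE_PATH is substituted later.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="utf-8"?>
<Server>
   <Service className="org.jboss.web.tomcat.tc5.StandardService" name="jboss.web">
      <Connector address="${jboss.bind.address}" port="9992" scheme="http"/>
      <Connector address="${jboss.bind.address}" clientAuth="false" keystoreFile="KEYSTORE_PATH"
                 keystorePass="mypass" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>
   </Service>
</Server>
"""


def check_ssl_connectors(server_xml_text):
    """Return one finding per HTTPS connector: port, keystore path, status."""
    findings = []
    root = ET.fromstring(server_xml_text.encode("utf-8"))
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP or AJP connector, no keystore involved
        path = conn.get("keystoreFile")
        if not path:
            status = "keystoreFile not set"
        elif not os.path.isfile(path):
            status = "missing"  # the situation resolved at the end of the thread
        else:
            status = "ok"
        findings.append({"port": conn.get("port"), "keystoreFile": path, "status": status})
    return findings


def demo():
    """Check once with the keystore absent, then again after it is put in place."""
    with tempfile.TemporaryDirectory() as conf:
        ks = os.path.join(conf, "myserver.keystore")
        xml_text = SAMPLE_SERVER_XML.replace("KEYSTORE_PATH", ks)
        before = check_ssl_connectors(xml_text)
        with open(ks, "wb") as fh:
            fh.write(b"constructed placeholder, not a real keystore")
        after = check_ssl_connectors(xml_text)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("keystore absent", "keystore in place"), demo()):
        print(label, result)
```

Against a real installation, pass the contents of the server.xml named earlier in the thread to check_ssl_connectors and run it as the account that runs the server.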