Peer not authenticated: SSL problems

After setting up SSL, I’m able to connect to the Content Explorer using https: and port 9443 (though publishing is a problem). But when I try to connect to the Workbench, Server Administrator, or Multi-Server Manager, using port 9443 and ticking/checking the “Use SSL” box, I get the message that “An unexpected error has occurred: peer not authenticated” or “Server error: could not connect to server (” Should I be trying this?

You should be able to connect those client applications via SSL. What product version and patch level are you on?

Rhythmyx 6.5.2 and patch RX-13277

I can log in on port 9992 as usual, but not 9443.

Have you imported your SSL cert to java (Rhythmyx\JRE\lib\security\cacerts) using keytool?


In the connector for port 9943, you’ll need to specify the keystore and keystore pass. Another useful note, is that if you used a password on the cert, then the password on the keystore must match the cert password.

And, as Jit said, you also have to import your cert into ~/Rhythmyx/JRE/lib/security/cacerts

That should be enough, after restart, to get CX over SSL. If you want the Server Admin tool, Workbench, etc. to also connect, you’ll need to import your cert into the JRE/lib/security/cacerts on the client machine.

Oh, I was already able to connect to CX (though I get an error when publishing). But I hadn’t imported the cert into my local client machine using keytool as I had into my servers. Yet even after doing that, rebooting and restarting, I can use port 9443 only for Content Explorer, not for MSM, Workbench, or Server Administrator.

Here is the first part of my server.xml file:

<?xml version="1.0" encoding="utf-8"?>
   <Service className="org.jboss.web.tomcat.tc5.StandardService" name="jboss.web">
      <Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" connectionTimeout="20000" disableUploadTimeout="true" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="250" minSpareThreads="25" port="9992" redirectPort="8443" scheme="http" strategy="ms"/>
      <Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="/home/rhythmyx/Rhythmyx/AppServer/server/rx/conf/rhythmyxkey.keystore" keystorePass="mypass" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>
      <Connector address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" port="10010" protocol="AJP/1.3" redirectPort="8443"/>

The installation of the Developer Tools on your client should target its own JRE within its folder structure. We found it necessary to specify the exact JRE in the Windows shortcut by specifying the target as

C:\Rhythmyx-6.5.2\RhythmyxWorkbench.exe -is:javahome “C:\Rhythmyx-6.5.2\JRE”

Note that your base directory is probably C:\Rhythmyx. We were in 6.5, then upgraded to 6.5.2, so I needed separated directories on my client.

I’m getting the same error messages. This is how I imported the signed certificate into the Rhythmyx server:

rhythmyx@cmsserver:~/Rhythmyx/JRE/bin> ./keytool -import -noprompt -trustcacerts -alias servercer -storepass changeit -file mysigned.csr -keystore /data/rhythmxcms/Rhythmyx/JRE/lib/security/cacerts
Certificate was added to keystore

I also imported our university’s root certificate into the server and into my client machine:

C:\Rhythmyx\JRE\bin>keytool  -import -noprompt -trustcacerts -alias mysigned.csr -
storepass changeit -file mysigned.csr -keystore C:\Rhythmyx\JRE\lib\securi
Certificate was added to keystore

C:\Rhythmyx\JRE\bin>keytool  -import -noprompt -trustcacerts -alias rootcer -st
orepass changeit -file myroot.cer -keystore C:\Rhythmyx\JRE\lib\security\cacerts
Certificate was added to keystore


I assume that you are also using the shortcut that specifies which JRE (the Javahome directory) to use as indicated by Darrell?

If its the default JRE and not the one that is packages with Rhythmyx for the client, then importing the cert in the default JRE location (eg. C:\Program Files\Java…) would also work…but i highly recommend going the shortcut route.

Yes, I’m specifying the JRE in my Windows shortcut as indicated by Darrell. I also imported the certs into C:\Program Files\Java\ then restarted everything, with the same results.

It’s working now. With the help of Tech Support, I realized that I had failed to copy the keystore file from Rhythmyx/JRE/bin/myserver.keystore to
Rhythmyx/AppServer/server/rx/conf/myserver.keystore which is where it really belongs.