"peer not authenticated" when using TCKEYGEN

  • 3273063
  • 31-Aug-2007
  • 26-Apr-2012

Environment

Novell Tomcat on NetWare 4.0
Novell NetWare 6.5

Situation

The following error is encountered on the LOGGER screen after running TCKEYGEN:

Exporting the Host certificate from:localhost
Error importing certificate to keystore: sys:\adminsrv\conf\.keystore
com.novell.ecb.CommandException: peer not authenticated
at com.novell.ecb.security.RetrieveHostCertificates.retrieveHostCertificates(Unknown Source)
at com.novell.ecb.security.RetrieveHostCertificates.execute(Unknown Source)
at com.novell.application.tomcat.util.EDirectoryIntegrator.retrieveAllHostCertificates(EDirectoryIntegrator.java:942)
at com.novell.application.tomcat.util.EDirectoryIntegrator.performKeystoreWork(EDirectoryIntegrator.java:888)
at com.novell.application.tomcat.util.EDirectoryIntegrator.integrate(EDirectoryIntegrator.java:526)
at com.novell.application.tomcat.util.EDirectoryIntegrator.main(EDirectoryIntegrator.java:122)

Resolution

The error is a result of the LDAP server not meeting the conditions TCKEYGEN needs in order to retrieve the host certificate over SSL (rights on the LDAP Server object, the client-certificate setting, and the key material the server presents). It should be resolvable using the following process:
  1. Open the "LDAP Server - SERVERNAME" object using ConsoleOne.
  2. Click the "NDS Rights" tab (the sub tab should be "Trustees of this Object").
  3. Ensure that the NCP Server object is listed as a trustee. If not, add it.
  4. Select the NCP Server object in the trustee list and click "Assigned Rights".
  5. Ensure that "[All Attributes Rights]" is in the property list, and that the assigned rights are "Supervisor", "Compare", "Read", "Write", and "Add Self". In short, all rights should be granted.
  6. Ensure that "[Entry Rights]" is in the property list, and that all assigned rights are granted (i.e., "Supervisor", "Browse", "Create" (should be grayed out), "Rename", and "Delete" should all be checked).
  7. Click "OK".
  8. Click the "SSL/TLS Configuration" tab.
  9. Ensure that "Client Certificate" is set to "Not Requested" (or "Requested") and not "Required". "Required" makes NLDAP reject any client that does not present a certificate of its own, which breaks the handshake before the host certificate can be exported.
  10. Populate the SSL Certificate field with the server's "SSL CertificateDNS" object, even if you are not requiring SSL. This is the key material NLDAP presents during the handshake; without it there is no server certificate for TCKEYGEN to retrieve.
  11. Apply the settings. Unloading and reloading the NLDAP module ensures that it has picked up the new configuration.
  12. Rerun the TCKEYGEN utility.

Additional Information

"Peer not authenticated" is an SSL error raised while the SSL session is being established; it is the message carried by Java's javax.net.ssl.SSLPeerUnverifiedException, which the Novell command wrapper in the trace above rethrows as a CommandException. If the certificate itself is valid and the error still occurs, the cause is usually on NLDAP's side of the handshake: a parameter it needs is missing, often because the server object lacks the rights to read its own SSL configuration (hence steps 3 to 6 above). In practice the message means "the client could not validate a certificate, either because the peer presented no certificate at all or because the certificate was issued by an authority the client does not trust".
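The following added example is not Novell code and not part of this TID. It probes an LDAPS listener the way the Java client behind TCKEYGEN does (open a TLS session, then ask for the peer certificate) and maps what happens onto the two causes described above: the server never presents usable key material, or it presents a certificate that does not chain to a trusted CA. The host name, port 636 and the CA bundle path are assumptions; supply your own for a real server.

```python
"""Probe an LDAPS port and say which "peer not authenticated" cause applies.

Added example, not Novell's code. Host, port and CA bundle are assumptions.
"""
import socket
import ssl
from typing import Optional


def classify(connected: bool, handshake_error: Optional[str],
             verify_error: Optional[str]) -> str:
    """Map the raw facts from a probe onto the causes this TID describes."""
    if not connected:
        # Nothing answered on the port: NLDAP not loaded, or its SSL port disabled.
        return "no-listener"
    if handshake_error is not None:
        # TCP connected but TLS never completed. Two common reasons here:
        # the LDAP Server object has no SSL Certificate (key material) to sign
        # with, or "Client Certificate" is set to "Required" and we sent none.
        return "handshake-failed"
    if verify_error is not None:
        # A certificate was sent but does not chain to a CA in our bundle
        # (the "invalid certificate authority" half of the explanation).
        return "untrusted-issuer"
    return "ok"


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Connect, run a verified TLS handshake, and record what went wrong."""
    facts = {"connected": False, "handshake_error": None,
             "verify_error": None, "cipher": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        facts["verdict"] = classify(facts["connected"], facts["handshake_error"],
                                    facts["verify_error"])
        return facts
    facts["connected"] = True
    # Default context: CERT_REQUIRED plus hostname check, like a strict JSSE
    # trust manager. cafile is the CA that signed "SSL CertificateDNS".
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            facts["cipher"] = tls.cipher()[0]
    except ssl.SSLCertVerificationError as e:
        # The server did send a Certificate message; only validation failed.
        facts["verify_error"] = e.verify_message
    except ssl.SSLError as e:
        # Alert or protocol failure before a session existed.
        facts["handshake_error"] = e.reason or str(e)
    except OSError as e:
        # Peer closed the connection mid-handshake (also a failed handshake).
        facts["handshake_error"] = str(e)
    finally:
        raw.close()
    facts["verdict"] = classify(facts["connected"], facts["handshake_error"],
                                facts["verify_error"])
    return facts


if __name__ == "__main__":
    # Assumed server name and CA file; replace with your own.
    print(probe_ldaps("ldap.example.com", 636, cafile="eDirRootCA.pem"))
```

Run it against the server that TCKEYGEN failed against. A "handshake-failed" verdict points at steps 9 and 10 above (client certificate set to "Required", or no SSL Certificate populated); "untrusted-issuer" means the server is fine and the problem is the CA the client trusts; "no-listener" means NLDAP is not serving SSL on that port at all, so reload the module before looking at rights.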

Change Log

Added step 10, "Populate the SSL Certificate field with the server's "SSL CertificateDNS" object, even if you are not requiring SSL", per SR# 10497575951.