"peer not authenticated" error when using CBT.

  • KM02762719
  • 29-Mar-2017
  • 09-Apr-2021

Summary

This error can occur when a newer version of Java is used that is configured to restrict certain cryptographic algorithms, and the HPSA mesh in question was upgraded from a version in which those restricted algorithms were still in use.

Error

When using CBT on a server that is not an HPSA slice server, you might end up getting an error like the following:

 
com.opsware.clients.intf.XMLRPCRemoteException: peer not authenticated
    at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:196)
    at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:127)
    at com.opsware.clients.impl.XMLRPCClient.xmlrpc(XMLRPCClient.java:82)
    at com.opsware.clients.impl.XMLRPCClient.invoke(XMLRPCClient.java:56)
    at com.sun.proxy.$Proxy0.authenticate(Unknown Source)
    at com.opsware.clients.impl.SpikeAuthenticator.renew(SpikeAuthenticator.java:61)
    at com.opsware.clients.impl.SpikeAuthenticator.authenticate(SpikeAuthenticator.java:39)
    at com.opsware.clients.config.Configurator.setUserToken(Configurator.java:218)
    at com.opsware.clients.intf.APIFactory.initializeUserToken(APIFactory.java:84)
    at com.opsware.cbt.apps.CBT.setupUserToken(CBT.java:693)
    at com.opsware.cbt.apps.CBT.setupAPIFactory(CBT.java:797)
    at com.opsware.cbt.apps.CBT.imprt(CBT.java:442)
    at com.opsware.cbt.apps.CBT.main(CBT.java:239)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:470)
    at HTTPClient.HTTPConnection.checkCert(HTTPConnection.java:3371)
    at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3020)
    at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2837)
    at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2629)
    at HTTPClient.HTTPConnection.ExtensionMethod(HTTPConnection.java:1425)
    at HTTPClient.HttpURLConnection.connect(HttpURLConnection.java:806)
    at HTTPClient.HttpURLConnection.getOutputStream(HttpURLConnection.java:628)
    at com.loudcloud.spinclient.xmlrpc.MethodCall.executeInner(MethodCall.java:396)
    at com.loudcloud.spinclient.xmlrpc.MethodCall.execute(MethodCall.java:341)
    at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:167)
    ... 12 more.

Cause

This error can occur when a newer version of Java is used that is configured to restrict certain cryptographic algorithms, and the HPSA mesh in question was upgraded from a version in which those restricted algorithms were still in use.
 
For example, the current restrictions of Java 1.7, as specified by the "jre/lib/security/java.security" file, are:
 
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, EC keySize < 224
 
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
    EC keySize < 224
 
If you attempt to access an upgraded HPSA mesh that is using MD5 or MD5withRSA, then this error will be triggered.
 
You can check the crypto algorithms used in your HPSA mesh's certificates with the following commands:
 
[root@slice0 ~]# openssl x509 -in /var/opt/opsware/crypto/twist/spog.pkcs8 -text -noout | grep Algorithm
        Signature Algorithm: md5WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: md5WithRSAEncryption
 
[root@slice0 ~]# openssl x509 -in /var/opt/opsware/crypto/twist/opsware-ca.crt -text -noout | grep Algorithm
        Signature Algorithm: md5WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: md5WithRSAEncryption
 
In the above case, the "MD5" algorithm is in use and will trigger the "peer not authenticated" error.
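
The comparison above can be scripted. This is an added example, not part of the original article or of HPSA: it reads the disabledAlgorithms lists from java.security text (joining the backslash continuations) and reports which entries a certificate would match, given the signature algorithm name that openssl prints. The function names and the key sizes passed in are assumptions, and the matching only approximates what the JDK does.

```python
import re

# Constructed sample: the Java 1.7 restrictions quoted in this article.
JAVA_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
"""

def disabled_algorithms(text, prop="jdk.certpath.disabledAlgorithms"):
    """Entries of a java.security list property, joining '\\' continuations."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    for line in joined.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#") and key.strip() == prop:
            return [e.strip() for e in value.split(",") if e.strip()]
    return []

def norm(name):
    return name.replace("-", "").upper()

def violations(openssl_sig_alg, key_alg, key_bits, disabled):
    """Disabled entries matched by one certificate.

    openssl_sig_alg is a name as printed by `openssl x509 -text`, e.g.
    md5WithRSAEncryption. It is split into digest and key algorithm, and each
    part is compared case-insensitively (an approximation of the JDK's matching).
    """
    parts = re.split(r"(?i)with", openssl_sig_alg.replace("-", ""), maxsplit=1)
    parts = [norm(re.sub(r"(?i)encryption$", "", p)) for p in parts]
    java_name = "WITH".join(parts)          # e.g. MD5WITHRSA
    hits = []
    for entry in disabled:
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|<)\s*(\d+)", entry)
        if m:                                # key-size constraint entry
            alg, op, limit = norm(m.group(1)), m.group(2), int(m.group(3))
            too_small = key_bits < limit or (op == "<=" and key_bits == limit)
            if alg == norm(key_alg) and too_small:
                hits.append(entry)
        elif norm(entry) in parts or norm(entry) == java_name:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    certpath = disabled_algorithms(JAVA_SECURITY)
    # Algorithm names from the openssl output above; 2048 bits is an assumed key size.
    print(violations("md5WithRSAEncryption", "RSA", 2048, certpath))
```

A non-empty result means the certificate matches a restriction in the list that was checked.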

Fix

There are three ways to resolve this problem:
 
(1) Use the same version of Java that is in use on the core.  For example, HPSA 10.20 is using "1.7.0_21-b11".  You can find out the current version by running "/opt/opsware/jdk1.7/java -version" or "/opt/opsware/openjdk/bin/java -version".
 
(2) Edit the "jre/lib/security/java.security" file of your newer Java bundle and remove the MD5 restrictions.
 
(3) Regenerate the certificates of the HPSA mesh so that it does not use restricted crypto algorithms.