Summary
This error can occur when a newer version of Java is configured to restrict certain cryptographic algorithms and the HPSA mesh in question was upgraded from a version in which those algorithms were still in use.
Error
When using CBT on a server that is not an HPSA slice server, you might end up getting an error like the following:
com.opsware.clients.intf.XMLRPCRemoteException: peer not authenticated
at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:196)
at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:127)
at com.opsware.clients.impl.XMLRPCClient.xmlrpc(XMLRPCClient.java:82)
at com.opsware.clients.impl.XMLRPCClient.invoke(XMLRPCClient.java:56)
at com.sun.proxy.$Proxy0.authenticate(Unknown Source)
at com.opsware.clients.impl.SpikeAuthenticator.renew(SpikeAuthenticator.java:61)
at com.opsware.clients.impl.SpikeAuthenticator.authenticate(SpikeAuthenticator.java:39)
at com.opsware.clients.config.Configurator.setUserToken(Configurator.java:218)
at com.opsware.clients.intf.APIFactory.initializeUserToken(APIFactory.java:84)
at com.opsware.cbt.apps.CBT.setupUserToken(CBT.java:693)
at com.opsware.cbt.apps.CBT.setupAPIFactory(CBT.java:797)
at com.opsware.cbt.apps.CBT.imprt(CBT.java:442)
at com.opsware.cbt.apps.CBT.main(CBT.java:239)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:470)
at HTTPClient.HTTPConnection.checkCert(HTTPConnection.java:3371)
at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3020)
at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2837)
at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2629)
at HTTPClient.HTTPConnection.ExtensionMethod(HTTPConnection.java:1425)
at HTTPClient.HttpURLConnection.connect(HttpURLConnection.java:806)
at HTTPClient.HttpURLConnection.getOutputStream(HttpURLConnection.java:628)
at com.loudcloud.spinclient.xmlrpc.MethodCall.executeInner(MethodCall.java:396)
at com.loudcloud.spinclient.xmlrpc.MethodCall.execute(MethodCall.java:341)
at com.opsware.clients.impl.XMLRPCClient.apply(XMLRPCClient.java:167)
... 12 more.
Cause
This error can occur when a newer version of Java is configured to restrict certain cryptographic algorithms and the HPSA mesh in question was upgraded from a version in which those algorithms were still in use.
For example, the current restrictions of Java 1.7, as specified in the "jre/lib/security/java.security" file, are:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, \
EC keySize < 224
If you attempt to access an upgraded HPSA mesh that is using MD5 or MD5withRSA, then this error will be triggered.
You can check the crypto algorithms used in your HPSA mesh's certificates with the following commands:
[root@slice0 ~]# openssl x509 -in /var/opt/opsware/crypto/twist/spog.pkcs8 -text -noout | grep Algorithm
Signature Algorithm: md5WithRSAEncryption
Public Key Algorithm: rsaEncryption
Signature Algorithm: md5WithRSAEncryption
[root@slice0 ~]# openssl x509 -in /var/opt/opsware/crypto/twist/opsware-ca.crt -text -noout | grep Algorithm
Signature Algorithm: md5WithRSAEncryption
Public Key Algorithm: rsaEncryption
Signature Algorithm: md5WithRSAEncryption
In the above case, the "MD5" algorithm is in use and will trigger the "peer not authenticated" error.
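The check above can be automated. The following is an added example (not part of the original article or of HPSA): a POSIX shell function that reads "openssl x509 -text -noout" output and reports which entries of a jdk.certpath.disabledAlgorithms value the certificate violates. The function name and the second sample are constructed for illustration, and the matching is a simplification of the JDK's own (digest names and "keySize <" rules only).

```shell
#!/bin/sh
# Added example (not HPSA or JDK code). Simplified matching: digest names
# and "<ALG> keySize < N" entries only.
# Usage: openssl x509 -in CERT -text -noout | check_cert_algs "$DISABLED"
# Prints one line per violated restriction; returns 1 if any was found.
check_cert_algs() {
    text=$(cat)
    # "md5WithRSAEncryption" -> "MD5" (xWithY signature names only)
    digest=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9]*\)[Ww]ith.*/\1/p' |
        head -n 1 | tr '[:lower:]' '[:upper:]')
    # "rsaEncryption" -> "RSA", "id-ecPublicKey" -> "EC"
    case $(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1) in
        rsa*) keytype=RSA ;;
        dsa*) keytype=DSA ;;
        *ec*) keytype=EC ;;
        *)    keytype= ;;
    esac
    # Key size appears only in full -text output, e.g. "Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    findings=$(printf '%s\n' "$1" | tr ',' '\n' |
        while read -r name kw op num; do
            if [ "$kw" = keySize ]; then
                if [ "$name" = "$keytype" ] && [ "$op" = "<" ] &&
                   [ -n "$bits" ] && [ "$bits" -lt "$num" ]; then
                    echo "key $keytype $bits bits violates '$name keySize < $num'"
                fi
            elif [ -n "$name" ] && [ "$name" = "$digest" ]; then
                echo "signature digest $digest is disabled"
            fi
        done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# jdk.certpath.disabledAlgorithms value from the page, continuation joined
DISABLED='MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224'
# Algorithm lines as printed for spog.pkcs8 on the page
PAGE_SAMPLE='Signature Algorithm: md5WithRSAEncryption
Public Key Algorithm: rsaEncryption
Signature Algorithm: md5WithRSAEncryption'
# Constructed sample: acceptable digest, undersized key
WEAK_KEY_SAMPLE='Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)'

printf '%s\n' "$PAGE_SAMPLE" | check_cert_algs "$DISABLED" || echo "rejected"
```

Feed the function the full "-text -noout" output rather than the grep-filtered lines if the key-size rules should be evaluated as well.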
Fix
There are three ways to resolve this problem:
(1) Use the same version of Java that is in use on the core. For example, HPSA 10.20 uses "1.7.0_21-b11". You can find the current version by running "/opt/opsware/jdk1.7/java -version" or "/opt/opsware/openjdk/bin/java -version".
(2) Edit the "jre/lib/security/java.security" file of your newer Java bundle and remove the MD5 restrictions.
(3) Regenerate the certificates of the HPSA mesh so that it does not use restricted crypto algorithms.