https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726560#M54365 <P>It seems our Internal CA is unable to start because of a missing keystore password file. We tried disabling/enabling the Internal CA which did not help. We'd like to regenerate the Internal CA certificate, but we are getting a&nbsp;"No message defined" error, presumably because the CA service is not running properly. Anyone know of a way to force ISE to generate the missing file?</P><P>&nbsp;</P><DIV>[2015-05-26 16:13:11,582] [] [WARN]</DIV><DIV>could not read from /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt</DIV><DIV>java.io.FileNotFoundException: /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)</DIV><DIV>at java.io.RandomAccessFile.open(Native Method)</DIV><DIV>at java.io.RandomAccessFile.&lt;init&gt;(Unknown Source)</DIV><DIV>at java.io.RandomAccessFile.&lt;init&gt;(Unknown Source)</DIV><DIV>at com.cisco.cpm.caservice.DataUtil.loadFile(DataUtil.java:83)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;init&gt;(CaStore.java:67)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;clinit&gt;(CaStore.java:60)</DIV><DIV>at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)</DIV><DIV>[2015-05-26 16:13:11,598] [] [WARN]</DIV><DIV>could not initialize KeyStore</DIV><DIV>com.cisco.cpm.caservice.CARuntimeException: java.lang.NullPointerException</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:155)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;init&gt;(CaStore.java:67)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;clinit&gt;(CaStore.java:60)</DIV><DIV>at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)</DIV><DIV>Caused by: java.lang.NullPointerException</DIV><DIV>at java.lang.String.&lt;init&gt;(Unknown Source)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)</DIV><DIV>... 4 more</DIV> Mon, 11 Mar 2019 05:59:16 GMT smp 2019-03-11T05:59:16Z https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726560#M54365 <P>It seems our Internal CA is unable to start because of a missing keystore password file. We tried disabling/enabling the Internal CA which did not help. We'd like to regenerate the Internal CA certificate, but we are getting a&nbsp;"No message defined" error, presumably because the CA service is not running properly. Anyone know of a way to force ISE to generate the missing file?</P><P>&nbsp;</P><DIV>[2015-05-26 16:13:11,582] [] [WARN]</DIV><DIV>could not read from /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt</DIV><DIV>java.io.FileNotFoundException: /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)</DIV><DIV>at java.io.RandomAccessFile.open(Native Method)</DIV><DIV>at java.io.RandomAccessFile.&lt;init&gt;(Unknown Source)</DIV><DIV>at java.io.RandomAccessFile.&lt;init&gt;(Unknown Source)</DIV><DIV>at com.cisco.cpm.caservice.DataUtil.loadFile(DataUtil.java:83)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;init&gt;(CaStore.java:67)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;clinit&gt;(CaStore.java:60)</DIV><DIV>at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)</DIV><DIV>[2015-05-26 16:13:11,598] [] [WARN]</DIV><DIV>could not initialize KeyStore</DIV><DIV>com.cisco.cpm.caservice.CARuntimeException: java.lang.NullPointerException</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:155)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;init&gt;(CaStore.java:67)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.&lt;clinit&gt;(CaStore.java:60)</DIV><DIV>at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)</DIV><DIV>Caused by: java.lang.NullPointerException</DIV><DIV>at java.lang.String.&lt;init&gt;(Unknown Source)</DIV><DIV>at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)</DIV><DIV>... 4 more</DIV> Mon, 11 Mar 2019 05:59:16 GMT https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726560#M54365 smp 2019-03-11T05:59:16Z https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726561#M54366 <P>Hi Scott,</P><P>&nbsp;</P><P>I see a similar issue being reported after an internal search and a DDTS was opened:</P><P><FONT style="font-size: large;"><B><A href="https://cdetsng.cisco.com/webui/#view=CSCus54289">CSCus54289</A></B></FONT><A href="http://wwwin.cisco.com/ops/infra/pds/cbms/cdets/legend.shtml" target="_blank" title="Help"><FONT size="1"><IMG border="0" height="15" src="http://cdetsweb-prd.cisco.com/apps/files/xslt/help.png" width="15" /></FONT></A> &nbsp;&nbsp;&nbsp;<FONT style="font-size: large;"><B>OCSP Services not running and Internal CA certs missing post 1.3 upgrade</B></FONT></P><P><FONT style="font-size: large;"><B>Workaround- Reimage the device with 1.3 and that resolved the issue.</B></FONT></P><P><FONT style="font-size: large;"><B>Regards,</B></FONT></P><P><FONT style="font-size: large;"><B>Kanwal</B></FONT></P><P><FONT style="font-size: large;"><B>Note: Please mark answers if they are helpful.</B></FONT></P> Tue, 18 Aug 2015 19:12:29 GMT https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726561#M54366 Kanwaljeet Singh 2015-08-18T19:12:29Z https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726562#M54367 <P>Thank you for the response Kanwal, but I sure want to avoid reimaging the device. Our deployment is pretty large, and would cause quite a disruption in service. I'm pursuing a couple of different avenues ATM, but that bug number will be a helpful reference. I will post something back if I find a successful alternative.</P> Wed, 19 Aug 2015 13:14:27 GMT https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726562#M54367 smp 2015-08-19T13:14:27Z https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726563#M54368 <P>We were able to fix this after some conversation between our Solution Architect and a BU engineer, without re-imaging the device. At a high level:</P><UL><LI>Install root patch</LI><LI>Remove three security db files</LI><LI>restart the internal CA service (which generates the missing password file)</LI><LI>restart the Tomcat service</LI></UL> Wed, 19 Aug 2015 18:28:15 GMT https://community.cisco.com/t5/network-access-control/error-starting-internal-ca-on-ise-1-3-patch-4/m-p/2726563#M54368 smp 2015-08-19T18:28:15Z