topic Re: "Unable to insert secret into keystore" error when enabl in Network Access Control

"Unable to insert secret into keystore" error when enabling TrustSec

rezaalikhani — Sat, 27 Jan 2024 08:46:59 GMT

Hi all;

I have several Catalyst 9200L switches (version 17.09.04a) and want to implement Cisco TrustSec on them, followed by integrating them with Cisco ISE. At the initial step, upon executing the 'cts credentials id' command, the following log messages are displayed:

Unable to insert secret into keystore.

%KEYSTORE-3-NO_KEYSTORE: CTS hardware keystore is not responsive and software emulation is not enabled.

I searched Google, but unfortunately, I did not find useful information.

My questions are:

Does the message pertain to any malfunctioning hardware on the device?
How can I enable software emulation for the same purpose of hardware keystore?
Does this problem relate to the current license of the device?

Thanks

Re: "Unable to insert secret into keystore" error when enabl

Mark Elsen — Sat, 27 Jan 2024 11:45:11 GMT

- Ref : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/16_xe/smg/xe-16-10/b-sem-16-10-1/b-sem-16-10-1_chapter_0100.html
>...

%KEYSTORE-3-NO_KEYSTORE : CTS hardware keystore is not responsive and software emulation is not enabled.
Explanation	The CTS hardware keystore on the switch has failed and needs to be inspected. Since CTS credentials are stored in the keystore, this means that CTS authentication and authorization operations will fail. The following action is recommended: If the defect is shown on the Active Supervisor, try to switchover to Standby Supervisor. If the defect is shown on Standby Supervisor, try to reset the Standby. If the defect persists, there may be damage to the hardware keystore chip, please take appropriate action. In the meantime, you can configure the switch to use software keystore emulation. After you have enabled software keystore emulation, please re-configure CTS credentials to populate the software keystore.

%KEYSTORE-3-NO_KEYSTORE : CTS hardware keystore is not responsive and software emulation is not enabled.

Explanation

The CTS hardware keystore on the switch has failed and needs to be inspected. Since CTS credentials are stored in the keystore, this means that CTS authentication and authorization operations will fail. The following action is recommended: If the defect is shown on the Active Supervisor, try to switchover to Standby Supervisor. If the defect is shown on Standby Supervisor, try to reset the Standby. If the defect persists, there may be damage to the hardware keystore chip, please take appropriate action. In the meantime, you can configure the switch to use software keystore emulation. After you have enabled software keystore emulation, please re-configure CTS credentials to populate the software keystore.

Re: "Unable to insert secret into keystore" error when enabl

rezaalikhani — Sat, 27 Jan 2024 12:07:03 GMT

Thanks for your reply;

I have reviewed this resource, and as you can see, there are many unanswered questions regarding this problem.

Re: "Unable to insert secret into keystore" error when enabl

Mark Elsen — Sat, 27 Jan 2024 12:29:12 GMT

- Check the output of : # show cts keystore

Re: "Unable to insert secret into keystore" error when enabl

rezaalikhani — Sat, 27 Jan 2024 13:14:19 GMT

Thanks for your reply;

Re: "Unable to insert secret into keystore" error when enabl

Mark Elsen — Sat, 27 Jan 2024 14:22:37 GMT

- Check if you can execute this procedure on your platform too :
https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#77849

Re: "Unable to insert secret into keystore" error when enabl

rezaalikhani — Sun, 28 Jan 2024 09:22:54 GMT

As you can see below, the device does not have the ability to use emulated keystore:

I think the problem is related to my device license. As you can see below, the device does not have Network Advantage license which is required to support SGT, based on the following Cisco's document:

https://www.cisco.com/c/m/en_us/products/software/dna-subscription-switching/en-sw-sub-matrix-switching.html

Re: "Unable to insert secret into keystore" error when enabl

rezaalikhani — Sat, 24 Feb 2024 14:46:12 GMT

@Mark Elsen Your solution also clearly stated below for Catalyst 9200 switches:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/cts/b_1612_cts_9200_cg/configuring_sgt_mapping.html#reference_y5s_cn1_cjb

Re: "Unable to insert secret into keystore" error when enabl

DamianRCL — Mon, 11 Mar 2024 13:25:03 GMT

Rez,

Did you obtain the Network Advantage License? did it resolve your problem?

Re: "Unable to insert secret into keystore" error when enabl

rezaalikhani — Tue, 12 Mar 2024 07:02:29 GMT

Unfortunately not for now but will be soon. If so i will update this post.

Re: "Unable to insert secret into keystore" error when enabl

MikeMoss — Tue, 28 Jan 2025 22:32:18 GMT

I had this exact same issue, with all the same results people posted above. I wanted to confirm/let others know that my C9200 switch was also using a DNA Essentials license. I upgraded the device's license to Advantage from within Catalyst Center and once the device restarted the command(s) worked as they should.