ACS 5.5 secondary registration - Registration failed due to Invalid Certificate

russell_parker
Level 1

10 Replies

Amjad Abdullah
VIP Alumni

Hi,

Do you have the correct time configured on both servers?

If not, configure the correct time, then try generating a new SSC and try again.


HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

NTP is correctly configured on both systems, both receiving the time from the same source.

 

Rgds

 

Jatin Katyal
Cisco Employee
Accepted Solution
When you enable Trust Communication on your primary and secondary ACS instances and register the secondary instance with the primary, both the primary and secondary instances check each other's CA and server certificates. After the certificates are verified:
If the certificates in both the primary and secondary ACS instances are valid, the instances establish a secure tunnel between them and register the secondary instance to the primary.

I don't think it supports self-signed certificates; however, you can try installing the self-signed certificate of the primary in the secondary instance's CA store, and the self-signed certificate of the secondary in the primary instance's CA store.

For more information on this feature, please read: Trust communication in distributed deployment

Regards,
Jatin Katyal
*Do rate helpful posts*

~Jatin
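The two points raised in this thread (the peer certificate must chain to something in the local CA store, and both clocks must be right so the certificate is inside its validity window) can be reproduced outside ACS with the openssl CLI. The script below is an added example, not code from the thread or from Cisco ACS: it generates two self-signed node certificates (constructed here, not taken from real nodes), shows that each node rejects the other's certificate when it trusts only itself, and then shows that importing the peer's self-signed certificate into the local CA store, as suggested above, makes the check pass. The hostnames, file names, lifetimes and the `registration_check` function are assumptions for the demo, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco ACS. It uses the openssl CLI
# to reproduce the two checks a registering node effectively makes on its
# peer's server certificate: does it chain to a trust anchor in the local CA
# store, and is it inside its validity period. Names, subjects and lifetimes
# are assumptions for the demo; the certificates are generated here, not
# captured from real ACS nodes.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a self-signed cert + key for a node, as a fresh install ships with.
# $1 = node name, $2 = lifetime in days
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -days "$2" -subj "/CN=$1.example.com" >/dev/null 2>&1
}

# Concatenate PEM certs into one CA store file and print its path.
build_store() {
  cat "$@" > "$WORK/store.pem"
  echo "$WORK/store.pem"
}

# Check 1: does the peer cert chain to a trust anchor in the store?
# Matching ": OK" instead of relying on the exit code keeps this working on
# old OpenSSL releases where 'verify' returned 0 even on failure.
# 'verify' also rejects a cert whose notBefore is still in the future, which
# is what a certificate generated on a node with a fast clock looks like.
# $1 = CA store (PEM bundle), $2 = peer cert
peer_trusted() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Check 2: will the cert still be valid $2 seconds from now? (0 = right now)
# $1 = cert, $2 = seconds
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# The registration-time check from one node's point of view.
# $1 = my CA store, $2 = the peer's server cert. Returns 0 on acceptance.
registration_check() {
  if ! peer_trusted "$1" "$2"; then
    echo "Registration failed due to Invalid Certificate: $2 does not chain to $1"
    return 1
  fi
  if ! cert_valid_for "$2" 0; then
    echo "Registration failed due to Invalid Certificate: $2 has expired"
    return 1
  fi
  echo "$2 accepted"
}

demo() {
  gen_self_signed primary 365
  gen_self_signed secondary 365

  # Each node initially trusts only itself, so the peer's self-signed cert
  # is rejected: this is the failure from the thread title.
  if registration_check "$WORK/primary.pem" "$WORK/secondary.pem"; then
    echo "unexpected: untrusted self-signed cert accepted" >&2
    return 1
  fi

  # The workaround suggested above: import the peer's self-signed cert into
  # the local CA store (here, one bundle holding both). Now each direction
  # verifies and the secure tunnel could be set up.
  store=$(build_store "$WORK/primary.pem" "$WORK/secondary.pem")
  registration_check "$store" "$WORK/secondary.pem"
  registration_check "$store" "$WORK/primary.pem"

  # Print the validity window so a clock or expiry problem is visible before
  # you attempt the registration.
  openssl x509 -in "$WORK/secondary.pem" -noout -dates
}

demo
```

Run it as `sh check-trust.sh`; the first `registration_check` fails on purpose and the two after the store is built print `accepted`. To apply the same check against real nodes, point `peer_trusted` at the CA store you exported from one ACS instance and the server certificate exported from the other.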

Hi Jatin,

That is what I was beginning to believe.

To get around the problem, I turned off Trust Communications on both systems, and this then worked.

I may revisit the Trust at some later date.

I take your point about self-signed certificates, as these are probably not trusted by the systems by their very nature.

Many thanks for your help

That's right. When you turn off the trust, the certs will not come into the picture and you can register the nodes without having a secure tunnel. Let me know if you need more help on this.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

I have GeoTrust certs on the primary node and on the new secondary node I am trying to add. Do you know why I would still get this error?

Even with Trust OFF, you have secured communication between nodes (perhaps using a self-signed cert). However, your node will trust any certificate for communication (security risk).

 

How do I turn off the trust communications? I've run into the same issue while trying to register a secondary.

Cheers,

 

David

Ignore that... found it.

Step 1 Choose System Administration > Configuration > Global System Options > Trust Communication Settings.

Step 2 Un-Check the Enable Nodes Trust Communication check box.

Step 3 Click Submit.

 

Regards,

Jatin

~Jatin