Export ISE https-admin CA certificates from old to new ISE system

James.Sakey1
Level 1

We are upgrading ISE from Version 2.2 (Hardware - SNS-3495-K9) to Version 2.7 (New hardware - SNS-3695-K9) using the Backup/Restore Upgrade Method.

I have a query regarding the Export and Import of certificates.

The Export process from the OLD Version/Hardware is as follows:

1/ We received the below warnings. Is this cosmetic and not to worry about?

log4j:WARN No appenders could be found for logger (org.springframework.core.env.StandardEnvironment).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

2/ We received the below audit message from the current SAN. Is this an issue?

AuditMessage: 34149: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=HTTPS connection failed to host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown
AuditMessage: 34151: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=Certificate Validation failed for host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown
AuditMessage: 34151: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=Certificate Validation failed for host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown

3/ The main question I have is that the OLD ISE system has particular HOST names and IP addresses and the NEW ISE system, obviously, has a different set of HOST names and IP addresses.

With importing the certificates into the NEW ISE System, is there an issue due to the HOST names?

4/ What about the ‘System Certificates’?


PARAS01/admin# application configure ise

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Reset Context Visibility
[20]Synchronize Context Visibility With Database
[21]Exit

7
Export Repository Name: pavm-mgftp
Enter encryption-key for export: PeterMac2718
CSCux10404 - ISE 2.0 WARN displayed when ... - Cisco Bug

log4j:WARN No appenders could be found for logger (org.springframework.core.env.StandardEnvironment).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Integritycheck Openssl digest output from verification with Swims release key: Verified OK
Integritycheck Output: Verified signature of integritycheck program with Swims release key
Integritycheck Output: Verified signature of integritycheck.sums file with Swims release key
Integritycheck PASSED
Inside Session facade init
In the init method of PDPFacade
AuditMessage: 34149: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=HTTPS connection failed to host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown
Time taken for NSFAdminServiceFactory to load3428
AuditMessage: 34151: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=Certificate Validation failed for host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown
AuditMessage: 34151: AdminAudit.AcsInstance=STRAS01.petermac.org.au, AdminAudit.OperationMessageText=Certificate Validation failed for host: STRAS01.petermac.org.au, AdminAudit.AdminName=Unknown
Export in progress...

The following 5 CA key pairs were exported to repository 'pavm-mgftp' at 'ise_ca_key_pairs_of_PARAS01':
        Subject:CN=Certificate Services Root CA - PARAS01
        Issuer:CN=Certificate Services Root CA - PARAS01
        Serial#:0x5c389a5d-22a94f6e-99dfe975-238446f0

        Subject:CN=Certificate Services Node CA - PARAS01
        Issuer:CN=Certificate Services Root CA - PARAS01
        Serial#:0x499066cb-7b754f23-8d103464-094985fc

        Subject:CN=Certificate Services Endpoint Sub CA - PARAS01
        Issuer:CN=Certificate Services Root CA - PARAS01
        Serial#:0x0890523a-643f465d-83f6610a-c572cbf1

        Subject:CN=Certificate Services Endpoint RA - PARAS01
        Issuer:CN=Certificate Services Endpoint Sub CA - PARAS01
        Serial#:0x18822fbb-6cce4146-99da13b8-a4bbe162

        Subject:CN=Certificate Services OCSP Responder - PARAS01
        Issuer:CN=Certificate Services Root CA - PARAS01
        Serial#:0x525e259d-f5d443d4-8f69d185-d59b741a

ISE CA keys export completed successfully

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Reset Context Visibility
[20]Synchronize Context Visibility With Database
[21]Exit

21

PARAS01/admin# sh vers

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.2.219
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2014 by Cisco Systems, Inc.
All rights reserved.
Hostname: PARAS01

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.2.0.470
Build Date   : Thu Jan 26 13:52:23 2017
Install Date : Sat Feb 27 23:08:03 2021

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 17
Install Date : Mon Mar 08 05:11:20 2021

PARAS01/admin#

PARAS01/admin# show inventory

NAME: "SNS-3495-K9 chassis", DESCR: "SNS-3495-K9 chassis"
PID: SNS-3495-K9       , VID: A0  , SN: FCH1911V002
Total RAM Memory: 32649964 kB
CPU Core Count: 8
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 4: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 5: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 6: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 7: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 599.00 GB
NIC Count: 4
NIC 0: Device Name: eth0:
NIC 0: HW Address: b0:aa:77:60:61:dc
NIC 0: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 1: Device Name: eth1:
NIC 1: HW Address: b0:aa:77:60:61:dd
NIC 1: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 2: Device Name: eth2:
NIC 2: HW Address: 00:0a:f7:79:1d:40
NIC 2: Driver Descr: QLogic BCM5706/5708/5709/5716 Driver
NIC 3: Device Name: eth3:
NIC 3: HW Address: 00:0a:f7:79:1d:42
NIC 3: Driver Descr: QLogic BCM5706/5708/5709/5716 Driver

(*) Hard Disk Count may be Logical.
PARAS01/admin#

 

 

1 Reply

Arne Bier
VIP

Hello @James.Sakey1

 

It's a long thread and I didn't delve into the debugs (especially not at the Apache level). When doing an upgrade via a config backup restore file, AND (and this is the crux of it) your new ISE nodes have a different FQDN, then you should not restore the old system certs onto the new nodes. When the new ISE 2.7 nodes are built, they will come out of the box with self-signed certs. If I were you, I'd replace each node's Admin cert with a signed certificate, e.g. *.petermac.org.au (if, of course, the ISE nodes' FQDNs use that exact same DNS domain). It doesn't have to be a wildcard cert, but you get the point: install an individual per-node cert, or a single cert that contains ALL the FQDNs in the cert's SAN. If you don't want to cough up for a public signed cert, then create the new ISE Admin cert with your internal PKI.

The only time I would care about restoring any certs from an old ISE node is if you have implemented ISE BYOD (i.e. the Cisco ISE specific BYOD onboarding, where the internal ISE CA hierarchy was used to generate the client certs): you would have to install that entire CA chain into the new ISE Trusted Certs to allow BYOD (EAP-TLS) clients to connect (because their certs were generated by the old internal CA).

Perhaps there is a smarter way to do this, but I don't believe you can overwrite the new ISE Internal CA certs with those of an old ISE system. The new ISE internal CA is based on a completely new Root CA which is generated on the PRIMARY ISE node (your master node).

Oh, obviously you could/might want to re-use any portal certificates (e.g. from a public CA) in the new ISE node. That's easily exported via the GUI of the old PAN.

And if you're doing EAP on the new ISE deployment, then you should really create new EAP System certs to reflect the FQDN of the new nodes. I have not seen many supplicants that validate the FQDN in the EAP System cert, but Android 10+ and Windows have the ability to perform that check; if you re-use the old EAP System certs, then clients will reject EAP negotiation with the new PSNs.

 

Hope that makes sense.
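The FQDN point in the reply above (an Admin or EAP cert must name the new nodes; a wildcard such as *.petermac.org.au only helps if every node sits directly under that domain; otherwise use per-node certs or one cert with all FQDNs in its SAN) can be checked before anything is imported. The script below is an added example, not code from this thread or from Cisco. It applies the usual hostname-matching rules to a certificate's CN and SAN dNSName entries and reports which new-node FQDNs a candidate certificate would fail to cover. The certificate names here are constructed lists (in practice you would paste in what `openssl x509 -noout -text` prints for Subject and X509v3 Subject Alternative Name); the old node names come from the thread, and the new node FQDNs are hypothetical.

```python
"""Check whether a candidate ISE Admin/EAP certificate covers the new node FQDNs.

Added example, not part of the forum thread. The certificate name lists are
constructed; the new-node FQDNs are hypothetical.
"""


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Comparison is case-insensitive. A wildcard is honoured only when it is the
    entire leftmost label and there are at least two labels after it, and it
    matches exactly one label: '*.petermac.org.au' covers 'x.petermac.org.au'
    but neither 'petermac.org.au' nor 'x.dc2.petermac.org.au'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cn, san_dns, hostname):
    """True if the certificate names cover hostname.

    Validators that honour SANs use only the dNSName entries when any are
    present; the CN is a legacy fallback for certificates with no SAN.
    """
    names = san_dns if san_dns else [cn]
    return any(name_matches(name, hostname) for name in names)


def uncovered_nodes(cn, san_dns, node_fqdns):
    """Return the node FQDNs this certificate does not name (empty is good)."""
    return [fqdn for fqdn in node_fqdns if not cert_covers(cn, san_dns, fqdn)]


# Hypothetical FQDNs of the new 2.7 nodes (constructed for this example).
# The third node deliberately lives one DNS level deeper.
NEW_NODES = [
    "ise-pan1.petermac.org.au",
    "ise-psn1.petermac.org.au",
    "ise-psn2.dc2.petermac.org.au",
]

# Three candidate certificates, described as (CN, SAN dNSName list).
CANDIDATES = {
    # The old 2.2 system cert, restored from backup: names the old nodes only.
    "old-system-cert": ("PARAS01.petermac.org.au",
                        ["PARAS01.petermac.org.au", "STRAS01.petermac.org.au"]),
    # A wildcard cert for the domain, as suggested in the reply.
    "wildcard-cert": ("*.petermac.org.au", ["*.petermac.org.au"]),
    # One cert listing every new node in its SAN.
    "multi-san-cert": ("ise-pan1.petermac.org.au", list(NEW_NODES)),
}


def coverage_report(candidates=CANDIDATES, node_fqdns=NEW_NODES):
    """Map each candidate label to the list of nodes it fails to cover."""
    return {label: uncovered_nodes(cn, san, node_fqdns)
            for label, (cn, san) in candidates.items()}


if __name__ == "__main__":
    for label, missing in coverage_report().items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{label:16s} {status}")
```

Running it shows the three outcomes the reply describes: the restored old cert covers none of the new nodes, the wildcard covers the two nodes directly under petermac.org.au but not the one in dc2.petermac.org.au, and the multi-SAN cert covers all three. The same check applies to the EAP System cert, since supplicants that validate the server name apply these rules.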