Re: ISE certificate export problem (stops ISE App Server process

Nicholas Poole · ‎04-16-2013

I am trying to export certs for backup on a distributed ISE deployment.On every box of every type of node when I attempt a backup with or without the private key, nothing happens, but the GUI stops. After checking the "sh app status ise" on the CLI I notice that it now says "ISE Application Server process is not running." After a few minutes the process starts again by itself and the GUI starts working by I dont recive any cert export.

Anybody got any ideas?

thanks

Nick

Tarik Admani · ‎04-16-2013

Hi,

What version of ISE is your deployment currently at?

Thanks,

Tarik Admani
*Please rate helpful posts*

jwmolenaar · ‎05-14-2013

Hi ,

I have the same issue. I'm running 1.1.0.665 without any patches.

We would like to export the certificates before we hit the upgrade process.

Best Regards,

Jan-Willem Molenaar

Jatin Katyal · ‎05-14-2013

I tried this on two different version of ISE in a stand alone mode but I couldn't repoduce this issue.

Version : 1.1.1.268

Version : 1.0.4.573

Have you tried the same thing on any stand alone box?

Jatin Katyal
- Do rate helpful posts -

~Jatin

jwmolenaar · ‎05-16-2013

Hi Jatin,

I've a stand alone node in the LAB running 1.1.2.145 where I can export the certificates succesfully.

Since the upgrade of a spilt deployment requires a deregister of the ISE nodes I'll try to export the certificates as soon as they are running as a stand alone node.

I'll keep you updated.

Jan-Willem Molenaar

Jatin Katyal · ‎05-16-2013

No worries. I've seen this issue few times only when we have ISE in deployment.

Jatin Katyal

- Do rate helpful posts -

~Jatin

jwmolenaar · ‎05-18-2013

Hi Jatin,

I did an upgrade of a distributed deployment today. After a deregister of the first admin/monitoring node I was able to export the certificate including the keys for this machine. Hower this didn't work for the PSN nodes in standalone mode. Also after the upgrade to version 1.1.4 - patch 1, trying to export the identity certificate with the keys included causes a stop/start of the ISE application. It doesn't matter if the units are in standalone mode or added to the deployment. The only difference is that the PSN nodes run as a VM wereas the pap/mnt nodes are 3395 appliances.

Sent from Cisco Technical Support iPhone App

harvisin · ‎05-15-2013

Hello,

I went through your query and found the below link which would help to solve your query:-

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

jwmolenaar · ‎05-16-2013

Hi Harvinder,

Thanks for your support.

I went through this document before and follow the procedure, which work on other deployments but not for this one

Tarik Admani · ‎05-19-2013

Hi,

Can you try to run the command "show logging system tail" (you might have to run through the interactive prompts to get this right). This should show why the application is restarting. Your best bet might be to open a TAC case, I recently exported certs from a customer box (1.1.2 patch 2) and I didnt experience the issues.

Also what key length are you certs and were they imported as pem or der format?

Thanks,

Tarik Admani
*Please rate helpful posts*

jrodriguez · ‎10-02-2013

Hi,

I had this problem to, in a standalone ISE running 1.1.4 patch 6. I was able to export the selfsigned certificate but not the ones imported form an external CA. As happens with yours when I tried to export it the GUI restarted its self.

I oppened a TAC case and it was open for 2 months. At the end they detected a bug when tried to export the certificate, and a problem with the certificate conversion with the openssl

Jatin Katyal · ‎10-02-2013

Yeah, we finally filed a defect on this.

CSCuh37674 ISE application server reloads while exporting EAP certificate

Symptom:

ISE engine reloads when trying to export EAP certificate.

Conditions:

First seen on ISE 1.1.4 patch 1.

Workaround:

N/A

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

ISE certificate export problem (stops ISE App Server process?)