07-05-2018 03:56 AM
Hello All,
I have a few queries regarding integrating ISE with IPAM solution from Infoblox.
Certificates are pretty important when integrating ISE with other solutions using certificates.
I am going to integrate the production instance of IPAM with my test instance of ISE here.
So, the situation is that the certificates on IPAM are signed by Comodo, while the certificates for ISE are signed by an internal intermediate CA server.
Earlier, I had done integration with self-signed certificates, but again those were in test labs, for this one the case is a little different.
The question that I have now is: if I import the Comodo root certificate and the IPAM application certificate into the ISE trusted certificate store, and vice versa for IPAM, will that still work to allow authentication between ISE pxGrid and IPAM?
Or do I need to have the certificate signed from the CA in order for this integration to work?
Any pointers or ideas?
07-05-2018 05:25 AM
The certificate running the GUI has nothing to do with the certificate that will be used to join the pxGrid. You should be running your pxGrid using the internal CA running on the ISE servers. Then you issue a certificate/private key that will be used on Infoblox to join the grid. You install that certificate/private key combination along with the ISE internal CA root cert into Infoblox when configuring the pxGrid connection.
07-05-2018 05:47 AM
If I get this correct, then this certificate here, which has only pxGrid enabled, is the one that I need to export with the key to Infoblox?
Just doing the confirmation, since I am really not that good with certificates though….
Or do I need to export the following that has authentication and other enabled on it to Infoblox?
Thank you,
Dinesh
07-05-2018 05:51 AM
No, under your pxGrid services in ISE you generate the cert/private key for Infoblox. A screenshot is attached.
If you are doing this in Chrome the pop-up to download the .zip file may not work. In the .zip file, when you get it, should be the Infoblox cert and private key in PEM format along with the ISE internal root cert. There will also be the root cert for the Admin GUI, but Infoblox shouldn’t need that from what I am reading.
07-05-2018 06:22 AM
Well, this is new for me and I had never used this feature before either...
So, I see that I select "Generate Single certificate without signing request".
And here at the common name, do I need to enter the CN of the ISE server or the Infoblox server?
Further then import these certificates in Infoblox and it should be good to subscribe to the pxGrid service on ISE, right?
07-05-2018 06:26 AM
The common name can be whatever you want. If you want to put the FQDN of the Infoblox in there that is fine. You can use a generic CN like I showed in the screen shots. This is how you get a certificate/private key to join pxGrid.
07-05-2018 06:35 AM
Thank you for the quick reply, I will go ahead and try this out and update the thread with results!
07-05-2018 06:51 AM
There is one more query though: I see that the bundle has also created a .key certificate.
I have never used this kind of certificate before. If possible, can you direct me on how to use it while importing it in Infoblox?
07-05-2018 06:57 AM
You can’t use a certificate without a private key. I think the Infoblox wants the cert and key in the same file. Put them together in a file and import that.
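The step in the last reply (put the certificate and private key together in one file), as an added shell example that is not part of the original thread: before concatenating, it checks that the key belongs to the certificate and, optionally, that the certificate chains to the ISE internal root. All file names are placeholders, and the single-file layout is the replier's assumption about what Infoblox expects.

```shell
#!/bin/sh
# Added example; file names are placeholders, not the names in the ISE bundle.
# KEY_PASS (optional) is the key passphrase, read from the environment so it
# never shows up in the process list.

cert_pubkey_hash() {   # SHA-256 of the public key inside a certificate
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

key_pubkey_hash() {    # SHA-256 of the public key derived from a private key
    KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" -passin env:KEY_PASS \
        -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# bundle_pem CERT KEY OUT [CA_ROOT]
bundle_pem() {
    cert=$1; key=$2; out=$3; ca=${4:-}
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }
    KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$key" -passin env:KEY_PASS \
        -noout 2>/dev/null ||
        { echo "cannot read private key: $key" >&2; return 1; }
    # A key that does not match the certificate cannot complete the TLS handshake.
    [ "$(cert_pubkey_hash "$cert")" = "$(key_pubkey_hash "$key")" ] ||
        { echo "private key does not belong to certificate" >&2; return 1; }
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "certificate does not chain to $ca" >&2; return 1; }
    fi
    # The bundle contains the private key: create it readable by the owner only.
    ( umask 077; cat "$cert" "$key" > "$out" )
}

# Demo on constructed throwaway material (self-signed, not an ISE-issued cert).
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pxgrid-client.example" \
        -keyout "$d/client.key" -out "$d/client.cer" 2>/dev/null
    bundle_pem "$d/client.cer" "$d/client.key" "$d/client-bundle.pem" &&
        echo "wrote $d/client-bundle.pem"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Delete the separate key file and the downloaded .zip once the import has succeeded, since each copy of the private key is another place it can leak from.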