04-29-2013 03:11 PM - edited 03-10-2019 08:22 PM
Hi Everyone,
I wanted to note an issue I ran into today with our MS Windows 7 workstations and 2008 servers being unable to access the web management interface on our instance of ACS 5.3 and its solution, which is outlined below:
########################
### The Problem ###
########################
When I tried accessing the web management interface on our ACS 5.3 appliance, the browser was unable to connect. NMS applications showed that the device was up and I was able to access it via SSH. I then tried connecting to 443 via telnet on my workstation and was successful in establishing a connection. I proceeded to issue the "show application status acs" command, which showed all associated processes running. I had a co-worker attempt to access it and he ran into the same issue. I then proceeded to restart the ACS application by stopping and starting the associated processes. After the processes were back up, attempts to connect to the web management interface still failed. I then proceeded to reboot the appliance. Again, after the appliance and processes were back up, attempts to connect continued to fail. As a last-ditch effort I used a portable version of Firefox to connect and was then successfully able to connect.
########################
### The Source ###
########################
After additional troubleshooting, it was discovered that the MS Internet Explorer patch associated with MS Security Advisory 2661254 just so happened to be the culprit. This restricts the use of certificates with RSA keys less than 1024 bits in length. The default management certificate just so happens to be 512 bits in length.
########################
### The Fix ###
########################
Using Firefox, I navigated to System Administration > Configuration > Local Server Certificates > Local Certificates. I then proceeded to add a certificate in the following steps:
The ACS server should then generate the new certificate, replace the existing management certificate, and restart the ACS processes. After everything is back up, you shouldn't have any issues in accessing the web interface.
Cheers,
Dan
04-29-2013 03:19 PM
Great job.
To add to it, here is the workaround (if the cert cannot be replaced immediately):
certutil -setreg chain\minRSAPubKeyBitLength 512
Run this on the PC accessing the page.
Rate if useful
04-30-2013 10:45 PM
Hello Dan,
Thank you for trying to share the information you have.
Please note that if you want to share information, you can post a document, not a discussion.
You can convert this discussion into a document from the right pane menu.
Greetings,
Amjad
Rating useful replies is more useful than saying "Thank you"
05-13-2013 05:10 AM
Thanks Daniel for posting this information as a Document https://supportforums.cisco.com/docs/DOC-32664.
Regards,
Vinay Sharma
Community Manager