smp Enthusiast

Error starting Internal CA on ISE 1.3 Patch 4

It seems our Internal CA is unable to start because of a missing keystore password file. We tried disabling/enabling the Internal CA which did not help. We'd like to regenerate the Internal CA certificate, but we are getting a "No message defined" error, presumably because the CA service is not running properly. Anyone know of a way to force ISE to generate the missing file?

 

[2015-05-26 16:13:11,582] [] [WARN]
could not read from /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt
java.io.FileNotFoundException: /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)
at java.io.RandomAccessFile.open(Native Method)
at java.io.RandomAccessFile.<init>(Unknown Source)
at java.io.RandomAccessFile.<init>(Unknown Source)
at com.cisco.cpm.caservice.DataUtil.loadFile(DataUtil.java:83)
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)
at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)
at com.cisco.cpm.caservice.CaStore.<init>(CaStore.java:67)
at com.cisco.cpm.caservice.CaStore.<clinit>(CaStore.java:60)
at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)
[2015-05-26 16:13:11,598] [] [WARN]
could not initialize KeyStore
com.cisco.cpm.caservice.CARuntimeException: java.lang.NullPointerException
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:155)
at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)
at com.cisco.cpm.caservice.CaStore.<init>(CaStore.java:67)
at com.cisco.cpm.caservice.CaStore.<clinit>(CaStore.java:60)
at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)
Caused by: java.lang.NullPointerException
at java.lang.String.<init>(Unknown Source)
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)
... 4 more
Cisco Employee

Hi Scott,

 

I see a similar issue being reported after an internal search and a DDTS was opened:

CSCus54289    OCSP Services not running and Internal CA certs missing post 1.3 upgrade

Workaround: Reimage the device with 1.3 and that resolved the issue.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

smp Enthusiast

Thank you for the response Kanwal, but I sure want to avoid reimaging the device. Our deployment is pretty large, and would cause quite a disruption in service. I'm pursuing a couple of different avenues ATM, but that bug number will be a helpful reference. I will post something back if I find a successful alternative.

smp Enthusiast

We were able to fix this after some conversation between our Solution Architect and a BU engineer, without re-imaging the device. At a high level:

  • Install root patch
  • Remove three security db files
  • Restart the internal CA service (which generates the missing password file)
  • Restart the Tomcat service