Error starting Internal CA on ISE 1.3 Patch 4

smp
Level 4

It seems our Internal CA is unable to start because of a missing keystore password file. We tried disabling/enabling the Internal CA which did not help. We'd like to regenerate the Internal CA certificate, but we are getting a "No message defined" error, presumably because the CA service is not running properly. Anyone know of a way to force ISE to generate the missing file?


[2015-05-26 16:13:11,582] [] [WARN]
could not read from /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt
java.io.FileNotFoundException: /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)
at java.io.RandomAccessFile.open(Native Method)
at java.io.RandomAccessFile.<init>(Unknown Source)
at java.io.RandomAccessFile.<init>(Unknown Source)
at com.cisco.cpm.caservice.DataUtil.loadFile(DataUtil.java:83)
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)
at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)
at com.cisco.cpm.caservice.CaStore.<init>(CaStore.java:67)
at com.cisco.cpm.caservice.CaStore.<clinit>(CaStore.java:60)
at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)
[2015-05-26 16:13:11,598] [] [WARN]
could not initialize KeyStore
com.cisco.cpm.caservice.CARuntimeException: java.lang.NullPointerException
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:155)
at com.cisco.cpm.caservice.CaStore.init(CaStore.java:113)
at com.cisco.cpm.caservice.CaStore.<init>(CaStore.java:67)
at com.cisco.cpm.caservice.CaStore.<clinit>(CaStore.java:60)
at com.cisco.cpm.caservice.bootstrap.CaServerSeeding.main(CaServerSeeding.java:43)
Caused by: java.lang.NullPointerException
at java.lang.String.<init>(Unknown Source)
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)
... 4 more
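As an added example (not from the thread), a small Python check that parses the CA service log excerpt above and reports the missing keystore password file together with the follow-on "could not initialize KeyStore" failure; the sample log is constructed from the lines in the post, and the function names are my own.

```python
import re
from typing import Optional

# Constructed sample: the two WARN entries from the ISE Internal CA log quoted above.
SAMPLE_LOG = """\
[2015-05-26 16:13:11,582] [] [WARN]
could not read from /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt
java.io.FileNotFoundException: /opt/CSCOcpm/appsrv/apache-tomcat-ca/conf/ca_nssdb_password.txt (No such file or directory)
at java.io.RandomAccessFile.open(Native Method)
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:133)
[2015-05-26 16:13:11,598] [] [WARN]
could not initialize KeyStore
com.cisco.cpm.caservice.CARuntimeException: java.lang.NullPointerException
at com.cisco.cpm.caservice.CaStore.load(CaStore.java:155)
Caused by: java.lang.NullPointerException
"""

# Entry header: "[timestamp] [] [LEVEL]"; stack/message lines follow until the next header.
ENTRY_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] \[[^\]]*\] \[(\w+)\]$")
FNF_RE = re.compile(r"java\.io\.FileNotFoundException: (\S+) \(No such file or directory\)")


def parse_entries(log_text: str) -> list:
    """Group the log into entries: one header line plus its message and stack lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2), "lines": []})
        elif entries:
            entries[-1]["lines"].append(line)
    return entries


def diagnose_ca_keystore(log_text: str) -> Optional[dict]:
    """Return the missing file and whether CaStore init failed, or None if nothing matched."""
    missing = None
    keystore_failed = False
    for e in parse_entries(log_text):
        body = "\n".join(e["lines"])
        fm = FNF_RE.search(body)
        if fm and "could not read from" in body:
            missing = {"ts": e["ts"], "path": fm.group(1)}
        if "could not initialize KeyStore" in body and "CaStore" in body:
            keystore_failed = True
    if missing is None and not keystore_failed:
        return None
    return {"missing_file": missing["path"] if missing else None,
            "first_seen": missing["ts"] if missing else None,
            "keystore_init_failed": keystore_failed}
```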
3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Scott,


I see a similar issue being reported after an internal search and a DDTS was opened:

CSCus54289    OCSP Services not running and Internal CA certs missing post 1.3 upgrade

Workaround: Reimage the device with 1.3; that resolved the issue.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you for the response Kanwal, but I sure want to avoid reimaging the device. Our deployment is pretty large, and would cause quite a disruption in service. I'm pursuing a couple of different avenues ATM, but that bug number will be a helpful reference. I will post something back if I find a successful alternative.

smp
Level 4

We were able to fix this after some conversation between our Solution Architect and a BU engineer, without re-imaging the device. At a high level:

  • Install root patch
  • Remove three security db files
  • Restart the internal CA service (which generates the missing password file)
  • Restart the Tomcat service