Problems with ACS 5.5 Trial and Primary / Secondary node registration

cbeswick
Level 1

Hi,

I am currently trialing ACS 5.5. I have two ACS instances which I want to configure as a primary / secondary but whenever I try to register the secondary node to the primary, I get the following message:

"This System Failure occured: Registration failed due to Invalid Certificate. Your changes have not been saved. Click OK to return to the list page"

I have tried exactly the same on ACS5.4 and it works without issue.

Both appliances have a reliable NTP time configuration. I have tried resetting the management interface certificate, and even re-creating the self-signed certificate that controls management and EAP, but this seems to just crash the box, which cannot be recovered from without rebuilding the appliance.

Can anyone help ?

Thanks.  

Accepted Solution

jrabinow
Level 7

I think this relates to an additional security control added in ACS 5.5. From the release notes, I think this is the relevant section:

Support for Trust Communication between Nodes in a Deployment—ACS introduces the Trust Communication feature to provide additional security for communication between the ACS instances in your deployment. When you enable trust communication in an ACS deployment, the primary and the secondary ACS instances verify their respective CA certificates before establishing a secure tunnel for communication. If the corresponding CAs are valid, they establish a secure tunnel between them. After a successful registration, the primary instance database is replicated to the newly added secondary instance. If the CA of an ACS instance is invalid, the ACS deployment rejects that ACS instance. You can enable trust communication on both the primary and secondary ACS instances. Or, you can enable it on either the primary ACS instance or the secondary ACS instance. However, for increased security, Cisco recommends that you enable trust communication on all the nodes in your deployment.

In other words, there is an option to enable trust communication between nodes (which is recommended for security purposes). If this is done, you need to import the server certificate of the node joining the deployment into the trust list. If you disable trust communication, the system will revert to the previous 5.4 behavior.


8 Replies

Brilliant! I didn't spot that, worked a treat, many many thanks!

Chris.

I was able to exchange server certificates, but I get an error that the CA could not be verified (probably because they are self-signed certs...) I could not get a secondary instance to register with 5.5 unless I disabled Trust Communication on the primary and secondary boxes.  Any hints as to how to get primary to trust a CA for a self-signed cert?  I can't find anywhere to add CAs to the box.

Hi Derek,

I have been unable to get trust communication working with self signed certs. If you are unable to use an approved third party to sign your root CA, then try openssl - this worked well for me.

Chris.
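The openssl route Chris mentions, as an added example that is not from the thread: it builds a private root CA, issues a node certificate from it, and then runs the same kind of chain check the trust-communication feature performs, so you can see why a bare self-signed certificate fails "CA could not be verified" while a CA-issued one passes. The hostnames, subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not ACS code: a private root CA and a node certificate
# chained to it, checked with "openssl verify" the way a peer node would.
# All names below (Example ACS Root CA, acs-secondary.example.test) are
# placeholders for this demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Private root CA. This is the certificate the *other* node needs in its
#    trust list; the node certificates are then verifiable against it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout ca.key -out ca.pem -subj "/CN=Example ACS Root CA" 2>/dev/null

# 2. Node key + CSR, signed by the CA. Chain: node.pem -> ca.pem.
openssl req -newkey rsa:2048 -nodes -keyout node.key -out node.csr \
  -subj "/CN=acs-secondary.example.test" 2>/dev/null
openssl x509 -req -in node.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -out node.pem 2>/dev/null

# 3. A self-signed node certificate, like the appliance's own generator
#    produces: issuer == subject, no CA above it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout self.key -out self.pem -subj "/CN=acs-secondary.example.test" 2>/dev/null

# verify_against_ca CERT CAFILE: prints "ok" when CERT chains to a CA in
# CAFILE, "fail" otherwise (the check a trust-enabled peer is applying).
verify_against_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# issuer_of CERT: prints the issuer DN, to show who signed what.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

echo "node.pem issuer: $(issuer_of "$WORK/node.pem")"
echo "node.pem against ca.pem: $(verify_against_ca "$WORK/node.pem" "$WORK/ca.pem")"
echo "self.pem issuer: $(issuer_of "$WORK/self.pem")"
echo "self.pem against ca.pem: $(verify_against_ca "$WORK/self.pem" "$WORK/ca.pem")"
```

Keep `ca.key` off the appliances; only `ca.pem` belongs in a trust list, and each node gets its own key and CA-issued certificate.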

very useful

ChrisCraft
Level 1

This is very good, thanks for the assistance. Would there be any issues if you turned off the trust feature on both appliances?

hoyleanderson
Level 1

System Administration -> Configuration -> Global System options -> Trust communication settings -> uncheck the checkbox on both nodes.

This resolved the issue I was having. Thank you for the information in your post.
