
Introduction:

This document explains an issue seen when registering a secondary ACS with the primary ACS.

Problem:

When a user tries to register the secondary ACS to the primary ACS, the error "This System Failure occured: Registration failed due to Invalid Certificate. Your changes have not been saved. Click OK to return to the list page" is seen. How can this error be solved? The same works fine with ACS 5.4.

Solution:

Support for Trust Communication between Nodes in a Deployment—ACS introduces the Trust Communication feature to provide additional security for communication between the ACS instances in your deployment. When you enable trust communication in an ACS deployment, the primary and the secondary ACS instances verify their respective CA certificates before establishing a secure tunnel for communication. If the corresponding CAs are valid, they establish a secure tunnel between them. After a successful registration, the primary instance database is replicated to the newly added secondary instance. If the CA of an ACS instance is invalid, the ACS deployment rejects that ACS instance. You can enable trust communication on both the primary and secondary ACS instances. Or, you can enable it on either the primary ACS instance or the secondary ACS instance. However, for increased security, Cisco recommends that you enable trust communication on all the nodes in your deployment.

If trust communication between nodes is enabled, there is no need to import the server certificate of the node joining the deployment into the trust list.

Source:

https://supportforums.cisco.com/discussion/12010171/problems-acs-55-trial-and-primary-secondary-node-registration

Comments

Hello,

Did you get the solution for this? I am getting the same error.
