ACS 5.5 secondary registration - Registration failed due to Invalid Certificate

Answered Question
Mar 25th, 2014
Overall Rating: 5 (5 ratings)
Amjad Abdullah Tue, 03/25/2014 - 22:33
User Badges:
  • Red, 2250 points or more

Hi,

Do you have the correct time configured on both servers?

If not, configure the correct time, then try generating a new SSC and try again.


HTH

 

Amjad

russell_parker Wed, 03/26/2014 - 07:52

Hi Amjad,

NTP is correctly configured on both systems, both receiving the time from the same source.

 

Rgds

 

Correct Answer
Jatin Katyal Wed, 03/26/2014 - 07:44
User Badges:
  • Cisco Employee,
When you enable Trust Communication on your primary and secondary ACS instances, and you register the secondary instance with the primary, both the primary and secondary instances check the CA and server certificates of each other. After the certificates are verified:
If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
 
I don't think it supports self-signed certificates; however, you can try installing the self-signed certificate of the primary in the secondary instance's CA store and the self-signed certificate of the secondary in the primary instance's CA store.
 
For more information on this feature please read it here: Trust communication in distributed deployment
 
Regards,
Jatin Katyal
*Do rate helpful posts*
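Jatin's description (each node verifies the other's server certificate against its own CA store, and the workaround is to import each node's self-signed certificate into the peer's store) and Amjad's hint about clock skew can both be reproduced outside ACS with openssl. The script below is an added example, not from this thread or from Cisco: the node names, the file layout, and the assumption that a node's CA store initially trusts only its own self-signed certificate are mine. It shows that the peer check fails until the certificates are cross-imported, and that a clock running behind the peer's issue time makes an otherwise valid certificate fail as "not yet valid", which is why checking NTP is the first thing to do.

```shell
#!/bin/sh
# Added example (not ACS code): model the Trust Communication peer-certificate
# check with openssl. Node names and file names are assumptions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed server certificate and key for node $1
# (2048-bit RSA, SHA-256, valid for 365 days starting now).
make_node() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
    # Assumption: the node's CA store starts out trusting only itself.
    cp "$1.crt" "$1.castore.pem"
}

# Verify certificate $1 against CA store $2. An optional third argument is an
# epoch time used for the validity check, to model a node whose clock is wrong.
# Echoes "ok" or "fail". -no-CApath keeps the system CA directory out of it.
check_trust() {
    cert=$1; store=$2
    if [ $# -ge 3 ]; then set -- -attime "$3"; else set --; fi
    if openssl verify -no-CApath "$@" -CAfile "$store" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Jatin's workaround: node $1 imports peer $2's self-signed cert into its CA store.
trust_peer() {
    cat "$2.crt" >> "$1.castore.pem"
}

make_node acs-primary
make_node acs-secondary

echo "before cross-import:"
echo "  primary verifies secondary:  $(check_trust acs-secondary.crt acs-primary.castore.pem)"
echo "  secondary verifies primary:  $(check_trust acs-primary.crt acs-secondary.castore.pem)"

trust_peer acs-primary acs-secondary
trust_peer acs-secondary acs-primary

echo "after cross-import:"
echo "  primary verifies secondary:  $(check_trust acs-secondary.crt acs-primary.castore.pem)"
echo "  secondary verifies primary:  $(check_trust acs-primary.crt acs-secondary.castore.pem)"

# Amjad's point: a secondary whose clock is two days behind sees the primary's
# freshly issued certificate as not yet valid, even though the store is correct.
TWO_DAYS_AGO=$(( $(date +%s) - 172800 ))
echo "  secondary with clock 2 days behind: $(check_trust acs-primary.crt acs-secondary.castore.pem "$TWO_DAYS_AGO")"
echo "primary certificate validity window:"
openssl x509 -in acs-primary.crt -noout -dates
```

Before the cross-import both checks report "fail" with openssl's "unable to get local issuer certificate", after it both report "ok", and the skewed-clock check fails again with "certificate is not yet valid". The same three conditions (issuer not in the peer's store, issuer present, clock outside the validity window) are what decide whether ACS registration with Trust Communication enabled succeeds; disabling Trust Communication, as russell_parker did, removes the check rather than satisfying it.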
 
russell_parker Wed, 03/26/2014 - 07:56

Hi Jatin,

That is what I was beginning to believe.

To get around the problem, I turned off the Trust Communications on both systems and this then worked.

I may re-visit the Trust at some later date.

I take your point about self-signed certificates, as they are probably not trusted by the systems by their very nature.

 

Many thanks for your help

Jatin Katyal Wed, 03/26/2014 - 08:04
User Badges:
  • Cisco Employee,

That's right... when you turn off the trust, the certs will not come into the picture and you can register the nodes without having a secure tunnel. Let me know if you need more help on this.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

Cameron Birky Thu, 10/16/2014 - 16:01

I have GeoTrust certs on the primary node and on the new secondary node I am trying to add. Do you know why I would still get this error?

ahn-david Tue, 07/01/2014 - 19:49

How do I turn off the trust communications? I've run into the same issue while trying to register a secondary.

Cheers,

 

David

Jatin Katyal Tue, 07/01/2014 - 20:39
User Badges:
  • Cisco Employee,

Step 1 Choose System Administration > Configuration > Global System Options > Trust Communication Settings.

Step 2 Un-Check the Enable Nodes Trust Communication check box.

Step 3 Click Submit.

 

Regards,

Jatin
