Community Member

ACS 5.5 secondary registration - Registration failed due to Invalid Certificate

1 ACCEPTED SOLUTION
Cisco Employee

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:
If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
 
I don't think it supports self-signed certificates; however, you can try installing the self-signed certificate of the primary in the secondary instance's CA store and the self-signed certificate of the secondary in the primary instance's CA store.
 
For more information on this feature please read it here: Trust communication in distributed deployment
 
Regards,
Jatin Katyal
*Do rate helpful posts*
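As an added example (not from the thread or from Cisco ACS), a shell script using the openssl CLI that models what the accepted answer describes: each node checks the peer's certificate against its own CA store and validity window, so a self-signed peer cert is rejected until it is imported into the local store, and a node with a wrong clock rejects an otherwise trusted cert. The node names, file paths and the generated certificates are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: models the two checks a
# trusted registration applies to a peer's server certificate, using the
# openssl CLI on constructed self-signed certificates for two lab nodes.
set -e
WORK=$(mktemp -d)

# Constructed test data: each node gets a self-signed certificate, and a CA
# store that initially holds nothing but that certificate.
gen_node() {  # $1 = node name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  cp "$WORK/$1.pem" "$WORK/$1-ca-store.pem"
}
gen_node primary
gen_node secondary

# peer_cert_ok PEER_CERT LOCAL_CA_STORE [EPOCH]
# Succeeds only if PEER_CERT chains to a certificate in LOCAL_CA_STORE and
# is inside its validity window at EPOCH (default: now). On the checking
# node a wrong clock produces the same rejection as a missing CA cert.
peer_cert_ok() {
  openssl verify -CAfile "$2" -attime "${3:-$(date +%s)}" "$1" >/dev/null 2>&1
}

# The workaround from the accepted answer: put each node's self-signed
# certificate into the other node's CA store.
cross_import() {
  cat "$WORK/secondary.pem" >> "$WORK/primary-ca-store.pem"
  cat "$WORK/primary.pem"   >> "$WORK/secondary-ca-store.pem"
}

# Outcome of the primary's check on the secondary's certificate.
report() {  # $1 = label, $2 = CA store to check against, $3 = optional epoch
  if peer_cert_ok "$WORK/secondary.pem" "$2" "$3"; then echo "$1: accepted"
  else echo "$1: rejected (Invalid Certificate)"; fi
}

report "own cert only in store" "$WORK/primary.pem"        # -> rejected
cross_import
report "after cross import" "$WORK/primary-ca-store.pem"   # -> accepted
# Same store, evaluated by a node whose clock is two days slow: the peer
# cert is "not yet valid" from that node's point of view.
report "clock two days behind" "$WORK/primary-ca-store.pem" "$(( $(date +%s) - 172800 ))"  # -> rejected
```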
10 REPLIES

Hi,

do you have correct time configured on both servers?

If not, configure the correct time, then try generating a new SSC and try again.


HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"
Community Member

Hi Amjad,

NTP is correctly configured on both systems, both receiving the time from the same source.

 

Rgds

 

Community Member

Hi Jatin,

That is what I was coming to believe.

To get around the problem, I turned off the Trust Communications on both systems and this then worked.

I may re-visit the Trust at some later date.

I take your point about self-signed certificates as this is probably not trusted by the systems by its very nature.

 

Many thanks for your help

Cisco Employee

That's right... when you turn off the trust, the certs will not come into the picture and you can register the nodes without having a secure tunnel. Let me know if you need more help on this.

 

Regards,

Jatin Katyal

*Do rate helpful posts*
Community Member

I have GeoTrust certs on the primary node and on the new secondary node I am trying to add. Do you know why I would still get this error?

Community Member

Even with Trust OFF, you have secured communication between nodes (perhaps using a self-signed cert). However, your node will trust any certificate for communication (security risk).

 

Community Member

How do I turn off the trust communications? I've run into the same issue while trying to register a secondary.

Cheers,

 

David

Community Member

ignore that...found it

Cisco Employee

Step 1 Choose System Administration > Configuration > Global System Options > Trust Communication Settings.

Step 2 Un-Check the Enable Nodes Trust Communication check box.

Step 3 Click Submit.

 

Regards,

Jatin