Has anyone had any experience using the new "Trust Communication" feature in ACS 5.5?
I am wanting to know if this will work with self-signed certs, or even a public wildcard cert, i.e. *.domain.com
I have tried exporting the self-signed certs and then importing on the other appliances which I want to register against, but every time ACS states that the certificate is invalid, leading me to think that this will only work using certs which have been signed by a trusted third party.
Have you tried importing the self-signed cert of primary on secondary and vice-versa?
When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other.
Configuring Trust Communication in a Distributed Deployment
Before enabling Trust Communication between nodes in a distributed deployment, you need to make sure that you have done the following:
1. Add a trusted Certificate Authority (CA) certificate in your Primary ACS instance.
2. Add a management server certificate duly signed by a valid CA to the primary ACS instance.
3. Add a trusted CA to the ACS instance which is going to be registered as a secondary ACS instance.
4. Add a management server certificate duly signed by a valid CA to the ACS instance that is going to be registered as a secondary ACS instance.
5. Make sure that the CA that issued the server certificate of the secondary instance is present in the primary instance and that the CA that issued the server certificate of the primary instance is present in the secondary instance.
Yes, I have exported the self-signed cert and private key from the primary, and imported onto the secondary, and vice versa. When I try and register the secondary to the primary I get an error message saying "invalid cert". I am wondering if the self-signed cert that was originally generated during the installation is incorrect because it doesn't contain the FQDN of the server in its CN field (for both the primary and secondary servers).
I will try and re-create it with the FQDN in the CN.
I'm not interested in waking up a dead thread, but since this gives context to my own experience from today I thought I should write something up for posterity.
I read in a few threads across the forums that a private key was necessary and that the public keys for primary server had to be loaded on the primary and secondaries. That was not my experience. What was necessary to get it to work in my use case was:
1) Add the public keys for root CA and intermediate CA certificates under Certificate Authorities
2) For each ACS server:
2.1) Under Local Certificates, generate a CSR with a CN of CN=servername
2.2) Submit the CSR at your CA and export the DER/PEM certificate
2.3) Install the certificate in the relevant ACS server using Add and Bind-CA
2.4) Enable Trust Communications
3) Cluster the servers together through Deployment (standard procedure)
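As an added example (not from the thread or from Cisco), the script below uses openssl to build a throwaway CA and per-node certificates with CN=servername, then runs the two checks the procedure above depends on: the node certificate chains to a CA present on the peer, and its CN names the node. It also reproduces the failing case from the thread, a self-signed installation certificate whose CN is not the FQDN. The CA name, FQDNs and file names are assumptions, and nothing here touches an ACS appliance.

```shell
# Constructed demo of the trust checks behind ACS Trust Communication.
# Requires openssl; all certificates are throwaway and created in a temp dir.

# $1 = node cert, $2 = CA bundle installed on the PEER, $3 = expected CN.
# Returns 0 when both checks pass, 1 on chain failure, 2 on CN mismatch.
check_node() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -Eq "CN=$3(,|$)" || return 2
  return 0
}

# Issue a CA-signed cert for one node: CSR with CN=servername (step 2.1),
# signed by the CA (step 2.2). $1 = CA file basename, $2 = node FQDN.
issue_node_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || exit 1

# Constructed root CA standing in for the enterprise CA (step 1 above).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Hypothetical node names; each node gets its own CA-signed certificate.
issue_node_cert ca acs-primary.example.com
issue_node_cert ca acs-secondary.example.com

# The thread's failing case: a self-signed cert with CN=ACS (no FQDN),
# checked against a peer CA store that never issued it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ACS" \
  -keyout selfsigned.key -out selfsigned.crt 2>/dev/null

for node in acs-primary.example.com acs-secondary.example.com; do
  if check_node "$node.crt" ca.crt "$node"; then
    echo "$node: trusted by peer CA, CN matches"
  else
    echo "$node: FAILED (rc=$?)"
  fi
done
check_node selfsigned.crt ca.crt acs-primary.example.com
echo "self-signed installation cert: rc=$? (1 = does not chain to peer CA)"
```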