Download   Report
  1. No category

NAC (CCA): How to Fix Certificate Errors on the Contents Introduction

NAC (CCA): How to Fix Certificate Errors on the
CAM/CAS After Upgrade to 4.1.6
Document ID: 107909
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Procedure
Related Information
Introduction
This document describes how to fix certificate errors on the Clean Access Manager (CAM)/Clean Access
Server (CAS) with version 4.1.6.
Prerequisites
Requirements
Cisco recommends that you have knowledge of the upgrade process for the Cisco Network Admission Control
(NAC) Appliance.
Components Used
The information in this document is based on the Cisco NAC Appliance version 4.1.6 with CAM/CAS.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Procedure
These certificate errors are found in either /perfigo/logs/perfigo−redirect.log0.log.0 or
/perfigo/logs/perfigo−log0.log.0.
Here is an example of a certificate error:
SEVERE: RMISocketFactory:Creating RMI socket failed to host
10.1.20.10:sun.security.validator.ValidatorException:
Certificate chaining error
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception
creating connection to: 10.1.20.10; nested exception is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: Certificate chaining error
These errors are a result of security enhancements made in 4.1.6. In 4.1.6, the CAS and CAM act as client and
server to each other and must trust each other. Each one requires the root and intermediate certificates from
the other. For example, if the CAS has a Verisign certificate and the CAM has a Perfigo (temporary)
certificate, both the CAS and CAM need the Verisign chain (root and intermediates) and the Perfigo root.
Complete these steps in order to fix the certificate errors:
1. Back up any installed certificates that are not temporary certificates.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Export CSR/Private Key/Certificate from the Choose an action drop−down list.
d. Click Export located next to Currently Installed Certificate, and save this file.
e. Click Export located next to Currently Installed Private Key, and save this file.
2. After the backup, if the CAS and CAM do not already use temporary certificates, generate them.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Generate Temporary Certificate from the drop−down list.
d. Fill out the fields listed, and click Generate.
Note: This no longer requires a reboot to take effect.
3. Remove all Trusted Certificate Authorities from the CAS and CAM. This step makes it easier to
manage and improve security.
a. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate
Authorities.
b. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
c. Create a filter to exclude the Perfigo certificate.
d. Choose Distinguished Name from the Add filter drop−down list.
e. Choose contains not from the drop−down list that appears next to Distinguished Name.
f. Type Perfigo in the text field, and then click Filter.
g. Choose 100 from the drop−down list located next to the Delete Selected button.
h. Click the check box below the Delete Selected drop−down list in order to select all the
certificate authorities (CAs) in the list.
i. Click Delete Selected in order to delete all the CAs in the list.
j. Continue to click the box, and click Delete Selected until all the CAs are deleted.
4. After you remove all CAs, the root and intermediate certificates must be imported.
a. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate
Authorities.
b. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
c. Click Browse, and choose the Root Certificate first.
Note: The subject and issuer should be set to the same value.
d. Click Import, and the CA should appear in the list below.
e. Perform the same procedure for any intermediate certificates.
5. Install the CAS and CAM certificates that you backed up in the first step.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Import Certificate from the drop−down list.
d. Click Browse, and choose the certificate saved from step 1.
e. Click Upload.
f. Click Browse again, and choose the private key that was saved from step 1.
g. Choose Private Key from the File type drop−down list, and then click Upload.
h. Click Verify and Install Uploaded Certificates.
Note: This error message is not be fixed by these procedures:
SEVERE: SSLFilter:access deniedCN=cas1.domain.com,
OU=Information Technologies, O=Company, ST=State,
C=US:Netscape cert type does not permit use for SSL client
If the logs contain this message, you must contact the certificate provider. The certificate must be
reissued with the Netscape Cert Type field set to both SSL server and SSL client.
Related Information
• Cisco NAC Appliance Support Page
• Technical Support & Documentation − Cisco Systems
Contacts & Feedback | Help | Site Map
© 2009 − 2010 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.
Updated: Sep 08, 2008
Document ID: 107909
How to choose a Certificate Authority for safer web security White paper

How to choose a Certificate Authority for safer web security White paper

TO: TENNESSEE SALES AND USE TAX BLANKET CERTIFICATE OF

TO: TENNESSEE SALES AND USE TAX BLANKET CERTIFICATE OF

TENNESSEE SALES OR USE TAX BLANKET CERTIFICATE OF RESALE TO:

TENNESSEE SALES OR USE TAX BLANKET CERTIFICATE OF RESALE TO:

DO NOT WRITE IN THIS SPACE SEE INSTRUCTIONS AND APPLICABLE FEES BELOW

DO NOT WRITE IN THIS SPACE SEE INSTRUCTIONS AND APPLICABLE FEES BELOW

Document 42690

Document 42690

How to write a business plan for Small Businesses.

How to write a business plan for Small Businesses.

Document 54679

Document 54679

Document 66335

Document 66335

APPLICATION FOR BIRTH CERTIFICATE OR REGISTRATION PHOTOCOPY MAILING ADDRESS INFORMATION

APPLICATION FOR BIRTH CERTIFICATE OR REGISTRATION PHOTOCOPY MAILING ADDRESS INFORMATION

STATE OF GEORGIA DEPARTMENT OF REVENUE GEORGIA PURCHASER OR DEALER

STATE OF GEORGIA DEPARTMENT OF REVENUE GEORGIA PURCHASER OR DEALER

Document 51585

Document 51585

OFFICE OF THE UNIVERSITY REGISTRAR Padre Faura Street, Manila

OFFICE OF THE UNIVERSITY REGISTRAR Padre Faura Street, Manila

Advanced CAS: How to utilize the new ACCA National Conference

Advanced CAS: How to utilize the new ACCA National Conference

Thawte SSL Certificate Enrollment Guide

Thawte SSL Certificate Enrollment Guide

SPON R E

SPON R E

Secure Socket Layer (SSL)

Secure Socket Layer (SSL)

How to configure HTTPS proxying in Zorp 3 F5

How to configure HTTPS proxying in Zorp 3 F5

How to build a PKI that works Peter Gutmann University of Auckland

How to build a PKI that works Peter Gutmann University of Auckland

How to perform a Heartbleed Attack (new revision) 1 - Introduction

How to perform a Heartbleed Attack (new revision) 1 - Introduction

abcdocz.com

© Copyright 2024