TACACS Trusted Communication and Replication

Category:Cisco Systems -> Security

Link: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_operations.html#pgfId-1155124
Text:

Trust Communication in a Distributed Deployment

ACS introduces the Trust Communication feature, which provides additional security for communication between the ACS instances in your deployment. You can use this feature to establish a secure tunnel for communication between the primary and secondary ACS instances in a deployment. You can enable Trust Communication on both the primary and secondary ACS instances or on either instance. However, for increased security, Cisco recommends that you enable Trust Communication on all nodes in your deployment. After the deployment is ready, you cannot edit the Enable Nodes Trust Communication settings on secondary ACS instances. The changes that you make in the Trust Communication settings of the primary ACS instance will be replicated to all secondary ACS instances.

In ACS 5.5, when you register a secondary instance to a primary instance, both the primary and secondary instances verify each other’s certificates before establishing a secure tunnel for communication. All subsequent transactions between these two nodes happen through the established secure tunnel.

By default, Trust Communication is enabled on a fresh ACS instance. If you do not need this type of security, you can uncheck the Enable Nodes Trust Communication check box in the Trust Communication Settings page.

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:

– If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.

– If any of the certificates in the primary instance are invalid, the secondary ACS instance stops the registration process.

– If any of the certificates in the secondary instance are invalid, the primary ACS instance rejects the register request from the secondary ACS instance.

When you enable Trust Communication only in the primary ACS instance and register a secondary to this primary, then this primary instance verifies the secondary’s certificates. If the certificates are valid, the primary registers the new ACS instance as a secondary instance. The secondary does not verify the primary’s certificates.

When you enable Trust Communication only in the secondary ACS instance and register this instance to the primary instance, then this secondary instance verifies the primary’s certificates during registration. If the certificates are valid, the secondary instance proceeds with the registration process. The primary instance does not verify the secondary’s certificates.

Note If the certificates that you have used for ACS instances in a deployment are invalid (such as expired certificates, revoked certificates, and not yet valid certificates), then the primary and secondary ACS instances cannot communicate and the system will not work as expected.
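The registration rules above, modelled as an added Python example (not Cisco's code and not ACS's actual implementation): a simplified certificate model plus the asymmetric verification the guide describes, so you can see which side refuses registration and why for a given pair of certificate stores. The Cert and Node classes, the NOW and YEAR constants, and the "secondary checks first" ordering are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed, simplified certificate model (not a real X.509 parser): just the fields behind the guide's checks.
@dataclass(frozen=True)
class Cert:
    issuer: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

@dataclass
class Node:
    name: str
    trust_enabled: bool  # the "Enable Nodes Trust Communication" check box
    server_cert: Cert    # management server certificate (Before You Begin, steps 2 and 4)
    trusted_cas: dict    # CA name -> CA Cert added to this instance (steps 1 and 3)

def cert_problem(cert, now):
    """Why a certificate is invalid at 'now' (revoked, not yet valid, expired), or None if valid."""
    if cert.revoked:
        return "revoked"
    if now < cert.not_before:
        return "not yet valid"
    return "expired" if now > cert.not_after else None

def verify_peer(verifier, peer, now):
    """Peer's server certificate must be valid and its issuing CA present and valid in the verifier's own store."""
    problem = cert_problem(peer.server_cert, now)
    if problem:
        return f"{peer.name} server certificate is {problem}"
    ca = verifier.trusted_cas.get(peer.server_cert.issuer)
    if ca is None:
        return f"CA '{peer.server_cert.issuer}' is not trusted by {verifier.name}"
    problem = cert_problem(ca, now)
    return f"CA '{peer.server_cert.issuer}' certificate is {problem}" if problem else None

def register(primary, secondary, now):
    """Each side verifies the other only if Trust Communication is enabled on it; assumed order: secondary first."""
    if secondary.trust_enabled:
        problem = verify_peer(secondary, primary, now)
        if problem:
            return False, "secondary stops the registration process: " + problem
    if primary.trust_enabled:
        problem = verify_peer(primary, secondary, now)
        if problem:
            return False, "primary rejects the register request: " + problem
    return True, "secondary registered to primary"
NOW = datetime(2024, 6, 1)  # constructed reference time for sample certificates
YEAR = timedelta(days=365)
```

Running `register` at a later `now` than the certificates allow reproduces the Note's failure mode: an expired certificate on either side stops registration before any tunnel is set up.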

Configuring Trust Communication in a Distributed Deployment

Before You Begin

Before enabling Trust Communication between nodes in a distributed deployment, you need to make sure that you have done the following:

1. Add a trusted Certificate Authority (CA) certificate in your Primary ACS instance. For more information, see Adding a Certificate Authority.

2. Add a management server certificate duly signed by a valid CA to the primary ACS instance. For more information, see Configuring Local Server Certificates.

3. Add a trusted CA to the ACS instance which is going to be registered as a secondary ACS instance. For more information, see Adding a Certificate Authority.

4. Add a management server certificate duly signed by a valid CA to the ACS instance that is going to be registered as a secondary ACS instance. For more information, see Configuring Local Server Certificates.

5. Make sure that the CA that issued the server certificate of the secondary instance is present in the primary instance and that the CA that issued the server certificate of the primary instance is present in the secondary instance.

To configure Trust Communication between nodes in a distributed deployment:

Step 1 Choose System Administration > Configuration > Global System Options > Trust Communication Settings.

Step 2 Check the Enable Nodes Trust Communication check box.

Step 3 Click Submit.

Trust Communication between the nodes is enabled now. You can now register a secondary instance to the primary. For more information, see Registering a Secondary Instance to a Primary Instance.

By privilege15