CheckMates
Cisco ISE integration into Identity Collector
Hi,
Has anyone ever implemented Cisco ISE integration into Identity Collector? I could not find any information about the certificate field with the required *.jks certificates ....
BR,
Bernhard
I think you might contact Cisco support to get help on how to generate the JKS certificate format for ISE and the Identity Collector. You might check with Check Point support for internal documentation, but they will not support it.
In the meantime you can check the following link:
To Use keytool to Create a Server Certificate (The Java EE 6 Tutorial)
Thanks
Please check this link
How To: Deploying Certificates with pxGrid: | Cisco Communities
Hello,
Sorry to ask my query in this old post, but it is the only one I could find that is relevant to my query:
Check Point IDC - 81.028.000
Check Point PDP and PEP: R80.40
I have integrated IDC with Cisco pxGrid v2 (Cisco ISE 3.1.0.518) and it is working quite well for learning the SGT and enforcing the SGT in the access policy. The problem is that the IDC only learns the ISE logs in bulk and not instantly.
The ia_ise_extension.log says the below error:
[3728][0015][2023.04.18 15:16:55.569] GatheringManager::updateSessions: failed to query session 10.xx.xx.xx from ISE rnxx1tc1xxxxx.xxxx-01.net
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.checkpoint.ISE.GatheringManager.PxgridControl.sendRequest(PxgridControl.java:53)
at com.checkpoint.ISE.GatheringManager.PxgridControl.getSessionByIP(PxgridControl.java:167)
at com.checkpoint.ISE.GatheringManager.ISEServerPxgV2.querySessionByIp(ISEServerPxgV2.java:197)
at com.checkpoint.ISE.GatheringManager.GatheringManager.updateSessions(GatheringManager.java:485)
at com.checkpoint.ISE.GatheringManager.GatheringManager.access$000(GatheringManager.java:33)
at com.checkpoint.ISE.GatheringManager.GatheringManager$UpdateSessionDBTimerTask.run(GatheringManager.java:79)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
But every 30 mins or so, it does a bulk import and gets all the machine records:
[3728][0031][2023.04.18 15:16:56.178] GatheringManager::processSession: new event received during bulk download, will exclude 10.xx.xx.xx from further bulk download operations
I tried to play around with the certificate, but was unable to find a solution.
I have created the JKS cert using this white paper document and, as you see, it works partially. Does anyone have any idea how to fix this issue so that the instant machine authentication records are passed on to IDC?
Regards,
Lolith
Hello,
The issue got fixed after importing the self-signed cert chain into the Java keystore.
The problem I had was that the pxGrid cert was signed using system and IDC did not trust the pxGrid cert.
Also, ISE version 3 with patch 3 had a bug where every time you patch/upgrade ISE, the self-signed cert also gets renewed; this is fixed in patch 4 and above.
Conclusion: the IDC and pxGrid 2 work fine with the right set of certs in the Java keystore.
Thanks and Regards,
Lolith
