Scribd
Upload
155 views22 pages

HowTo-100-CA Signed PxGridClient Selfsigned PxGridISEnode

This document outlines the steps to configure a pxGrid client certificate signed by a Certificate Authority and the ISE self-signed certificate for the ISE pxGrid node. It includes generating certificates, importing them into the appropriate keystores, and enabling the pxGrid persona on ISE.

Uploaded by

Toua Lor
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
155 views22 pages

HowTo-100-CA Signed PxGridClient Selfsigned PxGridISEnode

This document outlines the steps to configure a pxGrid client certificate signed by a Certificate Authority and the ISE self-signed certificate for the ISE pxGrid node. It includes generating certificates, importing them into the appropriate keystores, and enabling the pxGrid persona on ISE.

Uploaded by

Toua Lor
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 22

Deploying Certificates with Cisco pxGrid

Certificate Authority (CA)-Signed pxGrid client and self-signed ISE


pxGrid node certificate

SECURE ACCESS HOW-TO GUIDES

Table of Contents
About this Document ...................................................................................................................................................... 3
Introduction ..................................................................................................................................................................... 4
Example Certificate Configuration .............................................................................................................. 5
Self-signed ISE pxGrid node certificate & pxGrid persona configuration.................................................... 5
pxGrid Client Certificate Configuration ....................................................................................................... 8
Testing pxGrid client and ISE pxGrid node .............................................................................................. 12
Viewing Keystore Entries ......................................................................................................................... 13
Troubleshooting ....................................................................................................................................... 18

Cisco Systems 2015

Page 2

SECURE ACCESS HOW-TO GUIDES

About this Document


This document illustrates the configuration steps required for configuring a pxGrid client using a certificate signed by
a CA authority and the ISE self signed certificate for the ISE for the ISE pxGrid node. This document is intended for
Cisco field engineers, technical marketing engineers, partners and customers deploying Cisco pxGrid. Familiarity with
pxGrid is required. If the reader is not familiar with pxGrid, please see
Configure_and_Test_Integration_with_Cisco_pxGrid.pdf:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf
Obtain the pxGrid sdk from your Cisco account team.
It is assumed that Cisco Identity Services Engine (ISE) 1.3 is installed. A MAC running OSX 10.8.5 will be used as
the pxGrid client. A Linux OS can also be used. The Oracle Java Development Kit 7 or 8 is required for the pxGrid
client.
There are two other documents in Deploying pxGrid with Certificates series:

Using CA-Signed Certificates with ISE pxGrid node and pxGrid client

Using Self-Signed Certificates with ISE pxGrid node and ISE pxGrid client

Cisco Systems 2015

Page 3

SECURE ACCESS HOW-TO GUIDES

Introduction
This section details the CA signed certificate configuration for a pxGrid client and an ISE pxGrid node in an ISE
Stand-alone deployment. In this case, the pxGrid client may contain a certificate signed by a public CA such as
Entrust. Please note that a customized pxGrid template having an Enhanced Key Usage (EKU) ISO- defined object
identifier (OID) for both client authentication (1.3.6.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1) must be
created. The ISE pxGrid node contains the self-signed ISE identity certificate in the ISE trusted certificate store.
Microsoft Enterprise CA 2008 R2 will be used as the CA Authority to sign the pxGrid clients certificate. The CA root
certificate from the Microsoft CA authority will be added to the ISE Trusted certificate store. The ISE public
certificate will be added to the pxGrid clients keystore.
When the pxGrid client connects to the ISE pxGrid node both public certificates will be trusted for Simple
Authentication and Security Layer (SASL) for a successful pxGrid connection.
The following diagram represents the certificate flow of information.

Cisco Systems 2015

Page 4

SECURE ACCESS HOW-TO GUIDES

Example Certificate Configuration


This displays the certificate example used in this document.

Self-signed ISE pxGrid node certificate & pxGrid persona configuration


Here we will import the ISE self-signed certificate into the ISE trusted certificate store. Once the ISE identity
certificate is in the trusted certificate store, you can enable the pxGrid persona on the ISE node, and make this the
primary node. The published nodes will appear in pxGrid Services View.
Step 1

Export the Self Signed ISE identity certificate and save as a .pem file.
Administration->System->Certificates->select ISE identity cert->Export (public key only)

Step 2

Import the saved ISE .pem file into the ISE trusted certificate store
Administration->System->Certificates->Trusted Certificates->Browse and upload file->Submit

Cisco Systems 2015

Page 5

SECURE ACCESS HOW-TO GUIDES

You will see the import ISE trusted certificate

Step 3

Download and upload the CA root certificate into the ISE Trusted Certificate Store and enable trust for
ISE communication

Cisco Systems 2015

Page 6

SECURE ACCESS HOW-TO GUIDES


Administration->System->Certificates->Trusted Certificates->Import & Upload the CA root
certificate

Step 4

Enable the pxGrid persona in ISE.


Administration->System->Deployment->Enable pxGrid->Change role to Primary->Save

Note: It is not required to change the role to primary

Step 5

Verify that the published services have started.


Administration->pxGrid Services

Cisco Systems 2015

Page 7

SECURE ACCESS HOW-TO GUIDES

Note: There may be a delay before the ISE publishing nodes appear. The certificates must be installed before the pxGrid persona is enabled.

pxGrid Client Certificate Configuration


This section steps through the pxGrid client self certificate generation process. Once the certificate public/private keypair is generated, a PKCS12 file will be created from the private key, self2.key.
The PKCS12 file will be imported into the identity keystore, self1.jks. This identity keystore and associated password
will serve as the keystoreFilename and keystorePassword for the pxGrid scripts. The pxGrid client certificate self2.cer
will be added the identity keystore as well.
Both the ISE identity certificate, isemnt, required for bulk session downloads, and the CA root certificate will be added
to the trust keystore, root.jks. This trust keystore and associated password will serve as the truststoreFilename and
truststorePassword for the pxGrid scripts.
Step 1

Generate a private key (i.e. self2.key) for the pxGrid client.

openssl genrsa -out self2.key 4096


Generating RSA private key, 4096 bit long modulus
........++
.............................................................................................................
...............++
e is 65537 (0x10001)

Step 2

Generate the CSR (i.e. self2.csr) request to the CA Authority. Provide a challenge password (i.e. cisco123)

openssl req -new -key self2.key -out self2.csr


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
Cisco Systems 2015

Page 8

SECURE ACCESS HOW-TO GUIDES

to be sent with your certificate request


A challenge password []:cisco123
An optional company name []:Eppich,Inc

Note: Keep the same password throughout this documnent, easier to maintain, and cut down on errors

Step 3

The CA authority must service the user certificate by using a customized template (i.e. pxGrid) containing
Enhanced Key Usage (EKU) ISO-defined object identifiers (OIDs) one for client authentication and one for
server authentication.

Note: The pxGrid template was created in the CA authority. This was a duplicated user template, using Windows 2003 format which
makes it appear in the Certificate Template drop down. Both EKUs Client Authentication and Server Authentication were added to the
template.

Step 4

Create a pxGrid client .pkcs12 file (i.e. self2.p12) from the private key in the pxGrid client certificate (i.e.
self2.cer). This will be used for keystore management. Include the CA root file (i.e. ca_root.cer).

openssl pkcs12 -export -out self2.p12 -inkey self2.key -in self2.cer -chain -CAfile ca_root.cer
Enter Export Password: cisco123
Verifying - Enter Export Password: cisco123
Johns-MacBook-Pro:pxGridsdk jeppich$

Note: cisco123 is the password used throught this document

Cisco Systems 2015

Page 9

SECURE ACCESS HOW-TO GUIDES


Step 5

Create the pxGrid client identity keystore (i.e.self2.jks). This will serve as the keystoreFilename and
associated keystorePassword for pxGrid script examples

keytool -importkeystore -srckeystore self2.p12 -destkeystore self2.jks -srcstoretype PKCS12


Enter destination keystore password: cisco123
Re-enter new password: cisco123
Enter source keystore password: cisco123
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Step 6

Export only the public ISE Identity certificate into the pxGrid client, note that this will be in .pem format.
You can rename the file with .pem extension to make it easier to read. In this example, the file was
renamed to isemnt.pem.

Step 7

Convert the .pem file to .der format

openssl x509 -outform der -in isemnt.pem -out isemnt.der

Step 8

Add the ISE identity cert to the trust keystore (i.e.root.jks). This will become the truststoreFilename and
associated truststorePassword used in the pxGrid scripts.

keytool -import -alias mnt -keystore root.jks -file isemnt.der


Enter keystore password: cisco123
Re-enter new password: cisco123
Owner: CN=ise.lab6.com
Issuer: CN=ise.lab6.com
Serial number: 548502f500000000ec27e53c1dd64f46
Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
Certificate fingerprints:
MD5: 04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
SHA256:
C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
Cisco Systems 2015

Page 10

SECURE ACCESS HOW-TO GUIDES

#2: ObjectId: 2.5.29.37 Criticality=false


ExtendedKeyUsages [
serverAuth
clientAuth
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
Key_Agreement
Key_CertSign
]
#4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 F3 1A 9E 7B 1B 14 4F
51 9E A4 88 33 07 7A AC
0010: 75 37 36 D4
]
]

.......OQ...3.z.
u76.

Trust this certificate? [no]: yes


Certificate was added to keystore
Johns-MacBook-Pro:pxGridsdk jeppich$

Step 9

Import the pxGrid client certificate into the identity keystore.

keytool -import -alias pxGridclient -keystore self2.jks -file self2.cer


Enter keystore password: cisco123
Certificate already exists in keystore under alias <1>
Do you still want to add it? [no]: no
Certificate was not added to keystroke

Step 10

Add the CA Root certificate to the trust keystore. Both certificates need to reside in the trust keystore.

keytool -import -alias root -keystore root.jks -file ca_root.cer


Enter keystore password: cisco123
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00

...

#2: ObjectId: 2.5.29.19 Criticality=true

Cisco Systems 2015

Page 11

SECURE ACCESS HOW-TO GUIDES

BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]

...&..7..Z.6&...
j.y,

Trust this certificate? [no]: yes


Certificate was added to keystore

Step 11

Copy identity keystore (i.e. self2.jks) and trust keystore (i.e. root.jks) into /samples/bin folder.

Testing pxGrid client and ISE pxGrid node


Sample pxGrid scripts register.sh and session_download.sh will be run to ensure pxGrid client connection and pxGrid
registration. Session downloads will ensure that there are no issues with the ISE MNT certificates and pxGrid client.
Step 1

Register pxGrid client

./register.sh -keystoreFilename self2.jks -keystorePassword cisco123 -truststoreFilename root.jks -truststorePassword cisco123 -group
Session -description test -hostname 10.0.0.96 -username JohnMACbook
------- properties ------version=1.0.0
hostnames=10.0.0.96
username=JohnMACbook
descriptipon=test
keystoreFilename=self2.jks
keystorePassword=cisco123
truststoreFilename=root.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed

Step 2

Run Session Download

Cisco Systems 2015

Page 12

SECURE ACCESS HOW-TO GUIDES

./session_download.sh -keystoreFilename self2.jks -keystorePassword cisco123 -truststoreFilename root.jks truststorePassword cisco123 -hostname 10.0.0.96 -username JohnMACbook
------- properties ------version=1.0.0
hostnames=10.0.0.96
username=JohnMACbook
keystoreFilename=self2.jks
keystorePassword=cisco123
truststoreFilename=root.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
starting at Wed Dec 10 09:55:36 PST 2014...
session (ip=10.0.0.18, Audit Session Id=0A0000020000000B006E1086, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:D1:8D:90, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-SessionId=00000002], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Dec 10 08:27:59 PST 2014
)... ending at: Wed Dec 10 09:55:36 PST 2014
--------------------------------------------------downloaded 1 sessions in 100 milliseconds
--------------------------------------------------connection closed

Viewing Keystore Entries


By viewing the keystore entries you can view the trusted certificate entries for the identity and trust keystores.
keytool -list -v -keystore self2.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: isecert
Creation date: Dec 10, 2014
Entry type: trustedCertEntry
Owner: CN=ise.lab6.com
Issuer: CN=ise.lab6.com
Serial number: 548502f500000000ec27e53c1dd64f46
Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
Certificate fingerprints:
MD5: 04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
SHA256:
C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647

Cisco Systems 2015

Page 13

SECURE ACCESS HOW-TO GUIDES

]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
Key_Agreement
Key_CertSign
]
#4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 F3 1A 9E 7B 1B 14 4F
51 9E A4 88 33 07 7A AC
0010: 75 37 36 D4
]
]

.......OQ...3.z.
u76.

*******************************************
*******************************************

Alias name: 1
Creation date: Dec 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 6105dce600000000000a
Valid from: Wed Dec 10 09:01:44 PST 2014 until: Sat Dec 10 09:11:44 PST 2016
Certificate fingerprints:
MD5: 76:3E:43:48:A7:FD:2C:5B:A3:FD:76:3F:6E:DF:2D:B8
SHA1: A9:E4:66:D9:34:C6:62:67:2B:C0:AF:E1:68:83:EA:36:3D:2A:23:CC
SHA256:
0E:D8:04:30:39:3E:0B:06:D5:3E:29:94:ED:C7:76:7A:5E:27:1C:14:CF:CD:1E:4D:10:AF:22:A7:54:E5:52:7B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07

050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....

#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false


0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04

020...+.......0.
..+.......0...+.
......0...+.....
7...

#3: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false


0000: 30 2D 06 25 2B 06 01 04
01 82 37 15 08 DC FD 1A
0010: 87 CB EB 79 81 89 9D 2D
86 E6 FC 53 86 82 A1 38

0-.%+.....7.....
...y...-...S...8

Cisco Systems 2015

Page 14

SECURE ACCESS HOW-TO GUIDES

0020: 5E 86 D1 B8 23 85 FC EF

40 02 01 64 02 01 03

^...#[email protected]...

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false


AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]

...&..7..Z.6&...
j.y,

#6: ObjectId: 2.5.29.31 Criticality=false


CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 36 E2 1A 09 D1 51 72 4D
C3 6A 18 C1 C4 EB AE B5
0010: E4 48 39 4E
]
]

6....QrM.j......
.H9N

Certificate[2]:
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
Cisco Systems 2015

Page 15

SECURE ACCESS HOW-TO GUIDES

#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false


0000: 02 01 00

...

#2: ObjectId: 2.5.29.19 Criticality=true


BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]

...&..7..Z.6&...
j.y,

*******************************************
*******************************************

keytool -list -v -keystore root.jks


Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root
Creation date: Dec 10, 2014
Entry type: trustedCertEntry
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 17:47:06 PST 2014 until: Wed Nov 13 17:57:06 PST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00

...

#2: ObjectId: 2.5.29.19 Criticality=true


BasicConstraints:[
CA:true
PathLen:2147483647

Cisco Systems 2015

Page 16

SECURE ACCESS HOW-TO GUIDES

]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]

...&..7..Z.6&...
j.y,

*******************************************
*******************************************

Alias name: mnt


Creation date: Dec 10, 2014
Entry type: trustedCertEntry
Owner: CN=ise.lab6.com
Issuer: CN=ise.lab6.com
Serial number: 548502f500000000ec27e53c1dd64f46
Valid from: Sun Dec 07 17:46:29 PST 2014 until: Mon Dec 07 17:46:29 PST 2015
Certificate fingerprints:
MD5: 04:7D:67:04:EC:D2:F5:BC:DC:79:4D:0A:FF:62:09:FD
SHA1: 5A:7B:02:E4:07:A1:D2:0B:7D:A5:AE:83:27:3B:E7:33:33:30:1E:32
SHA256:
C4:21:6C:6F:5B:06:F3:2C:D7:26:35:CB:BE:2B:1B:FF:0E:EE:09:91:F6:B6:54:0C:6F:63:CB:43:1F:77:F2:37
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
Key_Agreement
Key_CertSign
]
#4: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 F3 1A 9E 7B 1B 14 4F
51 9E A4 88 33 07 7A AC
0010: 75 37 36 D4
Cisco Systems 2015

.......OQ...3.z.
u76.
Page 17

SECURE ACCESS HOW-TO GUIDES

]
]

*******************************************
*******************************************

Troubleshooting
This section describes some troubleshooting tips:

Avoid pxGrid scripting error messages by verifying that the pxGrid client hostname and ISE pxGrid are
resolvable via DNS.

If there changes to the truststore, and receive similar error messages stop and restart ISE application from the
ISE VM.

./register.sh -keystoreFilename self1.jks -keysrePassword cisco123 -truststoreFilename root1.jks truststorePassword cisco123 -username pxGridclient -hostname 10.0.0.96 -group Session -description test1
------- properties ------version=1.0.0
hostnames=10.0.0.96
username=pxGridclient
descriptipon=test1
keystoreFilename=self1.jks
keystorePassword=cisco123
truststoreFilename=root1.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1104)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at org.jivesoftware.smack.XMPPConnection.proceedTLSReceived(XMPPConnection.java:806)
at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:267)
at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)
Exception in thread "main" com.cisco.pxgrid.GCLException: SASL authentication failed:
at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:197)
at com.cisco.pxgrid.samples.ise.Register.main(Register.java:99)
Caused by: SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:281)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:206)
at com.cisco.pxgrid.Configuration.connect(Configuration.java:194)
at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:134)
... 1 more

Restarting ISE services

application stop ise


application start ise

Cisco Systems 2015

Page 18

SECURE ACCESS HOW-TO GUIDES

Verify pxGrid processes are initializing

sh application status ise

If you see a similar error message, the root certificate needs to be added to the truststoreFilename keystore, in
this case root3.jks.

./register.sh -keystoreFilename pxGridClient.jks -keystorePassword cisco123 -truststoreFilename root3.jks truststorePassword cisco123 -group Session -description MACBOOK -username Macbook_PRO -hostname 10.0.0.96
------- properties ------version=1.0.0
hostnames=10.0.0.96
username=Macbook_PRO
descriptipon=MACBOOK
keystoreFilename=pxGridClient.jks
keystorePassword=cisco123
truststoreFilename=root3.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: root certificate not trusted of
[ise.lab6.com]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at org.jivesoftware.smack.XMPPConnection.proceedTLSReceived(XMPPConnection.java:806)
at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:267)
at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)
Caused by: java.security.cert.CertificateException: root certificate not trusted of [ise.lab6.com]
at org.jivesoftware.smack.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:144)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:865)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1453)
... 11 more

If you see this error message below, ensure that pxGrid Client and ISE pxGrid FQDN names are resolvable via
DNS.

./session_download.sh -keystoreFilename jeppich.jks -keystorePassword cisco123 -truststoreFilename


trust007.jks -truststorePassword cisco123 -hostname 10.0.0.96 -username mac2
------- properties ------version=1.0.0
hostnames=10.0.0.96
username=mac2
keystoreFilename=jeppich.jks
keystorePassword=cisco123
truststoreFilename=trust007.jks
truststorePassword=cisco123
filter=null
start=null
end=null

Cisco Systems 2015

Page 19

SECURE ACCESS HOW-TO GUIDES

-------------------------connecting...
connected.
20:18:07.181 [main] WARN o.a.cxf.phase.PhaseInterceptorChain - Interceptor for
{https://ise.lab6.com/pxgrid/mnt/sd}WebClient has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSende
rInterceptor.java:64) ~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:581) [cxf-rtfrontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:904) [cxf-rt-frontendjaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:772) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:759) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:355) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.post(WebClient.java:381) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at com.cisco.pxgrid.stub.identity.impl.SessionIteratorImpl.open(SessionIteratorImpl.java:128)
[pxgrid-identity-client-stub-1.0.0.jar:1.0.0]
at com.cisco.pxgrid.samples.ise.SessionDownload.main(SessionDownload.java:132) [pxgrid-sdk1.0.0.jar:1.0.0]
Caused by: java.net.UnknownHostException: UnknownHostException invoking
https://ise.lab6.com/pxgrid/mnt/sd/getSessionListByTime: ise.lab6.com
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_25]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
~[na:1.8.0_25]
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
~[na:1.8.0_25]
at java.lang.reflect.Constructor.newInstance(Constructor.java:408) ~[na:1.8.0_25]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxfrt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http2.7.3.jar:2.7.3]
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSende
rInterceptor.java:62) ~[cxf-api-2.7.3.jar:2.7.3]
... 9 common frames omitted
Caused by: java.net.UnknownHostException: ise.lab6.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[na:1.8.0_25]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
at sun.net.NetworkClient.doConnect(NetworkClient.java:175) ~[na:1.8.0_25]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_25]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_25]
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275) ~[na:1.8.0_25]
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371) ~[na:1.8.0_25]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnec
tion.java:191) ~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1103)
~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:997)
~[na:1.8.0_25]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java
:177) ~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1281)
~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1256)
~[na:1.8.0_25]
Cisco Systems 2015

Page 20

SECURE ACCESS HOW-TO GUIDES

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
~[na:1.8.0_25]
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(UR
LConnectionHTTPConduit.java:170) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282
) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233)
~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConne
ctionHTTPConduit.java:183) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxfapi-2.7.3.jar:2.7.3]
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxfrt-transports-http-2.7.3.jar:2.7.3]
... 12 common frames omitted
20:18:07.185 [main] WARN c.c.p.s.i.impl.SessionIteratorImpl - unsuccessful attempt made to session directory
ise.lab6.com
javax.ws.rs.client.ClientException: javax.ws.rs.client.ClientException: org.apache.cxf.interceptor.Fault:
Could not send Message.
at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:946) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:905) ~[cxf-rt-frontendjaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:772) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:759) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:355) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.post(WebClient.java:381) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at com.cisco.pxgrid.stub.identity.impl.SessionIteratorImpl.open(SessionIteratorImpl.java:128)
~[pxgrid-identity-client-stub-1.0.0.jar:1.0.0]
at com.cisco.pxgrid.samples.ise.SessionDownload.main(SessionDownload.java:132) [pxgrid-sdk1.0.0.jar:1.0.0]
Caused by: javax.ws.rs.client.ClientException: org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:522) ~[cxf-rtfrontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:508) ~[cxf-rtfrontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:941) ~[cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
... 7 common frames omitted
Caused by: org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSende
rInterceptor.java:64) ~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:581) ~[cxfrt-frontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:904) ~[cxf-rt-frontendjaxrs-2.7.3.jar:2.7.3]
... 6 common frames omitted
Caused by: java.net.UnknownHostException: UnknownHostException invoking
https://ise.lab6.com/pxgrid/mnt/sd/getSessionListByTime: ise.lab6.com
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_25]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
~[na:1.8.0_25]
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
~[na:1.8.0_25]
at java.lang.reflect.Constructor.newInstance(Constructor.java:408) ~[na:1.8.0_25]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
~[cxf-rt-transports-http-2.7.3.jar:2.7.3]

Cisco Systems 2015

Page 21

SECURE ACCESS HOW-TO GUIDES

at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxfrt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http2.7.3.jar:2.7.3]
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSende
rInterceptor.java:62) ~[cxf-api-2.7.3.jar:2.7.3]
... 9 common frames omitted
Caused by: java.net.UnknownHostException: ise.lab6.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[na:1.8.0_25]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
at sun.net.NetworkClient.doConnect(NetworkClient.java:175) ~[na:1.8.0_25]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_25]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_25]
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275) ~[na:1.8.0_25]
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371) ~[na:1.8.0_25]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnec
tion.java:191) ~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1103)
~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:997)
~[na:1.8.0_25]
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java
:177) ~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1281)
~[na:1.8.0_25]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1256)
~[na:1.8.0_25]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
~[na:1.8.0_25]
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(UR
LConnectionHTTPConduit.java:170) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282
) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233)
~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConne
ctionHTTPConduit.java:183) ~[cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxfapi-2.7.3.jar:2.7.3]
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxfrt-transports-http-2.7.3.jar:2.7.3]
... 12 common frames omitted
Exception in thread "main" java.io.IOException: unsuccessful attempts made to all session directories
at com.cisco.pxgrid.stub.identity.impl.SessionIteratorImpl.open(SessionIteratorImpl.java:148)
at com.cisco.pxgrid.samples.ise.SessionDownload.main(SessionDownload.java:132)

Cisco Systems 2015

Page 22

You might also like