Field Notice: FN - 70122 - Cisco Identity Services Engine – Posture and BYOD Package Updates Will Fail Without ISE Trust Store Update to New HydrantID Root Certificates - Software Upgrade Recommended

Available Languages

Updated:January 30, 2018

Document ID:FN70122

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	30-Jan-18	Initial Release

Products Affected

Affected OS Type	Affected Release	Affected Release Number	Comments
NON-IOS	1	1.3, 1.0, 1.1, 1.2, 1.4	All versions
NON-IOS	2	2.3.0, 2.0.1, 2.0, 2.2.0, 2.1.0	All versions

Defect Information

Defect ID	Headline
CSCvh50630	Adding Hydrant certificate chain to ISE default trust certificate store

Problem Description

Cisco Identity Services Engine (ISE) Posture and Bring Your Own Device (BYOD) package updates will fail if the ISE trust store is not updated with the new HydrantID root certificates.

Background

ISE connects to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD. On February 14^th, 2018, Cisco will renew the certificate for that SSL connection. The new certificate has a root certificate signed by QuoVadis.

Problem Symptom

Only ISE deployments with Posture or BYOD updates enabled are affected by this change. After Cisco replaces the certificate on the update servers, Posture and BYOD updates will no longer function for systems that have not updated to the new HydrantID root certificates.

Error messages will be displayed when the system has not been updated to new root certificates. Examples of these messages are shown here:

Workaround/Solution

In order to resolve this issue, complete these steps to install the new root certificate chain provided at Cisco.com and trust it for authentication of Cisco Services:

Choose Administration > System > Certificates > Trusted Certificates and click Import.
Browse and choose QuoVadisRootCA2.crt. Check the Trust for authentication of Cisco Services check box and click Submit.
Click Yes in order to accept the SHA-1 warning.
Repeat steps 1 to 3 in order to import the HydrantIDSSLICAG2.crt certificate.

Service is restored. To verify, choose Updates from the Posture option under Administration > System > Settings. In the Posture Updates section, click Update Now. A successful message will display similar to the one in this screenshot:

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Identity Services Engine Software