Cisco Defense Orchestrator

Deploy an On-Premise Secure Device Connector

Overview

The Secure Device Connector (SDC) acts as a proxy between Cisco Defense Orchestrator (CDO) cloud services and the device it manages. This article describes how to build your own server and install SDC on it without using our OVA image.

Note: The preferred, easiest, and most reliable way to install an on-premise SDC is to download our SDC OVA image and install it. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image for those instructions.

Prerequisites

  • Users performing this procedure should be comfortable working in a Linux environment and using the vi visual editor for editing files.
  • CDO requires strict certificate checking and does not support a Web/Content Proxy between the SDC and the Internet.
  • The on-premise SDC works best with full outbound access on TCP port 443.
  • Prepare a docker host, either physical or virtual:
    • A CentOS virtual machine with 2GB of memory and 10GB disk space to support the SDC. We support the latest version of CentOS.
    • A physical device requires you to install a Linux server that can run a Docker Engine. The Linux server should have a minimum of 2GB of memory and 10GB disk space to support the SDC.
  • Install the latest version of Amazon AWS CLI on either the virtual or physical machine.

Deploy the On-Premise SDC

To deploy your on-premise SDC, perform these two tasks:

  1. Create the SDC Server
  2. Install the On-Premise SDC

Create the SDC Server

To create the SDC server, follow these instructions:

  1. Enable and start Docker Engine using the following commands:
     sudo systemctl enable docker.service
     sudo systemctl start docker
  2. Configure DNS (Domain Name Servers).
  3. Configure NTP (Network Time Protocol).
  4. Open /etc/selinux/config in vi and verify what "SELINUX" is set to.
     [sdc@cdo-sdc ~]$ vi /etc/selinux/config
  5. If SELINUX is set to SELINUX=enforcing, change it to SELINUX=permissive.
  6. If you had to make a change to the file, save your change and restart the Linux server or CentOS virtual machine.
  7. Prepare an OS user named "sdc" using the following commands:
     sudo adduser -d /usr/local/cdo sdc
     sudo usermod -aG docker sdc

Important notes for those creating a VM using CentOS 7.4/7.5

  • If you installed docker on a CentOS 7.4/7.5 VM using yum install docker, the group name might be dockerroot instead of docker. In that case, use this sudo usermod command instead of the one above:
     sudo usermod -aG dockerroot sdc
  • You might also have to create a daemon.json file and edit it. If this is the case, follow these instructions:
    1. Create the daemon.json file using this command:
       sudo vi /etc/docker/daemon.json
    2. Add these lines to the daemon.json file:
       {
           "live-restore": true,
           "group": "dockerroot"
       }
    3. Save the daemon.json file by typing:
       :wq
    4. Restart docker:
       sudo systemctl restart docker

Continue with the remaining steps of the procedure:

  8. Set ownership of the entire /usr/local/cdo/ directory to the sdc user:
     [user1@cdo-sdc ~]$ sudo chown -R sdc:sdc /usr/local/cdo/
  9. Log in as the sdc user:
     [user1@cdo-sdc ~]$ sudo su - sdc
  10. Remain logged in to the Linux session while you continue with the next procedure, Install the On-Premise SDC.

Install the On-Premise SDC

  1. Log into your tenant at https://www.defenseorchestrator.com or https://www.defenseorchestrator.eu depending on your region.
  2. Click your account in the top right-hand corner, and select the Secure Device Connectors option.
  3. Select the Request On-Prem SDC option. This creates an SDC entry in the Onboarding state. This state remains until you complete the SDC registration on the VM.
  4. In the dialog box that opens, click Copy Bootstrap Data to copy the entire bootstrap data string and then click OK.
  5. In the docker host, create a bootstrap data file, paste into it the bootstrap data string from step 4, and save the file:
     [sdc@cdo-sdc ~]$ vi bootstrapdata
     Insert the bootstrap data string in the file.
     Save the file by typing :wq
  6. Decode the contents of the bootstrapdata file into a new file called "extractedbootstrapdata":
     [sdc@cdo-sdc ~]$ base64 -d bootstrapdata > extractedbootstrapdata
  7. Set the CDO_TOKEN variable and the other environment variables contained in the extracted bootstrap data:
     [sdc@cdo-sdc ~]$ cat extractedbootstrapdata | awk -F\" '{print "export " $1 $2}' >> sdcenv
     [sdc@cdo-sdc ~]$ source sdcenv
  8. Get the bootstrap data from your tenant:
     [sdc@cdo-sdc ~]$ curl -O -H "Authorization: Bearer $CDO_TOKEN" "$CDO_BOOTSTRAP_URL"
  9. Create the CDO_ZIP environment variable from the CDO_TENANT variable:
     [sdc@cdo-sdc ~]$ export CDO_ZIP=$CDO_TENANT"-SDC"
  10. Extract the bootstrap tarball you just downloaded:
     bash-4.2$ tar -xzvf $CDO_ZIP
     bootstrap/config.json
     bootstrap
     bootstrap/bootstrap.sh
     bootstrap/common.sh
  11. Run the bootstrap.sh script as the sdc user to start the installation.
     bash-4.2$ ./bootstrap/bootstrap.sh
     [2016-10-20 09:11:16] environment properly configured
     download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
     toolkit.sh
     common.sh
     [2016-10-20 09:11:18] startup new container
     d57ebc48b22a2d0a63a2a11bc3ca0a4c9f9ca2ee3432b52a207668a829c1367e
     no crontab for sdc
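The decode, awk/source and CDO_ZIP steps above turn the bootstrap data into "export" statements and then source them, so every value is re-parsed by the shell. As an added example that is not part of the Cisco article, the following POSIX shell function does the same job while treating the decoded values strictly as data (nothing is sourced) and failing early if CDO_TOKEN, CDO_BOOTSTRAP_URL or CDO_TENANT is missing. It assumes the decoded bootstrap data is one NAME="value" pair per line, which is inferred from the article's awk command; the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the CDO article: load the decoded bootstrap data
# into the environment without generating shell code and sourcing it.
# The article builds "export NAME=value" lines with awk and sources the
# result, so every value is re-parsed by the shell; here the script splits
# each NAME="value" line itself and exports the value as data, then checks
# that the variables the later curl and tar steps need are present.
# Assumption: the decoded bootstrap data holds one NAME="value" pair per
# line (inferred from the awk -F\" command in the article).

load_bootstrap_env() {
    tmp=$(mktemp) || return 1
    if ! base64 -d "$1" > "$tmp"; then
        echo "$1: not valid base64" >&2; rm -f "$tmp"; return 1
    fi
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            *=\"*\") ;;                      # expected NAME="value" shape
            *) printf 'malformed line: %s\n' "$line" >&2; bad=1; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=\"}
        value=${value%\"}
        case "$key" in                       # only plain identifiers are exported
            ''|*[!A-Z0-9_]*) printf 'unsafe name: %s\n' "$key" >&2; bad=1; continue ;;
        esac
        export "$key=$value"
    done < "$tmp"
    rm -f "$tmp"
    [ "$bad" -eq 0 ] || return 1
    for required in CDO_TOKEN CDO_BOOTSTRAP_URL CDO_TENANT; do
        eval "present=\${$required:-}"       # names come from this fixed list
        if [ -z "$present" ]; then
            echo "bootstrap data lacks $required" >&2; return 1
        fi
    done
    CDO_ZIP="$CDO_TENANT-SDC"; export CDO_ZIP # the file name the article's tar step uses
}

# Constructed sample input: the three variables the later steps rely on, one
# holding shell syntax that must survive as literal text.
sample=$(mktemp)
printf 'CDO_TOKEN="tok-$(echo constructed)"\nCDO_BOOTSTRAP_URL="https://bootstrap.example.invalid/acme"\nCDO_TENANT="acme"\n' \
    | base64 > "$sample"
load_bootstrap_env "$sample" && echo "tenant=$CDO_TENANT zip=$CDO_ZIP"
rm -f "$sample"
```

Run it in the sdc user's shell in place of the awk and source lines; the exported variables then feed the curl and tar steps unchanged.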

At this point your SDC should show as Active in the CDO GUI.

Troubleshooting

If your SDC does not show as Active, and you receive the error, "IPv4 forwarding is disabled. Networking will not work." you may need to enable IPv4 forwarding on the VM. Exit out of the sdc user session, and run the sysctl command with sudo as seen in the example below:

bash-4.2$ exit
exit
[user1@cdo-sdc ~]$ 
[user1@cdo-sdc ~]$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Go back to the step in Create the SDC Server where you log in as the sdc user (sudo su - sdc) and follow the instructions from that point.
