Cisco Defense Orchestrator

Deploy an On-Premise Secure Device Connector

Cisco Defense Orchestrator (Defense Orchestrator) enables direct communication between supported devices and services to Defense Orchestrator via the Secure Device Connector (SDC). The SDC enables this communication by acting as a proxy between a remote location and Defense Orchestrator cloud services.

This procedure describes how to create an SDC for Defense Orchestrator, installed on-premise, without using Defense Orchestrator's OVA image. 

Note: The preferred, easiest, and most reliable way to install an on-premise SDC is to download our SDC OVA image and install it. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image for those instructions.

Prerequisites

  • The SDC requires full outbound access on TCP port 443.
  • Users performing this procedure should be comfortable working in a Linux environment and using the vi visual editor for editing files.
  • Defense Orchestrator requires strict certificate checking and does not support a Web/Content Proxy between the SDC and the Internet.
  • If you are installing your on-premise SDC on a CentOS virtual machine, we recommend you install Yum security patches on a regular basis. Depending on your Yum configuration, to acquire Yum updates, you may need to open outbound access on ports 80 and 443. You will also need to configure yum-cron or crontab to schedule the updates. Work with your security-operations team to determine if any security policies need to change to allow you to get the Yum updates.

Procedure

  1. From the Secure Device Connectors page, select the “Deploy an On-Premises Secure Device Connector” option.

[Screenshot: Deploy an SDC screen]

  2. Copy the bootstrap data shown in step 2 of that window to a notepad.
  3. Install a CentOS 7 virtual machine with at least the following RAM and disk space allotted to the SDC:
  • 2GB of RAM
  • 10GB disk space
  4. Once installed, configure basic networking such as specifying the IP address for the SDC, the subnet mask, and gateway.
  5. Configure a DNS (Domain Name Server) server.
  6. Configure an NTP (Network Time Protocol) server.
  7. Install an SSH server on CentOS for easy interaction with the SDC’s CLI.
  8. Run a Yum update and then install the packages open-vm-tools, net-tools, and bind-utils:
[root@sdc-vm ~]# yum update -y
[root@sdc-vm ~]# yum install -y open-vm-tools net-tools bind-utils
  9. Install the AWS CLI package.

Note: Do not use the --user flag.

  10. Install the Docker CE packages.

Note: Use the “Install using the repository” method.

  11. Start the Docker service and enable it to start on boot:
[root@sdc-vm ~]# systemctl start docker
[root@sdc-vm ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to
    /usr/lib/systemd/system/docker.service.
  12. Create two users: "cdo" and "sdc". The cdo user is the one you log in with to run administrative functions (so you don’t need to use the root user directly), and the sdc user runs the SDC Docker container.
[root@sdc-vm ~]# useradd cdo
[root@sdc-vm ~]# useradd sdc -d /usr/local/cdo
  13. Set a password for the cdo user.
[root@sdc-vm ~]# passwd cdo
Changing password for user cdo.
New password: <type password>
Retype new password: <type password>
passwd: all authentication tokens updated successfully.
  14. Add the cdo user to the “wheel” group to give it administrative (sudo) privileges.
[root@sdc-vm ~]# usermod -aG wheel cdo
[root@sdc-vm ~]#
  15. When Docker is installed, a user group is created. Depending on the version of CentOS/Docker, this may be called either “docker” or “dockerroot”. Check the /etc/group file to see which group was created, and then add the sdc user to this group.
[root@sdc-vm ~]# grep docker /etc/group
docker:x:993:
[root@sdc-vm ~]#
[root@sdc-vm ~]# usermod -aG docker sdc
[root@sdc-vm ~]#
  16. If the /etc/docker/daemon.json file does not exist, create it and populate it with the contents below. Once created, restart the Docker daemon.

Note: Make sure that the group name entered in the “group” key matches the group you found in the /etc/group file in step 15.

[root@sdc-vm ~]# cat /etc/docker/daemon.json
{
     "live-restore": true,
     "group": "docker"
}
[root@sdc-vm ~]# systemctl restart docker
[root@sdc-vm ~]#
  17. If you are currently using a vSphere console session, switch over to SSH and log in as the “cdo” user. Once logged in, change to the “sdc” user. When prompted for a password, enter the password for the “cdo” user.
[cdo@sdc-vm ~]$ sudo su - sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
  18. Change directories to /usr/local/cdo.
  19. Create a new file called bootstrapdata and paste the bootstrap data you copied from the CDO window into this file. Save the file. You can use vi or nano to create the file.
  20. The bootstrap data comes encoded in base64. Decode it and write the result to a file called extractedbootstrapdata:
[sdc@sdc-vm ~]$ base64 -d /usr/local/cdo/bootstrapdata > /usr/local/cdo/extractedbootstrapdata
[sdc@sdc-vm ~]$

The decoded data should look something like this (one KEY=VALUE pair per line):

CDO_TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2ZXIiOiIwIiwic3Vic2NyaXB0aW9ucyI6WyJoeWJyaWQtMi4wIiwibmdmdyIsInZpc2liaWxpdHkiLCJJVEQtQmFzZSJdLCJ1c2VyX25hbWUiOiJhZ2l1bnRhQGNpc2NvLmNvbSIsInNjb3BlIjpbInRydXN0IiwicmVhZCIsIndyaXRlIiwiMmUxZjU5MjEtMDRjYy00NmIzLWEzNWItYzRjOWMzYjc4Mzc3Il0sImlzcyI6Iml0ZCIsImlkIjoiZjJmYTYyZTUtOGUyNy00MTdiLWFlZTctY2FkMDU4ODQ5ODFmIiwic3BpZCI6IkNETyIsInN1YmplY3RUeXBlIjoidXNlciIsImF1dGPTWRerBUPCEz3ELArxY11d-0cfWYk-QBc5JEcpF7EE3F4LXz4bcXRBOesCTzxwSxEoME0jdBuvjStBKOB_TlvFuzcXZ32dn4mqmaCKezk7--vyZhcwr6VUfxkHjTUHkFUBLXyy0OnU4nS2eMILdiuHsLBQzMp3OTw6Lkp4bUZ0DwFneg3KzoKAyXrVbj53lJJ0_i4Qvv8_7Kp7feJxV_zJrIiqI9rKx2_AF5rM985s4tuQ9ykI9vFXJvdCxJQicX8wrc2gWb_pJjr0l7wps1Kc7svYe0RxQAAAN3O_-Mg6bXUZE_yxybLfQNqawQtFN_Jtg"
CDO_DOMAIN=www.defenseorchestrator.com
CDO_TENANT="tenant_name"
CDO_BOOTSTRAP_URL="https://www.defenseorchestrator.com/sdc/bootstrap/tenant-name/tenant-name-SDC"

  21. Run the following command to export the sections of the decoded bootstrap data as environment variables:
[sdc@sdc-vm ~]$ sed -e 's/^/export /g' extractedbootstrapdata > sdcenv && source sdcenv
[sdc@sdc-vm ~]$
  22. Download the bootstrap bundle from CDO:
[sdc@sdc-vm ~]$ curl -O -H "Authorization: Bearer $CDO_TOKEN" "$CDO_BOOTSTRAP_URL"
100 10314 100 10314 0 0 10656 0 --:--:-- --:--:-- --:--:-- 10654
[sdc@sdc-vm ~]$ ls -l /usr/local/cdo/*SDC
-rw-rw-r--. 1 sdc sdc 10314 Jul 23 13:48 /usr/local/cdo/tenant-name-SDC
  23. Extract the SDC tarball, and run the bootstrap.sh file to install the SDC package:
[sdc@sdc-vm ~]$ tar xzvf /usr/local/cdo/tenant-name-SDC
<snipped – extracted files>
[sdc@sdc-vm ~]$
[sdc@sdc-vm ~]$ /usr/local/cdo/bootstrap/bootstrap.sh
[2018-07-23 13:54:02] environment properly configured
download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
toolkit.sh
common.sh
[2018-07-23 13:54:04] startup new container
Unable to find image 'ciscodefenseorchestrator/sdc_prod:latest' locally
sha256:d98f17101db10e66db5b5d6afda1c95c29ea0004d9e4315508fd30579b275458: Pulling from
ciscodefenseorchestrator/sdc_prod
08d48e6f1cff: Pull complete
ebbd10b629b1: Pull complete
d14d580ef2ed: Pull complete
45421d451ab8: Pull complete
<snipped – downloads>
no crontab for sdc

The SDC should now show "Active" in Defense Orchestrator.
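The decode, export and download steps above turn the decoded bootstrap file into shell and `source` it, so every line in that file runs as a command. The following added example (not Cisco's documentation or SDC code; the function names and sample files are constructed for illustration) parses the file as KEY=VALUE pairs instead, accepts only the four keys shown above, handles the unbalanced-quote case, and checks that the bundle URL is https on the tenant's own CDO domain before the bearer token is sent with it.

```shell
#!/bin/sh
# Added example, not from Cisco's documentation or the SDC package.
# Parse the decoded bootstrap file as KEY=VALUE lines instead of `source`-ing it:
# only the four documented keys are accepted, quotes must be balanced, and shell
# metacharacters in values are refused. Returns 0 on success, 1 on any problem.
load_bootstrap_env() {
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue                      # skip blank lines
        case $line in *=*) ;; *) return 1 ;; esac       # must be KEY=VALUE
        key=${line%%=*}
        val=${line#*=}
        case $key in
            CDO_TOKEN|CDO_DOMAIN|CDO_TENANT|CDO_BOOTSTRAP_URL) ;;
            *) return 1 ;;                              # undocumented key: refuse
        esac
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;      # strip balanced quotes
            \"*|*\") return 1 ;;                        # unbalanced quote
        esac
        case $val in *' '*|*'$'*|*'`'*|*';'*) return 1 ;; esac
        export "$key=$val"
        seen="$seen $key"
    done < "$1"
    for k in CDO_TOKEN CDO_DOMAIN CDO_TENANT CDO_BOOTSTRAP_URL; do
        case " $seen " in *" $k "*) ;; *) return 1 ;; esac  # all four present?
    done
    return 0
}

# The bundle is fetched with the bearer token; require https on the tenant's
# own CDO domain (the page requires strict certificate checking and no proxy)
# before the token is ever sent.
check_bootstrap_url() {
    case $CDO_BOOTSTRAP_URL in
        "https://$CDO_DOMAIN/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (fake, truncated token), not real bootstrap data.
SAMPLE_GOOD=$(mktemp)
printf '%s\n' 'CDO_TOKEN="eyJhbGciOiJSUzI1NiJ9.FAKE.PAYLOAD"' \
    'CDO_DOMAIN=www.defenseorchestrator.com' 'CDO_TENANT="tenant_name"' \
    'CDO_BOOTSTRAP_URL="https://www.defenseorchestrator.com/sdc/bootstrap/tenant-name/tenant-name-SDC"' \
    > "$SAMPLE_GOOD"
# A stray command line would run under `source`; here it is refused.
SAMPLE_BAD=$(mktemp)
printf '%s\n' 'CDO_DOMAIN=www.defenseorchestrator.com' 'echo unexpected' > "$SAMPLE_BAD"
```

Run `load_bootstrap_env /usr/local/cdo/extractedbootstrapdata && check_bootstrap_url` in place of the `sed ... && source sdcenv` line; the variables are then exported in the current shell exactly as the original step expects.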