


Cisco Defense Orchestrator

Deploy an On-Premise Secure Device Connector


The Secure Device Connector (SDC) acts as a proxy between Cisco Defense Orchestrator (CDO) cloud services and the device it manages. This article describes how to build your own server and install SDC on it without using our OVA image.

Note: The preferred, easiest, and most reliable way to install an on-premise SDC is to download our SDC OVA image and install it. See Deploy an On-Premises Secure Device Connector Using CDO's VM Image for those instructions.


  • Users performing this procedure should be comfortable working in a Linux environment and using the vi visual editor for editing files.
  • CDO requires strict certificate checking and does not support a Web/Content Proxy between the SDC and the Internet.
  • The on-premise SDC works best with full outbound access on TCP port 443.
  • Prepare a docker host, either physical or virtual:
    • A CentOS virtual machine with 2GB of memory and 10GB disk space to support the SDC. We support the latest version of CentOS.
    • A physical device requires you to install a Linux server that can run a Docker Engine. The Linux server should have a minimum of 2GB of memory and 10GB disk space to support the SDC.
  • Install the latest version of Amazon AWS CLI on either the virtual or physical machine.
  • If you are installing your on-premise SDC on a CentOS virtual machine, we recommend that you install Yum security patches on a regular basis. Depending on your Yum configuration, you may need to open outbound access on ports 80 and 443 to acquire Yum updates. You will also need to configure yum-cron or crontab to schedule the updates. Work with your security-operations team to determine whether any security policies need to change to allow you to get the Yum updates.

Deploy the On-Premise SDC

To deploy your on-premise SDC, perform these two tasks:

  1. Create the SDC Server
  2. Install the On-Premise SDC

Create the SDC Server

To create the SDC server, follow these instructions:

  1. Enable and start Docker Engine using the following commands:
     sudo systemctl enable docker.service
     sudo systemctl start docker
  2. Configure DNS (Domain Name Servers).
  3. Configure NTP (Network Time Protocol).
  4. Open /etc/selinux/config in vi and verify what "SELINUX" is set to.
     [sdc@cdo-sdc ~]$ vi /etc/selinux/config
  5. If SELINUX is set to SELINUX=enforcing, change it to SELINUX=permissive.
  6. If you had to make a change to the file, save your change and restart the Linux server or CentOS virtual machine.
  7. Prepare an OS user named "sdc" using the following commands:
     sudo adduser -d /usr/local/cdo sdc
     sudo usermod -aG docker sdc

Important notes for those creating a VM using CentOS 7.4/7.5

  1. If you installed Docker on a CentOS 7.4/7.5 VM using yum install docker, the group name might be dockerroot instead of docker. In that case, use this sudo usermod command instead of the one above:
     sudo usermod -aG dockerroot sdc
  2. You might also have to create a daemon.json file and edit it. If this is the case, follow these instructions:
     a. Create the daemon.json file using this command:
        sudo vi /etc/docker/daemon.json
     b. Add these lines to the daemon.json file (the file must be a single JSON object, so include the surrounding braces):
        {
          "live-restore": true,
          "group": "dockerroot"
        }
     c. Save the daemon.json file by typing :wq
     d. Restart Docker:
        sudo systemctl restart docker

Then continue the server setup:

  8. Set ownership of the entire /usr/local/cdo/ directory to the sdc user:
     [user1@cdo-sdc ~]$ sudo chown -R sdc:sdc /usr/local/cdo/
  9. Log in as the sdc user:
     [user1@cdo-sdc ~]$ sudo su - sdc
  10. Remain logged in to the Linux session while you continue with the next procedure, Install the On-Premise SDC.

Install the On-Premise SDC

  1. Log in to your tenant at the URL for your region.
  2. Click your account in the top right-hand corner, and select the Secure Device Connectors option.
  3. Select the Request On-Prem SDC option. This creates an SDC entry in the Onboarding state. This state remains until you complete the SDC registration on the VM.

  4. In the dialog box that opens, click Copy Bootstrap Data to copy the entire bootstrap data string and then click OK.
  5. In the docker host, create a bootstrap data file, paste into it the bootstrap data string from step 4, and save the file:
     [sdc@cdo-sdc ~]$ vi bootstrapdata
     Insert the bootstrap data string in the file.
     Save the file by typing :wq
  6. Decode the base64 contents of the bootstrapdata file into a new file called "extractedbootstrapdata":
     [sdc@cdo-sdc ~]$ base64 -d bootstrapdata > extractedbootstrapdata
  7. Set the CDO_TOKEN, CDO_BOOTSTRAP_URL, and CDO_TENANT environment variables from the decoded bootstrap data (the awk command writes an export line for each entry into sdcenv, which you then source):
     [sdc@cdo-sdc ~]$ cat extractedbootstrapdata | awk -F\" '{print "export " $1 $2}' >> sdcenv
     [sdc@cdo-sdc ~]$ source sdcenv
  8. Download the bootstrap tarball from your tenant:
     [sdc@cdo-sdc ~]$ curl -O -H "Authorization: Bearer $CDO_TOKEN" "$CDO_BOOTSTRAP_URL"
  9. Set the CDO_ZIP environment variable from the CDO_TENANT value:
     [sdc@cdo-sdc ~]$ export CDO_ZIP=$CDO_TENANT"-SDC"
  10. Extract the bootstrap tarball you just downloaded:
     bash-4.2$ tar -xzvf $CDO_ZIP
  11. Run the bootstrap script as the sdc user to start the installation:
     bash-4.2$ ./bootstrap/
     [2016-10-20 09:11:16] environment properly configured
     download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
     [2016-10-20 09:11:18] startup new container
     no crontab for sdc

At this point your SDC should show as Active in the CDO GUI. 
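The decode, awk and export steps of the install procedure above, together with the SELinux check from Create the SDC Server, rehearsed on constructed sample data so the transformations can be checked before they are run against real tenant data. This is an added example, not Cisco's code and not part of the SDC toolkit; the KEY="value" layout assumed for the decoded bootstrap data, the file names under a temporary directory, and every sample value (token, URL, tenant name) are assumptions.

```shell
#!/bin/bash
# Added example, not Cisco's code: rehearses the bootstrap-data handling from
# the install procedure on constructed sample data, and checks the SELinux
# setting the server procedure asks you to verify. File names, sample values
# and the KEY="value" layout of the decoded bootstrap data are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of what the decoded bootstrap data is assumed to look
# like. Real values come from the Copy Bootstrap Data dialog; these are fake.
printf '%s\n' \
  'CDO_TOKEN="not-a-real-token"' \
  'CDO_BOOTSTRAP_URL="https://bootstrap.example.invalid/sdc.tar.gz"' \
  'CDO_TENANT="example-tenant"' \
  | base64 | tr -d '\n' > "$WORK/bootstrapdata"

# Constructed sample /etc/selinux/config with a comment line, as on CentOS.
printf '%s\n' '# This file controls the state of SELinux on the system.' \
  'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$WORK/selinux_config"

# Install step 6: base64-decode the pasted string.
extract_bootstrap() {            # $1 = bootstrapdata file, $2 = output file
  base64 -d "$1" > "$2"
}

# Install step 7: turn each KEY="value" line into an export line. Unlike the
# page's one-liner, the value is written back quoted so a value containing
# shell metacharacters cannot be misinterpreted when the file is sourced,
# and blank lines are skipped.
build_sdcenv() {                 # $1 = decoded file, $2 = env file to write
  awk -F'"' '$1 != "" { print "export " $1 "\"" $2 "\"" }' "$1" > "$2"
}

# Install step 9: the archive name is the tenant name with "-SDC" appended.
zip_name() {                     # $1 = tenant name
  printf '%s-SDC\n' "$1"
}

# Server step 4: read the effective SELINUX= value, ignoring comment lines.
selinux_mode() {                 # $1 = path to a selinux config file
  sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# Returns 0 when the mode is one the page accepts (permissive or disabled),
# 1 when it is enforcing and must be changed before the SDC is installed.
selinux_ok() {                   # $1 = path to a selinux config file
  case "$(selinux_mode "$1")" in
    permissive|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk the steps on the sample data.
extract_bootstrap "$WORK/bootstrapdata" "$WORK/extractedbootstrapdata"
build_sdcenv "$WORK/extractedbootstrapdata" "$WORK/sdcenv"
. "$WORK/sdcenv"
echo "tenant=$CDO_TENANT archive=$(zip_name "$CDO_TENANT")"
echo "token set: $([ -n "$CDO_TOKEN" ] && echo yes || echo no)"
if selinux_ok "$WORK/selinux_config"; then
  echo "SELinux mode OK"
else
  echo "SELinux is $(selinux_mode "$WORK/selinux_config"); set SELINUX=permissive and reboot"
fi
```

Two details differ from the page's commands on purpose: the page's awk one-liner appends to sdcenv with >>, so running it a second time leaves duplicate export lines in the file, while this example overwrites it; and the example keeps each value quoted in the export line, which the page's version does not.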



If your SDC does not show as Active and you receive the error "IPv4 forwarding is disabled. Networking will not work.", you may need to enable IPv4 forwarding on the VM. Exit the sdc user session and run the sysctl command with sudo as shown in the example below:

bash-4.2$ exit
[user1@cdo-sdc ~]$ 
[user1@cdo-sdc ~]$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Go back to the "Log in as the sdc user" step in Create the SDC Server and repeat the instructions from that point.
