2.2.2.x or 2.2.3.x to 2.3.3.x

Fresh Install from the Catalyst Center ISO Image

Offline Install Workflow

An offline Catalyst Center installation involves the following steps:

  1. Download the image.

  2. Verify the downloaded file.

  3. Create a bootable USB drive.

  4. Install the Catalyst Center ISO image.

  5. Configure the Catalyst Center appliance.

  6. Complete the first-time setup.

  7. Accept the device EULA.

  8. Install the applications.

Download the Image

You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the binary image from a Cisco file server.

Procedure


Step 1

Log in to the Cisco file server, which is accessible via the internet.

Step 2

Download the Catalyst Center image (.iso) from the URL provided by Cisco TAC.

Step 3

Download the Cisco public key (cisco_image_verification_key.pub) for signature verification.

Step 4

Download the secure hash algorithm (SHA512) checksum file for the image.

Step 5

Download the binary image's signature file (.sig).


Verify the Downloaded File

Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.

Procedure


Step 1

(Optional) Perform SHA verification to determine whether the binary image is corrupted due to a partial download.

Depending on your OS, enter one of the following commands:

  • Linux:
    sha512sum Catalyst-Center-image-filename
  • Mac:
    shasum -a 512 Catalyst-Center-image-filename

Microsoft Windows does not include a dedicated checksum utility, but you can use the built-in certutil tool:

certutil -hashfile Catalyst-Center-image-filename SHA512

For example:

certutil -hashfile D:\Customers\Catalyst_Center.iso SHA512

On Windows, you can also use Windows PowerShell to generate the digest. Get-FileHash uses SHA256 unless you specify an algorithm, as the following example shows; add -Algorithm SHA512 to get a digest that you can compare with the SHA512 checksum file:

PS C:\Users\Administrator> Get-FileHash -Path D:\Customers\Catalyst_Center.iso
Algorithm   Hash                                                               Path
SHA256      B84B6FFD898A370A605476AC7EC94429B445312A5EEDB96166370E99F2838CB5   D:\Customers\Catalyst_Center.iso

Compare the output of the command you run to the SHA512 checksum file that you downloaded. If the command output does not match, download the binary image again and run the appropriate command a second time. If the output still does not match, contact Cisco support.

Step 2

Verify that the binary image is genuine and from Cisco by verifying its signature:

openssl dgst -sha512 -verify cisco_image_verification_key.pub -signature signature-filename Catalyst-Center-image-filename

This command works in both Mac and Linux environments. For Windows, you must download and install OpenSSL, if you haven’t done so already.

If the binary image is genuine, entering this command displays a Verified OK message. If this message fails to appear, do not install the binary image and contact Cisco support.
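The two verification steps above can be combined into a single fail-closed gate. The following is an added example, not Cisco code: it assumes the checksum file carries the hex digest as its first field, and it uses a constructed throwaway key pair and stand-in file (the function names and fixture file names are hypothetical) so that it runs offline.

```shell
#!/bin/sh
# Added example, not Cisco code. Fail-closed check of a downloaded image:
# exit status 0 only when the SHA512 digest AND the signature both verify.

sha512_of() {
    # sha512sum on Linux, shasum -a 512 on macOS (the tools the procedure names)
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
    else shasum -a 512 "$1"; fi | awk '{print $1}'
}

# Usage: verify_image IMAGE SHA512_FILE SIG_FILE PUBKEY
verify_image() (
    image=$1 sumfile=$2 sig=$3 pubkey=$4
    for f in "$image" "$sumfile" "$sig" "$pubkey"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty file: $f" >&2; exit 2; }
    done
    # Assumption: the checksum file holds the hex digest as its first field.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$image")
    if [ "${#expected}" -ne 128 ] || [ "$expected" != "$actual" ]; then
        echo "FAIL: SHA512 mismatch (corrupt or partial download)" >&2; exit 1
    fi
    # Use openssl's exit status instead of searching output for "Verified OK".
    if ! openssl dgst -sha512 -verify "$pubkey" -signature "$sig" "$image" \
            >/dev/null 2>&1; then
        echo "FAIL: signature did not verify; do not install" >&2; exit 1
    fi
    echo "OK: digest and signature verified for $image"
)

# Constructed fixture so the example runs offline: a throwaway RSA key pair
# stands in for cisco_image_verification_key.pub, a small file for the .iso.
make_fixture() {
    dir=$1
    printf 'constructed stand-in for the image\n' > "$dir/image.iso"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/key.pub" 2>/dev/null
    openssl dgst -sha512 -sign "$dir/key.pem" -out "$dir/image.sig" "$dir/image.iso"
    sha512_of "$dir/image.iso" > "$dir/image.sha512"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
verify_image "$tmp/image.iso" "$tmp/image.sha512" "$tmp/image.sig" "$tmp/key.pub"
# Append one byte to the stand-in image: the digest check now rejects it.
printf 'x' >> "$tmp/image.iso"
verify_image "$tmp/image.iso" "$tmp/image.sha512" "$tmp/image.sig" "$tmp/key.pub" \
    || echo "modified file rejected, as expected"
rm -rf "$tmp"
```

A file whose checksum file has been regenerated to match a modified image still fails the signature step, which is why the digest check alone only detects corruption and the signature check is what ties the image to the publisher's key.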


Create a Bootable USB Drive

After confirming that you downloaded a Cisco ISO image, create a bootable USB drive that contains the Catalyst Center ISO image. For details, see the "Create a Bootable USB Flash Drive" topic in the Cisco Catalyst Center Second-Generation Appliance Installation Guide's "Prepare the Appliance for Configuration" chapter.

Install the Catalyst Center ISO Image

Procedure


Step 1

Connect the bootable USB drive with the Catalyst Center ISO image to the appliance.

Step 2

Log in to Cisco IMC and start a KVM session.

Step 3

Power on or power cycle the appliance:

  • If the appliance is not currently running, choose Power > Power On System.

  • If the appliance is already running, choose Power > Power Cycle System (cold boot).

Step 4

In the resulting pop-up window, click Yes to acknowledge that you are about to execute a server control action.

Step 5

When the Cisco logo appears, either press the F6 key or choose Macros > User Defined Macros > F6 from the KVM menu. The boot device selection menu appears.

Step 6

Select your USB drive and then press Enter.

Step 7

In the GNU GRUB bootloader window, choose Cisco DNA Center Installer and then press Enter.

Note

 

The bootloader automatically boots the Maglev installer if you don't make a selection within 30 seconds.


Configure the Catalyst Center Appliance

When installation of the Catalyst Center ISO image completes, the installer reboots and opens the Maglev Configuration wizard's welcome screen. To configure your appliance for day-to-day use in your network, complete the steps described in one of the following sections:

Complete the First-Time Setup

Procedure


Step 1

After the Catalyst Center appliance reboot is completed, launch your browser.

Step 2

Enter the host IP address to access the Catalyst Center GUI, using HTTPS:// and the IP address of the Catalyst Center GUI that was displayed at the end of the configuration process.

After entering the IP address, one of the following messages appears (depending on your browser):

  • Google Chrome: Your connection is not private

  • Mozilla Firefox: Warning: Potential Security Risk Ahead

Step 3

Ignore the message and click Advanced. One of the following messages appears:

  • Google Chrome: This server could not prove that it is GUI-IP-address; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

  • Mozilla Firefox: Someone could be trying to impersonate the site and you should not continue. Websites prove their identity via certificates. Firefox does not trust GUI-IP-address because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

These messages appear because the controller uses a self-signed certificate. For information on how Catalyst Center uses certificates, see the "Certificate and Private Key Support" section in the Cisco Catalyst Center Administrator Guide.

Step 4

Ignore the message and do one of the following:

  • Google Chrome: Click the Proceed to <GUI-IP-address> (unsafe) link.

  • Mozilla Firefox: Click Accept the Risk and Continue.

The Catalyst Center Login window appears.

Step 5

In the Login window, enter the admin's username (admin) and password that you set when you configured Catalyst Center, then click Log In.

The Reset Login window appears.

Step 6

Enter the old password, enter and confirm a new password for the admin superuser, and then click Save.

The Enter Cisco.com ID window appears.

Step 7

(Skip this step) Enter the username and password for the cisco.com user, then click Next. If the cisco.com user login does not match any known Cisco Smart Account user login, the Smart Account window appears.

Step 8

(Skip this step) If the Smart Account window appears, enter the username and password for your organization's Smart Account, or click the corresponding link to open a new Smart Account. After you are finished, click Next.

The IP Address Manager window appears.

Step 9

If your organization uses an external IP address manager (IPAM), do the following and then click Next:

  • Enter your IPAM server's name and URL.

  • Enter the username and password required for server access.

  • Choose your IPAM provider (such as Infoblox).

  • Choose the specific view of IP addresses available in the IPAM server database that you want Catalyst Center to use.

The Enter Proxy Server window appears.

Step 10

Click Next.

The software EULA window appears.

Step 11

Click Next to accept the software End User License Agreement and continue.

The Ready to go! window appears.

Step 12

We recommend that you click the User Management link to display the User Management window. Then click Add to begin adding new Catalyst Center users. After you have entered the new user's name and password, and selected the user's role, click Save to create the new user. Repeat this as needed until you have added all the new users for your initial deployment. Be sure to create at least one user with the NETWORK-ADMIN-ROLE.


Accept the Device EULA

Procedure


Step 1

Log in to the Catalyst Center cluster and change directories to the desired location. For example:

$ cd /mnt/install-artifacts/eula
$ ls
finalize_offline_installation-1.3.0.147.bin

Step 2

Change the permissions:

$ sudo chmod 755 finalize_offline_installation-1.3.0.147.bin
[sudo] password for maglev:

Step 3

Enter the following command:

$ sudo ./finalize_offline_installation-1.3.0.147.bin -Y

The -Y argument indicates that you are accepting the Catalyst Center software license EULA.

Note

 

In the Catalyst Center GUI under Design > Image Repository, the image EULA is still shown as not accepted, but this is expected and has no functional impact.


Install the Applications

After you complete the preceding tasks, the applications that the uber ISO loaded must be installed.

Procedure


Step 1

From the top-left corner, click the menu icon and choose System > Software Management.

Note

 
At this point, Catalyst Center performs a connectivity check. If there is a connectivity issue, the Software Management window will not display application updates that are currently available.

Step 2

If any application updates are available, they are displayed at the bottom of the window. Do one of the following:

  • To install all of the available application updates, click the Select All link.
  • To install individual application updates, check the appropriate check boxes.

Note

 
To open a slide-in pane that indicates an update's file size and provides a brief description of the corresponding application, click its More details link.

Step 3

Click Install.

Step 4

After Catalyst Center completes a dependency check, click Continue.

The window displays a progress bar for each application that's being updated. The Software Management window updates after all of the updates have been installed.

Step 5

Click the Currently Installed Applications link and confirm that the applications you selected have been updated.


Update from the Catalyst Center Binary Image

Prerequisites

Before upgrading your installed instance of Catalyst Center, review the following prerequisites:

  • Ensure that Catalyst Center does not have internet connectivity.

  • Only a user with SUPER-ADMIN-ROLE permissions can perform a Catalyst Center software update.

  • Create a backup of your Catalyst Center database. For instructions on creating a backup, see the "Backup and Restore" chapter in the Cisco Catalyst Center Administrator Guide.

  • Have the username and password for a cisco.com user account available for the download. This can be any valid cisco.com user account.

  • Allocate enough time for the upgrade process, which can take longer than 6 hours to complete.

  • We strongly recommend that you do not use Catalyst Center or any of its applications or tools while the upgrade is in process.

  • Confirm that the minimum disk requirements are met:

    • The / partition has at least 2 GB of free space.

    • The /data partition has at least 35 GB of free space and is not more than 70% full.

  • Use the df -h command to verify the disk space:

    $ df -h
    Filesystem                          Size  Used Avail Use% Mounted on
    udev                                126G     0  126G   0% /dev
    tmpfs                                26G   14M   26G   1% /run
    /dev/sdb2                            29G   23G  4.5G  84% /
    tmpfs                               126G     0  126G   0% /dev/shm
    tmpfs                               5.0M     0  5.0M   0% /run/lock
    tmpfs                               126G     0  126G   0% /sys/fs/cgroup
    /dev/sdb3                            29G   44M   27G   1% /install2
    /dev/sdb5                           374G   99G  256G  28% /data
    /dev/sdb4                           9.3G  601M  8.2G   7% /var
    /dev/sdc1                           420G  1.4G  397G   1% /data/maglev/srv/fusion
    /dev/sdc2                           1.4T   41G  1.3T   4% /data/maglev/srv/maglev-system
    /dev/sdd1                           3.5T  243M  3.3T   1% /data/maglev/srv/ndp
    glusterfs-server.maglev-…ault_vol   1.4T   54G  1.3T   5% /mnt/glusterfs/default_vol
    [Fri Jan 10 18:59:27 UTC] maglev@10.82.128.100 (maglev-master-10-82-128-100) /
    $

If you receive a storage validation failed error, contact the Cisco TAC.
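The disk minimums listed above can be checked mechanically instead of by reading the df -h table. The following is an added example, not Cisco code: check_disk_prereqs, page_sample and constructed_bad are hypothetical names, the first sample reuses the / and /data rows from the output above, and the second sample is constructed to fail.

```shell
#!/bin/sh
# Added example, not Cisco code. Reads `df -h` output on stdin and checks the
# documented minimums: / needs >= 2 GB free; /data needs >= 35 GB free and
# must be no more than 70% full. Returns 0 only if every check passes.
check_disk_prereqs() {
    awk '
    function gb(v,   n, u) {        # convert a df -h size (4.5G, 601M) to GB
        u = substr(v, length(v)); n = v + 0
        if (u == "T") return n * 1024
        if (u == "G") return n
        if (u == "M") return n / 1024
        if (u == "K") return n / 1048576
        return n / 1073741824       # no suffix: plain bytes
    }
    # NF >= 5 skips wrapped continuation lines that hold only a mount point.
    NF >= 5 && ($NF == "/" || $NF == "/data") {
        seen[$NF] = 1
        need = ($NF == "/") ? 2 : 35
        avail = gb($(NF-2)); used = $(NF-1) + 0
        if (avail < need) {
            printf "FAIL %s: %.1f GB free, need %d GB\n", $NF, avail, need; bad = 1
        }
        if ($NF == "/data" && used > 70) {
            printf "FAIL /data: %d%% full, limit 70%%\n", used; bad = 1
        }
    }
    END {
        if (!seen["/"])     { print "FAIL: no / entry in input"; bad = 1 }
        if (!seen["/data"]) { print "FAIL: no /data entry in input"; bad = 1 }
        if (!bad) print "OK: disk prerequisites met"
        exit bad + 0
    }'
}

# The / and /data rows from the df -h output shown in the prerequisites.
page_sample() {
    cat <<'EOF'
Filesystem  Size  Used Avail Use% Mounted on
/dev/sdb2    29G   23G  4.5G  84% /
/dev/sdb5   374G   99G  256G  28% /data
EOF
}

# Constructed sample: / is short on free space and /data is over 70% full.
constructed_bad() {
    cat <<'EOF'
Filesystem  Size  Used Avail Use% Mounted on
/dev/sdb2    29G   28G  1.2G  96% /
/dev/sdb5   380G  290G   90G  77% /data
EOF
}

page_sample | check_disk_prereqs
constructed_bad | check_disk_prereqs || echo "prerequisites not met"
```

On the appliance, pipe the live output into the function with `df -h | check_disk_prereqs`.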

If the Catalyst Center download, update, or install procedures fail for any reason, always retry the procedure a second time.

Offline Update Workflow

An offline Catalyst Center update involves the following steps:

  1. Raise a TAC request to get access to the image for the air gap/offline update.

  2. Download the Catalyst Center binary image from a Cisco file server (requires access to the internet).

  3. Verify the integrity of the downloaded image.

  4. Transfer the downloaded image to the Catalyst Center cluster in the secure, air gap environment.

  5. SSH to the Catalyst Center cluster and execute the binary.

  6. Log in to the Catalyst Center GUI and perform a system update and an applications update.

Download the Image

You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the binary image from a Cisco file server.

Procedure


Step 1

Log in to the Cisco file server, which is accessible via the internet.

Step 2

Download the image from the Cisco file server. This includes the secure hash algorithm (SHA512) checksum file for the image.


Verify the Downloaded File

Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.

Procedure


Step 1

Perform SHA verification to determine whether the binary image is corrupted due to a partial download.

Depending on your OS, enter one of the following commands:

  • Linux:
    sha512sum Catalyst-Center-image-filename
  • Mac:
    shasum -a 512 Catalyst-Center-image-filename

Microsoft Windows does not include a built-in checksum utility, but you can install a utility from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=11533.

Step 2

Compare the command output (or the output of the Microsoft Windows utility) to the SHA512 checksum file. If the output does not match, download the binary image again and enter the appropriate command a second time. If the output still does not match, contact Cisco support.


Transfer the File to Cisco DNA Center

Procedure


Step 1

Use a supported file transfer mechanism (SCP or SFTP) to transfer the downloaded image to the /data/tmp partition on the Cisco DNA Center cluster. When using USB, first transfer the image to a terminal in the air-gapped network, and then transfer it from there to the /data/tmp partition on the Cisco DNA Center cluster (via SCP or SFTP).

Step 2

After transferring the image to the Cisco DNA Center cluster, perform SHA verification again to check if the file was corrupted in the process.


Considerations for a Three-Node Cluster

Procedure


Step 1

For a three-node Catalyst Center cluster, copy the bin file to the node where the catalogserver pod is running.

Step 2

To determine the IP address of the node where the catalog server is running, enter:

magctl service status catalogserver | grep Node:

For example, the output is similar to the following:

$ magctl service status catalogserver | grep Node:
Node: 192.192.192.72/192.192.192.72

[Thu Mar 19 22:59:48 UTC]maglev@192.192.192.68(maglev-master-192-192-192-68) ~
$

In this example, copy the bin file to the /data/tmp partition on 192.192.192.72.


Execute the Binary File

Procedure


Step 1

Use SSH to log in to the Catalyst Center cluster.

Step 2

Enter the following command to add execute permission:

chmod +x <uber-bin-file>

Step 3

Enter the following command to execute the binary file:

sudo ./<uber-bin-file>

The command has the following output:

$ sudo ./<bin-filename>.bin
[sudo] password for maglev:
=============================
Welcome to DNAC offline update
=============================
Please provide your credentials to get started
[administration] username: admin <Catalyst Center login/password combo>
[administration] password for admin: <Catalyst Center password>

Step 4

Executing the binary file updates the local catalog for the system and application packages. Locate the Installation SUCCESSFUL status message, which indicates that the bin file executed successfully.

You can track the current status of the process by tailing the log file <bin-filename>-install.log. If required, you can also verify the logs under /var/log/offlineupdates/.


Perform an Offline Update

This section applies only if you are upgrading from Cisco DNA Center 2.2.2.x or 2.2.3.x to 2.3.3.x.

If you are on a release earlier than 2.2.2.x, you must first upgrade to at least 2.2.2.x before completing the following steps.

Procedure


Step 1

After successful execution of the binary file, log in to the Cisco DNA Center GUI.

Step 2

From the top-left corner, click the menu icon and choose System > Software Updates.

A system update appears on the Software Updates window. Click Update.

Step 3

After the system update is complete, install the Cisco DNA Center 2.3.3.x application packages:

  1. From the top-left corner, click the menu icon and choose System > Software Management.

  2. The Software Management window indicates that Cisco DNA Center 2.3.3.x is available. Click Install now.

  3. After Cisco DNA Center completes its prechecks, click Install.

  4. (Optional) Click the View Details link to open a slide-in pane that lists the packages that are being installed and displays their progress.

  5. Click the Currently Installed Applications link and confirm that each application has been updated.


Update the Knowledge Pack for a PSIRT Scan

Offline Update of Knowledge Pack

An offline knowledge pack update involves the following steps:

  1. Download the knowledge pack file.

  2. Export the file to USB or other transferrable medium.

  3. Import the file to Catalyst Center on an air-gap device.

Export to USB or Other Transferrable Medium

Procedure


Step 1

Confirm that the file is in .tar.gz format.

Step 2

Transfer the downloaded file to USB (or other medium).


Import to Catalyst Center on an Air-Gap Device

Procedure


Step 1

Insert the USB into the device.

Step 2

In the Catalyst Center GUI, click the menu icon and choose System > Settings > Machine Reasoning.

Step 3

To import to Catalyst Center, click Import.

Step 4

Select the .tar.gz file from the USB to upload.


Download the Latest KGV File for Integrity Verification

Complete the following procedure to download the KGV file you'll use for integrity verification.

Procedure


Step 1

Using a device with internet access, download the Cisco_KnownGoodValues.tar KGV file from the following URL: https://tools.cisco.com/cscrdr/security/center/files/trust/Cisco_KnownGoodValues.tar.

Step 2

Transfer this file to storage media or a device in your air-gapped environment.

Step 3

Using a device with browser access to your air-gapped Catalyst Center cluster, import the file:

  1. On your Catalyst Center cluster, open the following URL in a browser: /dna/systemSettings/settings?settings-item=IntegrityVerficationSettings.

  2. Choose Import New from Local.

  3. Import the KGV file you downloaded in Step 1.