Install and Upgrade the Cisco Secure Dynamic Attributes Connector

This chapter discusses how to install and upgrade the Cisco Secure Dynamic Attributes Connector on all supported operating systems.

Supported Operating Systems and Third-Party Software

The dynamic attributes connector requires the following:

  • Ubuntu 18.04 to 22.04.2

  • CentOS 7 Linux

  • Red Hat Enterprise Linux (RHEL) 7 or 8

  • Python 3.6.x or later

  • Ansible 2.9 or later

Minimum requirements for all operating systems:

  • 4 CPUs

  • 8GB RAM

  • For new installations, 100GB available disk space

If you wish to use vCenter attributes, we also require:

  • vCenter 6.7

  • VMware Tools must be installed on the virtual machine

Virtual machine sizing

We recommend you size your virtual machines as follows:

  • 50 connectors, assuming 5 filters per connector and 20,000 workloads: 4 CPUs; 8GB RAM; 100GB available disk space

  • 125 connectors, assuming 5 filters per connector and 50,000 workloads: 8 CPUs; 16GB RAM; 100GB available disk space


Note


Failure to size your virtual machines properly can cause the dynamic attributes connector to fail or not to start.


Install Prerequisite Software

Before you begin

Make sure you have a physical or virtual machine set up and that the system can communicate with your On-Prem Firewall Management Center or Cloud-delivered Firewall Management Center.

Procedure


Step 1

(Optional.) Use a text editor to edit /etc/environment to export the following variables to enable communication with the internet if your Ubuntu machine is behind an internet proxy.

Variables and values:

  • export http_proxy

    Use with an HTTP proxy. Value: user:pass@host-or-ip:port

  • export https_proxy

    Use this with an HTTPS proxy. Value: user:pass@host-or-ip:port

  • export no_proxy

    Remove the proxy configuration. Value: export no_proxy="localhost,127.0.0.1"

Examples:

HTTP proxy without authentication:

vi /etc/environment
export http_proxy="myproxy.example.com:8181"

HTTPS proxy with authentication:

vi /etc/environment
export https_proxy="ben.smith:bens-password@myproxy.example.com:8181"

Step 2

Use a different command window to confirm the settings:

env | grep proxy
Example result:
http_proxy=myproxy.example.com:8181

Step 3

Continue with one of the following sections.
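
Added example, not part of the Cisco procedure: /etc/environment is normally readable by every local user, and the Step 2 command prints any user:pass value in clear text. The script below confirms the proxy settings with the password masked and flags a credentialed file that is world-readable; the function names are hypothetical and the sample file is constructed from the examples above.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation); function names are hypothetical.

# redact_proxy: filter VAR=value lines on stdin down to the proxy variables
# and mask any password, so settings can be confirmed without echoing it.
redact_proxy() {
    grep -i -E '^(export[[:space:]]+)?(https?|no)_proxy=' |
        sed -E 's#(="?([A-Za-z]+://)?[^:/@"]+):.*@#\1:****@#'
}

# has_proxy_password FILE: true when a proxy line embeds user:pass@.
has_proxy_password() {
    redact_proxy < "$1" | grep -q ':\*\*\*\*@'
}

# world_readable FILE: true when the "other" read permission bit is set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# audit_env_file FILE: returns 1 when a proxy password sits in a file
# that any local user can read.
audit_env_file() {
    if has_proxy_password "$1" && world_readable "$1"; then
        echo "WARN  $1 holds a proxy password and is world-readable"
        return 1
    fi
    echo "OK    $1"
}

# Constructed sample mirroring the examples above; point the two calls at
# /etc/environment on a real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
export http_proxy="myproxy.example.com:8181"
export https_proxy="ben.smith:bens-password@myproxy.example.com:8181"
export no_proxy="localhost,127.0.0.1"
EOF
chmod 644 "$sample"
redact_proxy < "$sample"
audit_env_file "$sample" || true
```

To check the live session instead of the file, pipe the environment through the same filter: env | redact_proxy.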


Install Prerequisite Software—CentOS

Before you begin

Do all of the following:

Procedure


Step 1

Make sure Docker is not installed and uninstall it if it is.

docker --version

If Docker is installed, uninstall it as discussed in Uninstall Docker Engine on Ubuntu.

Step 2

Update and upgrade your repositories.

CentOS 7:

sudo yum -y update && sudo yum -y upgrade

Step 3

Install the epel repository.

CentOS 7:

sudo yum -y install epel-release

Step 4

(CentOS 7 only.) Install Python 3.

sudo yum install -y python3 libselinux-python3

Step 5

Install Ansible.

CentOS 7:

sudo yum install -y ansible

Step 6

Verify the Ansible version is 2.9 or later.

CentOS 7:

ansible --version
  ansible 2.9.24
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/admin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr  2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Note

It's normal for Ansible to reference Python 2.x as the preceding output shows. The connector will still use Python 3.


What to do next

Install the connector as discussed in Install the Cisco Secure Dynamic Attributes Connector.

To optionally stop using a proxy with the dynamic attributes connector, edit /etc/environment and remove the proxy configuration.

Install Prerequisite Software—RHEL

Before you begin

Do all of the following:

Procedure


Step 1

Make sure Docker is not installed and uninstall it if it is.

docker --version

If Docker is installed, uninstall it as discussed in Uninstall Docker Engine on Ubuntu.

Step 2

Update your repositories.

RHEL 7:
sudo yum -y update && sudo yum -y upgrade
RHEL 8:
sudo dnf -y update && sudo dnf -y upgrade

Step 3

Install the epel repository.

RHEL 7:
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
RHEL 8:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Step 4

(RHEL 7 only.) Install Python 3.

sudo yum install -y python3 libselinux-python3 

Step 5

Install Ansible.

RHEL 7:
sudo yum -y install ansible
RHEL 8:
sudo dnf install -y ansible

Step 6

Verify the Ansible version.

ansible --version
An example follows.

RHEL 7:

ansible 2.9.24
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/stevej/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Mar 20 2020, 17:08:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Note

It's normal for Ansible to reference Python 2.x as the preceding output shows. The connector will still use Python 3.

RHEL 8:
ansible 2.9.24
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/stevej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Mar 18 2021, 08:58:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]

What to do next

Install the connector as discussed in Install the Cisco Secure Dynamic Attributes Connector.

To optionally stop using a proxy with the dynamic attributes connector, edit /etc/environment and remove the proxy configuration.

Install Prerequisite Software—Ubuntu

This task discusses how to install prerequisite software on Ubuntu.

Procedure


Step 1

Make sure Docker is not installed and uninstall it if it is.

docker --version

If Docker is installed, uninstall it as discussed in Uninstall Docker Engine on Ubuntu.

Step 2

Update your repositories.

sudo apt -y update && sudo apt -y upgrade

Step 3

Confirm your Python version.

/usr/bin/python3 --version
If the version is earlier than 3.6, you must install version 3.6 or later.

Step 4

Install Python 3.6.

sudo apt -y install python3.6

Step 5

Install the common libraries.

sudo apt -y install software-properties-common

Step 6

Install Ansible.

sudo apt-add-repository -y -u ppa:ansible/ansible && sudo apt -y install ansible

Step 7

Verify the Ansible version.

ansible --version
An example follows.
ansible --version
ansible 2.9.19
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/admin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.17 (default, Feb 27 2021, 15:10:58) [GCC 7.5.0]

Note

It's normal for Ansible to reference Python 2.x as the preceding output shows. The connector will still use Python 3.6.


What to do next

Install the connector as discussed in Install the Cisco Secure Dynamic Attributes Connector.

To optionally stop using a proxy with the dynamic attributes connector, edit /etc/environment and remove the proxy configuration.

Install the Cisco Secure Dynamic Attributes Connector

About the installation

This topic discusses installing the Cisco Secure Dynamic Attributes Connector. You must install the connector as a user with sudo privileges but you can run the connector as a non-privileged user.

Before you begin

Make sure your system has the following prerequisite software:

  • Ubuntu 18.04 to 22.04.2

  • CentOS 7 Linux

  • Red Hat Enterprise Linux (RHEL) 7 or 8

  • Python 3.6.x or later

  • Ansible 2.9 or later

Minimum requirements for all operating systems:

  • 4 CPUs

  • 8GB RAM

  • For new installations, 100GB available disk space

We recommend you size your virtual machines as follows:

  • 50 connectors, assuming 5 filters per connector and 20,000 workloads: 4 CPUs; 8GB RAM; 100GB available disk space

  • 125 connectors, assuming 5 filters per connector and 50,000 workloads: 8 CPUs; 16GB RAM; 100GB available disk space


Note


Failure to size your virtual machines properly can cause the dynamic attributes connector to fail or not to start.


If you wish to use vCenter attributes, we also require:

  • vCenter 6.7

  • VMware Tools must be installed on the virtual machine

To install prerequisite software, see Install Prerequisite Software.
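
Added example, not part of the Cisco collection: a preflight script for a new installation that checks the requirements listed above before the playbook is run. The function names are hypothetical; it assumes GB means 10^9 bytes and measures free space on the filesystem that holds $HOME.

```shell
#!/bin/sh
# Added example: preflight for the requirements listed above.
# Assumptions: GB is read as 10^9 bytes, and free space is measured on the
# filesystem holding $HOME (the page places the connector under ~/csdac).

# version_ge A B: true when dotted version A >= B, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints the version from line 1 of `ansible --version` output on stdin.
# Accepts "ansible 2.9.24" and the newer "ansible [core 2.12.1]" banner.
ansible_version_from() {
    sed -n '1s/^ansible[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# check LABEL COMMAND: prints PASS or FAIL and counts failures.
check() {
    if "$2" >/dev/null 2>&1; then echo "PASS  $1"
    else echo "FAIL  $1"; failures=$((failures + 1)); fi
}

docker_absent() { ! command -v docker; }
python_ok()  { version_ge "$(/usr/bin/python3 --version 2>&1 | awk '{print $2}')" 3.6; }
ansible_ok() { version_ge "$(ansible --version 2>/dev/null | ansible_version_from)" 2.9; }
cpus_ok()    { [ "$(nproc)" -ge 4 ]; }
ram_ok()     { [ "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" -ge 7812500 ]; }
disk_ok()    { [ "$(df -Pk "${HOME:-/}" | awk 'NR==2 {print $4}')" -ge 97656250 ]; }

preflight() {
    failures=0
    check "Docker not already installed" docker_absent
    check "Python 3.6 or later"          python_ok
    check "Ansible 2.9 or later"         ansible_ok
    check "At least 4 CPUs"              cpus_ok
    check "At least 8GB RAM"             ram_ok
    check "100GB available disk space"   disk_ok
    return "$failures"
}

preflight || echo "Resolve the FAIL lines before running the playbook."
```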

View the Readme and Release Notes

For the latest installation information, see the following:

Readme: https://galaxy.ansible.com/cisco/csdac

Release Notes: Cisco Secure Dynamic Attributes Connector Release Notes

Get the Dynamic Attributes Connector software

To get the latest version of the dynamic attributes connector software, run the following command:

ansible-galaxy collection install cisco.csdac

Install the muster service

The muster service is another name for the dynamic attributes connector.

Run the following command from the ~/.ansible/collections/ansible_collections/cisco/csdac directory.

ansible-playbook default_playbook.yml [--ask-become-pass] [--extra-vars "vars"]

Syntax Description

--ask-become-pass

Prompts you to enter the sudo password. Required if sudo is enabled on your machine.

--extra-vars

The following optional extra variables enable the dynamic attributes connector to use a proxy. The value you use must match the value in /etc/environment, which you configured as discussed in Install Prerequisite Software.

  • csdac_proxy_enabled=true

  • csdac_http_proxy_url=http://PROXY_URL

  • csdac_https_proxy_url=PROXY_URL

The following optional extra variables create a self-signed certificate you can use to securely connect to the dynamic attributes connector. If you omit these parameters, the dynamic attributes connector uses a default certificate.

  • csdac_certificate_domain

    Domain name for the autogenerated certificate. The default value is the hostname of the host as autodetected by Ansible.

  • csdac_certificate_country_name

    Two-letter country code. (Default is US)

  • csdac_certificate_organization_name

    Organization name. (Default is Cisco)

  • csdac_certificate_organization_unit_name

    Organizational unit name. (Default is Cisco)

Example installation with a default certificate

For example, to install the software with default options:

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass 

Example installation with optional certificate

For example, to install the software with an optional certificate:

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass --extra-vars "csdac_certificate_domain=domain.example.com csdac_certificate_country_name=US csdac_certificate_organization_name=Cisco csdac_certificate_organization_unit_name=Engineering"

After you create the certificate, import it into the web browser you'll use to access the connector. The certificate is created in the ~/csdac/app/config/certs directory.

View the installation log

The installation log is located as follows:

~/.ansible/collections/ansible_collections/cisco/csdac/logs/csdac.log

Use your certificate to connect to the dynamic attributes connector

If you have a certificate and key, put them in the ~/csdac/app/config/certs directory on your virtual machine.

After you perform the preceding task, restart the dynamic attributes connector's Docker container by entering the following command:
docker restart muster-ui

Log in to the connector

  1. Access the dynamic attributes connector at https://ip-address

  2. Log in.

    The initial login is username admin, password admin. You are required to change the password the first time you log in.

Upgrade the Cisco Secure Dynamic Attributes Connector

This topic discusses how to upgrade from any earlier Cisco Secure Dynamic Attributes Connector to the current version. These tasks can be performed regardless of Cisco Secure Dynamic Attributes Connector version or operating system.

Procedure


Step 1

Log in to the machine you want to upgrade.

Step 2

Enter the following commands:

cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-galaxy collection install cisco.csdac --force
ansible-playbook default_playbook.yml --ask-become-pass [--extra-vars vars]

Syntax Description

--ask-become-pass

Prompts you to enter the sudo password. Required if sudo is enabled on your machine.

--extra-vars

The following optional extra variables enable the dynamic attributes connector to use a proxy. The value you use must match the value in /etc/environment, which you configured as discussed in Install Prerequisite Software.

  • csdac_proxy_enabled=true

  • csdac_http_proxy_url=http://PROXY_URL

  • csdac_https_proxy_url=PROXY_URL

The following optional extra variables create a self-signed certificate you can use to securely connect to the dynamic attributes connector. If you omit these parameters, the dynamic attributes connector uses a default certificate.

  • csdac_certificate_domain

    Domain name for the autogenerated certificate. The default value is the hostname of the host as autodetected by Ansible.

  • csdac_certificate_country_name

    Two-letter country code. (Default is US)

  • csdac_certificate_organization_name

    Organization name. (Default is Cisco)

  • csdac_certificate_organization_unit_name

    Organizational unit name. (Default is Cisco)

Step 3

Wait for the upgrade to complete.

Step 4

Upgrade logs are available in the following location:

~/.ansible/collections/ansible_collections/cisco/csdac/logs/csdac.log

What to do next

See Create a Connector.