Cisco Security Agent

CSA Management Center V5.0 Installation and Migrate Configurations and Hosts from V4.x

Document ID: 71648

Updated: Dec 04, 2006

Introduction

This document provides instructions to install the Management Center for Cisco Security Agents (CSA MC). You create agent installation kits through CSA MC. The tools to create agent kits are installed as part of CSA MC.

CSA MC is a component of the CiscoWorks VPN/Security Management Solution (VMS). The CSA MC installation checks for the required version of VMS (in this case, VMS V2.3) and aborts the installation if the correct version is not found. Refer to CiscoWorks VPN/Security Management Solution Install and Upgrade Guides for information on all bundle features and their requirements.

The CSA deploys agents that defend against the proliferation of attacks across networks and systems in order to provide distributed security to your enterprise. These agents use a set of rules provided by the CSA MC and are selectively assigned to each client node on your network by the network administrator.

Note: Any system to which you install CSA MC or the Cisco Security Agent itself must not have the Cisco IDS Host Sensor Console or the Cisco IDS Host Sensor installed. If the CSA MC or the agent installer detects the presence of any Cisco IDS Host Sensor software on the system, the installation aborts. Because there can be incompatibilities between Cisco IDS Host Sensor software and CSA MC or agent software, you must uninstall the Cisco IDS Host Sensor and Cisco IDS Host Sensor Console software before you install CSA MC or agent software.

Note: When you upgrade or change operating systems, uninstall the agent first. When the new operating system is in place, you can install a new agent kit. Because the agent installation examines the operating system at install time and copies components accordingly, existing agent components might not be compatible with operating system changes.

Note: Before you install CSA MC, make sure that the system to which you plan to install the software has the correct and current time, date, and time zone settings. If these settings are not current, you encounter MC/agent certificate issues.

Prerequisites

Requirements

Refer to the Cisco Security Agent Release Notes for up-to-date information before you install CSA MC software. If you do not, this can result in the misconfiguration of your system. Make sure that your system is compatible with the Cisco product you install and that it has the appropriate software installed.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

CSA contains two components:

  • The CSA MC—Installs on a secured server and includes a web server, a configuration database, and a web-based user interface.

  • The Cisco Security Agent (the agent)—Installs on desktops and servers across your enterprise and enforces security policies on those systems.

Administrators use the web-based interface in order to configure security policies on the CSA MC. They distribute these policies to agents installed on end user systems and servers. Policies can allow or deny specific system actions. The agents check policies before allowing applications access to system resources.

The CSA MC user interface installs as part of the overall Cisco Security Agent solution installation and is managed from CiscoWorks 2000. All security policies are configured and distributed to agents through this web-based interface. The CSA MC also provides monitoring and reporting tools, which allow you to generate reports with varied views of your network enterprise health and status. The web-based user interface allows an administrator to access the CSA MC from any machine that runs a web browser.

Install V5.0 and Migrate Configurations and Hosts from V4.x

If you have earlier versions, such as 4.5.x or 4.0.x, of the product installed, the installation of CSA MC 5.0 does not upgrade those earlier versions. V5.0 co-exists with earlier product versions. Rather than perform a traditional upgrade from an early release to the new release, you install 5.0 and then use migration tools that are provided in order to migrate earlier configurations and hosts to your 5.0 MC. If you install 5.0 on the same system where 4.0 or 4.5 are installed, this migration is done automatically.

The installation and migration process to V5.0 is the same whether you upgrade from V4.5.x or from V4.0.x of the product. Therefore, earlier versions of the product in these migration instructions are referred to as 4.x in this document.

Note: The migration from versions of the product earlier than version 4.x to version 5.0 is not supported.

License Information

CSA MC and agents require a license obtained from Cisco in order to operate with full functionality. You can install and run both the MC and the agent without a license. If you do not have a valid license, CSA MC and all associated agents do not operate until you obtain a valid license.

The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, copy it to the system to which you install the CSA MC (or to a file share accessible from the CSA MC system). Then, you can copy the license to the CSA MC directory in one of these manners:

  • During installation—During the installation, you are prompted to copy the license into the CSA MC directory. If you choose Yes, you can browse to the license file on the system (or in an accessible file share), save it, and continue the installation. Or, you can choose No when prompted, and copy the license when the installation has completed and the system is rebooted.

    Note: If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.

  • After installation—After you install CSA MC, click Maintenance in the menu bar and choose License Information in order to copy the license to the CSA MC directory. The License Information window appears. You can click Browse in order to browse to the license file. Once the license file is located, click Upload in order to copy the file into the CSA MC directory.

Installation and Migration Overview

You have two options when you migrate from CSA MC 4.x to CSA MC 5.0:

  • Install V5.0 on the same machine as V4.x.

    Note: You cannot have three CSA MCs installed on the same system. If you already have both V4.0 and V4.5 installed on one system, you must uninstall one MC before you install V5.0 on that system.

  • Install V5.0 on a different machine with the knowledge that V4.x agents will eventually be migrated to the new V5.0 machine.

    Note: You should not uninstall V4.x until you have migrated all agents to V5.0. Once you install V5.0, you can still apply hotfixes to the earlier V4.x, but in a single-system installation you cannot install a 4.x version of the product once V5.0 is installed. If you do apply hotfixes to V4.x after you install V5.0, manually restart the CSA MC system so that both MCs run again.

When you install CSA MC V5.0, a new Security Agents V5.0 menu item appears in your CiscoWorks UI. If you install CSA MC V5.0 on the same machine as V4.x, your original Security Agents menu item remains in place and you continue to manage your existing V4.x configurations from there. The CSA MC V5.0 installation also creates a new directory structure. If you install CSA MC V5.0 on the same machine as V4.x, your original CSA MC directory structure remains in place and co-exists with the new V5.0 structure. Subsequent releases of CSA MC will continue to include the new version number in the directory structure. Refer to this table:

CSA MC Version    Menu Item               Directory Path
CSA MC V5.0       Security Agents V5.0    CSCOpx\CSAMC50
CSA MC V4.5       Security Agents V4.5    CSCOpx\CSAMC45
CSA MC V4.0       Security Agents         CSCOpx\CSAMC

Install Management Center for Cisco Security Agents

Migration instructions appear after the installation instructions. See the Migration Instructions section of this document.

Note: CSA MC is a component of the CiscoWorks VPN/Security Management Solution (VMS). You must have CiscoWorks Common Services installed on the system to which you install the CSA MC. Refer to CiscoWorks VPN/Security Management Solution Install and Upgrade Guides for more information.

Note: You must have local administrator privileges on the system in question to perform the installation. Once you have verified system requirements, you can begin the installation.

Installation Configuration Options

You have three installation configuration options to consider before you proceed with the CSA MC installation process:

  • You can install CSA MC and the database on the same machine. Choose Local Database during the CSA MC installation.

    For a local database configuration, you have the option to install CSA MC and the Microsoft SQL Server Desktop Engine (MSDE) that is provided with the product on the same system. Use this option if you plan to deploy no more than 500 agents. In this case, the CSA MC installation also installs its own version of MSDE on the system.

    For a local database configuration, you also have the option to install Microsoft SQL Server 2000 instead of the MSDE that is provided. MSDE has a 2 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system. This depends on the number of agents you deploy (refer to Scalable Deployments). If you use SQL Server 2000, it must be licensed separately and installed on the system before you begin the CSA MC installation.

    Also, if you plan to use SQL Server 2000, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.

  • You can install CSA MC on one machine and install the database on a remote machine. Choose Remote Database during the CSA MC installation. You must install a CSA on this remote database to protect this system. See the Install CSA MC with a Remote Database section of this document.

    Whether you use this configuration option depends on the number of agents you deploy (refer to Scalable Deployments). If you use a separately licensed, managed, and maintained SQL Server 2000 database, SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation.

    Note: If you install CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior can occur.

  • You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. Choose Remote Database during the CSA MC installation. You must install a CSA on this remote database to protect this system. See the Install CSA MC with a Remote Database section of this document.

    This is the recommended configuration if you deploy more than 5000 agents and use a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations.

    If you use this configuration, you can deploy up to 100,000 agents. Two CSA MCs allow you to use one MC for host registration and polling, and another MC to edit configurations.

    Note: If you install two CSA MCs with an MC that resides on the machine where the database is installed, choose Remote Database during the installation of both MCs. Even though one MC is local to the database, both MCs must be configured to communicate with the database as though it were remote in order for the two-MC configuration to work properly.

Install CSA MC with a Local Database

If you install both CSA MC and the database to the same machine, install MSDE (as part of the CSA MC installation) first, then install the CSA MC.

Before you begin, exit any other programs that run on the system where you plan to install the CSA MC.

Complete these steps in order to install the CSA MC:

  1. Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.

  2. Insert the VPN/Security Management Solution CD into the CD ROM drive.

  3. When the installation window that lists all available VMS products appears, check the Managing Cisco Security Agents—Servers and Desktops check box, then click Next to start the installation.

    The Welcome to the Installation Wizard for Management Center for Cisco Security Agents V5.0 window appears:

    csa-mc-install-1.gif

  4. Click Next on this welcome window.

    The install begins and prompts you to choose a database setup type.

  5. Keep the default selection of Local Database and click Next.

    csa-mc-install-2.gif

    If you install locally, the installation checks to see if you have MSDE installed. CSA MC uses MSDE for its local configuration database.

  6. If this software is not detected, you are prompted to install it.

    Note: For installations that exceed 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of the MSDE that is provided with the product. See the Installation Configuration Options section of this document for more information. If you use Microsoft SQL Server 2000, see the Microsoft SQL Server 2000 Local Installation Notes section of this document for more information.

    Note: On a system where CSA MC has not previously been installed, the setup program first installs MSDE. If the CSA MC installation detects any other database type attached to an existing installation of MSDE, or a version of MSDE or SQL Server 2000 that does not have at least Service Pack 3a, the installation aborts. This database configuration is not qualified.

  7. Click Yes.

    You proceed through the Microsoft SQL Server installation. This takes a few minutes.

  8. The first installation window prompts you to accept the default SQL Server install directory path.

    The default is selected by a search of the system disk for a location that provides the most space for the database. You can choose a different path.

    csa-mc-install-3.gif

    Note: When the Microsoft SQL Server installation finishes, you must begin the CSA MC installation again. You might have to restart the system before you begin the CSA MC installation.

  9. Begin the CSA MC installation again.

    This time the installation detects the Microsoft SQL Server software and proceeds.

    You are reminded that you must obtain a license key.

  10. If you already have a license key file on the system to which you install CSA MC, click Yes and browse to it on the system in order to copy it to the installation directory.

    You can also click No and copy it any time after the installation.

    Note: If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.

    csa-mc-install-4.gif

  11. Once you copy a valid license key to the system, you are prompted to select whether or not you want the system to automatically reboot once the installation is complete.

    It is required that you reboot the system after the installation is complete, whether you choose Yes to have it done automatically or you choose to manually reboot at the end.

    csa-mc-install-5.gif

  12. Click Install in order to begin the installation.

    The installation proceeds:

    csa-mc-install-6.gif

    The necessary files are copied:

    csa-mc-install-7.gif

    Once all the files are copied, the installation performs some preliminary system setup tasks:

    csa-mc-install-8.gif

    When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system.

    Note: If an agent is already installed on a system to which you install CSA MC, that agent is automatically upgraded by the CSA MC agent installation.

    When the MC and agent installs are complete, if you selected to have the system reboot automatically, the automatic reboot occurs within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time.

    Note: When you install CSA MC, the installation enables Secure Socket Layer (SSL) in CiscoWorks. When you access the CSA MC UI from CiscoWorks, you must have SSL enabled in CiscoWorks for CSA MC to allow the connection.

Microsoft SQL Server 2000 Local Installation Notes

The instructions in this section are intended for administrators that choose to install CSA MC and Microsoft SQL Server 2000 to the same system. These instructions are not for administrators that use CSA MC with a remote database. If you choose to use Microsoft SQL Server 2000 as a remote database, see the Install CSA MC with a Remote Database section of this document.

For local database installations that exceed 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of the MSDE that is provided with the product. MSDE has a 2 GB limit. SQL Server 2000 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.

In order for Microsoft SQL Server 2000 to function properly with CSA MC, you must select certain settings during the installation. Refer to your Microsoft SQL Server 2000 manual for more installation information.

Note: Do not change the default instance name of MSSQLSERVER for the SQL Server 2000 database. If you change this, the CSA MC installation does not detect the database.

When you install Microsoft SQL Server 2000, choose the default settings except in these instances:

  • In the Setup Type installation window, choose Typical. In the Destination Folder field, click the various Browse buttons in order to install SQL Server on the system.

  • In the Services Accounts installation window, choose Use the Same Account for Each Service. In the Service Settings field, choose Use a Domain User Account. In the edit fields, enter a username and password for the local administrator account.

  • In the Choose Licensing Mode installation window, choose Per Seat for and then increment the devices number field to a positive value—at least 1 or 2.

Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 3a. When you install the service pack, choose the default settings except in these instances:

  • When you install the service pack, in the Installation Folder window, you should choose a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.

  • In the SA Password Warning installation window, choose the Ignore the security threat warning and leave the password blank.

  • In the SQL Server 2000 Service Pack Setup installation window, choose the Upgrade Microsoft Search and check the SQL Server 2000 SP3a (required) check box.

Install CSA MC with a Remote Database

If you install one or two CSA MCs and the corresponding databases to different machines, you must first install and properly configure Microsoft SQL Server 2000 on the remote system in accordance with Microsoft instructions. Use any access control systems you already have in place on your network in order to restrict access to this database machine as much as possible.

It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then refer to Microsoft recommendations in order to secure communication between database servers and application servers.

In a distributed (multiple MC) environment, when you install, upgrade, or uninstall any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the software update on the other MC.

Note: It is important that the time on the database server system closely matches the time on the CSA MC system. Additionally, make sure both times are set correctly.

You must install a CSA on this remote database. This agent should be in these groups:

  • Servers-SQL Server 2000

  • Servers-all types

  • Systems-Mission Critical

  • Systems-Restricted Networking

Note: You must install this agent after the last CSA MC has been installed and rebooted.

Microsoft SQL Server 2000 Remote Setup

This section provides information to set up the Microsoft SQL Server 2000 database to work correctly with CSA MC. Refer to your Microsoft documentation for more SQL Server configuration information.

In order to enter the requested remote database information during the CSA MC installation, you must complete these steps in order to set up the SQL Server database system: (These steps can be performed by your database administrators.)

  1. Create an empty database.

  2. You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database. This includes db_ddladmin, db_datareader, and db_datawriter. The login ID and user ID must be identical. (db_owner privileges are not required.)

  3. Make sure the default language is set to English. Do not change the language default after CSA MC is installed.

  4. Make sure that the database is configured to accept SQL Server authentication.

  5. You also need to create a file group for the analysis database, and it must have at least one file attached.

Complete this procedure as a guideline:

  1. Right-click your SQL Server. Choose Security and set Authentication to SQL Server and Windows. Then, click OK.

  2. Stop and start the SQL server.

  3. Create the new database, CSAMC50.

  4. Inside the DB properties, click Data Files.

  5. Enter csamcanalysis in the File Name box, and enter ANALYSIS in the Filegroup field. Then click OK.

  6. Expand the Security node (+) and right-click Logins.

  7. Create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc50 database.

    Note: Do not click anything under server roles.

  8. In the database access section, permit access to csamc50 and give the role of db_ddladmin. Click OK.

  9. Restart the server.

    Once this is configured, you can begin the CSA MC installation.
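The database-side requirements listed above, written as a T-SQL script for SQL Server 2000 Query Analyzer. This is an added example, not a script from Cisco or from the original document; the login name csamc_app, the password placeholder, and the data-file path are assumptions. It grants the three roles named in the requirements list and no server role or db_owner membership, then checks the result.

```sql
-- Added example (not Cisco's script). Run as a SQL Server administrator.
-- From the page: database CSAMC50, file csamcanalysis, filegroup ANALYSIS,
-- roles db_ddladmin / db_datareader / db_datawriter.
-- Assumed here: login name csamc_app, the password placeholder, the file path.

-- 1. Empty database, plus the ANALYSIS filegroup with one file attached.
CREATE DATABASE CSAMC50
GO
ALTER DATABASE CSAMC50 ADD FILEGROUP ANALYSIS
GO
ALTER DATABASE CSAMC50
ADD FILE (
    NAME = csamcanalysis,
    FILENAME = 'D:\MSSQL\Data\csamcanalysis.ndf'  -- assumed path; adjust to your data drive
)
TO FILEGROUP ANALYSIS
GO

-- 2. SQL Server authentication login. Default database is CSAMC50 and the
--    default language is English. No server role is assigned.
EXEC sp_addlogin
    @loginame    = 'csamc_app',                     -- assumed name
    @passwd      = '<strong-password-placeholder>', -- replace before running
    @defdb       = 'CSAMC50',
    @deflanguage = 'us_english'
GO

-- 3. Database user with the same name as the login (the page requires the
--    login ID and user ID to be identical), limited to the three roles the
--    page lists. db_owner is deliberately not granted.
USE CSAMC50
GO
EXEC sp_grantdbaccess @loginame = 'csamc_app', @name_in_db = 'csamc_app'
EXEC sp_addrolemember 'db_ddladmin',   'csamc_app'
EXEC sp_addrolemember 'db_datareader', 'csamc_app'
EXEC sp_addrolemember 'db_datawriter', 'csamc_app'
GO

-- 4. Checks to run before starting the CSA MC installer.

-- Authentication mode: 1 means Windows authentication only, 0 means
-- SQL Server and Windows. The CSA MC login needs the second mode, which is
-- set in the server's Security properties and takes effect after a restart.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only

-- Server-level privilege: 1 would mean the login is a sysadmin, which the
-- page's "do not click anything under server roles" note rules out.
SELECT IS_SRVROLEMEMBER('sysadmin', 'csamc_app') AS is_sysadmin

-- Role memberships and login mapping of the database user (one row per role).
EXEC sp_helpuser 'csamc_app'

-- Files attached to the ANALYSIS filegroup (at least one is required).
EXEC sp_helpfilegroup 'ANALYSIS'
GO
```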

Before you begin, exit any other programs that run on the system where you are installing the CSA MC.

Complete these steps in order to install the CSA MC:

  1. Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.

  2. Insert the VPN/Security Management Solution CD into the CD ROM drive.

    The installation window that lists all available VMS products appears.

  3. Check the Managing Cisco Security Agents—Servers and Desktops check box, and click Next to start the installation.

    The install begins and prompts you to choose a database setup type.

  4. Choose Remote Database and click Next.

    When you choose Remote Database, you are prompted to enter this information for the remote SQL Server database:

    • Name of the server

    • Name of the database

    • Login ID (username)

    • Password

    csa-mc-install-9.gif

  5. Once you enter the database information, click Next.

    The installation attempts to locate the database and verify that it is configured appropriately. If the database is not set up correctly, you are prompted with this information and the installation does not continue. Otherwise, the installation proceeds.

    You are then reminded that you must obtain a license key.

  6. If you already have a license key file on the system to which you are installing the CSA MC, you can click Yes and browse to it on the system in order to copy it to the installation directory.

    You can also click No and copy it any time after the installation.

    Note: If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.

    csa-mc-install-10.gif

    Once you copy a valid license key to the system, you are prompted to select whether or not you want the system to automatically reboot once the installation is complete. It is recommended that you reboot the system after the installation is complete, whether you choose Yes to have it done automatically or you choose to manually reboot at the end.

    csa-mc-install-11.gif

    Then, you are prompted to begin the installation. The install proceeds and copies the necessary files to your system:

    csa-mc-install-12.gif

    The files are copied:

    csa-mc-install-13.gif

    Once all the files are copied, the installation performs some preliminary system setup tasks.

    Note: When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you.

    When the MC and agent installs are complete, if you selected to have the system reboot automatically, the automatic reboot occurs within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time.

Notes to Install Two CSA MCs on Two Separate Machines

If you use one remote database to install two CSA MCs, repeat the steps in this section, and enter the same remote database information for the second MC.

When you install two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.

In a distributed MC environment, when you install, upgrade, or uninstall any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the other MC.

Installation Log

The installation of CSA MC produces a log file. This log file, called CSAMC-Install.log, is located in the CSCOpx\CSAMC50\log directory. The log file provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file provides information on what task failed during the install.

Note: The installation of the agent produces a similar file called CSAgent-Install.log which is located in the Cisco Systems\CSAgent\log directory on agent host systems.

Access Management Center for Cisco Security Agents

When the installation has completed and you have rebooted the system, a Security Agent category becomes available in the left pane of the CiscoWorks UI. Cisco Security Agent management windows are accessible from the CiscoWorks VPN/Security Management Solution drawer. Security Agents (the category by which you access the CSA MC UI) are located in the Management Center and Administration>Management Center folders.

Refer to the CiscoWorks Common Services manual for CiscoWorks installation instructions and login information.

Local Access

Complete these steps in order to access the CSA MC locally on the system that hosts CSA MC and CiscoWorks software:

  1. From the Start menu, go to Programs>CiscoWorks>CiscoWorks in order to open the CiscoWorks 2000 management UI.

  2. Log in to CiscoWorks. Open the VPN/Security Management Solution drawer in order to access CSA MC.

    The Security Agents 5.0 item is located in the Management Center and Administration>Management Center folders.

    See the Initiate Secure Communications section of this document if you cannot connect to CSA MC.

Remote Access

Complete these steps in order to access the CSA MC from a remote location:

Launch a browser application on the remote host and enter http://<ciscoworks system hostname>:1741 in the Address or Location field (depending on the browser you use) in order to access the Login view.

For example, enter http://stormcenter:1741.

In this example, the CiscoWorks and CSA MC are installed on a host system with the name stormcenter:

csa-mc-install-14.gif

Migration Instructions

This section contains information to migrate to CSA MC V5.0 from a previous version installed on the same system as CSA MC V5.0, and for a previous version installed on a separate machine. Both scenarios are discussed in this section.

Note: If you install 5.0 on the same system where you have 4.0 or 4.5 installed, the majority of this migration is done automatically.

The installation and migration process to V5.0 is the same whether you upgrade from V4.5 or from V4.0.x of the product. Therefore, earlier versions of the product in these migration instructions are referred to as 4.x.

If you intend to migrate 4.x Solaris agents, see the Solaris and Linux Agent Migration section before you start your upgrade.

Complete these steps in order to migrate to V5.0:

  1. Install the Management Center for Cisco Security Agents V5.0.

    • If you install CSA MC V5.0 on the same machine that runs CSA MC V4.x, the installation automatically generates an xml file that contains the V4.x configuration items and several .dat files that contain host information. These files are ready for import once the install is complete.

    • If you install CSA MC V5.0 on a different machine from the system that runs V4.x, you must copy and manually run an executable file on the V4.x machine in order to create the xml and dat files needed to import V4.x configuration and host information to V5.0. This is performed after you install V5.0.

    If you have installed V5.0 on the same machine as V4.x, you can skip to the end of step 6.

  2. Otherwise, once you have installed CSA MC V5.0 and rebooted the system, navigate to the CSCOpx\CSAMC50\migration directory. Copy the appropriate file, which is named prepare_45_migration.exe or prepare_40_migration.exe, to your V4.x system.

    The file name depends on the version you migrate from. You can copy it to any place on the system.

  3. On your CSA MC V4.x, disable agent security and run the prepare_<version>_migration.exe file that you copied from the V5.0 system.

    You must disable security in order to run the executable file and create the import xml data. This launches a command prompt which displays the progress of the migration.

  4. When the prepare_<version>_migration.exe file is finished, on the V4.x system, navigate to the CSCOpx\CSAMC45\bin or CSCOpx\CSAMC\bin directory and locate several newly created files.

    The directory name depends on the version you migrate from. Your configuration data is now in a file named migration_data_export.xml. Your host data (hosts and distinct host groupings) is now in several files named migration_host_data<number>.dat; the number of files depends on how many distinct host groupings existed.

    The data in these files allows you to import your existing policy configurations and your current host groupings. This preserves the policy tuning and host group configurations for your new V5.0 installation.

  5. Copy the migration_data_export.xml and all the migration_host_data<number>.dat files from the V4.x system to your V5.0 system.

    These files must exist together in the same directory on the V5.0 system, although the directory name and location do not matter.

  6. Then from the V5.0 system, run the webmgr import utility from a command prompt to pull the data into the new MC.

    You cannot use the CSA MC UI Import utility to do this. This utility does not allow you to import the .dat files that are associated with the .xml file as one group.

  7. From a command prompt window on the V5.0 system, cd to the CSCOpx\CSAMC50\bin directory and run this:

    %system%CSCOpx\CSAMC50\bin>webmgr import %path_to_xml_file%\migration_data_export.xml

    Because the host .dat files are associated with the .xml file, this command imports both the configuration and host data with the migration_data_export.xml file.

  8. You must generate rules once the import is complete.

    If you do not generate rules at this point, you cannot upgrade agent host software as described in the next section.

    Note: CSA MC V5.0 ships with policies that contain new V5.0 functionality. This new functionality does not match all V4.x configurations. CSA MC configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators. When you import your V4.x configuration, new V5.0 items are not overwritten. You will likely have items from both versions in your CSA MC V5.0. If the import process finds that two items have the exact same contents and the only difference is the V5.0 appended name field, the old V4.x item is not imported and the newer V5.0 item is used in its place.

  9. Schedule V5.0 software updates for V4.x agents in order to upgrade migrated V4.x agents to V5.0. You schedule this upgrade from the CSA MC V4.x system. When you ran the prepare_<version>_migration.exe file, it placed a V5.0 software update on the V4.x machine.

    Once V4.x agents receive the scheduled software update, they point to and register with the new CSA MC V5.0. The update contains the appropriate new certificates to allow this to occur. Once hosts register with V5.0, they are associated with the correct groups based on the host migration that you performed earlier.

    Note: Agent kits are configuration items that do not migrate to the new version. Because host migration does not relate to agent kits, early agent kits are not considered to be necessary migration items.

    Note: Also, configuration items that are not used or not attached to anything do not migrate to the new version.

    Note: When you upgrade 4.x agents to software version 5.0, the upgrade program disables the system network interfaces to ensure a secure upgrade process. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled. The secure upgrades are not supported for Windows NT systems.

    Once you have migrated all earlier agents to the newer version, you can uninstall the early version of CSA MC. See the Uninstall Management Center for Cisco Security Agents section.
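
A pre-import check for steps 5 through 7, as an added example that is not part of the Cisco procedure or tooling: it confirms that migration_data_export.xml and the migration_host_data<number>.dat files sit together in one directory and match the copies taken from the V4.x system. The function names, the SHA-256 manifest, and the expectation of at least one .dat file are assumptions of this example, and the sample file contents are constructed.

```python
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XML_NAME = "migration_data_export.xml"  # file name given in the procedure
DAT_RE = re.compile(r"migration_host_data\d+\.dat")  # migration_host_data<number>.dat

def build_manifest(directory):
    """Map each migration file name in `directory` to its SHA-256 digest."""
    manifest = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and (p.name == XML_NAME or DAT_RE.fullmatch(p.name)):
            manifest[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest

def check_staging(directory, source_manifest=None):
    """Return a list of problems; an empty list means the set is ready to import."""
    problems = []
    staged = build_manifest(directory)
    if XML_NAME not in staged:
        problems.append(f"{XML_NAME} is missing")
    else:
        try:  # a truncated copy fails to parse
            ET.parse(Path(directory) / XML_NAME)
        except ET.ParseError as exc:
            problems.append(f"{XML_NAME} is not well-formed XML: {exc}")
    # Assumption of this example: an export with hosts yields at least one .dat file.
    if not any(DAT_RE.fullmatch(name) for name in staged):
        problems.append("no migration_host_data<number>.dat file found")
    # Compare against the manifest built on the V4.x system, when one is supplied.
    for name, digest in (source_manifest or {}).items():
        if name not in staged:
            problems.append(f"{name} was exported on V4.x but is not staged")
        elif staged[name] != digest:
            problems.append(f"{name} differs from the V4.x copy")
    return problems

def demo():
    """Constructed sample: an export set copied with one .dat file left behind."""
    files = {XML_NAME: b"<export><item/></export>",  # placeholder, not the real schema
             "migration_host_data1.dat": b"constructed-1",
             "migration_host_data2.dat": b"constructed-2"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in files.items():
            (Path(src) / name).write_bytes(data)
            if name != "migration_host_data2.dat":
                (Path(dst) / name).write_bytes(data)
        return check_staging(dst, build_manifest(src))

if __name__ == "__main__":
    print(demo())
```

Build the manifest on the V4.x system before copying, carry it with the files, and run the check on the V5.0 system before you run webmgr import.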

Solaris and Linux Agent Migration

Note: Solaris agent versions 4.0.3.736 and any 4.5 or 4.5.1 can be upgraded to version 5.0. Earlier Solaris agents cannot be upgraded.

Note: Only Linux agent version 4.5.1.638 and later can be upgraded to version 5.0. Earlier Linux agents cannot be upgraded.

The Solaris host migration process is a bit different than the Windows and Linux migration.

Once the software update is scheduled, access the csactl command line tool on the Solaris systems and enter the software update command in order to manually launch the Solaris software upgrades. When the update is complete, network connectivity is disabled and remains disabled until the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system reboots when the update completes.

Upgrade Note

Newer versions of policies are not automatically attached to the auto-enrollment groups during the upgrade. If you want to update the mandatory policies, you can use the CSA MC Compare tool to synchronize the auto-enrollment groups that exist with the new updated auto-enrollment groups added by the upgrade.

Initiate Secure Communications

CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels regardless of the location of the CSA MC host system.

During installation, CSA MC generates private and public keys to be used for secure communications between any system that accesses the CSA MC user interface and the CSA MC.

When your browser connects to the server, the browser receives the certificate of the server. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database. Then, you are not prompted to accept the certificate each time you log in.

Internet Explorer: Import the Root Certificate

Complete these steps:

  1. Import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and choose Import Root Certificate.

  2. Choose Open this file from its current location, then click OK.

    The certificate information box appears. It contains information on the system the certificate is issued to and displays expiration dates.

  3. Click Install Certificate in order to start the Certificate Manager Import Wizard.

    The first Certificate Manager Import window contains an overview of certificate information.

  4. Click Next to continue.

  5. From the Select a Certificate Store window, choose Automatically select the certificate store based on the type of certificate. Then, click Next.

    You have now imported your certificate for the server.

  6. Click Finish to continue.

  7. Now, you must save the certificate. Click Yes in the Root Certificate Store box.

    You are prompted with a confirmation box that informs you that your certificate was created successfully. The View Certificate box remains on the window.

  8. Because your certificate has been generated, click Yes.

    Note: You must perform this certificate import process the first time you log in to CSA MC from any remote machine.

    Once the certificate import is complete, you can access the login page directly for all management sessions.

  9. Enter http://<ciscoworks system hostname>:1741 in order to access the login page remotely.

    For example, enter http://stormcenter:1741.

    Note: If you have not obtained a valid license from Cisco, when you login to CSA MC, you receive a warning that informs you that your license is not valid. See the Licensing Information section for further information.

Netscape: Import the Root Certificate

Complete these steps:

  1. Import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and click Import Root Certificate.

  2. In the Downloading Certificate window, check the Trust this CA to identify web sites check box.

  3. Click OK in order to import the certificate.

    Note: You should perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page without further certificate prompts.

Uninstall Management Center for Cisco Security Agents

Complete this procedure in order to uninstall the CSA MC software:

  1. From the Start>Settings>Control Panel, access the Add/Remove Programs window. Locate the CiscoWorks item and click Change/Remove.

  2. From the window that appears, choose the appropriate checkbox in order to remove the Management Center for Cisco Security Agents program item and click Uninstall.

    This also removes the CSA.

    Note: The uninstallation of CSA MC does not uninstall the MSDE (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you completely remove the product from your system.

    Note: If you upgrade to a new version of CSA MC or reinstall the product on the same system, and you want to preserve your current configuration, choose Backup the Database during the uninstall when you are prompted. If you do not back up the database, the uninstall removes all program files and configurations. This only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.

Copy Cisco Trust Agent Installer Files

Cisco Trust Agent (CTA) is an optional application you can install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives.

If you intend to distribute CTA through an agent kit, copy your CTA installer files to the system that runs CSA MC.

Complete these steps in order to copy the CTA installer files:

  1. Obtain the desired CTA installer files from Cisco Systems.

    Note: It is the responsibility of the user to verify that they have obtained the correct CTA installer files.

  2. Copy the CTA installer files to the %Program Files%\CSCOpx\CSAMC50\bin\webserver\htdocs\cta_kits directory.

    The default CSA policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action.

  3. Choose Yes and click Apply.

    Repeat this step for every file you copy into this directory.

    Refer to the Agent Kits section of the User Guide for information on how to install the CTA files you have just copied.
