Installing the Management Center for Cisco Security Agents
Overview
This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed.
It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC.
This section contains the following topics.
• Licensing Information
• Upgrading from Version 4.0.x to 4.5.x
• Upgrade Instructions
• Solaris Agent Migration
• Upgrading from CSA Version 4.5 to 4.5.1
• Piloting the Upgrade of CSA from Version 4.5 to 4.5.1
• Installing Management Center for Cisco Security Agents
• Installing CSA MC with a Local Database
• Microsoft SQL Server 2000 Local Installation Notes
• Installing CSA MC with a Remote Database
• Installation Log
• Accessing Management Center for Cisco Security Agents
• Initiating Secure Communications
• Uninstalling Management Center for Cisco Security Agents
• Copying Cisco Trust Agent Installer Files
Licensing Information
CSA MC and agents require a license obtained from Cisco in order to operate with full functionality. You can install and run both the MC and the agent without a license. If you do not have a valid license, CSA MC and all associated agents will not operate until you obtain a valid license.
The information contained in your license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can copy the license to the CSA MC directory in one of the following manners:
During installation
During the installation, you are prompted to copy the license into the CSA MC directory. If you choose Yes, you can browse to the license file on the system (or in an accessible file share), save it, and continue the installation. Or you can choose No when prompted and copy the license when the installation has completed and the system is rebooted.
Note
If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.
After installation
After installing CSA MC, to copy the license to the CSA MC directory, click Maintenance in the menu bar and select License Information. The License Information screen appears. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory.
Upgrading from Version 4.0.x to 4.5.x
Upgrading from versions of the product earlier than version 4.0.x to version 4.5.x is not supported. (If you are trying to upgrade from version 4.5 to version 4.5.1, see Upgrading from CSA Version 4.5 to 4.5.1.)
You have two options when upgrading from CSA MC 4.0.x to CSA MC 4.5.x.
• Install V4.5.x on the same machine as V4.0.x.
Caution 
Both CSA MC 4.0.x and CSA MC 4.5.x will co-exist on the same system after upgrading. Therefore you should note that if you select this first option, you cannot apply any upgrades that may be released to the V4.0.x CSA MC once V4.5.x is installed. Additionally, after upgrading to the same machine, Profiler will no longer work with the V4.0.x CSA MC and agents.
Also note the following about this first upgrade option: You CANNOT select the Remote Database option if you upgrade on the same machine. (If you are planning to increase your number of deployed agents, it is highly recommended that you install CSA MC V4.5.x to a fresh machine and use a remote database.)
• Install V4.5.x on a different machine with the knowledge that V4.0.x agents will eventually be migrated to the new V4.5.x machine.
The CSA MC V4.5.x installation does not automatically upgrade or overwrite the V4.0.x installation. Ultimately, the upgrade process described here will allow you to import your V4.0.x configuration items into the newly installed V4.5.x system. It will also allow you to migrate V4.0.x hosts to V4.5.x. After installing V4.5.x, it is expected that you will spend some time examining how policies and other functionality have changed between versions and you will gradually apply the V4.5.x policies to the migrated hosts.
Caution 
You should not uninstall V4.0.x until you have migrated all agents to V4.5.x.
When you install CSA MC V4.5.x, a new Security Agents V4.5 menu item appears in your CiscoWorks UI. If you install CSA MC V4.5.x on the same machine as V4.0.x, your original Security Agents menu item remains in place and you continue to manage your existing V4.0.x configurations from there. The CSA MC V4.5.x installation also creates a new directory structure. (If you install CSA MC V4.5.x on the same machine as V4.0.x, your original CSAMC directory structure remains in place, co-existing with the new V4.5 structure.) Note that subsequent releases of CSA MC will continue to include the new version number in the directory structure. Refer to the following chart.
Table 3-1 Menu Item and Directory Path
| Version | Menu Item | Directory Path |
|---|---|---|
| CSA MC V4.5.1 | Security Agents V4.5 | CSCOpx\CSAMC45 |
| CSA MC V4.5 | Security Agents V4.5 | CSCOpx\CSAMC45 |
| CSA MC V4.0 | Security Agents | CSCOpx\CSAMC |
Upgrade Instructions
The following upgrade process contains instructions for installing CSA MC V4.5.x on the same system as CSA MC V4.0.x and for installing CSA MC V4.5.x to a separate machine. Both scenarios are covered here.
Caution 
If you intend to upgrade 4.0.x Solaris agents, please read Solaris Agent Migration before starting your upgrade.
To upgrade to V4.5.x, do the following:
Step 1
Install the Management Center for Cisco Security Agents V4.5.x. See page 9 for instructions.
• If you're installing CSA MC V4.5.x on the same machine running CSA MC V4.0.x, an xml file containing V4.0.x configuration items and host information is automatically generated by the installation and ready for importing once the install is complete.
• If you're installing CSA MC V4.5.x on a different machine from the system running V4.0.x, after installing V4.5.x, you must copy and manually run an executable file on the V4.0.x machine to create the xml file needed for importing V4.0.x configuration and host information to V4.5.x.
Step 2
If you have installed V4.5.x on the same machine as V4.0.x, you can skip to the end of Step 6. Otherwise, once you've installed CSA MC V4.5.x and rebooted the system, navigate to the CSCOpx\CSAMC45\migration directory. Copy the file named prepare_migration.exe to your V4.0.x system. (You can copy it to any place on the system.)
Step 3
On your CSA MC V4.0.x, disable agent security and run the prepare_migration.exe file that you copied from the V4.5.x system. (You must disable security in order to run the executable file and create the import xml data.) This launches a command prompt which displays the progress of the migration.
Step 4
When the prepare_migration.exe file is finished, on the V4.0.x system, navigate to the CSCOpx\CSAMC\bin directory and locate a newly created file named migration_data_export.xml.
Step 5
Then from the V4.5 system, import the migration_data_export.xml file to the CSA MC V4.5 machine. If V4.5.x and V4.0.x are on different machines, do this by either copying the xml file to the V4.5.x system first and then importing it or by browsing to it from the V4.5.x system if you have network shares set up.
Step 6
You must generate rules once the import is complete. If you do not generate rules at this point, you cannot upgrade and migrate agent hosts as described in the next section.
Note
CSA MC V4.5.x ships with policies that contain new V4.5.x functionality. This new functionality does not match all V4.0.x configurations. Beginning with V4.5, CSA MC configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators. When you import your V4.0.x configuration, new V4.5.x items are not overwritten. You will likely have items from both versions in your CSA MC V4.5.x. If the import process finds that two items have the exact same contents and the only difference is the V4.5.x appended name field, the old V4.0.x item is not imported and the newer V4.5.x item is used in its place.
Step 7
To upgrade and migrate V4.0.x agents to V4.5.x, schedule V4.5.x software updates for V4.0.x agents. You schedule this upgrade from the CSA MC V4.0.x system. (Performing the V4.5.x installation placed a V4.5.x software update on the V4.0.x machine.)
Once V4.0.x agents receive the scheduled software update, they will point to and register with the new CSA MC V4.5.x. The update contains the appropriate new certificates to allow this to occur.
Caution 
When upgrading 4.0.x agents to software version 4.5.x, the upgrade program disables the system network interfaces to ensure a secure upgrade process. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled. Note that this information only applies to 4.0.x to 4.5.x software upgrades. (Also note that secure upgrades are not supported for Windows NT systems.)
Note that when you import your V4.0.x configurations to the V4.5.x system, old V4.0.x agent kits are also imported. When V4.0.x hosts perform software updates and register with the V4.5.x system, they are placed in groups according to the group information that was part of their original installation kit. If you want a host to be placed in a different group when it registers with V4.5.x, you have the ability to click on the original agent kit now listed along with the new V4.5.x agent kits and change the group association. You must generate rules after you change a group kit association.
Note
Note that when hosts register with CSA MC V4.5.x, they appear in their assigned group(s) and they also appear in the mandatory V4.5.x groups that match their OS type.
Also note that once you have migrated all V4.0.x agents to V4.5.x, you can uninstall CSA MC V4.0.x.
Solaris Agent Migration
You should note that Solaris host migration is a bit different than Windows migration.
Caution 
Only Solaris agent versions 4.0.3.735 or higher can be upgraded to version 4.5.x. Earlier Solaris agents cannot be upgraded.
Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, network connectivity is disabled and remains disabled until the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.
Upgrading from CSA Version 4.5 to 4.5.1
Upgrading Cisco Security Agent from 4.5 to 4.5.1 is supported. (If you are trying to upgrade from CSA version 4.0.x to 4.5.1, see Upgrading from Version 4.0.x to 4.5.x.) The new software and policy changes are included in one self-extracting executable file and they can be installed alongside version 4.5. You do not need to uninstall CSA version 4.5 to proceed.
If the installation process finds that two security components are identical, and the only difference is the version number appended name field, the newer item from V4.5.1 overwrites the older version.
To upgrade CSA 4.5 to CSA 4.5.1, follow this procedure:
Step 1
From the system running CSA MC V4.5, download the new kit from Cisco's web site (http://www.cisco.com/pcgi-bin/tablebuild.pl/csa).
Step 2
Choose to Save the download locally rather than to open it.
Step 3
Open the folder where you saved the self-extracting ZIP file.
Step 4
Double-click the self-extracting ZIP file to open it.
Step 5
Double-click setup.exe to begin the installation.
Step 6
Click OK.
Step 7
At the Welcome screen (Figure 3-1), click Next.
Step 8
CSA prompts you with a message that an attempt is being made to disable security for the Cisco Security Agent. Select Yes and click Apply to allow the activity.
Step 9
Your response is then challenged. Type the letters you see in the Cisco Security Agent Challenge window in the text field and click OK.
Step 10
New files are copied to your system. (See Figure 3-7.)
Step 11
Once all the files are copied, the installation performs some preliminary system setup tasks. (See Figure 3-8.)
Note
The agent protecting the system on which CSA MC runs is upgraded at the same time as CSAMC.
Step 12
You receive a message that installation is complete. Save and close any open files and click OK for the system to be restarted.
Step 13
In order for all the agents to receive the software upgrade, you must schedule a software upgrade for all the groups running version 4.5 software. See Using Management Center for Cisco Security Agents for information about scheduling a software upgrade.
Note
The software upgrade deployed to agents does not contain policy changes; it only upgrades the agent application.
Piloting the Upgrade of CSA from Version 4.5 to 4.5.1
Once you have upgraded CSA MC with the version 4.5.1 software and have distributed the software upgrade to all the agents running version 4.5, you should review the policy changes that came with version 4.5.1 and determine which of these changes you should deploy.
Step 1
Move the mouse over Systems and click Groups from the drop-down menu.
Step 2
From the Groups List page you can see which groups have both an old version and a new version and how many hosts would be affected by receiving policy changes.
Step 3
See the Release Notes for CSA version 4.5.1 for a list of policies that have changed to provide greater security, be less restrictive, or to be more efficient. Evaluate the policies that have changed in a particular group.
• If a policy changed because its rules were made more efficient or less restrictive, do not move existing hosts into the CSA version 4.5.1 groups associated with CSA version 4.5.1 policies. Your system is up and running and these sorts of changes were probably accounted for when CSA was originally piloted.
• If the policies have changed in order to enforce security more strictly, begin a pilot program by associating a small number of systems with the new CSA version 4.5.1 groups and see how the policy changes affect day to day work on those systems.
Step 4
After the pilot program has ended, and you are satisfied with the security provided by the new policies, associate the remaining hosts in the CSA version 4.5 groups with the CSA version 4.5.1 groups. See Using Management Center for Cisco Security Agents for information about bulk transferring hosts from one group to another.
Note
CSA version 4.5 policies will continue to function with the version 4.5.1 agent.
Installing Management Center for Cisco Security Agents
Caution 
CSA MC is a component of the CiscoWorks VPN/Security Management Solution (VMS). You must have CiscoWorks Common Services installed on the system to which you are installing CSA MC. See the CiscoWorks2000 VPN/Security Management Solution Quick Start Guide for details.
You must have local administrator privileges on the system in question to perform the installation. Once you've verified system requirements, you can begin the installation.
Installation Configuration Options
You have three installation configuration options to consider before launching the CSA MC installation process.
• You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.)
For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Desktop Engine (provided with the product) on the same system if you are planning to deploy no more than 500 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Desktop Engine on the system.
For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system if you are planning to deploy no more than 5,000 agents. Note that if you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation.
Also note that if your plan is to use SQL Server 2000, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.
• You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)
Use this configuration option if you are planning to deploy more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation.
Caution 
If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.
• You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)
This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations.
Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations. This way, if your network is under attack and a flurry of events is causing one MC's CPU to spike, for example, your configuration MC remains unaffected and you can still push configuration changes to your hosts.
Caution 
If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two-MC configuration to work properly, they must both be configured to communicate with the database as though it were remote.
Installing CSA MC with a Local Database
If you are installing both CSA MC and the database to the same machine, you will first install Microsoft SQL Server Desktop Engine (as part of the CSA MC installation) and then install CSA MC.
Before beginning, exit any other programs you have running on the system where you are installing CSA MC.
To install the CSA MC, do the following:
Step 1
Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.
Step 2
Insert the VPN/Security Management Solution CD into the CDROM drive. When the installation screen listing all available VMS products appears, select the checkbox beside Managing Cisco Security Agents—Servers and Desktops and click Next to start the installation. The welcome screen appears. See Figure 3-1.
Figure 3-1 CSA MC Installation Welcome Screen
Step 3
After you click Next in the welcome screen, the install begins by prompting you to choose a database setup type. See Figure 3-2. In this case, you will keep the default selection of Local Database and click the Next button.
Figure 3-2 Database Setup Type
Step 4
If installing locally, the installation next checks to see if you have Microsoft SQL Server Desktop Engine (MSDE) installed. CSA MC uses MSDE for its local configuration database. If this software is not detected, you are prompted to install it. See Figure 3-3.
Note
For installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Refer to Installation Configuration Options for more information. If you are using Microsoft SQL Server 2000, refer to Microsoft SQL Server 2000 Local Installation Notes for details.
Caution 
On a system where CSA MC has not previously been installed, the setup program first installs MSDE. If the CSA MC installation detects any other database type attached to an existing installation of MSDE or a version of MSDE or SQL Server 2000 that does not have at least Service Pack 3a, the installation will abort. This database configuration is not qualified.
Figure 3-3 Install Microsoft SQL Server Desktop Engine
Once you click Yes, you proceed through the Microsoft SQL Server installation. It only takes a few minutes.
The first installation screen prompts you to accept the default SQL Server install directory path. The default is selected by searching the system disk for a location that provides the most space for the database. You can select a different path if you choose.
Figure 3-4 Microsoft SQL Server Directory Prompt
Note
When the Microsoft SQL Server installation finishes, you must begin the CSA MC installation again. You may have to restart your system before beginning the CSA MC installation.
Step 5
Begin the CSA MC installation again. This time the installation detects the Microsoft SQL Server software and proceeds.
Step 6
You are reminded that you must obtain a license key (see page 2 for information). If you already have a license key file on the system to which you are installing CSA MC, you can copy it to the installation directory at this time by clicking the Yes button (see Figure 3-5) and browsing to it on the system. You can also click No and copy it any time after the installation.
Note
If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.
Figure 3-5 License Key Popup
Once you copy a valid license key to the system, you are prompted to begin the installation (see Figure 3-6). The install then proceeds copying the necessary files to your system (see Figure 3-7).
Figure 3-6 Installation Prompt
Figure 3-7 Copy Files
Once all the files are copied, the installation performs some preliminary system setup tasks (see Figure 3-8).
Figure 3-8 System Setup
Note
When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)
If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation.
When the MC and agent installs are complete, you are prompted to reboot the system. It will automatically reboot within 5 minutes.
Note
When you install CSA MC, the installation enables SSL in CiscoWorks. When you access the CSA MC UI from CiscoWorks, you must have SSL enabled in CiscoWorks for CSA MC to allow the connection.
Microsoft SQL Server 2000 Local Installation Notes
Note
The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2000 to the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2000 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database.
For local database installations exceeding 5,000 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Microsoft SQL Server Desktop Engine has a 2 GB limit. SQL Server 2000 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.
In order for Microsoft SQL Server 2000 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2000 manual for detailed installation information.)
Note
You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2000 database. If you change this, the CSA MC installation will not detect the database.
When installing Microsoft SQL Server 2000, choose the default settings except in the following instances:
• In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system.
• In the Services Accounts installation window, choose the Use the same account for each service radio button. In the Service Settings section, choose Use a Domain User Account. In the edit fields, enter a Username and Password for the local administrator account.
• In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2.
Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 3a. When installing the service pack, choose the default settings except in the following instances:
• When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.
• In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button.
• In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP3a (required) checkbox.
Installing CSA MC with a Remote Database
If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2000 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network.
Caution 
It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers.
Caution 
In a distributed (multiple MC) environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the software update on the other MC.
Caution 
It is important that the time on the database server system closely match the time on the CSA MC system. Additionally, make sure both times are set correctly.
Caution 
You must install a Cisco Security Agent on this remote database. This agent should be in the following groups: Servers-SQL Server 2000, Servers-All types, Systems-Mission Critical, and Systems-Restricted Networking.
Microsoft SQL Server 2000 Remote Setup
Note
The following section contains overview information for setting up the Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation.
In order to enter the requested remote database information during the CSA MC installation, you must first set up the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators.)
• Create an empty database.
• You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)
• Make sure that the database is configured to accept SQL Server authentication.
• You also need to create a file group for the database called "analysis" and it must have at least one file attached.
Once this is configured, you can begin the CSA MC installation.
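The database preparation steps listed above, written out as T-SQL for SQL Server 2000 and followed by queries that confirm the result. This is an added example, not part of the Cisco documentation; the database name CSAMC45DB, the login and user name csamc_svc, the file path and size, and the password placeholder are assumptions to replace with your own values.

```sql
-- Added example (not from the Cisco guide). Run in Query Analyzer while
-- connected to the remote SQL Server 2000 instance as a sysadmin.
-- Assumed names: database CSAMC45DB, login/user csamc_svc, data path D:\MSSQL\Data.

-- 1. Create the empty database.
CREATE DATABASE CSAMC45DB
GO

-- 2. Create the file group named "analysis" and attach one file to it.
ALTER DATABASE CSAMC45DB ADD FILEGROUP analysis
GO
ALTER DATABASE CSAMC45DB
ADD FILE (
    NAME = CSAMC45DB_analysis1,
    FILENAME = 'D:\MSSQL\Data\CSAMC45DB_analysis1.ndf',  -- assumed path
    SIZE = 50MB,                                         -- assumed size
    FILEGROWTH = 10%
) TO FILEGROUP analysis
GO

-- 3. Create a SQL Server authentication login with a non-blank password.
EXEC sp_addlogin
    @loginame = 'csamc_svc',
    @passwd   = '<REPLACE-WITH-STRONG-PASSWORD>',        -- placeholder
    @defdb    = 'CSAMC45DB'
GO

-- 4. Map the login to a database user with the identical name and grant
--    only the three roles named in the guide (db_owner is not required).
USE CSAMC45DB
GO
EXEC sp_grantdbaccess @loginame = 'csamc_svc', @name_in_db = 'csamc_svc'
EXEC sp_addrolemember @rolename = 'db_ddladmin',   @membername = 'csamc_svc'
EXEC sp_addrolemember @rolename = 'db_datareader', @membername = 'csamc_svc'
EXEC sp_addrolemember @rolename = 'db_datawriter', @membername = 'csamc_svc'
GO

-- 5. Verify before starting the CSA MC installer.

-- 5a. Authentication mode: 0 means SQL Server authentication is accepted,
--     1 means Windows authentication only. The mode itself is changed in
--     the server's security properties, not with T-SQL.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only

-- 5b. The "analysis" file group exists and has at least one file.
EXEC sp_helpfilegroup 'analysis'

-- 5c. The login holds no server-wide sysadmin right (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'csamc_svc') AS is_sysadmin

-- 5d. Database roles held by the user.
SELECT r.name AS role_name
FROM sysmembers m
JOIN sysusers r ON r.uid = m.groupuid
JOIN sysusers u ON u.uid = m.memberuid
WHERE u.name = 'csamc_svc'
ORDER BY r.name
GO
```

Query 5d should list db_datareader, db_datawriter and db_ddladmin; a db_owner row means the account holds more than the installation requires.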
Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following:
Step 1
Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.
Step 2
Insert the VPN/Security Management Solution CD into the CDROM drive. When the installation screen listing all available VMS products appears, select the checkbox beside Managing Cisco Security Agents—Servers and Desktops and click Next to start the installation.
Step 3
The install begins by prompting you to choose a database setup type. See Figure 3-2. In this case, you will select the Remote Database radio button and click the Next button.
When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 3-9):
• Name of the server
• Name of the database
• Login ID
• Password
Figure 3-9 Remote Database Information
Step 4
Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not set up correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds.
Step 5
You are next reminded that you must obtain a license key (see page 2 for information). If you already have a license key file on the system to which you are installing CSA MC, you can copy it to the installation directory at this time by clicking the Yes button (see Figure 3-10) and browsing to it on the system. You can also click No and copy it any time after the installation.
Note
If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.
Figure 3-10 License Key Popup
Step 6
Once you copy a valid license key to the system, you are prompted to begin the installation (see Figure 3-11). The install then proceeds copying the necessary files to your system (see Figure 3-12).
Figure 3-11 Installation Prompt
Figure 3-12 Copy Files
Once all the files are copied, the installation performs some preliminary system setup tasks.
Note
When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)
You are prompted to reboot the system after the CSA MC protecting agent installation is complete. The reboot occurs automatically after 5 minutes.
Note for installing two CSA MCs on two separate machines
If you are installing two CSA MCs using one remote database, repeat the steps detailed in this section, entering the same remote database information for the second MC.
Caution 
When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.
Caution 
In a distributed MC environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the other MC.
Installation Log
The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the CSCOpx\CSAMC45\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install.
Note
The installation of the agent produces a similar file called "CSAgent-Install.log", which is located in the Cisco Systems\CSAgent\log directory on agent host systems.
Accessing Management Center for Cisco Security Agents
When the installation has completed and you've rebooted the system, a Security Agent category becomes available in the left pane of the CiscoWorks UI. Cisco Security Agent management screens are accessible from the CiscoWorks VPN/Security Management Solution "drawer". Security Agents (the category by which you access the CSA MC UI) are located in the Management Center and Administration>Management Center folders.
Note
Refer to the Using CiscoWorks Common Services manual for CiscoWorks installation instructions and login information.
Local Access
To access CSA MC locally on the system hosting CSA MC and CiscoWorks software:
• From the Start menu, go to Programs>CiscoWorks>CiscoWorks to open the CiscoWorks 2000 management UI.
• Log in to CiscoWorks. To access CSA MC, open the VPN/Security Management Solution "drawer". The Security Agents 4.5 item is located in the Management Center and Administration>Management Center folders. See Figure 3-13.
Note
See Initiating Secure Communications if you cannot connect to CSA MC.
Remote Access
To access CSA MC from a remote location:
• Launch a browser application on the remote host and enter the following in the Address or Location field (depending on the browser you're using) to access the Login view:
http://<ciscoworks system hostname>:1741
For example, enter http://stormcenter:1741
Note
In this example, CiscoWorks and CSA MC are installed on a host system with the name stormcenter.
Figure 3-13 CiscoWorks Main Page
Initiating Secure Communications
CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system.
During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself.
When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you log in. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers.
Internet Explorer: Importing the Root Certificate
Step 1
You import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and click the Import Root Certificate item. See Figure 3-14.
Step 2
Select the Open this file from its current location button and click OK.
Step 3
The certificate information box appears (see Figure 3-15). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard.
Figure 3-14 Import Root Certificate
Figure 3-15 Certificate Information
Step 4
The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue.
Step 5
From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next.
Figure 3-16 Certificate Wizard
Step 6
You've now imported your certificate for the server. Click the Finish button (Figure 3-17) to continue.
Figure 3-17 Certificate Wizard Finish Page
Step 7
Now, you must save the certificate. Click the Yes button in the Root Certificate Store box (see Figure 3-18).
Figure 3-18 Root Certificate Store Box
Step 8
You are next prompted with a confirmation box informing you that your certificate was created successfully. Lastly, the View Certificate box remains on the screen (see Figure 3-15). Since your certificate has been generated, you can click the Yes button here.
Note
You must perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format.
http://<ciscoworks system hostname>:1741
For example, enter http://stormcenter:1741
Caution 
If you have not obtained a valid license from Cisco, when you log in to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information.
Netscape: Importing the Root Certificate
Step 1
You import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and click the Import Root Certificate item. See Figure 3-14.
Step 2
In the Downloading Certificate window, select the Trust this CA to identify web sites checkbox.
Figure 3-19 Downloading Certificate Window
Step 3
Click OK to import the certificate.
Note
You should perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page without further certificate prompts.
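Both import procedures above trust the certificate the browser received, so it is worth confirming first that it matches the fingerprint shown at the CSA MC system itself. The following is an added example, not part of the Cisco guide; it assumes the certificate was saved to a file and that the trusted fingerprint was read over a separate path, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_to_der(data):
    """Return DER bytes from a saved certificate file that is PEM or raw DER."""
    match = PEM_RE.search(data)
    if match is None:
        return data  # already binary DER
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def normalize_fingerprint(text):
    """Drop the colons and spaces certificate viewers insert, and lowercase."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint must be hexadecimal")
    return cleaned


def certificate_matches(cert_bytes, trusted_fingerprint):
    """True only if the saved certificate hashes to the fingerprint read at the server."""
    trusted = normalize_fingerprint(trusted_fingerprint)
    # Pick the hash from the fingerprint length: 40 hex chars = SHA-1, 64 = SHA-256.
    algorithm = {40: "sha1", 64: "sha256"}.get(len(trusted))
    if algorithm is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    actual = hashlib.new(algorithm, cert_to_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(actual, trusted)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; the hash covers the raw bytes.
    sample = b"constructed stand-in for DER certificate bytes"
    shown = hashlib.sha1(sample).hexdigest().upper()
    print(certificate_matches(sample, shown))            # same certificate
    print(certificate_matches(sample + b"\x00", shown))  # altered certificate
```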
Uninstalling Management Center for Cisco Security Agents
Uninstall the CSA MC software as follows:
Step 1
From Start>Settings>Control Panel, access the Add/Remove Programs window. Locate the CiscoWorks item and click Change/Remove.
Step 2
From the window that appears, select the appropriate checkbox to remove the Management Center for Cisco Security Agents program item and click Uninstall. This also removes the Cisco Security Agent and Cisco Security Agent Profiler programs on the CSA MC system.
Note
Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system.
Caution 
If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to Backup the Database during the uninstall when you are prompted to do so. If you do not back up the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.)
Figure 3-20 Backup Database Prompt
Copying Cisco Trust Agent Installer Files
Cisco Trust Agent (CTA) is an optional application you may install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives.
If you intend to distribute CTA through an agent kit, install your desired CTA installer files on the system running CSA MC.
To install the CTA installer files, follow this procedure:
Step 1
Obtain the desired CTA installer files from Cisco Systems.
Note
It is the user's responsibility to verify that they have obtained the correct CTA installer files.
Step 2
Copy the CTA installer files to the %Program Files%\CSCOpx\CSAMC45\cfg\cta directory.
Step 3
The default Cisco Security Agent policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action. Select the Yes radio button and click Apply. Repeat this step for every file you copy into this directory.
Note
Refer to the Agent kits section of the User Guide for information on installing the CTA files you have just copied.
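The Note in Step 1 leaves verification of the CTA installer files to the administrator. The following is an added example, not part of the Cisco guide, of one way to do that before the copy in Step 2. It assumes a SHA-256 manifest for the files was obtained from a trusted source (the guide does not say one is published), and the function names are illustrative.

```python
import hashlib
import hmac
import shutil
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large installer is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style 'digest  filename' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")
        if Path(name).name != name:  # reject entries that point outside the folder
            raise ValueError("manifest entry must be a bare file name: %r" % name)
        expected[name] = digest.lower()
    return expected

def stage_cta_files(source_dir, manifest_text, dest_dir):
    """Copy the download into dest_dir only if every file matches the manifest."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    expected = parse_manifest(manifest_text)
    report = {"copied": [], "mismatch": [], "missing": [], "unlisted": []}
    verified = []
    for name, digest in sorted(expected.items()):
        candidate = source_dir / name
        if not candidate.is_file():
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_file(candidate), digest):
            verified.append(name)
        else:
            report["mismatch"].append(name)
    report["unlisted"] = sorted({p.name for p in source_dir.iterdir()} - set(expected))
    # All-or-nothing: a partial or altered set is never staged for agent kits.
    if not (report["mismatch"] or report["missing"] or report["unlisted"]):
        dest_dir.mkdir(parents=True, exist_ok=True)
        for name in verified:
            shutil.copy2(source_dir / name, dest_dir / name)
        report["copied"] = verified
    return report
```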