Installing Management Center for Cisco Security Agents 5.0

Table Of Contents

Installing the Management Center for Cisco Security Agents

Overview

Licensing Information

Installing V5.0 and Migrating Configurations and Hosts from V4.x

Installation and Migration Overview

Installing Management Center for Cisco Security Agents

Installation Configuration Options

Installing CSA MC with a Local Database

Microsoft SQL Server 2000 Local Installation Notes

Installing CSA MC with a Remote Database

Microsoft SQL Server 2000 Remote Setup

Installation Log

Accessing Management Center for Cisco Security Agents

Migration Instructions

Solaris and Linux Agent Migration

Upgrade Note

Initiating Secure Communications

Internet Explorer: Importing the Root Certificate

Netscape: Importing the Root Certificate

Uninstalling Management Center for Cisco Security Agents

Copying Cisco Trust Agent Installer Files


Installing the Management Center for Cisco Security Agents


Overview

This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed.

It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC.

This section contains the following topics.

Licensing Information

Installing V5.0 and Migrating Configurations and Hosts from V4.x

Installing Management Center for Cisco Security Agents

Installing CSA MC with a Local Database

Microsoft SQL Server 2000 Local Installation Notes

Installing CSA MC with a Remote Database

Installation Log

Accessing Management Center for Cisco Security Agents

Migration Instructions

Initiating Secure Communications

Uninstalling Management Center for Cisco Security Agents

Copying Cisco Trust Agent Installer Files

Licensing Information

CSA MC and agents require a license obtained from Cisco in order to operate with full functionality. You can install and run both the MC and the agent without a license. If you do not have a valid license, CSA MC and all associated agents will not operate until you obtain a valid license.

The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can copy the license to the CSA MC directory in one of the following manners:

During installation

During the installation, you are prompted to copy the license into the CSA MC directory. If you choose Yes, you can browse to the license file on the system (or in an accessible file share), save it, and continue the installation. Or you can choose No when prompted and copy the license when the installation has completed and the system is rebooted.


Note If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.


After installation

After installing CSA MC, to copy the license to the CSA MC directory, click Maintenance in the menu bar and select License Information. The License Information screen appears. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory.

Installing V5.0 and Migrating Configurations and Hosts from V4.x

If you have previous versions (V4.5.x or V4.0.x) of the product installed, installing Management Center for Cisco Security Agents 5.0 does not upgrade those previous versions. V5.0 coexists with previous product versions. Rather than performing a traditional upgrade from a previous release to the new release, you would install 5.0 and then migrate older configurations and hosts to your 5.0 MC using migration tools that are provided. If you install 5.0 on the same system where you have 4.0 or 4.5 installed, this migration is done automatically.

The installation and migration process to V5.0 is the same whether you're upgrading from V4.5.x or from V4.0.x of the product. Therefore, previous versions of the product in these migration instructions will be referred to as 4.x.


Note Migrating from versions of the product earlier than version 4.x to version 5.0 is not supported.


Installation and Migration Overview

You have two options when migrating from CSA MC 4.x to CSA MC 5.0.

Install V5.0 on the same machine as V4.x.


Caution You cannot have three CSA MCs installed on the same system. If you already have both V4.0 and V4.5 installed on one system, you must uninstall one MC before installing V5.0 on that system.

Install V5.0 on a different machine with the knowledge that V4.x agents will eventually be migrated to the new V5.0 machine.

The CSA MC V5.0 installation does not automatically upgrade or overwrite the V4.x installation. Ultimately, the upgrade process described here will allow you to import your V4.x configuration items into the newly installed V5.0 system. It will also allow you to migrate V4.x hosts to V5.0. After installing V5.0, it is expected that you will spend some time examining how policies and other functionality have changed between versions and you will gradually apply the V5.0 policies to the migrated hosts.


Caution You should not uninstall V4.x until you have migrated all agents to V5.0. Once you install V5.0, you can apply hotfixes to the old V4.x version, but you cannot install a V4.x version of the product once the V5.0 version is installed in a one-system installation scenario.

If you do apply hotfixes to an old V4.x version after you install V5.0, you have to manually restart the CSA MC system for both MCs to begin running again.

When you install CSA MC V5.0, a new Security Agents V5.0 menu item appears in your CiscoWorks UI. If you install CSA MC V5.0 on the same machine as V4.x, your original Security Agents menu item remains in place and you continue to manage your existing V4.x configurations from there. The CSA MC V5.0 installation also creates a new directory structure. (If you install CSA MC V5.0 on the same machine as V4.x, your original CSAMC directory structure remains in place, co-existing with the new V5.0 structure.) Note that subsequent releases of CSA MC will continue to include the new version number in the directory structure. Refer to the following chart.

Table 3-1 Menu Item and Directory Path

Version        Menu Item               Directory Path
CSA MC V5.0    Security Agents V5.0    CSCOpx\CSAMC50
CSA MC V4.5    Security Agents V4.5    CSCOpx\CSAMC45
CSA MC V4.0    Security Agents         CSCOpx\CSAMC


Installing Management Center for Cisco Security Agents

Migration instructions appear after the installation instructions. See Migration Instructions.


Caution CSA MC is a component of the CiscoWorks VPN/Security Management Solution (VMS). You must have CiscoWorks Common Services installed on the system to which you are installing CSA MC. See the CiscoWorks2000 VPN/Security Management Solution Quick Start Guide for details.

You must have local administrator privileges on the system in question to perform the installation. Once you've verified system requirements, you can begin the installation.


Caution After you install CSA MC, you should not change the name of the MC system. Changing the system name after the product installation will cause agent/CSA MC communication problems.

Installation Configuration Options

You have three installation configuration options to consider before launching the CSA MC installation process.

You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.)

For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Desktop Engine (provided with the product) on the same system if you are planning to deploy no more than 500 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Desktop Engine on the system.

For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system depending on the number of agents you are deploying (see Scalable Deployments). Note that if you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation.

Also note that if your plan is to use SQL Server 2000, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.

You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)

Use this configuration option depending on the number of agents you are deploying (see Scalable Deployments). If you are using a separately licensed, managed, and maintained SQL Server 2000 database, SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation.


Caution If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.

You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2000 Remote Setup.)

This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations.

Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations.


Caution If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two-MC configuration to work properly, they must both be configured to communicate with the database as though it were remote.

Installing CSA MC with a Local Database

If you are installing both CSA MC and the database to the same machine, you will first install Microsoft SQL Server Desktop Engine (as part of the CSA MC installation) and then install CSA MC.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC.

To install the CSA MC, do the following:


Step 1 Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.

Step 2 Insert the VPN/Security Management Solution CD into the CDROM drive. When the installation screen listing all available VMS products appears, select the checkbox beside Managing Cisco Security Agents—Servers and Desktops and click Next to start the installation. The welcome screen appears. See Figure 3-1.

Figure 3-1 CSA MC Installation Welcome Screen

Step 3 After you click Next in the welcome screen, the install begins by prompting you to choose a database setup type. See Figure 3-2. In this case, you will keep the default selection of Local Database and click the Next button.

Figure 3-2 Database Setup Type

Step 4 If installing locally, the installation next checks to see if you have Microsoft SQL Server Desktop Engine (MSDE) installed. CSA MC uses MSDE for its local configuration database. If this software is not detected, you are prompted to install it.


Note For installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Refer to Installation Configuration Options for more information. If you are using Microsoft SQL Server 2000, refer to Microsoft SQL Server 2000 Local Installation Notes for details.



Caution On a system where CSA MC has not previously been installed, the setup program first installs MSDE. If the CSA MC installation detects any other database type attached to an existing installation of MSDE or a version of MSDE or SQL Server 2000 that does not have at least Service Pack 3a, the installation will abort. This database configuration is not qualified.

Once you click Yes, you proceed through the Microsoft SQL Server installation. It only takes a few minutes.

The first installation screen prompts you to accept the default SQL Server install directory path. The default is selected by searching the system disk for a location that provides the most space for the database. You can select a different path if you choose.

Figure 3-3 Microsoft SQL Server Directory Prompt


Note When the Microsoft SQL Server installation finishes, you must begin the CSA MC installation again. You may have to restart your system before beginning the CSA MC installation.


Step 5 Begin the CSA MC installation again. This time the installation detects the Microsoft SQL Server software and proceeds.

Step 6 You are reminded that you must obtain a license key (see Licensing Information). If you already have a license key file on the system to which you are installing CSA MC, you can copy it to the installation directory at this time by clicking the Yes button (see Figure 3-4) and browsing to it on the system. You can also click No and copy it any time after the installation.


Note If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.


Figure 3-4 License Key Popup

Once you copy a valid license key to the system, you are prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-5). It is required that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-5 Automatic Reboot Option Prompt

You are next prompted to begin the installation (see Figure 3-6). The install then proceeds copying the necessary files to your system (see Figure 3-7).

Figure 3-6 Installation Prompt

Figure 3-7 Copy Files

Once all the files are copied, the installation performs some preliminary system setup tasks (see Figure 3-8).

Figure 3-8 System Setup


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)

If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation.


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time.


Note When you install CSA MC, the installation enables SSL in CiscoWorks. When you access the CSA MC UI from CiscoWorks, you must have SSL enabled in CiscoWorks for CSA MC to allow the connection.


Microsoft SQL Server 2000 Local Installation Notes


Note The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2000 to the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2000 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database.


For local database installations exceeding 500 agents, it is recommended that you install Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided with the product. Microsoft SQL Server Desktop Engine has a 2 GB limit. SQL Server 2000 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.

In order for Microsoft SQL Server 2000 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2000 manual for detailed installation information.)


Note You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2000 database. If you change this, the CSA MC installation will not detect the database.


When installing Microsoft SQL Server 2000, choose the default settings except in the following instances:

In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system.

In the Services Accounts installation window, choose the Use the same account for each service radio button. In the Service Settings section, choose Use a Domain User Account. In the edit fields, enter a Username and Password for the local administrator account.

In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2.

Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 3a. When installing the service pack, choose the default settings except in the following instances:

When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.

In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button.

In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP3a (required) checkbox.

Installing CSA MC with a Remote Database

If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2000 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network.


Caution It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers.


Caution In a distributed (multiple MC) environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the software update on the other MC.


Caution It is important that the time on the database server system closely match the time on the CSA MC system. Additionally, make sure both times are set correctly.


Caution You must install a Cisco Security Agent on this remote database. This agent should be in the following groups: Servers-SQL Server 2000, Servers-All types, Systems-Mission Critical, and Systems-Restricted Networking. You should install this agent after the last CSA MC has been installed and rebooted.

Microsoft SQL Server 2000 Remote Setup


Note The following section contains overview information for setting up the Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation.


In order to enter the requested remote database information during the CSA MC installation, you must first set up the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.)

Create an empty database.

You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)

Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed.

Make sure that the database is configured to accept SQL Server authentication.

You also need to create a file group for the database called "analysis" and it must have at least one file attached.

More specifically, use the following procedure as a guideline:


Step 1 Right click your SQL Server. Select the Security tab and set "Authentication" to SQL Server and Windows. Then click OK.

Step 2 Stop and start SQL Server.

Step 3 Create new database "CSAMC50".

Step 4 Inside the DB properties, click Data Files and in the File Name box, type "csamcalanysis", and in the Filegroup field type "ANALYSIS". Then click OK.

Step 5 Expand the "security" + and right-click Logins. Then create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc50 database.


Note Do not click anything under "server roles".


Step 6 In the "database access" section, permit access to csamc50 and give the role of db_ddladmin. Click OK.

Step 7 Restart the server.

Once this is configured, you can begin the CSA MC installation.
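
The database prerequisites above, written as T-SQL for Query Analyzer on SQL Server 2000, followed by one PASS/FAIL query per prerequisite. This is an added example, not a script from Cisco or from the original guide. The login name csamc_mc, the password placeholder and the D:\MSSQL\Data path are assumptions, as is applying the English default at the login level; Steps 1 and 2 (authentication mode and restart) are still done in Enterprise Manager.

```sql
-- Added example, not Cisco's script. Run as a sysadmin on the remote
-- SQL Server 2000 instance after Steps 1-2 (mixed-mode authentication
-- enabled in Enterprise Manager, service restarted).
-- Hypothetical values: csamc_mc, the password placeholder, D:\MSSQL\Data.

USE master
GO

-- Step 3: create the empty database.
CREATE DATABASE CSAMC50
GO

-- Step 4: file group ANALYSIS with one data file attached
-- (logical file name as printed in Step 4).
ALTER DATABASE CSAMC50 ADD FILEGROUP ANALYSIS
GO
ALTER DATABASE CSAMC50
ADD FILE (
    NAME = csamcalanysis,
    FILENAME = 'D:\MSSQL\Data\csamcalanysis.ndf'   -- hypothetical path
) TO FILEGROUP ANALYSIS
GO

-- Step 5: SQL Server authentication login; default database CSAMC50,
-- default language English (set on the login here, an assumption).
-- No fixed server role is granted.
EXEC sp_addlogin
    @loginame    = 'csamc_mc',
    @passwd      = 'REPLACE_WITH_A_STRONG_PASSWORD',
    @defdb       = 'CSAMC50',
    @deflanguage = 'us_english'
GO

-- Step 6: database user with the same name as the login, limited to the
-- three roles the guide lists. db_owner is deliberately not granted.
USE CSAMC50
GO
EXEC sp_grantdbaccess @loginame = 'csamc_mc', @name_in_db = 'csamc_mc'
EXEC sp_addrolemember @rolename = 'db_ddladmin',   @membername = 'csamc_mc'
EXEC sp_addrolemember @rolename = 'db_datareader', @membername = 'csamc_mc'
EXEC sp_addrolemember @rolename = 'db_datawriter', @membername = 'csamc_mc'
GO

-- Verification: one row per prerequisite. Run while connected to CSAMC50.
SELECT 'SQL Server authentication accepted' AS prerequisite,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 0
            THEN 'PASS' ELSE 'FAIL' END AS result
UNION ALL
SELECT 'login defaults: CSAMC50, English',
       CASE WHEN EXISTS (SELECT * FROM master.dbo.syslogins
                         WHERE name = 'csamc_mc'
                           AND dbname = 'CSAMC50'
                           AND language = 'us_english')
            THEN 'PASS' ELSE 'FAIL' END
UNION ALL
SELECT 'login holds no fixed server role',
       CASE WHEN EXISTS (SELECT * FROM master.dbo.syslogins
                         WHERE name = 'csamc_mc'
                           AND sysadmin + securityadmin + serveradmin
                             + setupadmin + processadmin + diskadmin
                             + dbcreator + bulkadmin = 0)
            THEN 'PASS' ELSE 'FAIL' END
UNION ALL
SELECT 'user has ddladmin, datareader, datawriter',
       CASE WHEN (SELECT COUNT(*)
                  FROM sysmembers m
                  JOIN sysusers u ON u.uid = m.memberuid
                  JOIN sysusers r ON r.uid = m.groupuid
                  WHERE u.name = 'csamc_mc'
                    AND r.name IN ('db_ddladmin', 'db_datareader',
                                   'db_datawriter')) = 3
            THEN 'PASS' ELSE 'FAIL' END
UNION ALL
SELECT 'user is not db_owner',
       CASE WHEN NOT EXISTS (SELECT *
                             FROM sysmembers m
                             JOIN sysusers u ON u.uid = m.memberuid
                             JOIN sysusers r ON r.uid = m.groupuid
                             WHERE u.name = 'csamc_mc'
                               AND r.name = 'db_owner')
            THEN 'PASS' ELSE 'FAIL' END
UNION ALL
SELECT 'ANALYSIS file group has a file',
       CASE WHEN EXISTS (SELECT *
                         FROM sysfilegroups g
                         JOIN sysfiles f ON f.groupid = g.groupid
                         WHERE g.groupname = 'ANALYSIS')
            THEN 'PASS' ELSE 'FAIL' END
GO
```

Any FAIL row points at the prerequisite to correct before the CSA MC installer is given the server name, database name, login ID and password.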

Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following:


Step 1 Log on as a local Administrator on your Microsoft Windows 2000 server system with Service Pack 4 installed.

Step 2 Insert the VPN/Security Management Solution CD into the CDROM drive. When the installation screen listing all available VMS products appears, select the checkbox beside Managing Cisco Security Agents—Servers and Desktops and click Next to start the installation.

Step 3 The install begins by prompting you to choose a database setup type. See Figure 3-2. In this case, you will select the Remote Database radio button and click the Next button.

When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 3-9):

Name of the server

Name of the database

Login ID

Password

Figure 3-9 Remote Database Information

Step 4 Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not set up correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds.

Step 5 You are next reminded that you must obtain a license key (see Licensing Information). If you already have a license key file on the system to which you are installing CSA MC, you can copy it to the installation directory at this time by clicking the Yes button (see Figure 3-10) and browsing to it on the system. You can also click No and copy it any time after the installation.


Note If you copy a valid license key to CSA MC during the installation, after the system reboots, all downloaded and installed agent kits immediately operate with full functionality. You do not have to log in and generate rules to have this occur.


Figure 3-10 License Key Popup

Once you copy a valid license key to the system, you are prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-11). It is recommended that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-11 Automatic Reboot Option Prompt

You are next prompted to begin the installation (see Figure 3-12). The install then proceeds copying the necessary files to your system (see Figure 3-13).

Figure 3-12 Installation Prompt

Figure 3-13 Copy Files

Once all the files are copied, the installation performs some preliminary system setup tasks.


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time.

Note for installing two CSA MCs on two separate machines

If you are installing two CSA MCs using one remote database, repeat the steps detailed in this section, entering the same remote database information for the second MC.


Caution When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.


Caution In a distributed MC environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (net stop crmdmgtd) on one MC before you install the other MC.

Installation Log

The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the CSCOpx\CSAMC50\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install.


Note The installation of the agent produces a similar file called "CSAgent-Install.log", which is located in the Cisco Systems\CSAgent\log directory on agent host systems.


Accessing Management Center for Cisco Security Agents

When the installation has completed and you've rebooted the system, a Security Agent category becomes available in the left pane of the CiscoWorks UI. Cisco Security Agent management screens are accessible from the CiscoWorks VPN/Security Management Solution "drawer". Security Agents (the category by which you access the CSA MC UI) are located in the Management Center and Administration>Management Center folders.


Note Refer to the Using CiscoWorks Common Services manual for CiscoWorks installation instructions and login information.


Local Access

To access CSA MC locally on the system hosting CSA MC and CiscoWorks software:

From the Start menu, go to Programs>CiscoWorks>CiscoWorks to open the CiscoWorks 2000 management UI.

Log in to CiscoWorks. To access CSA MC, open the VPN/Security Management Solution "drawer". The Security Agents 5.0 item is located in the Management Center and Administration>Management Center folders. See Figure 3-14.


Note See Initiating Secure Communications if you cannot connect to CSA MC.


Remote Access

To access CSA MC from a remote location:

Launch a browser application on the remote host and enter the following:

      http://<ciscoworks system hostname>:1741

in the Address or Location field (depending on the browser you're using) to access the Login view.

For example, enter http://stormcenter:1741


Note In this example, the CiscoWorks and CSA MC are installed on a host system with the name stormcenter.


Figure 3-14 CiscoWorks Main Page

Migration Instructions

The following section contains information for migrating to CSA MC V5.0 from a previous version installed on the same system as CSA MC V5.0 and for a previous version installed on a separate machine. Both scenarios are covered here.


Note If you install 5.0 on the same system where you have 4.0 or 4.5 installed, the majority of this migration is done automatically.


The installation and migration process to V5.0 is the same whether you're upgrading from V4.5 or from V4.0.x of the product. Therefore, previous versions of the product in these migration instructions will be generally referred to as 4.x.

If you intend to migrate 4.x Solaris agents, please read Solaris and Linux Agent Migration before starting your upgrade.

To migrate to V5.0, do the following:


Step 1 Install the Management Center for Cisco Security Agents V5.0. See Installing Management Center for Cisco Security Agents for instructions.

If you're installing CSA MC V5.0 on the same machine running CSA MC V4.x, an xml file containing V4.x configuration items and several .dat files containing host information are automatically generated by the installation and ready for importing once the install is complete.

If you're installing CSA MC V5.0 on a different machine from the system running V4.x, after installing V5.0, you must copy and manually run an executable file on the V4.x machine to create the xml and dat files needed for importing V4.x configuration and host information to V5.0.

Step 2 If you have installed V5.0 on the same machine as V4.x, you can skip to the end of Step 6. Otherwise, once you've installed CSA MC V5.0 and rebooted the system, navigate to the CSCOpx\CSAMC50\migration directory. Copy the appropriate file (named http://stormcenter:1741 or prepare_45_migration.exedepending on the version you're migrating from) to your V4.x system. (You can copy it to any place on the system.)

Step 3 On your CSA MC V4.x, disable agent security and run the prepare_40_migration.exe file that you copied from the V5.0 system. (You must disable security in order to run the executable file and create the import xml data.) This launches a command prompt which displays the progress of the migration.

Step 4 When the prepare_<version>_migration.exe file is finished, on the V4.x system, navigate to the CSCOpx\CSAMC45\bin or CSCOpx\CSAMC\bin directory (again, directory name depends on the version you're migrating from) and locate several newly created files. Your configuration data is now in a file named prepare_<version>_migration.exe . Your host data (hosts and distinct host groupings) are now in several files, depending on how many distinct host groupings existed, named migration_data_export.xml.

Using the data that is now wrapped up in these files allows you to import your existing policy configurations and your current host groupings, thereby preserving the policy tuning and host group configurations for your new V5.0 installation.

Step 5 Next you copy the migration_host_data<number>.dat and all themigration_data_export.xml files from the V4.x system to your V5.0 system. These files must exist together in the same directory on the V5.0 system (although the directory name and location does not matter).

Step 6 Then from the V5.0 system, run the webmgr import utility from a command prompt to pull the data into the new MC. You cannot use the CSA MC UI Import utility to do this. That utility does not allow you to import the .dat files that are associated with the .xml file as one grouping.

From a command prompt window on the V5.0 system, cd to the CSCOpx\CSAMC50\bin directory and run the following:
%system%CSCOpx\CSAMC50\bin>webmgr import %path_to_xml_file%\migration_data_export.xml

Because the host .dat files are associated with the .xml file, this command imports both the configuration and host data with the migration_data_export.xml file.

Step 7 You must generate rules once the import is complete. If you do not generate rules at this point, you cannot upgrade agent host software as described in the next section.


Note CSA MC V5.0 ships with policies that contain new V5.0 functionality. This new functionality does not match all V4.x configurations. CSA MC configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators. When you import your V4.x configuration, new V5.0 items are not overwritten. You will likely have items from both versions in your CSA MC V5.0. If the import process finds that two items have the exact same contents and the only difference is the V5.0 appended name field, the old V4.x item is not imported and the newer V5.0 item is used in its place.


Step 8 To upgrade migrated V4.x agents to V5.0, schedule V5.0 software updates for V4.x agents. You schedule this upgrade from the CSA MC V4.x system. (Running the prepare_<version>_migration.exe file placed a V5.0 software update on the V4.x machine.)

Once V4.x agents receive the scheduled software update, they will point to and register with the new CSA MC V5.0. The update contains the appropriate new certificates to allow this to occur. Once hosts register with V5.0, they will be associated with the correct groups based on the host migration that you performed earlier.


Note Agent kits are configuration items that do not migrate to the new version. Because host migration does not relate to agent kits, old agent kits are not considered to be necessary migration items.

Also, configuration items that are not used (not attached to anything) do not migrate to the new version.



Caution When upgrading 4.x agents to software version 5.0, the upgrade program disables the system network interfaces to ensure a secure upgrade process. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled. (Note that secure upgrades are not supported for Windows NT systems.)

Once you have migrated all old agents to the newer version, you can uninstall the old version of CSA MC. See Uninstalling Management Center for Cisco Security Agents.
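
A pre-import check for Steps 5 and 6, as an added example that is not part of the Cisco documentation or tooling: it records SHA-256 digests of the export files on the V4.x system and confirms that the same set sits together, unmodified, in one directory on the V5.0 system before webmgr import is run. It assumes Python is available on both machines and that <number> in the .dat file names is decimal digits; the function names are hypothetical.

```python
import hashlib
import json
import re
import sys
from pathlib import Path

XML_NAME = "migration_data_export.xml"  # configuration export named in Step 4
# Assumption: <number> in migration_host_data<number>.dat is decimal digits.
DAT_NAME = re.compile(r"migration_host_data\d+\.dat")

def sha256_of(path):
    """Hash a file in chunks so a large export is never read in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(directory):
    """Map every migration file in `directory` to its SHA-256 digest."""
    return {p.name: sha256_of(p) for p in sorted(Path(directory).iterdir())
            if p.is_file() and (p.name == XML_NAME or DAT_NAME.fullmatch(p.name))}

def check_staging(directory, source_manifest):
    """Return the problems found; an empty list means the copy is faithful."""
    staged = manifest(directory)
    problems = []
    for name in sorted(source_manifest):
        if name not in staged:
            problems.append(name + ": not copied from the V4.x system")
        elif staged[name] != source_manifest[name]:
            problems.append(name + ": contents differ from the V4.x copy")
    for name in sorted(set(staged) - set(source_manifest)):
        problems.append(name + ": not part of the V4.x export")
    if XML_NAME not in source_manifest:
        problems.append("export manifest has no " + XML_NAME)
    if not any(DAT_NAME.fullmatch(name) for name in source_manifest):
        problems.append("export manifest has no migration_host_data<number>.dat")
    return problems

if __name__ == "__main__":
    # Usage: "manifest <dir>" on V4.x, then "check <dir> <manifest.json>" on V5.0.
    if sys.argv[1] == "manifest":
        json.dump(manifest(sys.argv[2]), sys.stdout, indent=2)
    else:
        issues = check_staging(sys.argv[2], json.loads(Path(sys.argv[3]).read_text()))
        print("\n".join(issues) or "staging directory matches the V4.x export")
        sys.exit(1 if issues else 0)
```

Carry the manifest output to the V5.0 system by a different route than the export files themselves, so that a modified export cannot be accompanied by a matching manifest.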

Solaris and Linux Agent Migration


Caution Solaris agent versions 4.0.3.736 and any 4.5 or 4.5.1 can be upgraded to version 5.0. Earlier Solaris agents cannot be upgraded.

Only Linux agent version 4.5.1.638 and above can be upgraded to version 5.0. Earlier Linux agents cannot be upgraded.

You should note that the Solaris host migration process is a bit different than Windows and Linux migration.

Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, network connectivity is disabled and remains disabled until the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.

Upgrade Note

Newer versions of policies are not automatically attached to the auto-enrollment groups during upgrade. If you want to update the mandatory policies, you can use the CSA MC Compare tool to synchronize the existing auto-enrollment groups with the new updated auto-enrollment groups added by the upgrade.

Initiating Secure Communications

CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system.

During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself.

When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you log in. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers.

Internet Explorer: Importing the Root Certificate


Step 1 You import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and click the Import Root Certificate item. See Figure 3-15.

Step 2 Select the Open this file from its current location button and click OK.

Step 3 The certificate information box appears (see Figure 3-16). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard.

Figure 3-15 Import Root Certificate

Figure 3-16 Certificate Information

Step 4 The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue.

Step 5 From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next.

Figure 3-17 Certificate Wizard

Step 6 You've now imported your certificate for the server. Click the Finish button (Figure 3-18) to continue.

Figure 3-18 Certificate Wizard Finish Page

Step 7 Now, you must save the certificate. Click the Yes button in the Root Certificate Store box (see Figure 3-19).

Figure 3-19 Root Certificate Store Box

Step 8 You are next prompted with a confirmation box informing you that your certificate was created successfully. Lastly, the View Certificate box remains on the screen (see Figure 3-16). Since your certificate has been generated, you can click the Yes button here.


Note You must perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format.

http://<ciscoworks system hostname>:1741
For example, enter http://stormcenter:1741



Caution If you have not obtained a valid license from Cisco, when you log in to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information.

Netscape: Importing the Root Certificate


Step 1 You import the certificate from the CiscoWorks UI. From the VPN/Security Management Solution drawer, expand the Administration folder and click the Import Root Certificate item. See Figure 3-15.

Step 2 In the Downloading Certificate window, select the Trust this CA to identify web sites checkbox.

Figure 3-20 Downloading Certificate Window

Step 3 Click OK to import the certificate.


Note You should perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page without further certificate prompts.


Uninstalling Management Center for Cisco Security Agents

Uninstall the CSA MC software as follows:


Step 1 From Start>Settings>Control Panel, access the Add/Remove Programs window. Locate the CiscoWorks item and click Change/Remove.

Step 2 From the window that appears, select the appropriate checkbox to remove the Management Center for Cisco Security Agents program item and click Uninstall. This also removes the Cisco Security Agent.


Note Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system.



Caution If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to Backup the Database during the uninstall when you are prompted to do so. If you do not back up the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.)

Copying Cisco Trust Agent Installer Files

Cisco Trust Agent (CTA) is an optional application you may install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives.

If you intend to distribute CTA through an agent kit, copy your CTA installer files to the system running CSA MC.

To copy the CTA installer files, follow this procedure:


Step 1 Obtain the desired CTA installer files from Cisco Systems.


Note It is the user's responsibility to verify that they have obtained the correct CTA installer files.


Step 2 Copy the CTA installer files to the %Program Files%\CSCOpx\CSAMC50\bin\webserver\htdocs\cta_kits directory.

The default Cisco Security Agent policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action. Select the Yes radio button and click Apply. Repeat this step for every file you copy into this directory.


Note Refer to the Agent Kits section of the User Guide for information on installing the CTA files you have just copied.