Installing Management Center for Cisco Security Agents 5.2
Installing the Management Center for Cisco Security Agents



Overview

This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed.

It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC.

This section contains the following topics.

Licensing Information

Installing V5.2 and Migrating Configurations and Hosts from Previous Versions

Installation and Migration Overview

Local and Remote DB Installation Overview

Installing CSA MC with a Local Database

Installing CSA MC with a Remote Database

Installing CSA MC with a Previous Version's Database (Same System Installation)

Note for installing two CSA MCs on two separate machines

Installation Log

Accessing Management Center for Cisco Security Agents

Migration Instructions

Initiating Secure Communications

Uninstalling Management Center for Cisco Security Agents

Copying Cisco Trust Agent Installer Files

Licensing Information

The Management Center for Cisco Security Agents product CD and product download contain a license key which is automatically imported during the installation and used to operate the MC itself. If you need further license keys, before deploying Cisco Security Agents, you should obtain a license key from Cisco. To receive your license key, you must use the Product Authorization Key (PAK) label affixed to the claim certificate for CSA MC located in the separate licensing envelope.

The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can copy the license to the CSA MC directory in the following manner:

After installing CSA MC, to copy the license to the CSA MC directory, click Maintenance in the menu bar and select License Information. The License Information screen appears. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory.

Installing V5.2 and Migrating Configurations and Hosts from Previous Versions

If you have previous versions (V5.1, V5.0, V4.5.x or V4.0.3) of the product installed, installing Management Center for Cisco Security Agents 5.2 does not upgrade those previous versions. V5.2 configurations coexist with V5.1, but in some cases V5.0 and V4.x configurations must be migrated to V5.1 before they are migrated to V5.2.

If you are reusing the same hardware, you must uninstall CSA MC V5.0 and VMS from your Windows 2000 system, and then you can install 5.2 on your newly installed Windows 2003 system. Then you could migrate older V5.0.x configurations and hosts to your 5.2 MC using migration tools that are provided.

The migration procedure is more straightforward if you are not reusing the same hardware. In that case, you could install Management Center for Cisco Security Agents 5.2 on the Windows 2003 system and migrate configurations and hosts from the Management Center for Cisco Security Agents 5.0 or 4.5.x or 4.0.3 on the Windows 2000 system.

And if you are running Management Center for Cisco Security Agents 5.1 on Windows 2003, the migration is quite simple.

All migration scenarios mentioned here are detailed in this chapter.


Note Migrating from versions of the product earlier than version 4.0.3 to version 5.2 is not supported.


Installation and Migration Overview

The following scenarios for migrating to CSA MC V5.2 are supported. (See Figure 3-1 for a graphical representation of these upgrade path installation scenarios.)

Scenario 1 - Migrating V5.1 to V5.2 - Same System: You can install V5.2 on the same machine as V5.1 and the migration is done automatically.

Scenario 2 - Migrating V5.1 to V5.2 - Separate Systems: You can install V5.2 on a new machine and use the provided migration tools to move V5.1 configurations and hosts to the newly installed V5.2 system.

Scenario 3 - Migrating V5.0 to V5.1 to V5.2 - Same System: You can install V5.2 on the same machine where V5.0 resided once V5.0 and VMS are uninstalled, the database is backed up safely (if local DB) and the system is running a Windows 2003 OS. Then you can use the migration tools provided to access and migrate the backed-up V5.0 database while installing 5.1 and 5.2 MCs.

Scenario 4 - Migrating V5.0 to V5.2 - Separate Systems: You can install V5.2 on a new Windows 2003 system and use the provided migration tools to move V5.0 configurations and hosts to the newly installed V5.2 system.

Scenarios 5 and 6 - Migrating V4.5.x or 4.0.3 (4.x) to V5.2 - All: You can install V5.2 on a new Windows 2003 system and use the provided migration tools to move V4.5.x or 4.0.3 configurations and hosts to the newly installed V5.2 system. If you are running CSA MC V4.x on the same system where V5.2 will be installed, you must first upgrade to CSA MC V5.0 before you can migrate to CSA MC V5.2 using one of the previously mentioned scenarios.

Figure 3-1 Supported Migration Paths

The CSA MC V5.2 installation does not automatically upgrade or overwrite the older installations. Ultimately, the migration process will allow you to import your older configuration items into the newly installed V5.2 system. It will also allow you to migrate hosts to V5.2. After installing V5.2, it is expected that you will spend some time examining how policies and other functionality have changed between versions and you will gradually apply the V5.2 policies to the migrated hosts.


Caution For Scenario 2 in Figure 3-1, you should not uninstall V5.1 until you have migrated all agents to V5.2. Once you install V5.2, you can apply hotfixes to the old V5.1 version, but you cannot install a V5.1 version of the product once the V5.0 version is installed in a one system installation scenario.

If you do apply hotfixes to an old V5.1 version after you install V5.2, you have to manually restart the CSA MC system for both MCs to begin running again.

When you install CSA MC V5.2 on the same system as V5.1, you have multiple versions to select from on the login page. The CSA MC V5.2 installation also creates a new directory structure. Refer to the following:

Directory Paths Per Version

Cisco Systems\CSAMC\CSAMC52

Cisco Systems\CSAMC\CSAMC51

CSCOpx\CSAMC50

Local and Remote DB Installation Overview

You must have local administrator privileges on the system in question to perform the CSA MC installation. Once you've verified system requirements, you can begin the installation.


Caution After you install CSA MC, you should not change the name of the MC system. Changing the system name after the product installation will cause agent/CSA MC communication problems.

New Installation Configuration Options

For a new product install, you have three installation configuration options to consider before launching the CSA MC installation process.

You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.)

For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Express Edition (provided with the product) on the same system if you are planning to deploy no more than 1,000 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Express Edition on the system.

For a local database configuration, you also have the option of installing Microsoft SQL Server 2005 instead of using the Microsoft SQL Server Express Edition that is provided. Microsoft SQL Server Express Edition has a 4 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2005 on the same system depending on the number of agents you are deploying (see Scalable Deployments). Note that if you are using SQL Server 2005, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation.


Note If your plan is to use SQL Server 2005, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.



Note Microsoft SQL Server 2005 is the latest SQL Server database release. That is the database version that will be used for this installation section, but you should note that SQL Server 2000 is also supported at this time.


You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2005 and 2000 Remote Setup.)

Use this configuration option depending on the number of agents you are deploying (see Scalable Deployments). If you are using a separately licensed, managed, and maintained SQL Server 2005 database, SQL Server 2005 must be installed and configured on the remote system before you begin the CSA MC installation.


Caution If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.

You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2005 and 2000 Remote Setup.)

This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2005 database. SQL Server 2005 must be installed and configured on the remote system before you begin the MC installations.

Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations.


Caution If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two-MC configuration to work properly, they must both be configured to communicate with the database as though it were remote.

Installing CSA MC with a Local Database

If you are installing both CSA MC and the database to the same machine with the provided Microsoft SQL Server Express database, you should install Microsoft SQL Server Express Edition as part of the CSA MC installation. The CSA MC installation runs the Microsoft SQL Server Express installation program choosing the Microsoft SQL Server Express settings the MC needs. During the MC installation, if you want to install the database on a different system drive from the MC, the install prompts allow you to do this.

It is recommended that you install SQL Server Express via the CSA MC installer. If you install it manually, as page 11 implies you might, be aware that accepting the SQL Server Express defaults causes the subsequent CSA MC installation to fail. (See the Caution below.)


Caution Because Microsoft SQL Server Express is provided on the CD separately, you might be tempted to install it yourself manually. This is not recommended. If you install it yourself, you must select specific non-default settings for the database to work with CSA MC. Those settings are provided in another section here, see Microsoft SQL Server Express Manual Installation Settings. But again, this is not the recommended deployment.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC.

To install the CSA MC, do the following:


Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Put the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 3-2. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Figure 3-2 CSA MC Installation Welcome Screen

Step 3 After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-3.

Figure 3-3 CSA MC EULA License Agreement

Step 5 The installation checks whether the needed ports are available.

Figure 3-4 Installation Port Check

Step 6 The installation next asks if you are upgrading from a V5.0 Management Center. In this case, click No to continue. See Figure 3-5. (If you are upgrading from a V5.0 Management Center, click Yes and refer to Installing CSA MC with a Previous Version's Database (Same System Installation).)

Figure 3-5 Upgrade Question Window

Step 7 The install then begins by prompting you to select a database location. In this case, you will keep the default selection of Local Database and click the Next button. See Figure 3-6.

Figure 3-6 Database Setup Type

Step 8 If installing locally, the installation next checks to see if you have Microsoft SQL Server Express Edition installed. CSA MC uses Microsoft SQL Server Express Edition for its local configuration database. If this software is not detected, you are prompted to install it. See Figure 3-7.


Note For installations exceeding 1,000 agents, it is recommended that you install Microsoft SQL Server 2005 instead of using the Microsoft SQL Server Express Edition that is provided with the product. Refer to New Installation Configuration Options for more information. If you are using Microsoft SQL Server 2005, refer to Microsoft SQL Server 2005 and 2000 Local Installation Notes for details.



Caution On a system where CSA MC has not previously been installed, the setup program first installs Microsoft SQL Server Express Edition. If the CSA MC installation detects any other database type attached to an existing installation of Microsoft SQL Server Express Edition, the installation will abort. This database configuration is not qualified.

Figure 3-7 Install Microsoft SQL Server Express Edition Prompt

Once you click Yes, you proceed through the Microsoft SQL Server Express Edition installation. You are prompted to select a Microsoft SQL Server Express Edition install directory. The Microsoft SQL Server Express Edition installation only takes a few minutes.

Figure 3-8 SQL Server Installation Directory Selection

SQL Server Express Edition installs .NET Framework on the system and continues to perform configuration tasks (see Figure 3-9). The SQL Server Express Edition windows that appear require no user action.

Figure 3-9 SQL Server Express Edition Configuration Status Window


Note When the Microsoft SQL Server Express Edition installation finishes, the CSA MC installation automatically begins again. This time the installation detects the Microsoft SQL Server Express Edition software and proceeds.


Step 9 You are prompted to select a CSA MC directory installation path. If you would like to restore a previously backed up CSA MC database, you are prompted to restore that database at this time. Either accept the default installation path or browse to a different path to restore a database backup.

Step 10 You are next prompted to enter Administrator Name and Password information. This is the user name and password you will use to log in to CSA MC. See Figure 3-10. Enter this information and click Next.

Figure 3-10 Enter Administrator Name and Password

Step 11 You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-11). It is required that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-11 Automatic Reboot Option Prompt

You are next prompted to begin the installation. Click the Install button (see Figure 3-12).

Figure 3-12 Begin Install

The install then proceeds copying the necessary files to your system. (See Figure 3-13.) The installation process then continues. (See Figure 3-14.)

Figure 3-13 Copy Files

Figure 3-14 Installation Proceeds


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)

If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation.


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time.

Once the system reboots, you should log in to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions.

Microsoft SQL Server 2005 and 2000 Local Installation Notes


Note The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2005 (or 2000) on the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2005 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database. All instructions apply to both Microsoft SQL Server 2005 and 2000 unless otherwise specified.



Caution CSA MC supports Microsoft SQL Server 2005 with Service Pack 0, Service Pack 1, or Service Pack 2. You should note that if you install a SQL Server 2005 build that is lower than build number 2153 (released after SP1), the service "SQL Server Integration Services" will fail upon system reboot. You can manually start the service or you can upgrade to Microsoft SQL Server 2005 SP1 build number 2153 or higher.

For local database installations exceeding 1,000 agents, it is recommended that you install Microsoft SQL Server 2005 instead of using the Microsoft SQL Server Express Edition that is provided with the product. Microsoft SQL Server Express Edition has a 4 GB limit. SQL Server 2005 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.

In order for Microsoft SQL Server 2005 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2005 manual for detailed installation information.)


Note You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2005 database. If you change this, the CSA MC installation will not detect the database.


When installing Microsoft SQL Server 2005, choose the default settings except in the following instances:

In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system.

In the Services Accounts installation window, choose the Use the same account for each service radio button. In the Service Settings section, choose Use a Domain User Account. In the edit fields, enter a Username and Password for the local administrator account.

(For Microsoft SQL Server 2005 only) In the Components to Install screen, select SQL Server Database Services.

(For Microsoft SQL Server 2000 only) In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2.

(For Microsoft SQL Server 2005 only) Reboot the system.

(For Microsoft SQL Server 2000 only) Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 4. When installing the service pack, choose the default settings except in the following instances:

When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.

In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button.

In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP4 (required) checkbox.

Microsoft SQL Server Express Manual Installation Settings

Because Microsoft SQL Server Express is provided on the CD separately, during a local database MC installation, you might be tempted to install Microsoft SQL Server Express yourself manually. This is not recommended. If you install it yourself, you must select specific non-default settings for the database to work with CSA MC. Those settings are provided here. But again, this is not the recommended deployment.


Caution If you are installing both CSA MC and the database to the same machine with the provided Microsoft SQL Server Express database, you should install Microsoft SQL Server Express Edition as part of the CSA MC installation. The CSA MC installation runs the Microsoft SQL Server Express installation program choosing the Microsoft SQL Server Express settings the MC needs. During the MC installation, if you want to install the database on a different system drive from the MC, the install prompts allow you to do this.

During the Microsoft SQL Server Express manual installation, you can simply leave all the default settings except in the following cases:

Registration information dialog - UNCHECK the "Hide advanced configuration options" option.

Instance name dialog - Choose the "Default instance" option.

Service Account - Select "Use the built-in system account" and from the drop down menu, select "Local System".

Installing CSA MC with a Remote Database

If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2005 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network.


Caution It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers.


Caution It is important that the time on the database server system closely match the time on the CSA MC system. Both systems must be in the same time zone and you should make sure both times are set correctly.


Caution You must install a Cisco Security Agent on this remote database. This agent should be in the following groups: Servers-SQL Server, Servers-All types, Systems-Mission Critical, and Systems-Restricted Networking. You should install this agent after the last CSA MC has been installed and rebooted.

Microsoft SQL Server 2005 and 2000 Remote Setup


Note The following section contains overview information for setting up the Microsoft SQL Server 2005 or Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation. All instructions apply to both Microsoft SQL Server 2005 and 2000 unless otherwise specified.



Caution CSA MC supports Microsoft SQL Server 2005 with Service Pack 0, Service Pack 1, or Service Pack 2. You should note that if you install a SQL Server 2005 build that is lower than build number 2153 (released after SP1), the service "SQL Server Integration Services" will fail upon system reboot. You can manually start the service or you can upgrade to Microsoft SQL Server 2005 SP1 build number 2153 or higher.

In order to enter the requested remote database information during the CSA MC installation, you must first set up the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.)

Create an empty database.

You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)

(SQL Server 2005 - only instruction) Right-click on the server name and view Properties. On the left side of the Properties panel, click Permissions. In the table containing the logins and roles, click on the user id that has been created for CSA MC. In the explicit permissions list for the user, for the permission "View Server State", check the box for "Grant".

(SQL Server 2005 - only instruction) Under the created CSA MC database, select Schema. Create a new schema with a name that is identical to the user id and login id. Click the Search button and locate the user. Attach this user to the new schema and click OK. Return to the Users in the database. Double-click the user id and select the newly created schema as the default schema.

Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed.

Make sure that the database is configured to accept SQL Server authentication.

You also need to create a file group for the database called "analysis" and it must have at least one file attached.

More specifically, use the following procedure as a guideline:


Step 1 Right click your SQL Server. Select the Security tab and set "Authentication" to SQL Server and Windows. Then click OK.

Step 2 Stop and start SQL Server.

Step 3 Create new database "CSAMC52".

Step 4 Inside the DB properties, click Filegroups and create a new filegroup called ANALYSIS. Inside the DB properties, click Data Files and in the File Name field, type "csamcanalysis", and in the Filegroup field type "ANALYSIS". Then click OK.

Step 5 Expand the "security" + and right-click Logins. Then create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc52 database.


Note Do not click anything under "server roles".


Step 6 In the "database access" section, permit access to csamc52 and give the role of db_ddladmin. db_datareader and db_datawriter permissions must also be provided. Click OK.

Step 7 Restart the server.
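
The database setup above written as T-SQL, followed by read-only checks that the CSA MC login holds the listed rights and nothing broader. This is an added example, not part of the Cisco guide; it uses SQL Server 2005 syntax, and the login name csamc_svc, the password placeholder and the data file path are assumptions, while CSAMC52, ANALYSIS and csamcanalysis come from the steps above.

```sql
-- Added example (not from the Cisco guide). SQL Server 2005 syntax.
-- Assumed names: csamc_svc (login = user = schema), password placeholder, file path.
-- Steps 1-2 (SQL Server and Windows authentication, service restart) are done first.
USE master;
GO
CREATE DATABASE CSAMC52;
GO
ALTER DATABASE CSAMC52 ADD FILEGROUP ANALYSIS;
GO
ALTER DATABASE CSAMC52
    ADD FILE (NAME = csamcanalysis,
              FILENAME = N'D:\SQLData\csamcanalysis.ndf')  -- path is an assumption
    TO FILEGROUP ANALYSIS;
GO

-- SQL Server authentication login; no server roles are assigned.
-- Applying the English default language to the login is an assumption.
CREATE LOGIN csamc_svc
    WITH PASSWORD = N'REPLACE_WITH_STRONG_PASSWORD',       -- placeholder
         DEFAULT_DATABASE = CSAMC52,
         DEFAULT_LANGUAGE = us_english,
         CHECK_POLICY = ON;
GO
GRANT VIEW SERVER STATE TO csamc_svc;                      -- SQL Server 2005 only
GO

USE CSAMC52;
GO
CREATE USER csamc_svc FOR LOGIN csamc_svc;                 -- user ID identical to login ID
GO
CREATE SCHEMA csamc_svc AUTHORIZATION csamc_svc;           -- schema named after the user
GO
ALTER USER csamc_svc WITH DEFAULT_SCHEMA = csamc_svc;
GO
EXEC sp_addrolemember N'db_ddladmin',   N'csamc_svc';
EXEC sp_addrolemember N'db_datareader', N'csamc_svc';
EXEC sp_addrolemember N'db_datawriter', N'csamc_svc';
GO

-- ---------- Read-only checks, run before starting the CSA MC installer ----------

-- 0 = SQL Server and Windows authentication; 1 = Windows only (SQL login cannot connect).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- SQL Server 2005 reports 9.00.<build>; the Caution above concerns builds below 2153.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       CAST(PARSENAME(CAST(SERVERPROPERTY('ProductVersion') AS varchar(32)), 2) AS int)
           AS build_number;

-- Expect exactly three rows: db_datareader, db_datawriter, db_ddladmin.
-- A db_owner row means the account has more than the guide requires.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'csamc_svc'
ORDER BY r.name;

-- Expect 0: the login must not hold a server role.
SELECT IS_SRVROLEMEMBER('sysadmin', 'csamc_svc') AS is_sysadmin;

-- Server-level permissions: expect CONNECT SQL and VIEW SERVER STATE, both GRANT.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS l ON l.principal_id = p.grantee_principal_id
WHERE l.name = N'csamc_svc';

-- Default database, language and schema.
SELECT name, default_database_name, default_language_name
FROM sys.server_principals
WHERE name = N'csamc_svc';

SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = N'csamc_svc';

-- The ANALYSIS filegroup must exist with at least one file attached
-- (a NULL logical_file means the filegroup is empty).
SELECT fg.name AS filegroup_name, f.name AS logical_file
FROM sys.filegroups AS fg
LEFT JOIN sys.database_files AS f ON f.data_space_id = fg.data_space_id
WHERE fg.name = N'ANALYSIS';
```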

Once this is configured, you can begin the CSA MC installation.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following:


Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Put the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Step 3 The Management Center for Cisco Security Agents appears. After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-15.

Figure 3-15 CSA MC EULA License Agreement

Step 5 The installation asks if you are upgrading from a V5.0 Management Center. In this case, click No to continue. See Figure 3-16. (If you are upgrading from a V5.0 Management Center, click Yes and refer to Installing CSA MC with a Previous Version's Database (Same System Installation).)

Figure 3-16 Upgrade Question Window

Step 6 The install begins by prompting you to choose a database setup type. In this case, you will select the Remote Database radio button and click the Next button.

When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 3-17):

Name of the server

Name of the database

Login ID

Password

Figure 3-17 Remote Database Information

Step 7 Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not set up correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds.

Step 8 You are next prompted to select a CSA MC directory installation path. Either accept the default installation path or browse to a different path.

Figure 3-18 Installation Directory

Step 9 You are next prompted to enter Administrator Name and Password information. This is the user name and password you will use to log in to CSA MC. See Figure 3-19. Enter this information and click Next.

Figure 3-19 Enter Administrator Name and Password

You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 3-20). It is recommended that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 3-20 Automatic Reboot Option Prompt

You are next prompted to begin the installation. Click the Install button. (See Figure 3-21.)

Figure 3-21 Begin Install

The install then proceeds copying the necessary files to your system (see Figure 3-22).

Figure 3-22 Copy Files

Once the copying is complete, the installation begins configuration and setup tasks. See Figure 3-23.

Figure 3-23 Installation Proceeds


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time.

Once the system reboots, you should log in to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See the User Guide for license import instructions.

Installing CSA MC with a Previous Version's Database (Same System Installation)

This section addresses the procedure for backing up and importing a 5.0 database as part of a CSA MC V5.2 same system installation (Scenarios 3 and 5 in Figure 3-1).

In order to perform this type of migration you must install a V5.1 MC along with the V5.2 MC. You must use V5.1 to migrate your V5.0 hosts and data to the V5.2 product schema. V5.1 is provided as an interim tool for bringing all your data into V5.2 correctly. The V5.2 installation installs both MCs, first 5.1 and then 5.2, with one reboot at the end.


Note If you are migrating from CSA MC V4.x in a same system installation scenario, you must first upgrade to CSA MC V5.0. Refer to the CSA MC V5.0 Installation Guide for that procedure. Once you've completed that upgrade, you can use the following procedure.



Step 1 Uninstall CSA MC V5.0 per the instructions in your CSA MC V5.0 Installation Guide. (If V5.0 uses a local database, during the CSA MC V5.0 uninstall procedure, when prompted, make sure to select to back up the database. When the uninstall completes, move the backed-up database to a different, network accessible system.)

Step 2 Re-install that same system with the Windows 2003 R2 operating system.

Install CSA MC V5.2 as follows:

Step 3 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 4 Place the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 3-24. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Figure 3-24 CSA MC Installation Welcome Screen

Step 5 After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 6 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 3-25.

Figure 3-25 CSA MC EULA License Agreement

Step 7 The installation asks if you are upgrading from a V5.0 Management Center. In this case, click Yes to continue. See Figure 3-26.

Figure 3-26 Upgrade Question Window

Step 8 Select whether your V5.0 installation used a local or a remote database. See Figure 3-27.

Figure 3-27 Select V5.0 Database Type

Step 9 If you select Local Database, you are next asked to browse to the location of the backed-up V5.0 database. Once you've located the database, click Next to continue. See Figure 3-28.

If you select Remote Database, you are asked to enter data for accessing the remote database. This remote database entry screen is the same as Figure 3-17.

Figure 3-28 Browse to Backed-up V5.0 Database

Step 10 Once the V5.0 local or remote database is located, the installation will proceed to install CSA MC V5.1.

Step 11 You must create a user name and password to log in to CSA MC V5.1. See Figure 3-29. (You will later create another user and password for CSA MC V5.2.)

Figure 3-29 Username and Password Creation for V5.1

From here, you can continue by following the procedures detailed in Installing CSA MC with a Local Database or Installing CSA MC with a Remote Database, depending on how you are installing the product. As stated earlier, the installation proceeds by first installing V5.1 and then directly beginning the V5.2 installation, with one reboot at the end of the procedure. For both the V5.1 and V5.2 installations, you must select a database type and set up usernames and passwords as explained in the procedures referenced above.

Note for installing two CSA MCs on two separate machines

If you are installing two CSA MCs using one remote database, repeat the steps detailed in this section, entering the same remote database information for the second MC.


Caution When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.


Caution In a distributed MC environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs and restarted later.

Installation Log

The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the \CSAMC52\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install.


Note The installation of the agent produces a similar file called "CSAgent-Install.log", located in the Cisco Systems\CSAgent\log directory on agent host systems.


Accessing Management Center for Cisco Security Agents

When the installation has completed and you've rebooted the system, a Management Center for Cisco Security Agents [version number] shortcut icon is placed on your desktop. Double-clicking this icon launches the MC in your default browser.

Local Access

To access CSA MC locally on the system hosting the CSA MC software:

Double-click the shortcut icon added to your desktop during the installation. This launches the management console login screen in your default browser.


Note See Initiating Secure Communications if you cannot connect to CSA MC.


Remote Access

To access CSA MC from a remote location,

Launch a browser application on the remote host and enter the following:

      http://<management center system hostname>.<domain>

in the Address or Location field (depending on the browser you're using) to access the Login view.

For example, enter http://stormcenter.cisco.com


Note In this example, CSA MC is installed on a host system with the name stormcenter.


Figure 3-30 CSA MC Login Window

Migration Instructions

The following section contains information for migrating to CSA MC V5.2 from a previous version installed on the same system as CSA MC V5.2 and for a previous version installed on a separate machine. Both scenarios are covered here.


Note If you install 5.2 on the same system where you have 5.1 installed, the majority of this migration is done automatically.


If you intend to migrate 5.1 Solaris agents, please read Solaris and Linux Agent Migration before starting your upgrade.

To migrate to V5.2, do the following:


Step 1 Install the Management Center for Cisco Security Agents V5.2. See previous sections for instructions.

If you're installing CSA MC V5.2 on the same machine running CSA MC V5.1, an xml file containing V5.1 configuration items and several .dat files containing host information are automatically generated by the installation and ready for importing once the install is complete.

If you're installing CSA MC V5.2 on a different machine from the system running V5.x or V4.x, after installing V5.2, you must copy and manually run an executable file on the V5.x or V4.x machine to create the xml and dat files needed for importing V5.x or V4.x configurations and host information to V5.2.

Step 2 If you have installed V5.2 on the same machine as V5.1, you can skip to the end of Step 6. Otherwise, once you've installed CSA MC V5.2 and rebooted the system, navigate to the CSAMC\CSAMC52\migration directory. Copy the appropriate file (named prepare_<version>_migration.exe depending on the version you're migrating from, for example prepare_50_migration.exe) to your V5.x or V4.x system. (You can copy it to any place on the system.)

Step 3 On your V5.x or V4.x system, disable agent security and run the prepare_<version>_migration.exe file that you copied from the V5.2 system. (You must disable security in order to run the executable file and create the import xml data.) This launches a command prompt which displays the progress of the migration.

Step 4 When the prepare_<version>_migration.exe file is finished, on the V5.x or V4.x system, navigate to the Cisco Systems\CSAMC\CSAMC51\migration\export or CSCOpx\CSAMC50\migration\export directory (again, the directory name depends on the version you're migrating from) and locate several newly created files. Your configuration data is now in a file named migration_data_export.xml. Your host data (hosts and distinct host groupings) is now in several files, depending on how many distinct host groupings existed, named migration_host_data<number>.dat.

Using the data that is now wrapped up in these files allows you to import your existing policy configurations and your current host groupings, thereby preserving the policy tuning and host group configurations for your new V5.2 installation.

Step 5 Next you copy the migration_data_export.xml file and all the migration_host_data<number>.dat files from the V5.x or V4.x system to your V5.2 system. These files must exist together in the same directory on the V5.2 system (although the directory name and location do not matter).

Step 6 Then from the V5.2 system, run the webmgr import utility from a command prompt to pull the data into the new MC. You cannot use the CSA MC UI Import utility to do this. That utility does not allow you to import the .dat files that are associated with the .xml file as one grouping.

From a command prompt window on the V5.2 system, cd to the directory in the following example and run the command as follows:

 
%system%Cisco Systems\CSAMC\CSAMC52\bin>webmgr import %path_to_xml_file%\migration_data_export.xml

Because the host .dat files are associated with the .xml file, this command imports both the configuration and host data with the migration_data_export.xml file.

Step 7 You must generate rules once the import is complete. If you do not generate rules at this point, you cannot upgrade agent host software as described in the next section.


Note CSA MC V5.2 ships with policies that contain new V5.2 functionality. This new functionality does not match all V5.x or V4.x configurations. CSA MC configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators. When you import your older configuration, new V5.2 items are not overwritten. You will likely have items from both versions in your CSA MC V5.2. If the import process finds that two items have the exact same contents and the only difference is the V5.2 appended name field, the older item is not imported and the newer V5.2 item is used in its place.


Step 8 To upgrade migrated V5.x or V4.x agents to V5.2, schedule V5.2 software updates for older agents. You schedule this upgrade from the V5.x or V4.x system. (Running the prepare_<version>_migration.exe file placed a V5.2 software update on the V5.x or V4.x machine.)

Once the older agents receive the scheduled software update, they will point to and register with the new CSA MC V5.2. The update contains the appropriate new certificates to allow this to occur. Once hosts register with V5.2, they will be associated with the correct groups based on the host migration that you performed earlier.


Note Agent kits are configuration items that do not migrate to the new version. Because host migration does not relate to agent kits, old agent kits are not considered to be necessary migration items.

Also, configuration items that are not used (not attached to anything) do not migrate to the new version.



Caution When upgrading V5.x or V4.x agents to software version 5.2, the upgrade program disables the system network interfaces to ensure a secure upgrade process. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled. (Note that secure upgrades are not supported for Windows NT systems.)

Once you have migrated all old agents to the newer version, you can uninstall the old version of CSA MC. See Uninstalling Management Center for Cisco Security Agents.
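A pre-import check for Steps 5 and 6, as an added example that is not part of the Cisco procedure: it hashes the export files on the old MC and confirms on the V5.2 system that the same files sit together in one directory, unmodified, before webmgr import is run. The function names, the manifest and the assumption that <number> is a run of decimal digits are illustrative, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CONFIG_FILE = "migration_data_export.xml"
# Assumption: <number> in migration_host_data<number>.dat is decimal digits.
HOST_DATA = re.compile(r"migration_host_data\d+\.dat")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bundle_names(directory: Path) -> list:
    """Names in `directory` that belong to a migration export."""
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file()
                  and (p.name == CONFIG_FILE or HOST_DATA.fullmatch(p.name)))


def build_manifest(export_dir: Path) -> dict:
    """On the old MC: record a SHA-256 for the XML file and each .dat file."""
    return {name: sha256_file(export_dir / name)
            for name in bundle_names(export_dir)}


def check_bundle(import_dir: Path, manifest: dict) -> list:
    """On the V5.2 MC, before 'webmgr import': list every problem found."""
    problems = []
    if CONFIG_FILE not in manifest:
        problems.append(f"manifest has no {CONFIG_FILE}")
    for name, expected in sorted(manifest.items()):
        path = import_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {name}")
    for name in bundle_names(import_dir):
        if name not in manifest:
            problems.append(f"not in manifest: {name}")
    return problems


def demo() -> tuple:
    """Constructed placeholder files, not real CSA MC exports."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "old_mc"), Path(tmp, "new_mc")
        old.mkdir()
        new.mkdir()
        samples = {CONFIG_FILE: b"<export/>",
                   "migration_host_data1.dat": b"group-1",
                   "migration_host_data2.dat": b"group-2"}
        for name, data in samples.items():
            (old / name).write_bytes(data)
            (new / name).write_bytes(data)      # faithful copy
        manifest = build_manifest(old)
        clean = check_bundle(new, manifest)
        (new / "migration_host_data1.dat").unlink()             # lost in transit
        (new / "migration_host_data2.dat").write_bytes(b"gro")  # truncated
        return clean, check_bundle(new, manifest)


if __name__ == "__main__":
    print(demo())
```

An empty list from check_bundle means the directory holds exactly the files that were exported; anything else should be resolved before the import is run.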

Solaris and Linux Agent Migration


Caution Solaris agent versions 4.0.3.736 and any 4.5 or 4.5.1 can be upgraded to version 5.2. Earlier Solaris agents cannot be upgraded.

Only Linux agent version 4.5.1.638 and above can be upgraded to version 5.2. Earlier Linux agents cannot be upgraded.

You should note that the Solaris host migration process is a bit different than Windows and Linux migration.

Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, network connectivity is disabled and remains disabled until the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.

Upgrade Note

Newer versions of policies are not automatically attached to the auto-enrollment groups during upgrade. If you want to update the mandatory policies, you can use the CSA MC Compare tool to synchronize the existing auto-enrollment groups with the new updated auto-enrollment groups added by the upgrade.

Initiating Secure Communications

CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system.

During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself.

When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you log in. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers.

Internet Explorer: Importing the Root Certificate


Note If you are using Internet Explorer 7.0, you see an "Invalid Certificate" screen when you first attempt to open a CSA MC browser window. See the end of this section for further information.



Step 1 You import the certificate from the CSA MC login window. Click the Get root certificate link. See Figure 3-30.

Step 2 Select the Open (this file from its current location) button and click OK.

Step 3 The certificate information box appears (see Figure 3-31). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard.

Figure 3-31 Certificate Information

Step 4 The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue.

Step 5 From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next.

Figure 3-32 Certificate Wizard

Step 6 You've now imported your certificate for the server. Click the Finish button (Figure 3-33) to continue.

Figure 3-33 Certificate Wizard Finish Page

Step 7 Now, you must save the certificate. Click the Yes button in the Root Certificate Store box.

Step 8 You are next prompted with a confirmation box informing you that your certificate was created successfully.


Note You must perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format.

      http://<management center system hostname>.<domain>

For example, enter http://stormcenter.cisco.com



Caution If you have not obtained a valid license from Cisco, when you log in to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information.

Internet Explorer 7.0: Importing the Root Certificate

If you are using Internet Explorer 7.0, you see an "Invalid Certificate" screen when you first attempt to open a CSA MC browser window. When that screen appears, click the Continue to this website (not recommended) link (see Figure 3-34). Then you can continue by following the instructions in Internet Explorer: Importing the Root Certificate.

You will only see this screen the first time you access the CSA MC browser in IE 7.0. Once you follow the instructions and import the root certificate, the screen should not appear again.

Figure 3-34 Internet Explorer 7.0 Certificate Screen
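The root certificate is accepted on first contact, so it is worth confirming that the file offered by the Get root certificate link is the one CSA MC generated before you import it. The following added example (not Cisco's code) compares the SHA-256 fingerprint of the downloaded certificate with a reference value read on the MC host itself; the function names, the choice of SHA-256 and the way the reference value is obtained are assumptions, and the sample bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a certificate file.

    Accepts PEM or DER, because the page does not say which encoding the
    "Get root certificate" link serves.
    """
    match = PEM_BLOCK.search(cert_bytes)
    if match:
        body = b"".join(match.group(1).split())   # drop line breaks
        der = base64.b64decode(body, validate=True)
    else:
        der = cert_bytes
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return 64 lowercase digits."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def root_cert_matches(cert_bytes: bytes, reference: str) -> bool:
    """True only if the downloaded file hashes to the reference value."""
    return hmac.compare_digest(cert_fingerprint(cert_bytes),
                               normalize_fingerprint(reference))


# Constructed sample: placeholder bytes standing in for a DER certificate.
# Fingerprinting hashes the bytes as-is, so no real certificate is needed.
SAMPLE_DER = bytes(range(48, 112))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def demo() -> tuple:
    # Reference value as an administrator might read it on the MC host
    # (assumed to be obtained over a trusted path, in colon-separated form).
    reference = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())
    swapped = SAMPLE_DER[:-1] + b"\x00"     # a different certificate
    return (root_cert_matches(SAMPLE_PEM, reference),
            root_cert_matches(swapped, reference))


if __name__ == "__main__":
    print(demo())
```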

Uninstalling Management Center for Cisco Security Agents

Uninstall the CSA MC software as follows:


Step 1 Click the uninstall CSA MC option on the system from Start>All Programs>Cisco Systems>Uninstall Management Center for Cisco Security Agents. This launches the uninstall program.

You must respond to uninstall confirmation and database back-up prompts during the uninstall process. The CSA MC uninstall also removes the Cisco Security Agent on the MC system.


Note Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system.



Caution If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to back up the database during the uninstall when you are prompted to do so. If you do not back up the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.)

Copying Cisco Trust Agent Installer Files

Cisco Trust Agent (CTA) is an optional application you may install as part of an agent kit. The goal of bundling CTA in an agent kit is to facilitate the distribution of CTA. CTA is a separate application from CSA and has its own security objectives.

If you intend to distribute CTA through an agent kit, copy your CTA installer files to the system running CSA MC.


Note Distribution of CTA through agent kits is only supported for Windows versions of CTA.


To copy the CTA installer files, follow this procedure:


Step 1 Obtain the desired CTA installer files from Cisco Systems.


Caution If you are intending to install CTA version 2.1 or later, you must extract an .msi installer file from the initial CtaAdminEx-xxx-xxx**.exe file you receive. If you copy the .exe file itself to CSA MC, the CTA installation will fail. Simply double-click the CtaAdminEx-xxx-xxx**.exe file and agree to the EULA (license) to extract the ctasetup-xxx-xxx.msi file. It is this msi file that you copy to the CSA MC system.


Note It is the user's responsibility to verify that they have obtained the correct CTA installer files.


Step 2 Copy the CTA installer files to the %Program Files%\CSAMC52\bin\webserver\htdocs\cta_kits directory.

The default Cisco Security Agent policies protect this directory. When you copy the files into the directory, CSA prompts you to determine if you want to allow the action. Select the Yes radio button and click Apply. Repeat this step for every file you copy into this directory.


Note Refer to the Agent Kits section of the User Guide for information on installing the CTA files you have just copied.