Installing Management Center for Cisco Security Agents 6.0.1

Installing the Management Center for Cisco Security Agents


Overview

This chapter provides instructions for installing CSA MC. Once you have reviewed the preliminary information outlined in the previous chapter, you are ready to proceed.

It is through CSA MC that you create agent installation kits. The tools for creating agent kits are installed as part of CSA MC.

This chapter contains the following topics:

Licensing Information

PAK Certificates

License Types

License File Contents

Managing and Troubleshooting Licenses

Uploading a License

File Integrity Check Instructions

File Integrity Check on Downloaded CSA Software

File Integrity Check on CSA Software Delivered on CD

Upgrading from CSA V6.0 to CSA V6.0.1

Migrating Configurations and Hosts to CSA V6.0.1 from CSA V5.2 and Earlier

Upgrade and Migration Scenarios

Overview of Installing CSA MC with Local and Remote DB

New Installation Configuration Options

Installing CSA MC with a Local Database

Installing CSA MC with a Remote Database

Information for Installing Multiple CSA MCs on Separate Systems

Installing CSA MC with a Previous Version's Database (Same System Installation)

Installation Log

Accessing Management Center for Cisco Security Agents

Local Access

Remote Access

Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1

Upgrading CSA MC with a Local or Remote Database from CSA V6.0 to V6.0.1

Upgrading Multiple CSA MCs with a Remote Database from CSA V6.0 to V6.0.1

Migration Instructions

Initiating Secure Communications

Uninstalling Management Center for Cisco Security Agents

Hotfix Information

Licensing Information

Management Center for Cisco Security Agents (CSA MC) ships with a preliminary license (csamc.lic) that is automatically imported during the CSA MC installation process. (Note that this is not the formal product license that you will eventually use.) This license is for the CSA MC itself; it allows the CSA MC to be installed, regardless of additional licenses, with at least one agent to protect it. (While you are waiting to receive the combination of PAK information and licensing information from Cisco Systems, you can install the product with this initial license, intending to copy the formal license at a later time.) See License Types for more information.

The information contained in your CSA MC license includes the number of server-agent licenses that have been allotted to you. When you receive your license from Cisco, you should copy it to the system to which you are installing CSA MC (or to a file share accessible from the CSA MC system). Then you can upload the licenses you need for your enterprise. See Uploading a License for more information.

PAK Certificates

PAK certificates will be delivered in packages separate from the software, often arriving in multiple packages. It is strongly suggested that you wait until you have received all packages (software and certificates) before registering the PAK numbers at the link below. Often, certificates arrive before software. Once you register the PAK numbers, you will then be emailed the license file(s).

When you receive your PAK information via email or mail, you can register the files at the following URL. You must have a CCO account to reach this URL:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet


Note If you have further licensing questions or are having trouble with your license, refer to the Managing and Troubleshooting Licenses section at the end of this document.


License Types

There are several separate and distinct licenses for the CSA product:

A license for the Management Console (CSA MC). This license enables the core functionality of CSA MC along with signature-based and behavior-based AntiVirus functionality and content-scanning.

A license for server platforms. This includes all supported Windows, Solaris, and Linux server platforms.

A license for workstation platforms. This includes all supported Windows and Linux desktop platforms.

A license for the Cisco Security Agent Analysis (formerly known as "Profiler"). For more information on CSA Analysis, see the chapter on CSA Analysis in the Using Management Center for Cisco Security Agents manual.

A license for Data Loss Prevention. The Data Loss Prevention (DLP) feature is available for Windows desktop platforms only. In order for data scanning rules to be distributed to a host, CSA requires a DLP license key in addition to the standard CSA desktop host key.

DLP licenses are named DLP Desktop Agent Upgrade and are available in bundles between 25 and 10,000 seats.

See Uploading a License for more information about uploading licenses. See the Data Loss Prevention chapter in the Using Management Center for Cisco Security Agents manual for more information about this feature.

License File Contents

The license for each product can arrive in a single *.lic file or in multiple *.lic files. The following is an example of the contents of an evaluation *.lic file. (Notice that all 4 items listed above are referenced in this single file.)

INCREMENT managementcenter cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=1 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>1</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=BEE0095EFC0A
INCREMENT serveragent cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=10 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>2</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=8E5A416A0C3C
INCREMENT desktopagent cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=25 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>3</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=8282418012F8
INCREMENT profiler cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=1 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>4</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=EB0183B81748

Notice that the license is for a particular part of the product, indicated by the first line of each license. For example:

"INCREMENT managementcenter. . ." is the license for the CSA MC.
"INCREMENT serveragent. . ." is the license for servers.

The number of seats is referenced in the "Count=x" part of the license.

Each of the licenses can arrive in a single file as well. So, for example, you can receive a *.lic file containing this information:

INCREMENT serveragent cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=10 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>2</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=8E5A416A0C3C

This example license is only for 10 server licenses and nothing else. Usually this kind of license arrives when you order additional seats for servers or desktops for a particular operating system.
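The license layout described above can be read programmatically to build a per-type seat inventory without ever modifying a *.lic file. This is an added example, not Cisco code: the sample text is constructed from the evaluation license shown above, and the field positions, the summing of seats per license type, and the function names are assumptions of this example.

```python
import re
from datetime import date

# Constructed sample, modelled on the evaluation license shown above
# (three of its four INCREMENT entries).
SAMPLE_LIC = r'''INCREMENT managementcenter cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=1 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>1</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=BEE0095EFC0A
INCREMENT serveragent cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=10 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>2</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=8E5A416A0C3C
INCREMENT desktopagent cisco 1 09-apr-2005 uncounted \
    VENDOR_STRING=Count=25 HOSTID=ANY ISSUER="Cisco Systems, Inc." \
    NOTICE="<LicFileID>20050310082639273</LicFileID><LicLineID>3</LicLineID> \
    <PAK></PAK>" TS_OK SIGN=8282418012F8
'''

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# A token is a run of non-space characters in which "quoted text" may
# contain spaces, e.g. ISSUER="Cisco Systems, Inc."
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_expiry(text):
    """Return a date for 'dd-mmm-yyyy', or None if the field has another form."""
    m = re.fullmatch(r"(\d{1,2})-([a-z]{3})-(\d{4})", text.lower())
    if not m or m.group(2) not in MONTHS:
        return None
    try:
        return date(int(m.group(3)), MONTHS[m.group(2)], int(m.group(1)))
    except ValueError:  # e.g. 31-feb-2005
        return None


def parse_license(text):
    """Parse INCREMENT entries from license text. Read-only: nothing is rewritten."""
    # Join backslash-continued physical lines into one logical line per entry.
    logical = re.sub(r"\\[ \t]*\r?\n[ \t]*", " ", text)
    entries = []
    for line in logical.splitlines():
        tokens = TOKEN_RE.findall(line)
        if len(tokens) < 6 or tokens[0] != "INCREMENT":
            continue
        # Assumed field order, as in the sample:
        # INCREMENT <feature> <vendor> <version> <expiry> <count-field> <options...>
        options = {}
        for tok in tokens[6:]:
            key, sep, value = tok.partition("=")
            options[key] = value.strip('"') if sep else True
        seats = re.fullmatch(r"Count=(\d+)", str(options.get("VENDOR_STRING", "")))
        entries.append({
            "feature": tokens[1],
            "vendor": tokens[2],
            "version": tokens[3],
            "expires": parse_expiry(tokens[4]),
            "seats": int(seats.group(1)) if seats else None,
            "sign": options.get("SIGN"),
        })
    return entries


def seat_inventory(entries, today):
    """Total seats per license type, skipping entries that expired before today.

    Assumptions: seats from several entries of the same type add up, and an
    entry whose expiry field is not a dd-mmm-yyyy date is counted.
    """
    totals = {}
    for entry in entries:
        if entry["seats"] is None:
            continue
        if entry["expires"] is not None and entry["expires"] < today:
            continue
        totals[entry["feature"]] = totals.get(entry["feature"], 0) + entry["seats"]
    return totals


if __name__ == "__main__":
    parsed = parse_license(SAMPLE_LIC)
    for entry in parsed:
        print(entry["feature"], entry["seats"], entry["expires"])
    print(seat_inventory(parsed, date(2005, 4, 1)))
```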

Managing and Troubleshooting Licenses

All license files are stored in this directory on the CSA MC:
Program Files\Cisco\CSAMC\CSAMC<version #>\cfg

Rename license files that you receive from Cisco to have a more descriptive name. For example, you may get a license called 123456789.lic. Rename that to reflect the contents of the license (e.g. server_100.lic). This will help you keep a quick-glance inventory of each license type and seat count.

Never upload a license file that contains "CORE" in its title. This is not a CSA license and might cause system instability.

Never edit the contents of the license file itself (though the name of the *.lic file itself is editable). It may look like a straight text file but any changes in the contents of the license file itself will render it invalid.

Always remove or rename the license file stored in the
Program Files\Cisco\CSAMC\CSAMC<version #>\cfg directory of your CSA MC machines before attempting to reload the file. (You may have multiple CSA MC machines; remove or rename the files on all of them.)

If you are having licensing issues, try to re-upload the licenses prior to contacting Cisco TAC. This means you should:

Stop the CSA MC HTTP Server service on your CSA MC machine(s).

Rename or delete all the *.lic files located in
Program Files\Cisco\CSAMC\CSAMC<version #>\cfg

Start the MC service.

Upload the license(s), starting with the CSA MC license or the license that contains the CSA MC license first, via the CSA MC GUI. (Go to the Home page and click Update License Information.)

Uploading a License

Proceed with the installation of CSA MC first and then upload additional licenses for servers and desktops. You may use either of these methods to upload agent licenses.

Using the Home Page

You can upload licenses from the Home page in either Simple or Advanced Mode:


Step 1 Log in to the CSA MC as an administrator with "configure" privileges.

Step 2 Click Home to view the Home page.

Step 3 In the Maintenance area, click Update License Information.

Step 4 In the Update License Information pop-up, browse to the license file by clicking the Browse button.

Step 5 Once the license file is located, click the Upload button to copy the file into the CSA MC directory. You do not need to generate rules after uploading a license.

Using the Maintenance Menu

You can also upload licenses from choices in the Maintenance menu. This is available to users of Advanced Mode only.


Step 1 Log in to the CSA MC as an administrator with "configure" privileges.

Step 2 Mouse over Maintenance in the menu bar and select License Information.

Step 3 In the Update License Information area, browse to the license file by clicking the Browse button.

Step 4 Once the license file is located, click the Upload button to copy the file into the CSA MC directory. You do not need to generate rules after uploading a license.

File Integrity Check Instructions

You can perform an integrity check on the files provided with this release of Management Center for Cisco Security Agents. The file integrity check ensures that the CSA kit you downloaded from Cisco.com, or that was delivered to you on a CD, is authentic.

File Integrity Check on Downloaded CSA Software


Step 1 Download CSA software from Cisco.com and save the file locally.

Step 2 Extract the contents of the zip file to its own directory.

Step 3 View the contents of the directory in Windows Explorer. Among the files extracted is a file named cisco_V#_verify_digests.exe where # stands for the CSA version number. For example, the file could be named cisco_V6.0.1.90_verify_digests.exe.

Step 4 Double-click cisco_V#_verify_digests.exe. The pre-computed MD5 values of the files contained in the kit are displayed in a command prompt window.

Step 5 At the Enter kit directory [.] : prompt, press Enter.

If the hash computed by cisco_V#_verify_digests.exe is the same as that displayed in the previous step, the file is authentic and the output for the file is "OK". See Example 2-1 for an example of this output.

If the hash computed by cisco_V#_verify_digests.exe is different than that displayed in the previous step, the file may not be authentic and the output for the file is "failure". See Example 2-2 for an example of this output.


Note If you receive a "failure" message, try downloading the CSA software again and re-running the cisco_V#_verify_digests.exe application. If you still receive a failure message, contact Cisco Technical Services.


File Integrity Check on CSA Software Delivered on CD


Step 1 Insert the CSA software CD into the CD drive.

Step 2 View the contents of the CSA software CD in Windows Explorer. Among the files is a file named cisco_V#_verify_digests.exe where # stands for the version number. For example, the file could be named cisco_V6.0.1.90_verify_digests.exe.

Step 3 Double-click cisco_V#_verify_digests.exe. The pre-computed MD5 values of the files contained in the kit are displayed in a command prompt window.

Step 4 At the Enter kit directory [.] : prompt, enter the drive letter for the CD drive, followed by a colon, and press Enter. For example, if the CD drive is assigned letter D, enter D: and press Enter.

If the hash computed by cisco_V#_verify_digests.exe is the same as that displayed in the previous step, the file is authentic and the output for the file is "OK". See Example 2-1 for an example of this output.

If the hash computed by cisco_V#_verify_digests.exe is different than that displayed in the previous step, the file may not be authentic and the output for the file is "failure". See Example 2-2 for an example of this output.


Note If you receive a "failure" message, contact Cisco Technical Services.


Example 2-1 Successful authentication of files output from cisco_v#_verify_digests.exe

Enter kit directory [.] :

Verifying kit files in directory '.'...
Autorun.inf                             : ok
Documentation\CSAMC_InstallGuide.pdf    : ok
Documentation\CSAMC_ReleaseNotes.pdf    : ok
Documentation\CSAMC_UserGuide.pdf       : ok
DotNet\NetFx20SP1_x86.exe               : ok
OpenSource\clamav\ClamAVsrc-0.93.zip    : ok
OpenSource\clamav\csaclamutil.zip       : ok
OpenSource\clamav\GMPsrc-4.1.zip        : ok
OpenSource\reports\itext-src-1.3.1.tar.gz: ok
OpenSource\reports\jasperreports-1.3.1.tar.gz: ok
OpenSource\reports\jfreechart-1.0.5.tar.gz: ok
OpenSource\reports\jtds-1.2-dist.tar.gz : ok
OpenSource\reports\jtds-1.2-src.tar.gz  : ok
setup.exe                               : ok
SQL\setup.bat                           : ok
SQL\SQLExpr32.exe                       : ok
v51\v51setup.exe                        : ok


Num of files in built kit           = 17
Num of files in this  kit, Verified = 17
All files in this kit were verified succesfully!

Example 2-2 Failed authentication of files output from cisco_v#_verify_digests.exe

Enter kit directory [.] :

Verifying kit files in directory '.'...
Autorun.inf                             : ok
Documentation\CSAMC_InstallGuide.pdf    : ok
Documentation\CSAMC_ReleaseNotes.pdf    : ok
Documentation\CSAMC_UserGuide.pdf       : failure
DotNet\NetFx20SP1_x86.exe               : ok
OpenSource\clamav\ClamAVsrc-0.93.zip    : ok
OpenSource\clamav\csaclamutil.zip       : ok
OpenSource\clamav\GMPsrc-4.1.zip        : ok
OpenSource\reports\itext-src-1.3.1.tar.gz: ok
OpenSource\reports\jasperreports-1.3.1.tar.gz: ok
OpenSource\reports\jfreechart-1.0.5.tar.gz: ok
OpenSource\reports\jtds-1.2-dist.tar.gz : ok
OpenSource\reports\jtds-1.2-src.tar.gz  : ok
setup.exe                               : ok
SQL\setup.bat                           : ok
SQL\SQLExpr32.exe                       : ok
v51\v51setup.exe                        : ok


Num of files in built kit           = 17
Num of files in this  kit, Verified = 16
Not all files in this kit were verified. Please check list above.
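
When kit verification is part of a change-control process, the output of cisco_V#_verify_digests.exe can be checked mechanically rather than by eye. The following added example (not part of the Cisco kit) parses a saved transcript in the format of Examples 2-1 and 2-2 and rejects the kit on any "failure" line, on a count mismatch, or on a transcript whose summary is missing; the transcript is constructed and the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed transcript in the format of Example 2-2, shortened to five files.
SAMPLE_TRANSCRIPT = r"""Enter kit directory [.] :

Verifying kit files in directory '.'...
Autorun.inf                             : ok
Documentation\CSAMC_UserGuide.pdf       : failure
OpenSource\reports\itext-src-1.3.1.tar.gz: ok
setup.exe                               : ok
SQL\SQLExpr32.exe                       : ok


Num of files in built kit           = 5
Num of files in this  kit, Verified = 4
Not all files in this kit were verified. Please check list above.
"""

# "<path> : ok" or "<path>: failure"; the path itself may contain a colon.
RESULT_RE = re.compile(r"^(?P<path>.+?)\s*:\s*(?P<status>ok|failure)$")
BUILT_RE = re.compile(r"^Num of files in built kit\s*=\s*(\d+)$")
VERIFIED_RE = re.compile(r"^Num of files in this\s+kit, Verified\s*=\s*(\d+)$")


@dataclass
class KitReport:
    results: Dict[str, str] = field(default_factory=dict)  # path -> status
    built: Optional[int] = None      # files the kit was built with
    verified: Optional[int] = None   # files whose digest matched


def parse_transcript(text: str) -> KitReport:
    """Extract per-file results and the two summary counts."""
    report = KitReport()
    for raw in text.splitlines():
        line = raw.strip()
        built = BUILT_RE.match(line)
        verified = VERIFIED_RE.match(line)
        result = RESULT_RE.match(line)
        if built:
            report.built = int(built.group(1))
        elif verified:
            report.verified = int(verified.group(1))
        elif result:
            report.results[result.group("path")] = result.group("status")
    return report


def evaluate(report: KitReport) -> Tuple[bool, List[str]]:
    """Return (accept, problems). Any problem means the kit is not installed."""
    problems = []
    failed = sorted(p for p, s in report.results.items() if s == "failure")
    if failed:
        problems.append("digest mismatch: " + ", ".join(failed))
    if report.built is None or report.verified is None:
        problems.append("summary counts missing (transcript incomplete)")
    else:
        if report.verified != report.built:
            problems.append(
                f"only {report.verified} of {report.built} files verified")
        ok_lines = sum(1 for s in report.results.values() if s == "ok")
        if ok_lines != report.verified:
            problems.append("per-file 'ok' lines disagree with verified count")
        if len(report.results) != report.built:
            problems.append("number of listed files differs from built count")
    return (not problems, problems)


if __name__ == "__main__":
    accept, issues = evaluate(parse_transcript(SAMPLE_TRANSCRIPT))
    print("ACCEPT" if accept else "REJECT")
    for issue in issues:
        print(" -", issue)
```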

Upgrading from CSA V6.0 to CSA V6.0.1

If you have CSA V6.0 installed on your Windows Server 2003 R2 system, installing Management Center for Cisco Security Agents 6.0.1 upgrades version 6.0 to version 6.0.1. Upgrades are much simpler if you are reusing the same CSA V6.0 system.

After installing CSA 6.0.1, you can push software upgrades to 6.0 agents using the software update tools provided. Wherever the policies from the old version of CSA are exactly the same as the policies from the new version of CSA, the old policies are replaced by the new policies. Any rules that you changed or policies that you added to your V6.0 CSA MC will be maintained in the correct group after the upgrade.

After you have updated the hosts with the CSA 6.0.1 software, locate updated versions of policies that you deployed with CSA 6.0. Compare the contents of the new and old policies. Once you have reviewed the new policies and configured them for your deployment, you can distribute the new policies if you desire.

Upgrade scenarios are detailed in this chapter. See Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1 for more information.

Migrating Configurations and Hosts to CSA V6.0.1 from CSA V5.2 and Earlier

If you have previous versions (V5.2, V5.1, V5.0, V4.5.x, or 4.0) of the product installed on your Windows 2003 R2 system, installing Management Center for Cisco Security Agents 6.0.1 does not upgrade those previous versions. CSA V6.0.1 coexists with V5.2 or V5.1. CSA V5.0 configurations and V4.x configurations need to be migrated to V5.1 before you can migrate them to CSA V6.0.1.

When migrating from V5.0, be sure to back up the local database before migrating. If you are reusing the same hardware, you must uninstall CSA MC V5.0 and VMS from your Windows 2000 system. You must then uninstall Windows 2000 and perform a clean installation of Windows 2003 R2 because you cannot install CSA V6.0.1 on Windows 2000.


Caution Do not perform an operating system upgrade of Windows 2000 Server to Windows 2003 R2. Prior versions of system and SQL libraries may not be compatible with the CSA 5.2/6.0.1 environment running on Windows 2003 R2. After installing the clean version of Windows 2003 R2, you can install CSA 6.0.1 on your newly installed Windows 2003 system.

After installing CSA 6.0.1, you can migrate older V5.0.x configurations and hosts to your 6.0.1 CSA MC using migration tools that are provided.

The migration procedure is more straightforward if you are not reusing the same hardware. In that case, you could install Management Center for Cisco Security Agents 6.0.1 on the Windows 2003 system and migrate configurations and hosts from the Management Center for Cisco Security Agents 5.1, 5.0 or 4.5.x on the Windows 2000 system.

And if you are running Management Center for Cisco Security Agents 5.2 or 5.1 on Windows 2003, the migration is quite simple.

All migration scenarios mentioned here are detailed in this chapter.

Upgrade and Migration Scenarios

CSA V6.0.1 supports the following upgrade and migration scenarios:

Scenario 1 - Upgrading V6.0 to V6.0.1 - Same System: Install V6.0.1 on the same machine as V6.0. The upgrade is done in place; there is no data migration. Follow the instructions in Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1.

Scenario 2 - Migrating V5.2 to V6.0.1 - Same System: Install V6.0.1 on the same machine as V5.2. Data migration is done automatically. See Migration Instructions for more information.

Scenario 3 - Migrating V5.2 to V6.0.1 - Separate System: Install V6.0.1 on a new machine. Data migration is done manually. See Migration Instructions to move V5.2 configurations and hosts to the newly installed V6.0.1 system.

Scenario 4 - Migrating V5.1 to V6.0.1 - Same System: Install V6.0.1 on the same machine as V5.1. Data migration is done automatically. See Migration Instructions for more information.

Scenario 5 - Migrating V5.1 to V6.0.1 - Separate Systems: Install V6.0.1 on a new machine. Data migration is done manually. See Migration Instructions to move V5.1 configurations and hosts to the newly installed V6.0.1 system.

Scenario 6 - Migrating V5.0 to V5.1 to V6.0.1 - Same System: Follow this migration approach:

a. Back up CSA MC V5.0 database

b. Uninstall CSA MC V5.0

c. Uninstall VMS (Cisco Works)

d. Install a new Windows 2003 R2 OS on system. Do not perform an upgrade of Windows 2000 to Windows 2003 R2.

e. Install CSA MC V6.0.1

f. Specify 5.0 database migration during installation

g. CSA MC 5.1 is installed along with CSA MC 6.0.

h. Automatic migration occurs

i. See Migration Instructions for more information.

You can install V6.0.1 on the same machine where V5.0 resided, once V5.0 and VMS are uninstalled, the database is backed up safely (if local DB) and the system is running a Windows 2003 R2 operating system. Then you can use the migration tools provided to access and migrate the backed-up V5.0 database while installing 5.1 and 6.0.1 MCs.

Scenario 7 - Migrating V5.0 to V6.0.1 - Separate Systems: Install V6.0.1 on a new Windows 2003 R2 system. See Migration Instructions to move V5.0 configurations and hosts to the newly installed V6.0.1 system.

Scenario 8 - Migrating V4.5.x or 4.0.3 (4.x) to V6.0.1 - Same Systems: If you are running CSA MC V4.5.x or 4.0.3 on the same system where V6.0.1 will be installed, you must first upgrade to CSA MC V5.0 before you can migrate to CSA MC V6.0.1 using one of the previously mentioned scenarios. Follow this migration approach:

a. Upgrade to CSA MC 5.0

b. Back up CSA MC V5.0 database

c. Uninstall CSA MC V5.0

d. Uninstall VMS (Cisco Works)

e. Install a new Windows 2003 R2 OS on system. Do not perform an upgrade of Windows 2000 to Windows 2003 R2.

f. Install CSA MC V6.0.1

g. Specify 5.0 DB Migration during installation

h. CSA MC 5.1 is installed along with CSA MC 6.0.1

i. Automatic migration occurs

j. See Migration Instructions for more information

Scenario 9 - Migrating V4.5.x or 4.0.3 (4.x) to V6.0.1 - Separate Systems: Install V6.0.1 on a new Windows 2003 R2 system. See Migration Instructions to move these older versions of CSA configurations and hosts to the newly installed V6.0.1 system.


Note If you have a CSA MC with V5.1 and V5.2 already installed, you cannot add V6.0.1 to the same system. There can only be two versions of CSA MC running on the same system. Either V5.1 or V5.2 must be uninstalled before V6.0 can be installed.


The CSA MC V6.0.1 installation does not automatically upgrade or overwrite CSA versions 5.2 or older. Content defined as "untrusted" by the earlier version of CSA will also be treated as untrusted content by CSA 6.0.1.

Ultimately, the migration process will allow you to import your older configuration items into the newly installed V6.0.1 system. It will also allow you to migrate hosts to V6.0.1. After installing V6.0.1, it is expected that you will spend some time examining how policies and other functionality have changed between versions and that you will gradually apply the V6.0.1 policies to the migrated hosts.


Caution For Scenario 5, you should not uninstall V5.1 until you have migrated all agents to V6.0.1. Once you install V6.0.1, you can apply hotfixes to the old V5.1 version, but you cannot install a V5.1 version of the product once the V6.0.1 version is installed in a one system installation scenario.

If you do apply hotfixes to an old V5.1 version after you install V6.0.1, you have to manually restart the CSA MC system for both MCs to begin running again.

CSA MC V6.0.1 creates a new directory structure if it is being installed on a new system. However, if CSA MC V5.2 is being upgraded to CSA MC V6.0.1, CSA MC V6.0.1 will use the existing CSA MC V5.2 directory structure. Refer to the following for a list of directory paths:

Table 2-1 Directory Paths for CSA Versions

CSA Version    Directory Path to CSA MC
CSA 6.0.1
CSA 6.0        Cisco\CSAMC\CSAMC60
CSA 5.2        Cisco Systems\CSAMC\CSAMC52
CSA 5.1        Cisco Systems\CSAMC\CSAMC51
CSA 5.0        CSCOpx\CSAMC50


Overview of Installing CSA MC with Local and Remote DB

You must have local administrator privileges on the system in question to perform the CSA MC installation. Once you have verified system requirements, you can begin the installation.


Warning Changing the system name after installing the CSA MC will cause communication problems between agents and the CSA MC. Therefore, you should not change the name of the server on which the CSA MC is installed. Changing the system name after installing CSA MC is not supported.



Tip Give the server, on which the CSA MC resides, a generic name to avoid the need to rename it in the future.


New Installation Configuration Options

For a new product installation, you have three installation configuration options to consider before launching the CSA MC installation process.

You can install CSA MC and the database on the same machine. (Select the Local Database radio button during the CSA MC installation.)

For a local database configuration, you have the option of installing CSA MC and the included Microsoft SQL Server Express Edition (provided with the product) on the same system if you are planning to deploy no more than 1,000 agents. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Express Edition on the system.

For a local database configuration, you also have the option of installing Microsoft SQL Server 2005 Service Pack 2 instead of using the Microsoft SQL Server Express Edition that is provided. Microsoft SQL Server Express Edition has a 4 GB database size limit. In this case, you can have CSA MC and Microsoft SQL Server 2005 on the same system depending on the number of agents you are deploying (see Scalable Deployments, page 1-18). Note that if you are using SQL Server 2005, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation.

See Installing CSA MC with a Local Database for this installation method.


Note There is no upgrade path from Microsoft SQL Server Express to Microsoft SQL 2005 Service Pack 2.



Note If your plan is to use SQL Server 2005, it is recommended that you choose one of the other installation configuration options rather than the local database configuration.



Note Microsoft SQL Server 2005 is the database version that will be used for this installation section, but you should note that SQL Server 2000 is also supported at this time.


You can install CSA MC on one machine and install the database on a remote machine. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2005 Remote Database Setup.)

Use this configuration option depending on the number of agents you are deploying (see Scalable Deployments, page 1-18). If you are using a separately licensed, managed, and maintained SQL Server 2005 database, SQL Server 2005 must be installed and configured on the remote system before you begin the CSA MC installation.

See Installing CSA MC with a Remote Database for this installation method.


Caution If you are installing CSA MC and the database to multiple machines, make sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.

You can install two CSA MCs on two separate machines and install the database on a remote machine. In this case, both CSA MCs use the same remote database. (Select the Remote Database radio button during the CSA MC installation. Note that you must install a Cisco Security Agent on this remote database to protect this system. See Microsoft SQL Server 2005 Remote Database Setup.)

This is the recommended configuration if you are deploying more than 5,000 agents and are using a separately licensed, managed, and maintained SQL Server 2005 database. SQL Server 2005 must be installed and configured on the remote system before you begin the MC installations.

Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling and another MC for editing configurations.

See Installing CSA MC with a Remote Database for this installation method and read the important information at Information for Installing Multiple CSA MCs on Separate Systems.


Caution If you are installing two CSA MCs with one of the MCs residing on the machine where the database is installed, you must select the Remote Database radio button during the installation of both MCs. Even though one MC is "local" to the database, for the two-MC configuration to work properly, both must be configured to communicate with the database as though it were remote.

Installing CSA MC with a Local Database

If you are installing both CSA MC and the database to the same machine with the provided Microsoft SQL Server Express database, you should install Microsoft SQL Server Express Edition as part of the CSA MC installation. The CSA MC installation runs the Microsoft SQL Server Express installation program choosing the Microsoft SQL Server Express settings the MC needs. During the MC installation, if you want to install the database on a different system drive from the MC, the install prompts allow you to do this.

It is recommended that you install SQL Server Express via the CSA MC installer. If you install it manually, as step 8 on page 14 implies you might, be aware that if you take the SQL Server Express defaults, your subsequent CSA MC installation will fail. (See the Caution below.)


Caution Because Microsoft SQL Server Express is provided on the CD separately, you might be tempted to install it yourself manually. This is not recommended. If you install it yourself, you must select specific non-default settings for the database to work with CSA MC. Those settings are provided in another section here, see Microsoft SQL Server Express Manual Installation Settings. But again, this is not the recommended deployment.

If you want to install a local Microsoft SQL Server 2005 or 2000 database rather than using Microsoft SQL Server Express, install the Microsoft SQL Server 2005 or 2000 before you install the CSA MC. See Microsoft SQL Server 2005 and 2000 Local Installation Notes for important information.

Before beginning, exit any other programs you have running on the system where you are installing CSA MC.

To install the CSA MC, follow this procedure:


Step 1 Log on as a local Administrator on your Microsoft Windows Server 2003 R2 Standard or Enterprise system.

Step 2 Put the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 2-1. (If the installation does not start automatically, browse to the setup.exe file on the CD and double-click it to begin the installation.)

Figure 2-1 CSA MC Installation Welcome Screen

Step 3 After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 2-2.

Figure 2-2 CSA MC End User License Agreement

Step 5 The installation checks if the needed ports are available.

Figure 2-3 Installation Port Check

Step 6 The installation next asks if you are upgrading from a V5.0 Management Center. In this case, click No to continue. See Figure 2-4. (If you are upgrading from a V5.0 Management Center, click Yes and refer to Installing CSA MC with a Previous Version's Database (Same System Installation).)

Figure 2-4 Upgrade Question Window

Step 7 The install then begins by prompting you to select a database location. In this case, you will keep the default selection of Local Database and click the Next button. See Figure 2-5.

Figure 2-5 Database Setup Type

Step 8 If installing locally, the installation next checks to see if you have Microsoft SQL Server Express Edition installed. CSA MC uses Microsoft SQL Server Express Edition for its local configuration database. If this software is not detected, you are prompted to install it. See Figure 2-6.


Note For installations exceeding 1,000 agents, it is recommended that you install Microsoft SQL Server 2005 instead of using the Microsoft SQL Server Express Edition that is provided with the product. Refer to New Installation Configuration Options for more information. If you are using Microsoft SQL Server 2005, refer to Microsoft SQL Server 2005 and 2000 Local Installation Notes for details.



Caution On a system where CSA MC has not previously been installed, the setup program first installs Microsoft SQL Server Express Edition. If the CSA MC installation detects any other database type attached to an existing installation of Microsoft SQL Server Express Edition, the installation will abort. This database configuration is not qualified.

Figure 2-6 Install Microsoft SQL Server Express Edition Prompt

After clicking Yes, you are prompted to select a Microsoft SQL Server Express Edition install directory.

Figure 2-7 SQL Server Installation Directory Selection

Step 9 You are prompted to select a CSA MC directory installation path. Either accept the default installation path or browse to a different path for installation.

Step 10 You are next prompted to enter Administrator Name and Password information. This is the user name and password you will use to log in to CSA MC. Checking the Enforce password policy checkbox places these constraints on the password you enter:

Password cannot be the same as, or contain, the login name

Password must be between 6 and 32 characters long

Password must contain characters from at least three of the following classes:

lower case letters

upper case letters

digits

non-alphanumeric characters

See Figure 2-8. Enter this information and click Next.

Figure 2-8 Enter Administrator Name and Password

Step 11 You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 2-9). It is required that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 2-9 Automatic Reboot Option Prompt

Step 12 You are next prompted to begin the installation. Click the Install button (see Figure 2-10).

Figure 2-10 Begin Install

SQL Server Express Edition installs .NET Framework on the system and continues to perform configuration tasks (see Figure 2-11). The SQL Server Express Edition windows that appear require no user action.

Figure 2-11 SQL Server Express Edition Configuration Status Window

When the Microsoft SQL Server Express Edition installation finishes, the CSA MC installation automatically begins again, copying the necessary files to your system (see Figure 2-12) and then installing them (see Figure 2-13).

Figure 2-12 Copy Files

Figure 2-13 Installation Proceeds


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)

If an agent is already installed on a system to which you are installing CSA MC, that agent will automatically be upgraded by the CSA MC agent installation.


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is required that you manually reboot the system at this time.

Figure 2-14 Automatic Reboot Prompt

Once the system reboots, you should log in to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. See Uploading a License for more information.

Microsoft SQL Server 2005 and 2000 Local Installation Notes


Note The following instructions are only intended for administrators choosing to install CSA MC and Microsoft SQL Server 2005 (or 2000) to the same system. These instructions are not for administrators using CSA MC with a remote database. If you are choosing to use Microsoft SQL Server 2005 as a remote database, information is provided in the section titled Installing CSA MC with a Remote Database. All instructions apply to both Microsoft SQL Server 2005 and 2000 unless otherwise specified.



Note No additional database should be present on the server running CSA MC.



Caution CSA MC supports Microsoft SQL Server 2005 with Service Pack 0, Service Pack 1, or Service Pack 2. You should note that if you install a SQL Server 2005 build that is lower than build number 2153 (released after SP1), the service "SQL Server Integration Services" will fail upon system reboot. You can manually start the service or you can upgrade to Microsoft SQL Server 2005 SP1 build number 2153 or higher.

For local database installations exceeding 1,000 agents, it is recommended that you install Microsoft SQL Server 2005 instead of using the Microsoft SQL Server Express Edition that is provided with the product. Microsoft SQL Server Express Edition has a 4 GB limit. SQL Server 2005 must be licensed separately and it must be installed on the local system before you begin the CSA MC installation.

In order for Microsoft SQL Server 2005 to function properly with CSA MC, you must select certain settings during the installation. Those settings are listed here. (Refer to your Microsoft SQL Server 2005 manual for detailed installation information.)


Note You should not change the default instance name of "MSSQLSERVER" for the SQL Server 2005 database. If you change this, the CSA MC installation will not detect the database.


When installing Microsoft SQL Server 2005, choose the default settings except in the following instances:

In the Setup Type installation window, choose the Typical radio button and in the Destination Folder section, click the various Browse buttons to install SQL Server on the system.

In the Components to Install dialog box, select SQL Server Database Services and Analysis Services.

In the Instance Name dialog box, select Default Instance.

In the Service Account installation dialog box, choose the Use the built-in System Account radio button and specify Local System. In the Start Services at the End of Setup area, select SQL Server and Analysis Services.

In the Authentication Mode dialog box, select Windows Authentication Mode.

(For Microsoft SQL Server 2000 only) In the Choose Licensing Mode installation window, select the Per Seat for radio button and then increment the devices number field to a positive value—at least 1 or 2.

(For Microsoft SQL Server 2005 only) Reboot the system.

(For Microsoft SQL Server 2000 only) Reboot the system and install the most recent service pack for SQL Server 2000. CSA MC has been qualified with Service Pack 4. When installing the service pack, choose the default settings except in the following instances:

When you install the service pack, in the Installation Folder screen, you should select a drive that has at least 140 MB of free space. For the service pack installation, choose the default settings in all instances.

In the SA Password Warning installation screen, select the Ignore the security threat warning, leave the password blank radio button.

In the SQL Server 2000 Service Pack Setup installation screen, select the Upgrade Microsoft Search and apply SQL Server 2000 SP4 (required) checkbox.

Microsoft SQL Server Express Manual Installation Settings

Because Microsoft SQL Server Express is provided on the CD separately, during a local database MC installation, you might be tempted to install Microsoft SQL Server Express yourself manually. This is not recommended. If you install it yourself, you must select specific non-default settings for the database to work with CSA MC. Those settings are provided here. But again, this is not the recommended deployment.


Caution If you are installing both CSA MC and the database to the same machine with the provided Microsoft SQL Server Express database, you should install Microsoft SQL Server Express Edition as part of the CSA MC installation. The CSA MC installation runs the Microsoft SQL Server Express installation program choosing the Microsoft SQL Server Express settings the MC needs. During the MC installation, if you want to install the database on a different system drive from the MC, the install prompts allow you to do this.

During the Microsoft SQL Server Express manual installation, you can simply leave all the default settings except in the following cases:

Registration information dialog - UNCHECK the "Hide advanced configuration options" option.

Instance name dialog - Choose the "Default instance" option.

Service Account - Select "Use the built-in system account" and from the drop down menu, select "Local System".

Installing CSA MC with a Remote Database

If you are installing one or two CSA MCs and their corresponding database to different machines, you must first install and properly configure Microsoft SQL Server 2005 or Microsoft SQL Server 2000 on the remote system according to Microsoft's instructions. You should restrict access to this database machine as much as possible using any access control systems you already have in place on your network.


Caution It is recommended that all installed CSA MCs and remote databases be placed on a private LAN. If you cannot provide a private LAN, then you should follow Microsoft's recommendations for securing communication between database servers and application servers.


Caution It is important that the time on the database server system closely match the time on the CSA MC system. Both systems must be in the same time zone and you should make sure both times are set correctly.


Caution You must install a Cisco Security Agent on this remote database. This agent should be in the Servers-CSA Management Center- Secured Remote Database group. This group is hidden by default; you will need to change the visibility view on the Groups list page to "Show all items" to expose this group. You should install this agent after the last CSA MC has been installed and rebooted.

Microsoft SQL Server 2000 Remote Database Setup


Note The following section contains overview information for setting up the Microsoft SQL Server 2000 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation.


In order to enter the requested remote database information during the CSA MC installation, you must first set up the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.)

Create an empty database.

You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)

Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed. The SQL Server collation string must contain Latin1_General.

Make sure that the database is configured to accept SQL Server authentication.

You also need to create a Filegroup for the database called "analysis" and it must have at least one file attached.

More specifically, use the following procedure as a guideline to create a remote database on MS SQL Server 2000:


Step 1 Right click your SQL Server. Select the Security tab and set "Authentication" to SQL Server and Windows. Then click OK.

Step 2 Stop and start SQL Server.

Step 3 Create new database "CSAMC601".

Step 4 Inside the DB properties, click Filegroups and create a new filegroup called ANALYSIS. Inside the DB properties, click Data Files and in the File Name field, type "csamcanalysis", and in the Filegroup field type "ANALYSIS". Then click OK.

Step 5 Expand the "security" + and right-click Logins. Then create a new login. Use SQL Server Authentication. Set Defaults -> Database = csamc60 database.


Note Do not click anything under "server roles".


Step 6 In the "database access" section, permit access to csamc60 and give the role of db_ddladmin. db_datareader and db_datawriter permissions must also be provided. Click OK.

Step 7 Restart the server.

Microsoft SQL Server 2005 Remote Database Setup


Note The following section contains overview information for setting up the Microsoft SQL Server 2005 database to work correctly with CSA MC. More detailed SQL Server configuration information should be obtained from your Microsoft documentation.



Caution CSA MC supports Microsoft SQL Server 2005 with Service Pack 0, Service Pack 1, or Service Pack 2. You should note that if you install a SQL Server 2005 build that is lower than build number 2153 (released after SP1), the service "SQL Server Integration Services" will fail upon system reboot. You can manually start the service or you can upgrade to Microsoft SQL Server 2005 SP1 build number 2153 or higher.

In order to enter the requested remote database information during the CSA MC installation, you must first set up the SQL Server database system by doing the following. (Note that these steps may be performed by your database administrators. The procedure is detailed after the bullet list.)

Create an empty database.

You must configure a new login ID and password and associate it with a new user ID which has the standard access rights on the CSA MC database, including db_ddladmin, db_datareader, and db_datawriter. Note that the login ID and user ID must be identical. (db_owner privileges are not required.)

Right-click on the server name and view Properties. On the left side of the Properties panel, click Permissions. In the table containing the logins and roles, click on the user id that has been created for CSA MC. In the explicit permissions list for the user, for the permission "View Server State", check the box for "Grant".

Expand the created CSA MC Database tree and click Security. In the Security pane for your database, right-click Schemas and create a new schema with a name that is identical to the user id and login id. Click the Search button and locate the user. Attach this user to the new schema and click OK. Return to the Users in the database. Double-click the user id and select the newly created schema as the default schema.

Make sure the default language is set to English. Note that you should not change the language default after CSA MC is installed. The SQL Server collation string must contain Latin1_General.

Make sure that the database is configured to accept SQL Server authentication.

You also need to create a file group for the database called "analysis" and it must have at least one file attached.

Use the following procedure as a guideline for creating a database on MS SQL 2005:


Step 1 In the Object Explorer column on the left, right-click the name of your SQL Server and select Properties.

Step 2 In the Server Properties dialog box, in the left hand column, select Security. Select the SQL Server and Windows Authentication radio button in the Server authentication area. Click OK.

Step 3 In the Object Explorer column on the left, right-click the name of your SQL Server and select Restart to restart the SQL Server service.

Step 4 In the Object Explorer column on the left, click Databases for your SQL server. In the Databases pane, right-click in the background and select New Database. Give the database a name such as "CSAMC601". Click OK.

Step 5 In the Databases pane, right-click the database you just created and click Properties.

Step 6 Select Filegroups in the left column and then click Add. Name the new Filegroup ANALYSIS.

Step 7 In the Database Properties dialog, click Files (or Data Files) and then click Add. Give the File a Logical Name, for example, csamc601_analysis. Click the Filegroup column for the file and select ANALYSIS from the list box. The Filegroup designation must be ANALYSIS. Click OK.

Step 8 Create an SQL Server Login:

a. Under the name of your SQL server in the left hand column, select Security.

b. Right-click Logins and click New Login.

c. Specify a Name for the new user. Select the SQL Server authentication radio button and enter a Password for the new user. Specify the name of your new database as the Default database.

d. Click OK.


Note Do not click anything under "server roles".


Step 9 Configure the SQL Server Login:

a. In the Object Explorer column on the left, right-click your SQL Server and select Properties.

b. Click Permissions in the Server Properties dialog box.

c. In the Logins or roles window, select the SQL Server login you just created.

d. In the Explicit permissions for Login Name window, select View server state. Select Grant and click OK.

Step 10 Create a database user:

a. In the left hand column, expand Databases and then expand the tree for your new database. Click Security.

b. In the Security pane for your database, right-click Users and click New User.

c. Specify a User name and a Login name for the new user. Make these names the same as the name of the SQL Server user.

d. In the Schemas owned by this user field, select db_datareader, db_datawriter, and db_ddladmin.

e. In the Database role membership field, select db_datareader, db_datawriter, and db_ddladmin.

f. Click OK.

Step 11 Create a database schema:

a. In the Security pane for your database, right-click Schemas and select New Schema.

b. In the Schema name and Schema owner fields, enter the name of the database user you created in the previous step.

c. Click OK.

Step 12 In the Security pane for your database, double-click Users. Right-click the name of the database user you created and select Properties. In the Default schema field, enter the name of the database schema you created. Click OK.

Step 13 Restart the SQL server.
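The GUI actions in Steps 4 through 12 can also be scripted. The following T-SQL is an added example, not part of the Cisco procedure: the login/user/schema name csamc_svc, the data file path and the password are hypothetical placeholders, and reading "default language" as a login setting and "collation" as the server collation is an assumption.

```sql
-- Added example (not Cisco's script): T-SQL for Steps 4-12 on SQL Server 2005.
-- CSAMC601 and csamc601_analysis are the page's sample names; csamc_svc, the
-- .ndf path and the password are hypothetical placeholders to replace.

USE master;
GO

-- Steps 1-3 are done in Server Properties. Stop here if the instance is still
-- Windows-only, or if the server collation (assumed to be the one the page
-- means) does not contain Latin1_General.
IF CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
   OR CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) NOT LIKE N'%Latin1_General%'
BEGIN
    RAISERROR('Mixed-mode authentication and a Latin1_General collation are required.', 16, 1);
    SET NOEXEC ON;  -- later batches are compiled but not executed
END
GO

-- Step 4: create the empty database.
CREATE DATABASE CSAMC601;
GO

-- Steps 5-7: filegroup ANALYSIS with at least one file attached.
ALTER DATABASE CSAMC601 ADD FILEGROUP ANALYSIS;
ALTER DATABASE CSAMC601 ADD FILE
    (NAME = csamc601_analysis,
     FILENAME = 'D:\SQLData\csamc601_analysis.ndf')    -- placeholder path
    TO FILEGROUP ANALYSIS;
GO

-- Step 8: SQL Server authentication login; no server roles are assigned.
CREATE LOGIN csamc_svc
    WITH PASSWORD = 'REPLACE_WITH_A_STRONG_PASSWORD',  -- placeholder
         DEFAULT_DATABASE = CSAMC601,
         DEFAULT_LANGUAGE = us_english;                -- assumed meaning of "English"
GO

-- Step 9: the only server-level permission the procedure grants.
GRANT VIEW SERVER STATE TO csamc_svc;
GO

USE CSAMC601;
GO

-- Step 10: database user named identically to the login, with the three
-- roles the page lists (db_owner is not required).
CREATE USER csamc_svc FOR LOGIN csamc_svc;
EXEC sp_addrolemember N'db_ddladmin',   N'csamc_svc';
EXEC sp_addrolemember N'db_datareader', N'csamc_svc';
EXEC sp_addrolemember N'db_datawriter', N'csamc_svc';
-- Step 10d: "Schemas owned by this user".
ALTER AUTHORIZATION ON SCHEMA::db_ddladmin   TO csamc_svc;
ALTER AUTHORIZATION ON SCHEMA::db_datareader TO csamc_svc;
ALTER AUTHORIZATION ON SCHEMA::db_datawriter TO csamc_svc;
GO

-- Step 11: schema with the same name as the user (must start its own batch).
CREATE SCHEMA csamc_svc AUTHORIZATION csamc_svc;
GO

-- Step 12: make that schema the user's default.
ALTER USER csamc_svc WITH DEFAULT_SCHEMA = csamc_svc;
GO

-- Review what was provisioned before running the CSA MC installer.
SELECT u.name AS db_user, u.default_schema_name, r.name AS role_name
FROM sys.database_principals AS u
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE u.name = N'csamc_svc';

SELECT fg.name AS filegroup_name, COUNT(f.file_id) AS files_attached
FROM sys.filegroups AS fg
LEFT JOIN sys.database_files AS f ON f.data_space_id = fg.data_space_id
WHERE fg.name = N'ANALYSIS'
GROUP BY fg.name;

SELECT p.name AS login_name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'csamc_svc';
GO

SET NOEXEC OFF;
GO
```

Steps 1 through 3 and Step 13 (authentication mode and service restart) are still performed in the management tool. CREATE LOGIN, CREATE USER, user-owned schemas and VIEW SERVER STATE were introduced in SQL Server 2005, so this script does not apply to the SQL Server 2000 procedure.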

Installing CSA MC Using the Remote Database

Before beginning, exit any other programs you have running on the system where you are installing CSA MC. To install the CSA MC, do the following:


Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Put the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Step 3 The Management Center for Cisco Security Agents appears. After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 2-15.

Figure 2-15 CSA MC End User License Agreement

Step 5 The installation asks if you are upgrading from a V5.0 Management Center. In this case, click No to continue. See Figure 2-16. (If you are upgrading from a V5.0 Management Center, click Yes and refer to Installing CSA MC with a Previous Version's Database (Same System Installation).)

Figure 2-16 Upgrade Question Window

Step 6 The install begins by prompting you to choose a database setup type. In this case, you will select the Remote Database radio button and click the Next button.

When you select the Remote Database radio button, you are next prompted to enter the following information for the remote SQL Server database (see Figure 2-17):

Name of the server

Name of the database

Login ID

Password

Figure 2-17 Remote Database Information

Step 7 Once you enter the database information and click Next, the installation attempts to locate the database and verify that it is configured appropriately. If the database is not set up correctly, you are prompted with this information and the installation will not continue. Otherwise, the installation proceeds.

Step 8 You are next prompted to select a CSA MC directory installation path. Either accept the default installation path or browse to a different path.

Figure 2-18 Installation Directory

Step 9 You are next prompted to enter Administrator Name and Password information. This is the user name and password you will use to log in to CSA MC. Checking the Enforce password policy checkbox places these constraints on the password you enter:

Password cannot be the same as, or contain, the login name

Password must be between 6 and 32 characters long

Password must contain characters from at least three of the following classes:

lower case letters

upper case letters

digits

non-alphanumeric characters.

See Figure 2-19. Enter this information and click Next.

Figure 2-19 Enter Administrator Name and Password

Step 10 You are next prompted to select whether or not you want the system to automatically reboot once the installation is complete (see Figure 2-20). It is recommended that you reboot the system after the installation is complete whether you select Yes to have it done automatically or you choose to manually reboot at the end.

Figure 2-20 Automatic Reboot Option Prompt

You are next prompted to begin the installation. Click the Install button. (See Figure 2-21.)

Figure 2-21 Begin Install

The install then proceeds copying the necessary files to your system (see Figure 2-22).

Figure 2-22 Copy Files

Once the copying is complete, the installation begins configuration and setup tasks. See Figure 2-23.

Figure 2-23 Installation Proceeds


Note When the CSA MC installation completes, an agent installation automatically begins. It is recommended that an agent protect the CSA MC system and this is done automatically for you. (You may uninstall the agent separately if you choose, but this is not the recommended configuration.)


When the MC and agent installs are complete, if you selected to have the system reboot automatically, you are prompted that the automatic reboot will occur within 5 minutes. If you selected not to have the system reboot automatically, it is recommended that you manually reboot the system at this time.

Once the system reboots, you should log in to the MC and copy the license key file(s) you received from Cisco Systems to your CSA MC. CSA MC ships with and automatically uses a license for the MC and local agent. You must manually import all other licenses through the MC Maintenance>License Information window. See Uploading a License for license import instructions.

Information for Installing Multiple CSA MCs on Separate Systems

A CSA installation with two or more CSA MCs and a remote database is referred to as a "Distributed Configuration" or a "3 Tier System."

If you are installing a distributed configuration, follow this procedure:


Step 1 Install the remote database and the first CSA MC using the Installing CSA MC with a Remote Database procedure and reboot the system. This becomes the Polling CSA MC.

Step 2 Stop the CSA MC service on the Polling CSA MC.

a. Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

b. Open a command prompt window and type net stop csamc60 and press Enter.

Step 3 Install the second (and subsequent) CSA MCs using the Installing CSA MC Using the Remote Database procedure, and use the same remote database information for the additional CSA MCs. After the system reboots, stop the CSA MC service before installing the next Configuration CSA MC.

Step 4 Start the CSA MC service on the Polling CSA MC and all configuration CSA MCs.

a. Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

b. Open a command prompt window and type net start csamc60 and press Enter.


Caution When installing two CSA MCs, the first MC you install automatically becomes the Polling and logging MC. The second MC acts as the Configuration MC. During the installation process, the CSA MCs know the order in which the MCs were installed and direct polling, logging, and management tasks to the appropriate MC.


Caution The CSA MC service must be stopped on the Polling CSA MC before the configuration CSA MC can be installed. The CSA MC service must also be stopped on both the polling and configuration CSA MCs before either CSA MC is upgraded or uninstalled.


Caution In a distributed configuration, when installing or updating, you must install the CSA MC software update on all MCs.

Installing CSA MC with a Previous Version's Database (Same System Installation)

This section addresses the procedure for backing up and importing a 5.0 database as part of CSA MC V6.0.1 same system installation.

In order to perform this type of migration, you must install a V5.1 MC along with the V6.0.1 MC. You must use V5.1 to migrate your V5.0 hosts and data to the V6.0.1 product schema. V5.1 is provided as an interim tool for bringing all your data into V6.0.1 correctly. The V6.0.1 installation installs both MCs, first 5.1 and then 6.0.1, with one reboot at the end.


Note If you are migrating from CSA MC V4.x in a same system installation scenario, you must first upgrade to CSA MC V5.0. Refer to the CSA MC V5.0 Installation Guide for that procedure. Once you've completed that upgrade, you can use the following procedure.



Step 1 Uninstall CSA MC V5.0 per the instructions in your CSA MC V5.0 Installation Guide. (If V5.0 uses a local database, during the CSA MC V5.0 uninstall procedure, when prompted, make sure to select to back up the database. When the uninstall completes, move the backed-up database to a different, network accessible system.)

Step 2 Re-install that same system with the Windows 2003 R2 operating system.

Install CSA MC V6.0.1 as follows:


Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Place the Management Center for Cisco Security Agents CD into the CDROM drive. The welcome screen appears. Click Next to begin the installation. See Figure 2-24. (If the installation does not start automatically, browse to the setup.exe file on the CD and double click to begin the installation.)

Figure 2-24 CSA MC Installation Welcome Screen

Step 3 After you click Next in the welcome screen, various system checks are performed before the system installation continues.

Step 4 When the initial system checks are complete, you are prompted to accept the license agreement. Accept the agreement by clicking Yes. See Figure 2-25.

Figure 2-25 CSA MC EULA License Agreement

Step 5 The installation asks if you are upgrading from a V5.0 Management Center. In this case, click Yes to continue. See Figure 2-26.

Figure 2-26 Upgrade Question Window

Step 6 Select whether your V5.0 installation used a local or a remote database. See Figure 2-27.

Figure 2-27 Select V5.0 Database Type

Step 7 If you select Local Database, you are next asked to browse to the location of the backed-up V5.0 database. Once you've located the database, click Next to continue. See Figure 2-28.

If you select Remote Database, you are asked to enter data for accessing the remote database. This remote database entry screen is the same as Figure 2-17.

Figure 2-28 Browse to Backed-up V5.0 Database

Step 8 Once the V5.0 local or remote database is located, the installation will proceed to install CSA MC V5.1.

Step 9 You must create a user name and password to log in to CSA MC V5.1. See Figure 2-29. (You will later create another user and password for CSA MC V6.0.1.)

Figure 2-29 Username and Password Creation for V5.1

From here, you can continue by following the procedures detailed in Installing CSA MC with a Local Database or Installing CSA MC with a Remote Database depending on how you are installing the product. As stated earlier, the installation will proceed by first installing V5.1 and then directly begin the V6.0.1 installation with one reboot at the end of the procedure. For both V5.1 and V6.0.1 installations, you must select a database type and set up usernames and passwords as explained in the procedures referenced above.

Installation Log

The installation of CSA MC produces a log file. This log file, called "CSAMC-Install.log" and located in the CSAMC60\log directory, provides a detailed list of installation tasks that were performed. If there is a problem with the installation, this text file should provide information on what task failed during the install.


Note The installation of the agent produces a similar file called "CSAgent-Install.log" and is located in the Cisco\CSAgent\log directory on agent host systems.


Accessing Management Center for Cisco Security Agents

When the installation has completed and you've rebooted the system, a Management Center for Cisco Security Agents [version number] shortcut icon is placed on your desktop. Double-clicking this icon launches the MC in your default browser.

Local Access

To access CSA MC locally on the system hosting the CSA MC software, double-click the shortcut icon added to your desktop during the installation. This launches the management console login screen in your default browser.


Note See Initiating Secure Communications if you cannot connect to CSA MC.


Remote Access

To access CSA MC from a remote location, launch a browser application on the remote host and enter the following in the Address or Location field (depending on the browser you're using) to access the Login view:

https://<management center system hostname>.<domain>

For example, enter https://stormcenter.cisco.com


Note In this example, CSA MC is installed on a host system with the name stormcenter.



Note This is the preferred method of accessing the CSA MC.


Figure 2-30 CSA MC Login Window

Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1

Take this approach when upgrading from CSA 6.0 to CSA 6.0.1:


Step 1 Upgrade the CSA MC from CSA 6.0 to 6.0.1 using the Upgrading CSA MC with a Local or Remote Database from CSA V6.0 to V6.0.1 procedure or the Upgrading Multiple CSA MCs with a Remote Database from CSA V6.0 to V6.0.1 procedure.

Step 2 Update existing agents with CSA 6.0.1 software by scheduling software updates. See "Scheduling Software Updates" in the CSA MC online help or in Chapter 3, of Using Management Center for Cisco Security Agents, for more information.

Step 3 Compare the CSA 6.0.1 default policies with the CSA 6.0 default policies.

a. In the Things to Do section of the Home Page, users with configure or deploy roles, viewing CSA MC in Advanced Mode, will see an alert stating "At least one mandatory policy is obsolete" and it will provide links to Update mandatory policies: Linux, Solaris, Windows. (Mandatory policies are those connected to the auto-enrollment groups: <All Windows>, <All Linux>, and <All Solaris>.)

Clicking the link for an operating system opens the compare tool and displays the differences between, for example, the <All Windows> auto-enrollment group and the All Windows prototype group. Use the compare tool to compare the new and updated policies in the prototype group to those in the auto-enrollment group.

After comparing the policies, attach the new or updated policies in the prototype group to the auto-enrollment groups and detach outdated policies from the auto-enrollment group.

b. In addition to the auto-enrollment groups be sure to review changes to the CSA MC, Desktops, and Servers groups.

Though there is not an alert in the Things to Do section for every group or policy; however, you can still use the compare tool to compare your existing policies to those provided in the latest release.

See "Comparing Configurations" in the CSA MC online help or in Chapter 5 of Using Management Center for Cisco Security Agents, for more information.

Step 4 Pilot new policies. If you want to test the new policies before you deploy them, add the new policies to a small test group and add a limited number of hosts to the group.

Step 5 When you are ready to adopt the CSA 6.0.1 default policies, move hosts out of the groups running the 6.0 policies and into the groups using the 6.0.1 policies. See "Host Managing Tasks" in Chapter 3 of Using Management Center for Cisco Security Agents, for more information.

Upgrading CSA MC with a Local or Remote Database from CSA V6.0 to V6.0.1


Step 1 Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

Step 2 Put the Management Center for Cisco Security Agents CD into the CDROM drive. The Welcome screen appears. Click Next to begin the installation. (If the installation does not start automatically, browse to the setup.exe file on the CD and double-click to begin the installation.)

If you have downloaded the updated release from Cisco.com, save the kit on the same system on which CSA 6.0 is running and double-click the setup.exe file. At the Welcome screen, click Next to begin the installation.

Step 3 The install shield will attempt to stop the CSA 6.0 agent running on the CSA MC. When you receive the message "An attempt is being made to disable security for Cisco Security Agent. Do you wish to Allow this?", select Yes, provide a brief explanation in the Please explain field, and click Apply.

Step 4 Respond to the security challenge in the Cisco Security Agent Challenge pop-up dialog box and click OK.

Step 5 When asked if you want to reboot at the end of the upgrade, click Yes. The installation continues and you see a Setup Status similar to that in Figure 2-13.

Step 6 After the installation has finished, you receive a pop-up message indicating that you have five minutes until the reboot takes place. Click OK if you want to restart the system immediately.


Note Wherever CSA 6.0.1 policies are exactly the same as they were in CSA 6.0, the 6.0 policy is replaced by the 6.0.1 policy. The group details page may show a group from 6.0 with 6.0.1 policies.



Note Any rules that you changed or policies you added to 6.0 will be maintained in the correct group for 6.0.1.


Step 7 See Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1 and continue with steps 2-5 to upgrade agents in your deployment.

Upgrading Multiple CSA MCs with a Remote Database from CSA V6.0 to V6.0.1

In this configuration there is a Polling CSA MC, at least one Configuration CSA MC, and a remote database. This is referred to as a "Distributed Configuration" or a "3 Tier System."

There are two procedural items to note when installing a software update in a distributed configuration with multiple MCs.

In a distributed configuration, you must install the software update on all MCs.

In a distributed configuration, when installing, upgrading, or uninstalling any MC, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the service on one MC before you install the software update on the other MC. Then restart the services.

The upgrade proceeds as follows:


Step 1 Stop the CSA MC service on all Configuration CSA MCs in the configuration:

a. Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

b. Open a command prompt window and type net stop csamc60 and press Enter.

Step 2 Upgrade the Polling CSA MC from CSA V6.0 to CSA V6.0.1 using Upgrading CSA MC with a Local or Remote Database from CSA V6.0 to V6.0.1. After the system reboots, stop the CSA MC service on the newly upgraded Polling CSA MC.

Step 3 Start the CSA MC service on the next Configuration CSA MC you want to upgrade.

a. Log on as a local Administrator on your Microsoft Server Windows 2003 R2 Standard or Enterprise system.

b. Open a command prompt window and type net start csamc60 and press Enter.

Step 4 Upgrade the Configuration CSA MC from CSA V6.0 to CSA V6.0.1 using Upgrading CSA MC with a Local or Remote Database from CSA V6.0 to V6.0.1. After the system reboots, stop the CSA MC service on the newly upgraded Configuration CSA MC.

Step 5 Repeat step 4 until all your Configuration CSA MCs have been upgraded.

Step 6 Start the CSA MC service on all CSA MCs where the service is stopped, starting with the Polling CSA MC.

Step 7 See Upgrading Your Deployment from CSA V6.0 to CSA V6.0.1 and continue with steps 2-5 to upgrade agents in your deployment.

Migration Instructions

The following section contains information for migrating to CSA MC V6.0.1 from a previous version installed on the same system and for a previous version installed on a separate machine. Both scenarios are covered here.


Note If you install 6.0.1 on the same system where you have 5.2 installed, the majority of this migration is done automatically.


If you intend to migrate 5.2 Solaris agents, please read Solaris and Linux Agent Migration before starting your upgrade.

To migrate to V6.0.1, do the following:


Step 1 Install the Management Center for Cisco Security Agents V6.0.1. See previous sections for instructions.

If you're installing CSA MC V6.0.1 on the same machine running CSA MC V5.2, an xml file containing V5.2 configuration items and several .dat files containing host information are automatically generated by the installation and ready for importing once the install is complete.

If you're installing CSA MC V6.0.1 on a different machine from the system running V5.x or V4.x, after installing V6.0.1, you must copy and manually run an executable file on the V5.x or V4.x machine to create the xml and dat files needed for importing V5.x or V4.x configurations and host information to V6.0.1.

Step 2 If you have installed V6.0.1 on the same machine as V5.2, you can skip to Step 8. Otherwise, once you have installed CSA MC V6.0.1 and rebooted the system, navigate to the Cisco Systems\CSAMC\CSAMC60\migration directory. Copy the appropriate file (named prepare_<version>_migration.exe depending on the version you are migrating from, for example prepare_52_migration.exe) to your V5.x or V4.x system. (You can copy it to any place on the system.)

Step 3 On your V5.x or V4.x system, disable agent security and run the prepare_<version>_migration.exe file that you copied from the V6.0.1 system. (You must disable security in order to run the executable file and create the import xml data.) This launches a command prompt which displays the progress of the migration.

Step 4 When the prepare_<version>_migration.exe file is finished, on the V5.x or V4.x system, navigate to the Cisco Systems\CSAMC\CSAMC52\migration\export or CSCOpx\CSAMC50\migration\export directory (the directory name depends on the version you're migrating from) and locate several newly created files. Your configuration data is now in a file named migration_data_export.xml. Your host data (hosts and distinct host groupings) are now in several files, depending on how many distinct host groupings existed, named migration_host_data<number>.dat.

Using the data that is now wrapped up in these files allows you to import your existing policy configurations and your current host groupings, thereby preserving the policy tuning and host group configurations for your new V6.0.1 installation.

Step 5 Next, copy the migration_data_export.xml and all the migration_host_data<number>.dat files from the V5.x or V4.x system to your V6.0.1 system. These files must exist together in the same directory on the V6.0.1 system (although the directory name and location do not matter).

Step 6 From the V6.0.1 system, run the webmgr import utility from a command prompt to pull the data into the new MC. You cannot use the CSA MC UI Import utility to do this. That utility does not allow you to import the .dat files that are associated with the .xml file as one grouping.

For example, from a command prompt window on the V6.0.1 system, change to the directory in the following example and run the command as follows:

 
%system%Cisco\CSAMC\CSAMC60\bin>webmgr import %path_to_xml_file%\migration_data_export.xml

Because the host .dat files are associated with the .xml file, this command imports both the configuration and host data with the migration_data_export.xml file.

Step 7 You must generate rules once the import is complete. If you do not generate rules at this point, you cannot upgrade agent host software as described in the next section.


Note CSA MC V6.0.1 ships with policies that contain new V6.0.1 functionality. This new functionality does not match all V5.x or V4.x configurations. CSA MC configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators. When you import your older configuration, new V6.0.1 items are not overwritten. You will likely have items from both versions in your CSA MC V6.0.1. If the import process finds that two items have the exact same contents and the only difference is the V6.0.1 appended name field, the older item is not imported and the newer V6.0.1 item is used in its place.


Step 8 To upgrade migrated V5.x or V4.x agents to V6.0.1, schedule V6.0.1 software updates for older agents. You schedule this upgrade from the V5.x or V4.x system.

To schedule the update, mouseover the Systems menu in the V5.x or V4.x CSA MC and select Software Updates > Scheduled Software Updates. For instructions on how to schedule the software update, select Help > Online help.

Once the older agents receive the scheduled software update, they will point to and register with the new CSA MC V6.0.1. The update contains the appropriate new certificates to allow this to occur. After the hosts have registered with the new CSA MC, they will need to be moved into groups with the 6.0.1 security policies. Take the same upgrade approach, starting with step 3, as outlined in Upgrading from CSA V6.0 to CSA V6.0.1. The difference, of course, is that you will be moving hosts out of 5.x or 4.x groups into 6.0.1 groups.


Note Agent kits are configuration items that do not migrate to the new version. Because host migration does not relate to agent kits, old agent kits are not considered to be necessary migration items.

Also, configuration items that are not used (not attached to any group) do not migrate to the new version.



Caution When upgrading V5.x or V4.x agents to software version 6.0.1, the upgrade program disables the system network interfaces to ensure a secure upgrade process. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled. (Note that secure upgrades are not supported for Windows NT systems.)

Once you have migrated all old agents to the newer version, you can uninstall the old version of CSA MC. See Uninstalling Management Center for Cisco Security Agents.
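Steps 4 to 6 above depend on migration_data_export.xml and every migration_host_data<number>.dat file arriving together and unchanged on the V6.0.1 system. The following is an added example, not part of the Cisco procedure or tooling: it records SHA-256 hashes in the export directory and checks the copied set before webmgr import is run. The function names, the manifest approach, and the assumption that <number> is a run of decimal digits are all hypothetical, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

XML_NAME = "migration_data_export.xml"
# Assumption: <number> in migration_host_data<number>.dat is a run of decimal digits.
DAT_PATTERN = re.compile(r"^migration_host_data\d+\.dat$")

def sha256_of(path):
    """SHA-256 of a file's bytes (each migration file is read whole here)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(export_dir):
    """Run on the old MC: map each migration file name to its SHA-256."""
    manifest = {}
    for entry in sorted(Path(export_dir).iterdir()):
        if entry.is_file() and (entry.name == XML_NAME or DAT_PATTERN.match(entry.name)):
            manifest[entry.name] = sha256_of(entry)
    return manifest

def check_import_dir(import_dir, manifest):
    """Run on the V6.0.1 MC before the import: return a list of problems."""
    problems = []
    if XML_NAME not in manifest:
        problems.append("manifest has no " + XML_NAME)
    if not any(DAT_PATTERN.match(name) for name in manifest):
        problems.append("manifest has no host data (.dat) files")
    for name, expected in sorted(manifest.items()):
        candidate = Path(import_dir) / name
        if not candidate.is_file():
            problems.append("missing: " + name)
        elif sha256_of(candidate) != expected:
            problems.append("hash mismatch: " + name)
    return problems

def demo():
    """Constructed sample data: one export directory and three copied sets."""
    with tempfile.TemporaryDirectory() as root:
        export = Path(root, "export")
        export.mkdir()
        (export / XML_NAME).write_bytes(b"<constructed-config/>")
        (export / "migration_host_data1.dat").write_bytes(b"constructed hosts 1")
        (export / "migration_host_data2.dat").write_bytes(b"constructed hosts 2")
        (export / "notes.txt").write_bytes(b"unrelated file, ignored")
        manifest = build_manifest(export)
        results = {}
        for case in ("complete", "dat_left_behind", "altered"):
            target = Path(root, case)
            target.mkdir()
            for name in manifest:
                (target / name).write_bytes((export / name).read_bytes())
            if case == "dat_left_behind":
                (target / "migration_host_data2.dat").unlink()
            if case == "altered":
                (target / XML_NAME).write_bytes(b"<constructed-config changed='1'/>")
            results[case] = check_import_dir(target, manifest)
        return manifest, results

if __name__ == "__main__":
    for case, problems in demo()[1].items():
        print(case, "->", problems or "OK to run webmgr import")
```

An empty problem list means the copied directory matches what the export produced; any entry is a reason to recopy before importing.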

Solaris and Linux Agent Migration


Caution Solaris agent versions 4.0.3.736 or later can be upgraded to version 6.0.1. Earlier Solaris agents cannot be upgraded.

Only Linux agent version 4.5.1.638 or later can be upgraded to version 6.0.1. Earlier Linux agents cannot be upgraded.

You should note that the Solaris host migration process is a bit different than Windows and Linux migration.

Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, network connectivity is disabled and remains disabled until the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.

Upgrade Note

Newer versions of policies are not automatically attached to the auto-enrollment groups during upgrade. If you want to update the mandatory policies, you can use the CSA MC Compare tool to synchronize the existing auto-enrollment groups with the new updated auto-enrollment groups added by the upgrade.

Initiating Secure Communications

CSA MC uses SSL to secure all communications between the CSA MC user interface (locally and remotely) and the Management Center for Cisco Security Agents server system itself. This way, all configuration data travels over secure channels irrespective of the location of the CSA MC host system.

During installation, CSA MC generates private and public keys to be used for secure communications between any system accessing the CSA MC user interface and the CSA MC itself.

When your browser connects to the server, it receives the server's certificate. You are then prompted to accept this certificate. It is recommended that you import it into your local certificate database so that you are not prompted to accept the certificate each time you log in. The following sections show the process of importing certificates into Internet Explorer and Netscape Web browsers.

Internet Explorer: Importing the Root Certificate


Note If you are using Internet Explorer 7.0, you see an "Invalid Certificate" screen when you first attempt to open a CSA MC browser window. See the end of this section for further information.



Step 1 You import the certificate from the CSA MC login window. Click the Get root certificate link. See Figure 2-30.

Step 2 Select the Open (this file from its current location) button and click OK.

Step 3 The certificate information box appears (see Figure 2-31). It contains information on the system the certificate is issued to and it displays expiration dates. Click the Install Certificate button to start the Certificate Manager Import Wizard.

Figure 2-31 Certificate Information

Step 4 The first Certificate Manager Import page contains an overview of certificate information. Click Next to continue.

Step 5 From the Select a Certificate Store page, make sure the Automatically select the certificate store based on the type of certificate radio button is selected. Click Next.

Figure 2-32 Certificate Wizard

Step 6 You've now imported your certificate for the server. Click the Finish button (Figure 2-33) to continue.

Figure 2-33 Certificate Wizard Finish Page

Step 7 Now, you must save the certificate. Click the Yes button in the Root Certificate Store box.

Step 8 You are next prompted with a confirmation box informing you that your certificate was created successfully.


Note You must perform this certificate import process the first time you log in to CSA MC from any remote machine. Once the certificate import is complete, you can access the login page directly for all management sessions. To access the login page remotely, enter the URL in the following format.

http://<management center system hostname>.<domain>

For example, enter http://stormcenter.cisco.com



Caution If you have not obtained a valid license from Cisco, when you log in to CSA MC, you'll receive a warning informing you that your license is not valid. Refer back to page 2 for further licensing information.

Internet Explorer 7.0: Importing the Root Certificate

If you are using Internet Explorer 7.0, you see an "Invalid Certificate" screen when you first attempt to open a CSA MC browser window. When that screen appears, click the Continue to this website (not recommended) link (see Figure 2-34). Then you can continue by following instructions in Internet Explorer: Importing the Root Certificate.

You will only see this screen the first time you access the CSA MC browser in IE 7.0. Once you follow the instructions and import the root certificate, the screen should not appear again.

Figure 2-34 Internet Explorer 7.0 Certificate Screen

Uninstalling Management Center for Cisco Security Agents

Uninstall the CSA MC software as follows:


Step 1 Click the uninstall CSA MC option on the system from Start > Programs > Cisco > Uninstall Management Center for Cisco Security Agents. This launches the uninstall program.

Step 2 You must respond to uninstall confirmation and database back-up prompts during the uninstall process. The CSA MC uninstall also removes the Cisco Security Agent on the MC system.


Tip If you are running a local database, click Yes when prompted to back up your CSA MC database configuration. Store the backup in a location other than the Program Files\Cisco\CSA MC directory. If you are uninstalling and reinstalling CSA MC, this will give you an easy way to restore your CSA MC's configuration.


Step 3 Reboot when prompted.


Note Uninstalling CSA MC does not uninstall the Microsoft SQL Server Desktop Engine (database). You must uninstall this separately from the Control Panel>Add/Remove Programs window if you are completely removing the product from your system.



Caution If you are upgrading to a new version of CSA MC, or if you are reinstalling the product on the same system, and you want to preserve your current configuration, you should select to Backup the Database during the uninstall when you are prompted to do so. If you do not back up the database, the uninstall removes all program files and configurations. (Note that this only applies to local database installations. CSA MC does not provide a backup mechanism for remote databases.)

Hotfix Information

After a hotfix is installed, administrators must clear the cache of the browsers they use to reach the updated CSA MC.

Clearing the cache in Internet Explorer


Step 1 From the Tools menu of Internet Explorer, select Internet Options.

Step 2 In the Temporary Internet files section click Delete Files.

Step 3 In the Delete Files dialog box, select Delete all offline content.

Step 4 Click OK to delete the content.

Step 5 Click OK to close the Internet Options dialog box.

Clearing the cache in Mozilla Firefox.


Step 1 From the Tools menu of Mozilla Firefox, click Clear Private Data.

Step 2 Make sure that Cache is selected.

Step 3 Click Clear Private Data Now.