Install Workflow Automation

This section covers the following topics:

Install NSO, CNC and CDG

To run CNC Workflow Automation, you must have previously installed Cisco Crosswork Network Controller (CNC), Crosswork Data Gateway (CDG), and Cisco Network Services Orchestrator (NSO). If you have not already installed these three foundational applications, or upgraded them to the required versions, you must to do so before continuing.

For help installing or upgrading to CNC 7.1 and CDG, see the Cisco Crosswork Network Controller 7.1 Installation Guide. Ensure that you perform a cluster install on one of the supported hypervisor platforms.

For help installing NSO, see the System Install documentation for NSO 6.4.1. For help upgrading to the required minimum version, see the 6.4.1 Upgrade NSO document.

Install the Crosswork Premier application package

This topic explains how to install CNC Workflow Automation on cluster installations of Cisco Crosswork Network Controller (CNC)

CNC applications are offered as packages. There are four packages, named Essentials, Advantage, Premierand Add-on. Each package contains one or more installable applications, stored in a format unique to Crosswork known as a CAPP (Crosswork APPlication).

To download and install the CAPPs in a CNC application package:

  1. Download and decompress the signed version of the CNC application package file.

  2. Use Python to verify the extracted files.

  3. Add the CAPPs to CNC.

  4. Install the CAPPs.

  5. Activate the installed CAPPs.

The following steps provide detail on how to perform each of these tasks.

Procedure

Step 1

Download and decompress the signed application package file:

  1. Navigate to cisco.com and download to an accessible storage location the signed CNC package. For example:

  2. Decompress the signed CNC package and extract its files using a command like this: tar -xvf <signature file>

    For example:

    cd <folder where tar was downloaded>
tar -xvf signed-cw-na-cncpremier-7.1.0-85-release700-.tar.gz 
README
cw-na-cncpremier-7.1.0-85-release700-.tar.gz
cw-na-cncpremier-7.1.0-85-release700-240823.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3
cisco_x509_verify_release.py

Step 2

Use Python to validate the extracted files:

Note

 

Use python --version to find out the version of Python on your machine.

If you do not have python installed, go to python.org and download the version of python that is appropriate for your environment.

If you are using Python 2.x, use the following command to validate the file:

python cisco_x509_verify_release.py -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

If you are using Python 3.x, use the following command to validate the file:

python cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

Step 3

Add the CAPPs to CNC:

  1. Log into CNC and select Administration > Crosswork Manager. The Crosswork Summary page is displayed with Crosswork Cluster and Crosswork Platform Infrastructure tiles.

  2. Click on Application Management and select the Applications tab.

  3. Click on the Add File (.tar.gz) option to add the application package that contains the CAPP files.

    When adding a CNC CAPP, there is no need to untar the package. You can add the CAPP tarball to CNC as is. The applications within the CAPP are all automatically added when you add the package. You can then install the individual applications as needed.

  4. In the Add File dialog box, enter the relevant information and click Add.

    The add operation progress is displayed on the Applications screen. You can also view the installation progress in the Job History tab.

    When adding a CAPP, the loading process may stop at 50 percent for awhile, depending on the resources your host platform has available.

    CNC displays the newly added CAPPs as tiles on the Applications screen.

Step 4

Install the CAPPs:

Click on the Install prompt on each of the application tiles in the following sequence only:

  1. Element Management Functions (available in Essentials, Advantage, and Premium)

  2. Optimization Engine (available in Advantage and Premium)

  3. Active Topology (available in Advantage and Premium)

  4. Service Health (available in Advantage and Premium)

  5. Workflow Manager (available in Premier only)

  6. Workflow Manager Solutions (available in Premier only)

  7. Change Automation (available in Add-On only)

  8. Health Insights (available in Add-On only)

You can also install by clicking the more icon on the tile, and then selecting the Install option from the drop down list.

Once an application is installed, you will see changes in the application tile. All the related resources, UI screens and menu options are dynamically loaded in the Crosswork UI. The 90-day evaluation period will also start. You can register the application with your Cisco Smart Account in the Smart License tab.

Step 5

Activate the installed CAPPs:

To become functional, an installed CAPP must be activated. Unless a problem occurs, activation is automatic the first time you install a CAPP. Later re-installs (when, for example, upgrading to a higher license tier) require manual activation. To manually activate a CAPP, click the more icon on the application tile, then select Activate.

Step 6

(Optional) Once all CAPPs are installed and activated, check the health of the environment to make sure all the applications are healthy. Click the more icon on the application tile and select the View Details option to view details of the installed application. Note that it can take up to an hour for all the processes to launch and for the applications to report as healthy. If a newly installed application is not healthy after an hour, contact your Cisco Customer Experience team.

Create CNC Providers and Credential Profiles

A Cisco Crosswork Network Controller (CNC) Provider is a helper application that lets CNC perform special functions. Cisco Network Services Orchestrator (NSO) is a type of CNC Provider. Its special function is accessing and controlling your network devices.

CNC Credential Profiles store login user names and passwords in a secure fashion. CNC uses them to let Workflow Automation authenticate with CNC Providers like NSO when they attempt to access your devices.

Before continuing, follow the instructions in the Cisco Crosswork Network Controller Administrator Guide topic Create Credential Profiles to create two or more CNC Credential Profiles like these:

  1. NSO Credential Profile: Name it NSO-Credential or any other unique name you find meaningful. Give it a Connectivity type protocol of SSH, and a Username and Password that match the username and password of a user with administrator privileges on your NSO server.

  2. Device Credential Profile: Name it devices-profile or any other unique name . Add to it as many Connectivity type protocols (SSH, NETCONF, HTTP, HTTPS, and so on), with corresponding usernames and passwords, as appropriate for the devices you intend to manage using Workflow Automation. You can create multiple device Credential Profiles if you have groups of devices using the same protocols but with different credentials.

Once you have created these Credential Profiles, follow the instructions in the Cisco Crosswork Network Controller Administrator Guide topic Add Cisco NSO Providers to add an NSO provider that uses the NSO credential profile you created above. This will allow Workflow Automation to authenticate with NSO.

If you already have created CNC Credential Profiles and an NSO Provider, consider modifying them to use the parameters given here.

Deploy the NSO Function Packs

Use the Crosswork Network Controller (CNC) NSO Deployment Manager to deploy the CNC Premier NSO function packs on NSO. These function packs will provide the basic inventory management and other NSO capabilities needed to use CNC Workflow Automation. You will also need to log in to NSO to ensure that NACM is enabled and that other NSO settings are properly configured.

Before you begin

Ensure you have added NSO as a provider as explained in Create CNC Providers and Credential Profiles

Procedure

Step 1

Log in to CNC and choose Administration > Crosswork Manager > NSO Deployment Manager.

Step 2

Under NSO Deployment Manager, choose the NSO function pack bundles tab and click the check box next to CWM SOLUTIONS FP. Then click the Deploy button to start the deployment process.

NSO Deployment Manager

Step 3

When prompted on the first Provide credentials page, provide the SSH User name, password and Sudo password credentials.

Providing Credentials

Step 4

On the Deployment target page, select Non-HA in the High Availability column, as shown below.

Deployment Target

Step 5

When prompted on the Review & Deploy page, click Deploy.

Step 6

Click the Job History tab to monitor the NSO deployment as it proceeds. You will see the packages listed in the Job Details window for the running job.

Job Details for the Functon Pack Bundles

Step 7

When the job is listed as Succeeded, click the Installed NSO function packs tab and expand the NSO provider to verify that the packages are all installed.

The package list should look like the illustration below.

Installed NSO Functon Pack List

You can also verify that all the packages are installed correctly by running the show packages command on NSO and comparing the command output with the list shown below. 

admin1@ncs% run show packages package oper-status | tab
                                                                                                         PACKAGE
                           PROGRAM                                                                       META     FILE
                           CODE     JAVA           PYTHON         BAD NCS  PACKAGE  PACKAGE  CIRCULAR    DATA     LOAD   ERROR
NAME                   UP  ERROR    UNINITIALIZED  UNINITIALIZED  VERSION  NAME     VERSION  DEPENDENCY  ERROR    ERROR  INFO   WARNINGS
------------------------------------------------------------------------------------------------------------------------------------------
cisco-ios-cli-6.107    X   -        -              -              -        -        -        -           -        -      -      -
cisco-iosxr-cli-7.62   X   -        -              -              -        -        -        -           -        -      -      -
cisco-ztp              X   -        -              -              -        -        -        -           -        -      -      -
dlm-svc                X   -        -              -              -        -        -        -           -        -      -      -
fleet-upgrade          X   -        -              -              -        -        -        -           -        -      -      -
goldenconfig           X   -        -              -              -        -        -        -           -        -      -      -
inventory              X   -        -              -              -        -        -        -           -        -      -      -
inventory-junos        X   -        -              -              -        -        -        -           -        -      -      -
juniper-junos-nc-4.18  X   -        -              -              -        -        -        -           -        -      -      -
resource-manager       X   -        -              -              -        -        -        -           -        -      -      -
 
[ok][2025-04-22 12:06:26]
 
[edit]
admin1@ncs% run show packages package package-version  | tab
                       PACKAGE
NAME                   VERSION
--------------------------------
cisco-ios-cli-6.107    6.107.2
cisco-iosxr-cli-7.62   7.62
cisco-ztp              2.0.0
dlm-svc                7.1.0
fleet-upgrade          2.0.0
goldenconfig           2.0.0
inventory              2.0.0
inventory-junos        2.0.0
juniper-junos-nc-4.18  4.18.8
resource-manager       4.2.9

Step 8

If you haven't already done so, log in to NSO and set the following device global settings in configuration mode. These NSO settings are required for Fleet Upgrade. 

admin@ncs% set devices global-settings connect-timeout 600
admin@ncs% set devices global-settings read-timeout 600
admin@ncs% set devices global-settings write-timeout 600
admin@ncs% set devices global-settings ssh-algorithms public-key ssh-rsa
admin@ncs% set devices global-settings trace pretty
admin@ncs% set devices global-settings ned-settings cisco-iosxr read admin-show-running-config false
admin@ncs% commit
 
admin@ncs% show devices global-settings
connect-timeout 600;
read-timeout    600;
write-timeout   600;
ssh-algorithms {
    public-key [ ssh-rsa ];
}
trace           pretty;
ned-settings {
    cisco-iosxr {
        read {
            admin-show-running-config false;
        }
    }
}

Step 9

Note that NACM is required for NSO. Ensure the Linux user has ncsadmin rights to perform functions on NSO.

admin@ncs% set nacm groups group ncsadmin user-name admin
admin@ncs% commit
 
 
admin@ncs% show nacm
read-default     deny;
write-default    deny;
exec-default     deny;
groups {
    group ncsadmin {
        user-name [ admin private ];
    }
    group ncsoper {
        user-name [ public ];
    }
}

Step 10

Copy the ncs_backup.sh, ncs_restore.sh and get_technical_support_data.sh scripts from the provided bundle to the scripts directory under the NCS_RUN_DIR, and update the permissions of the copied scripts to make them executable. 

# Locate the NCS_RUN_DIR using the following command
cat /etc/systemd/system/ncs.service | grep NCS_RUN_DIR=
 
# Update the permissions
chmod +x ncs_backup.sh ncs_restore.sh get_technical_support_data.sh