Installation tasks


Workflow for deploying and configuring Crosswork Data Gateway with Crosswork Cloud

These stages describe the high-level deployment process.

  1. Decide when you want to get the enrollment token

    The enrollment token is required to establish communication between the Crosswork Data Gateway and Crosswork Cloud. You can enable enrollment for Crosswork Data Gateway in two ways: during installation or configuration, or after installation.

    Irrespective of when you obtain the token, ensure that the token is entered correctly to allow the Crosswork Data Gateways to connect with the controller.

  2. Deploy the Crosswork Data Gateway VM

    Deploy the Crosswork Data Gateway as a base Virtual Machine (VM) on a preferred virtualization platform. See Deploy Crosswork Data Gateway.

  3. If you elected not to use auto-enrollment in step 1 of this workflow, enroll Crosswork Data Gateway using the token. See Enroll Crosswork Data Gateway.

  4. Register Crosswork Data Gateway with Crosswork Cloud

    After deploying the Crosswork Data Gateway VM and applying the enrollment token, register the Data Gateway with Crosswork Cloud. Once registered, Crosswork Cloud takes over management of the Data Gateway and automatically pushes the necessary collection job configurations. This setup allows the Data Gateway to focus on efficient data collection from network devices, while Crosswork Cloud handles orchestration and job management. See Register Crosswork Data Gateway with Crosswork Cloud applications.

  5. Verify the Crosswork Data Gateway connection

    Confirm that the Crosswork Data Gateway is connected to Crosswork Cloud and collecting data from your network devices. See Verify Crosswork Data Gateway connection.

Along with the deployment stages, review these concepts and configurations to ensure proper deployment of the Crosswork Data Gateway:

Platforms supporting Crosswork Data Gateway deployment

You can deploy Crosswork Data Gateway on these virtualization platforms:

  • VMware vCenter

  • OpenStack

Considerations for configuring Crosswork Data Gateway deployment

Before deploying Crosswork Data Gateway, review these concepts.

Crosswork Data Gateway VM instances

Decide on the number of Crosswork Data Gateway VM instances that you want to install.

vNIC role mapping

The system automatically assigns a role to each vNIC based on the number of vNICs you configure. Each role determines the type of traffic handled by that vNIC. In most deployments, the default role-to-vNIC mappings are appropriate and do not require changes. For information about the vNIC mappings, see Supported interfaces.

If you need to modify the default traffic mappings during installation, make changes only when absolutely necessary. To ensure proper configuration and support, always consult the Cisco Customer Experience team before implementing any modifications.

vNIC configuration

Crosswork Data Gateway supports three vNIC configuration options. The configuration you choose depends on how you plan to secure your network and segregate different types of traffic.

vNIC IPv4 or IPv6 address configuration methods

Decide whether you want to use DHCP or Static as the addressing method for the VMs. When using static addressing for your virtual machines, it's important to have the network information such as IP addresses, subnets, and ports ready for each VM.

Auditd messages configuration

To enable Crosswork Data Gateway to send Auditd messages, configure the remote server. To forward the Auditd messages to an external Auditd server, you must configure some additional parameters.

Proxy servers

If you use a proxy server, configure the proxy parameters for Crosswork Data Gateway to connect to the Internet via TLS.

Enrollment token (package)

Crosswork Data Gateway must enroll with Crosswork Cloud to communicate securely. The enrollment happens through the enrollment token.

You can enable enrollment for Crosswork Data Gateway in two ways:

  • During installation or configuration: Generate an enrollment token ahead of time and apply it when installing or configuring the Data Gateway. To enable automatic enrollment, either create a new token or reuse an existing one.

  • After installation: If the Data Gateway is already deployed, you can still acquire and apply an enrollment token to enable the enrollment process.

Security group rules and policies

Plan and decide on the security group rules and policies before you create and use them.

Configuration parameters required for Crosswork Data Gateway deployment

The tables in this section describe the labels and keys required to deploy Crosswork Data Gateway.

Each label maps to a corresponding value that is either:

  • Automatically collected when using the VMware template, or

  • Manually provided in the configuration file when deploying the node using the OVF Tool or other installation methods.

Table details:

  • Labels represent the parameters that you can configure in the VMware UI.

  • Keys correspond to field values in the OVF script that align with your configuration.

  • Mandatory parameters are denoted with an asterisk (*). You require these parameters for successful deployment.

  • Optional parameters are the parameters that you can choose based on your deployment scenario.

  • Parameters with additional procedures are denoted with double asterisks (**). You can configure these parameters during installation or later through additional procedures.

Guidelines for deploying Crosswork Data Gateway with correct parameters

  • When mandatory parameters are not specified, Crosswork Data Gateway will be deployed with default values. However, these default values may not align with your environment requirements and could lead to unintended behavior.

  • Ensure that the correct parameter values are entered during deployment. If an incorrect value is provided, you must destroy the current Crosswork Data Gateway VM, create a new one, and reenroll it with Crosswork Cloud.

Table 1. Host

| Label | Key | Description |
|---|---|---|
| Hostname* | Hostname | A unique name you assign to the Cisco Crosswork Data Gateway VM. It must be a fully qualified domain name (FQDN). |
| Description* | Description | A detailed description of the Crosswork Data Gateway. |
| Label | Label | A label you assign for Cisco Crosswork Cloud to use in categorizing and grouping multiple Crosswork Data Gateway instances. |
| AllowRFC8190* | AllowRFC8190 | Indicate whether Crosswork Data Gateway will automatically allow addresses in an RFC 8190 range. The default value is Yes. |
| Private Key URI | DGCertKey | If you want to use certificates other than the Crosswork Cloud self-signed certificates, provide the URI to the private key file for session key signing. You can retrieve this using SCP (user@host:path/to/file). Certificate chains override any preset or generated certificates in the Crosswork Data Gateway and are given as an SCP URI (user@host:/path/to/file). The host with the URI files must be reachable on the network (in the vNIC0 interface via SCP) and the files must be present at the time of install. |
| Certificate File and Key Passphrase | DGCertChainPwd | SCP user passphrase to retrieve the Crosswork Data Gateway PEM formatted certificate file and private key. |
| Data Disk Size | DGAppdataDisk | Size in GB of a second data disk. The default size is 24GB. To change the default value, consult a Cisco representative. |
| Enrollment Passphrase** | EnrollmentPassphrase | SCP user passphrase to transfer enrollment package. |

Table 2. Passphrases

| Label | Key | Description |
|---|---|---|
| dg-admin Passphrase* | dg-adminPassword | A password that is 10–64 characters. |
| dg-oper Passphrase* | dg-operPassword | A password that is 10–64 characters. |

Table 3. vNIC role mapping

| vNIC roles that map to... | Ethernet interface |
|---|---|
| NicControl, NicNBExternalData, and NicSBData | eth1 |
| NicSBData | eth2 |
| NicControl and NicNBExternalData | eth1 |

Table 4. Interfaces

vNIC role assignment

| Label | Key | Description |
|---|---|---|
| NicDefaultGateway* | NicDefaultGateway | Interface used as the Default Gateway for processing the DNS and NTP traffic. Traffic that is not assigned to any other interface is defaulted to this interface. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicAdministration* | NicAdministration | Interface used to route the traffic associated with the administration of the Crosswork Data Gateway. The interface uses the SSH Protocol through the configured port. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicExternalLogging* | NicExternalLogging | Interface used to send logs to Crosswork Cloud. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicManagement* | NicManagement | Interface used to send the enrollment and other management traffic. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicControl* | NicControl | Interface that is used for sending the destination, device, and collection configuration. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicNBSystemData* | NicNBSystemData | Interface used to send the collected data to the system destination. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicNBExternalData* | NicNBExternalData | Interface used to send collection data to Crosswork Cloud. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |
| NicSBData* | NicSBData | Interface used to collect data from all devices. Options are eth0, eth1, eth2, or eth3. The default value is eth0. |

vNIC IPv4 address

Note: Assign an IPv4 address to each vNIC (vNIC0, vNIC1, vNIC2) based on the number of network interfaces you intend to use.

| Label | Key | Description |
|---|---|---|
| vNIC IPv4 Method* | Vnic0IPv4Method, Vnic1IPv4Method, Vnic2IPv4Method | Options are None, Static, or DHCP. Note: DHCP support is enabled only for deployments performed using the QCOW2 images. To use the IPv4 address, select Method as Static or DHCP, and select the vNICxIPv6 Method as None. The default value for Method is None. |
| vNIC IPv4 Address | Vnic0IPv4Address, Vnic1IPv4Address | IPv4 address of the interface. |
| vNIC IPv4 Netmask | Vnic0IPv4Netmask, Vnic1IPv4Netmask | IPv4 netmask of the interface in dotted quad format. |
| vNIC IPv4 Skip Gateway | Vnic0IPv4SkipGateway, Vnic1IPv4SkipGateway | Options are True or False. Selecting True skips configuring a gateway. The default value is False. |
| vNIC IPv4 Gateway | Vnic0IPv4Gateway, Vnic1IPv4Gateway | IPv4 address of the vNIC gateway. |

vNIC IPv6 address

Note: Assign an IPv6 address to each vNIC (vNIC0, vNIC1, vNIC2, and so on) based on the number of network interfaces you intend to use.

| Label | Key | Description |
|---|---|---|
| vNIC IPv6 Method* | Vnic0IPv6Method, Vnic1IPv6Method | Options are None, Static, DHCP or SLAAC (QCOW2 only). The default value for Method is None. Note: DHCP support is enabled only for deployments performed using the QCOW2 images. |
| vNIC IPv6 Address | Vnic0IPv6Address, Vnic1IPv6Address | IPv6 address of the interface. |
| vNIC IPv6 Netmask | Vnic0IPv6Netmask, Vnic1IPv6Netmask | IPv6 prefix of the interface. |
| vNIC IPv6 Skip Gateway | Vnic0IPv6SkipGateway, Vnic1IPv6SkipGateway | Options are True or False. Selecting True skips configuring a gateway. The default value is False. |
| vNIC IPv6 Gateway | Vnic0IPv6Gateway, Vnic1IPv6Gateway | IPv6 address of the vNIC gateway. |

Table 5. Servers

DNS servers

| Label | Key | Description |
|---|---|---|
| DNS Address* | DNS | Space-delimited list of IPv4 or IPv6 addresses of the DNS server accessible in the management interface. |
| DNS Search Domain | Domain | DNS search domain. The default value is localdomain. |
| DNS Security Extensions | DNSSEC | Options are False, True, or Allow-Downgrade. Select True to use DNS security extensions. The default value is False. |
| DNS over TLS | DNSTLS | Options are False, True, or Opportunistic. Select True to use DNS over TLS. The default value is False. |
| Multicast DNS | mDNS | Options are False, True, or Resolve. Select True to use multicast DNS. The default value is False. |
| Link-Local Multicast Name Resolution | LLMNR | Options are False, True, Opportunistic, or Resolve. Select True to use link-local multicast name resolution. The default value is False. |

NTP servers

| Label | Key | Description |
|---|---|---|
| NTPv4 Servers* | NTP | NTPv4 server list. Enter a space-delimited list of IPv4, IPv6 addresses, or hostnames of the NTPv4 servers accessible in the management interface. |
| Use NTPv4 Authentication | NTPAuth | Select True to use NTPv4 authentication. The default value is False. |
| NTPv4 Keys | NTPKey | Key IDs to map to the server list. Enter a space-delimited list of Key IDs. |
| NTPv4 Key File URI | NTPKeyFile | SCP URI to the chrony key file. |
| NTPv4 Key File Passphrase | NTPKeyFilePwd | Password of SCP URI to the chrony key file. |

Remote syslog server

| Label | Key | Description |
|---|---|---|
| Use Remote Syslog Server* | UseRemoteSyslog | Select True to send syslog messages to a remote host. The default value is False. |
| Syslog Server Address | SyslogAddress | IPv4 or IPv6 address of a syslog server accessible in the management interface. Note: If you are using an IPv6 address, surround it with square brackets ([1::1]). |
| Syslog Server Port | SyslogPort | Port number of the optional syslog server. The port value can range 1–65535. By default, this value is set to 514. |
| Syslog Server Protocol | SyslogProtocol | Options are UDP, TCP, or RELP to send the syslog. The default value is UDP. |
| Syslog Multiserver Mode | SyslogMultiserverMode | Multiple servers in the failover or simultaneous mode. This parameter is applicable when the protocol is non-UDP (UDP must use Simultaneous). Options are Simultaneous or Failover. The default value is Simultaneous. |
| Use Syslog over TLS | SyslogTLS | Select True to use TLS to encrypt syslog traffic. The default value is False. |
| Syslog TLS Peer Name | SyslogPeerName | The syslog server hostname exactly as entered in the server certificate SubjectAltName or subject common name. |
| Syslog Root Certificate File URI | SyslogCertChain | URI to the PEM formatted root cert of syslog server retrieved using SCP. |
| Syslog Certificate File Passphrase | SyslogCertChainPwd | Password of SCP user to retrieve Syslog certificate chain. |

Remote Auditd server

| Label | Key | Description |
|---|---|---|
| Use Remote Auditd Server* | UseRemoteAuditd | Select True to send an Auditd message to a remote host. The default value is False. |
| Auditd Server Address | AuditdAddress | Hostname, IPv4, or IPv6 address of an optional Auditd server. |
| Auditd Server Port | AuditdPort | Port number of an optional Auditd server. The default port number is 60. |

Table 6. Controller and proxy settings

| Label | Key | Description |
|---|---|---|
| Proxy Server URL | ProxyURL | URL of an optional HTTP proxy server. |
| Proxy Server Bypass List | ProxyBypass | Comma-separated list of addresses and hostnames that will not use the proxy. |
| Authenticated Proxy Username | ProxyUsername | Username for authenticated proxy servers. |
| Authenticated Proxy Passphrase | ProxyPassphrase | Passphrase for authenticated proxy servers. |
| HTTPS Proxy SSL/TLS Certificate File URI | ProxyCertChain | HTTPS proxy PEM formatted SSL/TLS certificate file retrieved using SCP. |
| HTTPS Proxy SSL/TLS Certificate File Passphrase | ProxyCertChainPwd | Password of SCP user to retrieve proxy certificate chain. |

Table 7. Enrollment package

| Label | Key | Description |
|---|---|---|
| Autoenrollment token | CloudEnrollmentToken | Configure the maximum number of times an auto-enrollment token can be used. Note: Each token should be allocated per Crosswork Data Gateway you plan to deploy. We recommend provisioning one token per Crosswork Data Gateway, plus an additional spare token to accommodate potential Crosswork Data Gateway replacements. The default values are: Number of uses: 5; Expiry: 30 days. The maximum accepted values are: Number of uses: 50; Expiry: 366 days. |
| Enrollment Destination Host and Path | EnrollmentURI | SCP host and path to transfer the enrollment package using SCP (user@host:/path/to/file). |
| Enrollment Passphrase | EnrollmentPassphrase | SCP user passphrase to transfer enrollment package. |
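
An incorrect value means destroying the VM and re-enrolling, so the constraints in the tables above are worth checking before deployment. The following is an added example, not Cisco tooling or code from this guide: it assumes a file of KEY=value lines (as in the CloudEnrollmentToken= entry of the OVF Tool script and config.txt), checks only vNIC0, and its REQUIRED list and TLS warning are this example's own choices.

```python
import ipaddress
import re

# Option sets and defaults copied from the parameter tables on this page.
OPTIONS = {
    "DNSSEC": {"False", "True", "Allow-Downgrade"},
    "DNSTLS": {"False", "True", "Opportunistic"},
    "SyslogProtocol": {"UDP", "TCP", "RELP"},
    "SyslogMultiserverMode": {"Simultaneous", "Failover"},
    "Vnic0IPv4Method": {"None", "Static", "DHCP"},
    "Vnic0IPv6Method": {"None", "Static", "DHCP", "SLAAC"},
}
DEFAULTS = {
    "SyslogPort": "514", "SyslogProtocol": "UDP", "SyslogTLS": "False",
    "SyslogMultiserverMode": "Simultaneous", "UseRemoteSyslog": "False",
    "Vnic0IPv4Method": "None", "Vnic0IPv6Method": "None",
}
# Assumption: the starred parameters for which the tables give no default.
REQUIRED = ("Hostname", "Description", "dg-adminPassword",
            "dg-operPassword", "DNS", "NTP")
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$")


def parse_config(text):
    """Parse KEY=value lines; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: values may contain '='
        params[key.strip()] = value.strip().strip('"')
    return params


def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def validate(params):
    """Return (errors, warnings) for a parsed parameter dictionary."""
    errors, warnings = [], []
    cfg = {**DEFAULTS, **params}  # documented defaults fill unset keys
    for key in REQUIRED:
        if not cfg.get(key):
            errors.append(f"{key}: mandatory value is missing")
    if cfg.get("Hostname") and not FQDN_RE.match(cfg["Hostname"]):
        errors.append("Hostname: must be a fully qualified domain name")
    for key in ("dg-adminPassword", "dg-operPassword"):
        if cfg.get(key) and not 10 <= len(cfg[key]) <= 64:
            errors.append(f"{key}: must be 10-64 characters")
    for key, allowed in OPTIONS.items():
        if key in cfg and cfg[key] not in allowed:
            errors.append(f"{key}: expected one of {sorted(allowed)}")
    port = cfg["SyslogPort"]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        errors.append("SyslogPort: must be in the range 1-65535")
    if (cfg["SyslogProtocol"] == "UDP"
            and cfg["SyslogMultiserverMode"] != "Simultaneous"):
        errors.append("SyslogMultiserverMode: UDP must use Simultaneous")
    syslog = cfg.get("SyslogAddress", "")
    if ":" in syslog and not (syslog.startswith("[") and syslog.endswith("]")):
        errors.append("SyslogAddress: surround an IPv6 address with []")
    for server in cfg.get("DNS", "").split():
        if not is_ip(server):
            errors.append(f"DNS: {server!r} is not an IPv4 or IPv6 address")
    if cfg["Vnic0IPv4Method"] != "None" and cfg["Vnic0IPv6Method"] != "None":
        errors.append("Vnic0IPv6Method: must be None when IPv4 is in use")
    # Hardening warning: this example's own policy, not a product rule.
    if cfg["UseRemoteSyslog"] == "True" and cfg["SyslogTLS"] != "True":
        warnings.append("SyslogTLS: remote syslog is enabled without TLS")
    return errors, warnings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
Hostname=cdg-lab-01
Description=Lab gateway
dg-adminPassword=short
dg-operPassword=Long-Enough-Passphrase-1
DNS=192.0.2.53 2001:db8::53
NTP=ntp.example.com
Vnic0IPv4Method=Static
UseRemoteSyslog=True
SyslogAddress=2001:db8::514
SyslogProtocol=UDP
SyslogMultiserverMode=Failover
"""
```

Calling validate(parse_config(SAMPLE)) reports the hostname, the short dg-admin passphrase, the UDP failover mode and the unbracketed IPv6 syslog address as errors, and the missing syslog TLS as a warning.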

Enrollment tokens

An enrollment token is a unique JSON formatted registration file containing digital certificates that are used to enroll Crosswork Data Gateway with Crosswork Cloud. The token is used to authenticate each Crosswork Data Gateway with Crosswork Cloud and is required as part of the deployment process.

This is an example of the contents in an enrollment token file.

{
  "name": "cdg450-test01",
  "description": "cdg500-test01",
  "profile": {
    "cpu": 8,
    "memory": 31,
    "nics": 1,
    "base_vm": "true"
  },
  "interfaces": [
    {
      "name": "eth0",
      "mac": "xx:xx:xx:xx:xx:xx",
      "ipv4Address": "x.x.x.x/24",
      "roles": "ADMINISTRATION,CONTROL,DEFAULT_GATEWAY,EXTERNAL_LOGGING,MANAGEMENT,NB_EXTERNAL_DATA,NB_SYSTEM_DATA,SB_DATA"
    }
  ],
  "certChain": [
"MIIJcjCCBVqgAwIBAgIUVBf8hVppCcDBA+yZG6tzIEvq/mEwDQYJKoZIhvcNAQENBQAwLDELMAkGA1UECgwCREcxHTAbBgNVBAMMFG1hbmFzLWNkZzQ1MC
10ZXN0MDExMB4XDTIzMDIwMTE3MTQ0OVoXDTQzMDIwMjE3MTQ0OVowLDELMAkGA1UECgwCREcxHTAbBgNVBAMMFG1hbmFzLWNkZzQ1MC10ZXN0MDExMIIEIjANB
gkqhkiG9w0BAQEFAAOCBA8AMIIECgKCBAEAuvgTWyIDi6FOlecovhbUoGagARPQ32QBkz3s07QgpkatyJalHUYTeseGi0rAPKfzDXoeTZioK5JphDKLRnSze6XJBM
kNpaNyhRTEXWcR/Dds5lRzMQ9qwY3NpWuYlJLKgmbxypabttakLGs0FjXNuqBm4RL3XrhMMooRDkwf7YF5WSMQnszfTGRfDtEVMPMC3xeIul9FLkULSl8FaPgt2cJN
ylK9Z0l9KeRxpQHP0M5G+d3Nt0ytEFkCdTyjKlwhJRmdpXUcoqaXJLHygl29XbuKMJA58ByurbWhR/0th7VAzFFSM5/mncVrvoG0NH8pxpXl6ZMPKDyLeHRkyX6EOBb
kwPD3ysEmT/Hw+XsVbOpt8alLQeaQK8MaOsbManZ0ksR8DZk/g8QUXwFWoRsNnq8+GfpvBdzVkoyT1irp43QFrsXxdpTX8pATlwNxoZOkD21jDK7sYTQoNHxK1A1KRu
YTMHDQZt30C5oHRvZfA9V95MWxt+oRaUhdq7JXG8UYyDc/FhVmoqlbEE8ossdBiGwncz/xQ4jaEmAu3UAWFWRISFZuSLdoPD/PsgfblPpYFhnuq/5Um49HB2PYXZuI
yJaKbhX6FAzD49dE6Zm5VuaZPrfPm8v4mu/2l+PPhTfY17nYyXRwBMCX7ZwXtfyZ+bH3xSgi7rG3Vqkte4XqNL/lVkHod2SXKWQ4M/l/cV0FDNX9ifVwPtlmUQgRlen
KvzXWSxCqXCK3o1qjz1TELPUPvvkKoZk3x6AqD5IZoriWX5CGHv1ikqHQCD1V9DatnbmIHPVtVQyM30TycVw8uOHJLDqU130LqDCl26kORCT26muJRi35DN4NpIszh2
oBAaYH6hy7rZaIMIC/Uw6BZ4AJ4k4Bpobv1yrDxf0xeg5Nvf47/GP+LLsn9JeaRhUOdFF8xcNINHjXvH8IfJ72H1IlH1srRB73+V4w3rCC92lsDK8sxN8YAssQm+IRa
Ze6Pw4lvddlfu1VYs7PqYwI9LSbeCePzPbKZ4zgl7/A2Ijh8XsV52HZ7shOPgUyaNbjvBi/+/0pI3wILFTbawVAmlEOTOekYm+N1pWWcwH9sB6SEXjG7mLl1jGWFHqV
nduZtjABjWhPE2ZHluZW1A2aLU25Lhd4do+DeDwtsMiMOgvIkSm5c5YS2xjDvZmJF2pf85AY0brVUjRep0z46p3D+zFtuW9DPYn65M+Bypf+OZTms7TfhUXxZlwKCLEM
xvcUc0gc6eOeMhF2lDC26cLBbE2eY5Y99mu8RtQPOLeCC9tcaYifhOB2f9pEGFOuX3DnSc0oXFzhBo9IZhCNUyPjvp1H/bERuFAiENGo0QPy3+vf+LMQK3JKX0BLpMF2Hc
0KhwIDAQABo4GLMIGIMB0GA1UdDgQWBBRBbcosvgUjVkqagHBuZ2UHslsiTzAfBgNVHSMEGDAWgBRBbcosvgUjVkqagHBuZ2UHslsiTzAPBgNVHRMBAf8EBTADAQH/MDUG
A1UdEQQuMCyCFG1hbmFzLWNkZzQ1MC10ZXN0MDExghRtYW5hcy1jZGc0NTAtdGVzdDAxMTANBgkqhkiG9w0BAQ0FAAOCBAEAoLczUuKA4Z8RC5QMVTyx9xeFMslPx7XEF2z
DOhesdTs1SVUDoolp1KaQa5hyYtyD5fwzipSgY4H1ylTkyrB+LVbVrGAE6K5A1//rMaft7KWbhJqx57O6FY0JghefGpVyAZ/gW/HI9uxPbDaWHG/SNXPH3zRb/mEIX2vksG
1rpYFlUDap2rDoGNahMC7ueNeDcPYMU9F5hTQeI/goqg31BE6uUI6mY9gfoMZ94EFcs/R1kI1XR/YwzoCibRWtiJqiZRIuZHX3rYa2vYX8QWIV9BXcVx561r342dTy5/1w9F
ZZHL0SQiWjXozOHFEHBwoMCLo4SbQRuWj8qFg4+dGGuBZvpZkGiaB7bwgbBx/JzOpEC0Kv5IZ9YGVnDeX7O9idNkAIRZsbE88U+VZu6D1XstrrRlPmbC/cgPbo3iXTHJZkXa9
4734TSBYI1si1uJzAzJXfAYLYR0yoYYoxx7xS4/up0U0amess/HaQcuElOBiYS+/cEnF5r4QT9rQQITK43G2Gi40vTX6kFYjmKD9Tk7A++ToEWt+BfNIlYjoNHbR8vyrMCFI
J4AlzLYu5/229Vog62LTdpupXJxC7s8sBzfU6TrdCJx0A2FhiHQFS3E1rZAnBpYPkzAGLQBeArlslwOH5cMAgxyOG2wFgca5Ce8PEJRFeB3M+oi3AOv8nJoseXfaPHyuhemDQ
o9XkBEg4w/PSq5rnM8vfWm6P1ajo2PbDJq8y8zP0yNjyEP8Dc6TL2bvHn4Jmzz/OQZ4m5a003UrmbDK+sQwUmNVfd7MMcqmVFvJmhOXc4lUi3srhwoPf5gK82m8S0/QhsWSoz
wGgKxPGT6NR46rRXBxXcuzYyAxSwrsPntMCNYRepCUmTFW4a7Ra9srSM06QcREmX7FlS3h4HetxB/4M/Krnx4XmNRQ+T4HnR9HXJnZ+KXaBkHIy8Lt55JrdlvNmGXcFU/uV9di
F08uwiO+ChhaZC8yfFG855f/dKdHanVBbp5fS47B3IYTC9AxF37q/6Hv1udZDzSkFbWqUWbANCgxOn4poCfePcAXKQ7iDcPr1JYu3XTJBpxzADKBqRa28G3Y1lriD0k7pb7HII
11YCdG10C53OmboLrhmnM6BFHYUGI0sMVWWmsiiDrCpblyn63khdBzzzA++9tnJtpOeFBOHo5GoJbSqfY+XnpZ5zr2Nt9mE61e8Cv8G4LFXkpCgkKJr5v/VshrFcFLlPCudU8Cy
PhpqONBGD0+YHOxhFGDcUCyM3rE7gGAAoh4rJD1wkq2WacVSF7fwmMdzGlAsb+LbBiDmaelQ6y17LeiWqA3xeSZLXQ7xyXHjYa3hWbjwvbAM17vI/9RvnHZSGYEjyNrEmWZuew=="
  ],
  "version": "7.1.0 (branch dg45x - build number 19)",
  "duuid": "a3bf6411-1ad0-418c-9957-eb199e9395e0",
  "profileType": "VM_PROFILE_STANDARD"
}

Guidelines for enrollment token creation

These guidelines help you create enrollment tokens.

  • Create multiple enrollment tokens as needed. For each token, set a validity period of up to one year from the creation date and define the number of Crosswork Data Gateways it can enroll (at least one gateway). See Create an enrollment token in Crosswork Cloud UI.

  • If you plan to deploy multiple Crosswork Data Gateways in a single installation, generate a single token with a usage limit equal to the number of Crosswork Data Gateways and an expiration date that matches the deployment timeline.

  • Create individual tokens for each Crosswork Data Gateway, especially when different team members are responsible for deployment.

  • Assign appropriate usage limits and expiration periods for each token. This approach helps prevent the sharing of a single token across multiple users and minimizes security risks.

  • Enrollment tokens are required only during the enrollment of a Crosswork Data Gateway to Crosswork Cloud. After a Crosswork Data Gateway has been enrolled, the enrollment token is no longer needed. Revoke the token unless you plan to enroll additional Crosswork Data Gateways.

  • If an enrollment token has unused quotas or valid durations and is not required for any future enrollment, delete it. As a security best practice, avoid retaining unused tokens to minimize the risk of unauthorized use. See Delete enrollment tokens.

Default user accounts

During deployment, Crosswork Data Gateway automatically creates three default user accounts. For details on the permissions associated with these accounts, see Supported user roles.

Table 8. Default Crosswork Data Gateway user accounts

| Username | Description | A password is created... |
|---|---|---|
| dg-admin | The administrator uses this ID to log in and troubleshoot Crosswork Data Gateway. | during deployment. |
| dg-oper | An operator uses this ID and can perform all read-only operations. There are limited read-write operations that an operator can perform. | during deployment. |
| dg-tac | A user uses this ID when troubleshooting Crosswork Data Gateway with Cisco. | when troubleshooting with Cisco. |

Deploy Crosswork Data Gateway

Follow these steps to deploy Crosswork Data Gateway VMs:

Procedure


Step 1

Determine if you want to configure autoenroll or obtain the enrollment token. See Autoenroll Crosswork Data Gateway with Crosswork Cloud.

Step 2

Deploy Crosswork Data Gateway on the preferred virtualization platform:

Step 3

Register Crosswork Data Gateway with Crosswork Cloud applications

Step 4

Verify Crosswork Data Gateway connection


Configure and enable enrollment tokens

To enable Crosswork Data Gateway to enroll with Crosswork Cloud, you must either create a new enrollment token or use an existing one. This token is required for seamless integration and can optionally be used to preconfigure Crosswork Data Gateway for automatic enrollment.

  1. Decide when to generate or use the enrollment token:


    Note: You can review the available tokens in the Crosswork Cloud UI by navigating to Configure > Data Gateways > Add Crosswork Data Gateway. Check the Remaining Uses column to ensure that the token has sufficient uses left.


  2. Based on your security preference, acquire the enrollment token via Base64 encoding scheme or export it using SCP. See Enroll Crosswork Data Gateway.

Create an enrollment token in Crosswork Cloud UI

Procedure


Step 1

Log in to Crosswork Cloud.

Step 2

From the main window, choose Configure > Data Gateways. The Data Gateways page opens.

Step 3

Click Add Crosswork Data Gateway.

Step 4

In the Crosswork Data Gateway page, click Manage Tokens.

Figure 1. Crosswork Cloud UI

Step 5

Click Create Enrollment Token.

The Create Enrollment Token window opens.

Step 6

Enter the token information:

  1. Token Name: Specify a unique name for the token that you are creating.

  2. Description: Enter a detailed description of the token.

  3. Number of Uses: Specify the permissible number of token uses. The minimum token usage limit is 1 and the maximum is 50.

  4. Valid Until: Specify the validity period for the token. The minimum duration is 1 day and the maximum is 366 days.

Figure 2. Create Enrollment Token Window

Step 7

Click Create.

The enrollment token is created and displayed in the View Enrollment Token window. The token's content is displayed in a secure JSON format.

Figure 3. Enrollment Token

Step 8

Click Copy to copy the token. Paste the copied enrollment token into the configuration file you intend to use when installing Crosswork Data Gateway.


Reuse an enrollment token in Crosswork Cloud

You can reuse an existing enrollment token to configure the Crosswork Data Gateway, provided the token still has available uses.

To check the number of uses left, choose Configure > Data Gateways > Add Crosswork Data Gateway in the Crosswork Cloud UI. This page lists the available tokens and their state. Review the Remaining Uses column.

Procedure


Step 1

Log in to Crosswork Cloud.

Step 2

From the main window, click Configure > Data Gateways. The Data Gateways page opens.

Step 3

Click Add Crosswork Data Gateway.

Step 4

In the Add Crosswork Data Gateway page, select the row corresponding to the token that you intend to use. When selecting an existing token, consider its expiration date. If the Crosswork Data Gateway will not be installed and registered before the expiration date, Cisco recommends you avoid using that token.

You can review the Valid Until column on the Add Crosswork Data Gateway page to determine the expiration information.

Figure 4. Crosswork Cloud UI

Note: Clicking on the Next button will take you to the next stage in the enrollment workflow. For example, upon choosing a row to use a pre-existing token and selecting Next, Crosswork displays the list of tokens for which the enrollment is pending.

Step 5

Click View Enrollment Token. The View Enrollment Token window displays the token in a secure JSON format.

Figure 5. Enrollment token

Step 6

Click Copy to copy the token. Paste the copied content in a local file.


What to do next

Paste the copied enrollment token into the configuration file you want to use when installing Crosswork Data Gateway.

Autoenroll Crosswork Data Gateway with Crosswork Cloud

You can choose to preconfigure a single or multiple Crosswork Data Gateway instances to enroll automatically with Crosswork Cloud using an enrollment token. You can opt to generate a fresh enrollment token (CloudEnrollmentToken) or make use of an existing token.

To enable auto-enrollment of Crosswork Data Gateway, complete these steps:

  1. Create an enrollment token in Crosswork Cloud UI

  2. Add the enrollment token to the configuration file

Add the enrollment token to the configuration file

Follow these steps to enable the automatic enrollment of Crosswork Data Gateway with Crosswork Cloud.

Before you begin

Make sure to copy the enrollment token from the Crosswork Cloud UI and keep it easily accessible.

Procedure


Step 1

During Crosswork Data Gateway deployment, paste the enrollment token in the applicable platform configuration file:

  • VMware

    • vCenter vSphere Client—Paste the token text into the Auto Enrollment Package Transfer > Enrollment Token UI field

    • OVF Tool—Locate the script and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • OpenStack—Locate the config.txt file and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

Step 2

Authorize Crosswork Data Gateway to access Crosswork Cloud.

  1. Log in to the Crosswork Cloud UI.

  2. From the main window, choose Configure > Data Gateways. The Data Gateways page opens.

  3. In the table, locate the recently enrolled Data Gateway and click Allow in the Actions column. This step allows Data Gateway to establish communication with the Crosswork Cloud application.


Enroll Crosswork Data Gateway

Use these two steps to manually enroll the Crosswork Data Gateway after it is deployed:

  1. Deploy Crosswork Data Gateway and generate an enrollment token from the Crosswork Data Gateway Interactive Console.

  2. Enter Crosswork Data Gateway details in Crosswork Cloud to complete the registration process.

Choose one of the following methods to obtain the enrollment token:

Obtain a Base64-encoded enrollment token

You can create an enrollment package file on your local machine by copying the package contents from the Interactive Console. The contents are secured in JSON format and encoded using Base64 encoding.

Follow these steps to obtain a Base64-encoded enrollment token.

Procedure

Step 1

Log in to Crosswork Data Gateway.

Step 2

From the Main Menu, choose Get Enrollment Package > Display base64 Encoded Enrollment Package. The enrollment package content is displayed on the console.

Step 3

Copy the package contents, paste it to a .json file, and save this file.


The enrollment file (Crosswork Cloud registration file) is generated with a unique .json name and can be uploaded to Crosswork Cloud.
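
A copied package can be checked offline before it is uploaded, covering both the token JSON shown under Enrollment tokens and the Base64 package described here. This is an added example, not part of the Cisco guide or product: it assumes the package is either JSON or Base64-wrapped JSON and that certChain entries are Base64-encoded DER, and the sample data is constructed.

```python
import base64
import binascii
import hashlib
import json
import uuid

# Top-level fields seen in the example token on this page.
EXPECTED_FIELDS = ("name", "interfaces", "certChain", "duuid")


def load_package(text):
    """Parse an enrollment package given as JSON or as Base64-wrapped JSON."""
    text = text.strip()
    if not text.startswith("{"):
        try:
            raw = base64.b64decode("".join(text.split()), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"neither JSON nor valid Base64: {exc}") from exc
    # strict=False tolerates the line breaks that a console copy/paste can
    # leave inside the long certChain strings.
    package = json.loads(text, strict=False)
    if not isinstance(package, dict):
        raise ValueError("enrollment package must be a JSON object")
    return package


def inspect_package(package):
    """Return (summary, problems) without contacting any service."""
    problems = [f"missing field: {name}"
                for name in EXPECTED_FIELDS if name not in package]
    try:
        uuid.UUID(str(package.get("duuid", "")))
    except ValueError:
        problems.append("duuid is not a valid UUID")

    fingerprints = []
    for index, entry in enumerate(package.get("certChain", [])):
        try:
            der = base64.b64decode("".join(str(entry).split()), validate=True)
        except binascii.Error:
            problems.append(f"certChain[{index}]: truncated or not Base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER begins with a SEQUENCE
            problems.append(f"certChain[{index}]: not DER encoded")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("certChain holds no usable certificate")

    roles = {}
    for nic in package.get("interfaces", []):
        roles[nic.get("name", "?")] = sorted(
            role for role in nic.get("roles", "").split(",") if role)
    summary = {
        "name": package.get("name"),
        "duuid": package.get("duuid"),
        "sha256": fingerprints,  # compare on both ends of the transfer
        "roles": roles,
    }
    return summary, problems


# Constructed sample: placeholder bytes, not a real X.509 certificate,
# and made-up identifiers.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"constructed-cert"
SAMPLE_JSON = json.dumps({
    "name": "cdg-lab-01",
    "interfaces": [{"name": "eth0", "roles": "MANAGEMENT,CONTROL,SB_DATA"}],
    "certChain": [base64.b64encode(SAMPLE_DER).decode("ascii")],
    "duuid": "00000000-0000-4000-8000-000000000001",
})

if __name__ == "__main__":
    print(inspect_package(load_package(SAMPLE_JSON)))
```

Comparing the SHA-256 values computed on the file you saved with those computed on the file you upload shows whether the package was truncated or altered along the way.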

Obtain the enrollment token using SCP

Follow these steps to export the enrollment token using Secure Copy Protocol (SCP).

Before you begin

Ensure you have the following information ready and are aware of the requirements:

  • The SCP server must be running on the target host.

  • Ideally, export the enrollment package to the local machine you use to access the Crosswork server.

  • If you are not using the default port (22), specify the port in the SCP command. For example, to export the package as an admin user and place it in the user’s home directory on port 4000, use the command:

    scp -P4000 admin@<ip_address>:/home/admin

Procedure

Step 1

Log in to Crosswork Data Gateway.

Step 2

From the Main Menu, select Get Enrollment Package.

Figure 6. Main Menu

Step 3

Choose Export Enrollment Package.

Step 4

Click OK.

Step 5

Enter the SCP URI for exporting the enrollment package, then click OK.

Step 6

Enter the SCP passphrase or the SCP user password and click OK.

The enrollment file, also known as the Crosswork Cloud registration file, is created with a unique .json filename and can be uploaded to Crosswork Cloud.


Delete enrollment tokens

Delete any enrollment token that has unused quotas or a valid duration and is not needed for future enrollments. As a security best practice, avoid retaining unused tokens to reduce the risk of unauthorized access.

Before you begin

Ensure that you have the name of the enrollment token that you want to delete.

Procedure


Step 1

Log in to Crosswork Cloud.

Step 2

From the main window, choose Configure > Data Gateways. The Data Gateways page opens.

Step 3

Click Add Crosswork Data Gateway.

Step 4

In the Crosswork Data Gateway page, click Manage Tokens.

The available enrollment tokens are listed.
Figure 7. Manage tokens

Step 5

Select the token that you want to delete and click Revoke Token.

Step 6

Review the information in the confirmation window and click Yes to proceed.


Set security policy for the virtual switch and port group

Apply the security policy for each virtual switch that Crosswork Data Gateway uses.

Procedure


Step 1

From vCenter, navigate to Host > Configure > Networking > Virtual Switches and select the virtual switch.

Step 2

Click Edit > Security, and set these port group properties to Reject:

  • Promiscuous mode

  • MAC address changes


Deploy the Crosswork Data Gateway VM

Choose a virtualization platform where you want to deploy Crosswork Data Gateway.

Deploy Crosswork Data Gateway using VMware

  1. Choose the VMware method to deploy the Crosswork Data Gateway.

  2. Verify the Crosswork Data Gateway deployment

Deploy Crosswork Data Gateway using the vSphere Client

Before you begin

Verify that these prerequisites are met:

  • Confirm that all prerequisites listed in the Installation requirements chapter are fulfilled.

  • Download the Crosswork Data Gateway UEFI OVA (for cloud only) installation package from the Cisco Software Download site. If the file has .dms extension, rename it to .ova. This conversion is necessary to comply with vCenter's requirements for properly importing and deploying virtual appliances.

Procedure

Step 1

Log in to your vSphere Client interface.

Step 2

Right-click the data center (host) and select Actions > Deploy OVF Template.

The Deploy OVF Template wizard appears.

Step 3

On the Select an OVF template page, click Browse to locate and select the OVA file you downloaded. Click Next.

Figure 8. Select an OVF template

Step 4

On the Select name and folder page:

  1. Enter a unique name for the new VM.

  2. From the Select a location for the virtual machine list, choose the data center where you want to deploy Crosswork Data Gateway. Click Next.

    Figure 9. Name and folder selection

Step 5

On the Select a compute resource page, select the host for VM deployment. Click Next.

Figure 10. Computer resource

Step 6

On the Review details page, verify the OVA information. Click Next.

Note

You cannot modify the OVA information. The disk requirements for an on-premise deployment can be ignored for now. You will configure the disk settings later in the process.

Figure 11. Review details

Step 7

Review the End User License Agreement. Click Accept, then click Next.

Step 8

On the Configuration page, select Crosswork Cloud. Click Next.

Figure 12. Deployment configuration

Step 9

On the Select storage page:

  1. In the Select virtual disk format field, select the virtual disk format:

    • Thick Provision Lazy Zeroed for production environments, or

    • Thin Provision for development environments

  2. From the Datastores table, select the datastore you want to use. Click Next.

Figure 13. Storage selection

Step 10

On the Select networks page, select the appropriate vNIC role for each interface from the drop-down list. Click Next.

Step 11

On the Customize template page, enter the required parameters for Crosswork Data Gateway deployment. See Configuration parameters required for Crosswork Data Gateway deployment. Click Next.

Step 12

On the Auto Enrollment Package Transfer page, paste the enrollment token that you copied earlier into the Auto Enrollment Token UI field. Click Next.

Step 13

On the Ready to complete page, review your settings. Click Finish.

Step 14

After the deployment is completed, check the Recent Tasks tab on the VM host for the Deploy OVF Template job status.

Step 15

Once the deployment status reaches 100%, right-click the VM and choose Actions > Power > Power On to start Crosswork Data Gateway.

Wait for at least five minutes for Crosswork Data Gateway to initialize. Once Crosswork Data Gateway is operational, log in via vCenter or SSH.


What to do next
Confirm if the deployment is successful. See Verify the Crosswork Data Gateway deployment.

Deploy Crosswork Data Gateway using the OVF tool

The Open Virtualization Format (OVF) Tool is a command-line utility that enables deployment of the Crosswork Data Gateway using a custom configuration script. Any parameters left unconfigured will be deployed with their default values.

Before you begin

Verify you meet the following prerequisites:

  • All prerequisites listed in the Installation requirements chapter are met.

  • Install OVF Tool version 4.4 or later on the machine where you run the deployment. Verify the installation by running the command ovftool --version.

  • Access to vCenter with appropriate user privileges to authenticate the deployment.

  • Use a Linux-based system for execution, with the permissions required to make scripts executable (chmod +x).

  • Configure the security policy for the virtual switch and port group. See Set security policy for the virtual switch and port group.

  • Obtain the Crosswork Data Gateway sample installation script, available in the cdg-7.1.0-sample-install-scripts.tar.gz package. See Sample script for Crosswork Data Gateway IPv4 deployment.

Procedure

Step 1

On the machine where you have the OVF tool installed, use the command to verify that the OVF Tool version is 4.4 or later:

ovftool --version

Step 2

Download the Crosswork Data Gateway UEFI OVA (for cloud only) installation package from the Cisco Software Download site. If the file has .dms extension, rename it to .ova. This conversion is necessary to comply with vCenter's requirements for properly importing and deploying virtual appliances.

Step 3

Extract the installation scripts and validation files with the command:

tar -xvzf cdg-7.1.0-sample-install-scripts.tar.gz

Once the file bundle is extracted, it includes the DG-sample-install-scripts.tar file and scripts for validating the sample install scripts.

Step 4

Extract the install scripts with the command:

tar -xvf DG-sample-install-scripts.tar

Step 5

Make the script executable with the command:

chmod +x {filename}

Step 6

Execute the script from the directory where the OVA and script files are stored with the command:

./{script name} {path and ova file name}

For example:

./three-nic /home/admin/CDG_Install/cdg-deployment-7.1.0-17.uefi.ova

Step 7

Enter the vCenter username and password when prompted.

If the script fails, check for any error messages and resolve any invalid values or configuration issues. If the failure is due to invalid values, a message like the following is displayed:

admin@nso-576-tsdn-410-aio:~/CDG_Install$ ./three-nic /home/admin/CDG_Install/cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz
Opening OVA source: /home/admin/CDG_Install/cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz
The manifest does not validate
Warning:
- Line -1: Unsupported value 'firmware' for attribute 'key' on element 'ExtraConfig'.
- Line -1: Unsupported value 'uefi.secureBoot.enabled' for attribute 'key' on element 'ExtraConfig'.
Enter login information for target vi://rcdn5-spm-vc-01.cisco.com/
Username: johndoe
Password: ******

Step 8

Enter the password and monitor the deployment process on the vCenter console. Observe any warnings or errors that are related to configuration parameters.

For example,

Opening VI target: vi://johndoe@rcdn5-spm-vc-01.cisco.com:443/Cisco-sample-sample/host/10.10.100.10
Warning:
- Line 146: Unable to parse 'enableMPTSupport' for attribute 'key' on element 'Config'.
- Line 229: Unable to parse 'vmxnet3.noOprom' for attribute 'key' on element 'Config'.
Deploying to VI: vi://johndoe@rcdn5-spm-vc-01.cisco.com:443/Cisco-sample-sample/host/10.10.100.10
Disk progress: 65% 

Step 9

Optional. Once deployment is complete, ensure the Crosswork Data Gateway is powered on and check its status in the vCenter interface.


What to do next
Confirm if the deployment is successful. See Verify the Crosswork Data Gateway deployment.

Sample script for Crosswork Data Gateway IPv4 deployment

The following script example deploys Crosswork Data Gateway with IPv4 addresses.

#!/usr/bin/env bash
DM="<thin/thick>"
Disclaimer="<Disclaimer>"
DNSv4="<DNS Server>"
NTP="<NTP Server>"
Domain="<Domain>"
Hostname="<CDG hostname>"

VM_NAME="<VM name on vcenter>"
DeploymentOption="cloud"
DS="<Datastore>"
Host="<ESXi host>"
ManagementNetwork="<vSwitch/dvSwitch>"
DataNetwork="<vSwitch/dvSwitch>"
DeviceNetwork="<vSwitch/dvSwitch>"
ManagementIPv4Address="<CDG management IP>"
ManagementIPv4Netmask="<CDG management mask>"
ManagementIPv4Gateway="<CDG management gateway>"
DataIPv4Address="<CDG Data network IP>"
DataIPv4Netmask="<CDG Data network mask>"
DataIPv4Gateway="<CDG Data network gateway>"
DeviceIPv4Address="<CDG Device network IP>"
DeviceIPv4Netmask="<CDG Device network mask>"
DeviceIPv4Gateway="<CDG Device network gateway>"
dgadminpwd="<CDG password for dg-admin user>"
dgoperpwd="<CDG password for dg-oper user>"
URI="<user@host:/path/to/file>"
Passphrase="<Passphrase for Enrollment URI server>"


ROBOT_OVA_PATH=$1

VCENTER_LOGIN="Administrator%40vsphere.local@<vCenter-IP>"
VCENTER_PATH="<vCenter-DC-NAME>/host"

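# --noSSLVerify turns off validation of the vCenter certificate and
# --skipManifestCheck skips validation of the OVA manifest; remove them where
# the vCenter certificate is trusted and the OVA manifest validates.
ovftool --acceptAllEulas --skipManifestCheck --X:injectOvfEnv -ds="${DS}" --diskMode="${DM}" --overwrite --powerOffTarget --powerOn --noSSLVerify \
--allowExtraConfig \
--name="${VM_NAME}" \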
--deploymentOption=${DeploymentOption} \
--net:"vNIC0=${ManagementNetwork}" \
--prop:"Hostname=${Hostname}" \
--prop:"Description=${Disclaimer}" \
--prop:"DNS=${DNSv4}" \
--prop:"NTP=${NTP}" \
--prop:"Domain=${Domain}" \
--prop:"EnrollmentURI=${URI}" \
--prop:"EnrollmentPassphrase=${Passphrase}" \
--prop:"Vnic0IPv4Method=Static" \
--prop:"Vnic0IPv4Address=${ManagementIPv4Address}" \
--prop:"Vnic0IPv4Gateway=${ManagementIPv4Gateway}" \
--prop:"Vnic0IPv4Netmask=${ManagementIPv4Netmask}" \
--prop:"NicDefaultGateway=eth0" \
--prop:"NicAdministration=eth0" \
--prop:"NicExternalLogging=eth0" \
--prop:"NicManagement=eth0" \
--prop:"NicControl=eth0" \
--prop:"NicNBExternalData=eth0" \
--prop:"NicSBData=eth0" \
--prop:"dg-adminPassword=${dgadminpwd}" \
--prop:"dg-operPassword=${dgoperpwd}" \
"${ROBOT_OVA_PATH}" \
"vi://${VCENTER_LOGIN}/${VCENTER_PATH}/${Host}"

#############################################################
# Append section below for Two NIC deployment
#############################################################
#--net:"vNIC1=${DataNetwork}" \
#--prop:"Vnic1IPv4Method=Static" \
#--prop:"Vnic1IPv4Address=${DataIPv4Address}" \
#--prop:"Vnic1IPv4Gateway=${DataIPv4Gateway}" \
#--prop:"Vnic1IPv4Netmask=${DataIPv4Netmask}" \
#--prop:"NicDefaultGateway=eth0" \
#--prop:"NicAdministration=eth0" \
#--prop:"NicExternalLogging=eth0" \
#--prop:"NicManagement=eth0" \
#--prop:"NicControl=eth1" \
#--prop:"NicNBExternalData=eth1" \
#--prop:"NicSBData=eth1" \

#############################################################
# Append section below for three NIC deployment
#############################################################
#--net:"vNIC1=${DataNetwork}" \
#--net:"vNIC2=${DeviceNetwork}" \
#--prop:"Vnic1IPv4Method=Static" \
#--prop:"Vnic2IPv4Method=Static" \
#--prop:"Vnic1IPv4Address=${DataIPv4Address}" \
#--prop:"Vnic1IPv4Gateway=${DataIPv4Gateway}" \
#--prop:"Vnic1IPv4Netmask=${DataIPv4Netmask}" \
#--prop:"Vnic2IPv4Address=${DeviceIPv4Address}" \
#--prop:"Vnic2IPv4Gateway=${DeviceIPv4Gateway}" \
#--prop:"Vnic2IPv4Netmask=${DeviceIPv4Netmask}" \
#--prop:"NicDefaultGateway=eth0" \
#--prop:"NicAdministration=eth0" \
#--prop:"NicExternalLogging=eth0" \
#--prop:"NicManagement=eth0" \
#--prop:"NicControl=eth1" \
#--prop:"NicNBExternalData=eth1" \
#--prop:"NicSBData=eth2" \

### Auto Enrollment Package Transfer
## Enrollment Token for Crosswork Cloud
# Please enter the optional enrollment token to auto enroll with Crosswork Cloud
#--prop:"CloudEnrollmentToken=TOKEN"

## Enrollment Destination Host and Path
# Please enter the optional SCP destination host and path to transfer the enrollment package using SCP (user@host:/path/to/file)
EnrollmentURI= 

## Enrollment Passphrase
# Please enter the optional SCP user passphrase to transfer the enrollment package
EnrollmentPassphrase=

Verify the Crosswork Data Gateway deployment

To verify the successful deployment of Crosswork Data Gateway, follow these steps:

Procedure

Step 1

Log in to vCenter and navigate to Crosswork Data Gateway.

Step 2

In vCenter, locate Crosswork Data Gateway. Right-click on it and select Open Console.

Step 3

Enter your dg-admin or dg-oper credentials, along with the password you created during the deployment process.

Upon successful login, Crosswork Data Gateway displays a Welcome page. The presence of this page, along with the deployment menu, confirms that the deployment is complete.

Deploy Crosswork Data Gateway using OpenStack

Follow these steps to deploy Crosswork Data Gateway using OpenStack.

  1. Choose the OpenStack method to deploy Crosswork Data Gateway.

  2. Depending on the deployment method, choose the method to verify the Crosswork Data Gateway installation.

Deploy Crosswork Data Gateway with OpenStack CLI

This section explains how to deploy the Crosswork Data Gateway using the OpenStack CLI. The steps provided here focus on configuring networks, ports, and volumes within the OpenStack environment. While these are the recommended methods for deploying Crosswork Data Gateway, there are alternative approaches which fall outside the scope of this guide.

Before you begin

Verify that these prerequisites are met:

  • Access to an OpenStack environment with the necessary privileges to create networks, ports, and volumes.

  • A Python environment (either version 2.x or 3.x) installed on the system where you will perform the verification.

Procedure

Step 1

Download the Crosswork Data Gateway (qcow2) package:

  1. Download the latest available Crosswork Data Gateway image (*.bios.signed.bin) from cisco.com. For this guide, we use the package name cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz and cdg-7.1.0-sample-install-scripts.tar.gz. Ensure that the downloaded files are located in a directory that is accessible by OpenStack.

Step 2

Validate the downloaded qcow2 package:

  1. Unzip the installer bundle using this command:

    tar -xvzf cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz

    This command extracts the contents of the downloaded package.

    After extraction, the directory should contain the following files:

    README
    cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz
    cisco_x509_verify_release.py3
    cisco_x509_verify_release
    CDG-CCO_RELEASE

  2. Verify the signature of the build:

    To verify the integrity and authenticity of the package, run the signature verification script. Ensure the machine where the script is executed has HTTP access to cisco.com. If access is restricted, or if you did not get a successful verification message after running the script, consult the Cisco Customer Experience team for assistance.

    Depending on the Python version in use, execute one of the commands:

    Table 9. Supported Python version

    • If the Python version is Python 2.x, use the command:

      python cisco_x509_verify_release.py -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

    • If the Python version is Python 3.x, use the command:

      python cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

Step 3

Choose one of the following options based on the addressing method you plan to use for the Crosswork Data Gateway VM:

Step 4

Confirm if the deployment is successful. See Verify installation of Crosswork Data Gateway VMs with OpenStack CLI.


What to do next

Enroll Crosswork Data Gateway with Crosswork Cloud by generating and exporting the enrollment package. See Enroll Crosswork Data Gateway.

Configure a Crosswork Data Gateway VM with the static addressing

For each VM, update and save a unique config.txt.

Procedure

Step 1

Modify the config.txt file.

  1. Navigate to the directory where you have downloaded the Crosswork Data Gateway release image.

  2. Open the config.txt file and modify the parameters as per your installation requirements. Refer to Sample Configuration File for the Static Addressing and Required Information for Data Gateway Deployment for more information on parameters.

  3. Save the config.txt file with the hostname of the VM or a name that makes it easy for you to identify the VM for which you have updated it.

  4. Make a note of the IP address that you enter here for the vNIC IP addresses in config.txt. Specify the same IP addresses when creating the ports for the VM in Step 6.

Step 2

Log in to the OpenStack VM from the CLI.

Step 3

Create the resource profile or flavor for the VMs.

openstack flavor create --public --id auto --vcpus 8 --ram 32768 --disk 74 cdg-cloud

Step 4

Create an image for the OpenStack install.

openstack image create --public --disk-format qcow2 --container-format bare --file <bios_release_image_file> <image_name>

For example:

openstack image create --public --disk-format qcow2 --container-format bare --file cdg-cloud-deployment-7.1.0-17.bios.qcow2 cdg-cloud-bios

Step 5

Create the VM-specific parameters for each Crosswork Data Gateway VM.

  1. (Optional) Create a 24-GB second data disk.

    openstack volume create --size <size_in_GB> <volume_name>


    For example:

    openstack volume create --size 24 cdg-vol1

  2. Create a security policy to allow incoming TCP, UDP, or ICMP connections in OpenStack, as it does not allow them by default.

    openstack security group create open
    openstack security group rule create open --protocol tcp --dst-port <port_number> --remote-ip <IP_address>
    openstack security group rule create open --protocol udp --dst-port <port_number> --remote-ip <IP_address>
    openstack security group rule create --protocol icmp open

  3. Create ports with a specified IP address exclusively for Crosswork Data Gateway VMs using the static addressing.

    This step is optional unless you are using the static addressing, in which case it is required.

    openstack port create --network network_name --fixed-ip subnet=subnet_name,ip-address=port_ip_address port_name

    For example, to create ports for Crosswork Data Gateway VMs with one NIC using static addressing:

    
    openstack port create --network network1 --fixed-ip subnet=subnet1,ip-address=10.10.11.101 mgmt-port1
    

    In this command, the parameters indicate:

    • network1 is the management network in your environment.

    • subnet1 is the subnet on the management network.

    • mgmt-port1 is the port that we are creating with the IP address as 10.10.11.101 for vNIC0 as specified in the config.txt file for the VM.

  4. Apply the security policy to the ports.

    openstack port set <port_name> --security-group open

    For example,

    openstack port set mgmt-port1 --security-group open

Step 6

Install one or more Crosswork Data Gateway VMs.

To install a Crosswork Data Gateway VM with one NIC that uses the static addressing:

openstack server create --flavor <flavor_name> --image <image_name> --port <mgmt-port> \
  --config-drive True --user-data <config.txt> \
  --block-device-mapping vdb=<volume_name>:::true <CDG_hostname>

For example:

openstack server create --flavor cdg-cloud --image cdg-cloud-bios --port mgmt-port1 \
  --config-drive True --user-data config-nodhcp-cdg1.txt \
  --block-device-mapping vdb=cdg1:::true cdg1-nodhcp

OR

openstack server create --config-drive true --flavor cdg --image <image_name> --key-name default \
  --nic net-id=<network id>,v4-fixed-ip=<CDG static IP> --security-group <security group name> \
  --user-data <config.txt> <CDG_hostname>

Note

The number of networks in the command to install the VMs depends on the number of NICs in the deployment.

For example, the command to install a VM with 2 NICs is:

openstack server create --flavor cdg-cloud --image cdg-cloud-bios --port mgmt-port2 --port south-port2 --config-drive True --user-data config-nodhcp_2nic.txt --block-device-mapping vdb=cdg-vol:::true cdg-bios-nodhcp_2NIC


Sample configuration file for the static addressing

This is a sample config.txt file for a one NIC deployment with the hostname as cdg1-nodhcp when using the static addressing. Mandatory parameters in this sample are highlighted.

#### Required Parameters

### Deployment Settings

## Resource Profile
# How much memory and disk should be allocated?
# Default value: Crosswork-Cloud
Profile=Crosswork-Cloud

### Host Information

## Hostname
# Please enter the server's hostname (dg.localdomain)
Hostname=changeme

## Description
# Please enter a short, user friendly description for display in the Crosswork Controller
Description=changeme

### Passphrases

## dg-admin Passphrase
# Please enter a passphrase for the dg-admin user. It must be at least 10 characters.
dg-adminPassword=changeme

## dg-oper Passphrase
# Please enter a passphrase for the dg-oper user. It must be at least 10 characters.
dg-operPassword=changeme

### vNIC0 IPv4 Address

## vNIC0 IPv4 Method
# Skip or statically assign the vNIC0 IPv4 address
# Default value: DHCP
Vnic0IPv4Method=None

## vNIC0 IPv4 Address
# Please enter the server's IPv4 vNIC0 address if statically assigned
Vnic0IPv4Address=0.0.0.0

## vNIC0 IPv4 Netmask
# Please enter the server's IPv4 vNIC0 netmask if statically assigned
Vnic0IPv4Netmask=0.0.0.0

## vNIC0 IPv4 Skip Gateway
# Skip statically assigning a gateway address to communicate with other devices, VMs, or services
# Default value: False
Vnic0IPv4SkipGateway=False

## vNIC0 IPv4 Gateway
# Please enter the server's IPv4 vNIC0 gateway if statically assigned
Vnic0IPv4Gateway=0.0.0.1

### vNIC0 IPv6 Address

## vNIC0 IPv6 Method
# Skip or statically assign the vNIC0 IPv6 address
# Default value: None
Vnic0IPv6Method=None

## vNIC0 IPv6 Address
# Please enter the server's IPv6 vNIC0 address if statically assigned
Vnic0IPv6Address=::0

## vNIC0 IPv6 Netmask
# Please enter the server's IPv6 vNIC0 netmask if statically assigned
Vnic0IPv6Netmask=64

## vNIC0 IPv6 Skip Gateway
# Skip statically assigning a gateway address to communicate with other devices, VMs, or services
# Default value: False
Vnic0IPv6SkipGateway=False

## vNIC0 IPv6 Gateway
# Please enter the server's IPv6 vNIC0 gateway if statically assigned
Vnic0IPv6Gateway=::1

### DNS Servers

## DNS Address
# Please enter a space delimited list of DNS server addresses accessible from the Default Gateway role
DNS=changeme

## DNS Search Domain
# Please enter the DNS search domain
Domain=changeme

### NTPv4 Servers

## NTPv4 Servers
# Please enter a space delimited list of NTPv4 server hostnames or addresses accessible from the Default Gateway role
NTP=changeme

#### Optional Parameters

### Host Information

## Label
# An optional freeform label used by the Crosswork Controller to categorize and group multiple DG instances
Label=

## Allow Usable RFC 8190 Addresses
# If an address for vNIC0, vNIC1, vNIC2, or vNIC3 falls into a usable range identified by RFC 8190 or its predecessors, reject, accept, or request confirmation during initial configuration
# Default value: Yes
AllowRFC8190=Yes

## Crosswork Data Gateway Private Key URI
# Please enter the optional Crosswork Data Gateway private key URI retrieved using SCP (user@host:/path/to/file)
DGCertKey=

## Crosswork Data Gateway Certificate File URI
# Please enter the optional Crosswork Data Gateway PEM formatted certificate file URI retrieved using SCP (user@host:/path/to/file)
DGCertChain=

## Crosswork Data Gateway Certificate File and Key Passphrase
# Please enter the SCP user passphrase to retrieve the Crosswork Data Gateway PEM formatted certificate file and private key
DGCertChainPwd=


## High Availability Network Mode
# Please enter the mode for the HA Network. This will determine whether all interfaces require an address.
HANetworkMode=L2

### DNS Servers

## DNS Security Extensions
# Use DNS security extensions
# Default value: False
DNSSEC=False

## DNS over TLS
# Use DNS over TLS
# Default value: False
DNSTLS=False

## Multicast DNS
# Use multicast DNS
# Default value: False
mDNS=False

## Link-Local Multicast Name Resolution
# Use link-local multicast name resolution
# Default value: False
LLMNR=False

### NTPv4 Servers

## NTPv4 Authentication
# Use authentication for all NTPv4 servers
# Default value: False
NTPAuth=False

## NTPv4 Keys
# Please enter a space delimited list of IDs present in the key file. The number of IDs in the list must match the number of servers, even if some or all are the same ID.
NTPKey=

## NTPv4 Key File URI
# Please enter the optional Chrony key file retrieved using SCP (user@host:/path/to/file)
NTPKeyFile=

## NTPv4 Key File Passphrase
# Please enter the SCP user passphrase to retrieve the Chrony key file
NTPKeyFilePwd=

### Remote Syslog Servers

## Remote Syslog Server
# Send Syslog messages to a remote host
# Default value: False
UseRemoteSyslog=False

## Syslog Multiserver Mode
# Send syslog to all servers (simultaneous) or one at a time (failover)
SyslogMultiserverMode=Simultaneous

## Syslog Server Addresses
# Please enter a space delimited list of hostnames, IPv4 addresses, or IPv6 addresses of the Syslog servers accessible from the Default Gateway role
SyslogAddress=

## Syslog Server Port
# Please enter a Syslog port
# Default value: 514
SyslogPort=514

## Syslog Server Protocol
# Please enter the Syslog protocol
# Default value: UDP
SyslogProtocol=UDP

## Syslog over TLS
# Use Syslog over TLS (must use TCP or RELP as the protocol)
# Default value: False
SyslogTLS=False

## Syslog TLS Peer Name
# Please enter the Syslog server's hostname exactly as entered in the server certificate subjectAltName or subject common name
SyslogPeerName=

## Syslog Root Certificate File URI
# Please enter the optional Syslog root PEM formatted certificate file retrieved using SCP (user@host:/path/to/file)
SyslogCertChain=

## Syslog Certificate File Passphrase
# Please enter the SCP user passphrase to retrieve the Syslog PEM formatted certificate file
SyslogCertChainPwd=

### Remote Auditd Servers

## Remote auditd Server
# Send auditd messages to a remote host
# Default value: False
UseRemoteAuditd=False

## Auditd Server Address
# Please enter a hostname, IPv4 address, or IPv6 address of the auditd server accessible from the Default Gateway role
AuditdAddress=

## Auditd Server Port
# Please enter an auditd port
# Default value: 60
AuditdPort=60

### Controller Settings

## Proxy Server URL
# Please enter the optional HTTP/HTTPS proxy URL
ProxyURL=

## Proxy Server Bypass List
# Please enter an optional space delimited list of subnets and domains that will not be sent to the proxy server
ProxyBypass=

## Authenticated Proxy Username
# Please enter an optional username for an authenticated proxy server
ProxyUsername=

## Authenticated Proxy Passphrase
# Please enter an optional passphrase for an authenticated proxy server
ProxyPassphrase=

## HTTPS Proxy SSL/TLS Certificate File URI
# Please enter the optional HTTPS Proxy PEM formatted SSL/TLS certificate file URI retrieved using SCP (user@host:/path/to/file). This will override the Controller SSL/TLS Certificate File URI.
ProxyCertChain=

## HTTPS Proxy SSL/TLS Certificate File Passphrase
# Please enter the SCP user passphrase to retrieve the HTTPS Proxy PEM formatted SSL/TLS certificate file
ProxyCertChainPwd=

#### Static Parameters  - Do not change this section

### Deployment Settings

## Deployment Type
# What type of deployment is this?
# Default value: Crosswork Cloud
Deployment=Crosswork Cloud

### Host Information

## Data Disk Size
# Data disk size in GB mounted as /opt/dg/appdata
DGAppdataDisk=24

### vNIC Role Assignment

## Default Gateway
# The interface used as the Default Gateway and for DNS and NTP traffic
# Default value: eth0
NicDefaultGateway=eth0

## Administration
# The interface used for SSH access to the VM
# Default value: eth0
NicAdministration=eth0

## External Logging
# The interface used to send logs to an external logging server
# Default value: eth0
NicExternalLogging=eth0

## Management
# The interface used for enrollment and other management traffic
# Default value: eth0
NicManagement=eth0

## Control
# The interface used for destination, device, and collection configuration
# Default value: eth0
NicControl=eth0

## Northbound System Data
# The interface used to send collection data to the system destination
# Default value: eth0
NicNBSystemData=eth0

## Northbound External Data
# The interface used to send collection data to external destinations
# Default value: eth0
NicNBExternalData=eth0

## Southbound Data
# The interface used to collect data from all devices
# Default value: eth0
NicSBData=eth0

### Auto Enrollment Package Transfer

## Enrollment Token for Crosswork Cloud
# Please enter the optional enrollment token to auto enroll with Crosswork Cloud
CloudEnrollmentToken=TOKEN

## Enrollment Destination Host and Path
# Please enter the optional SCP destination host and path to transfer the enrollment package using SCP (user@host:/path/to/file)
EnrollmentURI=

## Enrollment Passphrase
# Please enter the optional SCP user passphrase to transfer the enrollment package
EnrollmentPassphrase=
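
The sample config.txt states several constraints only in its comments: passphrases of at least 10 characters, TCP or RELP when SyslogTLS is set, and one NTPKey ID per NTP server. The following added example (not part of the Cisco guide or its scripts) checks an edited file against those rules before it is passed as --user-data and masks secret values for sharing. The function names, the treatment of 0.x.x.x addresses and of the literal TOKEN as unreplaced placeholders, and the sample values are assumptions made for the example.

```python
import ipaddress

SECRET_SUFFIXES = ("Password", "Passphrase", "Pwd", "Token")  # secret-bearing keys
# Required parameters that the sample ships as the placeholder "changeme".
REQUIRED = ("Hostname", "Description", "dg-adminPassword", "dg-operPassword",
            "DNS", "Domain", "NTP")
PLACEHOLDER_NET = ipaddress.IPv4Network("0.0.0.0/8")


def parse_config(text):
    """Parse Key=Value lines; '#' comment lines and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # a value may itself contain '='
        params[key.strip()] = value.strip()
    return params


def is_true(params, key):
    return params.get(key, "False").lower() == "true"


def unset_ipv4(value):
    """True when the address is missing, malformed or still a 0.x.x.x placeholder."""
    try:
        return ipaddress.IPv4Address(value) in PLACEHOLDER_NET
    except ValueError:
        return True


def lint(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in REQUIRED:
        if params.get(key, "") in ("", "changeme"):
            findings.append(f"{key}: still empty or 'changeme'")
    for key in ("dg-adminPassword", "dg-operPassword"):
        value = params.get(key, "")
        if value not in ("", "changeme") and len(value) < 10:
            findings.append(f"{key}: shorter than 10 characters")
    if params.get("Vnic0IPv4Method", "DHCP").lower() == "static":
        for key in ("Vnic0IPv4Address", "Vnic0IPv4Netmask"):
            if unset_ipv4(params.get(key, "")):
                findings.append(f"{key}: required when Vnic0IPv4Method=Static")
        if (not is_true(params, "Vnic0IPv4SkipGateway")
                and unset_ipv4(params.get("Vnic0IPv4Gateway", ""))):
            findings.append("Vnic0IPv4Gateway: required unless Vnic0IPv4SkipGateway=True")
    if (is_true(params, "SyslogTLS")
            and params.get("SyslogProtocol", "UDP").upper() not in ("TCP", "RELP")):
        findings.append("SyslogTLS: requires SyslogProtocol TCP or RELP")
    if is_true(params, "NTPAuth"):
        servers, key_ids = params.get("NTP", "").split(), params.get("NTPKey", "").split()
        if len(key_ids) != len(servers):
            findings.append(f"NTPKey: {len(key_ids)} key IDs for {len(servers)} servers")
    if params.get("CloudEnrollmentToken") == "TOKEN":
        findings.append("CloudEnrollmentToken: placeholder 'TOKEN' not replaced")
    return findings


def redact(text):
    """Mask secret values so the file can be pasted into a ticket or log."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if (sep and not raw.lstrip().startswith("#")
                and key.strip().endswith(SECRET_SUFFIXES) and value.strip()):
            raw = f"{key}=<redacted>"
        out.append(raw)
    return "\n".join(out)


# Constructed sample: a partly edited config.txt (all values are made up).
SAMPLE = """\
Hostname=cdg1-nodhcp
Description=changeme
dg-adminPassword=Sh0rt!
dg-operPassword=correct-horse-battery
Vnic0IPv4Method=Static
Vnic0IPv4Address=10.10.11.101
Vnic0IPv4Netmask=0.0.0.0
Vnic0IPv4Gateway=0.0.0.1
DNS=10.10.11.2
Domain=example.test
NTP=ntp1.example.test ntp2.example.test
NTPAuth=True
NTPKey=1
SyslogTLS=True
CloudEnrollmentToken=TOKEN
"""

if __name__ == "__main__":
    print("\n".join(lint(parse_config(SAMPLE))))
    print(redact(SAMPLE))
```
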
Configure a Crosswork Data Gateway VM with the DHCP addressing

For each VM, update and save a unique config.txt.

Procedure

Step 1

Modify the config.txt for Crosswork Data Gateway VMs using DHCP.

  1. Locate the directory where you have downloaded the Crosswork Data Gateway release image.

  2. Open the config.txt file and modify the parameters as per your installation requirements. Refer to Sample Configuration File for the DHCP Addressing and Required Information for Data Gateway Deployment for more information on parameters.

  3. Save the config.txt file with the hostname of the VM or a name that makes it easy for you to identify the VM for which you have updated it.

Step 2

Log in to the OpenStack VM from the CLI.

Step 3

Create the resource profile or flavor for the VMs.

openstack flavor create --public --id auto --vcpus 8 --ram 32768 --disk 74 cdg-cloud

Step 4

Create an image for OpenStack install.

openstack image create --public --disk-format qcow2 --container-format bare --file <bios_release_image_file> <image_name>

For example:

openstack image create --public --disk-format qcow2 --container-format bare --file cdg-cloud-deployment-7.1.0-17.bios.qcow2 cdg-cloud-bios

Step 5

Create the VM-specific parameters for each Crosswork Data Gateway VM.

Create the following parameters for each Crosswork Data Gateway VM instance that you want to install.

  1. (Optional) Create a 24 GB second data disk.

    openstack volume create --size <size_in_GB> <volume_name>


    For example:

    openstack volume create --size 24 cdg-vol1

  2. Create a security policy to allow the incoming TCP, UDP, or ICMP connections.

    OpenStack does not allow incoming TCP, UDP, or ICMP connections by default. Create a security policy to allow incoming connections from the TCP, UDP, or ICMP protocols.

    openstack security group create open
    openstack security group rule create open --protocol tcp --dst-port <port_number> --remote-ip <IP_address>
    openstack security group rule create open --protocol udp --dst-port <port_number> --remote-ip <IP_address>
    openstack security group rule create --protocol icmp open

  3. Create ports with a specified IP address ONLY for Crosswork Data Gateway VMs using the static addressing.

    If you’re using DHCP addressing, the IP addresses for the ports are automatically assigned from the IP addresses allocation pool for the subnet.

    openstack port create --network network_name --fixed-ip subnet=subnet_name,ip-address=port_ip_address port_name

    For example, to create ports for CDG VMs with one NIC using static addressing:

    
    openstack port create --network network1 --fixed-ip subnet=subnet1,ip-address=10.10.11.101 mgmt-port1
    

    In the previous command, network1 is the management network in your environment, subnet1 is the subnet on the management network, mgmt-port1 is the port that we are creating with the IP address as 10.10.11.101 for vNIC0 as specified in the config.txt file for the VM.

  4. Apply the security policy to the ports.

    openstack port set <port_name> --security-group open

    For example,

    openstack port set mgmt-port1 --security-group open

Step 6

Install one or more Crosswork Data Gateway VMs.

Commands to install a Crosswork Data Gateway VM with one NIC with DHCP:

openstack server create --flavor <flavor_name> --image <image_name> --network <network1> --network <network2> --network <network3> --config-drive True --user-data <config.txt> --host <boot_drive> --block-device-mapping vdb=<volume_name>:::true <CDG_hostname>

For example:

openstack server create --flavor <flavor_name> --image <image_name> --network <network1> \
  --config-drive True --user-data <config.txt> --host <boot_drive> \
  --block-device-mapping vdb=<volume_name>:::true <CDG_hostname>

OR

openstack server create --config-drive true --flavor cdg --image <image_name> --key-name default \
  --network <network_name> --security-group <security group name> --user-data <config.txt> <CDG_hostname>

Note

The number of networks in the command to install the VMs depends on the number of NICs in the deployment.

For example, the command to install a VM with 2 NICs is:

openstack server create --flavor cdg-cloud --image cdg-cloud-bios --port mgmt-port2 --port south-port2 --config-drive True --user-data config-nodhcp_2nic.txt --block-device-mapping vdb=cdg-vol:::true cdg-bios-nodhcp_2NIC


Sample configuration file for the DHCP addressing

This is a sample config.txt file for a one NIC deployment with the hostname as cdg1-nodhcp when using DHCP. Mandatory parameters in this sample are highlighted.

#### Required Parameters

### Deployment Settings

## Resource Profile
# How much memory and disk should be allocated?
# Default value: Crosswork-Cloud
Profile=Crosswork-Cloud

### Host Information

## Hostname
# Please enter the server's hostname (dg.localdomain)
Hostname=changeme

## Description
# Please enter a short, user friendly description for display in the Crosswork Controller
Description=changeme

### Passphrases

## dg-admin Passphrase
# Please enter a passphrase for the dg-admin user. It must be at least 10 characters.
dg-adminPassword=changeme

## dg-oper Passphrase
# Please enter a passphrase for the dg-oper user. It must be at least 10 characters.
dg-operPassword=changeme

### vNIC0 IPv4 Address

## vNIC0 IPv4 Method
# Skip or statically assign the vNIC0 IPv4 address
# Default value: DHCP
Vnic0IPv4Method=None

## vNIC0 IPv4 Address
# Please enter the server's IPv4 vNIC0 address if statically assigned
Vnic0IPv4Address=0.0.0.0

## vNIC0 IPv4 Netmask
# Please enter the server's IPv4 vNIC0 netmask if statically assigned
Vnic0IPv4Netmask=0.0.0.0

## vNIC0 IPv4 Skip Gateway
# Skip statically assigning a gateway address to communicate with other devices, VMs, or services
# Default value: False
Vnic0IPv4SkipGateway=False

## vNIC0 IPv4 Gateway
# Please enter the server's IPv4 vNIC0 gateway if statically assigned
Vnic0IPv4Gateway=0.0.0.1

### vNIC0 IPv6 Address

## vNIC0 IPv6 Method
# Skip or statically assign the vNIC0 IPv6 address
# Default value: None
Vnic0IPv6Method=None

## vNIC0 IPv6 Address
# Please enter the server's IPv6 vNIC0 address if statically assigned
Vnic0IPv6Address=::0

## vNIC0 IPv6 Netmask
# Please enter the server's IPv6 vNIC0 netmask if statically assigned
Vnic0IPv6Netmask=64

## vNIC0 IPv6 Skip Gateway
# Skip statically assigning a gateway address to communicate with other devices, VMs, or services
# Default value: False
Vnic0IPv6SkipGateway=False

## vNIC0 IPv6 Gateway
# Please enter the server's IPv6 vNIC0 gateway if statically assigned
Vnic0IPv6Gateway=::1

### DNS Servers

## DNS Address
# Please enter a space delimited list of DNS server addresses accessible from the Default Gateway role
DNS=changeme

## DNS Search Domain
# Please enter the DNS search domain
Domain=changeme

### NTPv4 Servers

## NTPv4 Servers
# Please enter a space delimited list of NTPv4 server hostnames or addresses accessible from the Default Gateway role
NTP=changeme

#### Optional Parameters

### Host Information

## Label
# An optional freeform label used by the Crosswork Controller to categorize and group multiple DG instances
Label=

## Allow Usable RFC 8190 Addresses
# If an address for vNIC0, vNIC1, vNIC2, or vNIC3 falls into a usable range identified by RFC 8190 or its predecessors, reject, accept, or request confirmation during initial configuration
# Default value: Yes
AllowRFC8190=Yes

## Crosswork Data Gateway Private Key URI
# Please enter the optional Crosswork Data Gateway private key URI retrieved using SCP (user@host:/path/to/file)
DGCertKey=

## Crosswork Data Gateway Certificate File URI
# Please enter the optional Crosswork Data Gateway PEM formatted certificate file URI retrieved using SCP (user@host:/path/to/file)
DGCertChain=

## Crosswork Data Gateway Certificate File and Key Passphrase
# Please enter the SCP user passphrase to retrieve the Crosswork Data Gateway PEM formatted certificate file and private key
DGCertChainPwd=

### DNS Servers

## DNS Security Extensions
# Use DNS security extensions
# Default value: False
DNSSEC=False

## DNS over TLS
# Use DNS over TLS
# Default value: False
DNSTLS=False

## Multicast DNS
# Use multicast DNS
# Default value: False
mDNS=False

## Link-Local Multicast Name Resolution
# Use link-local multicast name resolution
# Default value: False
LLMNR=False

### NTPv4 Servers

## NTPv4 Authentication
# Use authentication for all NTPv4 servers
# Default value: False
NTPAuth=False

## NTPv4 Keys
# Please enter a space delimited list of IDs present in the key file. The number of IDs in the list must match the number of servers, even if some or all are the same ID.
NTPKey=

## NTPv4 Key File URI
# Please enter the optional Chrony key file retrieved using SCP (user@host:/path/to/file)
NTPKeyFile=

## NTPv4 Key File Passphrase
# Please enter the SCP user passphrase to retrieve the Chrony key file
NTPKeyFilePwd=

### Remote Syslog Servers

## Remote Syslog Server
# Send Syslog messages to a remote host
# Default value: False
UseRemoteSyslog=False

## Syslog Server Address
# Please enter a hostname, IPv4 address, or IPv6 address of the Syslog server accessible from the Default Gateway role
SyslogAddress=

## Syslog Server Port
# Please enter a Syslog port
# Default value: 514
SyslogPort=514

## Syslog Server Protocol
# Please enter the Syslog protocol
# Default value: UDP
SyslogProtocol=UDP

## Syslog over TLS
# Use Syslog over TLS (must use TCP or RELP as the protocol)
# Default value: False
SyslogTLS=False

## Syslog TLS Peer Name
# Please enter the Syslog server's hostname exactly as entered in the server certificate subjectAltName or subject common name
SyslogPeerName=

## Syslog Root Certificate File URI
# Please enter the optional Syslog root PEM formatted certificate file retrieved using SCP (user@host:/path/to/file)
SyslogCertChain=

## Syslog Certificate File Passphrase
# Please enter the SCP user passphrase to retrieve the Syslog PEM formatted certificate file
SyslogCertChainPwd=

### Remote Auditd Servers

## Remote auditd Server
# Send auditd messages to a remote host
# Default value: False
UseRemoteAuditd=False

## Auditd Server Address
# Please enter a hostname, IPv4 address, or IPv6 address of the auditd server accessible from the Default Gateway role
AuditdAddress=

## Auditd Server Port
# Please enter an auditd port
# Default value: 60
AuditdPort=60

### Controller Settings

## Proxy Server URL
# Please enter the optional HTTP/HTTPS proxy URL
ProxyURL=

## Proxy Server Bypass List
# Please enter an optional space delimited list of subnets and domains that will not be sent to the proxy server
ProxyBypass=

## Authenticated Proxy Username
# Please enter an optional username for an authenticated proxy server
ProxyUsername=

## Authenticated Proxy Passphrase
# Please enter an optional passphrase for an authenticated proxy server
ProxyPassphrase=

## HTTPS Proxy SSL/TLS Certificate File URI
# Please enter the optional HTTPS Proxy PEM formatted SSL/TLS certificate file URI retrieved using SCP (user@host:/path/to/file). This will override the Controller SSL/TLS Certificate File URI.
ProxyCertChain=

## HTTPS Proxy SSL/TLS Certificate File Passphrase
# Please enter the SCP user passphrase to retrieve the HTTPS Proxy PEM formatted SSL/TLS certificate file
ProxyCertChainPwd=

#### Static Parameters  - Do not change this section

### Deployment Settings

## Deployment Type
# What type of deployment is this?
# Default value: Crosswork Cloud
Deployment=Crosswork Cloud

### Host Information

## Data Disk Size
# Data disk size in GB mounted as /opt/dg/appdata
DGAppdataDisk=24

### vNIC Role Assignment

## Default Gateway
# The interface used as the Default Gateway and for DNS and NTP traffic
# Default value: eth0
NicDefaultGateway=eth0

## Administration
# The interface used for SSH access to the VM
# Default value: eth0
NicAdministration=eth0

## External Logging
# The interface used to send logs to an external logging server
# Default value: eth0
NicExternalLogging=eth0

## Management
# The interface used for enrollment and other management traffic
# Default value: eth0
NicManagement=eth0

## Control
# The interface used for destination, device, and collection configuration
# Default value: eth0
NicControl=eth0

## Northbound System Data
# The interface used to send collection data to the system destination
# Default value: eth0
NicNBSystemData=eth0

## Northbound External Data
# The interface used to send collection data to external destinations
# Default value: eth0
NicNBExternalData=eth0

## Southbound Data
# The interface used to collect data from all devices
# Default value: eth0
NicSBData=eth0

### Auto Enrollment Package Transfer

## Enrollment Token for Crosswork Cloud
# Please enter the optional enrollment token to auto enroll with Crosswork Cloud
CloudEnrollmentToken=TOKEN

## Enrollment Destination Host and Path
# Please enter the optional SCP destination host and path to transfer the enrollment package using SCP (user@host:/path/to/file)
EnrollmentURI=

## Enrollment Passphrase
# Please enter the optional SCP user passphrase to transfer the enrollment package
EnrollmentPassphrase=
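
The constraints stated in the comments of the sample config.txt can be checked before the file is passed to the VM with --user-data. The following Python code is an added example, not Cisco tooling or part of the original page; it parses NAME=VALUE lines and reports placeholder values and inconsistent settings. The function names, the constructed sample values, and the treatment of the literal TOKEN as an unfilled placeholder are assumptions, and the 10–64 character passphrase range is the one given in the auto-configuration parameter table on this page.

```python
"""Pre-deployment lint for a Crosswork Data Gateway config.txt (added example)."""

# Constructed sample input: a trimmed config.txt that uses parameter names from
# the sample file on this page. All values are made up for the example.
SAMPLE_CONFIG = """\
#### Required Parameters
## Hostname
Hostname=cdg1
Description=changeme
dg-adminPassword=changeme
dg-operPassword=Str0ng-Oper-Passphrase
DNS=192.0.2.53
Domain=example.net
NTP=192.0.2.10 192.0.2.11
#### Optional Parameters
NTPAuth=True
NTPKey=1
UseRemoteSyslog=True
SyslogAddress=
SyslogProtocol=UDP
SyslogTLS=True
CloudEnrollmentToken=TOKEN
"""

# Parameters that carry the "changeme" placeholder in the sample file.
REQUIRED = ("Hostname", "Description", "dg-adminPassword", "dg-operPassword",
            "DNS", "Domain", "NTP")
PASSPHRASES = ("dg-adminPassword", "dg-operPassword")


def parse_config(text):
    """Return {name: value} for NAME=VALUE lines; comments and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def is_true(params, name):
    """Boolean parameters in config.txt are written as True/False."""
    return params.get(name, "False").lower() == "true"


def lint_config(params):
    """Return a list of (parameter, problem) tuples; an empty list means clean."""
    findings = []
    for name in REQUIRED:
        if params.get(name, "") in ("", "changeme"):
            findings.append((name, "empty or still set to the 'changeme' placeholder"))
    for name in PASSPHRASES:
        value = params.get(name, "")
        if value not in ("", "changeme") and not 10 <= len(value) <= 64:
            findings.append((name, "passphrase must be 10-64 characters"))
    # From the sample's comment: Syslog over TLS must use TCP or RELP.
    if is_true(params, "SyslogTLS") and \
            params.get("SyslogProtocol", "UDP").upper() not in ("TCP", "RELP"):
        findings.append(("SyslogTLS", "TLS requested but SyslogProtocol is not TCP or RELP"))
    if is_true(params, "UseRemoteSyslog") and not params.get("SyslogAddress"):
        findings.append(("SyslogAddress", "remote syslog enabled without a server address"))
    # From the sample's comment: one key ID per NTP server, even if IDs repeat.
    if is_true(params, "NTPAuth"):
        servers = params.get("NTP", "").split()
        key_ids = params.get("NTPKey", "").split()
        if len(key_ids) != len(servers):
            findings.append(("NTPKey", "%d key IDs for %d NTP servers"
                             % (len(key_ids), len(servers))))
    # Assumption: the literal TOKEN in the sample is an unfilled placeholder.
    if params.get("CloudEnrollmentToken") == "TOKEN":
        findings.append(("CloudEnrollmentToken", "placeholder value, not a real token"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_config(parse_config(SAMPLE_CONFIG)):
        print("%-22s %s" % (name, problem))
```

To check a real file, pass its contents to parse_config() and treat any non-empty result from lint_config() as a reason to stop before running openstack server create.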

Verify installation of Crosswork Data Gateway VMs with OpenStack CLI

After deploying the Crosswork Data Gateway VMs, you can verify their installation status using these steps:

Procedure

Step 1

Run this command to list the status of all VMs:

openstack server list

Figure 14. Command output listing the servers

Step 2

Confirm the VM status:

  1. After executing the command, ensure that the status of the VMs shows as Active.

  2. Once the status is confirmed, wait for about 10 minutes for the VM to fully initialize.

  3. After waiting, verify that the VM is running correctly and as expected.

For further monitoring details, see Monitor the Data Gateway Installation on the OpenStack CLI.


Deploy Crosswork Data Gateway using the OpenStack UI

Deploying the Crosswork Data Gateway is a two-part process. The first part is the deployment on the virtual machine (VM); the second part is configuring the VM using the OpenStack UI.

This section provides detailed instructions for the VM deployment in Steps 1–3. From Step 4 onward, the documentation walks you through the configuration that is needed in the OpenStack UI.

Before you begin

Verify that these prerequisites are met:

  • A functional OpenStack environment with necessary access privileges.

  • A Python environment installed (version 2.x or 3.x) for verification.

Procedure

Step 1

Download the Crosswork Data Gateway (qcow2) package:

  1. Download the latest available Crosswork Data Gateway image (*.bios.signed.bin) from cisco.com to your local machine or a network location accessible to your OpenStack instance. For these instructions, we use the package names cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz and cdg-7.1.0-sample-install-scripts.tar.gz.

Step 2

Validate the downloaded qcow2 package:

  1. Unzip the installer bundle by running this command:

    tar -xvzf cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz

    This command extracts the files and verifies the authenticity of the product.

    After extraction, the following files will be present in the directory:

    README
    cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz
    cdg-deployment-7.1.0-17.uefi.qcow2.tar.gz
    cisco_x509_verify_release.py3
    cisco_x509_verify_release
    CDG-CCO_RELEASE

  2. Verify the signature of the build:

    To validate the integrity of the downloaded file, run the signature verification script. Ensure the machine running the script has HTTP access to cisco.com. If HTTP access is restricted, or if you do not receive a successful verification message after running the script, contact the Cisco Customer Experience team for assistance.

    Depending on the Python version in use, execute one of the commands:

    Table 10. Supported Python version

    | If the Python version is... | Use the command... |
    | --- | --- |
    | Python 2.x | python cisco_x509_verify_release.py -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512 |
    | Python 3.x | python cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512 |

Step 3

Choose one of the following options based on the addressing method you plan to use for the Crosswork Data Gateway VM:

Step 4

For instructions on configuring the Data Gateway through the OpenStack UI, see Configure Crosswork Data Gateway in the OpenStack UI.


What to do next

Confirm that the deployment is successful. See Verify the Crosswork Data Gateway installation in the OpenStack UI.

Configure Crosswork Data Gateway in the OpenStack UI
Procedure

Step 1

Log in to the OpenStack VM from the OpenStack UI.

Step 2

Create the resource profile or flavor.

  1. Navigate to Compute > Flavors.

  2. Enter the required details. For the other optional fields, review the Flavor Information Window.

    • Name—Enter a unique resource name.

    • VCPUs—Enter the number of vCPUs.

    • RAM—Enter the RAM size.

    • Root Disk—Enter the Ephemeral Disk size.

    • Ephemeral Disk—Enter the Ephemeral Disk size.

  3. Click Create Flavor.

Figure 15. Flavor Information
Flavor Information Window

Step 3

Create an image for the OpenStack install.

  1. Enter the details:

    1. Image Name—Specify a name for the image you are creating.

    2. File—Browse to the directory where you have downloaded the Crosswork Data Gateway release image and select the image.

    3. Format—Select QCOW2 - QEMU Emulator from the drop-down list.

    4. Leave the other settings to the values as shown in the image.

  2. Click Create Image.

Figure 16. Create Image
Create Image Window

Step 4

Create a security group policy to allow incoming TCP, UDP, or ICMP connections.

OpenStack does not allow incoming TCP, UDP, or ICMP connections by default. Create a security policy to allow the incoming connections from the TCP, UDP, or ICMP protocols.

Note

Even after deploying Crosswork Data Gateway, you can create security groups and apply them to the VM.

  1. In the OpenStack UI, go to Networks > Security Groups.

  2. Click + Create Security Group.

    Figure 17. Security Groups
    Create Security Group Window

  3. Specify the Name and Description of the security group. Click Create Security Group.

  4. In the new window that appears to create security rules, click Add Rule to create a security policy for each protocol by specifying the direction, port range, and IP address range.

    The security group contains two rules by default. Use the Delete Rule option to delete these rules.

    Figure 18. Manage Security Group Rules
    Manage Security Group Rules Window

Step 5

Create ports with specified IP addresses only when using static addressing.

Important

This step is required only if you are using static addressing. If you are using DHCP addressing, the IP addresses for the ports are automatically assigned from the IP address allocation pool for the subnet.

  1. In the OpenStack UI, navigate to Network > Networks.

  2. Depending on the number of NICs in your deployment, select a network (starting with the management network) and click + Create Ports.

  3. Enter details in the Name and Fixed IP Address fields. Select the Enable Admin State and Port Security check boxes.

    Figure 19. Create Port
    Create Port Window

Step 6

Navigate to Compute > Instances. Click Launch Instance on this page.

A Launch Instance window appears to start the VM installation.

Step 7

In the Details tab, specify the VM name in the Instance Name field and Count as 1. Click Next.

Note

For larger systems, it is likely that you will have more than one Crosswork Data Gateway VM. The Crosswork Data Gateway name should, therefore, be unique and created in a way that makes identifying a specific VM easy. We recommend that you enter the same name that you specified in the Hostname parameter in the config.txt file for the VM.

Figure 20. Launch Instance
Launch Instance Window

Step 8

In the Source tab:

  1. Select Boot Source - Select Image from the drop-down list.

  2. Create New Volume - Select No.

  3. All images available in the OpenStack environment are listed under the Available pane. Click to select the image. This moves the image to the Allocated pane, indicating that it is selected.

  4. Click Next.

Figure 21. Source menu
Launch Instance Window - Source Tab

Step 9

In the Flavor tab, click the flavor you want for the VM to move it from the Available pane to the Allocated pane. Click Next.

Figure 22. Flavor menu
Launch Instance Window - Flavor Tab

Step 10

Assign networks to the VM. Depending on the number of vNICs in your deployment, select up to 3 networks for the VM by clicking each one in the list of networks in the Available pane. Doing this moves the selected networks to the Allocated pane. Click Next.

Important

The order in which you select the networks is important. In a 3-NIC deployment, the first network you select is assigned to the vNIC0 interface, the second to the vNIC1 interface, and the third to the vNIC2 interface.

Figure 23. Networks menu
Launch Instance Window - Networks Tab

Step 11

Assign ports to the VM.

From the list of ports that are displayed in the Available pane, click to move the port to the Allocated pane.

Figure 24. Network Ports menu
Launch Instance Window - Network Ports Tab

Click Next.

Step 12

Assign Security Groups to the VM by moving the security groups you wish to apply to the VM from the Available pane to the Allocated pane.

In the following image, two security groups, default and cdg, are applied to the VM.

Figure 25. Security Groups menu
Launch Instance Window - Security Groups Tab

Click Next.

Step 13

In the Key Pair tab, click Next.

Step 14

In the Configuration tab:

  • Click Choose File to select and upload the config.txt file that you modified and saved for the VM.

  • Select the Configuration Drive check box.

Figure 26. Configuration menu
Launch Instance Window - Configuration Tab

Step 15

Click Launch Instance.

OpenStack starts the installation of the VM.


View the status of the installation of the VMs using the following command:

openstack server list

After the status of the VMs is displayed as Active, wait for about 10 minutes, and check that the VM was deployed properly and is running as expected. See Verify the Crosswork Data Gateway installation in the OpenStack UI.

What to do next

Proceed to enrolling the Crosswork Data Gateway with Crosswork Cloud by generating and exporting the enrollment package. See Obtain the enrollment token using SCP.

Verify the Crosswork Data Gateway installation in the OpenStack UI
Procedure

Step 1

In the OpenStack UI, navigate to Compute > Instances.

A list of installed and pending Crosswork Data Gateway VMs will be displayed here.

Note

The installation status of each VM is shown in the Status, Task, and Power State columns.

Figure 27. Instances window
Instances Window - Status of CDG VM Installation

Step 2

Monitor VMs during installation:

  • If a Crosswork Data Gateway VM is still being installed, its Status will show as Build, Task as Spawning, and Power State as No State.

  • Once the VM is successfully installed, the following status indicators appear:

    • Status: Active

    • Task: None

    • Power State: Running

Figure 28. Installation status
Instances Window - Status of CDG VM Installation

After the Status changes to Active, wait for approximately 10 minutes to ensure proper initialization.

Step 3

Click the name of the Crosswork Data Gateway VM to open the VM's console.

Step 4

Log in to the console using the dg-admin or dg-oper user account, depending on the role assigned to you.

Enter the password that you configured in the config.txt file during the VM setup.

After a successful login, the Interactive Console of Crosswork Data Gateway will be displayed.


How auto-configuration enables Crosswork Data Gateway deployment

The auto-configuration procedure simplifies the Crosswork Data Gateway deployment on OpenStack by discovering missing configuration parameters and defining them automatically. It works through a series of steps that identify and set the essential parameters needed to deploy the base VM.

These stages describe the auto-configuration process.

1. Parameter discovery—The auto-configuration mechanism identifies any missing configuration parameters and sets the mandatory parameters required to install the base VM.

2. DHCP framework—Configuration parameters are passed using the Dynamic Host Configuration Protocol (DHCP).

3. Day 0 configuration—During this initial setup, only essential parameters are defined with default values.

Security measures in auto-configuration

To comply with security policies and ensure the system's integrity, several security measures are embedded within the auto-configuration process. During auto-configuration, a default password is set to meet security policies. Users with dg-admin and dg-oper roles are required to reset this default password upon first login. Additionally, the Crosswork Data Gateway instance does not start its collection services until the default password has been changed.

Network configuration in auto-configuration process

The auto-configuration process is designed to support a straightforward network setup:

  • The auto-configuration process supports a single NIC deployment, specifically configuring eth0 for the Management network.

  • The eth0 interface is used for DHCP interactions, where the DHCP server provides the default values for auto-configuration.

  • These default values can be modified using the Interactive Console. For more information, see Change Current System Settings.

Parameters for auto-configuration

The auto-configuration utility configures these parameters with default values. For more information about these parameters, see Configuration parameters required for Crosswork Data Gateway deployment.

Table 11. Required deployment parameters

| Name | Parameter | Default value |
| --- | --- | --- |
| AllowRFC8190 | AllowRFC8190 | Yes |
| Auditd Server Port | AuditdPort | 60 |
| Deployment | Deployment | Crosswork Cloud |
| Crosswork Controller Port | ControllerPort | 443 |
| Description | Description | CDG auto configure |
| dg-admin Passphrase | dg-adminPassword | changeme. Reset the default value with the password that you have chosen for the dg-admin user. Password must be 10–64 characters. |
| dg-oper Passphrase | dg-operPassword | changeme. Reset the default value with the password you have chosen for the dg-oper user. Password must be 10–64 characters. |
| Data Disk Size | DGAppdataDisk | 5 |
| DNS Address | DNS | 208.67.222.222 208.67.220.220 |
| DNS Security Extensions | DNSSEC | False |
| DNS over TLS | DNSTLS | False |
| DNS Search Domain | Domain | localdomain |
| Crosswork Data Gateway HA mode | HANetworkMode | L2 |
| Hostname | Hostname | dg-<eth0 address> where <eth0-address> is the address of vNIC0. |
| Link-Local Multicast Name Resolution | LLMNR | False |
| Multicast DNS | mDNS | False |
| NicAdministration | NicAdministration | eth0 |
| NicControl | NicControl | eth1 |
| NicDefaultGateway | NicDefaultGateway | eth0 |
| NicExternalLogging | NicExternalLogging | eth0 |
| NicManagement | NicManagement | eth0 |
| NicNBExternalData | NicNBExternalData | eth1 |
| NicNBSystemData | NicNBSystemData | eth1 |
| NicSBData | NicSBData | The last active interface such as eth0 if 1-NIC deployment, eth1 if 2-NIC. |
| NTPv4 Servers | NTP | 162.159.200.1 65.100.46.164 40.76.132.147 104.131.139.195 |
| Use NTPv4 Authentication | NTPAuth | False |
| Profile | Profile | Crosswork-Cloud |
| Syslog Multiserver Mode | SyslogMultiserverMode | Simultaneous |
| Syslog Server Port | SyslogPort | 514 |
| Syslog Server Protocol | SyslogProtocol | UDP |
| Use Syslog over TLS | SyslogTLS | False |
| Use Remote Auditd Server | UseRemoteAuditd | False |
| Use Remote Syslog Server | UseRemoteSyslog | False |
| vNIC IPv4 Method | Vnic0IPv4Method | DHCP |
| vNIC IPv4 Skip Gateway | Vnic0IPv4SkipGateway | False |
| vNIC IPv6 Method | Vnic0IPv6Method | None |
| vNIC IPv6 Skip Gateway | Vnic0IPv6SkipGateway | False |
| vNIC IPv4 Method | Vnic1IPv4Method | None |
| vNIC IPv4 Skip Gateway | Vnic1IPv4SkipGateway | False |
| vNIC IPv6 Method | Vnic1IPv6Method | None |
| vNIC IPv6 Skip Gateway | Vnic1IPv6SkipGateway | False |
| vNIC IPv4 Method | Vnic2IPv4Method | None |
| vNIC IPv4 Skip Gateway | Vnic2IPv4SkipGateway | False |
| vNIC IPv6 Method | Vnic2IPv6Method | None |
| vNIC IPv6 Skip Gateway | Vnic2IPv6SkipGateway | False |

Register Crosswork Data Gateway with Crosswork Cloud applications

Registering a Crosswork Data Gateway with Crosswork Cloud Applications involves uploading a .json registration file. This file contains unique digital certificates that are used to enroll Crosswork Data Gateway into Crosswork Cloud.

Before you begin

Before registering, ensure that

  • you have the .json registration file for Crosswork Data Gateway, and

  • your firewall configuration allows traffic to cdg.crosswork.cisco.com and crosswork.cisco.com (if applicable).

Procedure


Step 1

Access Crosswork Cloud and log in with your credentials.

Step 2

From the main window, navigate to Configure > Data Gateways, then click Add.

Step 3

Click Registration File to upload the enrollment data file you downloaded from Crosswork Data Gateway. Navigate to the location where the .json file is stored and select it. Click Next.

Step 4

Enter a name for the Crosswork Data Gateway instance.

Step 5

In the Application field, select the Crosswork Cloud application to which you are assigning this Crosswork Data Gateway.

Note

Each Data Gateway can only be associated with one Crosswork Cloud application.

Step 6

Fill in the remaining required fields as needed. Click Next.

Step 7

(Optional) Enter a tag name to group Crosswork Data Gateways with similar characteristics or purposes. Click Next.

Step 8

Review the information you've entered to ensure accuracy. Click Next.

Step 9

Click Accept to accept the security certificate.

A confirmation message appears indicating that the Crosswork Data Gateway was added.


What to do next

  • Repeat this procedure to enroll each Crosswork Data Gateway in your network with Crosswork Cloud.

  • To verify that the Crosswork Data Gateway is successfully connected, click Data Gateways, then click the name of the Crosswork Data Gateway, and verify the following values for the Crosswork Data Gateway you added:

    • Session Up: Active

    • Connectivity: Session Up

  • If Crosswork Data Gateway has not connected to the Crosswork Cloud service, see Troubleshoot Crosswork Data Gateway connectivity for potential resolutions.

Verify Crosswork Data Gateway connection

Procedure


Step 1

Log in to Cisco Crosswork Cloud at crosswork.cisco.com.

Step 2

From the main window, choose either Crosswork Cloud Traffic Analysis or Crosswork Cloud Trust Insights.

Step 3

Navigate to Configure > Data Gateways.

Step 4

In the Crosswork Data Gateway table, locate the name of the Crosswork Data Gateway.

Step 5

Check the Connection column. The status will display Session Up to confirm that the connection is active.


Troubleshoot Crosswork Data Gateway connectivity

This section lists common issues that may occur with Crosswork Data Gateway's connectivity to the Cisco Crosswork Cloud application, and provides steps for identifying the root cause and resolving the issue.

Table 12. Troubleshooting issues and actions

Issue: Crosswork Data Gateway cannot be enrolled with Cisco Crosswork Cloud due to an NTP issue (clock drift between the two)

Action:

  1. Log in to the Crosswork Data Gateway VM.

  2. From the main menu, navigate to 5 Troubleshooting > Run show-tech.

  3. Enter the destination where you want to save the tarball containing logs and vital data, then click OK.

  4. In the show-tech logs (found in the file session.log at /cdg/logs/components/controller-gateway/session.log), look for the following error message:

    UNAUTHENTICATED: invalid certificate. reason: x509: certificate has expired or is not yet valid

    If you see this error, it indicates a clock drift between the Crosswork Data Gateway and Cisco Crosswork Cloud.

  5. From the main menu, navigate to 3 Change Current System Settings > 1 Configure NTP.

  6. Configure NTP to synchronize with the clock time on the Cisco Crosswork Cloud server.

  7. After configuring NTP, attempt to enroll the Crosswork Data Gateway with Cisco Crosswork Cloud again.

Issue: Crosswork Data Gateway does not have direct connectivity to external web services.

Action:

  1. If a proxy server is missing in your environment, configure a proxy server.

  2. If a proxy server is already configured, verify that the proxy URL is correct.

  3. Check that the credentials of the proxy server (certificate, proxy name, etc.) are correct.

  4. To update the proxy server details on the Crosswork Data Gateway, see Configure control proxy.