Install and Upgrade the Dynamic Attributes Connector

This chapter discusses how to install and upgrade the Dynamic Attributes Connector on all supported operating systems.

Supported operating systems and third-party software

The dynamic attributes connector requires the following:

  • Ubuntu 18.04 to 22.04.2

  • Red Hat Enterprise Linux (RHEL) 7 or 8

  • Python 3.6.x or later

  • Ansible 2.9 or later

Minimum requirements for all operating systems:

  • 4 CPUs

  • 8 GB RAM

  • For new installations, 100 GB available disk space to install the dynamic attributes connector

If you use a hypervisor:

VMware ESX or ESXi up to 8

If you wish to use vCenter attributes, we also require:

  • vCenter up to 8

  • VMware Tools must be installed on the virtual machine

Virtual machine sizing

We recommend you size your virtual machines as follows:

  • 50 connectors, assuming 5 filters per connector and 20,000 workloads: 4 CPUs; 8 GB RAM; 100 GB available disk space

  • 125 connectors, assuming 5 filters per connector and 50,000 workloads: 8 CPUs, 16 GB RAM, 100 GB available disk space


Note


Failure to size your virtual machines properly can cause the dynamic attributes connector to fail or not to start.


Requirements and prerequisites for the Cisco APIC integration with ASA

Following are the requirements and prerequisites to use Cisco APIC to send dynamic objects to ASA:

  • Network communication: All of the following must be able to communicate with each other securely:

    • ASA 9.16 and later

    • Cisco APIC 4.2(7q) and later

    • Dynamic Attributes Connector virtual machine, version 3.1 and later

  • ASA requirements

    • License: Essentials

      For more information about licensing, see Smart Software Licensing.

    • FQDN: Supported

    • Multi-context: Supported

    • Multi-instance: Supported

    • High availability: Supported

    • Clustering: Supported

  • Permissions required:

    • ASA: privilege 15

    • Cisco APIC: at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain

More information

For more information about the Cisco APIC integration with ASA, see About the integration with ASA.

Install prerequisite software

Before you begin

Make sure you have a physical or virtual machine set up and that the system can communicate with your On-Prem Firewall Management Center or Cloud-Delivered Firewall Management Center.

Procedure


Step 1

(Optional.) If your Ubuntu machine is behind an internet proxy, use a text editor to edit /etc/environment and export the following variables to enable communication with the internet.

Variable              Value

export http_proxy     Use with an HTTP proxy.
                      user:pass@host-or-ip:port

export https_proxy    Use this with an HTTPS proxy.
                      user:pass@host-or-ip:port

export no_proxy       Remove the proxy configuration.
                      export no_proxy="localhost,127.0.0.1"

Examples:

HTTP proxy without authentication:

vi /etc/environment
export http_proxy="myproxy.example.com:8181"

HTTPS proxy with authentication:

vi /etc/environment
export https_proxy="ben.smith:bens-password@myproxy.example.com:8181"

Step 2

Use a different command window to confirm the settings:

env | grep proxy
Example result:
http_proxy=myproxy.example.com:8181

Step 3

Continue with one of the following sections.


Install prerequisite software—RHEL

Before you begin

Do all of the following:

Procedure


Step 1

Make sure Docker is not installed and uninstall it if it is.

docker --version

If Docker is installed, uninstall it as discussed in Uninstall Docker Engine on Ubuntu.

Step 2

Update your repositories.

RHEL 7:
sudo yum -y update && sudo yum -y upgrade
RHEL 8:
sudo dnf -y update && sudo dnf -y upgrade

Step 3

Install the epel repository.

RHEL 7:
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
RHEL 8:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Step 4

(RHEL 7 only.) Install Python 3.

sudo yum install -y python3 libselinux-python3 

Step 5

Install Ansible.

RHEL 7:
sudo yum -y install ansible
RHEL 8:
sudo dnf install -y ansible

Step 6

Verify the Ansible version.

ansible --version
An example follows.

RHEL 7:

ansible 2.9.24
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/stevej/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Mar 20 2020, 17:08:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Note

It's normal for Ansible to reference Python 2.x as the preceding output shows. The connector will still use Python 3.

RHEL 8:
ansible 2.9.24
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/stevej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Mar 18 2021, 08:58:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]

What to do next

Install the connector as discussed in Install the dynamic attributes connector.

To optionally stop using a proxy with the dynamic attributes connector, edit /etc/environment and remove the proxy configuration.

Install prerequisite software—Ubuntu

This task discusses how to install prerequisite software on Ubuntu.

Procedure


Step 1

Make sure Docker is not installed and uninstall it if it is.

docker --version

If Docker is installed, uninstall it as discussed in Uninstall Docker Engine on Ubuntu.

Step 2

Update your repositories.

sudo apt -y update && sudo apt -y upgrade

Step 3

Confirm your Python version.

/usr/bin/python3 --version
If the version is earlier than 3.6, you must install version 3.6 or later.

Step 4

Install Python 3.6.

sudo apt -y install python3.6

Step 5

Install the common libraries.

sudo apt -y install software-properties-common

Step 6

Install Ansible.

sudo apt-add-repository -y -u ppa:ansible/ansible && sudo apt -y install ansible

Step 7

Verify the Ansible version.

ansible --version
An example follows.
ansible --version
ansible 2.9.19
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/admin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.17 (default, Feb 27 2021, 15:10:58) [GCC 7.5.0]

Note

It's normal for Ansible to reference Python 2.x as the preceding output shows. The connector will still use Python 3.6.


What to do next

Install the connector as discussed in Install the dynamic attributes connector.

To optionally stop using a proxy with the dynamic attributes connector, edit /etc/environment and remove the proxy configuration.

Install the dynamic attributes connector

About the installation

This topic discusses installing the dynamic attributes connector. You must install the dynamic attributes connector as a user with sudo privileges but you can run the connector as a non-privileged user.

Before you begin

Make sure your system has the following prerequisite software:

  • Ubuntu 18.04 to 22.04.2

  • Red Hat Enterprise Linux (RHEL) 7 or 8

  • Python 3.6.x or later

  • Ansible 2.9 or later

Minimum requirements for all operating systems:

  • 4 CPUs

  • 8 GB RAM

  • For new installations, 100 GB available disk space to install the dynamic attributes connector

We recommend you size your virtual machines as follows:

  • 50 connectors, assuming 5 filters per connector and 20,000 workloads: 4 CPUs; 8 GB RAM; 100 GB available disk space

  • 125 connectors, assuming 5 filters per connector and 50,000 workloads: 8 CPUs, 16 GB RAM, 100 GB available disk space


Note


Failure to size your virtual machines properly can cause the dynamic attributes connector to fail or not to start.


If you wish to use vCenter attributes, we also require:

  • vCenter up to 8

  • VMware Tools must be installed on the virtual machine

To install prerequisite software, see Install prerequisite software.
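
The following preflight check is an added example, not part of the Cisco documentation or the cisco.csdac collection. It tests a host against the minimums listed above (Python 3.6, Ansible 2.9, no Docker, 4 CPUs, 8 GB RAM, 100 GB free disk) before you run the playbook; the function names and the choice of filesystem to measure are assumptions.

```sh
# Added example: preflight check for the minimums listed on this page.

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# first_version TEXT: print the first dotted version number found in TEXT.
first_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check LABEL COMMAND...: run COMMAND, print PASS/FAIL, remember any failure.
check() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; rc=1; fi
}

# evaluate PYTHON ANSIBLE DOCKER(yes|no) CPUS RAM_GB DISK_GB
# Returns 1 if any requirement from the page is not met.
evaluate() {
    rc=0
    check "Python ${1:-missing} (need 3.6 or later)" version_ge "${1:-0}" 3.6
    check "Ansible ${2:-missing} (need 2.9 or later)" version_ge "${2:-0}" 2.9
    check "Docker already installed: $3 (must be no)" [ "$3" = no ]
    check "CPUs: $4 (need 4)" [ "$4" -ge 4 ]
    check "RAM: $5 GB (need 8)" [ "$5" -ge 8 ]
    check "Free disk: $6 GB (need 100)" [ "$6" -ge 100 ]
    return "$rc"
}

# preflight [PATH]: gather live values. PATH is the filesystem to measure
# (assumption: the page does not say which one the installer checks).
preflight() {
    py=$(first_version "$(/usr/bin/python3 --version 2>/dev/null)")
    ans=$(first_version "$(ansible --version 2>/dev/null | head -n 1)")
    if command -v docker >/dev/null 2>&1; then dock=yes; else dock=no; fi
    # RAM is rounded up because a VM given 8 GB reports slightly less.
    ram=$(awk '/^MemTotal:/ { printf "%d", ($2 + 1048575) / 1048576 }' /proc/meminfo)
    disk=$(df -Pk "${1:-/}" | awk 'NR == 2 { printf "%d", $4 / 1048576 }')
    evaluate "$py" "$ans" "$dock" "$(getconf _NPROCESSORS_ONLN)" "$ram" "$disk"
}
if [ "${1:-}" = run ]; then preflight "${2:-/}"; fi
```

Save it to a file and run it with the arguments run and, optionally, the path of the filesystem to measure; a non-zero exit status means at least one requirement is not met.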

View the Readme and Release Notes

For the latest installation information, see the following:

Readme: https://galaxy.ansible.com/cisco/csdac

Release Notes: Release Notes

Install the muster service

The muster service is another name for the dynamic attributes connector.

Run the following command from the ~/.ansible/collections/ansible_collections/cisco/csdac directory.

ansible-playbook default_playbook.yml [--ask-become-pass] [--extra-vars "vars"]

Syntax Description

--ask-become-pass

Prompts you to enter the sudo password. Required if sudo is enabled on your machine.

--extra-vars

The following optional extra variables enable the dynamic attributes connector to use a proxy. The value you use must match the value in /etc/environment, which you configured as discussed in Install prerequisite software.

  • csdac_proxy_enabled=true

  • csdac_http_proxy_url=http://PROXY_URL

  • csdac_https_proxy_url=PROXY_URL

The following optional extra variables create a self-signed certificate you can use to securely connect to the dynamic attributes connector. If you omit these parameters, the dynamic attributes connector uses a default certificate.

  • csdac_certificate_domain

    Domain name for the autogenerated certificate. The default is the host name of the machine, as autodetected by Ansible.

  • csdac_certificate_country_name

    Two-letter country code. (Default is US)

  • csdac_certificate_organization_name

    Organization name. (Default is Cisco)

  • csdac_certificate_organization_unit_name

    Organizational unit name. (Default is Cisco)

The following optional extra variables enable you to skip validation checks.

  • skip_disk_space_check=true

    Skip the available disk space check when installing the dynamic attributes connector. We recommend doing this if your system has less than 100GB free disk space; however, you could experience unpredictable performance if the disk fills up.

  • skip_all_verifications=true

    Skip the available disk space and internet verifications when installing the dynamic attributes connector.

The following optional extra variable enables you to set group ownership for TBD files and directories after installation: user_group=any_existing_user_group
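
The syntax description above requires the proxy extra variables to match /etc/environment. The following check is an added example, not part of the Cisco documentation or the cisco.csdac collection; its function names are hypothetical, and it assumes the two values count as matching once any leading scheme such as http:// is removed.

```sh
# Added example: confirm proxy --extra-vars agree with /etc/environment.

# env_value FILE NAME: last value assigned to NAME ("export" and quotes optional).
env_value() {
    sed -n -e "s/^export  *$2=//p" -e "s/^$2=//p" "$1" | tail -n 1 |
        sed 's/^"\(.*\)"$/\1/'
}

# extra_var STRING NAME: value of NAME in a space-separated key=value string.
extra_var() {
    for kv in $1; do
        case $kv in "$2"=*) printf '%s\n' "${kv#*=}" ;; esac
    done
}

# strip_scheme URL: drop a leading scheme:// so both notations compare equal.
strip_scheme() { printf '%s\n' "${1#*://}"; }

# proxy_vars_match FILE EXTRA_VARS: returns 1 on any mismatch. Only variable
# names are printed, because the values may embed user:pass credentials.
proxy_vars_match() {
    rc=0
    for pair in http_proxy:csdac_http_proxy_url https_proxy:csdac_https_proxy_url; do
        want=$(strip_scheme "$(env_value "$1" "${pair%%:*}")")
        got=$(strip_scheme "$(extra_var "$2" "${pair#*:}")")
        if [ "$want" = "$got" ]; then echo "MATCH    ${pair%%:*} / ${pair#*:}"
        else echo "MISMATCH ${pair%%:*} / ${pair#*:}"; rc=1; fi
    done
    return "$rc"
}

# demo: run the check on a constructed /etc/environment-style file.
demo() {
    f=$(mktemp)
    printf '%s\n' 'export http_proxy="myproxy.example.com:8181"' \
        'export https_proxy="myproxy.example.com:8181"' > "$f"
    proxy_vars_match "$f" "csdac_proxy_enabled=true \
csdac_http_proxy_url=http://myproxy.example.com:8181 \
csdac_https_proxy_url=myproxy.example.com:8181" && status=0 || status=1
    rm -f "$f"
    return "$status"
}
```

On a real host, call proxy_vars_match with /etc/environment and the exact string you intend to pass to --extra-vars.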

Example installation with a default certificate

For example, to install the software with default options:

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass 

Example installation with optional certificate

For example, to install the software with an optional certificate:

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass --extra-vars "csdac_certificate_domain=domain.example.com csdac_certificate_country_name=US csdac_certificate_organization_name=Cisco csdac_certificate_organization_unit_name=Engineering"

After you create the certificate, import it into the web browser you'll use to access the connector. The certificate is created in the ~/csdac/app/config/certs directory.

Example installation skipping the disk space check

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass --extra-vars "skip_disk_space_check=true"

Example installation skipping all verification checks and assigning group ownership to mygroup

ansible-galaxy collection install cisco.csdac
cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-playbook default_playbook.yml --ask-become-pass --extra-vars "skip_all_verifications=true user_group=mygroup"

View the installation log

The installation log is located as follows:

~/.ansible/collections/ansible_collections/cisco/csdac/logs/csdac.log

Use your certificate to connect to the dynamic attributes connector

If you have a certificate and key, put them in the ~/csdac/app/config/certs directory on your virtual machine.

After you perform the preceding task, restart the dynamic attributes connector's Docker container by entering the following command:
docker restart muster-ui

Log in to the connector

  1. Access the dynamic attributes connector at https://ip-address

  2. Log in.

    The initial login is username admin, password admin. You are required to change the password the first time you log in.

Upgrade the dynamic attributes connector

This topic discusses how to upgrade from any earlier dynamic attributes connector to the current version. These tasks can be performed regardless of dynamic attributes connector version or operating system.

Procedure


Step 1

Log in to the machine you want to upgrade.

Step 2

Enter the following commands:

cd ~/.ansible/collections/ansible_collections/cisco/csdac
ansible-galaxy collection install cisco.csdac --force
ansible-playbook default_playbook.yml --ask-become-pass [--extra-vars vars]

Syntax Description

--ask-become-pass

Prompts you to enter the sudo password. Required if sudo is enabled on your machine.

--extra-vars

The following optional extra variables enable the dynamic attributes connector to use a proxy. The value you use must match the value in /etc/environment, which you configured as discussed in Install prerequisite software.

  • csdac_proxy_enabled=true

  • csdac_http_proxy_url=http://PROXY_URL

  • csdac_https_proxy_url=PROXY_URL

The following optional extra variables create a self-signed certificate you can use to securely connect to the dynamic attributes connector. If you omit these parameters, the dynamic attributes connector uses a default certificate.

  • csdac_certificate_domain

    Domain name for the autogenerated certificate. The default is the host name of the machine, as autodetected by Ansible.

  • csdac_certificate_country_name

    Two-letter country code. (Default is US)

  • csdac_certificate_organization_name

    Organization name. (Default is Cisco)

  • csdac_certificate_organization_unit_name

    Organizational unit name. (Default is Cisco)

Step 3

Wait for the upgrade to complete.

Step 4

Upgrade logs are available in the following location:

~/.ansible/collections/ansible_collections/cisco/csdac/logs/csdac.log