Deploying Secure Workload Virtual
About Deploying Secure Workload Virtual
Secure Workload Virtual (also known as Tetration-V) is a software solution for deploying Cisco Secure Workload (formerly known as Cisco Tetration) in the VMware ESXi environment.
For more information about Cisco Secure Workload, see https://www.cisco.com/c/en/us/products/security/tetration/index.html.
Limitations
-
Beginning September 1, 2021:
Secure Workload Virtual (Tetration-V) can be used only for proof of concept (POC) or proof of value (POV) in non-production environments.
For purchases before September 1, 2021:
Tetration-V was intended for small scale deployments or environments where virtualization is the only available compute option.
-
Snapshots of VMs are not supported
-
Hardware sensors are not supported with Secure Workload Virtual.
Prerequisites
To deploy the Secure Workload virtual appliance in the VMware ESXi environment, your set-up must meet the following requirements:
Software Prerequisites
-
Hypervisor
-
VMware high availability cluster running a supported VMware vSphere version:
-
For Secure Workload version 3.6.x: VMware vSphere 6.5, 6.7, or 7.0.3
-
For Tetration versions through 3.5.x: VMware vSphere version 6.5 or 6.7
-
-
vSphere 6.7U3 or later with HTML5 client for deployment is recommended
-
The version requirement applies to all components, such as the hypervisors, core management, authentication and services, and upgrade and patch management
-
The deployment must be running in a configuration supported by VMware
-
All hosts must be part of a single HA cluster with Distributed Resource Scheduler (DRS) enabled
-
-
The Tetration virtual appliance install OVA for VMware ESXi environment OVA file, available from the Software Downloads page on Cisco.com.
-
Required Secure Workload (Tetration) RPMs, also available from the Software Downloads page on Cisco.com:
-
OS Adhoc
-
OS Enforcement
(not applicable for releases earlier than 3.5.1.x)
-
OS Mother
-
OS OVA
-
OS RPMInstall
-
Hardware Prerequisites
-
To ensure the highest performance, it is recommended to use dedicated hardware for the cluster.
-
Infrastructure capable of hosting:
-
128 physical CPU cores with a minimum of 2 GHz clock speed
-
2 TB RAM
-
The virtual machines will be as large as 128 GB.
-
The memory cannot be overcommitted.
-
-
18.1 TB Storage
-
The storage must be high performance, such as flash memory or SSD, that is capable of a minimum of 5,000 I/O operations per second (IOPS).
-
The storage must be accessible from all of the nodes in the cluster.
-
The storage must be provisioned as a single, shared VMware vSphere datastore. Hyperflex, vSAN, FC/FCoESAN, NFS, and iSCSI are supported.
-
The storage must be durable.
-
-
A resource check is performed at deployment, however the infrastructure must be managed to stay within requirements.
-
-
Network infrastructure
-
All hosts in the cluster should be connected with at least 10 Gigabit Ethernet (GbE) interfaces.
-
All hosts must have three virtual networks available for Secure Workload purposes.
-
Public Network – Dedicated or shared public network for external cluster traffic that must be reachable from sensors and clients and have access to the vCenter. This network is used for Secure Workload application access. You must specify a minimum subnet of /28. If the external network is dedicated with the full range of IP addresses being available, then eight IP addresses are automatically consumed as shown in the following table:
Table 1. IP Address in Range IP Address
Description
1st
Gateway IP address (Reserved).
2nd and 3rd
Reserved
4th
Web UI virtual IP address.
5th
Sensor management virtual IP address.
6th
Collector.
7th
Collector.
8th
Application interface.
9th
Application interface.
10th
Adhoc-Kafka.
11th
Orchestrator; used as needed.
If the public network is shared, you must define specific available addresses.
-
Private Network – Dedicated private network for internal cluster communication that must not be routable nor shared. You must specify a minimum subnet of /26. We recommend a subnet of /24.
-
Configuration Network – Temporary network for a bootstrapping cluster that must be reachable by the user who is performing the deployment, and must also have access to the VMware vCenter. This should be a separate subnet from the public subnet, and should be shut down after the deployment has completed. This network is used for Secure Workload setup interface access.
-
-
VMware vSphere Distributed Switch (VDS)
-
The VDS may be native or Cisco ACI-controlled.
-
All hosts must have a consistent network configuration with a common VDS.
-
-
If you use a VDS, it must include all of the hosts in the cluster.
-
Note |
Despite hardware recommendations being satisfied, no performance guarantee or SLA can be made since other factors may impact the overall performance of the Secure Workload software. |
Network Connectivity / Firewall Requirements during deployment
During deployment, the bootstrap orchestrator will have two public facing IP addresses assigned:
-
Configuration network
-
Public network
Orchestrator will automatically assign the last address in the Public network, and use that for performing Site Checker validation. This includes (but is not limited to): SMTP, DNS, NTP, Ping, vCenter connection tests. After Site Checker validation has completed, orchestrator will remove the IP address, and continue the rest of deployment using the Configuration network. The following connectivity will be established:
Network |
Destination |
Protocol |
Port |
---|---|---|---|
Config and Public |
DNS server |
UDP |
53 |
Config and Public |
NTP server |
UDP |
123 |
Public |
SMTP server |
TCP |
SMTP Port |
Config and Public |
vCenter host |
TCP |
443 |
Config |
ESXi Hosts* (see note below table) |
TCP |
443 |
* OVF tool establishes connectivity with vCenter, which redirects to ESX for large file transfers
After the deployment has completed, the Configuration network will remove its IP address and shut down the interface. Upgrades will be done entirely using the Public network.
SSH Public Key
You must have an SSH public key for remote support access to the Secure Workload platform if the GUI is unavailable. Before you begin installing the Secure Workload virtual appliance, generate an RSA 4096 bit key pair. You will specify this key during the installation. Keep the private key secure and available for future use.
Email Addresses
You must provide 3 unique email addresses that are used for initial system access and outbound alerting.
Email Address |
Description |
---|---|
Site-Admin |
This address is used to create a default administrator account. |
Customer-Support |
This address is used to create a default customer support account. |
Alerts |
This address is used for outbound alerts. |
Recommended VMware Configuration Settings
Each VMware vSphere deployment can have different requirements, constraints, and best practices that the administrator has implemented. The Secure Workload installer does not make any configuration changes to the VMware vSphere deployment. The recommendations in this section should not replace the advice and careful planning of a VMware expert. If you do not follow these recommendations, the availability of the data might suffer and Secure Workload might not function completely or as intended.
The following list contains the recommended VMware configuration settings:
-
Enable the VMware vSphere Distributed Resource Scheduler (DRS), VMware vSphere high availability (HA) for host failure, and VMware vMotion on the cluster where Secure Workload will be deployed. This will help provide availability and performance for instances in the Secure Workload cluster.
-
Datastores must be highly available and durable, meaning that data is stored redundantly and is resistant to hardware failure.
-
Set the hypervisor hosts and VMware vCenter server clocks correctly and synchronize the clocks using the Network Time Protocol (NTP).
After deployment, you will configure anti-affinity rules as described in the deployment procedure below.
VMware Permissions
The Secure Workload installer requires credentials to access VMware vSphere for creating virtual machines, folders, files in the Datastore, and to connect to virtual switches and datastores.
We strongly recommend that you use a separate user account for the Secure Workload installer, which has the minimum required permissions to perform the installation.
The following permissions can be used as a starting point for creating the VMware user account role:
-
Content Library
-
Datastore
-
Folder\Create Folder
-
Network\Assign network
-
Resource
-
Tasks
-
Virtual Machine
-
dvPort Group
-
vApp
-
vSphere Tagging (Labeling)
The open-source utility Terraform is used for managing some resources in vSphere. For more information on required permissions from Terraform, please see https://www.terraform.io/docs/providers/vsphere/index.html#notes-on-required-privileges.
Site Information
Your setup must meet the following site information requirements:
Network Tab
-
External Network—The external network subnet, which must have at least 8 free IP addresses.
-
Unless you configure the external IP addresses in the Advanced tab, automatic assignment is used with the following rules:
-
Automatic assignment attempts to allocate the IP addresses automatically.
-
Automatic assignment skips the first 3 and last 3 IP addresses, and inclusively assigns the 4th IP address up through the 4th to last IP address.
-
The first usable IP address in the subnet is used as the gateway.
For example, if you specify 192.168.1.0/28 for the subnet, 192.168.1.1 is the gateway and IP addresses 192.168.1.4 through 192.168.11 will be used.
-
-
ESX Tab
-
vSphere Host—The IP address or hostname of the VMware vCenter server.
-
vSphere Username—The username for the VMware vSphere account that has the necessary roles to upload files and create virtual machines.
-
vSphere Password—The password for the VMware vSphere account.
-
vSphere Datacenter—The name of target the VMware vSphere data center.
-
Cluster—The cluster into which virtual machines will be placed.
-
VM Folder Name—The name of the folder in which Secure Workload virtual machines will be placed. Nested folders are not supported.
-
Datastore—The datastore into which virtual machines will be allocated for storage.
-
Private Network Port Group—The name of the virtual switch port group to use for private networking.
-
Public Network—The name of the virtual switch port group to use for public networking.
-
Cloud Init Folder—The folder name on the datastore that will be used for storing the deployment configuration files.
Advanced Tab (Optional)
-
External IPs—If a shared subnet will be used for the public network, specify the list of IP addresses that might be used by the deployment. The IP addresses must meet the following requirements:
-
8 IP addresses are required.
-
The first three IP addresses in a subnet cannot be specified.
-
The first usable IP address in the subnet is used as the gateway.
For example, you can specify 8 IP addresses in the 192.168.1.0/24 subnet, but IP addresses 192.168.1.1 through 192.168.1.3 cannot be used. 192.168.1.1 is gateway.
-
External Service Parameters
The following table provides information about the external service parameters:
Service |
Parameters |
Required/Optional |
---|---|---|
vCenter |
vCenter Host User Credentials VM Folder Cluster and Data Center Names Port Groups—Orchestrator, Public, and Private Datastore Name |
Required |
DNS |
One or more DNS servers |
Required |
NTP |
One or more NTP servers |
Required |
SMTP |
SMTP Host SMTP Port Authentication Credentials (optional) |
Required |
Proxy |
HTTP Proxy Server and Port HTTPS Proxy Server and Port |
Optional |
Syslog |
Syslog Server and Port |
Optional |
Cluster Parameters
The following table provides information about the cluster parameters:
Parameters |
Required/Optional |
Notes |
---|---|---|
Site Name |
Required |
You cannot change the name after deployment. The name must match the host portion of the UI FQDN. |
UI FQDN |
Required |
The FQDN should be resolvable in the DNS. |
Deploying the Secure Workload Virtual Appliance in the VMware ESXi Environment
The following procedure deploys the Secure Workload virtual appliance in the VMware ESXi environment. First, you deploy the orchestrator OVA, then you set up Secure Workload.
Procedure
Step 1 |
Log in to the VMware vSphere Web interface. |
||
Step 2 |
Create a new Folder with the intended site name of the cluster. |
||
Step 3 |
Right-click the target cluster and choose Deploy OVF Template. |
||
Step 4 |
Enter the location of the OVF template. We recommend that you host the orchestrator OVA on a Web server close to the ESX cluster. Because the orchestrator OVA is over 5GB, the file can take a long time to transfer on a slow link. |
||
Step 5 |
Click Next. |
||
Step 6 |
Enter orchestrator-1 for the virtual machine name. Make sure that the virtual machine deploys in the intended data center and in the Secure Workload deployment folder named with the cluster site name. |
||
Step 7 |
Click Next. |
||
Step 8 |
Confirm that the chosen cluster is the intended target. |
||
Step 9 |
Click Next. |
||
Step 10 |
Review the licensing agreement, and if you agree to the terms, click Accept. |
||
Step 11 |
Click Next. |
||
Step 12 |
Use the default configuration profile (2CPU-8GB) and click Next. |
||
Step 13 |
Choose the datastore that you want for the deployment. You can leave all other options at their default settings, unless the environment requires other settings. |
||
Step 14 |
Click Next. |
||
Step 15 |
Choose the appropriate network mapping.
|
||
Step 16 |
Click Next. |
||
Step 17 |
Enter the orchestrator reachability details for the configuration network.
|
||
Step 18 |
Confirm all of your configuration parameters. |
||
Step 19 |
Click Finish. After a few minutes, the OVF will be deployed. After the OVA upload completes, you might need to refresh the VMware vSphere GUI session to be able to power on and access the orchestrator virtual machine. |
||
Step 20 |
If necessary, click the Refresh button next to the logged in user name at the top right of the VMware vSphere console. |
||
Step 21 |
Power on the orchestrator-1 virtual machine. Within a few minutes, the IP address that you entered in step 17 begins replying to ping requests. |
||
Step 22 |
After the orchestrator is up, open a new browser tab and point your browser to the following URL:
The Setup window opens in your browser.
|
||
Step 23 |
In the Setup window, upload the RPMs in the following order:
To upload the RPMs, perform the following substeps:
|
||
Step 24 |
Enter the site information following the standard installation procedure, and see Site Information for hypervisor-specific guidelines. |
||
Step 25 |
Click Continue and follow the standard site installation steps. After the deployment starts, you will begin to see virtual machines that are created in VMware vSphere in the order of orchestrator-2 and orchestrator-3, then the rest of the Secure Workload stack. If you do not see any virtual machines that were created after 15 minutes, check the deployment logs that are available in the Setup window by clicking the Details button. |
||
Step 26 |
Monitor the Secure Workload setup process, which takes approximately 1.5 hours to complete on hardware that matches the recommended specifications. After deployment has reached 100%, take note of the virtual IP address that is shown in the status line. If you accidentally close the installer, note the IP address for the virtual IP address. The virtual IP address is the first available IP address that was provided to the installer. |
||
Step 27 |
Open a tab page in your browser and point the browser to the GUI fully qualified domain name (FQDN) that you entered in the site information section. |
||
Step 28 |
Click Forgot Password?. |
||
Step 29 |
Enter the email address that you entered for the site administrator and click Send password reset link. |
||
Step 30 |
Check your inbox for the email and follow the included instructions. If necessary, check your Spam folder. |
||
Step 31 |
Configure anti-affinity rules for certain VM roles that provide redundancy within the Secure Workload infrastructure. Anti-affinity rules must be put in place for instances of the following base types:
|
||
Step 32 |
In the VMware VM configuration screen, right-click orchestrator-1 and choose Edit Settings. |
||
Step 33 |
Click the Virtual Hardware tab. |
||
Step 34 |
For Network Adapter 3, deselect the Connected box. |
||
Step 35 |
Click OK to apply the changes. Failure to remove the checkmark from the Connected box can leave the cluster exposed to other configurations after the installation process has completed. |
Licensing
Clusters on this platform are restricted to a 30-day trial license when deployed. After 30 days, the cluster will stop processing new data, but the user interface and data collected and processed when the cluster was active will still be accessible. To avoid service disruption, you must apply valid licensing before the evaluation period expires. For more information, see the online help/user guide in the Cisco Secure Workload web portal.
Administrative Guidelines for Commission/Decommission
When using the commission/decommission feature for Secure Workload Virtual environments, please observe the following important guidelines:
-
This feature is meant to be used only with the assistance of Cisco TAC, and can cause unrecoverable damage if used incorrectly. No two VMs should ever be decommissioned at the same time, without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:
-
More than one Orchestrator
-
More than one datanode
-
More than one namenode (namenode or secondaryNamenode)
-
More than one resourceManager
-
More than one happobat
-
More than one mongodb (mongodb or mongoArbiter)
-
-
Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission process for different VMs at the same time.
-
Please always contact Cisco TAC prior to using the esx_commission snapshot endpoint.