This page provides a step-by-step procedure on how to get started with Cisco Secure Application. 

If there are multiple tenants on your Controller with argento.enabled=true, you need to sign in to the Controller with <tenant>.<controller dns name>. Otherwise, the Security tab is not visible in the Controller UI.

Install Cisco Secure Application Services

Configure Domain Name System

To configure the Domain Name System (DNS): 

  1. Ensure that there is a record for the Virtual Appliance IP address matching dnsDomain in /var/appd/globals.yaml.gotmpl.
    This allows Controller traffic to proxy through the Virtual Appliance.
  2. Ensure that there is a record for the host name of the standalone Controller. 
  3. Add entries to DNS for each tenant enabled in the Controller with Cisco Secure Application. 
    For hybrid deployments, you must add <tenant>-tnt-authn.mycompany.com for each tenant, whether the deployment is single-tenant or multi-tenant. This example assumes that mycompany.com is the value of dnsDomain. The record is needed so that the Controller can connect to the Virtual Appliance authentication service. For standard deployments, you do not need to add the tenant records because the cluster is managed with internal DNS.

Create a Virtual Appliance Ingress Certificate 

If you import an ingress certificate into the Virtual Appliance instead of the default self-signed certificate, the ingress certificate must include additional Subject Alt Names. The Subject Alt Names must match every DNS record created in the Configure Domain Name System section.

Apply Feed Files

Feed files are applied for two reasons: 

  • The Cisco Secure Application system is not fully functional until a feed file is downloaded and imported into the system.
  • Daily updates of the feed file are required to receive the latest security signatures, which cover the latest security vulnerabilities and attack detection.

There are two methods to import the feed file into the deployment: automatic feed downloads and manual feed downloads.

You must follow one download process and not use a combination of both. Configuring an automatic download, while also configuring a manual download, is not supported. 

Automatic Feed Download 

Configure feed downloads because without feed data, the Cisco Secure Application system is restricted. Feed data is refreshed daily by the automatic feed download process. You must provision a user under your Cisco AppDynamics Portal and provide those credentials to the on-premises Cisco Secure Application deployment using the command-line interface (CLI).

It's recommended that you create a user under your tenant in the Cisco AppDynamics Portal that does not have Admin privileges. This can be used for automatic feed downloads.

Example command for automatic download configuration: 

appduser@jason-1:~$ ./appdcli run secapp_feedinit
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password: 
Enter download portal username: john.doe@domain.com
Enter download portal password: 
SecApp feed download configuration completed.

Manual Feed Download

Manual feed downloads are required when your on-premises deployment is in an air-gapped environment and does not have access to the internet. For manual feed downloads, you must request an air-gap feed key from Customer Support and configure that key using the CLI. Once that's configured, you need to periodically download the feed file from the Downloads Portal and upload it to your on-premises deployment using the CLI. We recommend doing this on a daily basis.

Example command to set the air-gap key. You only need to use this command once; after that, you can start the daily uploads:

appduser@jason-1:~$ ./appdcli run secapp_airgap_key
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password: 
Enter air-gap feed key: <your key here> 
SecApp air-gap feed key set. 

Example command to upload the feed file after downloading it from the Downloads Portal. We recommend doing this on a daily basis:

appduser@jason-1:~/appd-charts$ ../appdcli run secapp_feedupload
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password:
Enter path to feed file: ../secapp-data-001714012719.dat
SecApp feed upload completed.  

Configure Your Agents for Cisco Secure Application 

Extract the Ingress CA or Server Certificate

  1. Determine the provider of the server certificate: 
    Log into the cluster node and examine /var/appd/globals.yaml.gotmpl. If the value of ingress.defaultCert is true, this indicates that the On-Premises Virtual Appliance provided the CA and a server certificate. Otherwise, you provided a custom TLS certificate.

    The upgrade process sets ingress.defaultCert to false.


  2. If the On-Premises Virtual Appliance provided the CA certificate, run this command to extract a copy of it: 

    kubectl get secret ingress-cert-secret -n ingress-master -o jsonpath="{.data.ca\.crt}" | base64 --decode > ca.crt
  3. If you provided a custom TLS certificate, run this command to extract a copy of it: 
    kubectl get secret custom-ingress-secret -n ingress-master -o jsonpath="{.data.tls\.crt}" | base64 --decode > certificate.crt

Update the Agent Configuration

  • For Java agents:
    • Import the CA or server certificate into your Java agent's trust store by following the steps in Enable SSL for the Java Agent.
    • For general details on Java agent configuration, see Install the Java Agent.

      Certain features of Cisco Secure Application are currently not available when using Java Development Kit (JDK) versions 23 and 24. This is due to the removal of the security manager in these versions. As a result, the following runtime eventing features are impacted:

      • Remote Command Execution
      • Listening Server Sockets
      • Outbound Web API Connections
      • File Access (including reading, writing, creating, and deleting)

      We are committed to resolving this issue and are actively working on a permanent solution to ensure full compatibility with JDK versions 23 and above. Thank you for your understanding and patience as we enhance our product to support these newer Java versions.

  • For .NET agents on Linux hosts:
    • For general details on .NET agent configuration, see Install the .NET Agent for Linux.
    • In the agent configuration, specify the location of the file you extracted above. You can specify this location in your agent's configuration file or with the APPDYNAMICS_CONTROLLER_SSL_CERTFILE environment variable (see Configuring SSL Variables for .NET Agents):
      {
        "controller": {
          "host": "ec2-18-236-232-10.us-west-2.compute.amazonaws.com",
          "port": 443,
          "ssl": true,
          "certfile": "_path_to_single_certificate_file_"
        }
      }
  • For .NET agents on Windows hosts:
    • In the agent configuration, specify the location of the file you extracted above. You can specify this location in your agent's configuration file or with the APPDYNAMICS_CONTROLLER_SSL_CERTFILE environment variable (see Configuring SSL Variables for .NET Agents):
      <controller host="ec2-18-236-232-10.us-west-2.compute.amazonaws.com" port="443" ssl="true" enable_tls12="true" ssl-certificate-file="_path_to_single_certificate_file_" >
      ...
      </controller>
       
  • For Node.js agents:
    • Confirm that the Node.js agent version is at least 24.9.0.
    • Add this to the require statement in its configuration file. For details, see Install and Configure Cisco Secure Application v24.10.
      require("appdynamics").profile({
          controllerHostName: '<controllerHost>',
          controllerPort: 443,
          controllerSslEnabled: true,
          accountName: '<accountName>',
          accountAccessKey: '<accessKey>',
          applicationName: '<appName>',
          tierName: '<tierName>',
          nodeName: '<nodeName>',
          secureAppEnabled: true,
          certificateFile: '_path_to_single_certificate_file_'
      })



Enable Cisco Secure Application on On-Premises Virtual Appliance

Follow the steps to configure Cisco Secure Application:


Step 1

Integrate Cisco Secure Application with your agents:

  • For the Java agent:
    • Confirm that the Java agent version is at least 24.4.1.
    • Add this node property: 
      enable-secapp-service
  • For the .NET agent:
    • Confirm that the .NET agent version is at least 24.4.0.1.
    • Add this node property: 
      enable-secapp-service
Step 2

Assign roles using the Splunk AppDynamics Administration Console.

  1. Assign the Configure Cisco Secure Application account permission to the users who are required to modify configurable fields on the Cisco Secure Application dashboard.
  2. Assign View Cisco Secure Application account permissions to users who are required to only monitor the dashboard.
Step 3

Click on the Security tab in the top navigation bar.

Launch the required Splunk AppDynamics Application dashboard using your account, and then click Security on the top pane.

This redirects you to the Cisco Secure Application dashboard.

Step 4

From the Cisco Secure Application Dashboard, navigate to the Applications page, and then set Security Setting to Enabled for the target application.

The Security Setting value is set to Inherit by default for all applications that inherit the non-configurable tenant setting of Disabled. To enable security for an application, you must set Security Setting to Enabled.

Step 5

From the Applications page, verify that the application nodes are registered and active.

From the Applications page, check the Active Nodes and Registered Nodes fields for the specific application. Ensure that the application nodes are active. If the nodes are not active, then the application security data is not displayed on the dashboard.

Step 6

From the Libraries page, view the risk-sorted libraries of secured applications.

The Libraries page displays all the existing libraries of application(s) based on the selected application scope. You can use the risk score to prioritize the remediation task.

For more information, see Getting Started with Cisco Secure Application.

Troubleshoot Authentication Failures

Sometimes, reinstalling secureapp puts auth-mysql into a perpetual failed state, which causes authentications to fail. If this occurs, do the following:

  1. Reset auth-mysql:
    helm delete -n authn auth-service auth-service-ingress
    kubectl wait --for=delete -n authn po/auth-mysql-0 innodbcluster/auth-mysql --timeout=180s
    PVS=$(kubectl get pv -o yaml | yq '.items[] | select(.spec.claimRef.name=="datadir-auth-mysql-0")|.metadata.name')
  2. Confirm that there is one persistent volume (PV), and delete it:
    echo $PVS
    kubectl delete pv --timeout=120s $PVS
  3. If the PV doesn't delete:
    1. Delete the persistent volume claim (PVC): 
      kubectl delete pvc -n authn datadir-auth-mysql-0
    2. If the PV still exists, manually remove the finalizer on the PV: 
      kubectl patch pv --patch '{"metadata":{"finalizers":null}}' $PVS
  4. Delete the authn namespace:
    kubectl delete ns authn
  5. Restart Cisco Secure Application: 
    appdcli run secapp
  6. Start the reconfiguration of the authn service in the background:
    kubectl patch cm -n cisco-secureapp tenant-config --patch '{"data": null}' --type merge


After a minute or two, authentications should succeed again.

Troubleshoot Other Issues

For common troubleshooting steps, see Troubleshoot Virtual Appliance Issues.