This page provides a step-by-step procedure on how to get started with Cisco Secure Application. 

If there are multiple tenants on your Controller with argento.enabled=true, you must sign in to the Controller as <tenant>.<controller dns name>. Otherwise, the Security tab is not visible in the Controller UI.

Install Cisco Secure Application Services

Configure Domain Name System

To configure the Domain Name System (DNS): 

  1. Ensure that there is a record for the Virtual Appliance IP address matching the value of dnsDomain in /var/appd/globals.yaml.gotmpl.
    This allows Controller traffic to be proxied through the Virtual Appliance.
  2. Ensure that there is a record for the host name of the standalone Controller.
  3. Add DNS entries for each tenant enabled in the Controller with Cisco Secure Application.
    For hybrid deployments, you must add <tenant>-tnt-authn.<dnsDomain> for every tenant, regardless of whether the Controller is single-tenant or multi-tenant; for example, <tenant>-tnt-authn.mycompany.com if mycompany.com is the value of dnsDomain. The Controller uses this name to reach the Virtual Appliance authentication service. For standard deployments, you do not need to add tenant records because the cluster is managed with internal DNS.

Create a Virtual Appliance Ingress Certificate 

If you import an ingress certificate into the Virtual Appliance instead of the default self-signed certificate, the ingress certificate must include additional Subject Alt Names. The Subject Alt Names must match every DNS record created in the Configure Domain Name System section.
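The following script is an added example, not Cisco's own tooling, that ties the DNS and certificate requirements above together: it derives the record names a hybrid deployment needs from dnsDomain, the Controller host name and the tenant list, checks that each name resolves, and checks that the Subject Alt Names of a certificate you intend to import cover every one of those names, treating a single-label wildcard SAN as covering the tenant names beneath it. The function names, the ./ingress.crt path in the usage comment, and the use of getent and openssl on the host running the check are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's own tooling. Derives the DNS names a hybrid
# Cisco Secure Application deployment needs, checks that each resolves, and
# checks that an ingress certificate's Subject Alt Names cover all of them.
# Assumptions: args are <dnsDomain> <controller host> <tenant>...; names
# follow the "<tenant>-tnt-authn.<dnsDomain>" pattern from the page; getent
# (glibc) and openssl are available on the host running the check.

# Print every DNS name the deployment needs, one per line.
secapp_required_names() {
  domain=$1; controller=$2; shift 2
  printf '%s\n' "$domain" "$controller"   # Virtual Appliance record, Controller record
  for tenant in "$@"; do                  # per-tenant records (hybrid deployments)
    printf '%s-tnt-authn.%s\n' "$tenant" "$domain"
  done
}

# Resolve each name with the system resolver; return 1 if any is missing.
secapp_check_dns() {
  rc=0
  for host in "$@"; do
    addr=$(getent hosts "$host" | awk 'NR==1{print $1}')
    if [ -n "$addr" ]; then echo "OK       $host -> $addr"
    else echo "MISSING  $host" >&2; rc=1; fi
  done
  return $rc
}

# List the DNS-type SAN entries of a PEM certificate, one per line.
secapp_cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Does one SAN entry cover a host name? Case-insensitive; a single-label
# wildcard "*.mycompany.com" covers "customer1-tnt-authn.mycompany.com" but
# not "mycompany.com" or "a.b.mycompany.com".
secapp_san_matches() {
  _san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$_san" in
    \*.*) _label=${_host%%.*}; _suffix=${_san#\*.}
          [ -n "$_label" ] && [ "$_host" = "$_label.$_suffix" ] ;;
    *)    [ "$_san" = "$_host" ] ;;
  esac
}

# Return 1 unless every given name is covered by some SAN of the certificate.
secapp_check_cert_covers() {
  cert=$1; shift
  sans=$(secapp_cert_sans "$cert")
  missing=0
  for host in "$@"; do
    found=0
    # read SANs line by line so a wildcard entry is never glob-expanded
    while IFS= read -r san; do
      [ -n "$san" ] && secapp_san_matches "$san" "$host" && { found=1; break; }
    done <<EOF
$sans
EOF
    if [ "$found" -eq 1 ]; then echo "COVERED  $host"
    else echo "NO SAN   $host" >&2; missing=1; fi
  done
  return $missing
}

# Usage (hybrid deployment, two tenants; ./ingress.crt is an illustrative
# path to the certificate you plan to import into the Virtual Appliance):
#   names=$(secapp_required_names mycompany.com controller.mycompany.com customer1 customer2)
#   secapp_check_dns $names && secapp_check_cert_covers ./ingress.crt $names
```

Run the check before importing the certificate: a name that resolves but is not covered by a SAN will still break TLS validation for the Controller or the agents, and the script reports each such name separately.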

Apply Feed Files

The purpose of applying feed files: 

  • The Cisco Secure Application system is not fully functional until a feed file is downloaded and imported into the system.
  • Daily updates of the feed file are required to receive the latest security signatures, which are used to detect the latest vulnerabilities and attacks.

There are two methods to import the feed file into the deployment: automatic feed downloads and manual feed downloads.

Use only one download process. Configuring an automatic download and a manual download at the same time is not supported.

Automatic Feed Download 

Configure feed downloads because, without feed data, the Cisco Secure Application system is restricted. With the automatic process, feed data is refreshed daily. You must provision a user under your Cisco AppDynamics Portal and provide that user's credentials to the on-premises Cisco Secure Application deployment using the command-line interface (CLI).

We recommend that you create a dedicated user under your tenant in the Cisco AppDynamics Portal that does not have Admin privileges, and use that user only for automatic feed downloads.

Example command for automatic download configuration: 

appduser@jason-1:~$ ./appdcli run secapp_feedinit
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password: 
Enter download portal username: john.doe@domain.com
Enter download portal password: 
SecApp feed download configuration completed.
CODE

Manual Feed Download

Manual feed downloads are required when your on-premises deployment is in an air-gapped environment and has no access to the internet. For manual feed downloads, you must request an air-gap feed key from Customer Support and configure that key using the CLI. Once the key is configured, you must periodically download the feed file from the Downloads Portal and upload it to your on-premises deployment using the CLI. We recommend doing this daily.

Example command to set the air-gap key. You only need to run this command once; after that, you can start the daily uploads:

appduser@jason-1:~$ ./appdcli run secapp_airgap_key
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password: 
Enter air-gap feed key: <your key here> 
SecApp air-gap feed key set. 
CODE

Example command to upload the feed file after downloading it from the Downloads Portal. We recommend doing this daily:

appduser@jason-1:~/appd-charts$ ../appdcli run secapp_feedupload
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password:
Enter path to feed file: ../secapp-data-001714012719.dat
SecApp feed upload completed.  
CODE

Configure Secure Sockets Layer (SSL) Certificates 

If the Virtual Appliance uses a self-signed certificate, update the .NET agent configuration so that the agent trusts that certificate. To determine whether the Virtual Appliance uses a self-signed certificate, review the value of ingress.defaultCert in /var/appd/globals.yaml.gotmpl: the value true indicates the default self-signed certificate. The JSON form and the XML form of the agent configuration are shown below; in both, the certificate file setting must point at a single certificate file.

{
  "controller": {
    "host": "ec2-18-236-232-10.us-west-2.compute.amazonaws.com",
    "port": 443,
    "ssl": true,
    "certfile": "_path_to_single_certificate_file_"
  }
}
JSON
<controller host="ec2-18-236-232-10.us-west-2.compute.amazonaws.com" port="443" ssl="true" enable_tls12="true" ssl-certificate-file="_path_to_single_certificate_file_" >
...
</controller>
XML

Cisco Secure Application References

Follow the steps to configure Cisco Secure Application:


Step 1

For the .NET Agent and the Java Agent, you must add the node property:

enable-secapp-service
CODE

For the Java Agent, you must be on version >= 24.4.1. For the .NET Agent, you must be on version >= 24.4.0.1. 

Step 2

Extract the SSL certificate for use with the agents.

  1. Log in to the cluster node and run the command:

    kubectl get secret ingress-cert-secret -n ingress-master -o jsonpath="{.data.tls\.crt}" | base64 --decode > certificate.crt
    CODE

    This secret holds the default self-signed certificate (ingress.defaultCert is true in /var/appd/globals.yaml.gotmpl). If the cluster uses a non-default (imported) certificate, either copy the existing certificate from the global configuration location, or, when defaultCert is false, run:

      kubectl get secret custom-ingress-secret -n ingress-master -o jsonpath="{.data.tls\.crt}" | base64 --decode > certificate.crt
      CODE

    See the globals.yaml.gotmpl file for the value of defaultCert.
  2. Copy this certificate for use with the agent.
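As an added example, not Cisco's own tooling, for this extraction step and for the certificate file setting in the agent configuration above, the following script selects the ingress secret from the value of ingress.defaultCert, exports its certificate with the kubectl command from step 1, rejects the result unless it is exactly one PEM certificate (the agent setting points at a single certificate file), and compares the exported file's SHA-256 fingerprint with the certificate the Virtual Appliance ingress actually presents. The function names, the awk-based reading of defaultCert from globals.yaml.gotmpl, and the host name and paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's own tooling. Picks the ingress secret that
# matches ingress.defaultCert, exports its certificate for the agents, and
# checks the exported file before it goes into the agent configuration.
# Assumptions: globals.yaml.gotmpl has "defaultCert: true|false" indented
# under a top-level "ingress:" key; kubectl and openssl are on the PATH of
# the cluster node; host names and paths in the usage comment are made up.

# Map ingress.defaultCert to the secret that holds the ingress certificate.
secapp_ingress_secret_name() {   # $1 = path to globals.yaml.gotmpl
  val=$(awk '
    /^ingress:/                    { inblk = 1; next }   # enter the ingress block
    inblk && /^[^ \t#]/            { inblk = 0 }         # next top-level key ends it
    inblk && $1 == "defaultCert:"  { print $2; exit }
  ' "$1")
  case "$val" in
    true)  echo ingress-cert-secret ;;     # default self-signed certificate
    false) echo custom-ingress-secret ;;   # certificate you imported
    *)     echo "ingress.defaultCert not found in $1" >&2; return 1 ;;
  esac
}

# The agent setting points at a single certificate file: accept exactly
# one PEM certificate, not a chain and not a missing file.
secapp_is_single_pem_cert() {    # $1 = PEM path
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  [ "${n:-0}" -eq 1 ]
}

# Export the certificate from the selected secret to $2 (the page's kubectl
# command) and reject the result unless it is a single certificate.
secapp_extract_ingress_cert() {  # $1 = globals file, $2 = output PEM path
  secret=$(secapp_ingress_secret_name "$1") || return 1
  kubectl get secret "$secret" -n ingress-master \
    -o jsonpath='{.data.tls\.crt}' | base64 --decode > "$2" || return 1
  secapp_is_single_pem_cert "$2" && openssl x509 -in "$2" -noout -subject -enddate
}

# SHA-256 fingerprint of a PEM certificate file.
secapp_cert_fingerprint() {      # $1 = PEM path
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the ingress actually presents for
# the host name the agents connect to.
secapp_served_fingerprint() {    # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed only when the exported file is what the ingress serves; a
# mismatch means the agent would trust a stale or wrong certificate.
secapp_verify_agent_cert() {     # $1 = PEM path, $2 = host, $3 = port
  want=$(secapp_cert_fingerprint "$1"); got=$(secapp_served_fingerprint "$2" "$3")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage on the cluster node (host name and paths are illustrative):
#   secapp_extract_ingress_cert /var/appd/globals.yaml.gotmpl ./certificate.crt
#   secapp_verify_agent_cert ./certificate.crt customer1.va.mycompany.com 443
```

Run the fingerprint comparison again after you rotate or re-import the ingress certificate: the agents keep trusting whatever file they were given, so a changed ingress certificate with an unchanged agent file is exactly the mismatch this check catches.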
Step 3

Assign roles using the Cisco AppDynamics Administration Console.

  1. Assign the Configure Cisco Secure Application account permission to users who need to modify configurable fields on the Cisco Secure Application dashboard.
  2. Assign the View Cisco Secure Application account permission to users who only need to monitor the dashboard.
Step 4

Click the Security tab in the top navigation bar.

Launch the required Cisco AppDynamics Application dashboard using your account, and then click Security on the top pane.

This redirects you to the Cisco Secure Application dashboard.

Step 5

From the Cisco Secure Application Dashboard navigate to the Applications page, and then set Security Setting as Enabled for the target application.

The Security Setting value is set to Inherit by default for all applications that inherit the non-configurable tenant setting of Disabled. To enable security for an application, you must set Security Setting to Enabled.

Step 6

From the Applications page, verify that the application nodes are registered and active.

From the Applications page, check the Active Nodes and Registered Nodes fields for the specific application. Ensure that the application nodes are active. If the nodes are not active, then the application security data is not displayed on the dashboard.

Step 7

From the Libraries page, view the risk-sorted libraries of secured applications.

The Libraries page displays all the existing libraries of application(s) based on the selected application scope. You can use the risk score to prioritize the remediation task.

For more information, see Getting Started with Cisco Secure Application.

Troubleshoot

For common troubleshooting steps, see Troubleshoot Virtual Appliance Issues.