Install and Configure Cisco Secure Application
This page provides a step-by-step procedure on how to get started with Cisco Secure Application.
If there are multiple tenants on your Controller with argento.enabled=true, then you must sign in to the Controller as <tenant>.<controller dns name>. If you do not, you cannot view the Security tab in the Controller UI.
Install Cisco Secure Application Services
After you install the Cisco Secure Application service, apply feed files and configure secure socket layer certificates.

Step | Reference
---|---
1 |
2 |
3 |
4 | Install Cisco Secure Application Services.
5 | Configure the Standalone Controller in Cisco AppDynamics On-Premises.
Configure Domain Name System
To configure the Domain Name System (DNS):
- Ensure that there is a record for the Virtual Appliance IP address matching dnsDomain in /var/appd/globals.yaml.gotmpl. This allows Controller traffic to proxy through the Virtual Appliance.
- Ensure that there is a record for the host name of the standalone Controller.
- Add entries to DNS for each tenant enabled in the Controller with Cisco Secure Application. For hybrid deployments, you must add <tenant>-tnt-authn.mycompany.com regardless of whether the deployment is single-tenant or multi-tenant (this example assumes mycompany.com is the value of dnsDomain). This record is needed so that the Controller can reach the Virtual Appliance authentication service. For standard deployments, you do not need to add the tenant record because the cluster is managed with internal DNS.
Create a Virtual Appliance Ingress Certificate
If you import an ingress certificate into the Virtual Appliance instead of using the default self-signed certificate, the imported certificate must include additional Subject Alternative Names (SANs): one for every DNS record created in the Configure Domain Name System section. A name that resolves but is missing from the certificate fails TLS verification at the ingress, so check the two lists against each other before importing.
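The following script checks the DNS names from the two sections above against the SAN list of an ingress certificate. It is an added example for this page, not Cisco AppDynamics code. The name rules follow the page (a record for dnsDomain, one for the standalone Controller host name and, for hybrid deployments, <tenant>-tnt-authn.<dnsDomain> per tenant); everything else is an assumption: the SAN text is assumed to be the output of `openssl x509 -in ingress.pem -noout -ext subjectAltName`, and the host names, tenant and sample SAN output are constructed placeholders.

```python
"""Check that the DNS names a Cisco Secure Application deployment needs are all
covered by the Virtual Appliance ingress certificate's Subject Alternative Names.

Added example for this page; it is not Cisco AppDynamics code. The SAN text is
assumed to come from `openssl x509 -in ingress.pem -noout -ext subjectAltName`;
host names, tenant and SAMPLE_SAN_OUTPUT are constructed placeholders.
"""
import re
import socket

SAN_DNS_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")


def required_dns_names(dns_domain, controller_host, tenants, hybrid, extra_names=()):
    """Names that must resolve and appear in the ingress certificate."""
    names = {dns_domain.lower(), controller_host.lower()}
    if hybrid:
        # Hybrid deployments need the tenant authentication record even with a
        # single tenant; standard deployments rely on the cluster's internal DNS.
        names.update(f"{t}-tnt-authn.{dns_domain}".lower() for t in tenants)
    names.update(n.lower() for n in extra_names)
    return names


def parse_san_output(text):
    """DNS entries from `openssl x509 -ext subjectAltName` output; IP entries are ignored."""
    return {m.group(1).lower() for m in SAN_DNS_RE.finditer(text)}


def san_covers(name, san):
    """Match the way TLS clients do: a wildcard covers exactly one leftmost label."""
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".mycompany.com"
        label = name[: -len(suffix)] if name.endswith(suffix) else ""
        return bool(label) and "." not in label
    return name == san


def missing_sans(required, sans):
    """Required names that no SAN entry covers, sorted for stable reporting."""
    return sorted(n for n in required if not any(san_covers(n, s) for s in sans))


def unresolved(names):
    """Names with no DNS record. Needs network access, so it is not exercised offline."""
    bad = []
    for n in names:
        try:
            socket.gethostbyname(n)
        except socket.gaierror:
            bad.append(n)
    return sorted(bad)


# Constructed sample of the openssl output for a certificate that forgot the
# tenant authentication name (placeholder data, not a real certificate).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:mycompany.com, DNS:controller.mycompany.com, IP Address:10.0.0.5
"""

if __name__ == "__main__":
    req = required_dns_names("mycompany.com", "controller.mycompany.com",
                             ["customer1"], hybrid=True)
    gaps = missing_sans(req, parse_san_output(SAMPLE_SAN_OUTPUT))
    print("missing SANs:", gaps or "none")
```

Run it with the real openssl output pasted into SAMPLE_SAN_OUTPUT (or read from a file) and your own dnsDomain, Controller host name and tenant list; call unresolved() on the same set once DNS is in place to confirm every record exists.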
Apply Feed Files
The purpose of applying feed files:
- The Cisco Secure Application system is not fully functional until a feed file is downloaded and imported into the system.
- The daily updates of the feed file is required to receive the latest security signatures. This monitors the latest security vulnerabilities and attack detection.
The two methods to import the feed file into the deployment includes automatic feed downloads and manual feed downloads.
You must follow one download process and not use a combination of both. Configuring an automatic download, while also configuring a manual download, is not supported.
Automatic Feed Download
Configure feed downloads because, without feed data, the Cisco Secure Application system is restricted. The automatic feed download process refreshes feed data daily. You must provision a user under your Cisco AppDynamics Portal and provide those credentials to the on-premises Cisco Secure Application deployment using the command-line interface (CLI).
Create a user under your tenant in the Cisco AppDynamics Portal that does not have Admin privileges and use it for automatic feed downloads, so that the stored credentials carry no more permission than the download needs.
Example command for automatic download configuration:
appduser@jason-1:~$ ./appdcli run secapp_feedinit
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password:
Enter download portal username: john.doe@domain.com
Enter download portal password:
SecApp feed download configuration completed.
Manual Feed Download
Manual feed downloads are required when your on-premises deployment is in an air-gapped environment and has no internet access. For manual feed downloads, you must request an air-gap feed key from Customer Support and configure that key using the CLI. Once the key is configured, you periodically download the feed file from the Downloads Portal and upload it to your on-premises deployment using the CLI. We recommend doing this daily.
Example command to set the air-gap key:
You only need to use this command once. After the first run, you can start daily uploads:
appduser@jason-1:~$ ./appdcli run secapp_airgap_key
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password:
Enter air-gap feed key: <your key here>
SecApp air-gap feed key set.
Example command to upload the feed file, after downloading it from the portal:
We recommend you do this on a daily basis. You can download the feed file from the Downloads Portal.
appduser@jason-1:~/appd-charts$ ../appdcli run secapp_feedupload
Enter controller username: admin
Enter controller accountname: customer1
Enter controller password:
Enter path to feed file: ../secapp-data-001714012719.dat
SecApp feed upload completed.
Configure Secure Sockets Layer (SSL) Certificates
If the Virtual Appliance uses a self-signed certificate, then update the configuration for the .NET agent.
To determine whether the Virtual Appliance uses a self-signed certificate, check the value of ingress.defaultCert in /var/appd/globals.yaml.gotmpl. A value of true indicates a self-signed certificate.
The fragments below show the certificate file referenced in the agent configuration, in JSON and XML form; replace _path_to_single_certificate_file_ with the path to the single certificate file extracted for the agent.
{
"controller": {
"host": "ec2-18-236-232-10.us-west-2.compute.amazonaws.com",
"port": 443,
"ssl": true,
"certfile": "_path_to_single_certificate_file_"
}
}
<controller host="ec2-18-236-232-10.us-west-2.compute.amazonaws.com" port="443" ssl="true" enable_tls12="true" ssl-certificate-file="_path_to_single_certificate_file_" >
...
</controller>
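The section above, and step 2 of the reference table that follows ("Extract the SSL certificate for use with the agents"), leave the extraction itself to the reader. The script below is an added example for this page, not Cisco AppDynamics agent or appdcli code: it fetches the certificate the appliance presents, makes sure the file the agent gets holds exactly one certificate, and refuses to write it unless its SHA-256 fingerprint matches a value read out of band on the appliance (assumed to come from `openssl x509 -in <ingress cert> -noout -fingerprint -sha256`), so that a man-in-the-middle on the extraction path cannot hand the agent a bogus certificate to trust. Host name, port, output path and SAMPLE_BUNDLE are constructed placeholders; the bundle contains no real certificates.

```python
"""Extract the Virtual Appliance ingress certificate for an agent and verify it
by fingerprint before trusting it.

Added example for this page; it is not Cisco AppDynamics agent or appdcli code
and uses only the Python standard library. Host, port, path and SAMPLE_BUNDLE
are constructed placeholders. The expected fingerprint is assumed to be taken
on the appliance itself with
`openssl x509 -in <ingress cert> -noout -fingerprint -sha256`.
"""
import hashlib
import re
import ssl

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Each certificate in a PEM bundle as its own PEM string (a chain holds several)."""
    return PEM_CERT_RE.findall(text)


def fingerprint_sha256(pem):
    """Hex SHA-256 of the DER form; equals openssl's -fingerprint -sha256 without colons."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_cert(host, port=443):
    """PEM of the certificate the endpoint presents; for a self-signed ingress it is the only one."""
    return ssl.get_server_certificate((host, port))


def agent_cert_file(pem_bundle, expected_fp, path=None):
    """Validate that the bundle holds exactly one certificate with the expected fingerprint.

    The agent settings on this page take a single certificate file, so a chain
    is rejected rather than silently truncated. Returns the fingerprint and
    writes the certificate to `path` only when a path is given.
    """
    certs = split_pem_bundle(pem_bundle)
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    fp = fingerprint_sha256(certs[0])
    if fp != expected_fp.replace(":", "").lower():
        raise ValueError(f"fingerprint mismatch: got {fp}, expected {expected_fp}")
    if path is not None:
        with open(path, "w") as f:
            f.write(certs[0] + "\n")
    return fp


# Constructed placeholder bundle: two PEM blocks whose base64 bodies decode to
# arbitrary bytes, enough to exercise splitting and fingerprinting offline.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TWFudWFs
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    leaf = split_pem_bundle(SAMPLE_BUNDLE)[0]
    # Against a real appliance: leaf = fetch_leaf_cert("va.mycompany.com"), with
    # the expected fingerprint copied from the appliance, never from this fetch.
    print(agent_cert_file(leaf, fingerprint_sha256(leaf), path="va-ingress.pem"))
```

Point the agent's certificate file setting at the written file. If the fingerprint check fails, do not install the certificate; confirm on the appliance which certificate the ingress is actually serving before retrying.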
Cisco Secure Application References
Follow the steps to configure Cisco Secure Application:

Step | Reference
---|---
1 | For the .NET and Java Agent, you must add the node property: CODE. For the Java Agent, you must be on version >= 24.4.1. For the .NET Agent, you must be on version >= 24.4.0.1.
2 | Extract the SSL certificate for use with the agents.
3 | Assign roles using the Cisco AppDynamics Administration Console.
4 | Click the Security tab in the top navigation bar: open the required Cisco AppDynamics application dashboard using your account, and then click Security on the top pane. This redirects you to the Cisco Secure Application dashboard.
5 | From the Cisco Secure Application dashboard, navigate to the Applications page and set Security Setting to Enabled for the target application. Security Setting is Inherit by default for all applications, which inherit the non-configurable tenant setting of Disabled; to enable security for an application, you must set it to Enabled explicitly.
6 | From the Applications page, verify that the application nodes are registered and active by checking the Active Nodes and Registered Nodes fields for the application. If the nodes are not active, the application's security data is not displayed on the dashboard.
7 | From the Libraries page, view the risk-sorted libraries of secured applications. The Libraries page lists all existing libraries of the application(s) in the selected application scope; use the risk score to prioritize remediation.
For more information, see Getting Started with Cisco Secure Application.
Troubleshoot
For common troubleshooting steps, see Troubleshoot Virtual Appliance Issues.