CloudCenter 4.8 has reached End of Life (EOL) as of November 14, 2018. See End of Support Notices for additional context.

Install CCM Using Appliances (Required)                 

  •  Optional: CCM on a FIPS System

    Configuring CCM on a FIPS System

    Overview

    The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government certification standard for use in computer systems. To enable this mode in an operating system, refer to your operating system documentation.

    To configure FIPS support on the CCM, you must satisfy two conditions:

    • Enable FIPS at the OS level on the CCM
    • Use a brand new CloudCenter environment – You cannot enable FIPS support on an existing CloudCenter environment.

    This section provides details on how to configure FIPS in the context of the CCM server.

    You can configure FIPS on a CCM server using one of two methods.

    • Option 1: Install CCM with FIPS Support on a FIPS Enabled System

      (or)

    • Option 2: Enable FIPS on an Existing CCM Server

    Option 1: Install CCM with FIPS Support on a FIPS Enabled System

    To install CCM on a system that already has FIPS enabled, follow this process.

    1. Verify if FIPS is enabled at the OS level by running the following command.

      sysctl crypto.fips_enabled
      
      # The response to this command should return 1
    2. Install CCM (see CCM (Required) for procedural details).

      This is the only additional step and the sole difference between the two options.

    3. Edit the NSS configuration.

      vi $JAVA_HOME/jre/lib/security/nss.cfg
      Change the entries to
      
      name = NSS
      nssLibraryDirectory = /usr/lib64/
      nssSecmodDirectory = /usr/local/osmosix/nss
      nssModule = fips
    4. Execute the following commands to create and validate the NSS database creation.

      When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

      mkdir -p /usr/local/osmosix/nss
      cd /usr/local/osmosix/nss
      
      certutil -N -d .
      
      modutil -fips true -dbdir .
      certutil -L -d .
    5. Verify if the folder ownership is correct for the NSS database folder.

      chown -R cliqruser:cliqruser /usr/local/osmosix/nss
    6. Add an entry in the mgmtserver.conf file.

      vi /usr/local/osmosix/conf/mgmtserver.conf
      
      #Add the following entry after JAVA_OPTS line
      export SPRING_PROFILES_ACTIVE=encryption_nss_fips
    7. Restart the CCM server.

      root> systemctl stop ccm
      root> systemctl start ccm
    8. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

      See Admin Users for additional context on this user.


      1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

      2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

      3. Navigate to the Crypto Services accordion.

      4. Click Change Password.

      5. Enter the new password provided by the CloudCenter Support team.

      6. Log out as SysAdmin.

      7. Log in to CCM as a tenant admin.

    9. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

    You have now configured FIPS on a CCM server using the Option 1 method.

    Option 2: Enable FIPS on an Existing CCM Server

    Verify that you have already configured your OS to enable FIPS as per your OS documentation.

    To enable FIPS on an existing CCM server, follow this process.

    1. Verify if FIPS is enabled at the OS level by running the following command.

      sysctl crypto.fips_enabled
      
      # The response to this command should return 1
    2. Edit the NSS configuration.

      vi $JAVA_HOME/jre/lib/security/nss.cfg
      Change the entries to
      
      name = NSS
      nssLibraryDirectory = /usr/lib64/
      nssSecmodDirectory = /usr/local/osmosix/nss
      nssModule = fips
    3. Execute the following commands to create and validate the NSS database creation.

      When you run certutil, it prompts you for a new password. You can only use the specific password provided by Cisco. Contact the CloudCenter Support team to obtain the password.

      mkdir -p /usr/local/osmosix/nss
      cd /usr/local/osmosix/nss
      
      certutil -N -d .
      
      modutil -fips true -dbdir .
      certutil -L -d .
    4. Verify if the folder ownership is correct for the NSS database folder.

      chown -R cliqruser:cliqruser /usr/local/osmosix/nss
    5. Add an entry in the mgmtserver.conf file.

      vi /usr/local/osmosix/conf/mgmtserver.conf
      
      #Add the following entry after JAVA_OPTS line
      export SPRING_PROFILES_ACTIVE=encryption_nss_fips
    6. Restart the CCM server.

      root> systemctl stop ccm
      root> systemctl start ccm
    7. Log in as a System Admin using valid credentials. Contact the CloudCenter Support team to obtain the default and new SysAdmin credentials.

      See Admin Users for additional context on this user.


      1. Contact the CloudCenter Support team to obtain the SysAdmin credentials.

      2. Log in using the default SysAdmin credentials provided by the CloudCenter Support team.

      3. Navigate to the Crypto Services section.

      4. Click Change Password.

      5. Enter the new password provided by the CloudCenter Support team.

      6. Log out as SysAdmin.

      7. Log in to CCM as a tenant admin.

    8. Each time you restart the CCM service, you must repeat the steps where you log in as SysAdmin and enter the Crypto Services password before you can log in as tenant admin.

    You have now configured FIPS on a CCM server using the Option 2 method.
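    Both options above rely on the same checks: FIPS enabled at the OS level, the four nss.cfg entries, an NSS database directory owned by cliqruser, and the SPRING_PROFILES_ACTIVE entry in mgmtserver.conf. They are easy to script and re-run after every change. The script below is an added example and is not a Cisco or CloudCenter script; every function takes the path it inspects as an argument, defaulting to the paths and the cliqruser account used in the procedure above, and the files it creates under a temporary directory at the end are constructed fixtures so the checks can be exercised off the CCM.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CCM FIPS procedure (not a Cisco script).
# Every check returns 0 on success, so it can be used with "if" or "||".

# The kernel must report FIPS mode. "sysctl crypto.fips_enabled" reads this
# /proc file, so the function reads it directly; pass another path to check a
# saved copy.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# nss.cfg must carry the four entries from the "Edit the NSS configuration"
# step. Comment lines and whitespace around "=" are ignored.
nss_cfg_ok() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    for kv in 'name=NSS' \
              'nssLibraryDirectory=/usr/lib64/' \
              'nssSecmodDirectory=/usr/local/osmosix/nss' \
              'nssModule=fips'; do
        grep -v '^[[:space:]]*#' "$cfg" \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/' \
            | grep -qxF "$kv" || return 1
    done
}

# The NSS database created with "certutil -N" must exist and be in FIPS mode;
# "modutil -chkfips true" exits 0 only when the module already is in FIPS mode.
# Needs the real database and the modutil binary, so it is not run in the demo.
nss_db_fips_ok() {
    dir="${1:-/usr/local/osmosix/nss}"
    { [ -f "$dir/cert8.db" ] || [ -f "$dir/cert9.db" ]; } || return 1
    command -v modutil >/dev/null 2>&1 || return 1
    modutil -chkfips true -dbdir "$dir" >/dev/null 2>&1
}

# Everything under the NSS directory must belong to the service account
# (cliqruser on the CCM). An unknown account is a failure, not a pass.
nss_dir_owner_ok() {
    dir="${1:-/usr/local/osmosix/nss}"
    owner="${2:-cliqruser}"
    [ -d "$dir" ] || return 1
    id -u "$owner" >/dev/null 2>&1 || return 1
    [ -z "$(find "$dir" ! -user "$owner" | head -n 1)" ]
}

# mgmtserver.conf must export the FIPS Spring profile on an uncommented line.
mgmtserver_profile_ok() {
    grep -qxF 'export SPRING_PROFILES_ACTIVE=encryption_nss_fips' "$1"
}

# Run one check, print PASS/FAIL and return the check's status.
report() {
    label="$1"; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi
}

# --- Demo on constructed fixtures (on a CCM, drop the arguments to use the real paths) ---
demo=$(mktemp -d)
printf '1\n' > "$demo/fips_enabled"
printf 'name = NSS\nnssLibraryDirectory = /usr/lib64/\n' > "$demo/nss.cfg"
printf 'nssSecmodDirectory = /usr/local/osmosix/nss\nnssModule = fips\n' >> "$demo/nss.cfg"
printf 'export JAVA_OPTS="-Xmx2048m"\nexport SPRING_PROFILES_ACTIVE=encryption_nss_fips\n' > "$demo/mgmtserver.conf"
mkdir -p "$demo/nss"

report "FIPS enabled at OS level"  fips_enabled "$demo/fips_enabled"
report "nss.cfg entries"           nss_cfg_ok "$demo/nss.cfg"
report "NSS directory ownership"   nss_dir_owner_ok "$demo/nss" "$(id -un)"
report "mgmtserver.conf profile"   mgmtserver_profile_ok "$demo/mgmtserver.conf"
rm -rf "$demo"
```

    On the CCM itself, run the script as root after step 6 of either option and again after each restart; the ownership check deliberately fails when the account does not exist rather than reporting a pass for an empty result.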


  •  Optional: Proxy Settings

    Proxy Settings

    If you need a proxy server to connect to the internet, be sure to configure the proxy settings for the underlying services on the CCM and CCO servers.

    Guidelines

    Adhere to these guidelines if you decide to use a proxy server to connect to the internet:

    • Set the proxy variables before starting the installation processes. 

    • Proxy configuration is only applicable to the CCM and CCO instances – they are not applicable for any other components.

    • The process differs based on the CloudCenter version.

    • These proxy values are used by the CCM or CCO. In some cases, your worker VM agent might also require a proxy connection to communicate with the outside world. 

      • If so, configure the values as described in the Repo (Conditional) or REPO Upgrade (Conditional) sections. 

      • If not provided, then the CloudCenter platform copies the proxy values from the CCO settings, assuming that the CCO and agent are located in the same network.

    CloudCenter 4.9.1 – Wizard Configuration

    If you have a local custom repository, then configure the non-proxy host variable in the wizard.

    To connect to the Internet using a proxy server, follow this process:

    1. Modify your proxy environment to reflect your proxy settings.

    2. Invoke the CCM or CCO wizard as a root user (see Virtual Appliance Process > Cloud-Specific Setup Details for a sample setup).

      CCM Wizard Path
      /usr/local/cliqr/bin/ccm_config_wizard.sh
      CCO Wizard Path
      /usr/local/cliqr/bin/cco_config_wizard.sh
    3. Configure the Proxy server configuration.

      Write this down for future reference!

      Write down the Field details in a printed version of the Installation Approach > Your Notes section for later use.

      If you do not configure any of these settings, the default settings are used as follows:

      • CCM: No proxy configuration is set

      • CCO: No proxy configuration is set

      No other default value is updated automatically – if a value is left at its default, then the value for that field is considered to be empty.

      Wizard Menu

      Field

      Description

      Proxy servers configuration


      HTTPS Proxy Host

      Provide the proxy host if using the HTTPS protocol.

      HTTPS Proxy Port

      Provide the HTTPS proxy port.

      If you update the host, you must update the port as well.

      HTTP Proxy Host

      Provide the proxy host if using the HTTP protocol.

      HTTP Proxy Port

      Provide the HTTP proxy port.

      If you update the host, you must update the port as well.

      No Proxy Hosts

      Use a | (pipe) character to separate the list of domain extensions which do not need the proxy configuration. For example:

      localhost|devCC|127.0.0.1
      HTTPS Proxy Host for Agent

      Provide the proxy host if using the HTTPS protocol for the agent bundles to be downloaded based on the agent proxies.


      HTTPS Proxy Port for Agent

      Provide the HTTPS proxy port.

      If you update the host, you must update the port as well.

      HTTP Proxy Host for Agent

      Provide the proxy host if using the HTTP protocol for the agent bundles to be downloaded based on the agent proxies.

      HTTP Proxy Port for Agent

      Provide the HTTP proxy port.

      If you update the host, you must update the port as well.

      No Proxy Hosts for Agent

      Use a | (pipe) character to separate the list of domain extensions which do not need the proxy configuration. For example:

      localhost|127.0.0.1|cisco.com
    4. Verify your changes.

    5. Restart the server and corresponding CloudCenter services.

    6. Exit the CCM or CCO configuration wizard.

    CloudCenter 4.9.1 – CLI Configuration

    To connect to the Internet using a proxy server, follow this CLI-based process:

    1. Invoke the CCM or CCO config CLI as a root user.

      Be sure to provide arguments in the same order.

      Provide default as an argument, instead of providing empty values.

      /usr/local/cliqr/bin/ccm_config_cli.sh proxy_config <https_proxy_host> \
        <https_proxy_port> <http_proxy_host> <http_proxy_port> \
        <http_non_proxy_hosts> <agent_https_proxy_host> <agent_https_proxy_port> \
        <agent_http_proxy_host> <agent_http_proxy_port> \
        <agent_http_non_proxy_hosts>

    2. Restart the service.

    CloudCenter 4.9.0 – Wizard Configuration

    If you have already installed a custom repository (not the CloudCenter REPO Virtual Appliance) in your environment, these proxy variables are ignored.

    To connect to the Internet using a proxy server, follow this process:

    1. Modify your proxy environment to reflect your proxy settings.

      1. Invoke the CCM or CCO wizard as a root user (see Virtual Appliance Process > Cloud-Specific Setup Details for a sample setup).

        CCM Wizard Path
        /usr/local/cliqr/bin/ccm_config_wizard.sh
        CCO Wizard Path
        /usr/local/cliqr/bin/cco_config_wizard.sh
      2. Configure the Proxy settings.

        Write this down for future reference!

        Write down the Field details in a printed version of the Installation Approach > Your Notes section for later use.

        Wizard Menu

        Field

        Description

        Proxy_Settings

        HTTPS Proxy Host

        Provide the proxy URL as follows:

        https://proxyServer:port

        HTTPS Proxy Server URL

        Provide the proxy URL as follows:

        http://proxyServer:port

        No Proxy Hosts

        A comma separated list of domain extensions which do not need the proxy configuration
        If you set the HTTP or HTTPS options, then this field will display the following default values:

        localhost, devCC, 127.0.0.1
      3. Verify your changes.

      4. Restart the server and corresponding CloudCenter services.

      5. Exit the CCM or CCO configuration wizard.

    2. Verify that the proxy settings are in effect by issuing the following command:

      ps aux | grep java 
      
      #Output of the ps aux | grep java command
      
      cliqrus+ 25106 0.0 45.3 4368868 929000 ? Sl
      Mar02 54:15 /usr/lib/jvm/java-8-sun/bin/java -Djava.util.logging.config.file=/usr/local/tomcatgua/conf/logging.properties
      -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
      -Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms1024m -Xmx2048m
      -XX:NewSize=512m -XX:MaxNewSize=512m -XX:PermSize=512m -XX:MaxPermSize=512m
      -Djav.endorsed.dirs=/usr/local/tomcatgua/endorsed -classpath
      /usr/local/tomcatgua/bin/bootstrap.jar:/usr/local/tomcatgua/bin/tomcat-juli.jar
      -Dcatalina.base=/usr/local/tomcatgua -Dcatalina.home=/usr/local/tomcatgua -Djava.io.tmpdir=/usr/local/tomcatgua/temp
      -Dhttp.proxyHost=proxy.cisco.com -Dhttp.proxyPort=80
      -Dhttp.nonProxyHosts=10.1.1.1 org.apache.catalina.startup.Bootstrap start
    3. Ensure that the line  -Dhttp.proxyHost=proxy.cisco.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=10.1.1.1 is present in the output.
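    Reading the -D flags out of a long ps line by eye is error-prone, and the check in step 3 only covers the host and port. The script below is an added example, not a Cisco script: it extracts the JVM proxy properties from the Tomcat command line, verifies the expected host and port for a scheme, and answers whether a given host bypasses the proxy according to http.nonProxyHosts (the JVM separates entries with | and treats a leading * as a suffix wildcard). The SAMPLE_CMDLINE value is a constructed, shortened copy of the ps output shown above; on a live server the command line comes from ccm_java_cmdline.

```shell
#!/bin/sh
# Added example (not a Cisco script): read the proxy system properties from the
# CCM/CCO Tomcat command line and check them instead of eyeballing "ps aux".

# Constructed sample, shortened from the ps output shown in step 2.
SAMPLE_CMDLINE='/usr/lib/jvm/java-8-sun/bin/java -Dcatalina.base=/usr/local/tomcatgua -Dhttp.proxyHost=proxy.cisco.com -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts=10.1.1.1 org.apache.catalina.startup.Bootstrap start'

# Print the http./https. proxy properties of a java command line, one
# key=value per line, without the -D prefix.
java_proxy_props() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^-Dhttps?\.(proxyHost|proxyPort|nonProxyHosts)=' \
        | sed 's/^-D//'
}

# Return 0 when the command line carries the expected host and port for the
# given scheme ("http" or "https"); name whatever is missing on stdout.
proxy_props_match() {
    cmdline="$1"; scheme="$2"; host="$3"; port="$4"
    props=$(java_proxy_props "$cmdline")
    rc=0
    printf '%s\n' "$props" | grep -qxF "$scheme.proxyHost=$host" \
        || { echo "missing $scheme.proxyHost=$host"; rc=1; }
    printf '%s\n' "$props" | grep -qxF "$scheme.proxyPort=$port" \
        || { echo "missing $scheme.proxyPort=$port"; rc=1; }
    return $rc
}

# Return 0 when host is covered by http.nonProxyHosts. Entries are separated
# by "|"; an entry starting with "*" is a suffix wildcard (*.cisco.com matches
# www.cisco.com but not cisco.com itself, as in the JVM).
non_proxy_covers() {
    host="$2"
    list=$(java_proxy_props "$1" | sed -n 's/^http\.nonProxyHosts=//p')
    old_ifs=$IFS; IFS='|'; set -f          # split on "|" only, no globbing
    for entry in $list; do
        case "$entry" in
            \**) case "$host" in *"${entry#\*}") IFS=$old_ifs; set +f; return 0 ;; esac ;;
            "$host") IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# On a live CCM/CCO: the command line of the Tomcat JVM (empty when not running).
ccm_java_cmdline() {
    ps -eo args | grep '[o]rg.apache.catalina.startup.Bootstrap' | head -n 1
}

# Demo against the constructed sample; on a server use "$(ccm_java_cmdline)".
echo "proxy properties found:"
java_proxy_props "$SAMPLE_CMDLINE"
proxy_props_match "$SAMPLE_CMDLINE" http proxy.cisco.com 80 && echo "http proxy: OK"
proxy_props_match "$SAMPLE_CMDLINE" https proxy.cisco.com 80 || echo "https proxy: not configured"
non_proxy_covers "$SAMPLE_CMDLINE" 10.1.1.1 && echo "10.1.1.1 bypasses the proxy"
```

    The nonProxyHosts check is the part worth keeping around: when a CCO or a custom repository suddenly cannot be reached after a proxy change, running it with that host name tells you immediately whether the JVM will send the request through the proxy or directly.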

    CloudCenter 4.9.0 – CLI Configuration

    To connect to the Internet using a proxy server, follow this CLI-based process:

    1. Invoke the CCM or CCO config CLI as a root user.

      /usr/local/cliqr/bin/ccm_config_cli.sh proxy_config \
        HTTPS_PROXY=<https_proxy_url> HTTP_PROXY=<http_proxy_url> \
        NO_PROXY=<no_proxy_configurations>
    2. Restart the service.


  •  CCM NON-HA

    Install CCM NON-HA Using Appliance

    Prepare Infrastructure

    As part of preparing your infrastructure, you should have already launched two instances: one for the CCM_SA role (the CCM server) and one for the MGMTPOSTGRES role (the database server). Identify the credentials for these two servers and then proceed with this installation.

    Configure CCM Wizard Properties

    To configure the CCM wizard properties, follow this procedure.

    1. Invoke the CCM wizard as a root user (see Virtual Appliance Process > Cloud-Specific Setup Details for a sample setup).

      CCM Wizard Path
      /usr/local/cliqr/bin/ccm_config_wizard.sh
    2. Configure the server properties.

      Write this down for future reference!

      Write down the Field details in a printed version of the Installation Approach > Your Notes section for later use.

      Wizard Menu

      Field

      Description

      Server_Info – Configure Server Info (Required)

      Mgmtserver DNS Name

      DNS (or IP address) of the CCM management server.

      If you are configuring the HA environment, enter the CCM_LB DNS (or IP) in this field.

      DB – Configure Database

      IP or Hostname

      DNS or IP of the database.

      DB Username and Password

      The following credentials are pre-populated:

      Default username = cliqr (cannot be changed)

      Default password = cliqr (must be changed)

      Be sure to change the default password immediately after your first login. See PostgreSQL Password for additional context.

      ELK_Info – Configure Log Collector Info

      ELK Host

      Specify the IP address for the Log Collector host.

      Elasticsearch Port

      Displays 8881 by default.

      Kibana Port

      Displays 8882 by default.

      ELK User

      The default ELK Username = logreader.

      ELK Password

      The default ELK Password is re@d0nly (zero between d and n). Change this password after the initial login – see Download Log File for additional context.

      Host Identifier

      A unique ID for the server – be sure to prefix the unique identifier with CCM_, for example, CCM_1.

      If not set, the CloudCenter platform uses the CCM server date.

      The Host Identifier cannot contain capital letters for both CCM and CCO configurations.

      Host Identifier List

      Only applies to environments using the HA mode – provide a comma-separated list of unique host identifiers for all Log Collector hosts in an HA setup, for example, CCM_1,CCM_2,myCCM.

      The Host Identifier List cannot contain capital letters for both CCM and CCO configurations.

      In an environment operating in HA mode, if you have two CCM instances with unique IDs configured as CCM_1,CCM_2 in their respective server.properties file, then this property should state CCM_1,CCM_2 in both CCM instances. Each CCM must be aware of the unique ID of the other CCM(s) when in HA mode.

      Custom Certs Menu

      Generate_Certs

      Generates new certificates for CloudCenter components. See Certificate Authentication > Generate and Update the certs.zip File on the CCM for additional context.

      Update_Certs

      Updates certificates for CloudCenter components. See Certificate Authentication > Generate and Update the certs.zip File on the CCM for additional context.
    3. Exit the CCM configuration wizard.

    4. Select Yes to restart the CCM server and corresponding CloudCenter services.

    You have successfully installed the CCM instance! You can now proceed to the next step:

    • Configure the Log Collector details in the CCM wizard's Configure Log Collector Info menu.

    • If you are installing the Enterprise Service Bus (ESB), do so at this point.

    Back to: CCM (Required)

  •  CCM HA

    Install CCM HA Using Appliance

    CCM HA installation is tested and verified for AWS, OpenStack, and VMware clouds.


    To configure CCM in HA mode, you must use the following roles:

    • Database: MGMTPOSTGRES_MASTER and MGMTPOSTGRES_SLAVE (and if required, MGMTPOSTGRES_VIP)

    • CCM: CCM_SA_PRIMARY and CCM_SA_SECONDARY

      Do not use the CCM or CCM_SA roles as those roles DO NOT allow you to configure high availability. See Virtual Appliance Overview and High Availability Best Practices for additional context.

    • Loadbalancer: CCM_LB


    CCM_SA_PRIMARY/SECONDARY – Exchange CCM SSH Keys

    To exchange the SSH keys between the CCM_SA_PRIMARY and CCM_SA_SECONDARY servers, follow this procedure using root permissions.

    1. On the CCM_SA_PRIMARY and the CCM_SA_SECONDARY instances, execute the following commands to generate a new SSH key on each instance. 

      ssh-keygen -t rsa
      cd ~/.ssh
      cat id_rsa.pub >> authorized_keys
      chmod 600 authorized_keys
    2. Copy the id_rsa.pub content from each CCM instance and paste it into the authorized_keys file of the other CCM instance.

    3. Verify mutual SSH access between the CCM_SA_PRIMARY and CCM_SA_SECONDARY by running the following command on each VM.

      ssh root@<CCM_SA_PRIMARY/CCM_SA_SECONDARY>

    CCM_PRIMARY – Configure HA Wizard Properties

    To configure high availability for CCM_SA_PRIMARY, follow this procedure.

    1. Invoke the CCM wizard as a root user (see Virtual Appliance Process > Cloud-Specific Setup Details for a sample setup).

      Prior to CloudCenter 4.8.2, cliqruser credentials were used for SSH configuration.

      Effective CloudCenter 4.8.2, root user credentials are used for SSH configuration.

      Wizard Path
      /usr/local/cliqr/bin/ccm_config_wizard.sh
    2. Configure the HA properties.

      Write this down for future reference!

      Write down the Field details in a printed version of the Installation Approach > Your Notes section for later use.

      Wizard Menu

      Field

      Description

      DB – Configure Database



      DB IP or Hostname

      The VIP/EIP for the master database and slave database. See Phase 1: Prepare Infrastructure > Cloud Nuances for additional context.

      When you configured MGMTPOSTGRES_MASTER – Configure High Availability Properties, you already provided the VIP/EIP address in the db_config_wizard. Similarly, you must provide the EIP/VIP address for the CCM_SA_PRIMARY and the CCM_SA_SECONDARY servers.

      DB Username
      and
      DB Password

      The following credentials are pre-populated:

      • Default username = cliqr (can be changed – manually change the password on the MGMTPOSTGRES VMs or RDS and then update the username in the CCM through the database config wizard).

        Be sure to change the PostgresDB password and update the db.properties file to reflect the correct password.

      • Default password = cliqr (can be changed)

        Be sure to change the default password immediately after your first login. See PostgreSQL Password for additional context.

      Configure_HA


      Primary Node Private IP

      The IP address of the primary CCM VM.

      Secondary Node Private IP

      The IP address of the secondary CCM VM.

      Mgmtserver DNS Name

      Use the DNS or IP of the CCM_LB – Used by the CCO VM to communicate with the CCM VM.

    3. Once the details are entered, the database server begins replication configuration between the database servers followed by HA configuration and finally presents the following status messages.

      • Configuring CCM HA ...
      • Restart server (with the progress bar)
      • Configured CCM HA successfully
    4. Restart the secondary CCM server and corresponding CloudCenter services.
    5. Exit the CCM configuration wizard.

    Back to: CCM HA

    CCM_LB – HAProxy Installers

    Use a plain clean OS image (such as CentOS 7) to install a load balancer.

    See CCM and Database Firewall Rules > CCM_LB Ports for the complete list of ports that need to be open for your deployment.

    If you configure a load balancer for any CloudCenter component, be aware that firewalld is enabled by default and you must explicitly disable it to ensure that the CloudCenter component(s) can communicate with the load balancer. See Firewall Rules Overview for additional context.

    Here is a sample configuration to load balance a CentOS 7.x VM with HAProxy for the CCM.

    1. SSH into the VM instance using the key pair that you used to launch the VM.
    2. Install HAProxy as the root user. 

      yum install -y haproxy
      
    3. Create .pem files for haproxy configuration for CCM_LB in the CCM Primary server.
      1. Run the following commands.

        sudo -i 
        cd /usr/local/cliqr/ssl/ccm
        cat ccm.crt ccm.key >> mgmtserver.pem 
        cat ca_root.crt ccm.key >> ca.pem

        You can name the mgmtserver and ca pem files as required for your environment, however, be sure to append them with the .pem extension.

      2. Copy the mgmtserver.pem and ca.pem files created earlier to the /etc/haproxy directory on the CCM_LB server.


    4. Append the following details to the HAProxy config file.

      vi /etc/haproxy/haproxy.cfg

      # configuration to listen on 443 with SSL certs and loadbalance
      frontend https-in
          mode http
          log global
          bind *:443 ssl crt /etc/haproxy/mgmtserver.pem ca-file /etc/haproxy/ca.pem
          default_backend ccms
      
      # configuration to listen on 8443 with SSL certs and loadbalance
      frontend httpsalt-in
          mode tcp
          bind *:8443
          default_backend nodes
      
      backend ccms
          balance roundrobin
          mode    http
          log global
          option httplog
          cookie SVR insert preserve nocache
          server  ccm1 <CCM_SA_PRIMARY_IP>:443 check cookie ccm1 ssl verify none
          server  ccm2 <CCM_SA_SECONDARY_IP>:443 check cookie ccm2 ssl verify none
      
      backend nodes
          mode tcp
          balance roundrobin
          option ssl-hello-chk
          server  ccm1 <CCM_SA_PRIMARY_IP>:8443 check
          server  ccm2 <CCM_SA_SECONDARY_IP>:8443 check
      
    5. Start the HAProxy service and verify that the status response is active.

      systemctl start haproxy
      systemctl status haproxy
    6. At this point, you must use HTTPS to invoke the CCM server. For example:

      https://<CCM_LB_IP>

      The following option is an alternative step to the HTTPS step above.

      Optional. To view the HAProxy status, add the following configuration to access the HAProxy statistics page from a web browser. These stats let you view the status of the nodes from a web browser and allow admins to drain or stop nodes without accessing the VMs directly.

      https://<CCM_LB_IP>:9000/haproxy_stats

      listen stats 0.0.0.0:9000 #Listen on all IP's on port 9000
          mode http
          balance
          timeout client 5000
          timeout connect 4000
          timeout server 30000

          #This is the virtual URL to access the stats page
          stats uri /haproxy_stats

          #Authentication realm. This can be set to anything. Escape space characters with a backslash.
          stats realm HAProxy\ Statistics

          #The user/pass you want to use. Change this password!
          stats auth admin:<password>

          #This allows you to take down and bring up back end servers.
          #This will produce an error on older versions of HAProxy.
          stats admin if TRUE
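    The PEM bundling in step 3 and the placeholder substitution in step 4 are easy to get slightly wrong (a missing key, a chain appended twice by a second cat >>, a placeholder left in place), and HAProxy only reports this when it starts. The script below is an added example and is not part of CloudCenter or HAProxy: it checks the PEM file given to crt, fills in the two IP placeholders, lists every backend configured with ssl verify none (with that setting the load balancer does not verify the CCM nodes' certificates, so the segment between CCM_LB and the CCM nodes has to stay trusted), and hands the rendered file to haproxy -c when HAProxy is installed. HAPROXY_TEMPLATE is an excerpt of the step 4 configuration; the IP addresses and the PEM contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of CloudCenter or HAProxy): check the CCM_LB inputs
# from steps 3 and 4 before "systemctl start haproxy".

# Excerpt of the step 4 configuration, still holding its placeholders.
HAPROXY_TEMPLATE='frontend https-in
    mode http
    bind *:443 ssl crt /etc/haproxy/mgmtserver.pem ca-file /etc/haproxy/ca.pem
    default_backend ccms

backend ccms
    balance roundrobin
    mode    http
    cookie SVR insert preserve nocache
    server  ccm1 <CCM_SA_PRIMARY_IP>:443 check cookie ccm1 ssl verify none
    server  ccm2 <CCM_SA_SECONDARY_IP>:443 check cookie ccm2 ssl verify none'

# Step 3: the file given to "crt" must hold the server certificate and its
# private key (what "cat ccm.crt ccm.key >> mgmtserver.pem" produces).
pem_has_cert_and_key() {
    [ -r "$1" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -qE 'BEGIN (RSA |EC )?PRIVATE KEY' "$1"
}

# Number of certificates in a PEM bundle; running the ">>" step twice doubles it.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Step 4: substitute the two IP placeholders. Template on stdin, result on stdout.
render_haproxy_cfg() {
    sed -e "s/<CCM_SA_PRIMARY_IP>/$1/g" -e "s/<CCM_SA_SECONDARY_IP>/$2/g"
}

# Any "<...>" token left in a rendered config is a placeholder that was not filled.
unfilled_placeholders() {
    grep -o '<[A-Z_]*>' "$1" | sort -u
}

# Backend servers whose certificate the load balancer does not verify
# ("ssl verify none"): a node presenting any certificate would be accepted,
# so these backends must only be reachable over a trusted segment.
unverified_backends() {
    grep -E '^[[:space:]]*server[[:space:]].*[[:space:]]ssl[[:space:]].*verify[[:space:]]+none' "$1" \
        | awk '{print $2}'
}

# Let HAProxy parse the rendered file when it is installed ("haproxy -c" exits
# non-zero on syntax errors or unreadable certificates). Returns 2 when the
# binary is missing so that "not installed" is never mistaken for "valid".
haproxy_cfg_valid() {
    command -v haproxy >/dev/null 2>&1 || return 2
    haproxy -c -f "$1" >/dev/null 2>&1
}

# --- Demo with constructed values -------------------------------------------
demo=$(mktemp -d)
# Constructed stand-in for mgmtserver.pem: PEM markers only, no real key material.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' '-----END CERTIFICATE-----' \
    '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' '-----END RSA PRIVATE KEY-----' \
    > "$demo/mgmtserver.pem"
pem_has_cert_and_key "$demo/mgmtserver.pem" && echo "mgmtserver.pem: certificate and key present"
echo "certificates in bundle: $(pem_cert_count "$demo/mgmtserver.pem")"

printf '%s\n' "$HAPROXY_TEMPLATE" | render_haproxy_cfg 10.0.0.11 10.0.0.12 > "$demo/haproxy.cfg"
[ -z "$(unfilled_placeholders "$demo/haproxy.cfg")" ] && echo "all placeholders filled"
echo "backends without certificate verification: $(unverified_backends "$demo/haproxy.cfg" | tr '\n' ' ')"
haproxy_cfg_valid "$demo/haproxy.cfg"
case $? in
    0) echo "haproxy -c: config accepted" ;;
    2) echo "haproxy not installed; parse check skipped" ;;
    *) echo "haproxy -c rejected the config" ;;
esac
rm -rf "$demo"
```

    On the CCM_LB host, point pem_has_cert_and_key at /etc/haproxy/mgmtserver.pem and run haproxy_cfg_valid on /etc/haproxy/haproxy.cfg before step 5; a rejected config or a duplicated chain is much cheaper to find here than from a failed systemctl start.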

    Back to: CCM (Required)

© 2017-2019 Cisco Systems, Inc. All rights reserved