pxgrid integration - cisco · pxgrid integration...

pxGrid Integration

The following describes how to integrate the Learning Network License system with pxGrid and IdentityServices Engine (ISE).

• Integrating pxGrid, page 1

• ISE pxGrid Demo, page 2

• Controller pxGrid Client Certificates, page 4

• pxGrid Properties Configuration, page 9

• pxGrid Activation, page 11

• ISE Server Settings Update, page 13

• Controller Process Restart, page 13

Integrating pxGridYou can integrate your Learning Network License deployment with an ISE server to populate detected hostsin anomalies with user identity information. This involves integrating pxGrid by generating public keycertificates, trusting controller and ISE certificates, configuring pxGrid properties, and updating the controller'sconfiguration.

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1 1

If you have not deployed an ISE server, you can instead enable an ISE pxGrid integration demo. This demopopulates endpoints detected in anomalies with sample user identity information. You update demo pxGridproperties, and update the controller's configuration. See ISE pxGrid Demo, on page 2 for more information.

Step 1 Manage the controller pxGrid and ISE public key certificates, adding them to keystores on the controller VM. SeeController pxGrid Client Certificates, on page 4 for more information.

Step 2 Update the pxGrid properties configuration file. See pxGrid Properties Configuration, on page 9 for more information.Step 3 Update the controller pxGrid configuration, then restart the controller's processes. See pxGrid Activation, on page 11

for more information.Step 4 Add the SLNpxGridClient to the Session group on your ISE server. See ISE Server Settings Update, on page 13 for

more information.Step 5 Restart the controller's processes again. See Controller Process Restart, on page 13 for more information.

ISE pxGrid DemoThe ISE pxGrid integration demo populates anomaly endpoints with sample user identity information, andprovides an example of the additional context ISE provides to the Learning Network License system. As youreview anomalies in the controller web UI, you can view the sample user identity information for hosts involvedin the anomaly.

To enable the demo, you update a pxGrid properties file with demo settings, then update a controllerconfiguration file to enable ISE integration. Finally, you restart controller processes.

pxGrid Demo Properties Table

Table 1: pxGrid Demo Properties Table

Enter...DescriptionProperty

.conf/pxgrid_demo.csvpxGrid integration demo file,which contains sample user identityvalues populated into anomalyendpoints.

PXGRID_DEMOFILENAME_IN

truepxGrid integration demo IP addresssetting.

PXGRID_DEMOIP

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.12

pxGrid IntegrationISE pxGrid Demo

Configuring an ISE pxGrid Demo

Before You Begin

• Log into the controller VM console from the ESXi hypervisor.

SUMMARY STEPS

1. cd SCA/services/pxgrid

2. sudo vi app.properties, then enter your administrator password when prompted.3. Update the pxGrid demo properties in the app.properties file.4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

PurposeCommand or Action

Navigate to the pxgrid directory.cd SCA/services/pxgrid

Example:

Step 1

user@host:~$ cd SCA/services/pxgrid

Edit the app.properties file with super userprivileges.

sudo vi app.properties, then enter your administrator password whenprompted.

Example:

Step 2

user@host:~/SCA/services/pxgrid$ sudo vi app.properties

Update PXGRID_DEMOFILENAME_IN with./conf/pxgrid_demo.csv. UpdatePXGRID_DEMOID with true.

Update the pxGrid demo properties in the app.properties file.

Example:PXGRID_HOSTNAMES=PXGRID_USERNAME=

Step 3

PXGRID_DESCRIPTION=sln_pxgrid_clientPXGRID_KEYSTORE_FILENAME=PXGRID_KEYSTORE_PASSWORD=PXGRID_TRUSTSTORE_FILENAME=PXGRID_TRUSTSTORE_PASSWORD=PXGRID_APP_PORT=7072PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csvPXGRID_DEMOIP=true

Save your changes and exit vi.Press Esc, then enter :wq! and press Enter.Step 4

What to Do Next

• Enable the ISE pxGrid demo, as described in the next section.


pxGrid IntegrationConfiguring an ISE pxGrid Demo

Enable the pxGrid Demo

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo vi sca.conf, then enter your password when prompted3. Update the ise enabled setting to true.4. Press Esc, then enter :wq! and press Enter.5. sudo ./sca.sh restart

DETAILED STEPS


Change the directory.cd ~/SCAStep 1

Open the sca.conf file in vi as a super user.sudo vi sca.conf, then enter your password when promptedStep 2

Enable pxGrid integration.Update the ise enabled setting to true.

Example:modules {ise {

Step 3

enabled = true}

}


Restart the controller processes.sudo ./sca.sh restart

Example:

Step 5

user@host:~/SCA$ sudo ./sca.sh restart

Controller pxGrid Client CertificatesThe controller contains a pxGrid client which retrieves user information from the ISE server. To integrateLearning Network License with ISE, you first generate a private key and public key certificate signing request(CSR), then have a certificate authority (CA) sign the certificate, using a custom pxGrid certificate template.You then export an ISE identity certificate from the ISE server to the controller. Finally, you create a pxGridclient identity keystore and a Learning Network License controller trusted keystore, and import the appropriatecertificates into each.


pxGrid IntegrationEnable the pxGrid Demo

When you submit the CSR to the CA, the CA must use a custom pxGrid certificate template to sign thecertificate. Create this certificate template with an enhanced key usage (EKU) object identifier (OID) forclient authentication (1.3.6.1.5.5.7.3.2) and for server authentication (1.3.6.1.5.5.7.3.1).

Generating pxGrid Client Certificates

Before You Begin

• Create a custom certificate template with the proper EKU OIDs for client authentication and serverauthentication.

• Log into the controller VM console as a user with privileges to run OpenSSL.

SUMMARY STEPS


2. openssl genrsa -out pxGridClient.key 4096

3. openssl req -new -key pxGridClient.key -out pxGridClient.csr

4. Optionally, enter country-code, then state, then locality, then organization, thenorganizational-unit, then common-name, then email, then challenge-password, then company-name

5. Submit pxGridClient.csr and the certificate template to a CA.6. Receive the signed certificate and the CA root certificate.7. Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.8. On the controller VM, navigate to the SCA/services/pxgrid directory.9. openssl pkcs12 -export -out pxGridClient.pl2 -inkey pxGridClient.key -in

issued-certificate.cer -CAfileroot-ca-certificate.cer, then enter and verify a p12-passwordwhen prompted

DETAILED STEPS


Navigate to the /pxgrid directory.cd SCA/services/pxgrid

Example:

Step 1


Generate the pxGridClient.key private key for thecontroller pxGrid client.

openssl genrsa -out pxGridClient.key 4096

Example:

Step 2

user@host:~/SCA/services/pxgrid$ openssl genrsa -out

pxGridClient.key 4096

Enter the certificate signing request (CSR) wizardto generate a CSR for the pxGrid client.

openssl req -new -key pxGridClient.key -out

pxGridClient.csr

Example:

Step 3


pxGrid IntegrationGenerating pxGrid Client Certificates


user@host:~/SCA/services/pxgrid$ openssl req -new -key

pxGridClient.key -out pxGridClient.csr

If you want to specify the certificate subjectdistinguished name (DN), provide the information.

Optionally, enter country-code, then state, then locality, thenorganization, then organizational-unit, then common-name,then email, then challenge-password, then company-name

Step 4

If you want to specify a challenge password, enter achallenge-password. Determine what informationyour CA requires for a CSR.Example:

Country Name (2 letter code) [AU]: country-codeState or Province Name (full name) [Some-State]: stateLocality Name (eg, city) []: localityOrganization Name (eg, company) [Internet Widgits PtyLtd]: organizationOrganizational Unit Name (eg, section) []:organizational-unitCommon Name (e.g. server FQDN or YOUR name) []:common-nameEmail Address []: email

Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: challenge-passwordAn optional company name []: company-name

Submit the certificate signing request to the CA. TheCA signs the request, and uses the certificate

Submit pxGridClient.csr and the certificate template to a CA.Step 5

template to add the EKU OIDs for clientauthentication and server authentication.

Receive the pxGridClient.cer signed certificatefile and the ca_root.cerCA root certificate file fromthe CA.

Receive the signed certificate and the CA root certificate.Step 6

Upload the signed certificate and root CA certificateto the pxgrid folder on the controller VM.

Upload pxGridClient.cer and ca_root.cer to the controller, inthe SCA/services/pxgrid folder.

Step 7

Change directories.On the controller VM, navigate to the SCA/services/pxgriddirectory.

Step 8

Add the pxGridClient.key private key,issued-certificate.cer signed client certificate,

openssl pkcs12 -export -out pxGridClient.pl2 -inkey

pxGridClient.key -in issued-certificate.cer

Step 9

and root-ca-certificate.cer root CA certificateto the pxGridClient.p12 archive file.

-CAfileroot-ca-certificate.cer, then enter and verify ap12-password when prompted

Example:user@host:~/SCA/services/pxgrid$ openssl pkcs12-export -out pxGridClient.pl2 -inkey pxGridClient.key-inpxGridClient.cer -CAfile ca_root.cer

Enter Export Password: p12-passwordVerifying - Enter Export Password: p12-password


pxGrid IntegrationGenerating pxGrid Client Certificates

What to Do Next

• Export the ISE identity public key certificate to the controller, as described in the next section.

Exporting an ISE Identity Certificate

Before You Begin

• Log into the ISE server.

SUMMARY STEPS

1. From the System Certificates page, select the Default self-signed server certificate and click Export.2. Select Export Certificate Only and click Export. Rename the file to isemnt.pem.3. Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.4. Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported

certificate file a different name.

DETAILED STEPS

Step 1 From the System Certificates page, select the Default self-signed server certificate and click Export.

Step 2 Select Export Certificate Only and click Export. Rename the file to isemnt.pem.Step 3 Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.Step 4 Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported certificate file a

different name.

What to Do Next

• Add certificates to keystores, as described in the next section.

Adding pxGrid Certificates to Stores

Before You Begin



pxGrid IntegrationExporting an ISE Identity Certificate

SUMMARY STEPS


2. keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore

./certificates/pxGridClient.jks -srcstoretype PKCS12, then enter and verify apxgrid-keystore-password, then enter the p12-password

3. keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file

issued-certificate.cer

4. openssl x509 -outform der -in isemnt.pem -out isemnt.der

5. keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der, thenenter and verify a pxgrid-truststore-password, then yes to trust the certificate

6. Repeat the previous 2 steps for any remaining ISE identity certificates.7. keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer, then

yes to trust the certificate

DETAILED STEPS


Navigate to the /pxgrid directory.cd SCA/services/pxgrid

Example:

Step 1


Create the pxGridClient.jks pxGrid clientidentity keystore from the pxGridClient.p12archive file.

keytool -importkeystore -srckeystore pxGridClient.p12

-destkeystore ./certificates/pxGridClient.jks -srcstoretype

PKCS12, then enter and verify a pxgrid-keystore-password, then enterthe p12-password

Step 2

Example:user@host:~/SCA/services/pxgrid$ keytool -importkeystore-srckeystore pxGridClient.p12 -destkeystore./certificates/pxGridClient.jks-srcstoretype PKCS12

Enter destination keystore password: pxgrid-keystore-passwordRe-enter new password: pxgrid-keystore-passwordEnter source keystore password: p12-password

Import the issued-certificate.cercertificate file into the pxGridClient.jkspxGrid client identity keystore.

keytool -import -alias pxGridSLNClient -keystore

./certificates/pxGridClient.jks -file issued-certificate.cer

Example:user@host:~/SCA/services/pxgrid$ keytool -import -aliaspxGridSLNClient -keystore ./certificates/pxGridClient.jks -file

Step 3

pxGridClient.cer

Enter keystore password: pxgrid-keystore-password

...

Trust this certificate? [no]: yes


pxGrid IntegrationAdding pxGrid Certificates to Stores


Convert the isemnt.pem certificate file toDER format.

openssl x509 -outform der -in isemnt.pem -out isemnt.der

Example:

Step 4

user@host:~/SCA/services/pxgrid$ openssl x509 -outform der -in

isemnt.pem -out isemnt.der

Import the isemnt.der ISE identity certificateinto the root3.jksLearningNetwork Licensecontroller trusted keystore.

keytool -import -alias isemnt -keystore

./certificates/root3.jks -file isemnt.der, then enter and verify apxgrid-truststore-password, then yes to trust the certificate

Example:user@host:~/SCA/services/pxgrid$ keytool -import -alias isemnt-keystore

Step 5

./certificates/root3.jks -file isemnt.der

Enter keystore password: pxgrid-truststore-passwordRe-enter new password: pxgrid-truststore-password

...


Convert other ISE identity certificate files toDER format, then import them into the

Repeat the previous 2 steps for any remaining ISE identity certificates.Step 6

root3.jks Learning Network Licensecontroller trusted keystore.

Import the ca_root.cer root CA certificateinto the root3.jksLearningNetwork Licensecontroller trusted keystore.

keytool -import -alias ca_root1 -keystore

./certificates/root3.jks -file ca_root.cer, then yes to trust thecertificate

Example:user@host:~/SCA/services/pxgrid$ keytool -import -aliasca_root1 -keystore

Step 7

./certificates/root3.jks -file ca_root.cer

Enter keystore password: pxgrid-truststore-password

...


What to Do Next

• Configure the pxGrid properties, as described in the next section.

pxGrid Properties ConfigurationAfter you add certificates to keystores on the controller, configure the pxGrid properties file to allow thecontroller to trust the certificates, and log into the ISE server to retrieve user identity information.


pxGrid IntegrationpxGrid Properties Configuration

pxGrid Properties Table

Table 2: pxGrid Properties Table

Enter...DescriptionProperty

an IPv4 addressThe ISE server IP address toconnect to.

PXGRID_HOSTNAMES

an ISE server usernameThe username the controller usesto contact the ISE server.

PXGRID_USERNAME

SLNpxGridClient (do not modify)The description associated with theusername, visible on the ISEserver.

PXGRID_DESCRIPTION

./certificates/pxGridClient.jks

or the filename and filepath whereyou created the keystore

The controller pxGrid clientidentity keystore location.

PXGRID_KEYSTORE_FILENAME

the keystorepxgrid-keystore-password

The controller pxGrid clientidentity keystore password.

PXGRID_KEYSTORE_PASSWORD

./certificates/root3.jks or thefilename and filepath where youcreated the trust store

The Learning Network Licensecontroller pxGrid trusted keystorelocation.

PXGRID_TRUSTSTORE_FILENAME

the trusted keystorepxgrid-truststore-password

The Learning Network Licensecontroller pxGrid trusted keystorepassword.

PXGRID_TRUSTSTORE_PASSWORD

7072 (do not modify)Port used by the controller tointernally connect to the controllerpxGrid client.

PXGRID_APP_PORT

Configuring pxGrid

Before You Begin

• Log into the controller VM console from the ESXi hypervisor.


pxGrid IntegrationpxGrid Properties Table

SUMMARY STEPS


2. sudo vi app.properties, then enter your administrator password when prompted.3. Update the pxGrid properties in the app.properties file.4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS


Navigate to the pxgrid directory.cd SCA/services/pxgrid

Example:

Step 1


Edit the app.properties file with super user privileges.sudo vi app.properties, then enter your administrator passwordwhen prompted.

Step 2

Example:user@host:~/SCA/services/pxgrid$ sudo vi app.properties

Update PXGRID_HOSTNAMES with the ISE server IPaddress. Update PXGRID_USERNAME with a username

Update the pxGrid properties in the app.properties file.

Example:PXGRID_HOSTNAMES=192.0.2.2PXGRID_USERNAME=<username>

Step 3

the controller uses to log into the ISE server. UpdatePXGRID_KEYSTORE_FILENAME with the keystorelocation. Update PXGRID_KEYSTORE_PASSWORD with

PXGRID_DESCRIPTION=sln_pxgrid_clientthe pxgrid-keystore-password. UpdatePXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jksPXGRID_TRUSTSTORE_FILENAME with the keystorePXGRID_KEYSTORE_PASSWORD=pxgrid-keystore-password

PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks location. Update PXGRID_TRUSTSTORE_PASSWORDwiththe pxgrid-truststore-password.

PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-passwordPXGRID_APP_PORT=7072


pxGrid ActivationAfter you configure the pxGrid properties, update the controller configuration file to enable pxGrid integration,then restart the controller processes.

Activating pxGrid Integration

Before You Begin



pxGrid IntegrationpxGrid Activation

SUMMARY STEPS

1. cd SCA

2. sudo vi sca.conf, then enter your password when prompted3. Update the ise enabled setting to true.4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS


Change the directory.cd SCA

Example:

Step 1

user@host:~$ cd SCA

Open the sca.conf file in vi as a super user.sudo vi sca.conf, then enter your password when prompted

Example:

Step 2

user@host:~/SCA$ sudo vi sca.conf

Enable pxGrid integration.Update the ise enabled setting to true.

Example:modules {ise {

Step 3

enabled = true}

}


What to Do Next

• Restart the controller processes, as described in the next section.

Restarting Controller Processes

Before You Begin


SUMMARY STEPS

1. cd ~/SCA

2. sudo ./sca.sh restart


pxGrid IntegrationRestarting Controller Processes

DETAILED STEPS


Change to the /SCA directory.cd ~/SCA

Example:

Step 1

user@host:~$ cd ~/SCA

Restart the controller processes.sudo ./sca.sh restart

Example:

Step 2

user@host:~/SCA$ sudo ./sca.sh restart

ISE Server Settings UpdateAfter you activate pxGrid integration, log into your ISE server. Approve the registration for theSLNpxGridClient client if it is in a pending state, then assign SLNpxGridClient to the Session group. Seehttp://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html for more information on approving a client's registration, and https://communities.cisco.com/docs/DOC-68291 for more information on updating the group membership.

Controller Process RestartAfter you update the SLNpxGridClient client group membership in ISE, restart the controller's processesagain. See Restarting Controller Processes, on page 12 for more information.


pxGrid IntegrationISE Server Settings Update

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html

https://communities.cisco.com/docs/DOC-68291

https://communities.cisco.com/docs/DOC-68291


pxGrid IntegrationController Process Restart

pxgrid integration - cisco · pxgrid integration...

Documents