CISCO

Prerequisites

CISCO CUCM

For CISCO CUCM, access privileges are needed to execute the CLM commands corresponding to the supported CLM features (discovery, CSR generation, push, and bind).

To execute these commands, ensure that the admin user has an access privilege of level 1 (read and write access).

For links to detailed documentation on the commands and access privileges, see the References section.

CISCO ISE

  • Ensure that at least one node is designated as the primary node.

    Cisco ISE can have one primary PAP node and multiple secondary nodes. AppViewX will always discover certificates from the primary node.

    In the absence of a designated primary node, certificates will not be discovered from Cisco ISE.

    If a primary node is designated but is disabled, only trust certificates will be discovered.

  • Ensure that the API setting is enabled for both ERS and OpenAPI.

    Cisco ISE recommends using port 443 for both ERS and OpenAPI.

  • Ensure that the onboarding user has been mapped to the ERS Admin group.

For links to detailed documentation for ISE installation and configuration, see the References section.

CISCO IOS

For CISCO IOS, access privileges are needed for executing the CLM commands corresponding to the supported CLM features (discovery). Each user is assigned a privilege level between 1 and 15, and each command has an associated level. The privilege level determines what commands a user can execute.

For links to detailed documentation on the commands and access privileges, see the References section.

Onboarding CISCO

A CISCO device can be onboarded as one of four server types:
  • UCS
  • CUCM
  • ISE
  • IOS
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select CISCO logo from the Vendors list.
    The CISCO server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned below.
    1. Select the Server Type = UCS, and enter the details of the fields mentioned below.
      Table 1. Server Details - Field Description Table
      Fields Description
      *Server Type Select Server type from the dropdown (UCS).
      *Server name Enter the server name, a unique name for the device addition.
      *IP address/ FQDN Enter the valid IP address or FQDN for device communication and integration with CISCO.
      Data center Choose the desired data center.
      Onboarding Group Select the onboarding group to assign the device.
      Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
      *SSH Port Enter the SSH port number. Default value is 22.
      Cert sync Choose from any of the following:
      • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
      • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
      • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
      *: Mandatory fields
    2. Select the Server Type = CUCM. All the fields mentioned above (in step a) will be displayed along with the additional fields as below:
      Table 2. Server Details - Field Description Table
      Fields Description
      Cert sync Choose from any of the following:
      • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
      • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
      • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    3. Select the Server Type = ISE. All the fields mentioned above (in step a) will be displayed along with the additional fields as below:
      Table 3. Server Details - Field Description Table
      Fields Description
      ERS API Port The Cisco Identity Services Engine (ISE) API uses the ERS and OpenAPI ports for communication. These port requirements can be modified during the installation or configuration of ISE, depending on the network and security requirements. The default value for ERS API Port is 9060.
      Open API Port The default value for Open API Port is 443.
      Proxy Required The checkbox is not selected (false) by default. To enable communication through proxy servers select the checkbox (true).
      Cert sync Select the required cert sync.

      The possible options are

      • Managed (default selection)
      • Monitored
      • Ignored
      Cisco ISE Device Onboarding - Prerequisites
      1. Make sure that one of the nodes is designated as the Primary node. If no Primary node is set, server certificates will not be discovered from Cisco ISE. If the Primary node is disabled, only trust certificates will be discovered.
      2. Make sure the API setting is enabled for both ERS and OpenAPI. API services are disabled by default. To enable them, navigate to Administration > System > Settings > API Settings > API Service Settings.
      3. Cisco ISE recommends using port 443 for both ERS and OpenAPI.
      4. Make sure the onboarding user has been mapped to the ERS Admin group.
      5. Cisco ISE can have one primary PAP node and multiple secondary nodes. AppViewX will always discover certificates from the primary node.

      Additional Fields Support for REST API based vendors

      Additional Fields Supported in AppViewX
      Proxy Required Yes
      ERS Port 443 or 9060 (External RESTful Services). The Cisco Identity Services Engine (ISE) API uses the ERS and OpenAPI ports for communication.
      Open API Port 443

      Discovery

      1. AppViewX discovers all trust certificates and system certificates from the primary node.
      2. AppViewX also shows the certificate's association to the role details in the discovery response and in the app connector.
      3. A profile will be created for the primary node, along with dedicated profiles for each existing certificate.
          1. If the profile name follows the format {deviceName}:{primary_node_name}, it is used for pushing certificates to Cisco ISE but cannot be used to map certificates to any role.
          2. If the profile name follows the format {deviceName}:{primary_node_name}:{commaSeparatedRoleName}:{friendlyName}, the profile can be used to renew, push, and bind the certificate to the specified roles.
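As an added example (not AppViewX's or Cisco's own code), the following parser classifies a profile name into the two formats described above and reports whether it can be used for role binding. The device, node and role names used in the docstring and comments are constructed, and it is assumed that device and node names contain no colon.

```python
# Added example, not AppViewX or Cisco code: classifies the two ISE profile name
# formats described above so a caller knows what a profile can be used for.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IseProfile:
    device_name: str
    primary_node: str
    roles: List[str]             # empty for the node-only profile
    friendly_name: Optional[str]

    @property
    def can_bind_roles(self) -> bool:
        # Only the four-part form carries roles, so only it may renew, push and bind.
        return bool(self.roles)


def parse_ise_profile(name: str) -> IseProfile:
    """Parse {deviceName}:{primary_node_name} or
    {deviceName}:{primary_node_name}:{commaSeparatedRoleName}:{friendlyName}.

    Assumption (not stated on the page): device and node names contain no ':';
    the friendly name is everything after the third ':' so it may itself contain colons.
    """
    parts = name.split(":", 3)
    if len(parts) == 2:
        device, node = parts
        return IseProfile(device, node, [], None)
    if len(parts) == 4:
        device, node, role_list, friendly = parts
        roles = [r.strip() for r in role_list.split(",") if r.strip()]
        if not roles or not friendly:
            raise ValueError(f"role list and friendly name must be non-empty: {name!r}")
        return IseProfile(device, node, roles, friendly)
    raise ValueError(f"unrecognised ISE profile name: {name!r}")
```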

      Push Format Support

      Push Format Supported in AppViewX
      PEM Privacy Enhanced Mail (PEM)
      AppConnector
      Field Name Details
      Friendly Name Enter a friendly name for the certificate. If no name is specified, Cisco ISE automatically creates a name in the format common-name, Subject-Alternative-Name#issuer#nnnnn where <nnnnn> is a unique five-digit number.
      1. If the trust certificate already exists in Cisco ISE, pushing it again is not required.
      2. If the admin profile is selected, the application server will restart automatically.
        Note: It is recommended to include both the FQDN and IP address of the ISE server in the SAN field of the ISE system certificate.
      3. The private key is required to push the certificate to Cisco ISE.
      4. If no role or 'Used By' value is defined, the certificate will be pushed to the Cisco ISE system certificate but will remain in a Not In Use state.
      5. Users cannot uncheck the pre-selected role from the discovered certificate. However, additional roles can be added based on the role selection rules.
      6. During the push process, users can select multiple roles for the certificate, in accordance with the rules defined in Cisco ISE.
      7. The SAML role cannot be combined with any other role.
      8. If the ISE Messaging service role is selected, users cannot select any other roles from the dropdown.
      9. If the portal role is selected, the Default Portal Certificate Group is used as the portalGroupTag; custom groups cannot be selected from the AppViewX application.
      10. Each role can be associated with only one system certificate. Assigning a new certificate will remove the role from the existing certificate.
      11. Users can utilize the existing configuration to push and bind the certificate.
      12. By default, the use of existing configuration is enabled on the Add/Edit App Connector screen.
      13. Users can disable the 'Use Existing Configuration' option and provide a new Friendly Name and Roles for the certificate.
      14. Certificate push operations always upload the certificate to the primary node. Customers must manually transfer the certificate from the primary node to the respective target node.
      15. If the user selects the Node profile to push a new certificate to a role, the existing certificate bound to that role cannot be identified, so a backup cannot be taken. As a result, the backup step will be skipped with the comment: 'No data available,' and rollback will not be possible.
      16. Cisco ISE does not allow pushing a new certificate with the same public key and returns the exception "Found a certificate with matching public key." Therefore, the user must regenerate the certificate with a new key pair before proceeding with the push.
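As an added example (not AppViewX's or Cisco's own code), the following functions model the role rules listed above: pre-selected roles cannot be unchecked, SAML and ISE Messaging Service cannot be combined with other roles, the portal role always uses the default group tag, a certificate with no role stays Not In Use, and a role moves from its previous certificate when reassigned. The role names and the bindings table are constructed for illustration.

```python
# Added example, not AppViewX or Cisco code: models the role-selection and
# role-ownership rules for an ISE certificate push listed above. Role names
# and the bindings table are constructed for illustration.
from typing import Dict, Iterable, List, Optional, Set

SAML = "SAML"
MESSAGING = "ISE Messaging Service"
PORTAL = "Portal"
DEFAULT_PORTAL_GROUP = "Default Portal Certificate Group"  # the only portalGroupTag used


def validate_role_selection(discovered: Iterable[str], selected: Iterable[str]) -> List[str]:
    """Return rule violations for a push request; an empty list means it is valid."""
    discovered, selected = set(discovered), set(selected)
    problems = []
    unchecked = discovered - selected
    if unchecked:  # rule 5: pre-selected roles from the discovered certificate stay
        problems.append(f"discovered roles cannot be unchecked: {sorted(unchecked)}")
    if SAML in selected and len(selected) > 1:  # rule 7
        problems.append("SAML cannot be combined with any other role")
    if MESSAGING in selected and len(selected) > 1:  # rule 8
        problems.append("ISE Messaging Service cannot be combined with any other role")
    return problems


def portal_group_tag(selected: Iterable[str]) -> Optional[str]:
    """Rule 9: a Portal role always gets the default group; no custom group is selectable."""
    return DEFAULT_PORTAL_GROUP if PORTAL in set(selected) else None


def usage_state(selected: Iterable[str]) -> str:
    """Rule 4: a certificate pushed with no role stays 'Not In Use'."""
    return "In Use" if set(selected) else "Not In Use"


def assign_certificate(bindings: Dict[str, Set[str]], cert_id: str,
                       roles: Iterable[str]) -> Dict[str, Set[str]]:
    """Rule 10: each role belongs to one system certificate, so giving it to
    cert_id removes it from whichever certificate held it before."""
    roles = set(roles)
    for other, held in bindings.items():
        if other != cert_id:
            held.difference_update(roles)
    bindings.setdefault(cert_id, set()).update(roles)
    return bindings
```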

      Limitation

      • CSR generation at the Cisco ISE endpoint is not supported.
    4. Select the Server Type = IOS. All the displayed fields are as mentioned in step b.
  6. In the Credentials section, select/enter the details as follows.
    Table 4. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry
    • Credential List - AppViewX
    • Credential List - BeyondTrust
    • Credential List - Thycotic
    Note:
    • If Credential List - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the assigned username. (This field is displayed for Manual entry only)
    *Password Enter the secure password. (This field is displayed for Manual entry only)
    *Privilege Password Enter the privilege password for using the privilege mode.
    *: Mandatory fields
  7. Click Save.
    Note: The Cisco device can also be configured through the Import option by downloading the .csv or .xlsx template. Additional columns (ERS API Port and Open API Port) have been added for Cisco ISE. These can be left blank; the default values, 9060 and 443 respectively, will be used.

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status Column).
    The status column will have the value Managed/Monitored/Ignored based on the CertSync status if the connection is successful or displays Failed/Unresolved in case of failure.
  4. From the Status column, click Managed/Monitored.
    The Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to view the Device Communication, Device Version, Instance Information, and Certificate Discovery From Device details.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: