
Amazon Appliance Setup

To set up CloudCenter using appliances for AWS clouds, follow this process.

  1.  Prepare Infrastructure

    To prepare infrastructure for the appliance approach, follow this process.

    1. Request image sharing for the AWS account by opening a CloudCenter Support case (mycase.cisco.com). In your request, specify the following details:

      1. AWS account number
      2. CloudCenter version
      3. Customer ID (CID)
      4. Customer name
      5. Production or POC setup
      6. Contact email

    2. After you open a case, your support case is updated with the shared AMI IDs. Proceed to the next step only after your support case is updated with the AMI IDs.
    3. Go to the AWS cloud console and select:
      1. Region: US East (North Virginia)
      2. Compute: EC2

        Cisco Provided AWS Images

        By default, Cisco only provides images for the US East (North Virginia) region.

        If you prefer to use any other region, follow this procedure:

        1. Follow the rest of the process to set up CloudCenter Appliances to launch each CloudCenter component using the AMI provided by Cisco.
        2. Save each component as a new AMI (refer to the AWS documentation for details).
        3. Copy the AMI to the required AWS region (refer to the AWS documentation for details).
        4. Then follow the remainder of this process to set up CloudCenter appliances in the new AWS region.
    4. Prepare to launch the image for each component. See Component Modes and Roles for additional context.

      1. Required:
        • One CCM is required for each CloudCenter setup.
        • One AMQP and one CCO are required for each cloud region.

      2. Optional:
        • A monitor for each CloudCenter setup
        • An isolated Docker container
        • A custom worker image

          You can use the out-of-box worker (Application VM) images. If you use custom application VM images, you do not need to launch the worker image.

    5. Locate the AMI ID for each component:
      1. Search for Private Images in the search bar.
      2. Ensure that the selected private image is the same as listed in the AMI ID that was emailed to you.
    6. Launch the instance for each component using the AMI ID:

      1. Choose an instance type (see Phase 1: Prepare Infrastructure > Hardware Requirements for additional context).
      2. Configure the instance details as required by your environment.
      3. Add the storage of your choice.
      4. Tag the instance using a descriptive name. See Component Modes and Roles for CloudCenter names.
      5. Configure the security groups to associate with each VM. See Phase 2: Configure Network Rules for additional context. The next section in this process, Configure Network Rules, provides the minimum required network settings.

        Ensure that Port 22 is open to allow SSH access into the component VM.

      6. Review and update the instance launch settings as required by your environment.
      7. Click Launch; the Select an existing key pair or create a new key pair screen displays. Refer to your AWS documentation for information on key pairs.

        If you do not select a key pair, you will not be able to log into the component VM!

      8. Click Launch Instance to launch the component VM. Check the AWS console to confirm that the VM launch process has completed successfully.
    7. Set up the hostname:
      1. Hostname – For all launched VMs, update the hostname.

        Don't change the hostname after you install and configure a component, as it may cause unknown issues.

        Choose a hostname that matches the Role. For example:

        Example
      2. Set up the hostname resolution – Once you update the hostname, ensure that the VM hostname is resolvable by running the following command:

        1. hostname -i
        2. If the VM name is not resolvable, edit the file /etc/hosts and add your VM's hostname.
          For example:

          Example
      3. Network routing loopback:

        1. Refers to deployed CCMs that are running behind Network Address Translation (NAT).
        2. This setup places a restriction on machines from internal networks to ensure that they do not use an external IP to access the CCM.
        3. To address this restriction, you must add a line to the CCO and AMQP server's /etc/hosts file that includes the internal private IP of the CCM. For example: if the CCM DNS name is ccm.example.com, it is behind a NAT, its internal private IP address is 192.168.20.5 and its external public IP address is 54.16.20.5, then enter the following line in the local /etc/hosts file:

          192.168.20.5 ccm.example.com

          When configuring the CCM, the hostname used above (ccm.example.com) must match what you configure as the Public DNS while configuring the CCM.

    8. Create the CloudCenter Descriptor JSON file:
      Once infrastructure has been set up for all the CloudCenter components, create a CloudCenter Descriptor JSON file that lists all the CloudCenter components with their modes and the IP address that corresponds to the infrastructure element for each mode and role. This descriptor file is used for the network compliance check (Step #3). Following are a few sample descriptor files based on some common combinations of component modes.

      The overall file structure will depend on factors like the modes of the various components, the number of cloud regions, the use of conditional/optional components and repos, etc. Also, the region names used in the file should be unique, but do not need to match any cloud or datacenter names. These strings are merely used to perform network compliance checks and report results.

      Sample JSON File


  2.  Configure Network Rules

    In this phase, you must set up network rules to enable communication across the various components.

    The network settings in this page provide the minimal port requirements for inter-component communication. In environments where all the components can communicate with each other via any port (typically POC environments or private datacenters), you can skip this phase.

    Production environments are typically secured by only allowing communication through the ports specified in this section.

    The tables in this section list the networking requirements for each Component Role.

    CCM Ports

    Port | Direction | Remote Source | Notes
    80 | Ingress (optional) | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For HTTP to HTTPS redirection.
    80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For UI/API access.
    22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes.
    8443 | Ingress | CCO_IP or CCO_PRIMARY_IP & CCO_SECONDARY_IP | For two-way communication between the CCO and CCM VMs. Required for all Cloud Regions supported by your CloudCenter deployment.
    8443 | Egress | CCO_IP or CCO_LB_IP | For two-way communication between the CCO and CCM VMs. Required for all Cloud Regions supported by your CloudCenter deployment.
    8443 | Ingress (optional) | MON_IP or MON_PRIMARY_IP & MON_SECONDARY_IP | For two-way communication between the Monitor VM and the CCM VM.
    8443 | Egress (optional) | MON_IP or MON_LB_IP | For two-way communication between the Monitor VM and the CCM VM.
    8443 | Ingress | AMQP_IP or AMQP_PRIMARY_IP & AMQP_SECONDARY_IP | For Web SSH/VNC through Guacamole.

    AMQP Ports

    Port | Direction | Remote Source | Notes
    22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes.
    5671 | Ingress | CCO (or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY); Worker VM IP Range | For communication from the CCO VM and from launched VMs.
    7789 | Ingress | Worker VM IP Range | For SSH/VNC access of launched VMs. Done through reverse proxy for loopback connection.
    7788 | Ingress/Egress | AMQP (or AMQP_PRIMARY, AMQP_SECONDARY, and AMQP_LB) | For SSH/VNC access of launched VMs. Done through reverse proxy for loopback connection.
    443 | Ingress | 0.0.0.0/0 (or appropriate IP address range for user browsers that are allowed to access) | For SSH/VNC and RDP access of launched VMs.
    8443 | Egress | CCM (or CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY); CCO (or CCO_PRIMARY, CCO_SECONDARY, and CCO_TERTIARY) | For SSH/VNC access of launched VMs. The Guacamole server on the AMQP VM communicates with the CCM and CCO VMs via this port.

    CCO Ports

    Port | Direction | Remote Source | Notes
    8443 | Ingress/Egress | CCM, CCM_SA, or CCM_SA_PRIMARY and CCM_SA_SECONDARY; Monitor | For two-way communication between the CCO and CCM VMs.
    22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes.
    80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    All | Egress (Conditional) | Cloud Region EndPoints, Script Sources | For cloud region endpoint access and for downloading scripts/packages defined in external services.
    2375 | Egress (Conditional): only for CloudCenter 4.6.x and earlier, not used for CloudCenter 4.7.x and later | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts.
    2376 | Egress (Conditional): only for CloudCenter 4.7.x and later, not used for CloudCenter 4.6.x and earlier | EXT_SCRIPT_EXECUTOR | For Docker container engine access to execute external scripts.

    Monitor Ports

    Port | Direction | Remote Source | Notes
    22 | Ingress (optional) | Allowed SSH source IP | For troubleshooting purposes.
    80 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    443 | Egress | 0.0.0.0/0 | To download installer or appliance packages.
    4560 | Ingress | CCM_IP (or CCM_PRIMARY_IP and CCM_SECONDARY_IP); CCO_IP (or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP) | (Logstash) To collect, process, and push the logs to the CCM and/or CCO.
    8881 | Ingress | CCM_IP (or CCM_PRIMARY_IP and CCM_SECONDARY_IP); CCO_IP (or CCO_PRIMARY_IP, CCO_SECONDARY_IP, and CCO_TERTIARY_IP) | (Elasticsearch) To download logs for the CCM and/or CCO.
    8882 | Ingress | Public browser access | To view the logs in the Kibana console.
    8443 | Ingress/Egress | CCM, CCM_SA, or CCM_SA_PRIMARY, CCM_SA_SECONDARY, and CCM_LB | For two-way communication between the CCM and Monitor VMs.
    8443 | Egress | CCO or CCO_LB | For access to the CCO VM.
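    Before running the compliance check, it is useful to compare a security group against these tables programmatically. The following is an added example and not Cisco's tooling: it transcribes the minimum ingress rules per role from the tables above, reports required rules that are missing, and reports ports that the tables tie to a specific peer but that have been opened to 0.0.0.0/0. The security-group rule format, the source labels and the sample addresses are constructed for the example.

```python
import ipaddress

ANY = "0.0.0.0/0"

# Minimum ingress rules per role, transcribed from the tables above as
# (port, source label, required). Labels are resolved to CIDRs by the caller;
# USER_RANGE is the only source the tables allow to be 0.0.0.0/0.
REQUIRED_INGRESS = {
    "CCM": [(443, "USER_RANGE", True), (80, "USER_RANGE", False),
            (22, "SSH_SOURCE", False), (8443, "CCO", True),
            (8443, "MON", False), (8443, "AMQP", True)],
    "CCO": [(8443, "CCM", True), (8443, "MON", False),
            (22, "SSH_SOURCE", False)],
    "AMQP": [(22, "SSH_SOURCE", False), (5671, "CCO", True),
             (5671, "WORKER_RANGE", True), (7789, "WORKER_RANGE", True),
             (7788, "AMQP", True), (443, "USER_RANGE", True)],
    "MON": [(22, "SSH_SOURCE", False), (4560, "CCM", True), (4560, "CCO", True),
            (8881, "CCM", True), (8881, "CCO", True), (8882, "USER_RANGE", True),
            (8443, "CCM", True)],
}


def covers(rule_cidr, wanted_cidr):
    """True if every address in wanted_cidr falls inside rule_cidr."""
    rule = ipaddress.ip_network(rule_cidr, strict=False)
    wanted = ipaddress.ip_network(wanted_cidr, strict=False)
    return wanted.version == rule.version and wanted.subnet_of(rule)


def audit_security_group(role, sg_rules, addresses):
    """sg_rules: [(port, cidr)] TCP ingress rules read from the group (constructed
    format). addresses: source label -> CIDR for this deployment.
    Returns (missing, too_broad) lists of findings."""
    missing, too_broad = [], []
    for port, label, required in REQUIRED_INGRESS[role]:
        wanted = addresses.get(label)
        if wanted is None:
            if required:
                missing.append(f"{role}: no address given for {label} (port {port})")
            continue
        if required and not any(p == port and covers(c, wanted) for p, c in sg_rules):
            missing.append(f"{role}: port {port} not reachable from {label} ({wanted})")
    # Ports the tables tie to a specific peer must not be opened to the world.
    world_ok = {p for p, label, _ in REQUIRED_INGRESS[role] if label == "USER_RANGE"}
    for port, cidr in sg_rules:
        if cidr == ANY and port not in world_ok:
            too_broad.append(f"{role}: port {port} open to {ANY}; restrict to the listed source")
    return missing, too_broad


# Constructed sample: a CCM group that opens 443/80 to users correctly, leaves
# SSH open to the world, allows the AMQP VM on 8443 but forgets the CCO VM.
SAMPLE_ADDRESSES = {"CCO": "10.0.1.10/32", "AMQP": "10.0.1.20/32", "MON": "10.0.1.30/32",
                    "USER_RANGE": ANY, "SSH_SOURCE": "203.0.113.0/24"}
SAMPLE_CCM_RULES = [(443, ANY), (80, ANY), (22, ANY), (8443, "10.0.1.20/32")]


def demo():
    return audit_security_group("CCM", SAMPLE_CCM_RULES, SAMPLE_ADDRESSES)


if __name__ == "__main__":
    for finding in demo()[0] + demo()[1]:
        print(finding)
```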

  3.  Perform Network Compliance Check

    You must perform the network compliance check to ensure that all network rules for inter-component communication between CloudCenter component VMs, application VMs and end user access are set up accurately.

    CloudCenter Component VMs

    To perform network compliance checks for CloudCenter components, perform this procedure on each VM launched as part of the 1. Prepare Infrastructure process.

    1. Upload the deployment descriptor JSON file created in 1. Prepare Infrastructure to the /tmp location.
    2. Upload the validator script called validator.py to the /tmp location (available with the CloudCenter appliance files).
    3. Execute the following command from the /tmp location.

      Command

      Examples:

      • python network_validator.py --role=CCM --deploymentDetails=deployment.json
      • python network_validator.py --role=CCO --region=AmazonEast1 --deploymentDetails=deployment.json
      • python network_validator.py --role=AMQP --region=AmazonEast1 --deploymentDetails=deployment.json

    4. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update the network settings as appropriate and repeat the test.

    Application VMs

    To ensure that application VMs (that are launched as part of application orchestration) can communicate with the relevant CloudCenter components and repositories, perform this procedure:

    1. Launch a test VM in every cloud environment intended to be managed by CloudCenter.
    2. Upload the deployment descriptor JSON file to the /tmp location.
    3. Upload the validator script called validator.py to the /tmp location.
    4. Execute the following command from the /tmp location.

      Command

      Example:
      python network_validator.py --role=AGENT --region=AmazonEast1 --deploymentDetails=deployment.json

    5. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update the network settings as appropriate and repeat the tests.
    6. Once the network compliance check is successful, terminate the test VMs.

    Client Test

    Some CloudCenter components (CCM, AMQP or GUAC) must be accessible to end users to ensure UI or REST API access. To ensure client access to these components, perform this procedure:

    1. Identify the Linux, Windows (Python enabled), or Mac OS X systems running in networks accessed by end users.
    2. Upload the deployment descriptor file to this client system.
    3. Upload the validator.py to the client system.
    4. Execute the following command from the Python script location.

      Command

    5. Verify the results to ensure that there are no failures and that all required network rules are set up accurately. In case of failures, update the network settings as appropriate and repeat the test.

    Before proceeding to the next section, ensure that the network compliance check is successful.
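    The validator script itself is not reproduced on this page. The following added example (not Cisco's network_validator.py) shows the shape of such a role-based check for the descriptor file from step 8 of Prepare Infrastructure and the --role/--region runs above: it resolves each peer from the descriptor and probes the outbound targets the Configure Network Rules tables require. The descriptor layout, the CheckResult shape and the sample values are assumptions; the real file's schema is not shown here.

```python
import json
import socket
from collections import namedtuple

# Assumed descriptor layout (the real schema is not reproduced on this page):
# one global "ccm" entry plus one entry per region name, each giving that
# region's CCO and AMQP addresses. Constructed sample pointing at localhost.
SAMPLE_DESCRIPTOR = json.loads("""{
  "ccm": {"mode": "standalone", "ip": "127.0.0.1"},
  "regions": {
    "AmazonEast1": {"cco": {"ip": "127.0.0.1"}, "amqp": {"ip": "127.0.0.1"}}
  }
}""")

# Outbound TCP targets each role must reach, taken from the Configure Network
# Rules tables: (component, port).
ROLE_TARGETS = {
    "CCM":   [("cco", 8443)],
    "CCO":   [("ccm", 8443), ("amqp", 5671)],
    "AMQP":  [("ccm", 8443), ("cco", 8443)],
    "AGENT": [("amqp", 5671), ("amqp", 7789)],
}

CheckResult = namedtuple("CheckResult", "region component host port reachable")


def resolve(descriptor, region, component):
    """Address of a component: the CCM is global, CCO and AMQP are per region."""
    if component == "ccm":
        return descriptor["ccm"]["ip"]
    return descriptor["regions"][region][component]["ip"]


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect probe; a refused or timed-out connect counts as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_role(role, descriptor, region=None, probe=tcp_reachable):
    """Probe every target the role needs. The CCM is checked against every
    region's CCO; other roles take a --region just like the commands above.
    'probe' is injectable so the logic can be exercised without live hosts."""
    regions = list(descriptor["regions"]) if role == "CCM" else [region]
    results = []
    for reg in regions:
        if reg not in descriptor["regions"]:
            raise ValueError(f"unknown region {reg!r}: names must match the descriptor")
        for component, port in ROLE_TARGETS[role]:
            host = resolve(descriptor, reg, component)
            results.append(CheckResult(reg, component, host, port, probe(host, port)))
    return results


def failures(results):
    """Targets that could not be reached; an empty list means the role passes."""
    return [r for r in results if not r.reachable]


if __name__ == "__main__":
    for r in validate_role("AGENT", SAMPLE_DESCRIPTOR, region="AmazonEast1"):
        print(f"{r.region} {r.component} {r.host}:{r.port} ->",
              "PASS" if r.reachable else "FAIL")
```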

  4.  Configure Components

    After you launch the instance for each image:

    1. Power on the image.
    2. Log into the image.
    3. SSH into each component instance as the centos user, and run the following command as the root user:

    4. Launch the CloudCenter wizard for each component:

      1.  CCM Wizard Properties

        To configure the CCM wizard properties, follow this procedure.

          1. SSH into the CCM instance as the centos user.
          2. Run the following command:

        1. Invoke the CCM wizard.

          CCM Wizard Path
        2. Configure the basic properties. The wizard includes several menu groups with different properties.

          Write this down for future reference! Write down the Field details in a printed version of the Your Notes section for later use.

          CCM Properties (Field: Description)

          Mail (SMTP Host, SMTP Port, SMTP Auth): SMTP server details to send mail notifications.

          Mail_User (Mail User, Password, From User, Display Name): Mail authentication and configuration details to send mail notifications. If you retain the default settings, the mail functionality will not be configured.

          Server_info (Required):
          • Public DNS: DNS or IP of the CCM. Used by the CCO VM to communicate with the CCM VM.
          • Monitor URL: The Monitor VM's complete URL, for example https://<MON or MON_LB IP address>:8443. Must use the HTTPS protocol. Used by the CCM VM to retrieve the health status from the Monitor VM.
          • Hazelcast IP: Private IP address of the CCM VM. Used internally by the CloudCenter platform.
          • External URL: Optional for non-HA CCM scenarios.

          Config_App_Logo (no fields listed): Used by the application profile templates.

          ESB_Info (no fields listed): Required only if you installed Enterprise Service Bus (ESB), an optional component that is not installed in CloudCenter appliances by default.

          Network (Hostname, Interface): Use the defaults if you are not making any changes to these settings.

          DB (Effective CloudCenter 4.7.0):
          • IP or Hostname: DNS or IP of the database.
            • Local host: Default, does not include the flyway migrate configuration.
            • Remote host: Includes the flyway migrate configuration (see the Flyway Migrate bullet below).
          • Username and Password: Authentication credentials for the database (either local or remote).
          • Optional – Flyway Migrate (remote host): Configure the CCM to use a remote database by providing the IP address of the remote database. When you provide the IP address, you see an additional screen to configure the flyway migrate process.
            • Yes: Flyway migration takes place.
            • No: Only the configuration files are updated.

            DB configuration is required for standalone database deployments.

          ELK_Info (Effective CloudCenter 4.7.0):
          • ELK Host: Specify the IP address for the ELK/Monitor host.
          • Elasticsearch Port: Displays 8881 by default.
          • Logstash Port: Displays 4560 by default.
          • Kibana Port: Displays 8882 by default.
          • ELK Password: The default ELK Password is re@d0nly (zero between d and n); change this password after the initial login (see Download Log File for additional context).
          • ELK Username: The default ELK Username is logreader.
          • Host Identifier: A unique ID for the server; be sure to prefix the unique identifier with CCM_, for example CCM_1.
          • Host Identifier List: Only applies to environments using the HA mode; provide a list of comma-separated unique host identifiers for all ELK/Monitor hosts in an HA setup, for example CCM_1,CCM_2,myCCM.

            In an environment operating in HA mode, if you have two CCM instances with unique IDs configured as CCM_1,CCM_2 in their respective server.properties file, then this property should state CCM_1,CCM_2 in both CCM instances. Each CCM must be aware of the unique ID of the other CCM(s) when in HA mode.

        3. Exit the CCM configuration wizard.

        4. Select Yes to restart the Tomcat service for the changes to take effect.

        You have successfully installed the CCM component! You can now proceed to the next step – Per CloudCenter Region Installation.

      2.  AMQP - CCM/CCO Wizard Properties

        AMQP – Configure CCM/CCO Properties for Guacamole Server

        Dedicated GUAC Setup? This GUA config wizard step is not required if you have set up a dedicated Guacamole server.

          1. SSH into the GUA instance as the centos user.
          2. Run the following command:

        1. Invoke the GUA wizard.

          GUA Wizard Path
        2. Configure the CCO and CCM properties. The wizard includes multiple menu groups with different properties. The table below lists each property and highlights the common properties in bold text.

          Write this down for future reference! Write down the Field details in a printed version of the Your Notes section for later use.
        3. Configure the properties for the CCM and CCO VMs:

          Group | Host | Possible IP Addresses
          CCM_Info | CCM Host | CCM_IP or CCM_SA_IP or CCM_LB_IP
          CCO_Info | CCO Host | CCO_IP or CCO_LB_IP
        4. Verify your changes and exit the GUA configuration wizard.

        You have successfully configured the AMQP server! You can now proceed to the next step.

        Post-Install Setup

        Any change in the hostname may result in a VM bounce/reboot.

        If you change the AMQP server's hostname, the local AMQP database is renamed and you may need to rerun the AMQP configuration.

        Some clouds set the hostname automatically for each new instance or boot, and RabbitMQ uses the pre-set hostname to set the database name. In these cases, you must run the following commands as root to rerun the AMQP configuration:

        You will also need to run these commands again if the node is rebooted, as you may end up with a new hostname and database name.

        If a database user exists and a login is not associated, this user may not be able to log into the AMQP server.

        Ensure that the required users (cliqr and cliqr_worker) are set up in your database. If you have additional users in your database, they will also be displayed when you run the rabbitmqctl command.

        If you do not see these users in your database, run the following commands as root (to recreate the users in the AMQP configuration):

        Reboot the AMQP Server

        Reboot the AMQP server.

        Start the Wizard

        Use the following command to start the Guacamole wizard if you need to change settings as required by your deployment. See Per CloudCenter Region Installation (Required) > AMQP for additional context.

      3.  CCO Wizard Properties

        CCO – Configure CCO Wizard Properties

          1. SSH into the CCO instance as the centos user.
          2. Run the following command:

        1. Invoke the CCO wizard.

          CCO Wizard Path
        2. Configure the Agent bundle, AMQP server, Guacamole server, and Docker server properties. The wizard includes multiple menu groups with different properties. The table below lists each property and highlights the common properties in bold text.

          Write this down for future reference! Write down the Field details in a printed version of the Your Notes section for later use.
        3. Configure the properties for the Agent bundle, AMQP server, Guacamole server, and Docker VMs:

          CCO Properties (Group: Properties and Notes)

          AgentBundle: Use the defaults.
          • If you are using the custom bundle, replace cdn.cliqr.com with the custom bundle store IP or DNS.
          • If you are using the package store, replace repo.cliqrtech.com with the custom package store IP or DNS.

          AMQP_Server:
          • AMQP Server IP: AMQP_IP or AMQP_LB_IP
          • AMQP Port: 5671

          Network (Hostname): Configure the Network details for your CCO environment. This is an optional step to configure the Private IP of the VM. You generally configure this information if the VM does not have a preset IP or hostname, or if you need to override an existing IP or hostname.

          Guacamole:
          • Connection Broker Host: AMQP_IP or AMQP_LB_IP
          • Connection Broker Port1: 7788
          • Connection Broker Port2: 7789

          Docker:
          • Docker Registry URL: Set only if a custom Docker registry is used.
          • Docker CACert URL: Set only if the Docker registry uses SSL with custom CA certificates.

          ELK_Info (Effective CloudCenter 4.7.0):
          • ELK Host: Specify the IP address for the ELK/Monitor host.
          • Elasticsearch Port: Displays 8881 by default.
          • Logstash Port: Displays 4560 by default.
          • Host Identifier: A unique ID for the server; be sure to prefix the unique identifier with CCO_, for example CCO_Openstack_regionOne or CCO_Amazon_east.
          • Host Identifier List: Only applies to environments using the HA mode; provide a list of comma-separated unique host identifiers for all ELK/Monitor hosts in an HA setup, for example CCO1,CCO2,myCCO.

            In an environment operating in HA mode, if you have three CCO instances with unique IDs configured as CCO_1,CCO_2,CCO_3 in their respective server.properties file, then this property should state CCO_1,CCO_2,CCO_3 in each CCO instance. Each CCO must be aware of the unique ID of the other CCO(s) when in HA mode.

        4. Verify your changes and exit the CCO configuration wizard.

        You have successfully configured the CCO! You can now proceed to the next step.

      4.  Monitor - CCM Wizard Properties

        Monitor – Configure Monitor Properties

          1. SSH into the MONITOR instance as the centos user.
          2. Run the following command:

        1. Invoke the wizard.

          Monitor Wizard Path
        2. Configure the basic properties for each MONITOR server. The wizard includes several menu groups with different properties.

          Write this down for future reference! Write down the Field details in a printed version of the Your Notes section for later use.

          Monitor Properties (Group: Properties and Notes)

          CCM_Info:
          • Monitor ID: A unique (alphanumeric) identifier used as the name for the health check instances and volumes created on the cloud provider.
          • CCM Hostname/URL (REQUIRED!): CCM_IP, CCM_SA_IP, or CCM_LB_IP.
          • Monitor User: The User ID configured on the CCM server (to enable health checks for cloud regions).
            • To perform a health check on all activated cloud regions, set this value to 2 (2 is the User ID of CloudCenter's root administrator).
            • To perform a health check on specific cloud regions, create and activate a new user with those specific regions and use that user's User ID as the value for this property. To get the User ID, use the v1 User Management APIs.

          ELK_Login (Elasticsearch, Logstash, Kibana): For the ELK/Monitor host.
          • ELK username = logreader (default)
          • ELK password = re@d0nly (zero between d and n) (see Download Log File > Change Default ELK Password for additional context)

        3. Exit the Monitor wizard.

        You have successfully configured the Monitor! You can now proceed to the next step.