Published On: August 6ᵗʰ, 2019 02:07

Installation and Upgrade Guide for Cisco Secure Access Control System 5.4

Installing ACS in a VMware Virtual Machine

Virtual Machine Requirements

The minimum system requirements for the VMware virtual machine (VM) must be similar to the CSACS-1121 appliance hardware configuration.

Table 10-1 lists the minimum system requirements to install ACS 5.4 on a VMware virtual machine.

Table 10-1 Minimum System Requirements

Requirement Type
Minimum Requirements

CPU

2 CPUs (dual CPU, Xeon, Core2 Duo or 2 single CPUs)

Memory

4 GB RAM

Hard Disk

A minimum of 60 GB is required.

Maximum storage is up to 750 GB.

Note ACS partitions the available disk space automatically during the installation process.

Note It is recommended that you allocate the hard disk size to be greater than 500 GB for the secondary instance, which acts as a log collector.

NIC (Network Interface Card)

1 Gb dedicated NIC interface

Hypervisor
  • VMware ESXi 5.0
  • VMware ESXi 5.1 is supported after ACS 5.4 patch 3

Note If you want to upgrade the ACS installed on virtual machine to ACS 5.4, the virtual machine disk size should be greater than or equal to 500 GB.

The disk space management mechanism in ACS 5.4 manages the system automatically and configures the available file volumes on the file system per file type, such as local store, logs, configuration, cache, and so on. The actual file size limits are calculated at the time of installation, based on the hard coded relative disk quota configuration (percent based), using the disk size as an input. However, ACS database logs have a fixed size. ACS 5.4 gets installed with a variable hard disk size between 60 GB and 750 GB, based on the disk size that was chosen while creating the VMware instance. If you want to change the size of the ACS disk after the installation, complete the following procedure:

  • Back up your data.
  • Reimage the ACS application or install a fresh application.
  • Restore the backed up data.

While restoring the backed up data, a warning message is displayed when the backup size or ACS view database size exceeds the corresponding disk quota. However, the restore operation will not be interrupted. The restore operation is failed only when the hard limit of /opt partition size is reached.

In ACS 5.4, the log collector server can be installed on a 60 GB disk space. An ACS view log collector node usually requires more space to maintain a database of logs and reports. Therefore, the recommended disk size for the secondary instance, which acts as a log collector server, is 500 GB.

When you allocate 60 GB for the log collector server, the view database gets only 5.6 GB as total disk space. As a result of this, some of the functionalities may not work properly. The functionalities that may be affected are backup, full backup, incremental backup, logging recovery, purge, database compress operation, and so on.

While creating the VMware instances, make sure that the resources allocated for VMware instances with respect to CPU cores, RAM, and disk, are not more than the actual physical resources of the VMware host server. For example, if the VMware host server has a total number of CPU cores as 10, then the sum of the allocated CPU cores for all the VMware instances that are created on that server should not exceed 10.

Note In large ACS distributed deployment environments that are hosted on the VM, it is recommended that all VM hosting servers have CPUs from the same vendor.

Note It is recommended that if hyperthreading is enabled on any one of the VMware hosts, it should be enabled on all the VMware hosts that host the ACS VM as part of the same deployment.

Note ACS 5.4 does not get installed over multiple disks (by defining one Logical volume Manager [LVM] disk).

Install VMware Server

Install the VMware server with the default options and proper IP address.

Install VMware Infrastructure Client

The VMware vSphere client is used to access the VMware server from a remote location.

To install the VMware Infrastructure Client:

Step 1 Go to the following link.

http://IP address of VMware server

You should have valid Cisco.com login credentials to access this link.

Step 2 Click Download to download the VMware vSphere client software.

Step 3 Run the installer.

Step 4 Log into the VMware server.

Figure 10-1 displays the login window of the VMware server.

Figure 10-1 Login Window

The vSphere client window is displayed. (Figure 10-2)

Figure 10-2 vSphere Client Window

Step 5 Choose Help > About VMware vSphere to verify the VMware ESX and vSphere client versions.

Figure 10-3 displays the VMware vSphere versions.

Figure 10-3 About VMware vSphere

 

Configuring the VM for ESXi 5.0 and ESXi 5.1

The host uses virtualization software such as ESX server to run the virtual machine. The host provides the CPU and memory resources to the virtual machine to access storage and to connect to the network.

This section describes the VM configuration process using the VMware Infrastructure Client.

To configure the VM for ESXi 5.0 and ESXi 5.1, complete the following steps:

Step 1 Log into the ESX server.

Step 2 In the VMware Infrastructure Client, in the left pane, right-click your host container and choose New Virtual Machine.

The New Virtual Machine Wizard appears.

Step 3 In the Configuration Type dialog box, choose Typical as the VM configuration, as shown in Figure 10-4, and click Next.

Figure 10-4 Virtual Machine Configuration Dialog Box

The Name and Location dialog box appears. (Figure 10-5)

Step 4 Enter the name you will use to reference the VM, and click Next.

Figure 10-5 Name and Location Dialog Box

Tip Tip: Use the hostname you will use for your VM host.

The Data Storage dialog box appears. (Figure 10-6)

Step 5 Choose a data store that has a minimum of 500 GB free space available, and click Next.

Figure 10-6 Data Storage Dialog Box

The Guest Operating System dialog box appears. (Figure 10-7)

Step 6 Click the Linux radio button, and from the Version drop-down list, choose Other Linux (32-bit).

Figure 10-7 Guest Operating System Dialog Box

The Network dialog box appears. (Figure 10-8)

Step 7 Select the number of NICs that you want to use in the network window, and click Next.

Figure 10-8 Network Dialog Box

The Create a Disk dialog box appears. (Figure 10-9)

Step 8 Select the disk size as 500 GB in the virtual disk capacity window, and click Next.

Note You can configure the minimum virtual disk space requirement to be 60 GB. There may be a critical issue if you use 60 GB as virtual disk space. You can view the workaround in the troubleshooting section.

Figure 10-9 Create a Disk Dialog Box

The Ready to Complete dialog box appears. Figure 10-10.

Note Do not choose VMware thin provisioning as a storage type because ACS supports only thick provisioning on all supported VMware servers.

If ACS is installed in a VMware with thin provisioning storage type, you are recommended to:

1. Take a backup of the ACS configuration.

2. Reimage the VMware with the thick provisioning storage type.

3. Restore the backup in the newly converted thick provisioned storage VMware.

Note Do not over-provision hardware resources such as RAM, CPU, and disks for your virtual machines.

Step 9 Verify the configuration details—such as Name, Guest OS, Virtual CPU, Memory, and Virtual Disk Size—of the newly created VM.

Figure 10-10 Ready to Complete Dialog Box

Step 10 Check the Edit the virtual machine settings before completion check box, and click Next.

The Memory Configuration dialog box appears. (Figure 10-11)

Step 11 Enter 4096 MB, and click Next.

Figure 10-11 Memory Configuration Dialog Box

The Number of Virtual Processors dialog box appears. (Figure 10-12)

Step 12 From the Number of virtual processors drop-down list, choose 2 (if 2 is available), or you can choose any number and click Finish.

Figure 10-12 Number of Virtual Processors Dialog Box

Step 13 The virtual machine is installed and will be listed in the VMware drawer, as follows.

Figure 10-13 vSphere Client

 

Preparing the VM for ACS Server Installation

After configuring the VM, you are ready to install the ACS server. To install the ACS server from your ACS Install Disk, you need to configure the VM to boot from the ACS Install Disk.

The VM must be configured with a virtual DVD drive, in order to boot from the ACS 5.4 DVD.

This can be performed using different methods, depending on your environment.

See Configuring the VM Using the DVD Drive to configure the VM using the DVD drive of your VMware ESX server host.

Configuring the VM Using the DVD Drive

This section describes how to configure the VM to boot from the ACS Install Disk using the DVD drive of the VMware ESX server host.

To configure the VM using the DVD drive:

Step 1 In the VMware Infrastructure Client, highlight the newly created VM, and choose Edit Virtual Machine Settings.

The Virtual Machine Properties window appears. Figure 10-14 displays the properties of a VM that was created with the name ACS 5.4.

Figure 10-14 Virtual Machine Properties Dialog Box

Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1.

The CD/DVD Drive 1 properties dialog box appears.

Step 3 Choose the Host Device option, and from the drop-down list, choose your DVD host device.

Step 4 Choose the Connect at Power On option, and click OK to save your settings.

You can now use the DVD drive of the VMware ESX server to install the ACS server.

 

When you complete the configuration, click the Console tab, right-click the VM from the left pane, and choose GUEST > Send Ctrl+Alt+Del to restart the VM.

Installing the ACS Server on ESXi 5.0 and ESXi 5.1

This section describes the installation process for the ACS 5.4 server on VMware ESXi 5.0 and ESXi 5.1.

To install the ACS 5.4 server, complete the following steps:

Step 1 Log into the VMware Infrastructure Client.

Step 2 Insert the ACS 5.4 Install Disk into the VMware ESX host CD/DVD drive, and power on the VM.

Figure 10-15 Power on the Virtual Machine

Step 3 Store the ACS 5.4 recovery ISO image in the VMware vSphere client, to access the VMware Server.

Step 4 Click the CD icon on the tool bar and choose Connect CD/DVD 1 > Connect to ISO image on local disk.

Figure 10-16 Connecting to ISO image on Local Disk

Step 5 Browse and locate the ACS 5.4 ISO image.

Move to the console tab. You will lose your cursor control as soon as you enter the console tab.

Step 6 Press Ctrl + Alt to get cursor control.

Step 7 Press Enter.

The machine restarts with the ACS 5.4 recovery ISO image loaded. Now, the user is prompted with the install option for ACS 5.4.

When the ACS 5.4 Install Disk boots, the console displays:

Welcome to Cisco Secure ACS 5.4 Recovery

To boot from the hard disk press <Enter>

Available boot options:

[1] Cisco Secure ACS 5.4 Installation (Monitor/Keyboard)

[2] Cisco Secure ACS 5.4 Installation (Serial Console)

[3] Reset Administrator Password (Keyboard/Monitor)

[4] Reset Administrator Password (Serial Console)

<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot: 1

You can select either the monitor and keyboard port, or the console port to perform the initial setup.

Step 8 At the system prompt, type 1 to select a monitor and keyboard port, or type 2 to select a console port, and press Enter.

This starts the installation of the ACS server on the VM.

Note Allow 20 minutes for the installation process to complete.

When the installation process finishes, the VM reboots automatically.

When the VM reboots, the console displays:

Type 'setup' to configure your appliance

localhost:

Step 9 At the system prompt, type setup, and press Enter.

The Setup Wizard appears and guides you through the initial configuration.

The console requests for the parameters, as shown below.

localhost login: setup

Enter hostname[]: acs54-server-1

Enter IP address[]: 10.77.243.177

Enter IP default netmask[]: 255.255.255.128

Enter IP default gateway[]: 10.77.243.129

Enter default DNS domain[]: mycompany.com

Enter primary nameserver[]: 10.77.242.86

Add secondary nameserver? Y/N : n

Add primary NTP server [time.nist.gov]: 10.77.242.86

Add secondary NTP server? Y/N : n

Enter system timezone[UTC]:

Enter username [admin]: admin

Enter password:

Enter password again:

Bringing up network interface...

Pinging the gateway...

Pinging the primary nameserver...

Virtual machine detected, configuring VMware tools...

File descriptor 4 (/opt/system/etc/debugd-fifo) leaked on lvm.static invocation

Parent PID 3036: /bin/bash

Do not use `Ctrl-C' from this point on...

debugd[2455]: [2809]: config:network: main.c[252] [setup]: Setup is complete.

Installing applications...

Installing acs...

Generating configuration...

Rebooting...

For more information on the setup process, see Running the Setup Program.

 

VMware Hardening Requirements

Both the VMware server and the operating system on which the VMware virtual machine is running must be hardened according to the guidelines that are specified by the VMware and operating system vendors.

See the VMware support website for more details. Some helpful links are:

  • http://www.vmware.com/support/
  • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1017910
  • http://communities.vmware.com/community/vmtn

VMware Tools Support

ACS 5.4 supports VMware Tools 8.3.2. The benefits of using VMware Tools in ACS 5.4 are:

  • Improved NIC performance
  • Improved Small Computer System Interface (SCSI) I/O performance
  • Synchronization of guest operating system time with the host time

A new line of text appears, which says Virtual machine detected, configuring VMware Tools when you run the initial Setup Wizard. You can also do the following to check if the VMware Tools are installed:

Click the Summary tab of the virtual machine in the vSphere client. You can see that the value “OK” appears for VMware Tools. This confirms that the VMware Tools is installed.

You can use the CLI command show inventory. When you run this CLI, a list appears that shows the NIC driver information. If the VMware Tools is installed, then the driver information is listed as VMware Virtual Ethernet Driver.