Moving Cisco CSA Management Center to a New Server with New Name and New IP

The Cisco Security Agent Management Center (CSA MC) provides the central management for CSA. The Agents check in with the CSA MC to make sure they have the latest policy and version of software. For this reason, it is important that the CSA MC be a stable server that is always operational with the same IP address and name. Unfortunately, there may be unavoidable instances where the CSA MC must be moved to a new server with a different IP and name. This guide will go through how to move the CSA MC application and database to a new server and migrate the Agents, running on the end computers, to use the new CSA MC.

The following assumptions are being made

1. The database is MS SQL Server 2005 Express Ediation and is housed on the same server as the CSA MC
2. CSA version 6.0
   
3. Screenshots show the old CSA MC with name "CSA" and the new CSA MC with name "CSA2"
   

Creating the New CSA MC
The first step is to install the exact same version of CSA MC application on the new server. The license does not need to be installed on the new CSA MC because the license will be moved over from the old CSA MC as part of the database move.

The next step is to move the database from the old CSA MC to the new CSA MC. This will allow all the registered agents, groups, rule modules, rules, etc to be moved to the new CSA MC. The detailed steps are listed below.

Note: It is important to note that doing this fully replaces the existing database. This means that any SSL certificate, Agent, policy, group,etc information on the existing database will be removed. We will see how this affects the Agent registration for the new CSA MC later.

First, on the new and old CSA MCs, stop the CSA MC service and the Agent, running on the CSA MC, using the following commands

Open Start->Run... and type "services.msc". Stop the Management Console, MSSQL, and Agent services. The services should look similar to the names below.





On the new CSA MC, rename the c:\Program Files\Cisco\CSAMC\CSAMC60\db directory to a new name, such as db-backup. Next, copy the c:\Program Files\Cisco\CSAMC\CSAMC60\db directory from the old CSA MC to the new CSA MC. At this point you have fork lifted the database from the old CSA MC into the new CSA MC. Reboot the new CSA MC.

Updating Agent Kits
As mentioned earlier, the old CSA MC database has been fork lifted into the new CSA MC and fully replaced the existing database on the new CSA MC. This means that any existing agent kits and any new agent kits generated on the new CSA MC still reference the old CSA MC. To correct this, we need to dig into the database and modify some entries.

Note: The database changes are based on my own research. Use at your own risk

The CSA MC installation did not include the Management console to view the SQL Server 2005 database. Microsoft offers the Microsoft SQL Server Management Studio Express to manage the database. Download this application to the CSA MC and install it. After it has been installed, launch it. Take the default login settings as shown below


Navigate down the database tree to the following section



Within this tree scroll down and look for "dbo.mc_config". Right click on the name and click "Open Table" as shown below




The table shows the entries that get sent as part of the Agent Kit. We will modify the parameters to reflect the new CSA MC instead of the old CSA MC.

This screenshot shows the database before any changes were made. The name CSA references the old CSA MC as does the IP 192.168.137.100




This screenshot shows the database after the changes were made. The name CSA2 references the new CSA MC as does the IP 192.168.137.15.



In addition to the changes listed above, you should probably modify the sslca.crt, sslca.ns, sslca.key, sslhost.crt, sslhost.csr, and sslhost.key files in the database. In my testing, everything seemed to work fine without modifying the values, but for completeness sake, I would recommend modifying both the names and the data to reflect the information on the new CSA MC server. The data can be retrieved from the c:\Program Files\cisco\CSAMC\CSAMC60\cfg directory. Right click on each file and open with notepad. Then copy the entire contents and paste it into the value portion of the database.

After the database has been changed, the agent kits need to be refreshed to incorporate the new values. This can be done by running the following command

C:\Program Files\Cisco\CSAMC\CSAMC60\bin>webmgr makekits_refresh
Generating rule programs...
Regenerating agent kits...
Done.

Once this is complete, the agent kits will have the correct information referencing the new CSA MC.

Fixing the Agent on the New CSA MC
Now, access the web GUI and navigate to Systems > Hosts. You'll notice that the new CSA MC server is not listed. This is because we are using the database from the old server. This is shown below.



The old CSA MC does not need to be listed here, so you can move the server named "CSA.lab.com" to the recycling bin.

The Agent running on the new CSA MC, CSA2.lab.com, is not showing up because we are using the database from the old CSA MC. The new CSA MC was registered in the original database on the new CSA MC. This was the database that we renamed "db-backup". Confirmation of the problem is shown in the agent logs on the new CSA MC

1504: CSA2: Feb 06 2009 21:58:10.773 -0600: %CSA-4-REGISTRATION_FAILED_INVALID_REGID: %[Component=Csamanager][PID=1076]: No deployment host exists on server with registration ID={90A55B27-4F2B-490A-A27E-081D8747E3F5}.

We need to get a new registration that is recognized by the current database on the new CSA MC. In order to do this, the following steps should be followed:

1. Remove the Agent on the new CSA MC
2. Reboot
3. Download and install the "Servers CSA Management Center V6.0.0.201" Agent Kit from the new CSA MC.
   
4. Reboot
5. Verify that the new CSA MC shows up in the CSA MC web GUI in "Systems > Hosts".
   

Following these steps will allow the Agent, running on the new CSA MC, to be properly registered and displayed.

Handling Existing Agents
The registration IDs for the existing Agents have been ported to the new CSA MC with the database move. There are just two steps that need to occur, on the computers with the Agent installed, to complete the migration of the already deployed Agents from the old CSA MC to the new CSA MC

1. Modify the c:\Program Files\Cisco\CSAgent\cfg\agent.bundle file to reference the new CSA MC
2. Replace the c:\Program Files\Cisco\CSAgent\cfg\sslca.crt file to reference the new CSA MC

To complete step 1, you will first need to stop the Agent with the "net stop csagent" command. After that, open the agent.bundle file and make the modifications as shown in the screenshots below. In the screenshots, CSA and 192.168.137.100 reference the old CSA MC and CSA2 and 192.168.137.15 reference the new CSA MC. The original file is shown on the left and the new file is shown on the right














The second step was to replace the sslca.crt file. The CSA MC creates its own root certificate and distributes it in the CSA Agent Kit. The Agents then trust the SSL certificate provided by the CSA MC because it is signed with the root certificate. When the CSA MC is changed, the root certificate also needs to be changed to reference the new CSA MC. The new sslca.crt can be obtained from the new CSA MC in the c:\Program Files\Cisco\CSAMC\CSAMC60\cfg directory. It needs to replace the c:\Program Files\Cisco\CSAgent\cfg\sslca.crt file on each computer with the Agent.

The two steps above can normally be accomplished with a central application used to push out applications. Some examples of these applications would be Microsoft SMS or Altiris.

Once the two step above are completed, you should see the following screen on the Agent status page



References

• Changing the IP and Hostname of a CSA server
• How to migrate the CiscoWorks Management Center for Cisco Security Agents to a new server