[HOWTO] - Using CDO Secure Device Connector with a Proxy

AHack210
Cisco Employee

Cisco Defense Orchestrator's (CDO) Secure Device Connector (SDC) supports the use of a proxy for the SDC-to-CDO outbound connection.

Requirements:
- This applies only to the SDC container, not to the host Linux operating system.
- The proxy cannot do TLS intercept (man-in-the-middle decryption).
  Engineering tells me that we have customers using a TLS intercept proxy by placing the cert chain into the data directory with the filename "tls-ca-chain.pem" and restarting the SDC.
- You should have a basic knowledge of the Linux CLI before attempting this.
- Note that this affects the Docker container ONLY and does not proxy the host Linux OS. Your Linux host OS will need to be proxied in the same way that your organization proxies other Linux servers in your environment.
- It is recommended to back up your config.json file before editing it.

Details:
To enable this, SSH to the SDC, switch to the sdc user (sudo su sdc), then edit the following JSON file:

/usr/local/cdo/data/<your_sdc_name>/data/config.json


Add the following JSON key/value pair to the file, paying close attention to JSON formatting and syntax (the new key goes inside the top-level object, before its closing brace):

"awsProxy":"https://proxy:port"

Where proxy is the IP address or FQDN of your proxy server and port is the port on which your proxy server listens.

For example, the config.json file looks like this before editing:

{"tags":{},"tagKeys":[],"tagValues":[],"uid":"11111111-1111-1111-1111-1111111111111","name":"CDO_my_tenant-SDC-1","namespace":"targets","type":"proxies","version":1,"createdDate":1646762984579,
...
,"latestAegisSignatureKey":{"empty":false,"present":true},"latestAegisEncryptionKey":{"empty":false,"present":true},"snsSqs":true}

And after the edit:

{"tags":{},"tagKeys":[],"tagValues":[],"uid":"11111111-1111-1111-1111-1111111111111","name":"CDO_my_tenant-SDC-1","namespace":"targets","type":"proxies","version":1,"createdDate":1646762984579,
...
,"latestAegisSignatureKey":{"empty":false,"present":true},"latestAegisEncryptionKey":{"empty":false,"present":true},"snsSqs":true,"awsProxy":"https://192.168.30.211:8443"}
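As an added example (not part of the original post or of the SDC product), the following Python script performs the edit above while honouring the two cautions in the requirements: it copies config.json to config.json.bak first, accepts only a proxy value of the scheme://host:port shape used in the post's example, and re-serialises the object so the file is guaranteed to remain well-formed JSON. The config path passed in, the shortened sample object in demo() and the helper names are assumptions.

```python
import json
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

def validate_proxy_url(proxy_url: str) -> str:
    """Accept only scheme://host:port, the shape of the post's example value."""
    parts = urlsplit(proxy_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URL has no host")
    if parts.port is None:  # .port itself raises ValueError on a non-numeric port
        raise ValueError("proxy URL has no port")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("proxy URL must be scheme://host:port only")
    return proxy_url

def proxy_url_is_valid(proxy_url: str) -> bool:
    try:
        validate_proxy_url(proxy_url)
        return True
    except ValueError:
        return False

def set_aws_proxy(config_path: str, proxy_url: str) -> dict:
    """Back up config.json, set awsProxy on the top-level object, write it back.
    Re-serialising with the json module keeps the file well-formed JSON."""
    path = Path(config_path)
    validate_proxy_url(proxy_url)
    config = json.loads(path.read_text(encoding="utf-8"))
    if not isinstance(config, dict):
        raise ValueError("config.json top level is not a JSON object")
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first, as the post advises
    config["awsProxy"] = proxy_url
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(config, separators=(",", ":")), encoding="utf-8")
    tmp.replace(path)  # atomic rename: a crash never leaves a half-written config.json
    return config

def demo() -> dict:
    """Run against a constructed, shortened copy of the post's sample config (assumed values)."""
    sample = '{"name":"CDO_my_tenant-SDC-1","namespace":"targets","snsSqs":true}'
    cfg_path = Path(tempfile.mkdtemp()) / "config.json"
    cfg_path.write_text(sample, encoding="utf-8")
    result = set_aws_proxy(str(cfg_path), "https://192.168.30.211:8443")
    return {"config": result, "backup_exists": cfg_path.with_name("config.json.bak").exists(),
            "on_disk": json.loads(cfg_path.read_text(encoding="utf-8"))}
```

Run it as the sdc user against the real path from the step above; the .bak copy is what you restore if the container fails to come up after the restart.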

Then restart the SDC container or reboot the VM.

If you choose to restart the container, first find the SDC container ID:

[sdc@localhost cdo]$ docker ps | grep sdc
8b7efb70d28e   projectlockhart-docker-hub-mirror.jfrog.io/ciscodefenseorchestrator/sdc_prod:latest   "/usr/local/bin/entr…"   7 months ago    Up About an hour             CDO_my_tenant

Restart the container:

[sdc@localhost cdo]$ docker restart 8b7efb70d28e

Verify the container is up and running:

[sdc@localhost cdo]$ docker ps | grep sdc
8b7efb70d28e   projectlockhart-docker-hub-mirror.jfrog.io/ciscodefenseorchestrator/sdc_prod:latest   "/usr/local/bin/entr…"   7 months ago    Up 3 seconds                 CDO_my_tenant
