Cisco Defense Orchestrator's (CDO) Secure Device Connector (SDC) supports the use of a proxy for the SDC to CDO outbound connection.
Requirements:
- This is only for the SDC container and not for the host Linux Operating System.
- The proxy cannot do TLS Intercept (man-in-the-middle decryption).
Engineering tells me that we have customers using TLS intercept proxy by placing the cert chain into the data directory with filename “tls-ca-chain.pem” and restarting the SDC.
- You should have a basic knowledge of Linux CLI before attempting this.
- Note that this impacts the Docker container ONLY and does not proxy the host Linux OS. Your Linux host OS will need to be proxied in the same way that your organization proxies other Linux servers in your environment.
- It is recommended to back up your config.json file before editing it.
Details:
To enable this, ssh to the SDC, change to the sdc user (sudo su sdc), then edit the following JSON file:
/usr/local/cdo/data/<your_sdc_name>/data/config.json
Add the following JSON key/value pair to the file, paying close attention that you are following JSON formatting and syntax:
"awsProxy":"https://proxy:port"
Where proxy is the IP or FQDN of your proxy server and port is the port on which your proxy server listens.
For example, config.json file looks like this before editing:
{"tags":{},"tagKeys":[],"tagValues":[],"uid":"11111111-1111-1111-1111-1111111111111","name":"CDO_my_tenant-SDC-1","namespace":"targets","type":"proxies","version":1,"createdDate":1646762984579,
...
,"latestAegisSignatureKey":{"empty":false,"present":true},"latestAegisEncryptionKey":{"empty":false,"present":true},"snsSqs":true}
And post edit:
{"tags":{},"tagKeys":[],"tagValues":[],"uid":"11111111-1111-1111-1111-1111111111111","name":"CDO_my_tenant-SDC-1","namespace":"targets","type":"proxies","version":1,"createdDate":1646762984579,
...
,"latestAegisSignatureKey":{"empty":false,"present":true},"latestAegisEncryptionKey":{"empty":false,"present":true},"snsSqs":true,"awsProxy":"https://192.168.30.211:8443"}
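The edit above is a single key added to a compact one-line JSON object, so a stray comma or quote will leave the SDC container unable to read its config after the restart. The following script, which is an added example and not part of the original post or of the SDC product, makes the same change programmatically: it takes the backup recommended above, parses the file so malformed JSON is rejected before anything is written, checks that the proxy value has the "scheme://host:port" shape the post describes, and writes the object back in the same compact form. The config path keeps the post's <your_sdc_name> placeholder and the sample config is constructed from the fields shown above.

```python
import json
import shutil
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Path from the post; <your_sdc_name> is a placeholder you must replace.
CONFIG_PATH = Path("/usr/local/cdo/data/<your_sdc_name>/data/config.json")

# Constructed sample in the same compact form as the real config.json.
SAMPLE_CONFIG = ('{"tags":{},"uid":"11111111-1111-1111-1111-1111111111111",'
                 '"name":"CDO_my_tenant-SDC-1","snsSqs":true}')


def validate_proxy_url(proxy_url: str) -> str:
    """Accept only scheme://host:port with an explicit port, matching the post's form."""
    parts = urlsplit(proxy_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:  # .port raises ValueError if non-numeric
        raise ValueError("proxy URL must be scheme://host:port with an explicit port")
    if parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError("proxy URL must not carry a path, query, fragment or credentials")
    return proxy_url


def set_aws_proxy(config_text: str, proxy_url: str) -> str:
    """Return config_text with "awsProxy" set; json.loads rejects malformed input first."""
    config = json.loads(config_text)
    if not isinstance(config, dict):
        raise ValueError("config.json must contain a JSON object")
    config["awsProxy"] = validate_proxy_url(proxy_url)
    # Compact separators reproduce the one-line layout the SDC writes itself.
    return json.dumps(config, separators=(",", ":"))


def apply_to_file(path: Path, proxy_url: str) -> Path:
    """Copy path to path + '.bak', then rewrite path with awsProxy set; returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_aws_proxy(path.read_text(), proxy_url))
    return backup


if __name__ == "__main__":
    # Usage: python3 set_aws_proxy.py https://192.168.30.211:8443
    print(f"backup written to {apply_to_file(CONFIG_PATH, sys.argv[1])}")
```

Run it as the sdc user, then restart the container as described below; the .bak file is what you restore if the container fails to come up.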
Then restart the SDC container or reboot the VM.
If you choose to restart the container, first find the SDC container ID:
[sdc@localhost cdo]$ docker ps | grep sdc
8b7efb70d28e projectlockhart-docker-hub-mirror.jfrog.io/ciscodefenseorchestrator/sdc_prod:latest "/usr/local/bin/entr…" 7 months ago Up About an hour CDO_my_tenant
Restart the container:
[sdc@localhost cdo]$ docker restart 8b7efb70d28e
Verify the container is up and running:
[sdc@localhost cdo]$ docker ps | grep sdc
8b7efb70d28e projectlockhart-docker-hub-mirror.jfrog.io/ciscodefenseorchestrator/sdc_prod:latest "/usr/local/bin/entr…" 7 months ago Up 3 seconds CDO_my_tenant