This document is for Cisco engineers and customers deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid). The reader should have some familiarity with ISE, Cisco Stealthwatch, and pxGrid.
Cisco Stealthwatch 6.9 no longer requires syslog information to obtain contextual information; pxGrid is used instead. The Cisco Stealthwatch Management Console will register as a pxGrid client and subscribe to the Session Directory topic on the ISE pxGrid node to obtain the contextual information.
ISE 2.2 features an internal Certificate Authority (CA) for deploying pxGrid certificates. These pxGrid client certificates can be generated from ISE in either PEM or PKCS12 format and imported into the Stealthwatch SSL Client store, with the ISE internal CA root certificate imported into the Stealthwatch CA store. Additionally, certificates can be generated from Certificate Signing Requests (CSRs). These scenarios are covered in this document.
This document starts with the preferred method, which uses the ISE 2.2 internal CA to deploy pxGrid with Stealthwatch 6.9 using the PKCS12 certificate format, and then covers an external CA server deployment.
Self-signed certificate deployments and other ISE 2.2 internal CA configurations are covered under the Other Configurations Section.