Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
757
Views
13
Helpful
2
Comments

ISE - What we need to know about Data Connect

Marcelo Morais
VIP
VIP

‎02-19-2025 07:47 AM - edited ‎03-21-2025 01:34 PM

 

The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre Data Connect .

 

MarceloMorais_0-1654436644727.png For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print > Print to PDF or Copy & Paste to any other document format you like.

 

Introduction

Data Connect is a feature that provides Read-Only access to the ISE Database so that you can query Data and create your own Reports - DIY Reports (Do It Yourself).

TCP / 2484 is used to establish Database Connections with ISE through Oracle TCPS (TCP Secure) Protocol.

To establish Database Connection with ISE, use a Programming Language such as:

  • Java
  • Python
  • SQL Client Tools
  • Oracle SQL Developer
  • JDBC Client
  • etc.

 

ISE 3.2+ supports Data Connect.

 

Getting Data Out of ISE.png

 

Data Connect - DIY Reports and Dashboards.png

 

License

Data Connect requires at least an Essential License.

 

Data Connect will be disabled if your LicenseExpires or becomes NonCompliant.

 

Deployment

In a Distributed DeploymentData Connect is enabled by default in Secondary Monitoring (SMnT) because it is less overhead than Primary Monitoring (PMnT).

In case of changes to the Deployment or Persona:

  • If Data Connect is enabled in PMnT and an SMnT is added, then there will be no change.
  • If Data Connect is enabled in SMnT and SMnT is manually removed from the Deployment, then Data Connect will be automatically enabled in PMnT.

  

In case of a Deployment with Dedicated MnT Node and Data Connect enabled, Database Queries and Configuration Data are routed internally to the Primary PAN (PPAN).

 

Data Connect

Tables

To view the available Data Connect TablesDevNet - Data Connect - Database Views.

Data Connect - Tables.png

 

To submit a request to include required Tables that are not available: ISE - Make a Wish.

 

Enabled Data Connect

In  Administration > System > Settings > Data Connect:

Data Connect Settings.png

 

Password12 to 30 characters containing at least:

  • a Capital Letter (A-Z)
  • a Lowercase Letter (a-z)
  • a Number (0-9)
  • a Special Character (#$%&*+,-.:;=?^_~).

You can reset the Password at any time (it should not be the same as the last 5x Passwords).

If you try to connect to the ISE Database using an incorrect Password for more than 5x, for 24 hours you will have an Account Locked (ORA-28000: The account is locked).

In an Account Locked situation, you can:

  • wait 24 hours for the Account Locked to be revoked
  • reset the Data Connect Password

 

Password Expiry: the valid range is 1 to 3,650 days. Default is 90 days.

Username | Port | Service Name: set by default to dataconnect | TCP / 2484 | cpm10 (cannot be changed).

 

Certificate

The configuration of Certificates required to use Data Connect changes based on the ISE Version:

 

ISE 3.2

After Data Connect is enabled, a Self-Signed Certificate (called Data Connect Certificate) is stored in Trusted Certificates for use by Clients, under Administration > System > Certificates > Certificate Management > Trusted Certificates > select Data Connect Certificate and click Export.

Data Connect - ISE 3.2 Trusted Certificates - Export.png

 

The Data Connect Certificate must be regenerated if:

  • the Certificate expires
  • the Certificate has been compromised

 

CSCwk73627

CSCwk73627 Data Connect Certificate is not seen in Trusted Certificates Store after generating it thru CSR

CSCwk73627.png

 

ISE 3.3+

In Administration > System > Certificates > Certificate Management > System Certificates > select the Certificate with Used by: Admin and click Export, to add this Certificate to the Client's Trust Store and thus be able to establish a TCPS Connection:

Data Connect - ISE 3.3 System Certificates - Export.png

 

When selecting the Certificate, you can see in Usage:

Admin: Use Certificate to Authenticate the ISE Admin Portal and DataConnect

Data Connect - ISE 3.3 System Certificates.png

 

Troubleshooting

ISE GUI

To view when the Data Connect feature is enabled / disabled or if a Persona change occurred, in Operations > Reports > Reports > Audit > Change Configuration Audit

Data Connect - Change Configuration Audit.png

 

This Report does not contain information about Logins performed by Third-Party Tools.

 

ISE CLI

Additional Logs can be found in ise-psc.log (example on PPAN) : 

 

ise/admin# show logging application ise-psc.log
 ...
 2025-02-17 07:54:19,571 INFO [admin-http-pool100][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : false
 ...
 2025-02-17 07:54:32,618 INFO [admin-http-pool34][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : true
 ...

 

Support Bundle

Database Connectivity and Queries Executed cannot be tracked from ISE Logs.

To track Top Queries from ISE, you need to generate a Support Bundle in MnT selecting Include Debug Logs:

Data Connect - Support Bundle.png

 

This Support Bundle contains AWR Reports, located at \support\logs\oracle\support_awr_addm_xxxx.txt, where you can check the Top Queries.

 

Scripts

News coming soon !!!

 

References

What's New in ISE 3.2 - Part 2 - Data Connect - YouTube

DevNet - Data Connect

Cisco ISE Administrator Guide, Release 3.2 - Data Connect

Cisco ISE Administrator Guide, Release 3.4 - Data Connect

How to Get Data Out of ISE - YouTube

Thomas Howard - ISE Python Scripts - ISEQL - GitHub

Configure ISE 3.2 Data Connect Integration with Splunk

Cisco Identity Service Engine (ISE) Big Encyclopedic Resources Guide (BERG) - Data Connect

 

Comments
Adonay dos Anjos
Level 1
Level 1
‎04-02-2025 04:54 AM

Interesting... Thanks for sharing, so our applications more efficient

Marcelo Morais
VIP
VIP
‎04-03-2025 05:59 AM

@Adonay dos Anjos ... muito obrigado !!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents