Administrator Guide for Cisco Trust Agent, Release 2.1, With Bundled Supplicant
Installing the Cisco Trust Agent on Linux Operating Systems



This chapter provides system requirement and installation information for installing Cisco Trust Agent (CTA) on Red Hat Linux operating systems. Read this entire chapter before beginning the installation. There are advanced installation options detailed later in this chapter that you may want to use. For example, before deploying CTA on your network, you can create a custom installation package which allows you to set CTA configuration parameters and provision certificates and plug-ins. Proceeding in this manner could save you configuration time during the CTA deployment process.

See these other chapters for installation instructions for different operating systems:

Chapter 3, "Installing the Cisco Trust Agent on Macintosh Operating Systems"

Chapter 4, "Installing the Cisco Trust Agent on Windows Operating Systems"

This chapter contains the following sections:

Verifying System Requirements on Linux

Installation Files

Initial Deployments

CTA Scripting Interface Feature

Installing Cisco Trust Agent

General Installation Instructions

Extracting the Installation File and Accepting the EULA

Installing CTA from the Command Line

Creating a Custom CTA Installation Package

Upgrading to Cisco Trust Agent, Release 2.1

Verifying Cisco Trust Agent Installation on Linux

Verifying CTA is Running

Verifying CTA Package Information

Uninstalling Cisco Trust Agent on Linux

Verifying System Requirements on Linux

Before installing Cisco Trust Agent on a Linux operating system, verify that the target system meets the following requirements:

System Component
    Requirement

System
    Pentium class processor or better
    Network connection

Operating System and Language Support
    All available internationalized versions of these Linux operating systems support CTA 2.1:
        Red Hat Linux v9
        Red Hat Enterprise Linux v3 (Enterprise, Advanced Server, and Workstation)
        Red Hat Enterprise Linux v4 (Enterprise, Advanced Server, and Workstation)
    Note Support for a localized operating system is different from a localized version of CTA. The CTA interface and messages are presented in English.

Linux Installers
    Red Hat Package Management (RPM) v4.2 or greater.

Hard Disk Space
    20 MB

Memory
    256 MB Red Hat Enterprise Linux v3 (Enterprise, Advanced, Workstation)
    256 MB Red Hat Enterprise Linux v4 (Enterprise, Advanced, Workstation)

Listening Port
    By default, Cisco Trust Agent listens on UDP port 21862.
    You can change this port number. See the "The ctad.ini Configuration File" section on page 5-2 for more information.


Installation Files

The installation files for CTA for Linux are contained in the ctaadminex-linux-2.1.103-0.tar.gz file. That file may be downloaded from Cisco.com. Follow the procedures in "Installing Cisco Trust Agent" to use the file.

Initial Deployments

For large enterprise Linux deployments, administrators may want to deploy CTA with a customized package. This way all required certificates and plug-ins are administratively configured with no end-user interaction or interference. The customized packages can be delivered to many users at once using an automated software deployment mechanism.

CTA Scripting Interface Feature

The Scripting Interface feature allows software developers to write their own scripts to relay posture information, collected on the system, to CTA. The scripts would perform the equivalent function of a posture plugin. Users will not need this feature unless they intend to write posture scripts.

The Scripting Interface is installed by default on Linux installations.

Installing Cisco Trust Agent

To install Cisco Trust Agent, log in as the administrative user on the computer.

General Installation Instructions


Step 1 Download the ctaadminex-linux-2.1.103-0.tar.gz file from Cisco.com. For the sake of this example, we will store the ctaadminex-linux-2.1.103-0.tar.gz file in /tmp.

Step 2 Follow the procedure in the "Extracting the Installation File and Accepting the EULA" section.

Step 3 Install CTA using either of these methods:

Installing CTA from the Command Line

Creating a Custom CTA Installation Package

Extracting the Installation File and Accepting the EULA

After downloading the ctaadminex-linux-2.1.103-0.tar.gz file from Cisco.com, use this procedure to extract the CTA installation files and accept the end-user license agreement (EULA).


Step 1 Open a terminal window.

Step 2 Change the directory to the one that contains the ctaadminex-linux-2.1.103-0.tar.gz file. In our example, this directory is /tmp.

Step 3 At the prompt, type the following command and press <Enter>.

tar -zxvf ctaadminex-linux-2.1.103-0.tar.gz

The ctaadminex-linux-2.1.103-0.sh file is extracted and placed in the same directory as the ctaadminex-linux-2.1.103-0.tar.gz file.

Step 4 At the prompt, type ./ctaadminex-linux-2.1.103-0.sh and press <Enter>.

Step 5 When prompted, accept the EULA by typing "y" and pressing <Enter>. The CTA-2.1.103-0 subdirectory is created and the cta-linux-2.1.103-0.i386.rpm is unpacked and placed in that directory. In our example, this new directory would be /tmp/CTA-2.1.103-0.

Installing CTA from the Command Line


Step 1 Follow the procedure in the "Extracting the Installation File and Accepting the EULA" section.

Step 2 Open a terminal window on the client.

Step 3 Change the directory to the directory that contains the cta-linux-2.1.103-0.i386.rpm file. In our example, the directory is /tmp/CTA-2.1.103-0.

Step 4 At the prompt, type rpm -ivh cta-linux-2.1.103-0.i386.rpm and press <Enter>. You receive these messages indicating that CTA was installed.

Preparing... ################ 100%

1:cta-linux  ################ 100%

Step 5 Verify the CTA installation using the procedures in the "Verifying Cisco Trust Agent Installation on Linux" section.

Step 6 If a CA certificate or a matching root certificate from the Cisco Secure ACS server has not been installed on the network client on which you just installed CTA, you must install one of these certificates. This enables CTA to establish a secure form of communication with the Cisco Secure ACS server. Refer to "Installing or Updating a Certificate on Linux Operating Systems," page 8-4, for information.

Creating a Custom CTA Installation Package

Use this section as an example of how to create a customized CTA installation on Linux systems.

The CTA installation file is a Red Hat Package Manager (RPM) file and is installed with standard RPM commands. To create a custom installation package, you create a directory structure that includes the CTA installation file, .ini files, a plugin subdirectory, and a certificate subdirectory. This directory structure can then be distributed by a software deployment mechanism, such as a script or a software deployment tool.

After the software deployment mechanism distributes the directory structure to the remote network clients, it runs the CTA installation file. The CTA installation file copies the contents of the directory structure to the proper locations on the remote network client. The software deployment mechanism does not need to recompile the CTA installation file to create a custom installation.

The customization choices in this procedure are optional. However, you will find that including some of these customizations is worthwhile. CTA is not a centrally managed product. If you do not plan to use the product defaults, it is to your benefit to pre-configure all available product settings before deploying CTA.

Please read this entire procedure before beginning. There are options detailed later in the instructions that you should be aware of before beginning.


Step 1 Before you create the custom installation package, install CTA on the client you will use to create the custom package. This will install the template ctad.ini file and give you exposure to the CTA installation process. Begin with the "General Installation Instructions" section to install CTA.

Step 2 Perform the procedure in the "Extracting the Installation File and Accepting the EULA" section.

Step 3 Change the directory to the one that contains the cta-linux-2.1.103-0.i386.rpm file. In our example, this is the /tmp/CTA-2.1.103-0 directory.

Step 4 Create a certs subdirectory. For example: /tmp/CTA-2.1.103-0/certs

Copy the root certificate for your Cisco Secure ACS server to this directory. During installation, any certificates in this directory are added to the system's root certificate store.

If your Cisco Secure ACS server uses self-signed certificates, see the Cisco Secure ACS documentation for information about obtaining the certificate; if you use a CA server, refer to your CA server documentation.


Note This step is optional if a CA certificate or ACS root certificate has already been distributed to the network clients receiving this customized CTA installation. If these certificates have not been distributed, this step is required.


Step 5 Create a plugins subdirectory. For example: /tmp/CTA-2.1.103-0/plugins

Copy any third party plugins that you want to provision at installation time into this directory.

Step 6 Create a new ctad.ini file and store it in the installation directory at the same level as the cta-linux-2.1.103-0.i386.rpm file. In our example, this is the /tmp/CTA-2.1.103-0 directory.

The ctad.ini file is used to configure CTA communication settings, user notifications, and certificate validation rules. If you want to change the default communication settings, such as the port number CTA listens over, the maximum number of sessions, and session time-out values, include this file. Refer to Chapter 5, "Configuring Cisco Trust Agent" for instructions on how you should create and format this file.

Step 7 Create a new ctalogd.ini file and store it in the installation directory at the same level as the cta-linux-2.1.103-0.i386.rpm file. In our example, this is the /tmp/CTA-2.1.103-0 directory. Refer to Chapter 6, "Cisco Trust Agent Event Logging" for instructions on how you should create and format this file.

Step 8 A software deployment mechanism deploys the customized /tmp/CTA-2.1.103-0 directory to the appropriate network clients and saves it in a local directory.

Step 9 The software deployment mechanism installs CTA and its customizations by following the procedure in the "Installing CTA from the Command Line" section.
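A pre-deployment check for the package directory built in Steps 3 through 7, added here as an example and not part of the Cisco guide. Because every certificate in certs is added to the system's root certificate store and every file in plugins is provisioned at installation time, it verifies the directory layout, compares each certificate's SHA-256 digest against an approved list, and rejects symbolic links and group- or world-writable paths. The function name check_cta_package, the allowlist file (one hex digest per line), and the use of sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deployment check of a custom CTA package directory.
# check_cta_package and the allowlist file are assumptions of this example,
# not part of CTA. Requires sha256sum (GNU coreutils).
check_cta_package() {
    dir=$1; allow=$2; rc=0

    # Exactly one CTA rpm must sit at the top level of the package.
    set -- "$dir"/cta-linux-*.rpm
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "FAIL: expected exactly one cta-linux rpm in $dir"; rc=1
    fi

    # Only the entries named in the procedure may appear at the top level.
    for entry in "$dir"/*; do
        case ${entry##*/} in
            cta-linux-*.rpm|ctad.ini|ctalogd.ini|certs|plugins) ;;
            *) echo "FAIL: unexpected entry ${entry##*/}"; rc=1 ;;
        esac
    done

    # Every file in certs/ is added to the system root store at install
    # time, so each one must match an approved SHA-256 digest.
    for cert in "$dir"/certs/*; do
        [ -f "$cert" ] || continue
        sum=$(sha256sum "$cert" | cut -d' ' -f1)
        if ! grep -Fqx "$sum" "$allow"; then
            echo "FAIL: unapproved certificate ${cert##*/} ($sum)"; rc=1
        fi
    done

    # Reject symbolic links (they can point outside the package) and any
    # path that group or others can write to before deployment.
    loose=$(find "$dir" \( -type l -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "FAIL: symlink or group/world-writable path:"; echo "$loose"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the expected layout"
    return "$rc"
}

# Script use: sh check_cta_package.sh /tmp/CTA-2.1.103-0 approved-certs.sha256
if [ $# -eq 2 ]; then check_cta_package "$1" "$2"; fi
```

A missing or unreadable allowlist makes every certificate fail the check, so the script fails closed.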

Upgrading to Cisco Trust Agent, Release 2.1

Use this procedure to upgrade your CTA installation:


Step 1 Download the ctaadminex-linux-2.1.103-0.tar.gz file from Cisco.com. For the sake of this example, we will store the ctaadminex-linux-2.1.103-0.tar.gz file in /tmp.

Step 2 Follow the procedure in the "Extracting the Installation File and Accepting the EULA" section.

Step 3 Install CTA using either of these methods:

Installing CTA from the Command Line. However, when you are ready to install the upgrade, change the installation command to the upgrade command. This is an example:

rpm -Uvh cta-linux-2.1.103-0.i386.rpm

Creating a Custom CTA Installation Package

Verifying Cisco Trust Agent Installation on Linux

After Cisco Trust Agent has been installed you will find the following directory structures containing CTA's executable files:

/opt/CiscoTrustAgent

/opt/PostureAgent

You may also verify which version of CTA is installed by following this procedure:


Step 1 Open a terminal window on the system.

Step 2 Type rpm -q cta-linux and press <Enter>.

The version of CTA is returned. In the case of CTA 2.1.103.0, this information will be returned: cta-linux-2.1.103-0.

Verifying CTA is Running


Step 1 Open a terminal window on the system.

Step 2 Type rpm -q cta-linux and press <Enter>.

Step 3 Type ps -A | grep cta and press <Enter>.

Step 4 Verify that the following daemons are running:

ctad

ctalogd

ctapsd

ctaeoud

If these daemons are not running, try rebooting the system. If the daemons still do not run, try reinstalling the application.
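A scriptable form of the check above for use by a software deployment mechanism, added here as an example and not part of the Cisco guide. The command ps -A | grep cta also matches any unrelated process whose name contains "cta", so this version matches the four daemon names exactly and returns an exit status. The function names cta_missing_daemons and cta_health are assumptions of this example.

```shell
#!/bin/sh
# Added example; cta_missing_daemons and cta_health are hypothetical names.

# Reads process names, one per line (as printed by `ps -A -o comm=`), on
# stdin and prints each expected CTA daemon that is absent from the list.
cta_missing_daemons() {
    names=$(cat)
    for d in ctad ctalogd ctapsd ctaeoud; do
        # -x matches the whole line, so names such as "octad" or
        # "ctaeoud-old" are not mistaken for a running daemon.
        printf '%s\n' "$names" | grep -Fqx "$d" || printf '%s\n' "$d"
    done
}

# Returns 0 when the package is installed and all four daemons are running,
# 1 when a daemon is missing, 2 when the cta-linux package is not installed.
cta_health() {
    if ! rpm -q cta-linux >/dev/null 2>&1; then
        echo "cta-linux package is not installed"; return 2
    fi
    missing=$(ps -A -o comm= | cta_missing_daemons)
    if [ -n "$missing" ]; then
        echo "CTA daemons not running:" $missing; return 1
    fi
    echo "CTA installed and all daemons running"
}
```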

Verifying CTA Package Information


Step 1 Open a terminal window on the system.

Step 2 At any prompt, type rpm -q cta-linux and press <Enter>.

The full package name is returned, for example, cta-linux-2.1.103-0.

Uninstalling Cisco Trust Agent on Linux

To uninstall Cisco Trust Agent, follow this procedure:


Step 1 Log in to the client as the root user.

Step 2 Open a terminal window.

Step 3 At the prompt, run the following command and press <Enter>.

rpm -e cta-linux

Cisco Trust Agent is uninstalled. You do not need to reboot the system.


Note Certificates and plugin files are not deleted when CTA is uninstalled; they remain on the client.