Dell AppDefense on VxRail Installation Manual
Install and Config Guide
Installing and Configuring VMware AppDefense on VxRail
Abstract
This document describes the procedure used for installing VMware AppDefense on a VxRail cluster and for protecting the VxRail Manager virtual machine.
January 2021
Revisions
Revisions
Date |
Description |
|
|
May 2019 |
Initial release |
|
|
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2019-2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [1/6/2021]
2 Installing and Configuring VMware AppDefense on VxRail Manager
Table of contents
Table of contents
Revisions |
............................................................................................................................................................................. |
2 |
|
Table of contents ................................................................................................................................................................ |
3 |
||
1 |
AppDefense Installation ............................................................................................................................................... |
4 |
|
|
1.1 |
Enable Platinum License .................................................................................................................................... |
4 |
|
1.1.1 ................................................................................................................................. |
Install AppDefense Plug - in |
4 |
|
1.1.2 .................................................................................. |
Register the AppDefense Appliance with vCenter Server |
5 |
|
1.1.3 ................................................................................... |
Enable AppDefense Service (SaaS Connectivity Mode) |
6 |
|
1.2 ....................................................................................................................................... |
Install the Host Module |
8 |
|
1.3 ..................................................................................................................................... |
Install the Guest Module |
8 |
|
1.3.1 .................................................................................................................................. |
Linux Guest Prerequisites |
8 |
|
1.3.2 .......................................................................... |
Install Guest Module on Linux System Using Local Download |
9 |
|
1.3.3 ............................................................................................................................................. |
For SLES systems: |
9 |
|
1.4 ................................................................................................................................................ |
After Installation |
12 |
2 |
Using ......................................................................................................................................AppDefense Manager |
15 |
|
|
2.1.1 ............................................................................................................................................... |
Creating a scope |
15 |
|
2.1.2 ............................................................................................ |
Review of state in AppDefense Manager (Cloud) |
16 |
|
2.1.3 .................................................................................................. |
Switching from Discovery to Protection Mode |
18 |
|
2.1.4 ........................................................................................................... |
AppDefense Informational screenshots |
20 |
|
2.2 ............................................................................................ |
VxRail Manager issues when in protection mode |
22 |
|
2.2.1 ........................................................................................................................ |
Adding node: Attestation Alarm |
22 |
|
2.2.2 ...................................................................................................... |
Adding Node – raised AppDefense Events |
23 |
|
2.2.3 ............................................................................................................................................. |
Re - adding a node |
28 |
|
2.2.4 ................................................................................................................................................. |
Post - Add Node |
29 |
|
2.2.5 .................................................................................................................................... |
LCM: Upgrading VxRail |
31 |
3 Installing and Configuring VMware AppDefense on VxRail Manager
1 AppDefense Installation
Installation is straightforward, as described in the VMware guide, Installing AppDefense with AppDefense Plug-In. The main steps are:
1.Enable the Platinum license.
2.Install the AppDefense plug-in.
3.Install the host module on the cluster host.
4.Install the Guest module on the VMs that you want to protect.
1.1Enable Platinum license
1.In vCenter, navigate to: Home > Administration > Licenses.
2.Click: +Add New Licenses.
3.Add license.
4.Set Name: VMware vSphere 6 for Platinum with AppDefense Plugin
5.Navigate to: Licenses > Assets > Hosts.
6.Select all hosts on the VxRail cluster.
7.Click: Assign License and select Platinum from the list. Click OK.
1.1.1Install AppDefense plug-in
Refer to the VMware guide here.
1.Download the AppDefense OVA.
2.Install the AppDefense appliance by installing the OVA template in vCenter, and use the following settings:
•VM Name: AppDefense-Appliance
•Location: <VxRail-Datacenter name>
•Compute Resource: <VxRail cluster name>
•Storage: VxRail vSAN Datastore, policy: VXRAIL-SYSTEM-STORAGE-PROFILE
•Network: Management Network
•Customize template:
i.Initial root, admin pwds
ii.Default GW
iii.Domain name
iv.Domain search path
v.DNS
vi.IP
vii.Netmask
The following figure shows how the Deploy OVF template screen should look:
4 Installing and Configuring VMware AppDefense on VxRail Manager
OVF template
•Click Finish. vCenter imports the OVF and displays the AppDefense appliance VM in the VxRail cluster.
•Log out of vCenter and log back in. Notice the AppDefense icon is now part of the Home menu in vCenter.
1.1.2Register the AppDefense appliance with vCenter Server
1.Browse to the AppDefense appliance at https://<AppDefense-IP>.
2.Go to the Configuration > Registration tab.
3.Leave Connectivity Mode set to Online for the moment.
4.Under the SSO lookup configuration, enter the PSC hostname and provide its credentials.
5.Select the vCenter server from the dropdown list and register it.
The following figure shows how the AppDefense Manager registration screen should look:
5 Installing and Configuring VMware AppDefense on VxRail Manager
AppDefense Manager Registration
1.1.3Enable AppDefense service (SaaS connectivity mode)
You can enable the AppDefense service when you register the AppDefense appliance with vCenter server. Switching the AppDefense appliance connectivity to SaaS enables the AppDefense appliance to communicate with the AppDefense service, enabling the complete solution.
1.1.3.1Prerequisites
•You have installed the AppDefense appliance.
•The AppDefense appliance VM is powered-on.
•You have provisioned the AppDefense appliance as described in the following steps.
1.Log in to AppDefense Manager.
2.Navigate to the settings icon > Appliance > Provision New Appliance page. The New appliance window opens.
3.Create an appliance by entering the appliance name.
The appliance name is an identifier and does not need to match the actual VM name within the vCenter Server, but the best practice is to match the names. For example, AppDefense appliance.
4.Click Provision.
5.The New Appliance Created window displays the URL for the manager in the region, UUID, and appliance API key. Keep this window open until the appliance configuration is done, or make a note of the information which will be used in SaaS configuration.
1.1.3.2Procedure
1.Open a web browser and navigate to the AppDefense appliance GUI at https://<appliance ip address>. The Select a Certificate window opens.
2.Log in to the AppDefense appliance using either the admin credentials or using the certificate.
•If you want to log in to the AppDefense appliance using the admin credentials, click Cancel. Use the admin credentials that you added while installing the AppDefense appliance OVA file.
Important: Do not click OK to accept the certificate.
6 Installing and Configuring VMware AppDefense on VxRail Manager
•If you want to log in to the AppDefense appliance using a self-signed or CA certificate, follow the procedure described in the VMware Log In to AppDefense Appliance with Certificate topic.
The AppDefense dashboard opens as the default home page.
3.Go to the Configuration > Registration tab.
4.In the AppDefense Manager section, click Edit, change connectivity mode to SAAS, and configure the following values (noted during the appliance creation process in section 1.1.3.1):
•AppDefense Manager URL
•Manager UUID
•Manager API key
5.Click Save.
The AppDefense Manager pane in the Registration screen of the AppDefense appliance should now reflect the new SAAS connectivity mode as shown in the following figure:
AppDefense Manager pane
Having registered the required information in the AppDefense appliance, we can now see the AppDefense plug-in showing the AppDefense dashboard in vSphere Client as shown in the following figure:
Vsphere Client – AppDefense dashboard
Notice the connectivity mode is now SAAS and no hosts or virtual machines have the AppDefense module installed yet.
7 Installing and Configuring VMware AppDefense on VxRail Manager
1.2Install the host module
After you have installed and registered the plug-in, you are ready to install the AppDefense host module on your ESXi hosts. As the VMware manual page shows, you can install it on all hosts in a cluster at the same time, or you can install it individually on each host.
The easiest way is to install it on all hosts, with a single click from the Cluster > Configuration, and click
Enable AppDefense For All Hosts.
1.3Install the guest module
The installation of the AppDefense guest module includes the AppDefense package, Guest Introspection package, and the netfilter dependencies. The guest module must be installed on all workload VMs that you want to protect.
LIMITATIONS:
•AppDefense does not work with virtual machines that have Fault Tolerance enabled. This limitation applies to both Linux and Windows guest virtual machines.
•Monitoring vCenter, PSC’s and AppDefense itself is currently not supported.
NOTE: If a resource allocation such as CPU or memory is changed at any time, you must reboot the guest VM.
In the following screenshot, taken from AppDefense Manager, the only VMs in our cluster are the vCSA, PSC, VxRail Manager and AppDefense appliance.
Unassigned VMs
1.3.1Linux guest prerequisites
Ensure that the guest virtual machine (VM) complies with the following prerequisites:
•ESXi 6.5 U1 or later is installed.
The VxRail Manager VM runs on the cluster hosts, which run VMware ESXi 6.7.0.
•A supported version of Linux is installed.
The VxRail Manager VM running SLES 12.2.
•iptables package of 1.4.11 version or later is installed.
Iptables version is: v1.4.21
8 Installing and Configuring VMware AppDefense on VxRail Manager
•Verify glib 2 is installed on the Linux VM.
The following glib packages are already installed:
1.3.2Install guest module on Linux system using local download
VMware manual page here.
This is a common step for any Linux distribution. Download and import the complete VMware package using the given URLs. Use the following commands to unpack the required tar files:
18w-app03-vxm:~ # cd /AppDefense/LinuxGuestModule
18w-app03-vxm:~/AppDefense/LinuxGuestModule # |
ls -l |
||||
total 2676 |
root |
696320 |
Oct 20 19:33 |
AppDefense.tar |
|
-rw-r--r-- 1 root |
|||||
-rw-r--r-- 1 root |
root |
522240 |
Oct 20 19:33 |
guest-introspection-for-vmware-nsx.tar |
|
-rw-r--r-- 1 root |
root 1495040 Oct 20 19:33 |
guest-introspection-os-bundle.tar |
|||
18w-app03-vxm:~/AppDefense/LinuxGuestModule # |
for f in *.tar;do tar -xf $f; done |
||||
18w-app03-vxm:~/AppDefense/LinuxGuestModule # |
ls -l |
||||
total 2676 |
201 |
4096 |
Oct 20 18:44 |
AppDefense |
|
drwxr-xr-x 6 361763 |
|||||
-rw-r--r-- 1 root |
root |
696320 |
Oct 20 19:33 |
AppDefense.tar |
|
drwxr-xr-x 4 361763 |
201 |
4096 |
Oct 20 |
18:44 |
guest-introspection-for-vmware-nsx |
-rw-r--r-- 1 root |
root |
522240 |
Oct 20 |
19:33 |
guest-introspection-for-vmware-nsx.tar |
drwxr-xr-x 6 361763 |
201 |
4096 |
Oct 20 |
18:44 |
guest-introspection-os-bundle |
-rw-r--r-- 1 root |
root 1495040 Oct 20 |
19:33 |
guest-introspection-os-bundle.tar |
||
1.3.3 |
For SLES systems: |
|||||||
|
1. Get the public key and import into rpm: |
|||||||
|
18w-app03-vxm:~ # |
cd |
/root/AppDefense/LinuxGuestModule/AppDefense/key |
|||||
|
18w-app03- |
|
vxm:~/AppDefense/LinuxGuestModule/AppDefense/key # |
rpm |
--import VMWARE-APPDEFENSE- |
|||
|
PACKAGING-GPG-RSA-KEY.pub |
|
|
|
||||
|
2. Add the following repositories: |
|||||||
|
18w-app03-vxm:~/AppDefense # |
zypper ar "file:/root/AppDefense/LinuxGuestModule/AppDefense/latest" AppDefense |
|
|||||
|
Adding repository 'AppDefense' |
|
|
|||||
|
............................................................................................................... |
|||||||
|
................................ |
|
|
|
[done] |
|||
|
Repository 'AppDefense' successfully added |
|||||||
|
URI |
: file:/root/AppDefense/LinuxGuestModule/AppDefense/latest |
||||||
|
Enabled |
: Yes |
||||||
|
GPG Check |
: Yes |
||||||
|
Autorefresh |
: No |
||||||
|
Priority |
: 99 (default priority) |
||||||
Repository priorities are without effect. All enabled repositories share the same priority. 18w-app03-vxm:~/AppDefense # zypper ar "file:/root/AppDefense/LinuxGuestModule/guest-introspection-for-vmware- nsx/latest/sles/x86_64/" guest-introspection-for-vmware-nsx
Adding repository 'guest-introspection-for-vmware-nsx'
...............................................................................................................
........[done]
Repository 'guest-introspection-for-vmware-nsx' successfully added
URI |
: file:/root/AppDefense/LinuxGuestModule/guest-introspection-for-vmware-nsx/latest/sles/x86_64/ |
|
Enabled |
: Yes |
|
GPG Check |
: Yes |
|
Autorefresh |
: No |
(default priority) |
Priority |
: 99 |
|
Repository priorities are without effect. All enabled repositories share the same priority.
9 Installing and Configuring VMware AppDefense on VxRail Manager
3.For SLES 11.4, 12.2, or 12.3: To install a dependent component, run the following command to add the extra repository:
18w-app03-vxm:~/AppDefense # zypper ar "file:/root/AppDefense/LinuxGuestModule/guest-introspection-
os-bundle/sles/12.2/" gios Adding repository 'gios'
...............................................................................................................
...................................... |
|
[done] |
Repository 'gios' successfully added |
||
URI |
: file:/root/AppDefense/LinuxGuestModule/guest-introspection-os-bundle/sles/12.2/ |
|
Enabled |
: Yes |
|
GPG Check |
: Yes |
|
Autorefresh |
: No |
(default priority) |
Priority |
: 99 |
|
Repository priorities are without effect. All enabled repositories share the same priority.
4. Install the AppDefense Guest Module package.
Note: There is a pre-existing SLES repo defined, which points to a remote IP location. This causes a timeout and prevents using the AppDefense repos that have just been added, resulting in a failure to install.
The repository that you must remove is a default SLES repository and can be identified as follows:
To identify the repositories that are currently defined in zipper:
18w-app03-vxm:~/AppDefense # zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.
# | Alias |
| |
Name |
| Enabled |
| GPG Check |
| Refresh |
|
--+------------------------------------ |
+ |
------------------------------------SLES12 - SP2 - 12.2 - 0 |
+--------- |
+----------- |
+-------- |
|
1 |
| SLES12-SP2-12.2-0 |
| |
| Yes |
| (r ) Yes |
| Yes |
|
2 |
| AppDefense |
| |
AppDefense |
| Yes |
| ( p) Yes |
| No |
3 |
| gios |
| |
gios |
| Yes |
| ( p) Yes |
| No |
4 |
| guest-introspection-for-vmware-nsx | |
guest - introspection - for - vmware - nsx | Yes |
| ( p) Yes |
| No |
||
18w-app03-vxm:~/AppDefense # ls -l /etc/zypp/repos.d/
total 16 |
1 |
root root 147 |
Nov 30 |
12:56 SLES12-SP2-12.2-0.repo |
|||
-rw-r--r-- |
|||||||
-rw-r--r-- |
1 |
root root 112 |
Feb |
5 |
09:28 AppDefense.repo |
||
-rw-r-- |
r-- |
1 |
root root |
129 |
Feb |
5 |
09:28 gios.repo |
-rw-r-- |
r-- |
1 |
root root |
173 |
Feb |
5 |
09:28 guest-introspection-for-vmware-nsx.repo |
The pre-existing SLES repository is currently enabled:
18w-app03-vxm:~/AppDefense # more /etc/zypp/repos.d/SLES12-SP2-12.2-0.repo
::::::::::::::
/etc/zypp/repos.d/SLES12-SP2-12.2-0.repo
::::::::::::::
[SLES12-SP2-12.2-0] name=SLES12-SP2-12.2-0 enabled=1 autorefresh=1
baseurl=http://<baseurlIP>/build/.0/repo/iso
path=/
type=yast2
keeppackages=0
With all repos having equal priority and the SLES repo being repo #1, it will use that repo first. For now, disabling that repo should resolve the installation issue. In the SLES repository file, change the value for enabled from 1 to 0:
::::::::::::::
/etc/zypp/repos.d/SLES12-SP2-12.2-0.repo
::::::::::::::
[SLES12-SP2-12.2-0] name=SLES12-SP2-12.2-0
enabled=0 # DISABLED BY CHANGING THIS FROM 1 to 0
10 Installing and Configuring VMware AppDefense on VxRail Manager
Loading...