Introduction
This document outlines the official procedure for deploying the Cequence Sensor virtual appliance within your VMware ESXi environment. The Sensor is a passive component of the Cequence Unified API Protection (UAP) platform and contributes to safeguarding your critical APIs.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific deployment instructions.
- Enable Traffic Filter on Cequence UAP platform: Make sure all traffic filters are enabled by following the Enable Traffic Filters guide.
- VMware Compatibility: The target environment must be a VMware ESXi 6.7 or later system.
- vCenter Access: You must possess authorized access to the VMware vCenter Management Console.
- OVA Management Capabilities: The ability to upload and launch OVA templates through vCenter is required.
- Hardware Resources: Allocate sufficient resources for optimal performance: 2 vCPUs (x86_64 architecture), 4 GB RAM, and 8 GB SSD or better storage.
Deployment Procedure
Acquire Sensor OVA
Access the Cequence portal and download the latest available version of the Sensor OVA (Download Sensor OVA).
Launch Sensor Instance
- Utilize your authorized credentials to log in to the vSphere HTML5 Client.
- Navigate to the target host or cluster for deployment within the vSphere interface.
- Select the "Actions" menu and choose "Deploy OVF Template" to initiate the wizard.
- Browse and locate the downloaded Sensor OVA file.
- Carefully review and confirm all displayed OVF template details for accuracy.
- Assign a descriptive name and deployment location for the virtual machine.
- Choose the appropriate deployment configuration based on your specific environment's needs.
- Review and finalize any necessary configuration adjustments before proceeding.
- Click "Finish" to begin the deployment process.
Monitor and Power On
- Utilize the vSphere HTML5 Client to track the deployment progress in real-time.
- Once complete, power on the newly deployed virtual machine.
Generate Traffic Client and Secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization and <domain> with your domain name.
- Select General Settings > User Management.
The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
The new client dialog box appears.
- Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use. For security reasons, this value is not shown again in the UI.
Sensor Setup
SSH to the Sensor Virtual Machine
username: cq-user
password: apiprotection
- Collect and note down the following values and set them as shell variables for the steps that follow:
- cqai.yourdomain.com: the subdomain used in DNS for the Cequence UAP platform
- client-id: the "Client Name" created in the previous step
- client-secret: the "Client Secret" created in the previous step
- interface-id: the network interface on the Sensor VM that receives traffic passively (e.g. eth0)
UAP_SUBDOMAIN=<cqai.yourdomain.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
INTERFACE_ID=<network-interface>
- Test connectivity with the Cequence UAP platform. A successful run of the following curl command returns an HTTP 200 OK response:
curl -k -v -o /dev/null \
--location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode "grant_type=client_credentials"
- Run the setup command with the same parameters:
/opt/cequence/bin/setup.sh \
${UAP_SUBDOMAIN} \
${CLIENT_ID} \
${CLIENT_SECRET} \
${INTERFACE_ID}
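The connectivity test and setup command above, combined into one pre-flight script. This is an added example and not part of the Cequence documentation or product: it uses the same four variables, assumes an optional CQ_CA_BUNDLE path (not from the page) so that curl verifies the UAP certificate instead of disabling verification with -k, and refuses to call setup.sh unless the token request returns HTTP 200 with an access_token.

```shell
#!/bin/sh
# Added example, not a Cequence script: a pre-flight wrapper for the Sensor setup step.
# It uses the four variables from the page; CQ_CA_BUNDLE is an assumed optional path to the
# CA bundle that issued the UAP certificate, so curl verifies TLS instead of skipping it (-k).
set -eu
# Token endpoint of the UAP platform, built from the subdomain noted earlier.
token_url() {
  printf 'https://auth.%s/auth/realms/cequence/protocol/openid-connect/token' "$1"
}

# Fail when a value is empty or still a <placeholder> copied from the docs.
check_var() {  # usage: check_var NAME VALUE
  case "$2" in
    ''|'<'*'>') echo "error: $1 is unset or still a placeholder" >&2; return 1 ;;
  esac
}

# Judge the token response: $1 = HTTP status, $2 = body. Succeeds only on 200 with an
# access_token field; any other outcome prints the reason and returns 1.
check_token_response() {
  if [ "$1" != "200" ]; then
    echo "token request failed with HTTP $1 (check client id/secret and DNS)" >&2
    return 1
  fi
  case "$2" in
    *'"access_token"'*) return 0 ;;
    *) echo "HTTP 200 but no access_token in the body" >&2; return 1 ;;
  esac
}

main() {
  check_var UAP_SUBDOMAIN "${UAP_SUBDOMAIN:-}"
  check_var CLIENT_ID "${CLIENT_ID:-}"
  check_var CLIENT_SECRET "${CLIENT_SECRET:-}"
  check_var INTERFACE_ID "${INTERFACE_ID:-}"
  [ -d "/sys/class/net/$INTERFACE_ID" ] || { echo "no such interface: $INTERFACE_ID" >&2; exit 1; }
  body=$(mktemp); trap 'rm -f "$body"' EXIT
  # --cacert is passed only when a bundle is configured; body to a file, status code to stdout.
  status=$(curl -sS ${CQ_CA_BUNDLE:+--cacert "$CQ_CA_BUNDLE"} -o "$body" -w '%{http_code}' \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "grant_type=client_credentials" \
    "$(token_url "$UAP_SUBDOMAIN")")
  check_token_response "$status" "$(cat "$body")"
  rm -f "$body"
  exec /opt/cequence/bin/setup.sh "$UAP_SUBDOMAIN" "$CLIENT_ID" "$CLIENT_SECRET" "$INTERFACE_ID"
}
# Run the checks only when invoked as "sh preflight.sh run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```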
Note: For advanced configuration options and detailed troubleshooting procedures, refer to the in-product Cequence documentation.