Introduction
This document outlines the official procedure for deploying the Cequence Sensor virtual appliance within your VMware ESXi environment. Sensor serves as a passive component within the comprehensive Cequence Unified API Protection (UAP) platform, safeguarding your critical APIs.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific deployment instructions.
- Enable Traffic Filters on Cequence UAP platform: Make sure all traffic filters are enabled by following the "Enable Traffic Filters" guide.
- VMware Compatibility: The target environment must be a VMware ESXi 6.7 or later system.
- vCenter Access: You must possess authorized access to the VMware vCenter Management Console.
- OVA Management Capabilities: The ability to upload and launch OVA templates through vCenter is required.
- Hardware Resources: Allocate sufficient resources for optimal performance: 2 vCPUs (x86_64 architecture), 4 GB RAM, and 8 GB SSD or better storage.
Deployment Procedure
Acquire Sensor OVA:
Access the Cequence portal and download the latest available version of the Sensor OVA using the "Download Sensor OVA" link.
Launch Sensor Instance:
- Utilize your authorized credentials to log in to the vSphere HTML5 Client.
- Navigate to the target host or cluster for deployment within the vSphere interface.
- Select the "Actions" menu and choose "Deploy OVF Template" to initiate the wizard.
- Browse and locate the downloaded Sensor OVA file.
- Carefully review and confirm all displayed OVF template details for accuracy.
- Assign a descriptive name and deployment location for the virtual machine.
- Choose the appropriate deployment configuration based on your specific environment's needs.
- Review and finalize any necessary configuration adjustments before proceeding.
- Click "Finish" to begin the deployment process.
Monitor and Power On
- Utilize the vSphere HTML5 Client to track the deployment progress in real-time.
- Once complete, power on the newly deployed virtual machine.
Sensor Setup
Generate Traffic Client and Secret
- Log in to the Cequence UAP web UI.
- Navigate to User Management, click on "Clients" and then click on "Add New Client".
- Provide a "Client Name", for example defender-client-0, and select "Traffic Ingestion". Click "Save".
- Click on the secret icon.
- A dialog box showing the Client Secret appears.
- Henceforth, we will interchangeably refer to "Client Name" as "client-id" and "Client Secret" as "client-secret".
SSH to the Sensor Virtual Machine
username: cq-user
password: apiprotection
Sensor Config Setup
- Collect and note down the following values, then set them as environment variables for future reference:
  - cqai.yourdomain.com: your subdomain used in the DNS for the Cequence UAP platform
  - client-id: "Client Name" created in the previous step
  - client-secret: "Client Secret" created in the previous step
  - interface-id: the network interface on the Sensor box that receives traffic passively (e.g. eth0)
UAP_SUBDOMAIN=<cqai.yourdomain.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
INTERFACE_ID=<network-interface>
- Test connectivity with the Cequence UAP platform: a successful curl request returns an HTTP 200 OK response. Note that the -k flag disables TLS certificate verification for this request.
curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
- Run setup command with the same parameters:
/opt/cequence/bin/setup.sh \
  "${UAP_SUBDOMAIN}" \
  "${CLIENT_ID}" \
  "${CLIENT_SECRET}" \
  "${INTERFACE_ID}"
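The variable, interface and connectivity checks can be combined into one pre-flight step that gates the setup command. This is an added example, not part of the Cequence documentation or product: the function names and the NET_SYSFS override are hypothetical, it assumes the Sensor is a Linux system that lists interfaces under /sys/class/net, and it reuses the token URL and variable names from this page.

```shell
#!/bin/sh
# Added example (not Cequence code): pre-flight checks before running setup.sh.
# Function names and NET_SYSFS are hypothetical; the URL and variables come from this page.

# Reject values that are unset, empty, or still a <placeholder>.
check_vars() {
    for name in UAP_SUBDOMAIN CLIENT_ID CLIENT_SECRET INTERFACE_ID; do
        eval "value=\${$name:-}"
        case "$value" in
            ''|'<'*'>') echo "unset or placeholder: $name" >&2; return 1 ;;
        esac
    done
}

# Print only the HTTP status code of the token request.
# curl prints 000 when it cannot connect; -k mirrors the page's command.
token_status() {
    curl -k -s -o /dev/null -w '%{http_code}' \
        --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=${CLIENT_ID}" \
        --data-urlencode "client_secret=${CLIENT_SECRET}" \
        --data-urlencode "grant_type=client_credentials"
}

# Succeed only if the values are set, the capture interface exists,
# and the platform answers the token request with HTTP 200.
preflight() {
    check_vars || return 1
    if [ ! -d "${NET_SYSFS:-/sys/class/net}/${INTERFACE_ID}" ]; then
        echo "no such network interface: ${INTERFACE_ID}" >&2
        return 1
    fi
    status=$(token_status) || status=000
    if [ "$status" != 200 ]; then
        echo "token request returned HTTP ${status}, expected 200" >&2
        return 1
    fi
}

# Usage: preflight && /opt/cequence/bin/setup.sh "${UAP_SUBDOMAIN}" \
#     "${CLIENT_ID}" "${CLIENT_SECRET}" "${INTERFACE_ID}"
```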
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.