Advanced Configuration Options for CAF Agents
This article covers the main advanced configuration options available when running Enterprise Agents on Cisco Application Hosting Framework (CAF) based devices.
The article assumes that you are following the relevant installation instructions for your device, available under the Cisco Devices landing page.
These advanced configuration options are only available for CAF Enterprise Agent version 5.1.1 and later. Please ensure that your agent is upgraded to the latest version before adding these advanced configuration options.
Upgrade instructions can be found here: Upgrade Cisco Application Hosting Agents.
NTP Server Configuration on the Cisco Application Hosting Framework Agents (CAF)
Enterprise Agents running inside a Cisco application hosting container use the clock provided by the Cisco device's kernel. This system clock should be kept in sync using an appropriate time protocol configured on the network operating system, as the agent does not adjust the clock on the Cisco device.
The agent makes periodic NTP requests to determine the clock offset and adjust the test measurement timestamps as needed. These requests are sent to pool.ntp.org by default. This can be changed by providing the agent with a list of NTP servers via an environment variable during the configuration stage. An initialization script within the application container will then set up the /etc/ntp.conf file with the provided NTP servers, and the agent will use the configured NTP servers upon startup.
To configure the NTP server list:
1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the Lifecycle of an Application section of the Cisco documentation.
2. In config mode, enter the submode for the application-hosting container used for the ThousandEyes agent, and use the run-opts option to configure a semicolon (;) separated list of NTP server pools, names, or addresses. An example is shown below.
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# prepend-pkg-opts
   Device(config-app-hosting-docker)# run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
   Device(config-app-hosting-docker)# run-opts 2 "--hostname $(SYSTEM_NAME)"
   Device(config-app-hosting-docker)# run-opts 3 "-e TEAGENT_NTP_LIST=<ntp1>;<ntp2>;<ntp3>"
   Device(config-app-hosting)# end
3. Activate the container, and verify it is in the ACTIVATED state:
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  ACTIVATED
4. Start the container and ensure it is in the RUNNING state:
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  RUNNING
For more information on configuring the clock on Cisco devices, see the following reference documentation:
CA Certificates for Cisco Application Hosting Framework (CAF) Agents
For detailed instructions on installing a CA certificate on Cisco devices that support the Cisco application hosting framework (CAF), see Installing CA Certificates on Enterprise Agents.
Security Mode for Cisco Application Hosting Framework (CAF) Agents
Enterprise Agents running in application hosting containers can operate in a FIPS compliant mode that restricts the set of protocols used when interacting with the ThousandEyes platform.
To configure the Enterprise Agent to operate in FIPS mode:
1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the Lifecycle of an Application section of the Cisco documentation.
2. Set the TEAGENT_SECURITY_MODE environment variable to FIPS as shown in the example below:
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# prepend-pkg-opts
   Device(config-app-hosting-docker)# run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
   Device(config-app-hosting-docker)# run-opts 2 "--hostname $(SYSTEM_NAME)"
   Device(config-app-hosting-docker)# run-opts 3 "-e TEAGENT_SECURITY_MODE=FIPS"
   Device(config-app-hosting)# end
3. Activate the container, and verify it is in the ACTIVATED state:
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  ACTIVATED
4. Start the container and ensure it is in the RUNNING state:
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  RUNNING
An initialization script within the application container will set up the security-mode parameter in the agent configuration file. When the agent starts, it will be operating in FIPS mode.
To take the agent out of FIPS mode:
1. Stop and deactivate the application.
2. Remove the security mode environment variable by using the no run-opts command, followed by the index number for that environment variable. This example uses index number 3, as seen in the setup instructions above. The option text is not required when the no run-opts command is used:
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# no run-opts 3
   Device(config-app-hosting)# end
3. Activate the container, and verify it is in the ACTIVATED state:
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  ACTIVATED
4. Start the container and ensure it is in the RUNNING state:
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                                   State
   ---------------------------------------------------------
   example                                  RUNNING
When the agent starts in the container, it will now operate in default mode.
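A configuration audit for the NTP and security mode settings described above, as an added example that is not ThousandEyes or Cisco code. It assumes the run-opts lines appear in a saved configuration in the same form they are typed in the steps above; the sample excerpt is constructed, and the names audit and valid_server are hypothetical.

```python
import ipaddress
import re

# Constructed sample: layout of the saved configuration is an assumption,
# values are placeholders. Entry 3 contains a comma where a ';' was intended.
SAMPLE_CONFIG = '''\
app-hosting appid example
 app-resource docker
  prepend-pkg-opts
  run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
  run-opts 2 "--hostname $(SYSTEM_NAME)"
  run-opts 3 "-e TEAGENT_NTP_LIST=10.0.0.1;ntp1.corp.example,ntp2.corp.example"
  run-opts 4 "-e TEAGENT_SECURITY_MODE=FIPS"
'''

RUN_OPT = re.compile(r'\s+run-opts (\d+) "(.*)"\s*')
ENV = re.compile(r'-e (\w+)=(.*)')
HOSTNAME = re.compile(r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*')

def valid_server(entry):
    """True if entry is an IP address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return bool(HOSTNAME.fullmatch(entry))

def audit(config_text):
    """Report security mode and NTP servers for each app-hosting appid."""
    apps, current = {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # top-level line starts a new section
            m = re.match(r"app-hosting appid (\S+)", line)
            current = apps.setdefault(m.group(1), {}) if m else None
            continue
        m = RUN_OPT.fullmatch(line)
        env = ENV.fullmatch(m.group(2)) if m and current is not None else None
        if env:  # store (run-opts index, value) per environment variable
            current[env.group(1)] = (int(m.group(1)), env.group(2))
    report = {}
    for appid, env in apps.items():
        servers = [s for s in env.get("TEAGENT_NTP_LIST", (None, ""))[1].split(";") if s]
        mode_index, mode = env.get("TEAGENT_SECURITY_MODE", (None, None))
        report[appid] = {
            "fips": mode == "FIPS",
            "security_mode_index": mode_index,  # index to pass to "no run-opts"
            "ntp_servers": servers or ["pool.ntp.org"],  # default named on the page
            "ntp_invalid": [s for s in servers if not valid_server(s)],
        }
    return report
```

The security_mode_index value is the index that the no run-opts step needs when taking the agent out of FIPS mode.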