search

Advanced Configuration Options for CAF Agents

This article covers the main advanced configuration options available when running Enterprise Agents on Cisco Application Hosting Framework (CAF) based devices.

The article assumes that you are following the relevant installation instructions for your device, available under the Cisco Devicesarrow-up-right landing page.

circle-exclamation

These advanced configuration options are only available for CAF Enterprise Agent version 5.1.1 and later. Please ensure that your agent is upgraded to the latest version before adding these advanced configuration options.

Upgrade instructions can be found here: Upgrade Cisco Application Hosting Agentsarrow-up-right.

hashtag
NTP Server Configuration on the Cisco Application Hosting Framework Agents (CAF)

Enterprise Agents running inside a Cisco application hosting container use the clock provided by the Cisco device's kernel. This system clock should be kept in sync using an appropriate time protocol configured on the network operating system, as the agent does not adjust the clock on the Cisco device.

The agent makes periodic NTP requests to determine the clock offset and adjust the test measurements timestamps as needed. These requests are sent to pool.ntp.org by default. This can be changed by providing the agent with a list of NTP servers via an environment variable during the configuration stage. An initialization script within the application container will then set up the /etc/ntp.conf file with the provided NTP servers, and the agent will use the configured NTP servers upon startup.

To configure the NTP server list:

  1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the Lifecycle of an Applicationarrow-up-right section of the Cisco documentation.

  2. In config mode, enter into the submode for the application-hosting container used for the ThousandEyes agent, and use the run-opts option to configure a semi-colon (;) separated list of NTP server pools, names, or addresses. An example is shown below.

    Device(config)#app-hosting appid example
Device(config-app-hosting)# app-resource docker
Device(config-app-hosting-docker)# prepend-pkg-opts
Device(config-app-hosting-docker)# run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
Device(config-app-hosting-docker)# run-opts 2 "--hostname $(SYSTEM_NAME)"
Device(config-app-hosting-docker)# run-opts 3 "-e TEAGENT_NTP_LIST=<ntp1>;<ntp2>;<ntp3>"
Device(config-app-hosting)# end

  3. Activate the container, and verify it is in the ACTIVATED state:

    Device#app-hosting activate appid example
Device#show app-hosting list
App id                               	      State
---------------------------------------------------------
example                                  	ACTIVATED

  4. Start the container and ensure it is in the RUNNING state:

    Device#app-hosting start appid example
Device#show app-hosting list
App id                               	      State
---------------------------------------------------------
example                                  	RUNNING

For more information on configuring the clock on Cisco devices, see the following reference documentation:

hashtag
CA Certificates for Cisco Application Hosting Framework (CAF) Agents

For detailed instructions on installing a CA certificate on Cisco devices that support the Cisco application hosting framework (CAF), see Installing CA Certificates on Enterprise Agentsarrow-up-right.

hashtag
Security Mode for Cisco Application Hosting Framework (CAF) Agents

Enterprise Agents running in application hosting containers can operate in a FIPS compliant mode that restricts the set of protocols used when interacting with the ThousandEyes platform.

circle-info

This does not prevent the Enterprise Agents from performing synthetic tests to servers using less secure protocols.

To configure the Enterprise Agent to operate in FIPS mode:

  1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the Lifecycle of an Applicationarrow-up-right section of the Cisco documentation.

  2. Set the TEAGENT_SECURITY_MODE environment variable to FIPS as shown in the example below:

  3. Activate the container, and verify it is in the ACTIVATED state:

  4. Start the container and ensure it is in the RUNNING state:

An initialization script within the application container will set up the security-mode parameter in the agent configuration file. When the agent starts, it will be operating in FIPS mode.

To take the agent out of FIPS mode:

  1. Stop and deactivate the application.

  2. Remove the security mode environment variable by using the no run-opts command, followed by the index number for that environment variable. This example uses index number 3, as seen in the setup instructions above. The option text is not required when using the no run-opts command is used:

  3. Activate the container, and verify it is in the ACTIVATED state:

  4. Start the container and ensure it is in the RUNNING state:

When the agent starts in the container, it will now operate in default mode.

{% hint style="tip" %} You can also set the agent to operate in default mode by configuring the environment variable to `

TEAGENT_SECURITY_MODE=DEFAULT`.

PreviousInstalling CA Certificates on Enterprise AgentsNextConfiguring rDNS Lookups for Enterprise Agents

Last updated