# Advanced Configuration Options for CAF Agents

This article covers the main advanced configuration options available when running Enterprise Agents on Cisco Application Hosting Framework (CAF) based devices.

The article assumes that you are following the relevant installation instructions for your device, available under the [Cisco Devices](https://docs.thousandeyes.com/product-documentation/global-vantage-points/enterprise-agents/installing/cisco-devices) landing page.

{% hint style="warning" %}
These advanced configuration options are only available for CAF Enterprise Agent version 5.1.1 and later. Please ensure that your agent is upgraded to the latest version before adding these advanced configuration options.

Upgrade instructions can be found here: [Upgrade Cisco Application Hosting Agents](https://docs.thousandeyes.com/product-documentation/global-vantage-points/enterprise-agents/managing/upgrading-enterprise-agents#cisco-application-hosting).
{% endhint %}

## NTP Server Configuration on the Cisco Application Hosting Framework Agents (CAF)

Enterprise Agents running inside a Cisco application hosting container use the clock provided by the Cisco device's kernel. This system clock should be kept in sync using an appropriate time protocol configured on the network operating system, as the agent does not adjust the clock on the Cisco device.

The agent makes periodic NTP requests to determine the clock offset and adjusts test measurement timestamps as needed. These requests are sent to `pool.ntp.org` by default. This can be changed by providing the agent with a list of NTP servers via an environment variable during the configuration stage. An initialization script within the application container will then set up the **/etc/ntp.conf** file with the provided NTP servers, and the agent will use the configured NTP servers upon startup.

To configure the NTP server list:

1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the [Lifecycle of an Application](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/176/b_176_programmability_cg/m_176_prog_app_hosting.html#id_74345) section of the Cisco documentation.
2. In config mode, enter the submode for the application-hosting container used for the ThousandEyes agent, and use the `run-opts` option to configure a semicolon-separated (;) list of NTP server pools, names, or addresses. An example is shown below.

   ```
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# prepend-pkg-opts
   Device(config-app-hosting-docker)# run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
   Device(config-app-hosting-docker)# run-opts 2 "--hostname $(SYSTEM_NAME)"
   Device(config-app-hosting-docker)# run-opts 3 "-e TEAGENT_NTP_LIST=<ntp1>;<ntp2>;<ntp3>"
   Device(config-app-hosting)# end
   ```
3. Activate the container, and verify it is in the **ACTIVATED** state:

   ```
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	ACTIVATED
   ```
4. Start the container and ensure it is in the **RUNNING** state:

   ```
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	RUNNING
   ```

For more information on configuring the clock on Cisco devices, see the following reference documentation:

* [Network Time Protocol for Cisco IOS XE 17.x](https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/syst-mgmt/b-system-management/m_bsm-time-calendar-set.html)
* [Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide](https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/105x/configuration/fundamentals/cisco-nexus-9000-series-nx-os-fundamentals-configuration-guide-release-105x/m-basic-device-management.html)

## CA Certificates for Cisco Application Hosting Framework (CAF) Agents

For detailed instructions on installing a CA certificate on Cisco devices that support the Cisco application hosting framework (CAF), see [Installing CA Certificates on Enterprise Agents](https://docs.thousandeyes.com/product-documentation/global-vantage-points/enterprise-agents/configuring/installing-ca-certificates-on-enterprise-agents#installing-on-cisco-devices-supporting-the-cisco-application-hosting-framework-caf).

## Security Mode for Cisco Application Hosting Framework (CAF) Agents

Enterprise Agents running in application hosting containers can operate in a FIPS-compliant mode that restricts the set of protocols used when interacting with the ThousandEyes platform.

{% hint style="info" %}
This does not prevent the Enterprise Agents from performing synthetic tests to servers using less secure protocols.
{% endhint %}

To configure the Enterprise Agent to operate in FIPS mode:

1. For new Enterprise Agents, continue to step two. For existing agents, ensure you stop and deactivate the application before continuing. For more information on how to stop/deactivate the container, see the [Lifecycle of an Application](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/176/b_176_programmability_cg/m_176_prog_app_hosting.html#id_74345) section of the Cisco documentation.
2. Set the `TEAGENT_SECURITY_MODE` environment variable to FIPS as shown in the example below:

   ```
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# prepend-pkg-opts
   Device(config-app-hosting-docker)# run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
   Device(config-app-hosting-docker)# run-opts 2 "--hostname $(SYSTEM_NAME)"
   Device(config-app-hosting-docker)# run-opts 3 "-e TEAGENT_SECURITY_MODE=FIPS"
   Device(config-app-hosting)# end
   ```
3. Activate the container, and verify it is in the **ACTIVATED** state:

   ```
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	ACTIVATED
   ```
4. Start the container and ensure it is in the **RUNNING** state:

   ```
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	RUNNING
   ```

An initialization script within the application container will set up the **security-mode** parameter in the agent configuration file. When the agent starts, it will be operating in FIPS mode.
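To confirm across saved device configurations which agents have a custom NTP list and which run in FIPS mode, the `run-opts` lines from both procedures above can be audited offline. The script below is an added example, not ThousandEyes or Cisco code; it assumes the saved configuration stores the stanza as indented lines in the same form as the commands above, and the function names, the `legacy` appid and the NTP host names are made up for illustration.

```python
import re

# Constructed sample: saved configuration in the shape of the commands shown
# above (assumed layout; appids, token placeholder and servers are made up).
SAMPLE_CONFIG = '''\
app-hosting appid example
 app-resource docker
  prepend-pkg-opts
  run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
  run-opts 2 "--hostname $(SYSTEM_NAME)"
  run-opts 3 "-e TEAGENT_NTP_LIST=ntp1.example.net;ntp2.example.net"
  run-opts 4 "-e TEAGENT_SECURITY_MODE=FIPS"
app-hosting appid legacy
 app-resource docker
  run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<token>"
'''

APPID = re.compile(r'^app-hosting appid (\S+)')
RUN_OPT = re.compile(r'^\s+run-opts (\d+) "(.*)"\s*$')
ENV = re.compile(r'-e\s+([A-Z0-9_]+)=(\S*)')

def parse_agents(config_text):
    """Return {appid: {env var: value}} from app-hosting run-opts lines."""
    agents, current = {}, None
    for line in config_text.splitlines():
        if m := APPID.match(line):
            current = agents.setdefault(m.group(1), {})
        elif line and not line[0].isspace():
            current = None  # left the app-hosting stanza
        elif current is not None and (m := RUN_OPT.match(line)):
            current.update(ENV.findall(m.group(2)))
    return agents

def audit(config_text):
    """Summarise NTP servers and security mode for each hosted agent."""
    report = {}
    for appid, env in parse_agents(config_text).items():
        ntp = [s for s in env.get("TEAGENT_NTP_LIST", "").split(";") if s]
        mode = env.get("TEAGENT_SECURITY_MODE", "DEFAULT")
        report[appid] = {
            # With no list configured the agent queries pool.ntp.org.
            "ntp_servers": ntp or ["pool.ntp.org"],
            "fips": mode == "FIPS",
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

An agent reported with `pool.ntp.org` needs outbound NTP to the public pool, and one reported with `fips: False` is running in default mode.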

To take the agent out of FIPS mode:

1. Stop and deactivate the application.
2. Remove the security mode environment variable by using the `no run-opts` command, followed by the index number for that environment variable. This example uses index number 3, as seen in the setup instructions above. The option text is not required when the `no run-opts` command is used:

   ```
   Device(config)#app-hosting appid example
   Device(config-app-hosting)# app-resource docker
   Device(config-app-hosting-docker)# no run-opts 3
   Device(config-app-hosting)# end
   ```
3. Activate the container, and verify it is in the **ACTIVATED** state:

   ```
   Device#app-hosting activate appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	ACTIVATED
   ```
4. Start the container and ensure it is in the **RUNNING** state:

   ```
   Device#app-hosting start appid example
   Device#show app-hosting list
   App id                               	      State
   ---------------------------------------------------------
   example                                  	RUNNING
   ```

When the agent starts in the container, it will now operate in default mode.

{% hint style="tip" %}
You can also set the agent to operate in default mode by configuring the environment variable to `TEAGENT_SECURITY_MODE=DEFAULT`.
{% endhint %}
