Skyhigh Security

Install the Skyhigh Agent via Chef Script

To use Cloud Workload Protection (CWP) with Skyhigh CASB, you must install the Agent. 

Prerequisites

Configure Skyhigh CASB for CWP

See the instructions in Configure Skyhigh CASB for CWP.

Configure the Chef Infrastructure

If you haven't already, configure the Chef infrastructure. For details, see Configure the Chef Infrastructure.

Download the Chef Script to Install the Skyhigh Agent

Click here to Download the Chef Script.

Install the Skyhigh Agent

  1. Log in to the Chef controller system where you want to install the Skyhigh Agent.
  2. Unzip the file cwsDevOps.zip, which contains the files and folders required to install the Skyhigh Agent.
  3. Run the following command to create a data bag on the server and a secret key in cwsDevOps/files/encrypted_data_bag_secret:
ruby CreateMvisionCloudDataBag.rb <MVC_username> <MVC_password> <MVC_URL>
  4. Run the following command to create a cookbook:
chef generate cookbook <cookbook_name>
  5. Go to the folder cwsDevOps and copy the recipes, files, and libraries folders to the cookbook.
  6. Run the following command:
cp -r ./recipes/ <cookbook_name>/ && cp -r ./libraries/ <cookbook_name>/ && cp -r ./files/ <cookbook_name>/
  7. Push the cookbook using the following commands:
cd <cookbook_name>
chef install
chef push <cookbook_name>
knife node policy set <chef_client_name> POLICY_GROUP POLICY_NAME
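
A check to run between the copy and the push above, as an added example that is not part of Skyhigh's cwsDevOps package: it copies the three folders into the cookbook and confirms that the copied encrypted_data_bag_secret is non-empty and carries no group or other permission bits. The function names and the owner-only requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example: stage the cwsDevOps folders into a cookbook and check the
# data bag secret before the cookbook is pushed. Function names are hypothetical.

# Copy recipes, files and libraries from the unzipped cwsDevOps folder ($1)
# into the cookbook folder ($2). Fails if any of the three is missing.
stage_cookbook() {
    src=$1; cookbook=$2
    for d in recipes files libraries; do
        if [ ! -d "$src/$d" ]; then
            echo "missing folder: $src/$d" >&2
            return 1
        fi
        cp -r "$src/$d" "$cookbook/" || return 1
    done
}

# Check the secret file ($1): it must be a regular, non-empty file
# and carry no group or other permission bits.
check_secret() {
    secret=$1
    if [ ! -f "$secret" ] || [ ! -s "$secret" ]; then
        echo "secret missing or empty: $secret" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$secret" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "secret accessible beyond owner ($go_bits): $secret" >&2
        return 2
    fi
}

# Run both steps; tighten the copied secret to owner-only first (assumption:
# only the user running chef push needs to read it on the controller).
prepare_cookbook() {
    stage_cookbook "$1" "$2" || return 1
    chmod 600 "$2/files/encrypted_data_bag_secret" 2>/dev/null
    check_secret "$2/files/encrypted_data_bag_secret"
}
```

Call `prepare_cookbook ./cwsDevOps <cookbook_name>` from the folder where the archive was unzipped; a non-zero exit status means the cookbook should not be pushed yet.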

Configure the Chef Infrastructure

Use the following instructions to create a Chef controller and server. Then link the controller and the server. Finally, create a Chef client. These instructions focus on Microsoft Azure. 

Create the Chef Controller

  1. In Azure, create a virtual machine to act as your Chef controller.
  2. Provide a username and password for authentication, then enable the SSH port. 
  3. Log in to the virtual machine. 
  4. Generate the SSH keys using the following command:
ssh-keygen -t rsa -b 2048
  5. Copy the public key from <Root_Dir>/.ssh/id_rsa.pub

Create the Chef Server

  1. Log in to the Azure Portal.
  2. Click Create a new resource. Then search for Chef Automate, select it, and click Create.
  3. The first blade contains a summary of the Chef Automate solution. Click Create.

NOTE: If you don’t have a license, you can deploy and use Chef with a free 30-day trial. Just leave the license field empty.

  4. In the Basics blade, define a username, and paste the previously copied public key.
  5. To provision a Chef server, use a new or empty Resource Group.
  6. Click OK to create the server.
  7. Note the following settings of the Chef server:
    • Chef Automate FQDN DNS Label. This is the name of this server. It is publicly available.
    • Virtual Network. This is where the server is located. Use the same segment as the current production servers.
    • Subnets. Use an existing subnet where this server can communicate with existing servers (if any).
  8. Once the provisioning process is complete, check the Chef Automate VM on the Resource Group that you created.
  9. In the Overview tab, copy the DNS Name.

Link the Chef Controller to the Chef Server

  1. Connect to the Chef server from the Chef controller machine.
  2. Copy the file \starterkit-trial.zip.
  3. Unzip the file starterkit-trial.zip.
  4. Run the following commands:
cd .chef/
wget https://packages.chef.io/files/stable/chefdk/4.5.0/ubuntu/18.04/chefdk_4.5.0-1_amd64.deb
sudo dpkg -i chefdk_4.5.0-1_amd64.deb
chef verify
knife ssl fetch
knife ssl check

Create the Chef Client

  1. In Azure, create a virtual machine to act as your Chef client.
  2. Provide a username and password for authentication, then enable the SSH port. 
  3. Copy the FQDN/IP of the VM you created as the Chef controller. 
  4. Run the following command:
knife bootstrap <FQDN/IP of client> --ssh-user <username of chef client> --ssh-password <password of chef client> --node-name <provide a name to chef client>
  5. Verify that the new Chef client is created by logging into the Chef Automate dashboard.