General description

General description
CAUTION 

CAUTION

Service Degradation

Ensure that you regularly remove from NFM-P the device software images that are no longer required; for example, by deleting the images.

An accumulation of device software images can dramatically increase the length of an operation such as an NFM-P database backup, restore, or reinstantiation.

This chapter contains information about how to perform an on-demand software upgrade on Wavence devices and the specific software upgrade policy requirements to perform the upgrade.

See Software upgrades on Wavence SCM devices for information about performing software upgrades on Wavence SCM devices.

See the “NE software upgrades” chapter of the NSP NFM-P Classic Management User Guide for general software upgrade requirements and information.

The Wavence software is stored in two banks on a compact flash card:

Note:

Wavence software upgrade policy requirements

Before performing a software upgrade, you must create a software upgrade policy that specifies the device family, software image, image backup location, and the actions to perform; for example, image download, activation, or ISSU. Using a software upgrade policy, an NFM-P operator can independently perform the image download, upgrade, and activation tasks.

The following conditions apply to software upgrade policies:

Note: The file storage location path must be an absolute path from the / directory, and the SFTP user must have access to the location.

To determine a host fingerprint

Determine the version of SSH that NFM-P is using (RSA or ECDSA), using the following command:

ssh -v localhost 

Example 1: if the output of the command is:

 
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 89:57:0c:64:63:8c:70:b7:cb:6e:db:33:97:9b:25:32. [Note the host fingerprint varies from machine to machine] 
Are you sure you want to continue connecting (yes/no)? 
Use:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | sed 's/://g' | awk '{print $2}'

Example 2: if the output of the command is:

 
debug1: Server host key: ECDSA 71:1a:b1:4e:1c:66:06:0c:a4:bc:dd:c5:fc:29:b2:70
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 71:1a:b1:4e:1c:66:06:0c:a4:bc:dd:c5:fc:29:b2:70. [Note the host fingerprint varies from machine to machine] 
Are you sure you want to continue connecting (yes/no)? 
Use:
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub | sed 's/://g' | awk '{print$2}'

Example 3: if the output of the command is:

 
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RRUksTgiJwIzJeSfs59dCkT+5+50nTs4YN8rLrCi9lM
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:RRUksTgiJwIzJeSfs59dCkT+5+50nTs4YN8rLrCi9lM. 
ECDSA key fingerprint is MD5:20:cb:e9:c8:9d:b3:67:99:48:3c:5d:67:7a:8a:85:f5.
Are you sure you want to continue connecting (yes/no)?
Use:
ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_ecdsa_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}

MSS-E/HE/XE and UBT-NIM nodes using Wavence Release 23 or earlier and all UBT-SA nodes support only RSA fingerprint for software download and backup operations. Use the following cipher algorithm to generate fingerprint, irrespective of higher preference algorithm (RSA or ECDSA) on the server:

ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_rsa_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}'

Note: For UBT-SA nodes, SSH server configuration (/etc/ssh/sshd_config) must contain following options. Ciphers: aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, 3des-cbc, arcfour128

MSS-E/HE/XE and UBT-NIM nodes using Wavence Release 23A or later support only ED25519 fingerprint for software download operation. Use the following cipher algorithm to generate fingerprint, irrespective of higher preference algorithm (RSA or ECDSA) on the server:

ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_ed25519_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}'