Secure certification mode (SCM)
Introduction
The NFM-P supports the management of CorEvo-based Wavence devices (Release 7.1 or later) that are configured in secure certification mode and are managed using secure protocols. Secure certification mode is configured in split-mount systems where the encryption block is installed in the radio transceiver connected to the MSS shelf over a Gigabit Ethernet interface.
Trusted manager
The NFM-P can manage a Wavence SCM device only when the NFM-P server IP address is configured as a trusted manager in the WebCT. The NFM-P generates the PollerProblem alarm when you try to discover a Wavence SCM device without first adding the server IP address as a trusted manager. You can add a maximum of five IP addresses as trusted managers. If the limit is reached, you need to delete an entry before you can add another trusted manager. See the Wavence documentation for more information about configuring trusted managers in the WebCT.
Enable HTTPS protocol
NFM-P allows you to enable or disable the HTTPS protocol from the System Settings tab of the Network Element (Edit) form. When you set the HTTPS Protocol parameter as Enabled, you can access the node from NFM-P and from the WebCT.
Disable HTTPS protocol
DANGER If the Wavence SCM device is unmanaged while the HTTPS Protocol parameter is set to Disabled, no EMS or NMS can access the Wavence SCM device unless its server IP address is registered in the trusted manager of the Wavence SCM device.
To recover the Wavence SCM device, you must remanage the device in the NMS that has the IP address added in the trusted manager of the Wavence SCM device and enable the HTTPS protocol. If the NFM-P server is not available, you should reset the Wavence SCM device to factory settings.
See the Wavence documentation for more information about resetting the Wavence SCM device to factory settings.
WARNING Disabling HTTPS protocol
When you set the HTTPS Protocol parameter as Disabled, you can access the node only from an NFM-P whose IP address has been added in the trusted manager of the Wavence SCM device.
You should ensure that the HTTPS Protocol parameter is set to Enabled in the System Settings tab of the Network Element (Edit) form, before unmanaging the Wavence SCM device.
SCM log file retrieval
The NFM-P supports the retrieval of SCM log files stored by the Wavence SCM devices.
The logs include:
- all user administration operations and the configuration changes in user activity logs in a user readable format. One entry is captured for each user action.
- all the security-related events in a security audit trail. These events include all security-related settings changes, user accounts management, exporting audit logs, and user login attempt failure.
Three types of log files are stored:
SCM log file compression
You can use the File Compression parameter on the Log Retrieval configuration form (Administration→NE Maintenance→Log Retrieval) to compress SCM log files before storing. The following compression options are supported: none, ZIP, and GZIP.
For each log file type, the Wavence SCM device stores a maximum of five log files. When the maximum number is exceeded, the oldest log file is deleted. See To retrieve log files stored by Wavence devices for more information about retrieving logs.
Exporting SCM log files to an OSS client
You can create and run an XML API script to allow an OSS client to determine the SCM log transfer status, such as when the log transfer request is complete and whether the file is available. The script can be run for the three supported SCM log file types: UAL LG, SNMP LOG, and AUDIT LOG.
The findToFile default location for file retrieval on a local or remote host is used.
For information about creating an XML API script and the findToFile method for retrieving SCM log files, see the NSP NFM-P Scripts and Templates Developer Guide.
Backup and restore
The NFM-P does not support the backup and restore function for Wavence SCM devices.
Software upgrades on Wavence SCM devices
NFM-P supports the following two variants of Wavence SCM devices:
The Wavence SCM devices that support software upgrades display the “Secure Certificated and Remote Management” value for the SNMP Mode parameter in the System Settings tab of the Network Element (Edit) form. The Wavence SCM devices that do not support software upgrades display the “Secure Certificated” value for the SNMP Mode parameter in the System Settings tab of the Network Element (Edit) form.
The Wavence SCM devices only support SFTP transport protocol. The software upgrade policy for 9500 MPR SCM devices must comply with certain conditions; see Wavence software upgrade policy requirements for more information.
See the NE software upgrades chapter in the NSP NFM-P Classic Management User Guide for more information about how to configure a software upgrade policy and how to perform a software upgrade.
Alarms
The following alarms are supported in the SCM:
ECFM, TACACS+, and IPv6
The Wavence SCM devices do not support ECFM, TACACS+, or IPv6.
Protection configuration
Ensure that you power off the Wavence SCM device after the protection configuration is removed from the device. Then power on the Wavence SCM device so that the NFM-P reflects the correct protection configuration for the device.