To enable or disable TLS on an auxiliary database

Purpose
CAUTION

Service Outage

A change to the auxiliary database security settings requires a restart of each NFM-P main server and each NSP cluster, and is therefore service-affecting.

Ensure that you perform the procedure only during a scheduled maintenance period.

CAUTION

Data Loss

No data is written to an auxiliary database unless the TLS setting of the auxiliary database (enabled or disabled) matches the auxiliary database security setting in the NSP and the NFM-P.

You must ensure that the security settings on the auxiliary database cluster, the NSP cluster, and the NFM-P main server match.
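The following script is an added example for this page; it is not part of the Nokia NSP or NFM-P documentation or product. It reads the secure= flag from one or more auxiliary database install.config files and the auxDb.secure value from an NSP nsp-config.yml, and reports any mismatch, so the condition under which no data is written is caught before any server is restarted. The file names are the ones this procedure edits; the file contents, host names and port used below are constructed samples, not values from a real deployment.

```shell
#!/usr/bin/env bash
# Added example for this page; not part of the Nokia NSP/NFM-P
# documentation or product. Cross-checks the TLS flag in auxiliary
# database install.config files against auxDb.secure in nsp-config.yml.
# Sample file contents below are constructed.

set -u

# Print the value of "secure=" in an install.config, lower-cased.
# Comment lines are ignored and the last assignment wins.
installconfig_secure() {
    sed -n 's/^[[:space:]]*secure[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the value of "secure:" inside the auxDb: block of nsp-config.yml.
# Only keys indented deeper than auxDb: are considered, so a secure: key
# that belongs to another section is never picked up.
nspconfig_auxdb_secure() {
    awk '
        /^[[:space:]]*auxDb:[[:space:]]*$/ { inblk = 1; depth = match($0, /[^ ]/); next }
        inblk && $0 !~ /^[[:space:]]*$/ && match($0, /[^ ]/) <= depth { inblk = 0 }
        inblk && $1 == "secure:" { gsub(/"/, "", $2); print tolower($2); exit }
    ' "$1"
}

# check_tls_consistency NSP_CONFIG INSTALL_CONFIG...
# Returns 0 only when auxDb.secure is true or false and every
# install.config carries the same value; mismatches go to stderr.
check_tls_consistency() {
    local nspcfg=$1; shift
    local want rc=0 f v
    want=$(nspconfig_auxdb_secure "$nspcfg")
    case $want in
        true|false) ;;
        *) echo "auxDb.secure is '$want' in $nspcfg; expected true or false" >&2; return 1 ;;
    esac
    for f in "$@"; do
        v=$(installconfig_secure "$f")
        if [ "$v" != "$want" ]; then
            echo "MISMATCH: $f has secure=$v but $nspcfg has auxDb.secure=$want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not copied from any real system).
demo_dir=$(mktemp -d)
cat >"$demo_dir/nsp-config.yml" <<'EOF'
  someOtherSection:
    secure: "false"
  auxDb:
    secure: "true"
    ipList: "192.0.2.11,192.0.2.12,192.0.2.13"
    standbyIpList: "198.51.100.11,198.51.100.12,198.51.100.13"
EOF
cat >"$demo_dir/primary.install.config" <<'EOF'
# auxiliary database install.config (constructed sample)
secure=true
pki_server=pki.example.net
pki_server_port=2391
EOF
cat >"$demo_dir/standby.install.config" <<'EOF'
secure=false
pki_server=pki.example.net
pki_server_port=2391
EOF

# The primary cluster agrees with nsp-config.yml; the standby does not.
if check_tls_consistency "$demo_dir/nsp-config.yml" \
        "$demo_dir/primary.install.config" "$demo_dir/standby.install.config"; then
    echo "all auxiliary database TLS settings agree"
else
    echo "fix the mismatch before restarting any main server or NSP cluster"
fi
```

Run it on the real files by passing /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml from the deployer host and a copy of /opt/nsp/nfmp/auxdb/install/config/install.config from each cluster; a non-zero exit means the settings do not yet match and the restart steps should not be started.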

The following steps describe how to enable or disable TLS for auxiliary database communication.

Note: TLS must be enabled in the NSP and NFM-P configurations before you can enable TLS on an auxiliary database.

Note: You require root user privileges on each auxiliary database station, each NFM-P main server station, and each NSP deployer host.

Note: You also require nsp user privileges on each NFM-P main server station.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps

1 

Start the PKI server, if the server is not running; perform the procedure To configure and enable a PKI server.

Note: The PKI server is required for internal system configuration purposes.


2 

Log in as the root user on an auxiliary database station.

Note: In a DR NSP deployment, you must log in on a station in the primary auxiliary database cluster.


3 

If you are configuring a standalone auxiliary database, go to Step 6.


Verify DR cluster-copy

4 

If you are configuring the first auxiliary database cluster in a DR NSP deployment, you must verify the success of the most recent copy-cluster operation, which synchronizes the database data between the redundant clusters.

Note: You must not proceed to the next step until the copy-cluster operation is complete and successful.

Perform one of the following periodically to check the copy-cluster status.

  1. If the NFM-P is in a shared-mode NSP deployment, issue the following REST API call:

    Note: In order to issue a REST API call, you require a REST token; see the REST API tutorials on the Network Developer Portal for information.

    GET https://address:8545/restconf/data/auxdb:/auxdb-agent

    where address is the advertised address of the primary NSP cluster

    The call returns a status of SUCCESS, as shown below, for a successfully completed copy-cluster operation:

    <HashMap>
      <auxdb-agent>
        <name>nspos-auxdb-agent</name>
        <application-mode>ACTIVE</application-mode>
        <copy-cluster>
          <source-cluster>cluster_M</source-cluster>
          <target-cluster>cluster_N</target-cluster>
          <time-started>timestamp</time-started>
          <status>SUCCESS</status>
        </copy-cluster>
      </auxdb-agent>
    </HashMap>

  2. If the NFM-P is not in a shared-mode NSP deployment, enter the following as the root user on the primary main server station:

    /opt/nsp/os/nspd/nspdctl auxdb agent-status ↵

    The command returns output like the following for a successfully completed copy-cluster operation:

         DC-ROLE        HOST             APPLICATION-MODE
         active leader  203.0.113.101    ACTIVE

         Copy Cluster Details
         SOURCE     TARGET     TIME-STARTED               STATUS
         cluster_1  cluster_2  2022-03-14T15:09:26.535Z   SUCCESS
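The script below is an added example for this page, not code from the Nokia documentation. It turns the "check periodically, do not proceed until SUCCESS" instruction into a gate: one parser for each of the two output formats shown above, plus a poll loop that keeps running a caller-supplied status command until the copy-cluster status is SUCCESS or an attempt budget is spent. The sample outputs are constructed, the IN_PROGRESS value is a placeholder for whatever non-SUCCESS status the agent reports (the page does not list those), and the curl invocation in the comment (Bearer token header, 8545 endpoint) is an assumed way of issuing the REST call, not verified here. No NSP system is contacted.

```shell
#!/usr/bin/env bash
# Added example for this page; not part of the Nokia NSP/NFM-P
# documentation. Gates on the copy-cluster status of the auxdb agent.
# Sample outputs are constructed; IN_PROGRESS is a placeholder value.

set -u

# Print the copy-cluster <status> value from the auxdb-agent REST
# response read on stdin (first <status> element only).
rest_copy_status() {
    sed -n 's/.*<status>\([A-Za-z_]*\)<\/status>.*/\1/p' | head -n 1
}

# Print the STATUS column of the "Copy Cluster Details" table printed by
# "nspdctl auxdb agent-status", read on stdin.
nspdctl_copy_status() {
    awk '$1 == "SOURCE" && $NF == "STATUS" { hdr = 1; next }
         hdr && NF >= 4 { print $NF; exit }'
}

# wait_for_copy_cluster PARSER MAX_ATTEMPTS INTERVAL_SECONDS COMMAND...
# Runs COMMAND, pipes its output through PARSER and returns 0 as soon as
# the status is SUCCESS. Any other status, or no status at all, is logged
# and retried; after MAX_ATTEMPTS it returns 1 so a calling script stops
# instead of moving on to the next step.
wait_for_copy_cluster() {
    local parser=$1 max=$2 interval=$3 i status
    shift 3
    i=0
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        status=$("$@" | "$parser")
        case $status in
            SUCCESS) return 0 ;;
            "")      echo "attempt $i/$max: no copy-cluster status found in output" >&2 ;;
            *)       echo "attempt $i/$max: copy-cluster status is $status, not SUCCESS" >&2 ;;
        esac
        if [ "$i" -lt "$max" ]; then sleep "$interval"; fi
    done
    return 1
}

# Constructed sample outputs standing in for the real commands.
sample_rest_success() {
    cat <<'EOF'
<HashMap>
  <auxdb-agent>
    <name>nspos-auxdb-agent</name>
    <application-mode>ACTIVE</application-mode>
    <copy-cluster>
      <source-cluster>cluster_1</source-cluster>
      <target-cluster>cluster_2</target-cluster>
      <time-started>2022-03-14T15:09:26.535Z</time-started>
      <status>SUCCESS</status>
    </copy-cluster>
  </auxdb-agent>
</HashMap>
EOF
}
sample_nspdctl_not_done() {
    cat <<'EOF'
DC-ROLE        HOST             APPLICATION-MODE
active leader  203.0.113.101    ACTIVE

Copy Cluster Details
SOURCE     TARGET     TIME-STARTED               STATUS
cluster_1  cluster_2  2022-03-14T15:09:26.535Z   IN_PROGRESS
EOF
}

# Gate on the constructed outputs: the REST sample passes; the nspdctl
# sample is retried twice with no delay and then rejected.
wait_for_copy_cluster rest_copy_status 1 0 sample_rest_success \
    && echo "copy-cluster SUCCESS: safe to continue"
wait_for_copy_cluster nspdctl_copy_status 2 0 sample_nspdctl_not_done \
    || echo "copy-cluster not complete: stop here"

# Assumed live usage (not verified here), e.g. 30 attempts one minute apart:
#   wait_for_copy_cluster rest_copy_status 30 60 curl -sS \
#     -H "Authorization: Bearer $TOKEN" \
#     "https://$ADDRESS:8545/restconf/data/auxdb:/auxdb-agent"
#   wait_for_copy_cluster nspdctl_copy_status 30 60 \
#     /opt/nsp/os/nspd/nspdctl auxdb agent-status
```

The parsers deliberately return nothing rather than a guess when the expected element or table is absent, and the loop treats that the same as a non-SUCCESS status, so a truncated or error response cannot be mistaken for a completed copy.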


Stop database proxies

5 

Perform the following steps on each auxiliary database station in each auxiliary database cluster to stop the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl status nspos-auxdbproxy ↵

    The proxy status is displayed; the proxy is stopped if the status includes the following:

    Active: inactive

  5. You must ensure that the proxy is stopped.

    If the proxy is not stopped, repeat substep 4.


Configure TLS, standalone or primary cluster

6 

Open the following file using a plain-text editor such as vi:

/opt/nsp/nfmp/auxdb/install/config/install.config


7 
CAUTION

Service disruption

Changing a parameter in the auxiliary database install.config file can have serious consequences that include service disruption.

Do not change any parameter in the install.config file, other than the parameters described in the step, without guidance from technical support.

Edit the following lines in the file to read as shown below:

Note: TLS must be enabled in the NSP and NFM-P configurations before you can enable TLS on an auxiliary database.

secure=value

pki_server=server

pki_server_port=port

where

value is true or false, and indicates whether TLS is enabled

server is the PKI server IP address or hostname

port is the PKI server port number


8 

Save and close the install.config file.


9 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh configureTLS ↵

The script prompts for the auxiliary database dba password.


10 

Enter the required password.

The script configures TLS on the station.


11 

Perform the following steps on each auxiliary database station in the cluster to restart the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


12 

If you are configuring a standalone auxiliary database, go to Step 24.


Configure TLS, standby cluster
 
13 

Log in as the root user on an auxiliary database station in the standby auxiliary database cluster.


14 

Perform the following steps on each auxiliary database station in the cluster to restart the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


15 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh start ↵

The auxiliary database cluster starts.


16 

Open the following file using a plain-text editor such as vi:

/opt/nsp/nfmp/auxdb/install/config/install.config


17 
CAUTION

Service disruption

Changing a parameter in the auxiliary database install.config file can have serious consequences that include service disruption.

Do not change any parameter in the install.config file, other than the parameters described in the step, without guidance from technical support.

Edit the following lines in the file to read as shown below:

secure=value

pki_server=server

pki_server_port=port

where

value is true or false, and indicates whether TLS is enabled

server is the PKI server IP address or hostname

port is the PKI server port number


18 

Save and close the install.config file.


19 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh configureTLS ↵

The script sequentially prompts for the root user password of each auxiliary database station.


20 

Enter the required password at each prompt. The script configures TLS on the station.


21 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh stop ↵

The auxiliary database cluster stops.


22 

Perform the following steps on each auxiliary database station in the cluster to restart the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


Start database proxies
 
23 

Perform the following steps on each auxiliary database station in each auxiliary database cluster to start the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵

    The proxy starts.

  4. Enter the following to verify that the proxy is started:

    systemctl status nspos-auxdbproxy ↵

    The proxy status is displayed; the proxy is started if the status includes the following:

    Active: active


Configure NFM-P
 
24 

Perform Step 25 to Step 27 on each main server.


25 

Stop the main server.

  1. Log in to the main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash stop ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully stopped if the status is the following:

    Application Server is stopped

    If the server is not fully stopped, wait five minutes and then repeat this substep. Do not perform the next substep until the server is fully stopped.

  6. Enter the following to switch to the root user:

    bash$ su ↵

  7. If the NFM-P is not part of a shared-mode NSP deployment, enter the following to display the nspOS service status:

    nspdctl status ↵

    Information like the following is displayed.

    Mode:     redundancy_mode

    Role:     redundancy_role

    DC-Role:  dc_role

    DC-Name:  dc_name

    Registry: IP_address:port

    State:    stopped

    Uptime:   0s

    SERVICE           STATUS

    service_a         inactive

    service_b         inactive

    service_c         inactive

    You must not proceed to the next step until all NSP services are stopped; if the State is not ‘stopped’, or the STATUS indicator of each listed service is not ‘inactive’, repeat this substep.


26 

When the main server is stopped, configure secure auxiliary database communication on the main server so that the NFM-P setting matches the secure value in the auxiliary database install.config. The substeps below show the commands for enabling TLS.

  1. Enter the following:

    samconfig -m main ↵

    The following is displayed:

    Start processing command line inputs...

    <main>

  2. Enter the following:

    <main> configure auxdb secure ↵

    The prompt changes to <main configure auxdb>.

  3. Enter the following:

    <main configure auxdb> exit ↵

    The prompt changes to <main>.

  4. Enter the following:

    <main> apply ↵

    The configuration is applied.

  5. Enter the following:

    <main> exit ↵

    The samconfig utility closes.


27 

Start the main server.

  1. Enter the following to switch back to the nsp user:

    exit ↵

  2. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  3. Enter the following:

    bash$ ./nmsserver.bash start ↵

  4. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this substep. Do not perform the next step until the server is fully initialized.

  5. Close the console window.


Configure NSP clusters
 
28 

If the NFM-P is not part of a shared-mode deployment that includes an NSP cluster, go to Step 37.


29 

Log in as the root user on the NSP deployer host in the standalone or primary NSP cluster.


30 

Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml


31 

Locate the following section:

    auxDb:

      secure: "value"

      ipList: "local_cluster_IPs"

      standbyIpList: "peer_cluster_IPs"

where value is true or false, and specifies whether TLS is enabled


32 

Set the secure parameter to true or false, as required.


33 

Save and close the nsp-config.yml file.


34 

Enter the following to deploy the updated configuration and start the NSP cluster:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

The NSP cluster starts, and the TLS configuration update is put into effect.


35 

If the NSP is a DR deployment, perform Step 29 to Step 34 on the standby NSP cluster.


36 

If no other components are to be deployed, stop the PKI server by entering Ctrl+C in the console window.


37 

Close the open console windows.

End of steps