To convert a standalone NFM-P system to a redundant system
Description
The following steps describe how to convert an NFM-P system in a standalone deployment to a redundant system. This involves the following:
- Converting the standalone main server and database to a primary main server and database
- Reinstantiating the database on the new standby main database station
Ensure that you record the information that you specify, for example, directory names, passwords, and IP addresses.
Note: Command-line examples use the following to represent the RHEL CLI prompts:
- # represents the prompt of the root user
- bash$ represents the prompt of the nsp user
Do not type the leading # symbol or bash$ when you enter a command.
Note: You require the following user privileges:
Note: The nsp user account is created on the standby main server station during this procedure.
Note: The Oracle management user account is created on the standby main database station during this procedure.
Steps
Perform security preconfiguration
1. Start the PKI server, regardless of whether you are using the automated or manual TLS configuration method; perform To configure and enable a PKI server.
Note: The PKI server is required for internal system configuration purposes.
2. If you are using the manual TLS deployment method, generate and distribute the required TLS files for the system, as described in NSP TLS configuration.
3. Before you attempt an NFM-P system conversion to redundancy, you must ensure that each firewall between NFM-P components allows the required traffic to pass between the components, or is disabled. You can configure and enable the firewall after the installation, if required.
Note: The RHEL firewalld service is typically enabled by default in a new RHEL OS installation.
Perform one of the following.
Back up configuration files
4. Make a backup copy of each file that you have created or customized in or under the /opt/nsp/nfmp/server/nms and /opt/nsp/nfmp/server/jre directories on each server station.
Note: At the beginning of an NFM-P server conversion, the NFM-P installation utility backs up specific configuration and log files to a timestamped directory under the installation directory. The utility then deletes directories under the main server installation directory. If you have created or customized a file under the installation directory, you risk losing the file unless you back up the file before the conversion to a storage location that is unaffected by the conversion. Store the files in a secure location that is unaffected by the conversion activity.
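The backup in Step 4 is a point of no return: once the installation utility deletes the directories, a missed file is gone. The following is an added shell example, not part of the NSP documentation, that archives the customized subtrees to a destination outside the installation tree, refuses a destination inside it, and records a SHA-256 manifest so the copy can be verified before the conversion starts. The source root and subdirectory names are parameters; on a real station they would be /opt/nsp/nfmp/server with the nms and jre subdirectories.

```shell
#!/bin/bash
# Added example (not NSP code). Archive customized NFM-P files with a SHA-256
# manifest to a location that the conversion does not touch.

# backup_custom_files SRC_ROOT DEST_DIR SUBDIR...
# Creates DEST_DIR/nfmp-custom-<timestamp>.tar.gz holding the SUBDIRs found
# under SRC_ROOT, plus a matching .sha256 manifest; prints the archive path.
# Fails if DEST_DIR is SRC_ROOT or lies beneath it, because the conversion
# would delete the backup along with the tree it is meant to protect.
backup_custom_files() {
    src_root=$1; dest_dir=$2; shift 2
    case "$dest_dir" in
        "$src_root"|"$src_root"/*)
            echo "refusing: $dest_dir is inside the tree being backed up" >&2
            return 1 ;;
    esac
    mkdir -p "$dest_dir" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/nfmp-custom-$stamp.tar.gz"
    manifest="$dest_dir/nfmp-custom-$stamp.sha256"
    # Hash every regular file relative to SRC_ROOT so the manifest can be
    # checked against the extracted archive later.
    (cd "$src_root" && find "$@" -type f -exec sha256sum {} +) > "$manifest" || return 1
    tar -czf "$archive" -C "$src_root" "$@" || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE MANIFEST
# Extracts ARCHIVE into a scratch directory and re-checks every digest in
# MANIFEST; returns 0 only if all files are present and unchanged.
verify_backup() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$scratch" &&
        (cd "$scratch" && sha256sum -c --quiet "$manifest")
    status=$?
    rm -rf "$scratch"
    return $status
}

# Typical use on a station (paths from the procedure):
#   backup_custom_files /opt/nsp/nfmp/server /var/backups/nfmp-preconv nms jre
```

Run the verify step on the archive before proceeding; a manifest mismatch at this point costs a minute, while discovering it after the conversion costs the file.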
Download installation files
5. Download the following NFM-P installation files for the installed release to an empty directory on a station that is not affected by the conversion activity:
Note: The station must be reachable by each station that is to host an NFM-P main server or main database.
where
R.r.p is the NSP release identifier, in the form MAJOR.minor.patch
v is a version identifier
Gather required information
6. Obtain the following information from the main server station and record it for use during the conversion:
7. Obtain the following information from the main database station and record it for use during the conversion:
8. If the system includes one or more auxiliary servers, click on the Auxiliary Servers tab; otherwise, go to Step 10. A list of auxiliary servers is displayed.
9. Perform the following steps for each auxiliary server listed on the form.
10. If the NFM-P system includes one or more client delegate servers, perform the following steps. Otherwise, go to Step 12.
11. Perform the following steps for each client delegate server listed on the form:
12. Close the System Information form, if it is open.
Close LogViewer utility
13. If the LogViewer utility is running during an NFM-P conversion to redundancy, the conversion fails. You must ensure that the LogViewer is closed. Close the LogViewer utility, if it is open.
Close client sessions
14. Close the open NFM-P GUI and XML API client sessions.
Back up database
15. The path of the main database backup directory must not include the main database installation directory, or data loss may occur. Ensure that the backup directory path that you specify does not include /opt/nsp/nfmp/db.
Note: Before the NFM-P performs a database backup, it deletes the contents of the specified backup directory. Ensure that the backup directory that you specify does not contain files that you want to retain.
You must perform a database backup before you convert an NFM-P system to redundancy. Back up the main database from the client GUI or a CLI; see the NSP System Administrator Guide for information.
Add hostname mappings
16. As the root user, update the /etc/hosts file on each standalone and new standby component station to include an entry for each peer component. See Management network configuration example for a configuration example.
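Step 16 is repeated on every station, so the edit is worth scripting in a way that is safe to rerun and that refuses to silently remap a peer name to a different address. The following is an added shell example, not part of the NSP documentation: it takes the hosts file path as a parameter so it can be exercised on a scratch copy, and the host names and RFC 5737 addresses used in the test are constructed.

```shell
#!/bin/bash
# Added example (not NSP code). Idempotent hostname mapping for /etc/hosts.

# add_host_entry HOSTS_FILE IP HOSTNAME [ALIAS...]
# Appends "IP<TAB>HOSTNAME ALIAS..." unless HOSTNAME is already mapped.
# Returns 0 if the entry was added or already maps to IP, and 1 if HOSTNAME
# is already mapped to a different address (resolve that by hand rather
# than letting a script pick a winner).
add_host_entry() {
    hosts=$1; ip=$2; name=$3; shift 3
    # Drop comments, then look for NAME as a whole field (name or alias).
    existing=$(sed 's/#.*//' "$hosts" |
        awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }')
    if [ -n "$existing" ]; then
        [ "$existing" = "$ip" ] && return 0
        echo "conflict: $name already maps to $existing, not $ip" >&2
        return 1
    fi
    printf '%s\t%s%s\n' "$ip" "$name" "${*:+ $*}" >> "$hosts"
}

# lookup_host HOSTS_FILE HOSTNAME
# Prints the address that HOSTNAME (or an alias) resolves to, ignoring
# commented-out lines; prints nothing if the name is absent.
lookup_host() {
    sed 's/#.*//' "$1" |
        awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Typical use as root on each station, one call per peer component:
#   add_host_entry /etc/hosts <peer-ip> <peer-hostname>
```

Run the same set of calls on every station; the idempotency check means an interrupted run can simply be repeated.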
Stop main server
17. Stop the main server.
18. Disable the automatic main server startup so that the main server does not start in the event of a power disruption during the conversion.
Convert standalone database to primary database
19. Log in to the standalone main database station as the root user.
20. Open a console window.
21. Enter the following:
# samconfig -m db ↵
The following is displayed:
Start processing command line inputs...
<db>
22. Enter the following, and then enter back ↵:
<db> configure redundant ip address ↵
where address is the IP address of the new standby database
The prompt changes to <db configure redundant>.
23. To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.
Note: For security reasons, it is strongly recommended that you enable IP validation.
Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or NSP analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.
Table 17-29: Primary database parameters — ip-validation
24. Verify the database configuration.
25. Enter the following to begin the database conversion:
<db> apply ↵
The database conversion begins, and messages are displayed as the operation progresses. The following is displayed when the database conversion is complete:
DONE
db configurations updated.
26. When the database conversion is complete, enter the following:
<db> exit ↵
The samconfig utility closes.
Convert standalone main server to primary main server
27. Log in to the standalone main server station as the root user.
28. Open a console window.
29. Ensure that no-one is logged in to the station as the nsp user.
30. Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
31. Enter the following:
<main> configure redundancy enabled ↵
The prompt changes to <main configure redundancy>.
32. Configure the general redundancy parameters in the following table.
Table 17-30: Primary main server parameters — redundancy

| Parameter | Description |
|---|---|
| ip-to-peer | The primary main server IP address that the standby main server must use for general communication. Default: IP address of primary network interface |
| rsync-ip | The primary main server IP address that the standby main server must use for data synchronization. Default: IP address of primary network interface |
Configure the database redundancy parameters in the following table, and then enter back ↵.
Table 17-31: Primary main server parameters — redundancy, database

| Parameter | Description |
|---|---|
| ip | The IP address that the primary main server must use to reach the standby database. Default: — |
| instance | Standby database instance name. Default: — |
| backup-sync | Whether database backup file synchronization is enabled. When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes. You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter; see the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization. You must set the parameter to the same value on each main server. Default: false |
| alignment | Whether automatic database alignment is enabled. If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components. For more information about database alignment, see the NSP System Administrator Guide. Default: false |
| preferred-instance | The name of the database instance with which the primary main server is to align. The parameter is configurable when the alignment parameter is enabled. Default: — |
| reinstantiation-delay | The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database. A value of 0 disables automatic database reinstantiation. Default: 60 |
Configure the peer-server redundancy parameters in the following table, and then enter back ↵.
Table 17-32: Primary main server parameters — redundancy, peer-server

| Parameter | Description |
|---|---|
| ip | The standby main server IP address that the primary main server uses for general communication. Default: — |
| hostname | The standby main server hostname that the primary main server uses for general communication. If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value. The parameter is configurable and mandatory when the hostname parameter in the client level is configured. Default: — |
| rsync-ip | The standby main server IP address that the primary main server uses for data synchronization. Default: — |
| public-ip | The IP address that the GUI and XML API clients must use to reach the standby main server. Default: — |
| jndi-port | The TCP port on the standby main server station used for EJB JNDI messaging to GUI clients. It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the standby main server. Default: 1099 |
| ip-to-auxes | The standby main server IP address that the auxiliary servers must use to reach the standby main server. You must configure the parameter if the NFM-P system includes one or more auxiliary servers. Default: — |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the standby main server |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the standby main server |
| snmp-port | The TCP port on the standby main server station used for SNMP communication with the managed NEs. Default: 162 |
| traplog-id | The SNMP trap log ID associated with the standby main server. Default: 98 |
Enter the following:
<main configure redundancy> back ↵
The prompt changes to <main configure>.
Configure the nspos parameters in the following table, and then enter back ↵.
Table 17-33: Standalone main server parameters — nspos
Verify the main server configuration.
- <main configure> show-detail ↵
The main server configuration is displayed.
- Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.
- When you are certain that the configuration is correct, enter the following:
<main configure> back ↵
The prompt changes to <main>.
Enter the following:
<main> apply ↵
The configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Start the primary main server.
- Enter the following to switch to the nsp user:
# su - nsp ↵
- bash$ cd /opt/nsp/nfmp/server/nms/bin ↵
- bash$ ./nmsserver.bash start ↵
- bash$ ./nmsserver.bash appserver_status ↵
The server status is displayed; the server is fully initialized if the status is the following:
Application Server process is running. See nms_status for more detail.
If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.
Close the console window.
Enable primary main server automatic startup
Enable automatic startup on the primary main server.
- Enter the following to switch back to the root user:
bash$ exit ↵
- Enter the following to enable the main server startup:
# systemctl enable nfmp-main.service ↵
Prepare new station for standby database installation
Log in as the root user on the standby main database station.
Perform one of the following.
Note: You must not download or install nsp-nfmp-nodeexporter unless the package is already installed on the existing standalone main server station or collocated station.
- If the main server and database are to be collocated on one station, download the following installation files to an empty directory on the collocated station:
  - nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and you want to forward NFM-P system metrics to the NSP
  Note: In subsequent steps, the directory is called the NFM-P software directory.
- If the main server and database are on separate stations, transfer the following downloaded installation files to an empty directory on the main database station:
  - nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and you want to forward NFM-P system metrics to the NSP
  Note: In subsequent steps, the directory is called the NFM-P software directory.
Open a console window.
Navigate to the directory that contains the OracleSw_PreInstall.sh file.
Enter the following:
# chmod +x OracleSw_PreInstall.sh ↵
CAUTION Misconfiguration Risk
The NFM-P software includes a script that configures the Oracle environment. The script is specific to an NFM-P release; using a different version may cause the database creation to fail.
You must run only the script that is included with the current NFM-P software.
Enter the following:
# ./OracleSw_PreInstall.sh ↵
Note: A default value is displayed in brackets []. To accept the default, press ↵.
The following prompt is displayed:
This script will prepare the system for a new install/restore of an NFM-P Version Release main database.
Do you want to continue? [Yes/No]:
Enter Yes. The following prompt is displayed:
Enter the Oracle dba group name [group]:
Enter a group name.
Note: The group name must match the group name specified during the primary database conversion.
The following messages and prompt are displayed:
Creating group group if it does not exist...
done
Enter the Oracle user name:
Enter a username.
Note: The username must match the username specified during the primary database conversion.
The following messages and prompt are displayed:
Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].
Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...
Checking user username...
Adding username...
Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.
About to unlock the UNIX user [username]
Unlocking password for user username.
passwd: Success
Unlocking the UNIX user [username] completed
Please assign a password to the UNIX user username ..
New Password:
Enter a password.
Note: The password must match the password specified during the primary database conversion.
The following prompt is displayed:
Re-enter new Password:
Re-enter the password. The following is displayed if the password change is successful:
passwd: password successfully changed for username
The following message and prompt are displayed:
Specify whether an NFM-P Main Server will be installed on this workstation.
The database memory requirements will be adjusted to account for the additional load.
Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:
Enter Yes or No, as required.
Messages like the following are displayed as the script execution completes:
INFO: About to set kernel parameters in /etc/sysctl.conf...
INFO: Completed setting kernel parameters in /etc/sysctl.conf...
INFO: About to change the current values of the kernel parameters
INFO: Completed changing the current values of the kernel parameters
INFO: About to set ulimit parameters in /etc/security/limits.conf...
INFO: Completed setting ulimit parameters in /etc/security/limits.conf...
INFO: Completed running Oracle Pre-Install Tasks
When the script execution is complete, enter the following to reboot the station:
# systemctl reboot ↵
The station reboots.
Install standby database
When the reboot is complete, log in as the root user on the standby main database station.
Open a console window.
Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
Enter the following:
# chmod +x * ↵
Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
Enter the following:
# samconfig -m db ↵
The following is displayed:
Start processing command line inputs...
<db>
Enter the following:
<db> configure type standby ↵
The prompt changes to <db configure>.
If required, configure the ip parameter; enter the following:
Note: The default is the IP address of the primary network interface on the station.
<db configure> ip address ↵
where address is the IP address of this database
Enter the following:
<db configure> redundant ip address ↵
where address is the IP address of the primary database
The prompt changes to <db configure redundant>.
Enter the following, and then enter back ↵:
<db configure redundant> instance instance_name ↵
where instance_name is the primary database instance name
Configure the passwords parameters in the following table, and then enter back ↵.
Note: The values must match the primary database values.
Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.
Table 17-34: Standby database parameters — passwords

| Parameter | Description |
|---|---|
| user | Database user password; the password must match the password specified during the primary database installation. Default: available from technical support |
| sys | Oracle SYS user password; the password must match the password specified during the primary database installation. Default: available from technical support |
To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.
Note: For security reasons, it is strongly recommended that you enable IP validation.
Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.
Table 17-35: Standby database parameters — ip-validation
To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.
Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.
Table 17-36: Standby database parameters — tls

| Parameter | Description |
|---|---|
| keystore-pass | The TLS keystore password. Default: available from technical support |
| pki-server | The PKI server IP address or hostname. You must configure the parameter. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
Verify the database configuration.
- <db configure> show-detail ↵
The database configuration is displayed.
- Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.
- When you are certain that the configuration is correct, enter the following:
<db configure> back ↵
The prompt changes to <db>.
Enter the following to begin the database creation:
<db> apply ↵
The database creation begins, and progress messages are displayed.
The following is displayed when the database creation is complete:
DONE
db configurations updated.
When the database creation is complete, enter the following:
<db> exit ↵
The samconfig utility closes.
Enter the following to reboot the standby main database station:
# systemctl reboot ↵
The station reboots.
Install standby main server
Log in as the root user on the standby main server station.
Perform one of the following.
- If the standby main server and database are to be collocated on one station, download the following installation files to the NFM-P software directory on the collocated station:
  where
  R.r.p is the NSP release identifier, in the form MAJOR.minor.patch
  v is a version identifier
- If the standby main server and database are to be on separate stations, download the following files to an empty directory on the main server station:
  Note: You must not download or install nsp-nfmp-nodeexporter unless the package is already installed on the existing standalone main server station or collocated station.
  - nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and currently forwards NFM-P system metrics to the NSP
  where
  R.r.p is the NSP release identifier, in the form MAJOR.minor.patch
  v is a version identifier
  Note: In subsequent steps, the directory is called the NFM-P software directory.
You must remove the semvalidator package if it is installed; otherwise, the upgrade is blocked.
Perform the following steps.
- # rpm -q nsp-nfmp-semvalidator ↵
If the package is installed, the following is displayed:
nsp-nfmp-semvalidator-version
If the package is not installed, the following is displayed:
package nsp-nfmp-semvalidator is not installed
- If the package is installed, enter the following:
# dnf remove nsp-nfmp-semvalidator ↵
The package is removed.
Open a console window.
Ensure that no-one is logged in to the station as the nsp user.
- # who ↵
The active user sessions are listed.
- If the nsp user is listed, close each nsp user session; see the OS documentation for information about closing user sessions.
Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
Enter the following:
# chmod +x * ↵
Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.
If this is the first installation of a main or auxiliary server on the station, change the nsp password.
- # passwd nsp ↵
The following prompt is displayed:
New Password:
- Enter a password. The following prompt is displayed:
Confirm Password:
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> configure ↵
The prompt changes to <main configure>.
Enter the following:
Note: You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file in this step, or later import the license, as described in the NSP System Administrator Guide.
<main configure> license license_file ↵
where license_file is the path and file name of the NSP license bundle
Enter the following:
<main configure> redundancy enabled ↵
The prompt changes to <main configure redundancy>.
Configure the general redundancy parameters in the following table.
Table 17-37: Standby main server parameters — redundancy

| Parameter | Description |
|---|---|
| ip-to-peer | The standby main server IP address that the primary main server must use for general communication. Default: IP address of primary network interface |
| rsync-ip | The standby main server IP address that the primary main server must use for data synchronization. Default: IP address of primary network interface |
Configure the database redundancy parameters in the following table, and then enter back ↵.
Table 17-38: Standby main server parameters — redundancy, database

| Parameter | Description |
|---|---|
| ip | The IP address that the standby main server must use to reach the primary database. Default: — |
| instance | Primary database instance name. Default: — |
| backup-sync | Whether database backup file synchronization is enabled. When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes. You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter; see the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization. You must set the parameter to the same value on each main server. Default: false |
| alignment | Whether automatic database alignment is enabled. If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components. For more information about database alignment, see the NSP System Administrator Guide. Default: false |
| preferred-instance | The name of the database instance with which the standby main server is to align. The parameter is configurable when the alignment parameter is enabled. Default: — |
| reinstantiation-delay | The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database. A value of 0 disables automatic database reinstantiation. Default: 60 |
Configure the peer-server redundancy parameters in the following table, and then enter back ↵.
Table 17-39: Standby main server parameters — redundancy, peer-server

| Parameter | Description |
|---|---|
| ip | The primary main server IP address that the standby main server uses for general communication. Default: — |
| hostname | The primary main server hostname that the standby main server uses for general communication. If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value. The parameter is configurable and mandatory when the hostname parameter in the client level is configured. Default: — |
| rsync-ip | The primary main server IP address that the standby main server uses for data synchronization. Default: — |
| public-ip | The IP address that the GUI and XML API clients must use to reach the standby main server. Default: — |
| jndi-port | The TCP port on the primary main server station used for EJB JNDI messaging to GUI clients. It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the primary main server. Default: 1099 |
| ip-to-auxes | The primary main server IP address that the auxiliary servers must use to reach the primary main server. You must configure the parameter if the NFM-P system includes one or more auxiliary servers. Default: — |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the primary main server |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the primary main server |
| snmp-port | The TCP port on the primary main server station used for SNMP communication with the managed NEs. Default: 162 |
| traplog-id | The SNMP trap log ID associated with the primary main server. Default: 98 |
Enter the following:
<main configure redundancy> back ↵
The prompt changes to <main configure>.
As required, configure the mediation parameters in the following table, and then enter back ↵.
Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.
Table 17-40: Standby main server parameters — mediation

| Parameter | Description |
|---|---|
| nat | Whether NAT is used between the main servers and the managed NEs. Default: false |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the standby main server. Default: IPv4 address of primary network interface |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the standby main server. Default: IPv6 address of primary network interface |
| snmp-port | The TCP port on the standby main server station that the managed NEs must use to reach the standby main server. Default: 162 |
| traplog-id | The SNMP trap log ID associated with the standby main server. Default: 98 |
The standby main server requires a copy of the NFM-P TLS keystore and truststore files that are used by the primary main server.
Copy the keystore and truststore files from the /opt/nsp/os/tls directory on the primary main server station to a temporary location on the standby main server station, and record the location for use in Step 94.
Caution: You must not copy the files to the /opt/nsp/os/tls directory on the standby main server station, or the TLS configuration fails.
Note: The nsp user must be the owner of the directory path to the location.
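Two directory rules in this procedure fail destructively rather than loudly: the database backup directory in Step 15 must not lie under /opt/nsp/nfmp/db (the backup wipes its target first), and the staging location for the copied keystore and truststore must not be /opt/nsp/os/tls or a subdirectory of it, and must be owned by the nsp user. The following is an added shell example, not part of the NSP documentation, that checks both rules before you type the path into a GUI form or samconfig. The protected prefixes and the expected owner are parameters so the functions can be exercised against scratch paths; the ownership check covers the staging directory itself.

```shell
#!/bin/bash
# Added example (not NSP code). Pre-flight checks for the backup directory
# (Step 15) and the TLS staging directory used before the tls parameters.

# normalize_path PATH: collapse "//" and "/./" and drop a trailing "/"
# without touching the filesystem, so prefix comparison is textual.
normalize_path() {
    printf '%s' "$1" | sed -e 's#/\./#/#g' -e 's#//*#/#g' -e 's#/\.$##' -e 's#\(.\)/$#\1#'
    printf '\n'
}

# path_under CANDIDATE PREFIX: 0 if CANDIDATE equals PREFIX or lies beneath it.
# "/opt/nsp/nfmp/dbbackup" is NOT under "/opt/nsp/nfmp/db".
path_under() {
    c=$(normalize_path "$1"); pfx=$(normalize_path "$2")
    case "$c" in
        "$pfx"|"$pfx"/*) return 0 ;;
    esac
    return 1
}

# check_backup_dir DIR [INSTALL_DIR]
# The database backup directory must be outside the database installation
# directory (default /opt/nsp/nfmp/db); the backup empties its target first.
check_backup_dir() {
    if path_under "$1" "${2:-/opt/nsp/nfmp/db}"; then
        echo "backup directory $1 is inside the database installation tree" >&2
        return 1
    fi
}

# check_tls_staging_dir DIR OWNER [TLS_DIR]
# The temporary location for the copied keystore/truststore must not be the
# live TLS directory (default /opt/nsp/os/tls) or below it, must exist, and
# must be owned by OWNER (the nsp user on a real station).
check_tls_staging_dir() {
    dir=$1; owner=$2; live=${3:-/opt/nsp/os/tls}
    if path_under "$dir" "$live"; then
        echo "$dir is the live TLS directory or inside it; stage the files elsewhere" >&2
        return 1
    fi
    [ -d "$dir" ] || { echo "$dir does not exist or is not a directory" >&2; return 1; }
    actual=$(stat -c '%U' "$dir") || return 1
    if [ "$actual" != "$owner" ]; then
        echo "$dir is owned by $actual, expected $owner" >&2
        return 1
    fi
}

# Typical use on a station:
#   check_backup_dir /opt/nsp/dbbackup
#   check_tls_staging_dir /home/nsp/tls-staging nsp
```

Both checks are deliberately textual on the path prefix so they can be run before the directory is created; the ownership check is the only part that needs the staging directory to exist.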
Configure the tls parameters in the following table, and then enter back ↵.
Table 17-41: Standby main server parameters — tls

| Parameter | Description |
|---|---|
| keystore-file | The absolute path of the TLS keystore file. To enable automated TLS deployment, enter no keystore-file. Default: — |
| keystore-pass | The TLS keystore password. Default: available from technical support |
| truststore-file | The absolute path of the TLS truststore file. To enable automated TLS deployment, enter no truststore-file. Default: — |
| truststore-pass | The TLS truststore password. Default: available from technical support |
| alias | The alias specified during keystore generation. You must configure the parameter. Default: — |
| pki-server | The PKI server IP address or hostname. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
| regenerate-certs | Whether to regenerate the internal TLS certificates. Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available. A new internal root certificate is available when the root certificate is reset, or when the PKI server is run on a station other than the station used for the previous certificate deployment. Default: false |
| hsts-enabled | Whether HSTS browser security is enabled. Default: false |
If required, configure the oss parameters in the following table, and then enter back ↵.
Note: The parameters are configurable only if the main server configuration does not include one or more auxiliary servers.
Table 17-42: Standby main server parameters — oss

| Parameter | Description |
|---|---|
| secure | Whether communication between the main servers and the XML API clients is secured using TLS. Default: secure |
| public-ip | The IP address that the XML API clients must use to reach the standby main server. Default: IP address of primary network interface |
| xml-output | The directory in which to store the output of XML API file export operations. Default: /opt/nsp/nfmp/server/xml_output |
If the NFM-P includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.
Table 17-43: Standby main server parameters — auxdb

| Parameter | Description |
|---|---|
| enabled | Whether the auxiliary database is enabled in the main server configuration |
| secure | Whether TLS is enabled on the auxiliary database. If TLS is enabled on the main server, you must set the parameter to true, and enable TLS during the auxiliary database installation. Default: false |
| ip-list | A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format: cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn where cluster_1_IP1, cluster_1_IP2, cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center, and cluster_2_IP1, cluster_2_IP2, cluster_2_IPn are the external IP addresses of the stations in the other data center; the second cluster is required only for a geo-redundant auxiliary database. Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system. Default: — |
| oam-test-results | Whether the auxiliary database is to store OAM test results. Default: false |
| redundancy-level | Boolean value that specifies whether the auxiliary database is to replicate data among multiple stations. If the auxiliary database is deployed on a single station, you must set the parameter to 0. Caution: After you configure an auxdb parameter and apply the main server configuration, you cannot modify the redundancy-level parameter. Default: 1 |
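The ip-list value is the one auxdb parameter that is easy to get wrong in a way samconfig does not catch for you: a mistyped address, a duplicate, or a standby main server whose list is in a different order from the primary's. The following is an added example, not part of the NFM-P or samconfig utility, that parses the ip-list format from the table above and checks the ordering rule for a geo-redundant system. The function names and the sample addresses (TEST-NET ranges) are this example's own.

```python
"""Parse and validate a samconfig auxdb ip-list value (added example, not NFM-P code).

Format (Table 17-43): one or two clusters separated by ';', each a
comma-separated list of external IP addresses. Cluster 2 is present only
for a geo-redundant auxiliary database, and then the address order must
match on every main server.
"""
from __future__ import annotations

import ipaddress


def parse_auxdb_ip_list(value: str) -> list[list[str]]:
    """Return the clusters as lists of normalized IP address strings.

    Raises ValueError on a malformed entry so the caller can stop before
    the value is applied in samconfig.
    """
    value = value.strip()
    if not value:
        raise ValueError("ip-list is empty")
    clusters: list[list[str]] = []
    for cluster_no, cluster in enumerate(value.split(";"), start=1):
        addrs = []
        for raw in cluster.split(","):
            raw = raw.strip()
            if not raw:
                raise ValueError(f"cluster {cluster_no}: empty address entry")
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError as exc:
                raise ValueError(f"cluster {cluster_no}: {raw!r} is not an IP address") from exc
            addrs.append(str(addr))
        clusters.append(addrs)
    if len(clusters) > 2:
        raise ValueError("ip-list may contain at most two clusters (one per data center)")
    flat = [a for c in clusters for a in c]
    if len(set(flat)) != len(flat):
        raise ValueError("ip-list contains a duplicate address")
    return clusters


def check_geo_redundant_order(primary_value: str, standby_value: str) -> list[str]:
    """Return a list of problems; an empty list means the two main servers agree.

    The table requires the same order on each main server, so the check is
    an ordered comparison of the parsed clusters, not a set comparison.
    """
    try:
        primary = parse_auxdb_ip_list(primary_value)
        standby = parse_auxdb_ip_list(standby_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(primary) != 2:
        problems.append("geo-redundant auxiliary database needs two clusters")
    if primary != standby:
        problems.append("ip-list differs between main servers (order matters)")
    return problems


if __name__ == "__main__":
    # Constructed sample value; not addresses from any real deployment.
    sample = "192.0.2.11,192.0.2.12,192.0.2.13;198.51.100.11,198.51.100.12,198.51.100.13"
    print(parse_auxdb_ip_list(sample))
    print(check_geo_redundant_order(sample, sample))
```

Run the check against the value you intend to enter on each main server before applying the configuration; the redundancy-level caution in the table means a wrong auxdb value is costly to undo once applied.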
As required, configure the aa-stats parameters in the following table, and then enter back ↵.
Table 17-44: Standby main server parameters — aa-stats
Configure the nspos parameters in the following table, and then enter back ↵.
Table 17-45: Standby main server parameters — nspos
Configure the remote-syslog parameters in the following table, and then enter back ↵.
Table 17-46: Standby main server parameters — remote-syslog

| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.
Table 17-47: Standby main server parameters — server-logs-to-remote-syslog

| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P server logs in syslog format to a remote server. Default: disabled |
| secured | Whether the communication with the remote server is TLS-secured. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
Verify the main server configuration.
-
<main configure> show-detail ↵
The main server configuration is displayed.
-
Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.
-
When you are certain that the configuration is correct, enter the following:
<main configure> back ↵
The prompt changes to <main>.
Enter the following:
<main> apply ↵
The configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
If the NFM-P is part of a shared-mode NSP system and you want to enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.
Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.
Note: The parameter you must configure is displayed only if the ip-list parameter is set to a remote address.
Note: The parameter is configurable only if the secure and internal-certs parameters in the nspos section are set to true.
-
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
-
<main> configure nspos mtls-kafka-enabled back ↵
-
<main> apply ↵
The configuration is applied.
-
<main> exit ↵
The samconfig utility closes.
Enable Windows Active Directory access
If you intend to use Windows Active Directory, or AD, for single-sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 124.
Open the following file as a reference for use in subsequent steps:
/opt/nsp/os/install/examples/config.yml
Note: Consider the following.
-
The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.
-
Windows AD supports the following LDAP server types for remote authentication:
AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.
AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager REST API.
Locate the section that begins with the following lines:
# ldap:
#   enabled: true
#   servers:
#     - type: AUTHENTICATED/AD/ANONYMOUS
#       url: ldaps://ldap.example.com:636
#       security: SSL/STARTTLS/NONE
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
Locate the section that begins with the following line:
"sso": {
The section has one subsection for each type of SSO access.
Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.
In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.
The following example shows the LDAP configuration for two AD servers:
"ldap": {
    "enabled": true,
    "servers": [
        {
            "type": "auth_type",
            "url": "ldaps://server1:port",
            "server1_parameter_1": "value",
            "server1_parameter_2": "value",
            .
            .
            "server1_parameter_n": "value"
        },
        {
            "type": "auth_type",
            "url": "ldaps://server2:port",
            "server2_parameter_1": "value",
            "server2_parameter_2": "value",
            .
            .
            "server2_parameter_n": "value"
        }
    ]
}
where auth_type is AD or AUTHENTICATED
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The AD LDAP configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Enable CAC access
If you do not intend to enable Common Access Card, or CAC, technology for NFM-P client access, go to Step 124.
Download the federationmetadata.xml from the following ADFS link:
https://ADFS_server_name/FederationMetadata/2007-06/federationmetadata.xml
where ADFS_server_name is the ADFS server FQDN
Add an ADFS server entry to the /etc/hosts file on the main server.
-
Open the /etc/hosts file using a plain-text editor such as vi.
-
Add the following line below the line that contains the main server IP address:
IP_address FQDN
where
IP_address is the IP address of the ADFS server
FQDN is the FQDN of the ADFS server
In order to enable CAC for client access, you must configure Active Directory Federation Services, or ADFS.
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
In the sso section, create an saml2 subsection as shown below using the parameter names from the saml2 section of config.yml and the required values for your configuration.
The following example shows the ADFS configuration.
Note: You must preserve the lead spacing of each line.
"sso" : {
    "saml2": {
        "enabled": true,
        "service_provider_entity_id": "NFM-P_identifier",
        "service_provider_metadata_filename": "casmetadata.xml",
        "maximum_authentication_lifetime": 3600,
        "accepted_skew": 300,
        "destination_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        "identity_provider_metadata_path": "ADFS_metadata_file",
        "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
        "authn_context_comparison_type": "minimum",
        "name_id_policy_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "force_auth": true,
        "passive": false,
        "wants_assertions_signed": false,
        "wants_responses_signed": false,
        "all_signature_validation_disabled": false,
        "sign_service_provider_metadata": false,
        "principal_id_attribute": "UPN",
        "use_name_qualifier": false,
        "provider_name": "ADFS_server_URI",
        "requested_attributes": [{
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "friendly_name": "E-Mail Address",
            "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "required": false
        } ],
        "mapped_attributes": [{
            "name": "http://schemas.xmlsoap.org/claims/Group",
            "mapped_to": "authorizationProfile"
        }, {
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "mapped_to": "upn"
        } ]
    },
Configure the following parameters; leave all other parameters at the default:
-
NFM-P_identifier is the unique ADFS Relying Party Trust identifier
-
ADFS_metadata_file is the absolute path of the ADFS metadata XML file, for example, /opt/federationmetadata.xml
-
ADFS_server_name is the ADFS server FQDN
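Both the ldap subsection (Windows AD access) and the saml2 subsection (CAC access) are hand-edited JSON in /opt/nsp/os/install/config.json, and a leftover placeholder or an unsupported server type is only discovered after apply. The following is an added pre-flight check, not part of NFM-P or the samconfig utility, that reads the sso section and reports the mistakes the procedure above warns about: an ldap server type other than AD or AUTHENTICATED, a url that is not an LDAP URL or that still ends in the :port placeholder, saml2 placeholders (NFM-P_identifier, ADFS_metadata_file, ADFS_server_URI) that were never replaced, a relative metadata path, and all_signature_validation_disabled set to true. The function names, the sample configuration, and the assumption that the security key takes the SSL/STARTTLS/NONE values shown in the config.yml excerpt are this example's own.

```python
"""Pre-flight checks for the sso section of config.json (added example, not NFM-P code)."""
from __future__ import annotations

import json
import os

LDAP_TYPES = {"AD", "AUTHENTICATED"}
# Placeholder values from the saml2 template in the procedure; each must be replaced.
SAML2_PLACEHOLDERS = {
    "service_provider_entity_id": "NFM-P_identifier",
    "identity_provider_metadata_path": "ADFS_metadata_file",
    "provider_name": "ADFS_server_URI",
}


def check_ldap(ldap: dict) -> list[str]:
    """Return problems found in the ldap subsection."""
    problems = []
    if ldap.get("enabled") is not True:
        problems.append("ldap: enabled is not true")
    servers = ldap.get("servers")
    if not isinstance(servers, list) or not servers:
        return problems + ["ldap: servers must be a non-empty list"]
    for i, server in enumerate(servers, start=1):
        stype = server.get("type")
        if stype not in LDAP_TYPES:
            problems.append(f"ldap server {i}: type {stype!r} is not AD or AUTHENTICATED")
        url = str(server.get("url", ""))
        if not url.startswith(("ldaps://", "ldap://")):
            problems.append(f"ldap server {i}: url {url!r} is not an ldap:// or ldaps:// URL")
        elif url.endswith(":port"):
            problems.append(f"ldap server {i}: url still holds the ':port' placeholder")
        # Assumption: 'security' takes SSL/STARTTLS/NONE as in the config.yml excerpt;
        # a plain ldap:// URL without STARTTLS would send the bind in cleartext.
        if url.startswith("ldap://") and server.get("security") != "STARTTLS":
            problems.append(f"ldap server {i}: cleartext LDAP (ldap:// without STARTTLS)")
    return problems


def check_saml2(saml2: dict, check_files: bool = False) -> list[str]:
    """Return problems found in the saml2 subsection."""
    problems = []
    if saml2.get("enabled") is not True:
        problems.append("saml2: enabled is not true")
    for key, placeholder in SAML2_PLACEHOLDERS.items():
        value = saml2.get(key)
        if not value:
            problems.append(f"saml2: {key} is missing or empty")
        elif value == placeholder:
            problems.append(f"saml2: {key} still holds the placeholder {placeholder!r}")
    path = str(saml2.get("identity_provider_metadata_path") or "")
    if path and path != SAML2_PLACEHOLDERS["identity_provider_metadata_path"]:
        if not os.path.isabs(path):
            problems.append("saml2: identity_provider_metadata_path must be an absolute path")
        elif check_files and not os.path.isfile(path):
            problems.append(f"saml2: metadata file {path} not found")
    if saml2.get("all_signature_validation_disabled") is True:
        problems.append("saml2: all_signature_validation_disabled is true, so IdP signatures are not verified")
    return problems


def check_sso_config(config: dict, check_files: bool = False) -> list[str]:
    """Check whichever sso subsections are present; empty list means no findings."""
    sso = config.get("sso")
    if not isinstance(sso, dict):
        return ["config.json has no sso section"]
    problems = []
    if "ldap" in sso:
        problems += check_ldap(sso["ldap"])
    if "saml2" in sso:
        problems += check_saml2(sso["saml2"], check_files)
    return problems


def check_sso_file(path: str) -> list[str]:
    """Load a config.json from disk and check it, including metadata file existence."""
    with open(path, encoding="utf-8") as fh:
        return check_sso_config(json.load(fh), check_files=True)


if __name__ == "__main__":
    # Constructed sample; hostnames and identifiers are not from any real deployment.
    sample = {"sso": {
        "ldap": {"enabled": True, "servers": [
            {"type": "AD", "url": "ldaps://dc1.example.test:636"},
            {"type": "AUTHENTICATED", "url": "ldaps://dc2.example.test:636"}]},
        "saml2": {"enabled": True, "service_provider_entity_id": "nfmp-sp",
                  "identity_provider_metadata_path": "/opt/federationmetadata.xml",
                  "provider_name": "https://adfs.example.test/adfs/services/trust",
                  "all_signature_validation_disabled": False}}}
    for line in check_sso_config(sample) or ["no findings"]:
        print(line)
```

Run check_sso_file("/opt/nsp/os/install/config.json") after saving the file and before entering apply in samconfig; an empty result only means the constraints listed above hold, not that the IdP or directory will accept the configuration.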
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The ADFS configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Configure WS-NOC integration
If the NFM-P is integrated with a WS-NOC system, open the following file with a plain-text editor such as vi:
/opt/nsp/os/install/examples/config.json
Otherwise, go to Step 134.
Copy the following section:
"nfmt": {
    "primary_ip": "",
    "standby_ip": "",
    "username": "",
    "password": "",
    "cert_provided": false
},
Close the file.
Open the following file with a plain-text editor such as vi:
/opt/nsp/os/install/config.json
Paste in the copied section.
Configure the required parameters to enable the WS-NOC integration:
Save and close the file.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Start standby main server
Start the standby main server.
Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.
-
bash$ cd /opt/nsp/nfmp/server/nms/bin ↵
-
bash$ ./nmsserver.bash start ↵
-
bash$ ./nmsserver.bash appserver_status ↵
The server status is displayed; the server is fully initialized if the status is the following:
Application Server process is running. See nms_status for more detail.
If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.
Define the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.
-
bash$ ./nmsdeploytool.bash clientmem -option ↵
where option is one of the following:
-
Enter the following to commit the configuration change:
bash$ ./nmsdeploytool.bash deploy ↵
If you have enabled CAC for NFM-P client access, download the casmetadata.xml file from the following URL, and then import the file into the ADFS server relying party trust:
https://server/cas/sp/metadata
where server is the main server IP address or hostname
After the download, the casmetadata.xml file is available in the following directory on the main server:
/opt/nsp/os/tomcat/conf/cas/saml
If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, perform the following steps.
-
Use the NSP Session Manager REST API to add the LDAP server bind credentials; see the Network Developer Portal for information.
-
If the NFM-P is not part of a shared-mode NSP deployment, enter the following to restart the local nspos-tomcat service:
Note: The service restart may take a few minutes, during which NFM-P GUI and REST client access is degraded. General NFM-P operation is unaffected.
# systemctl restart nspos-tomcat ↵
If the NFM-P system includes one or more NSP Flow Collectors, configure the standby main server parameters and other redundancy parameters, as required; see the NSP documentation for information.
If the NFM-P system includes one or more analytics servers, enable redundancy support on each analytics server; see the NSP documentation for information.
Reinstantiate standby database
Open an NFM-P GUI client as the admin user.
Choose Administration→System Information from the main menu. The System Information form opens.
Click Re-Instantiate Standby.
Click Yes to confirm the action. The reinstantiation begins, and the GUI status bar displays reinstantiation information.
Note: Database reinstantiation takes considerable time if the database contains a large amount of statistics data.
You can also use the System Information form to monitor the reinstantiation progress. The Last Attempted Standby Re-instantiation Time is the start time; the Standby Re-instantiation State changes from In Progress to Success when the reinstantiation is complete.
When the reinstantiation is complete, close the System Information form.
Use an NFM-P GUI client to perform sanity testing of the newly redundant system.
Configure and enable firewalls
If you intend to use any firewalls between the NFM-P components, and the firewalls are disabled, configure and enable each firewall.
Perform one of the following.
-
Configure each external firewall to allow the required traffic using the port assignments in the NSP Planning Guide, and enable the firewall.
-
Configure and enable firewalld on each component station, as required.
End of steps