To convert a standalone NFM-P system to a redundant system

Description

The following steps describe how to convert an NFM-P system in a standalone deployment to a redundant system. This involves the following:

  • Converting the standalone main server and database to a primary main server and database

  • Installing the standby main server and database software

  • Reinstantiating the database on the new standby main database station

Ensure that you record the information that you specify, for example, directory names, passwords, and IP addresses.

Note: Command-line examples use the following to represent the RHEL CLI prompts:

  • #—represents the prompt for the root user

  • bash$—represents the prompt for the nsp user

Do not type the leading # symbol or bash$ when you enter a command.

Note: You require the following user privileges:

  • on the standalone main server station—root, nsp

  • on the standby main server station—root

  • on the standalone main database station—root, Oracle management

  • on the standby main database station—root

Note: The nsp user account is created on the standby main server station during this procedure.

Note: The Oracle management user account is created on the standby main database station during this procedure.

Steps
Perform security preconfiguration
 

Start the PKI server, regardless of whether you are using the automated or manual TLS configuration method; perform To configure and enable a PKI server.

Note: The PKI server is required for internal system configuration purposes.


If you are using the manual TLS deployment method, generate and distribute the required TLS files for the system, as described in NSP TLS configuration.


Before you attempt an NFM-P system conversion to redundancy, you must ensure that each firewall between NFM-P components allows the required traffic to pass between the components, or is disabled. You can configure and enable the firewall after the installation, if required.

Note: The RHEL firewalld service is typically enabled by default in a new RHEL OS installation.

Perform one of the following.

  1. Configure each firewall to allow the required traffic to pass. See the NSP Planning Guide for a list of the ports that must be open on each component.

    Note: The RHEL firewalld service must be configured using the firewalld rules in the NSP Planning Guide, which describes using NFM-P templates for rule creation.

  2. Disable each firewall; see the external firewall documentation, or perform To disable the RHEL firewalld service.


Back up configuration files
 

Make a backup copy of each file that you have created or customized in or under the /opt/nsp/nfmp/server/nms and /opt/nsp/nfmp/server/jre directories on each server station.

Note: At the beginning of an NFM-P server conversion, the NFM-P installation utility backs up specific configuration and log files to a timestamped directory under the installation directory. The utility then deletes directories under the main server installation directory. If you have created or customized a file under the installation directory, you risk losing the file unless you back up the file before the conversion to a storage location that is unaffected by the conversion.

Store the files in a secure location that is unaffected by the conversion activity.


Download installation files
 

Download the following NFM-P installation files for the installed release to an empty directory on a station that is not affected by the conversion activity:

Note: The station must be reachable by each station that is to host an NFM-P main server or main database.

  • nsp-nfmp-jre-R.r.p-rel.v.rpm

  • nsp-nfmp-config-R.r.p-rel.v.rpm

  • nsp-nfmp-nspos-R.r.p-rel.v.rpm

  • nsp-nfmp-main-server-R.r.p-rel.v.rpm

  • nsp-nfmp-oracle-R.r.p-rel.v.rpm

  • nsp-nfmp-main-db-R.r.p-rel.v.rpm

  • OracleSw_PreInstall.sh

where

R.r.p is the NSP release identifier, in the form MAJOR.minor.patch

v is a version identifier


Gather required information
 

Obtain the following information from the main server station and record it for use during the conversion:

  • hostname, which is one of the following:

    • the hostname specified for the main server station during the previous NFM-P software installation or upgrade

    • the local hostname, if an IP address was specified for the main server station during the previous NFM-P software installation or upgrade

  • IP addresses

    • IP address that the current and new main databases require to reach the main server

    • IP address that the NFM-P GUI and XML API clients require to reach the main server (public IP address, if NAT is used)

    • IP address that NFM-P auxiliary servers require to reach the main server

    • private IP address (if NAT is used)

  • root user password


Obtain the following information from the main database station and record it for use during the conversion:

  • hostname

  • IP addresses

    • IP addresses that the current and new main servers use to reach the database

    • IP address that the auxiliary servers use to reach the database

  • root user password

  • Oracle database user password

  • Oracle SYS password


If the system includes one or more auxiliary servers, click on the Auxiliary Servers tab; otherwise, go to Step 10.

A list of auxiliary servers is displayed.


Perform the following steps for each auxiliary server listed on the form.

  1. Select the auxiliary server and click Properties. The Auxiliary Server [Edit] form opens.

  2. Record the following information for use during the conversion:

    • Host Name

    • Auxiliary Server Type

    • Server Status

    • Public IP address

    • Private IP address, if displayed

  3. Close the Auxiliary Server [Edit] form.


10 

If the NFM-P system includes one or more client delegate servers, perform the following steps. Otherwise, go to Step 12.

  1. Open an NFM-P GUI client.

  2. Choose Administration→System Information from the main menu. The System Information form is displayed.

  3. Click on the Client Delegate Servers tab.


11 

Perform the following steps for each client delegate server listed on the form:

  1. Select a client delegate server in the list and click Properties. The properties form for the client delegate server opens.

  2. Record the IP Address value for use during the conversion.

  3. Close the client delegate server properties form.


12 

Close the System Information form, if it is open.


Close LogViewer utility
 
13 
CAUTION

Service Disruption

If the LogViewer utility is running during an NFM-P conversion to redundancy, the conversion fails.

You must ensure that the LogViewer is closed.

Close the LogViewer utility, if it is open.


Close client sessions
 
14 

Close the open NFM-P GUI and XML API client sessions.

  1. Open an NFM-P GUI client using an account with security management privileges, such as admin.

  2. Choose Administration→Security→NFM-P User Security from the main menu. The NFM-P User Security - Security Management (Edit) form opens.

  3. Click on the Sessions tab.

  4. Click Search. The form lists the open GUI and XML API client sessions.

  5. Identify the GUI session that you are using based on the value in the Client IP column.

  6. Select all sessions except your current session and click Close Session.

  7. Click Yes to confirm the action.

  8. Click Search to refresh the list and verify that only the current session is open.

  9. Close the NFM-P User Security - Security Management (Edit) form.


Back up database
 
15 
CAUTION

Data Loss

The path of the main database backup directory must not include the main database installation directory, or data loss may occur.

Ensure that the backup directory path that you specify does not include /opt/nsp/nfmp/db.

Note: Before the NFM-P performs a database backup, it deletes the contents of the specified backup directory. Ensure that the backup directory that you specify does not contain files that you want to retain.

You must perform a database backup before you convert an NFM-P system to redundancy.

Back up the main database from the client GUI or a CLI; see the NSP System Administrator Guide for information.
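
The two conditions in this step (the backup path must not include /opt/nsp/nfmp/db, and the directory contents are deleted before the backup) can be checked before the backup is started. The following is an added example, not part of the NFM-P software or documentation; the function names and the DB_INSTALL_DIR variable are assumptions of the example, and the check for a backup directory that is a parent of the installation directory goes beyond what the page states.

```shell
# Added example: pre-flight check for the main database backup directory.
DB_INSTALL_DIR=${DB_INSTALL_DIR:-/opt/nsp/nfmp/db}   # path named in the caution

# Resolve symlinks even when the directory does not exist yet, by resolving
# the nearest existing ancestor and re-appending the remaining components.
resolve_path() {
    p=$1; rest=
    while [ ! -d "$p" ]; do
        rest="/$(basename "$p")$rest"
        p=$(dirname "$p")
    done
    base=$(cd "$p" && pwd -P)
    if [ "$base" = / ]; then base=; fi
    r=$base$rest
    printf '%s\n' "${r:-/}"
}

# Returns 0 = usable, 1 = rejected (overlaps the installation directory),
# 2 = usable but not empty (its contents are deleted before the backup).
check_backup_dir() {
    [ -n "$1" ] || { echo "usage: check_backup_dir DIR"; return 1; }
    dir=$(resolve_path "$1")
    db=$(resolve_path "$DB_INSTALL_DIR")
    case "$dir/" in
        "$db"/*) echo "REJECT: $1 resolves to $dir, inside $db"; return 1 ;;
    esac
    # Not stated on the page, but follows from the deletion note: a backup
    # directory that is a parent of the installation directory is as unsafe.
    case "$db/" in
        "$dir"/*) echo "REJECT: $dir contains $db"; return 1 ;;
    esac
    if [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "WARN: $dir is not empty; the backup deletes its contents"
        return 2
    fi
    echo "OK: $dir"
}

# Demonstration with the path from the caution; prints a REJECT line.
check_backup_dir /opt/nsp/nfmp/db/backup || true
```

A symlink that points into the installation directory is rejected as well, because the path is resolved before it is compared.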


Add hostname mappings
 
16 

As the root user, update the /etc/hosts file on each standalone and new standby component station to include an entry for each peer component. See Management network configuration example for a configuration example.


Stop main server
 
17 

Stop the main server.

  1. Log in to the main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash stop ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully stopped if the status is the following:

    Application Server is stopped

    If the server is not fully stopped, wait five minutes and then repeat this step. Do not perform the next step until the server is fully stopped.

  6. Enter the following to switch to the root user:

    bash$ su ↵

  7. If the NFM-P is not part of a shared-mode NSP deployment, enter the following to display the nspOS service status:

    nspdctl status ↵

    Information like the following is displayed.

    Mode:     standalone

    Role:     leader

    DC-Role:  active

    DC-Name:  dc_name

    Registry: IP_address:port

    State:    stopped

    Uptime:   0s

    SERVICE           STATUS

    service_a         inactive

    service_b         inactive

    service_c         inactive

    You must not proceed to the next step until all NSP services are stopped; if the State is not ‘stopped’, or the STATUS indicator of each listed service is not ‘inactive’, repeat this substep.
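
The stop check in Step 17 can be scripted rather than read by eye. The following is an added example, not part of the NFM-P software or documentation: a shell function that parses output in the format shown above and succeeds only when State is stopped and every listed service is inactive. The function names, the constructed sample output and the 30-second polling interval are assumptions of the example.

```shell
# Added example: gate on `nspdctl status` output (format as shown in Step 17).
# Reads the status text on stdin. Returns 0 only when State is "stopped" and
# every row under the SERVICE/STATUS header is "inactive"; otherwise prints
# what blocks the next step and returns 1.
nsp_fully_stopped() {
    awk '
        $1 == "State:"                    { state = $2; next }
        $1 == "SERVICE" && $2 == "STATUS" { in_table = 1; next }
        in_table && NF >= 2 {
            rows++
            if ($2 != "inactive") { printf "not inactive: %s (%s)\n", $1, $2; bad++ }
        }
        END {
            if (state != "stopped") { printf "State is \"%s\", not stopped\n", state; bad++ }
            # Fail closed: no service rows means the output was not understood.
            if (rows == 0) { print "no SERVICE rows found"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample outputs; service names are the page's placeholders and
# the "stopping" and "active" values are made up for the failing case.
sample_stopped() {
    cat <<'EOF'
Mode:     standalone
Role:     leader
DC-Role:  active
DC-Name:  dc_name
Registry: IP_address:port
State:    stopped
Uptime:   0s

SERVICE           STATUS
service_a         inactive
service_b         inactive
service_c         inactive
EOF
}

sample_partial() {
    cat <<'EOF'
Mode:     standalone
State:    stopping
Uptime:   0s

SERVICE           STATUS
service_a         inactive
service_b         active
EOF
}

# On the main server station, as root: poll until everything is down.
# The 30-second interval is an assumption of this example.
wait_until_stopped() {
    until nspdctl status | nsp_fully_stopped; do sleep 30; done
}

sample_stopped | nsp_fully_stopped && echo "sample_stopped: safe to proceed"
sample_partial | nsp_fully_stopped || echo "sample_partial: repeat the substep"
```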


18 

Disable the automatic main server startup so that the main server does not start in the event of a power disruption during the conversion.

  1. Enter the following:

    systemctl disable nspos-nspd.service ↵

  2. Enter the following:

    systemctl disable nfmp-main-config.service ↵

  3. Enter the following:

    systemctl disable nfmp-main.service ↵


Convert standalone database to primary database
 
19 

Log in to the standalone main database station as the root user.


20 

Open a console window.


21 

Enter the following:

samconfig -m db ↵

The following is displayed:

Start processing command line inputs...

<db> 


22 

Enter the following, and then enter back ↵.

<db> configure redundant ip address

where address is the IP address of the new standby database

The prompt changes to <db configure redundant>.


23 

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.

Note: For security reasons, it is strongly recommended that you enable IP validation.

Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or NSP analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.

Table 17-29: Primary database parameters — ip-validation

Parameter
    Description

main-one
    IP address of primary main server
    Configuring the parameter enables IP validation.
    Default: —

main-two
    IP address of standby main server
    Default: —

remote-servers
    Comma-separated list of the IP addresses of each of the following components that must connect to the database:
      • auxiliary servers
      • NSP Flow Collectors
      • NSP analytics servers
    Default: —


24 

Verify the database configuration.

  1. Enter the following:

    <db configure> show-detail ↵

    The database configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <db configure> back ↵

    The prompt changes to <db>.


25 

Enter the following to begin the database conversion:

<db> apply ↵

The database conversion begins, and messages are displayed as the operation progresses.

The following is displayed when the database conversion is complete:

DONE

db configurations updated.


26 

When the database conversion is complete, enter the following:

<db> exit ↵

The samconfig utility closes.


Convert standalone main server to primary main server
 
27 

Log in to the standalone main server station as the root user.


28 

Open a console window.


29 

Ensure that no one is logged in to the station as the nsp user.

  1. Enter the following:

    who ↵

    The active user sessions are listed.

  2. If the nsp user is listed, close each nsp user session; see the RHEL documentation for more information.


30 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


31 

Enter the following:

<main> configure redundancy enabled ↵

The prompt changes to <main configure redundancy>.


32 

Configure the general redundancy parameters in the following table.

Table 17-30: Primary main server parameters — redundancy

Parameter
    Description

ip-to-peer
    The primary main server IP address that the standby main server must use for general communication
    Default: IP address of primary network interface

rsync-ip
    The primary main server IP address that the standby main server must use for data synchronization
    Default: IP address of primary network interface


33 

Configure the database redundancy parameters in the following table, and then enter back ↵.

Table 17-31: Primary main server parameters — redundancy, database

Parameter
    Description

ip
    The IP address that the primary main server must use to reach the standby database
    Default: —

instance
    Standby database instance name
    Default: —

backup-sync
    Whether database backup file synchronization is enabled
    When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes.
    You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter. See the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization.
    You must set the parameter to the same value on each main server.
    Default: false

alignment
    Whether automatic database alignment is enabled
    If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components.
    For more information about database alignment, see the NSP System Administrator Guide.
    Default: false

preferred-instance
    The name of the database instance with which the primary main server is to align
    The parameter is configurable when the alignment parameter is enabled.
    Default: —

reinstantiation-delay
    The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database
    A value of 0 disables automatic database reinstantiation.
    Default: 60


34 

Configure the peer-server redundancy parameters in the following table, and then enter back ↵.

Table 17-32: Primary main server parameters — redundancy, peer-server

Parameter
    Description

ip
    The standby main server IP address that the primary main server uses for general communication
    Default: —

hostname
    The standby main server hostname that the primary main server uses for general communication
    If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.
    The parameter is configurable and mandatory when the hostname parameter in the client level is configured.
    Default: —

rsync-ip
    The standby main server IP address that the primary main server uses for data synchronization
    Default: —

public-ip
    The IP address that the GUI and XML API clients must use to reach the standby main server
    Default: —

jndi-port
    The TCP port on the standby main server station used for EJB JNDI messaging to GUI clients
    It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the standby main server.
    Default: 1099

ip-to-auxes
    The standby main server IP address that the auxiliary servers must use to reach the standby main server
    You must configure the parameter if the NFM-P system includes one or more auxiliary servers.
    Default: —

snmp-ipv4
    The IPv4 address that the managed NEs must use to reach the standby main server

snmp-ipv6
    The IPv6 address that the managed NEs must use to reach the standby main server

snmp-port
    The TCP port on the standby main server station used for SNMP communication with the managed NEs
    Default: 162

traplog-id
    The SNMP trap log ID associated with the standby main server
    Default: 98


35 

Enter the following:

<main configure redundancy> back ↵

The prompt changes to <main configure>.


36 

Configure the nspos parameters in the following table, and then enter back ↵.

Table 17-33: Standalone main server parameters — nspos

Parameter
    Description

ip-list
    The nspOS-server IP addresses, separated by a semicolon
    Specify only one IP address for a standalone NSP system.
      • If the NFM-P system is in a shared-mode NSP deployment, specify the advertised address of each NSP cluster.
      • If the NSP system includes only the NFM-P, specify the main server private IP address.
    Default: —

address-to-nspos
    The main server IP address that is reachable by the nspOS server
    Default: —

secure
    Whether communication with the nspOS servers is secured using TLS
    It is strongly recommended to enable the parameter in an NFM-P-only deployment.
    Default: false

internal-certs
    Whether internal certificates are used to secure nspOS communication between components; the parameter is configurable when the secure parameter is set to true.
    The parameter is deprecated, and must be set to the same value as the secure parameter.
    Default: false

dc-name
    The nspOS DR data center name for aligning NSP components with the local NFM-P main server; must match the dcName value in the NSP configuration file
    The parameter is required only in a redundant deployment; however, in a shared-mode deployment, it is recommended that you configure the parameter, regardless of the NFM-P deployment type.
    Default: —


37 

Verify the main server configuration.

  1. Enter the following:

    <main configure> show-detail ↵

    The main server configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <main configure> back ↵

    The prompt changes to <main>.


38 

Enter the following:

<main> apply ↵

The configuration is applied.


39 

Enter the following:

<main> exit ↵

The samconfig utility closes.


40 

Start the primary main server.

  1. Enter the following to switch to the nsp user:

    su - nsp ↵

  2. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  3. Enter the following:

    bash$ ./nmsserver.bash start ↵

  4. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.


41 

Close the console window.


Enable primary main server automatic startup
 
42 

Enable automatic startup on the primary main server.

  1. Enter the following to switch back to the root user:

    bash$ exit ↵

  2. Enter the following to enable the main server startup:

    systemctl enable nfmp-main.service ↵


Prepare new station for standby database installation
 
43 

Log in as the root user on the standby main database station.


44 

Perform one of the following.

Note: You must not download or install nsp-nfmp-nodeexporter unless the package is already installed on the existing standalone main server station or collocated station.

  1. If the main server and database are to be collocated on one station, perform the following steps.

    1. Download the following installation files to an empty directory on the collocated station:

      • nsp-nfmp-oracle-R.r.p-rel.v.rpm

      • nsp-nfmp-main-db-R.r.p-rel.v.rpm

      • nsp-nfmp-nspos-R.r.p.rpm

      • nsp-nfmp-jre-R.r.p-rel.v.rpm

      • nsp-nfmp-config-R.r.p-rel.v.rpm

      • nsp-nfmp-main-server-R.r.p.rpm

      • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and you want to forward NFM-P system metrics to the NSP

      • OracleSw_PreInstall.sh

      Note: In subsequent steps, the directory is called the NFM-P software directory.

  2. If the main server and database are on separate stations, transfer the following downloaded installation files to an empty directory on the main database station:

    • nsp-nfmp-jre-R.r.p-rel.v.rpm

    • nsp-nfmp-config-R.r.p-rel.v.rpm

    • nsp-nfmp-oracle-R.r.p-rel.v.rpm

    • nsp-nfmp-main-db-R.r.p-rel.v.rpm

    • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and you want to forward NFM-P system metrics to the NSP

    • OracleSw_PreInstall.sh

    Note: In subsequent steps, the directory is called the NFM-P software directory.


45 

Open a console window.


46 

Navigate to the directory that contains the OracleSw_PreInstall.sh file.


47 

Enter the following:

chmod +x OracleSw_PreInstall.sh ↵


48 
CAUTION

Misconfiguration Risk

The NFM-P software includes a script that configures the Oracle environment. The script is specific to an NFM-P release; using a different version may cause the database creation to fail.

You must run only the script that is included with the current NFM-P software.

Enter the following:

./OracleSw_PreInstall.sh ↵

Note: A default value is displayed in brackets []. To accept the default, press ↵.

The following prompt is displayed:

This script will prepare the system for a new install/restore of an NFM-P Version Release main database.

Do you want to continue? [Yes/No]: 


49 

Enter Yes. The following prompt is displayed:

Enter the Oracle dba group name [group]:


50 

Enter a group name.

Note: The group name must match the group name specified during the primary database conversion.

The following messages and prompt are displayed:

Creating group group if it does not exist...

done

Enter the Oracle user name:


51 

Enter a username.

Note: The username must match the username specified during the primary database conversion.

The following messages and prompt are displayed:

Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].

Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...

Checking user username...

Adding username...

Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.

About to unlock the UNIX user [username]

Unlocking password for user username.

passwd: Success

Unlocking the UNIX user [username] completed

Please assign a password to the UNIX user username ..

New Password:


52 

Enter a password.

Note: The password must match the password specified during the primary database conversion.

The following prompt is displayed:

Re-enter new Password:


53 

Re-enter the password. The following is displayed if the password change is successful:

passwd: password successfully changed for username

The following message and prompt are displayed:

Specify whether an NFM-P Main Server will be installed on this workstation.

The database memory requirements will be adjusted to account for the additional load.

Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:


54 

Enter Yes or No, as required.

Messages like the following are displayed as the script execution completes:

INFO: About to set kernel parameters in /etc/sysctl.conf...

INFO: Completed setting kernel parameters in /etc/sysctl.conf...

INFO: About to change the current values of the kernel parameters

INFO: Completed changing the current values of the kernel parameters

INFO: About to set ulimit parameters in /etc/security/limits.conf...

INFO: Completed setting ulimit parameters in /etc/security/limits.conf...

INFO: Completed running Oracle Pre-Install Tasks


55 

When the script execution is complete, enter the following to reboot the station:

systemctl reboot ↵

The station reboots.


Install standby database
 
56 

When the reboot is complete, log in as the root user on the standby main database station.


57 

Open a console window.


58 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


59 

Enter the following:

chmod +x * ↵


60 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


61 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction check

The package installation is complete when the following is displayed:

Complete!


62 

Enter the following:

samconfig -m db ↵

The following is displayed:

Start processing command line inputs...

<db> 


63 

Enter the following:

<db> configure type standby ↵

The prompt changes to <db configure>.


64 

If required, configure the ip parameter; enter the following:

Note: The default is the IP address of the primary network interface on the station.

<db configure> ip address

where address is the IP address of this database


65 

Enter the following:

<db configure> redundant ip address

where address is the IP address of the primary database

The prompt changes to <db configure redundant>.


66 

Enter the following, and then enter back ↵:

<db configure redundant> instance instance_name

where instance_name is the primary database instance name


67 

Configure the passwords parameters in the following table, and then enter back ↵.

Note: The values must match the primary database values.

Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.

Table 17-34: Standby database parameters — passwords

Parameter
    Description

user
    Database user password; the password must match the password specified during the primary database installation
    Default: available from technical support

sys
    Oracle SYS user password; the password must match the password specified during the primary database installation
    Default: available from technical support


68 

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.

Note: For security reasons, it is strongly recommended that you enable IP validation.

Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.

Table 17-35: Standby database parameters — ip-validation

Parameter
    Description

main-one
    IP address of primary main server
    Configuring the parameter enables IP validation.
    Default: —

main-two
    IP address of standby main server
    Default: —

remote-servers
    Comma-separated list of the IP addresses of each of the following components that must connect to the database:
      • auxiliary servers
      • NSP Flow Collectors
      • NSP analytics servers
    Default: —
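
Steps 23 and 68 both note that, once IP validation is enabled, any auxiliary server, NSP Flow Collector or NSP analytics server left out of remote-servers cannot reach the database. The following added example (not part of the NFM-P software or documentation) compares a planned remote-servers value with a recorded inventory before the value is entered; the function names, the role labels, the inventory layout and all addresses are assumptions of the example.

```shell
# Added example: confirm that a planned remote-servers value covers every
# component that must reach the main database once IP validation is enabled.

# Reads "role address" lines on stdin and prints the addresses that belong in
# remote-servers. The role labels are this example's own, not NFM-P keywords.
required_remote_ips() {
    awk '$1 == "aux" || $1 == "flow-collector" || $1 == "analytics" { print $2 }'
}

# remote_servers_gaps CSV ADDRESS...
# Prints each ADDRESS absent from the comma-separated CSV. Returns 1 when an
# address is missing or the value contains anything but addresses and commas
# (the strictness about spaces is a choice of this example).
remote_servers_gaps() {
    csv=$1; shift
    gaps=0
    case $csv in
        *[!0-9A-Fa-f.:,]*) echo "not a plain comma-separated list: '$csv'"; return 1 ;;
    esac
    for ip in "$@"; do
        # Wrap both sides in commas so 192.0.2.1 does not match 192.0.2.10.
        case ",$csv," in
            *",$ip,"*) ;;
            *) echo "missing from remote-servers: $ip"; gaps=1 ;;
        esac
    done
    return $gaps
}

# Constructed inventory (documentation-range addresses, not from the page).
sample_inventory() {
    cat <<'EOF'
main-one        192.0.2.1
main-two        192.0.2.2
aux             192.0.2.10
aux             192.0.2.11
flow-collector  198.51.100.20
analytics       198.51.100.30
EOF
}

# Planned value with the analytics server forgotten; the gap is reported.
planned="192.0.2.10,192.0.2.11,198.51.100.20"
# Word splitting of the address list is intended here.
remote_servers_gaps "$planned" $(sample_inventory | required_remote_ips) || true
```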


69 

To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.

Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.

Table 17-36: Standby database parameters — tls

Parameter
    Description

keystore-pass
    The TLS keystore password
    Default: available from technical support

pki-server
    The PKI server IP address or hostname
    You must configure the parameter.
    Default: —

pki-server-port
    The TCP port on which the PKI server listens for and services requests
    Default: 2391


70 

Verify the database configuration.

  1. Enter the following:

    <db configure> show-detail ↵

    The database configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <db configure> back ↵

    The prompt changes to <db>.


71 

Enter the following to begin the database creation:

<db> apply ↵

The database creation begins, and progress messages are displayed.

The following is displayed when the database creation is complete:

DONE

db configurations updated.


72 

When the database creation is complete, enter the following:

<db> exit ↵

The samconfig utility closes.


73 

Enter the following to reboot the standby main database station:

systemctl reboot ↵

The station reboots.


Install standby main server
 
74 

Log in as the root user on the standby main server station.


75 

Perform one of the following.

  1. If the standby main server and database are to be collocated on one station, download the following installation files to the NFM-P software directory on the collocated station:

    • nsp-nfmp-nspos-R.r.p-rel.v.rpm

    • nsp-nfmp-main-server-R.r.p-rel.v.rpm

    where

    R.r.p is the NSP release identifier, in the form MAJOR.minor.patch

    v is a version identifier

  2. If the standby main server and database are to be on separate stations, download the following files to an empty directory on the main server station:

    Note: You must not download or install nsp-nfmp-nodeexporter unless the package is already installed on the existing standalone main server station or collocated station.

    • nsp-nfmp-nspos-R.r.p-rel.v.rpm

    • nsp-nfmp-jre-R.r.p-rel.v.rpm

    • nsp-nfmp-config-R.r.p-rel.v.rpm

    • nsp-nfmp-main-server-R.r.p-rel.v.rpm

    • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm, if the NFM-P is in a shared-mode deployment and currently forwards NFM-P system metrics to the NSP

    where

    R.r.p is the NSP release identifier, in the form MAJOR.minor.patch

    v is a version identifier

    Note: In subsequent steps, the directory is called the NFM-P software directory.


76 

You must remove the semvalidator package if it is installed; otherwise, the upgrade is blocked.

Perform the following steps.

  1. Enter the following:

    rpm -q nsp-nfmp-semvalidator ↵

    If the package is installed, the following is displayed:

    nsp-nfmp-semvalidator-version

    If the package is not installed, the following is displayed:

    package nsp-nfmp-semvalidator is not installed

  2. If the package is installed, enter the following:

    dnf remove nsp-nfmp-semvalidator ↵

    The package is removed.


77 

Open a console window.


78 

Ensure that no one is logged in to the station as the nsp user.

  1. Enter the following:

    who ↵

    The active user sessions are listed.

  2. If the nsp user is listed, close each nsp user session; see the OS documentation for information about closing user sessions.


79 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


80 

Enter the following:

chmod +x * ↵


81 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


82 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction check

The package installation is complete when the following is displayed:

Complete!


83 

The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.

If this is the first installation of a main or auxiliary server on the station, change the nsp password.

  1. Enter the following:

    passwd nsp ↵

    The following prompt is displayed:

    New Password:

  2. Enter a password.

    The following prompt is displayed:

    Confirm Password:

  3. Re-enter the password.

  4. Record the password and store it in a secure location.


84 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main>


85 

Enter the following:

<main> configure ↵

The prompt changes to <main configure>.


86 

Enter the following:

Note: You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file in this step, or later import the license, as described in the NSP System Administrator Guide.

<main configure> license license_file ↵

where license_file is the path and file name of the NSP license bundle


87 

Enter the following:

<main configure> redundancy enabled ↵

The prompt changes to <main configure redundancy>.


88 

Configure the general redundancy parameters in the following table.

Table 17-37: Standby main server parameters — redundancy

Parameter

Description

ip-to-peer

The standby main server IP address that the primary main server must use for general communication

Default: IP address of primary network interface

rsync-ip

The standby main server IP address that the primary main server must use for data synchronization

Default: IP address of primary network interface


89 

Configure the database redundancy parameters in the following table, and then enter back ↵.

Table 17-38: Standby main server parameters — redundancy, database

Parameter

Description

ip

The IP address that the standby main server must use to reach the primary database

Default: —

instance

Primary database instance name

Default: —

backup-sync

Whether database backup file synchronization is enabled

When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes.

You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter. See the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization.

You must set the parameter to the same value on each main server.

Default: false

alignment

Whether automatic database alignment is enabled

If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components.

For more information about database alignment, see the NSP System Administrator Guide.

Default: false

preferred-instance

The name of the database instance with which the standby main server is to align

The parameter is configurable when the alignment parameter is enabled.

Default: —

reinstantiation-delay

The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database

A value of 0 disables automatic database reinstantiation.

Default: 60


90 

Configure the peer-server redundancy parameters in the following table, and then enter back ↵.

Table 17-39: Standby main server parameters — redundancy, peer-server

Parameter

Description

ip

The primary main server IP address that the standby main server uses for general communication

Default: —

hostname

The primary main server hostname that the standby main server uses for general communication

If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.

The parameter is configurable and mandatory when the hostname parameter in the client level is configured.

Default: —

rsync-ip

The primary main server IP address that the standby main server uses for data synchronization

Default: —

public-ip

The IP address that the GUI and XML API clients must use to reach the standby main server

Default: —

jndi-port

The TCP port on the primary main server station used for EJB JNDI messaging to GUI clients

It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the primary main server.

Default: 1099

ip-to-auxes

The primary main server IP address that the auxiliary servers must use to reach the primary main server

You must configure the parameter if the NFM-P system includes one or more auxiliary servers.

Default: —

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the primary main server

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the primary main server

snmp-port

The TCP port on the primary main server station used for SNMP communication with the managed NEs

Default: 162

traplog-id

The SNMP trap log ID associated with the primary main server

Default: 98


91 

Enter the following:

<main configure redundancy> back ↵

The prompt changes to <main configure>.


92 

As required, configure the mediation parameters in the following table, and then enter back ↵.

Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.

Table 17-40: Standby main server parameters — mediation

Parameter

Description

nat

Whether NAT is used between the main servers and the managed NEs

Default: false

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the standby main server

Default: IPv4 address of primary network interface

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the standby main server

Default: IPv6 address of primary network interface

snmp-port

The TCP port on the standby main server station that the managed NEs must use to reach the standby main server

Default: 162

traplog-id

The SNMP trap log ID associated with the standby main server

Default: 98


93 

The standby main server requires a copy of the NFM-P TLS keystore and truststore files that are used by the primary main server.

Copy the keystore and truststore files from the /opt/nsp/os/tls directory on the primary main server station to a temporary location on the standby main server station, and record the location for use in Step 94.

Caution: You must not copy the files to the /opt/nsp/os/tls directory on the standby main server station, or the TLS configuration fails.

Note: The nsp user must be the owner of the directory path to the location.


94 

Configure the tls parameters in the following table, and then enter back ↵.

Table 17-41: Standby main server parameters — tls

Parameter

Description

keystore-file

The absolute path of the TLS keystore file

To enable automated TLS deployment, enter no keystore-file.

Default: —

keystore-pass

The TLS keystore password

Default: available from technical support

truststore-file

The absolute path of the TLS truststore file

To enable automated TLS deployment, enter no truststore-file.

Default: —

truststore-pass

The TLS truststore password

Default: available from technical support

alias

The alias specified during keystore generation

You must configure the parameter.

Default: —

pki-server

The PKI server IP address or hostname

Default: —

pki-server-port

The TCP port on which the PKI server listens for and services requests

Default: 2391

regenerate-certs

Whether to regenerate the internal TLS certificates

Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available. A new internal root certificate is available when the root certificate is reset, or when the PKI server is run on a station other than the station used for the previous certificate deployment.

Default: false

hsts-enabled

Whether HSTS browser security is enabled

Default: false


95 

If required, configure the oss parameters in the following table, and then enter back ↵.

Note: The parameters are configurable only if the main server configuration does not include one or more auxiliary servers.

Table 17-42: Standby main server parameters — oss

Parameter

Description

secure

Whether communication between the main servers and the XML API clients is secured using TLS

Default: secure

public-ip

The IP address that the XML API clients must use to reach the standby main server

Default: IP address of primary network interface

xml-output

The directory in which to store the output of XML API file export operations

Default: /opt/nsp/nfmp/server/xml_output


96 

If the NFM-P includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.

Table 17-43: Standby main server parameters — auxdb

Parameter

Description

enabled

Whether the auxiliary database is enabled in the main server configuration

secure

Whether TLS is enabled on the auxiliary database

If TLS is enabled on the main server, you must set the parameter to true, and enable TLS during the auxiliary database installation.

Default: false

ip-list

A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format:

Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system.

cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn

where

cluster_1_IP1, cluster_1_IP2,cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center

cluster_2_IP1, cluster_2_IP2,cluster_2_IPn are the external IP addresses of the stations in the other data center; required only for geo-redundant auxiliary database

Default: —

oam-test-results

Whether the auxiliary database is to store OAM test results

Default: false

redundancy-level

Boolean value that specifies whether the auxiliary database is to replicate data among multiple stations

If the auxiliary database is deployed on a single station, you must set the parameter to 0.

Caution: After you configure an auxdb parameter and apply the main server configuration, you cannot modify the redundancy-level parameter.

Default: 1
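The ip-list format and its ordering rule can be checked before the value is entered on each main server. The following is an added example, not part of the NFM-P documentation or tooling; the function names, the sample addresses, and the limit of two clusters (one per data center) are assumptions.

```python
import ipaddress


def parse_auxdb_ip_list(value):
    """Parse 'ip,ip,...;ip,ip,...' into a list of clusters (lists of address objects)."""
    groups = value.strip().split(";")
    if len(groups) > 2:
        # Assumption: the format shows one cluster per data center, two at most.
        raise ValueError("more than two clusters in ip-list")
    clusters, seen = [], set()
    for number, group in enumerate(groups, start=1):
        addresses = []
        for item in group.split(","):
            item = item.strip()
            if not item:
                raise ValueError(f"cluster {number}: empty entry (stray ',' or ';')")
            address = ipaddress.ip_address(item)  # ValueError on a malformed address
            if address in seen:
                raise ValueError(f"cluster {number}: {address} is listed more than once")
            seen.add(address)
            addresses.append(address)
        clusters.append(addresses)
    return clusters


def compare_ip_lists(primary_value, standby_value):
    """Return the differences between the ip-list values of two main servers."""
    primary = parse_auxdb_ip_list(primary_value)
    standby = parse_auxdb_ip_list(standby_value)
    if primary == standby:
        return []
    on_primary = {a for cluster in primary for a in cluster}
    on_standby = {a for cluster in standby for a in cluster}
    problems = []
    for label, extra in (("primary", on_primary - on_standby),
                         ("standby", on_standby - on_primary)):
        if extra:
            listed = ", ".join(sorted(str(a) for a in extra))
            problems.append(f"only on {label} main server: {listed}")
    if not problems:
        # Same addresses on both sides, so the difference is one of ordering.
        if [set(c) for c in primary] != [set(c) for c in standby]:
            problems.append("clusters are grouped or ordered differently")
        else:
            problems.append("addresses within a cluster are ordered differently")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    primary = "10.1.1.1,10.1.1.2,10.1.1.3;10.2.1.1,10.2.1.2,10.2.1.3"
    standby = "10.2.1.1,10.2.1.2,10.2.1.3;10.1.1.1,10.1.1.2,10.1.1.3"
    print(compare_ip_lists(primary, standby) or "ip-list values match")
```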


97 

As required, configure the aa-stats parameters in the following table, and then enter back ↵.

Table 17-44: Standby main server parameters — aa-stats

Parameter

Description

enabled

Whether the NFM-P is to collect AA accounting statistics

Default: false

formats

AA accounting statistics file formats; the options are the following:

  • ipdr—IPDR format

  • ram—format for NSP Analytics reporting

  • ipdr,ram—both formats

The parameter is configurable when the enabled parameter is set to true.

Default: ram

aux-db storage

Whether the NFM-P is to store the statistics in an auxiliary database

The parameter is configurable when the enabled parameter is set to true.

Default: false


98 

Configure the nspos parameters in the following table, and then enter back ↵.

Table 17-45: Standby main server parameters — nspos

Parameter

Description

ip-list

The nspOS-server IP addresses, separated by a semicolon

Specify only one IP address for a standalone NSP system.

  • If the NFM-P system is in a shared-mode NSP deployment, specify the advertised address of each NSP cluster.

  • If the NSP system includes only the NFM-P, specify the main server private IP address.

Default: —

address-to-nspos

The main server IP address that is reachable by the nspOS server

Default: —

secure

Whether communication with the nspOS servers is secured using TLS

It is strongly recommended to enable the parameter in an NFM-P-only deployment.

Default: false

internal-certs

Whether internal certificates are used to secure nspOS communication between components; the parameter is configurable when the secure parameter is set to true.

The parameter is deprecated, and must be set to the same value as the secure parameter.

Default: false

dc-name

The nspOS DR data center name for aligning NSP components with the local NFM-P main server; must match the dcName value in the NSP configuration file

The parameter is required only in a redundant deployment; however, in a shared-mode deployment, it is recommended that you configure the parameter, regardless of the NFM-P deployment type.

Default: —

mtls-kafka-enabled

Specifies whether mTLS is enabled for Kafka communication with the NSP

The parameter is displayed only:

  • if the ip-list parameter is set to a remote address

  • after the configuration is initially applied in a subsequent step

Note: The parameter is configurable only if the secure and internal-certs parameters are set to true.

Note: The function is supported only in an NSP system that uses separate interfaces for internal and client communication.

Default: false

authMode

NSP authentication mode, which is one of the following:

  • oauth2—OAUTH2 user authentication

  • cas—CAS user authentication (deprecated)

The parameter is configurable only in a shared-mode NSP deployment.

The parameter setting must match the authMode setting in the NSP cluster configuration.

Default: oauth2


99 

Configure the remote-syslog parameters in the following table, and then enter back ↵.

Table 17-46: Standby main server parameters — remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


100 

Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.

Table 17-47: Standby main server parameters — server-logs-to-remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P server logs in syslog format to a remote server

Default: disabled

secured

Whether the communication with the remote server is TLS-secured

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


101 

Verify the main server configuration.

  1. Enter the following:

    <main configure> show-detail ↵

    The main server configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <main configure> back ↵

    The prompt changes to <main>.


102 

Enter the following:

<main> apply ↵

The configuration is applied.


103 

Enter the following:

<main> exit ↵

The samconfig utility closes.


104 

If the NFM-P is part of a shared-mode NSP system and you want to enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.

Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.

Note: The parameter you must configure is displayed only if the ip-list parameter is set to a remote address.

Note: The parameter is configurable only if the secure and internal-certs parameters in the nspos section are set to true.

  1. Enter the following:

    samconfig -m main ↵

    The following is displayed:

    Start processing command line inputs...

    <main> 

  2. Enter the following:

    configure nspos mtls-kafka-enabled back ↵

  3. Enter the following:

    <main> apply ↵

    The configuration is applied.

  4. Enter the following:

    <main> exit ↵

    The samconfig utility closes.


Enable Windows Active Directory access
 
105 

If you intend to use Windows Active Directory, or AD, for single-sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 124.

Open the following file as a reference for use in subsequent steps:

/opt/nsp/os/install/examples/config.yml

Note: Consider the following.

  • The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.

  • Windows AD supports the following LDAP server types for remote authentication:

    AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.

    AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager REST API.


106 

Locate the section that begins with the following lines:

#   ldap:
#     enabled: true
#     servers:
#       - type: AUTHENTICATED/AD/ANONYMOUS
#         url: ldaps://ldap.example.com:636
#         security: SSL/STARTTLS/NONE


107 

Open the following file using a plain-text editor such as vi:

/opt/nsp/os/install/config.json


108 

Locate the section that begins with the following line:

"sso": {

The section has one subsection for each type of SSO access.

Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.


109 

In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.

The following example shows the LDAP configuration for two AD servers:

    "ldap": {
      "enabled": true,
      "servers": [
        {
          "type": "auth_type",
          "url": "ldaps://server1:port",
          "server1_parameter_1": "value",
          "server1_parameter_2": "value",
          .
          .
          "server1_parameter_n": "value"
        },
        {
          "type": "auth_type",
          "url": "ldaps://server2:port",
          "server2_parameter_1": "value",
          "server2_parameter_2": "value",
          .
          .
          "server2_parameter_n": "value"
        }
      ]
    }

where auth_type is AD or AUTHENTICATED


110 

Save and close the files.


111 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


112 

Enter the following:

<main> apply ↵

The AD LDAP configuration is applied.


113 

Enter the following:

<main> exit ↵

The samconfig utility closes.


Enable CAC access
 
114 

If you do not intend to enable Common Access Card, or CAC, technology for NFM-P client access, go to Step 124.


115 

Download the federationmetadata.xml file from the following ADFS link:

https://ADFS_server_name/FederationMetadata/2007-06/federationmetadata.xml

where ADFS_server_name is the ADFS server FQDN


116 

Add an ADFS server entry to the /etc/hosts file on the main server.

  1. Open the /etc/hosts file using a plain-text editor such as vi.

  2. Add the following line below the line that contains the main server IP address:

    IP_address FQDN

    where

    IP_address is the IP address of the ADFS server

    FQDN is the FQDN of the ADFS server

  3. Save and close the file.


117 

In order to enable CAC for client access, you must configure Active Directory Federation Services, or ADFS.

Open the following file using a plain-text editor such as vi:

/opt/nsp/os/install/config.json


118 

In the sso section, create an saml2 subsection as shown below using the parameter names from the saml2 section of config.yml and the required values for your configuration.

The following example shows the ADFS configuration.

Note: You must preserve the leading spaces of each line.

  "sso" : {
    "saml2": {
       "enabled": true,
       "service_provider_entity_id": "NFM-P_identifier",
       "service_provider_metadata_filename": "casmetadata.xml",
       "maximum_authentication_lifetime": 3600,
       "accepted_skew": 300,
       "destination_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
       "identity_provider_metadata_path": "ADFS_metadata_file",
       "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
       "authn_context_comparison_type": "minimum",
       "name_id_policy_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
       "force_auth": true,
       "passive": false,
       "wants_assertions_signed": false,
       "wants_responses_signed": false,
       "all_signature_validation_disabled": false,
       "sign_service_provider_metadata": false,
       "principal_id_attribute": "UPN",
       "use_name_qualifier": false,
       "provider_name": "ADFS_server_URI",
       "requested_attributes": [{
         "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          "friendly_name": "E-Mail Address",
          "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
          "required": false
      } ],
       "mapped_attributes": [{
           "name": "http://schemas.xmlsoap.org/claims/Group",
           "mapped_to": "authorizationProfile"
      }, {
           "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
           "mapped_to": "upn"
      } ]
    },


119 

Configure the following parameters; leave all other parameters at the default:

  • "service_provider_entity_id": "NFM-P_identifier"

  • "identity_provider_metadata_path": "ADFS_metadata_file"

  • "provider_name": "ADFS_server_name"

NFM-P_identifier is the unique ADFS Relying Trust Party identifier

ADFS_metadata_file is the absolute path of the ADFS metadata XML file, for example, /opt/federationmetadata.xml

ADFS_server_name is the ADFS server FQDN


120 

Save and close the files.
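The hand-edited sso section of config.json, for both the ldap subsection and the saml2 subsection, can be checked offline before the configuration is applied. The following is an added example, not part of the NFM-P documentation or tooling: it reports JSON syntax errors, documentation placeholders left in place, LDAP servers whose type or URL differs from the AD examples in this procedure, and saml2 values that contradict it. The function names, the sample documents, and the choice to treat the ldaps:// scheme and a false all_signature_validation_disabled value as required are assumptions.

```python
import json
from urllib.parse import urlsplit

# Placeholder tokens from the procedure's examples; none may survive into the real file.
PLACEHOLDERS = {"auth_type", "value", "NFM-P_identifier", "ADFS_metadata_file",
                "ADFS_server_URI", "ADFS_server_name"}
AD_LDAP_TYPES = {"AD", "AUTHENTICATED"}  # server types the procedure lists for Windows AD


def _placeholders(node, path):
    """Yield the path of every string value that is still a documentation placeholder."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _placeholders(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _placeholders(value, f"{path}[{index}]")
    elif isinstance(node, str) and node in PLACEHOLDERS:
        yield path


def _check_ldap(ldap, findings):
    servers = ldap.get("servers")
    if not isinstance(servers, list) or not servers:
        findings.append("sso.ldap: enabled but no servers are defined")
        return
    for index, server in enumerate(servers):
        where = f"sso.ldap.servers[{index}]"
        if not isinstance(server, dict):
            findings.append(f"{where}: entry is not an object")
            continue
        if server.get("type") not in AD_LDAP_TYPES:
            findings.append(f"{where}: type must be AD or AUTHENTICATED")
        url = urlsplit(str(server.get("url", "")))
        if url.scheme != "ldaps":
            findings.append(f"{where}: url does not use ldaps://")
        try:
            if not url.hostname or url.port is None:
                findings.append(f"{where}: url needs a host and an explicit port")
        except ValueError:  # raised by .port when the port is not a valid number
            findings.append(f"{where}: url port is not a valid number")


def _check_saml2(saml2, findings):
    if saml2.get("all_signature_validation_disabled") is not False:
        findings.append("sso.saml2: all_signature_validation_disabled must be false")
    metadata = saml2.get("identity_provider_metadata_path")
    if not isinstance(metadata, str) or not metadata.startswith("/"):
        findings.append("sso.saml2: identity_provider_metadata_path must be an absolute path")
    for key in ("service_provider_entity_id", "provider_name"):
        if not saml2.get(key):
            findings.append(f"sso.saml2: {key} is not set")


def check_sso(config_text):
    """Return a list of findings for the sso section of a config.json document."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:  # stray comma, missing brace, and similar
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    sso = config.get("sso") if isinstance(config, dict) else None
    if not isinstance(sso, dict):
        return ["no sso section found"]
    findings = [f"{path}: placeholder value not replaced"
                for path in _placeholders(sso, "sso")]
    for name, check in (("ldap", _check_ldap), ("saml2", _check_saml2)):
        section = sso.get(name)
        if isinstance(section, dict) and section.get("enabled") is True:
            check(section, findings)
    return findings


# Constructed sample documents (not taken from a real system).
SAMPLE_OK = json.dumps({"sso": {
    "ldap": {"enabled": True, "servers": [
        {"type": "AD", "url": "ldaps://ad1.example.com:636"}]},
    "saml2": {"enabled": True, "service_provider_entity_id": "nfmp-main",
              "identity_provider_metadata_path": "/opt/federationmetadata.xml",
              "provider_name": "adfs.example.com",
              "all_signature_validation_disabled": False}}})
SAMPLE_WEAK = json.dumps({"sso": {
    "ldap": {"enabled": True, "servers": [
        {"type": "ANONYMOUS", "url": "ldap://ad1.example.com:389"}]},
    "saml2": {"enabled": True, "service_provider_entity_id": "NFM-P_identifier",
              "identity_provider_metadata_path": "federationmetadata.xml",
              "provider_name": "adfs.example.com",
              "all_signature_validation_disabled": True}}})
SAMPLE_TRAILING_COMMA = '{"sso": {"ldap": {"enabled": true, "servers": [{"type": "AD",}]}}}'

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK),
                        ("trailing comma", SAMPLE_TRAILING_COMMA)):
        print(label, check_sso(text) or "no findings")
```

To check the real file, pass the contents of /opt/nsp/os/install/config.json to check_sso and resolve every finding before you apply the configuration.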


121 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


122 

Enter the following:

<main> apply ↵

The ADFS configuration is applied.


123 

Enter the following:

<main> exit ↵

The samconfig utility closes.


Configure WS-NOC integration
 
124 

If the NFM-P is integrated with a WS-NOC system, open the following file with a plain-text editor such as vi:

/opt/nsp/os/install/examples/config.json

Otherwise, go to Step 134.


125 

Copy the following section:

  "nfmt": {
    "primary_ip": "",
    "standby_ip": "",
    "username": "",
    "password": "",
    "cert_provided": false
  },


126 

Close the file.


127 

Open the following file with a plain-text editor such as vi:

/opt/nsp/os/install/config.json


128 

Paste in the copied section.


129 

Configure the required parameters to enable the WS-NOC integration:

  • primary_ip—the primary WS-NOC server IP address

  • standby_ip—the standby WS-NOC server IP address

  • username—the username required for WS-NOC access

  • password—the password required for WS-NOC access

  • cert_provided—whether a TLS certificate is used


130 

Save and close the file.


131 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


132 

Enter the following:

<main> apply ↵

The configuration is applied.


133 

Enter the following:

<main> exit ↵

The samconfig utility closes.


Start standby main server
 
134 

Start the standby main server.

Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.

  1. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  2. Enter the following:

    bash$ ./nmsserver.bash start ↵

  3. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.


135 

Define the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.

  1. Enter the following:

    bash$ ./nmsdeploytool.bash clientmem -option ↵

    where option is one of the following:

    • m—medium, for management of limited-scale network

    • l—large, for a network of 15 000 or more NEs

  2. Enter the following to commit the configuration change:

    bash$ ./nmsdeploytool.bash deploy ↵


136 

If you have enabled CAC for NFM-P client access, download the casmetadata.xml file from the following URL, and then import the file into the ADFS server relying-trust-party:

https://server/cas/sp/metadata

where server is the main server IP address or hostname

After the download, the casmetadata.xml file is available in the following directory on the main server:

/opt/nsp/os/tomcat/conf/cas/saml


137 

If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, perform the following steps.

  1. Use the NSP Session Manager REST API to add the LDAP server bind credentials; see the Network Developer Portal for information.

  2. If the NFM-P is not part of a shared-mode NSP deployment, enter the following to restart the local nspos-tomcat service:

    Note: The service restart may take a few minutes, during which NFM-P GUI and REST client access is degraded. General NFM-P operation is unaffected.

    systemctl restart nspos-tomcat ↵


138 

If the NFM-P system includes one or more NSP Flow Collectors, configure the standby main server parameters and other redundancy parameters, as required; see the NSP documentation for information.


139 

If the NFM-P system includes one or more analytics servers, enable redundancy support on each analytics server; see the NSP documentation for information.


Reinstantiate standby database
 
140 

Open an NFM-P GUI client as the admin user.


141 

Choose Administration→System Information from the main menu. The System Information form opens.


142 

Click Re-Instantiate Standby.


143 

Click Yes to confirm the action. The reinstantiation begins, and the GUI status bar displays reinstantiation information.

Note: Database reinstantiation takes considerable time if the database contains a large amount of statistics data.

You can also use the System Information form to monitor the reinstantiation progress. The Last Attempted Standby Re-instantiation Time is the start time; the Standby Re-instantiation State changes from In Progress to Success when the reinstantiation is complete.


144 

When the reinstantiation is complete, close the System Information form.


145 

Use an NFM-P GUI client to perform sanity testing of the newly redundant system.


Configure and enable firewalls
 
146 

If you intend to use any firewalls between the NFM-P components, and the firewalls are disabled, configure and enable each firewall.

Perform one of the following.

  1. Configure each external firewall to allow the required traffic using the port assignments in the NSP Planning Guide, and enable the firewall.

  2. Configure and enable firewalld on each component station, as required.

    1. Use an NFM-P template to create the firewalld rules for the component, as described in the NSP Planning Guide.

    2. Log in to the station as the root user.

    3. Open a console window.

    4. Enter the following:

      systemctl enable firewalld ↵

    5. Enter the following:

      systemctl start firewalld ↵

    6. Close the console window.

End of steps