To install a redundant NFM-P system
Description
The following steps describe how to install a collocated or distributed NFM-P system in a redundant configuration. The steps also include information about installing optional NFM-P components.
Ensure that you record the information that you specify, for example, directory names, passwords, and IP addresses.
Note: You require root user privileges on the main database and main server stations.
Note: Performing the procedure creates the following user accounts:
Note: The following RHEL CLI prompts in command lines denote the active user, and are not to be included in typed commands:
Steps
Check and configure firewalls
1. Before you attempt to deploy an NFM-P system, you must ensure that each firewall between NFM-P components allows the required traffic to pass between the components, or is disabled. You can configure and enable the firewall after the installation, if required.
Note: The RHEL firewalld service is typically enabled by default in a new RHEL OS installation.
Perform one of the following.
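As an added pre-flight check (example code written for this page, not part of the NFM-P documentation), the script below asks firewalld on the local station whether the ports this procedure names are open in the default zone. The port list is an assumption limited to the ports that appear later on this page (2391/tcp for the PKI server, 1099/tcp for EJB JNDI to GUI clients, 162/udp for SNMP traps); the database listener and the other inter-component ports are not on this page and must be added from the NSP documentation for your deployment.

```shell
#!/bin/sh
# Added example, not from the NFM-P guide: report which of the ports this
# procedure names are still blocked by firewalld on the local station.
# Assumption: only ports that appear on this page are listed; the complete
# port matrix for your deployment comes from the NSP documentation.

# Ports named later in this procedure:
#   2391/tcp  PKI server          1099/tcp  EJB JNDI to GUI clients
#   162/udp   SNMP traps from managed NEs
REQUIRED_PORTS="2391/tcp 1099/tcp 162/udp"

# missing_ports "OPEN_PORTS" -> prints the required ports absent from OPEN_PORTS,
# a space-separated list in the form that `firewall-cmd --list-ports` prints
missing_ports() {
    open=" $1 "; missing=""
    for p in $REQUIRED_PORTS; do
        case "$open" in
            *" $p "*) ;;                      # already open
            *) missing="$missing $p" ;;       # still blocked
        esac
    done
    printf '%s\n' "${missing# }"
}

# check_local_firewalld -> 0 if firewalld is absent/stopped or every required
# port is open in the default zone; 1 plus the blocked list otherwise.
# Caveat: a port opened through a firewalld service (--add-service) does not
# show in --list-ports; extend the check with --list-services if you use them.
check_local_firewalld() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found: no firewalld to check"; return 0
    fi
    if [ "$(firewall-cmd --state 2>/dev/null)" != "running" ]; then
        echo "firewalld is not running"; return 0
    fi
    blocked=$(missing_ports "$(firewall-cmd --list-ports)")
    if [ -n "$blocked" ]; then
        echo "blocked by firewalld: $blocked"; return 1
    fi
    echo "all required ports are open in the default zone"
}
```

Run `check_local_firewalld` as root on each station; a non-zero exit lists the ports to open (for example with `firewall-cmd --permanent --add-port=2391/tcp` followed by `firewall-cmd --reload`) before you continue with the installation.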
Download installation files
2. Download the following installation files to an empty directory on each main server station:
where R.r.p is the NSP release identifier, in the form MAJOR.minor.patch, and v is a version identifier
Note: In subsequent steps, the directory is called the NFM-P software directory.
3. Perform one of the following.
4. Transfer the following downloaded file to an empty directory on each main database station:
Install primary database
5. Log in as the root user on the primary main database station.
6. Open a console window.
7. Navigate to the directory that contains the OracleSw_PreInstall.sh file.
8. Enter the following:
# chmod +x OracleSw_PreInstall.sh ↵
9. Enter the following:
# ./OracleSw_PreInstall.sh ↵
Note: A default value is displayed in brackets []. To accept the default, press ↵.
Note: If you specify a value other than the default, you must record the value for use when the OracleSw_PreInstall.sh script is run during a software upgrade, or when the Oracle management user information is required by technical support.
The following prompt is displayed:
This script will prepare the system for a new install/restore of an NFM-P Version Release main database.
Do you want to continue? [Yes/No]:
10. Enter Yes. The following prompt is displayed:
Enter the Oracle dba group name [group]:
11. Enter a group name.
Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default for this parameter.
The following messages and prompt are displayed:
Creating group group if it does not exist...
done
Enter the Oracle user name:
12. Enter a username.
Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default.
The following messages and prompt are displayed:
Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].
Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...
Checking user username...
Adding username...
Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.
About to unlock the UNIX user [username]
Unlocking password for user username.
passwd: Success
Unlocking the UNIX user [username] completed
Please assign a password to the UNIX user username ..
New Password:
13. Enter a password. The following prompt is displayed:
Re-enter new Password:
14. Re-enter the password. The following is displayed if the password change is successful:
passwd: password successfully changed for username
The following message and prompt are displayed:
Specify whether an NFM-P Main Server will be installed on this workstation.
The database memory requirements will be adjusted to account for the additional load.
Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:
15. Enter Yes or No, as required. Messages like the following are displayed as the script execution completes:
INFO: About to set kernel parameters in /etc/sysctl.conf...
INFO: Completed setting kernel parameters in /etc/sysctl.conf...
INFO: About to change the current values of the kernel parameters
INFO: Completed changing the current values of the kernel parameters
INFO: About to set ulimit parameters in /etc/security/limits.conf...
INFO: Completed setting ulimit parameters in /etc/security/limits.conf...
INFO: Completed running Oracle Pre-Install Tasks
16. When the script execution is complete, enter the following to reboot the primary main database station:
# systemctl reboot ↵
The station reboots.
17. When the reboot is complete, log in as the root user on the primary main database station.
18. Open a console window.
19. Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
20. Enter the following:
# chmod +x * ↵
21. Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
22. Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
23. Enter the following:
# samconfig -m db ↵
The following is displayed:
Start processing command line inputs...
<db>
24. Enter the following:
<db> show-detail ↵
The primary database configuration is displayed.
25. Enter the following:
<db> configure ↵
The prompt changes to <db configure>.
26. As required, configure the general parameters in the following table.
Note: The instance parameter is configurable only during database creation.
Table 14-22: Primary database parameters, general
27. Configure the redundant parameters in the following table, and then enter back ↵.
Note: The instance parameter is configurable only during database creation.
Table 14-23: Primary database parameters — redundant

| Parameter | Description |
|---|---|
| ip | Standby database IP address. Default: — |
| instance | Standby database instance name, which must: Default: maindb2 |
If required, configure one or more passwords parameters in the following table, and then enter back ↵.
Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.
Table 14-24: Primary database parameters — passwords

| Parameter | Description |
|---|---|
| user | Database user password. Default: available from technical support |
| sys | Oracle SYS user password. Default: available from technical support |

A password must:
- contain at least three of the following:
- not contain four or more of the same character type in sequence
- not be the same as the user name, or the reverse of the user name
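The following validator is an added example, not part of the NFM-P documentation: it checks a candidate password against the rules above before you type it into samconfig, which matters because, as the note above says, samconfig cannot change the password once the configuration is saved. The page does not reproduce the list of character types behind "at least three of the following", so the script assumes the usual four (upper-case, lower-case, digit, other); the user name samuser used in the comments and usage is a constructed value.

```shell
#!/bin/sh
# Added example, not from the NFM-P guide: check a candidate database password
# against the three rules on this page before entering it in samconfig.
# Assumption: "character types" are upper-case, lower-case, digit and other;
# the guide's own list of types is not reproduced on this page.

# class_of CHAR -> U, L, D or S (upper, lower, digit, special)
class_of() {
    case "$1" in
        [[:upper:]]) echo U ;;
        [[:lower:]]) echo L ;;
        [[:digit:]]) echo D ;;
        *)           echo S ;;
    esac
}

# reverse STRING -> STRING reversed (pure sh, no dependency on rev(1))
reverse() {
    s="$1"; r=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}       # first character
        s=${s#?}              # drop it
        r="$c$r"
    done
    printf '%s' "$r"
}

# check_password USER PASS -> 0 if PASS satisfies all three rules; otherwise
# prints each violated rule and returns 1
check_password() {
    user="$1"; pass="$2"; rc=0
    if [ "$pass" = "$user" ] || [ "$pass" = "$(reverse "$user")" ]; then
        echo "violates: password equals the user name or its reverse"; rc=1
    fi
    seen=""; prev=""; run=0; longest=0
    s="$pass"
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        cls=$(class_of "$c")
        case "$seen" in *"$cls"*) ;; *) seen="$seen$cls" ;; esac   # distinct types
        if [ "$cls" = "$prev" ]; then run=$((run + 1)); else run=1; prev=$cls; fi
        if [ "$run" -gt "$longest" ]; then longest=$run; fi
    done
    if [ "$longest" -ge 4 ]; then
        echo "violates: four or more characters of the same type in sequence"; rc=1
    fi
    if [ "${#seen}" -lt 3 ]; then
        echo "violates: fewer than three character types present"; rc=1
    fi
    return $rc
}

# Usage (samuser is a constructed user name):
#   check_password samuser 'Ab1!Ab1!' && echo compliant
```

Note that the sequence rule rejects otherwise strong passwords such as `Passw0rd!` (four lower-case letters in a row), so run the check before the samconfig session rather than discovering the rejection inside it.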
To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.
Note: For security reasons, it is strongly recommended that you enable IP validation.
Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or NSP analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.
Table 14-25: Primary database parameters — ip-validation
To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.
Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.
Table 14-26: Primary database parameters — tls

| Parameter | Description |
|---|---|
| keystore-pass | The TLS keystore password. Default: available from technical support |
| pki-server | The PKI server IP address or hostname. You must configure the parameter. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
Verify the database configuration.
- Enter the following:
<db configure> show-detail ↵
The database configuration is displayed.
- Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.
- When you are certain that the configuration is correct, enter the following:
<db configure> back ↵
The prompt changes to <db>.
Enter the following to begin the database creation:
<db> apply ↵
The database creation begins, and progress messages are displayed.
The following is displayed when the database creation is complete:
DONE
db configurations updated.
When the database creation is complete, enter the following:
<db> exit ↵
The samconfig utility closes.
It is recommended that as a security measure, you limit the number of database user login failures that the NFM-P allows before the database user account is locked; see the NSP System Administrator Guide for information.
Install standby database
Log in as the root user on the standby main database station.
Open a console window.
Navigate to the directory that contains the OracleSw_PreInstall.sh file.
Enter the following:
# chmod +x OracleSw_PreInstall.sh ↵
Enter the following:
# ./OracleSw_PreInstall.sh ↵
Note: A default value is displayed in brackets []. To accept the default, press ↵.
Note: If you specify a value other than the default, you must record the value for use when the OracleSw_PreInstall.sh script is run during a software upgrade, or when the Oracle management user information is required by technical support.
The following prompt is displayed:
This script will prepare the system for a new install/restore of an NFM-P Version Release main database.
Do you want to continue? [Yes/No]:
Enter Yes. The following prompt is displayed:
Enter the Oracle dba group name [group]:
Enter a group name.
Note: The group name must match the group name specified during the primary database installation.
The following messages and prompt are displayed:
Creating group group if it does not exist...
done
Enter the Oracle user name:
Enter a username.
Note: The username must match the username specified during the primary database installation.
The following messages and prompt are displayed:
Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].
Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...
Checking user username...
Adding username...
Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.
About to unlock the UNIX user [username]
Unlocking password for user username.
passwd: Success
Unlocking the UNIX user [username] completed
Please assign a password to the UNIX user username ..
New Password:
Enter a password.
Note: The password must match the password specified during the primary database installation.
The following prompt is displayed:
Re-enter new Password:
Re-enter the password. The following is displayed if the password change is successful:
passwd: password successfully changed for username
The following message and prompt are displayed:
Specify whether an NFM-P Main Server will be installed on this workstation.
The database memory requirements will be adjusted to account for the additional load.
Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:
Enter Yes or No, as required.
Messages like the following are displayed as the script execution completes:
INFO: About to set kernel parameters in /etc/sysctl.conf...
INFO: Completed setting kernel parameters in /etc/sysctl.conf...
INFO: About to change the current values of the kernel parameters
INFO: Completed changing the current values of the kernel parameters
INFO: About to set ulimit parameters in /etc/security/limits.conf...
INFO: Completed setting ulimit parameters in /etc/security/limits.conf...
INFO: Completed running Oracle Pre-Install Tasks
When the script execution is complete, enter the following to reboot the standby main database station:
# systemctl reboot ↵
The station reboots.
When the reboot is complete, log in as the root user on the standby main database station.
Open a console window.
Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
Enter the following:
# chmod +x * ↵
Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
Enter the following:
# samconfig -m db ↵
The following is displayed:
Start processing command line inputs...
<db>
Enter the following:
<db> configure type standby ↵
The prompt changes to <db configure>.
If required, configure the ip parameter; enter the following:
<db configure> ip address ↵
where address is the IP address of this database
Note: The default is the IP address of the primary network interface on the station.
Enter the following:
<db configure> redundant ip address ↵
where address is the IP address of the primary database
The prompt changes to <db configure redundant>.
Enter the following, and then enter back ↵:
<db configure redundant> instance instance_name ↵
where instance_name is the primary database instance name
If required, configure one or more passwords parameters in the following table, and then enter back ↵.
Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.
Table 14-27: Standby database parameters — passwords

| Parameter | Description |
|---|---|
| user | Database user password; the password must match the password specified during the primary database installation. Default: available from technical support |
| sys | Oracle SYS user password; the password must match the password specified during the primary database installation. Default: available from technical support |

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.
Note: For security reasons, it is strongly recommended that you enable IP validation.
Note: When you enable IP validation on an NFM-P system that includes auxiliary servers, NSP Flow Collectors, or NSP analytics servers, you must configure the remote-servers parameter; otherwise, the servers cannot reach the database.
Table 14-28: Standby database parameters — ip-validation
To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.
Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.
Table 14-29: Standby database parameters — tls

| Parameter | Description |
|---|---|
| keystore-pass | The TLS keystore password. Default: available from technical support |
| pki-server | The PKI server IP address or hostname. You must configure the parameter. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
Verify the database configuration.
- Enter the following:
<db configure> show-detail ↵
The database configuration is displayed.
Note: The instance value is not set until the database is reinstantiated later in the procedure.
- Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.
- When you are certain that the configuration is correct, enter the following:
<db configure> back ↵
The prompt changes to <db>.
Enter the following to begin the database creation:
<db> apply ↵
The database creation begins, and progress messages are displayed.
The following is displayed when the database creation is complete:
DONE
db configurations updated.
When the database creation is complete, enter the following:
<db> exit ↵
The samconfig utility closes.
Install primary main server
Log in as the root user on the primary main server station.
Open a console window.
Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
Enter the following:
# chmod +x * ↵
Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
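The database steps and this main server step all run chmod +x * followed by dnf install *.rpm, so whatever the wildcard finds in the NFM-P software directory gets installed; the note "Ensure that the directory contains only the installation files" is therefore a supply-chain control, not housekeeping. The script below is an added example, not part of the NFM-P documentation, that enforces it for all three stations: it fails if the directory holds any file not listed in a sha256sum-format checksum file, or if any listed file is missing or does not match. It assumes you obtained the checksums from the vendor's download portal over a separate trusted channel; this page does not say how checksums are published, so adapt the source of the SUMS file.

```shell
#!/bin/sh
# Added example, not from the NFM-P guide: before "chmod +x *" and
# "dnf install *.rpm", confirm that the software directory contains exactly
# the downloaded files and that each matches its published SHA-256 checksum.
# Assumption: SUMS is in sha256sum(1) format ("<hash>  <file name>") and was
# obtained from the vendor over a trusted channel.

# verify_software_dir DIR SUMS -> 0 if every file in DIR is listed in SUMS and
# every listed file verifies; otherwise prints the problems and returns 1
verify_software_dir() {
    dir="$1"; sums="$2"; rc=0
    case "$sums" in /*) ;; *) sums="$PWD/$sums" ;; esac   # absolute for the cd below

    # 1. No stray files: anything not in SUMS would be chmod'ed and, if it is
    #    an .rpm, installed by the wildcard dnf command. Dotfiles included.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue                  # unmatched glob
        name=${f##*/}
        if ! awk '{ print $NF }' "$sums" | grep -qxF -- "$name"; then
            echo "unexpected file in software directory: $name"; rc=1
        fi
    done

    # 2. Every listed file is present and matches its hash; sha256sum -c
    #    reports both tampering and missing files as failures.
    if ! (cd "$dir" && sha256sum -c "$sums" >/dev/null 2>&1); then
        echo "checksum verification failed for one or more files in $dir"; rc=1
    fi
    return $rc
}

# Usage: verify_software_dir /path/to/nfmp-software /root/NFM-P-SHA256SUMS \
#        && chmod +x /path/to/nfmp-software/* \
#        && dnf install /path/to/nfmp-software/*.rpm
```

Keep the checksum file outside the software directory (the check would otherwise flag it as a stray file), and chain the install commands to the check with `&&` as in the usage line so that a failed verification stops the install.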
The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.
If this is the first installation of an NFM-P main or auxiliary server on the station, change the nsp password.
- Enter the following:
# passwd nsp ↵
The following prompt is displayed:
New Password:
- Enter a password. The following prompt is displayed:
Confirm Password:
- Re-enter the password.
Start the PKI server, regardless of whether you are using the automated or manual TLS configuration method; perform To configure and enable a PKI server.
Note: The PKI server is required for internal system configuration purposes.
If you are using the manual TLS deployment method, generate and distribute the required TLS files for the system, as described in To configure and enable a PKI server.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> configure ↵
The prompt changes to <main configure>.
As required, configure the general parameters in the following table.
Table 14-30: Primary main server parameters, general

| Parameter | Description |
|---|---|
| ip | The primary main server IP address. Default: IP address of primary network interface |
| domain | The NFM-P system identifier. Default: NFM-P |
| initial-admin-passwd | The NSP admin user password. It is strongly recommended that you change the password from the default; if you choose not to configure the parameter, the default password remains in effect. The parameter is configurable only during a main server installation. Note: The NFM-P uses the password configured on the first main server that initializes after the installation. A password must: |
| license | Absolute path of the NFM-P license zip file. You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file, or import a license, as described in the NSP System Administrator Guide. Default: — |
| fips | Whether FIPS security is enabled for network management. See Enabling FIPS security for NFM-P network management for information about using FIPS security. Default: false |
As required, configure the client parameters in the following table, and then enter back ↵.
Table 14-31: Primary main server parameters — client
Configure the database parameters in the following table, and then enter back ↵.
Note: The NFM-P uses the database backup settings to initialize the database during installation only. To change the backup settings after installation, you must use the Database Manager form in the NFM-P client GUI, as described in the NSP System Administrator Guide.
Table 14-32: Primary main server parameters — database
| Parameter | Description |
|---|---|
| ip | The IP address that the primary main server must use to reach the primary database. Default: — |
| instance | Primary database instance name. Default: maindb1 |
| user-password | Primary database user password. Default: available from technical support |
| backup-dest | The backup directory on the primary main database station. It is recommended that you specify a directory that can hold at least five times the expected database size, and can accommodate the database growth associated with network growth. Default: /opt/nsp/nfmp/dbbackup |
| backup-interval | How frequently, in hours, to back up the main database. Default: 24 |
| backup-sets | The number of main database backup sets to retain. Default: 3 |
If the NFM-P system is to include auxiliary servers, configure the aux parameters in the following table, and then enter back ↵.
Note: At least one auxiliary server that you specify must be a Preferred auxiliary server.
Table 14-33: Primary main server parameters — aux
| Parameter | Description |
|---|---|
| stats | If enabled, specifies that one or more auxiliary servers are to be used for statistics collection. Default: false |
| ip-to-auxes | The primary main server IP address that the auxiliary servers must use to reach the primary main server. Default: — |
| preferred-list | Comma-separated list of Preferred auxiliary server IP addresses. Default: — |
| reserved-list | Comma-separated list of Reserved auxiliary server IP addresses. Default: — |
| peer-list | Comma-separated list of Remote auxiliary server IP addresses. Default: — |
Enter the following:
<main> configure redundancy enabled ↵
The prompt changes to <main configure redundancy>.
Configure the general redundancy parameters in the following table.
Table 14-34: Primary main server parameters — redundancy
| Parameter | Description |
|---|---|
| ip-to-peer | The primary main server IP address that the standby main server must use for general communication. Default: IP address of primary network interface |
| rsync-ip | The primary main server IP address that the standby main server must use for data synchronization. Default: IP address of primary network interface |
Configure the database redundancy parameters in the following table, and then enter back ↵.
Table 14-35: Primary main server parameters — redundancy, database
| Parameter | Description |
|---|---|
| ip | The IP address that the primary main server must use to reach the standby database. Default: — |
| instance | The standby database instance name. Default: — |
| backup-sync | Whether database backup file synchronization is enabled. When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes. You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter; see the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization. You must set the parameter to the same value on each main server. Default: false |
| alignment | Whether automatic database alignment is enabled. If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components. For more information about database alignment, see the NSP System Administrator Guide. Default: false |
| preferred-instance | The name of the database instance with which the primary main server is to align. The parameter is configurable when the alignment parameter is enabled. Default: — |
| reinstantiation-delay | The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database. A value of 0 disables automatic database reinstantiation. Default: 60 |
Configure the peer-server redundancy parameters in the following table, and then enter back ↵.
Table 14-36: Primary main server parameters — redundancy, peer-server
| Parameter | Description |
|---|---|
| ip | The standby main server IP address that the primary main server uses for general communication. Default: — |
| hostname | The standby main server hostname that the primary main server uses for general communication. The parameter is configurable and mandatory when the hostname parameter in Step 76 is configured. If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value. Default: — |
| rsync-ip | The standby main server IP address that the primary main server uses for data synchronization. Default: — |
| public-ip | The IP address that the GUI and XML API clients must use to reach the standby main server. Default: — |
| jndi-port | The TCP port on the standby main server station used for EJB JNDI messaging to GUI clients. It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the standby main server. Default: 1099 |
| ip-to-auxes | The standby main server IP address that the auxiliary servers must use to reach the standby main server. You must configure the parameter if the NFM-P system includes one or more auxiliary servers. Default: — |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the standby main server |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the standby main server |
| snmp-port | The UDP port on the standby main server station on which it receives SNMP traps from the managed NEs (SNMP runs over UDP, not TCP; open the UDP port in any firewall on the path). Default: 162 |
| traplog-id | The SNMP trap log ID associated with the standby main server. Default: 98 |
Enter back ↵.
The prompt changes to <main configure>.
As required, configure the mediation parameters in the following table, and then enter back ↵.
Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.
Table 14-37: Primary main server parameters — mediation
| Parameter | Description |
|---|---|
| nat | Whether NAT is used between the main servers and the managed NEs. Default: false |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the primary main server. Default: IPv4 address of primary network interface |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the primary main server. Default: IPv6 address of primary network interface |
| snmp-port | The UDP port on the primary main server station to which the managed NEs send SNMP traps (SNMP runs over UDP, not TCP; open the UDP port in any firewall on the path). Default: 162 |
| traplog-id | The SNMP trap log ID associated with the primary main server. Default: 98 |
If required, configure the tls parameters in the following table, and then enter back ↵.
Table 14-38: Primary main server parameters — tls
| Parameter | Description |
|---|---|
| keystore-file | The absolute path of the TLS keystore file. To enable automated TLS deployment, enter no keystore-file. Default: — |
| keystore-pass | The TLS keystore password. Default: available from technical support |
| truststore-file | The absolute path of the TLS truststore file. To enable automated TLS deployment, enter no truststore-file. Default: — |
| truststore-pass | The TLS truststore password. Default: available from technical support |
| alias | The alias specified during keystore generation. You must configure the parameter. Default: — |
| pki-server | The PKI server IP address or hostname. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
| regenerate-certs | Whether to regenerate the internal TLS certificates. Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available. A new internal root certificate is available when the root certificate is reset, or when the PKI server is run on a station other than the station used for the previous certificate deployment. Default: false |
| hsts-enabled | Whether HSTS (HTTP Strict Transport Security) is enabled for browser clients. Default: false |
As required, configure the oss parameters in the following table, and then enter back ↵.
Note: The parameters are configurable only if no auxiliary servers are specified in Step 78. Otherwise, OSS access is restricted to the auxiliary servers, which require the configuration of OSS access parameters during installation.
Table 14-39: Primary main server parameters — oss
| Parameter | Description |
|---|---|
| secure | Whether communication between the main servers and the XML API clients is secured using TLS. Default: secure |
| public-ip | The IP address that the XML API clients must use to reach the primary main server. Default: IP address of primary network interface |
| xml-output | The directory in which to store the output of XML API file export operations. Default: /opt/nsp/nfmp/server/xml_output |
If the NFM-P includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.
Table 14-40: Primary main server parameters — auxdb
| Parameter | Description |
|---|---|
| enabled | Whether the auxiliary database is enabled in the main server configuration |
| secure | Whether TLS is enabled on the auxiliary database. If TLS is enabled on the main server, you must set the parameter to true, and enable TLS during the auxiliary database installation. Default: true |
| ip-list | A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format: cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn where cluster_1_IP1, cluster_1_IP2, cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center, and cluster_2_IP1, cluster_2_IP2, cluster_2_IPn are the external IP addresses of the stations in the other data center (required only for a geo-redundant auxiliary database). Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system. Default: — |
| oam-test-results | Whether the auxiliary database is to store OAM test results. Default: false |
| redundancy-level | Value of 0 or 1 that specifies whether the auxiliary database is to replicate data among multiple stations. If the auxiliary database is deployed on a single station, you must set the parameter to 0. Caution: After you configure an auxdb parameter and start the main server, you cannot modify the redundancy-level parameter. Default: 1 |
As required, configure the aa-stats parameters in the following table, and then enter back ↵.
Table 14-41: Primary main server parameters — aa-stats
Configure the nspos parameters in the following table, and then enter back ↵.
Table 14-42: Primary main server parameters — nspos
Configure the remote-syslog parameters in the following table, and then enter back ↵.
Table 14-43: Primary main server parameters — remote-syslog
| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.
Table 14-44: Primary main server parameters — server-logs-to-remote-syslog

| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P server logs in syslog format to a remote server. Default: disabled |
| secured | Whether the communication with the remote server is TLS-secured. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
If the NFM-P deployment includes the 1830 SMS netHSM, configure the hsm parameters in the following table; otherwise, go to Step 94.
Table 14-45: Primary main server parameters — hsm

| Parameter | Description |
|---|---|
| enabled | Whether HSM is enabled. Default: false |
| server-certs | The location of the 1830 SMS netHSM TLS client certificate for NFM-P access. Specify a client certificate location in the following format: address#file_path, where address is the 1830 SMS netHSM IP address or hostname, and file_path is the absolute path and file name of the certificate file on the 1830 SMS netHSM. Default: — |
| mode | Operation mode; 0 specifies one HSM instance with load balancing disabled, and 2 specifies load balancing among multiple instances. Default: 0 |
| client-key | The auto-generated TLS key file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication. Default: client.key |
| client-cert | The auto-generated TLS certificate file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication. Default: client.cert |
By default, the NFM-P generates TLS authentication files for web-client access to the NFM-P HSM server.
If you want to provide your own TLS authentication files, configure the twoway HSM parameters in the following table, and then enter back ↵.
Table 14-46: Primary main server parameters — hsm, twoway

| Parameter | Description |
|---|---|
| keystore-file | The absolute path and name of the TLS keystore file for web-client access to the NFM-P HSM server. Default: — |
| keystore-pass | The keystore password. Default: — |
| keystore-alias | The keystore alias. Default: NSP |
| truststore-file | The absolute path and name of the TLS truststore file for web-client access to the NFM-P HSM server. Default: — |
| truststore-pass | The truststore password. Default: — |
| truststore-alias | The truststore alias. Default: NSP |
If the NFM-P is not integrated with an NSP cluster, you must skip this step.
If required, enable the forwarding of the EmsServer.log and server_console.log entries from the main server to NSP OpenSearch.
Enter the following:
<main configure> server-logs-to-opensearch enabled ↵
The prompt changes to <main configure server-logs-to-opensearch>.
Enter back ↵.
The prompt changes to <main configure>.
Verify the main server configuration.
- <main configure> show-detail ↵
  The main server configuration is displayed.
- When you are certain that the configuration is correct, enter the following:
  <main configure> back ↵
  The prompt changes to <main>.
Enter the following:
<main> apply ↵
The configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
If you want to enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.
Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.
Note: The parameter you must configure is displayed only if the ip-list parameter is set to a remote address.
Note: The parameter is configurable only if the secure and internal-certs parameters in the nspos section are set to true.
- # samconfig -m main ↵
  The following is displayed:
  Start processing command line inputs...
  <main>
- <main> configure nspos mtls-kafka-enabled back ↵
- <main> apply ↵
  The configuration is applied.
- <main> exit ↵
  The samconfig utility closes.
Enable Windows Active Directory access
If you intend to use Windows Active Directory, or AD, for single-sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 119.
Open the following file as a reference for use in subsequent steps:
/opt/nsp/os/install/examples/config.yml
Note: Consider the following.
- The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.
- Windows AD supports the following LDAP server types for remote authentication:
  - AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.
  - AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager REST API.
Locate the section that begins with the following lines:
```yaml
# ldap:
#   enabled: true
#   servers:
#     - type: AUTHENTICATED/AD/ANONYMOUS
#       url: ldaps://ldap.example.com:636
#       security: SSL/STARTTLS/NONE
```
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
Locate the section that begins with the following line:
"sso": {
The section has one subsection for each type of SSO access.
Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.
In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.
The following example shows the LDAP configuration for two AD servers:
```json
"ldap": {
    "enabled": true,
    "servers": [
        {
            "type": "auth_type",
            "url": "ldaps://server1:port",
            "server1_parameter_1": "value",
            "server1_parameter_2": "value",
            .
            .
            "server1_parameter_n": "value"
        },
        {
            "type": "auth_type",
            "url": "ldaps://server2:port",
            "server2_parameter_1": "value",
            "server2_parameter_2": "value",
            .
            .
            "server2_parameter_n": "value"
        }
    ]
}
```
where auth_type is AD or AUTHENTICATED
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The AD LDAP configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Enable CAC access
If you do not intend to enable Common Access Card, or CAC, technology for NFM-P client access, go to Step 119.
Download the federationmetadata.xml from the following ADFS link:
https://ADFS_server_name/FederationMetadata/2007-06/federationmetadata.xml
where ADFS_server_name is the ADFS server FQDN
Add an ADFS server entry to the /etc/hosts file on the main server.
- Open the /etc/hosts file using a plain-text editor such as vi.
- Add the following line below the line that contains the main server IP address:
  IP_address FQDN
  where
  IP_address is the IP address of the ADFS server
  FQDN is the FQDN of the ADFS server
In order to enable CAC for client access, you must configure Active Directory Federation Services, or ADFS.
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
In the sso section, create an saml2 subsection as shown below using the parameter names from the saml2 section of config.yml and the required values for your configuration.
The following example shows the ADFS configuration.
Note: You must preserve the lead spacing of each line.
```json
"sso" : {
    "saml2": {
        "enabled": true,
        "service_provider_entity_id": "NFM-P_identifier",
        "service_provider_metadata_filename": "casmetadata.xml",
        "maximum_authentication_lifetime": 3600,
        "accepted_skew": 300,
        "destination_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        "identity_provider_metadata_path": "ADFS_metadata_file",
        "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
        "authn_context_comparison_type": "minimum",
        "name_id_policy_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "force_auth": true,
        "passive": false,
        "wants_assertions_signed": false,
        "wants_responses_signed": false,
        "all_signature_validation_disabled": false,
        "sign_service_provider_metadata": false,
        "principal_id_attribute": "UPN",
        "use_name_qualifier": false,
        "provider_name": "ADFS_server_URI",
        "requested_attributes": [{
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "friendly_name": "E-Mail Address",
            "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "required": false
        } ],
        "mapped_attributes": [{
            "name": "http://schemas.xmlsoap.org/claims/Group",
            "mapped_to": "authorizationProfile"
        }, {
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "mapped_to": "upn"
        } ]
    },
```
Configure the following parameters; leave all other parameters at the default:
- NFM-P_identifier is the unique ADFS Relying Trust Party identifier
- ADFS_metadata_file is the absolute path of the ADFS metadata XML file, for example, /opt/federationmetadata.xml
- ADFS_server_name is the ADFS server FQDN
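Hand-editing config.json is where unbalanced brackets and wrong values creep in, so the following added Python (not Nokia code and not from this guide) builds the ldap subsection from the Windows AD steps and the saml2 subsection from the CAC/ADFS steps above, checks the constraints those steps state (server type AD or AUTHENTICATED, a url of the form ldaps://server:port, group_base_dn for an AD-type server, an absolute ADFS metadata path), and inserts both into the sso section through a JSON round trip that rejects a malformed file. The hostnames, DN, relying party identifier and metadata path used in the comments are constructed placeholders, and sso_section is a helper of this example.

```python
"""Build and check the sso.ldap and sso.saml2 subsections of config.json.
Added example, not NFM-P product code; sample hosts, DNs and paths are constructed."""
import copy
import json
import os
from typing import Any, Dict, List
from urllib.parse import urlsplit

# The two LDAP server types the Windows AD steps list for AD remote authentication.
LDAP_TYPES = ("AD", "AUTHENTICATED")

def ldap_server_problems(entry: Dict[str, Any]) -> List[str]:
    """Return the problems found in one sso.ldap.servers entry; empty means OK."""
    problems: List[str] = []
    if entry.get("type") not in LDAP_TYPES:
        problems.append(f"type must be one of {LDAP_TYPES}")
    try:  # the guide shows url as ldaps://server:port
        url = urlsplit(str(entry.get("url", "")))
        url_ok = url.scheme == "ldaps" and bool(url.hostname) and url.port is not None
    except ValueError:  # non-numeric port
        url_ok = False
    if not url_ok:
        problems.append("url must have the form ldaps://server:port")
    if entry.get("type") == "AD" and not entry.get("group_base_dn"):
        problems.append("AD servers derive the user group from group_base_dn")
    return problems

def ldap_subsection(servers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """The sso.ldap subsection for one or more AD servers, validated first."""
    problems = [p for entry in servers for p in ldap_server_problems(entry)]
    if not servers or problems:
        raise ValueError("invalid LDAP configuration: " + "; ".join(problems or ["no servers"]))
    return {"enabled": True, "servers": [dict(entry) for entry in servers]}

# The ADFS example from the guide, minus the three placeholders filled in below.
SAML2_TEMPLATE: Dict[str, Any] = {
    "enabled": True,
    "service_provider_metadata_filename": "casmetadata.xml",
    "maximum_authentication_lifetime": 3600,
    "accepted_skew": 300,
    "destination_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "authn_context_comparison_type": "minimum",
    "name_id_policy_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "force_auth": True,
    "passive": False,
    "wants_assertions_signed": False,
    "wants_responses_signed": False,
    "all_signature_validation_disabled": False,
    "sign_service_provider_metadata": False,
    "principal_id_attribute": "UPN",
    "use_name_qualifier": False,
    "requested_attributes": [{
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "friendly_name": "E-Mail Address",
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "required": False,
    }],
    "mapped_attributes": [
        {"name": "http://schemas.xmlsoap.org/claims/Group", "mapped_to": "authorizationProfile"},
        {"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "mapped_to": "upn"},
    ],
}

def saml2_subsection(entity_id: str, metadata_path: str, adfs_server_uri: str) -> Dict[str, Any]:
    """Fill the placeholders the ADFS step names; every other key keeps its template value."""
    if not os.path.isabs(metadata_path):
        raise ValueError("identity_provider_metadata_path must be an absolute path")
    section = copy.deepcopy(SAML2_TEMPLATE)
    section["service_provider_entity_id"] = entity_id
    section["identity_provider_metadata_path"] = metadata_path
    section["provider_name"] = adfs_server_uri
    return section

def add_sso_subsections(config_text: str, **subsections: Dict[str, Any]) -> str:
    """Insert subsections (ldap=..., saml2=...) into the sso section of a config.json
    document and return the re-serialized text; json.loads rejects a malformed file."""
    config = json.loads(config_text)
    sso = config.setdefault("sso", {})
    for name, section in subsections.items():
        if name in sso:
            raise ValueError(f"sso already contains a {name!r} subsection")
        sso[name] = section
    return json.dumps(config, indent=4)

def sso_section(config_text: str) -> Dict[str, Any]:
    """Parse a config.json document and return its sso section."""
    return json.loads(config_text).get("sso", {})

if __name__ == "__main__":
    # Constructed starting point: an sso section with no subsections yet.
    print(add_sso_subsections('{"sso": {}}',
        ldap=ldap_subsection([{"type": "AD", "url": "ldaps://dc1.example.test:636",
                               "group_base_dn": "OU=Groups,DC=example,DC=test"}]),
        saml2=saml2_subsection("nfmp-sp", "/opt/federationmetadata.xml",
                               "https://adfs.example.test/adfs/services/trust")))
```

The same functions apply when the ldap subsection is created again on the standby main server later in this procedure.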
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The ADFS configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Start primary main server
Start the primary main server.
Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.
- bash$ cd /opt/nsp/nfmp/server/nms/bin ↵
- bash$ ./nmsserver.bash start ↵
- bash$ ./nmsserver.bash appserver_status ↵
  The server status is displayed; the server is fully initialized if the status is the following:
  Application Server process is running. See nms_status for more detail.
  If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.
If you have enabled CAC for NFM-P client access, download the casmetadata.xml file from the following URL, and then import the file into the ADFS server relying-trust-party:
https://server/cas/sp/metadata
where server is the main server IP address or hostname
After the download, the casmetadata.xml file is available in the following directory on the main server:
/opt/nsp/os/tomcat/conf/cas/saml
If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, you must add the LDAP server bind credentials to the NSP security configuration.
Use the NSP Session Manager REST API to add the bind credentials; see the Network Developer Portal for information.
Specify the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.
- bash$ ./nmsdeploytool.bash clientmem -option ↵
  where option is one of the following:
- Record the setting, which is not preserved through an upgrade, for future use.
- Enter the following to commit the configuration change:
  bash$ ./nmsdeploytool.bash deploy ↵
Close the console window.
Install GUI client
You require an NFM-P GUI client to complete the procedure; see the following for information:
Note: Single-user GUI client installation takes less time, so may be the preferred option if your maintenance period is limited; you can uninstall an unused single-user client after you complete the procedure.
See the NSP NFM-P User Guide for information about using the NFM-P GUI to view and manage objects.
Instantiate standby database
Open an NFM-P GUI client as the admin user.
Choose Administration→System Information from the main menu. The System Information form opens.
Click Re-Instantiate Standby.
Click Yes to confirm the action. The instantiation begins, and the GUI status bar displays the current phase of the operation.
Note: Database instantiation takes considerable time if the database contains a large amount of statistics data.
You can also use the System Information form to monitor the operation progress. The Last Attempted Standby Re-instantiation Time is the start time; the Standby Re-instantiation State changes from In Progress to Success when the instantiation is complete.
When the instantiation is complete, close the System Information form.
Install standby main server
Log in as the root user on the standby main server station.
Open a console window.
Navigate to the NFM-P software directory.
Note: Ensure that the directory contains only the installation files.
Enter the following:
# chmod +x * ↵
Enter the following:
# dnf install *.rpm ↵
The dnf utility resolves any package dependencies, and displays the following prompt:
Total size: nn G
Installed size: nn G
Is this ok [y/d/N]:
Enter y. The following and the installation status are displayed as each package is installed:
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction check
The package installation is complete when the following is displayed:
Complete!
The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.
If this is the first installation of an NFM-P main or auxiliary server on the station, change the nsp password.
- # passwd nsp ↵
  The following prompt is displayed:
  New Password:
- The following prompt is displayed:
  Confirm Password:
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> configure ↵
The prompt changes to <main configure>.
As required, configure the general parameters in the following table.
Table 14-47: Standby main server parameters — general

| Parameter | Description |
|---|---|
| ip | The standby main server IP address. Default: IP address of primary network interface |
| domain | The NFM-P system identifier. Default: NFM-P |
| initial-admin-passwd | The NSP admin user password, which must match the password specified in the primary main server configuration. It is strongly recommended that you change the password from the default; if you choose not to configure the parameter, the default password remains in effect. The parameter is configurable only during a main server installation. Note: The NFM-P uses the password configured on the first main server that initializes after the installation. A password must: |
| license | Absolute path of the NFM-P license zip file. You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file, or import a license, as described in the NSP System Administrator Guide. Default: — |
| fips | Whether FIPS security is enabled for network management. See Enabling FIPS security for NFM-P network management for information about using FIPS security. Default: false |
As required, configure the client parameters in the following table, and then enter back ↵.
Table 14-48: Standby main server parameters — client
Configure the database parameters in the following table, and then enter back ↵.
Note: The NFM-P uses the database backup settings to initialize the database during installation only. To change the backup settings after installation, you must use the Database Manager form in the NFM-P client GUI, as described in the NSP System Administrator Guide.
Table 14-49: Standby main server parameters — database

| Parameter | Description |
|---|---|
| ip | The IP address that the standby main server must use to reach the standby database. Default: — |
| instance | Standby database instance name. You must set this parameter to the same value as the instance parameter in Step 81. Default: maindb1 |
| user-password | Standby database user password. Default: available from technical support |
| backup-dest | The backup directory on the primary main database station. It is recommended that you specify a directory that can hold at least five times the expected database size, and can accommodate the database growth associated with network growth. Default: /opt/nsp/nfmp/dbbackup |
| backup-interval | How frequently, in hours, to back up the main database. Default: 24 |
| backup-sets | The number of main database backup sets to retain. Default: 3 |
If the NFM-P system is to include auxiliary servers, configure the aux parameters in the following table, and then enter back ↵.
Note: At least one auxiliary server that you specify must be a Preferred auxiliary server.
Table 14-50: Standby main server parameters — aux

| Parameter | Description |
|---|---|
| stats | If enabled, specifies that one or more auxiliary servers are to be used for statistics collection. Default: false |
| ip-to-auxes | The standby main server IP address that the auxiliary servers must use to reach the standby main server. Default: — |
| preferred-list | Comma-separated list of Preferred auxiliary server IP addresses. Default: — |
| reserved-list | Comma-separated list of Reserved auxiliary server IP addresses. Default: — |
| peer-list | Comma-separated list of Remote auxiliary server IP addresses. Default: — |
Enter the following:
<main> configure redundancy enabled ↵
The prompt changes to <main configure redundancy>.
Configure the general redundancy parameters in the following table.
Table 14-51: Standby main server parameters — redundancy

| Parameter | Description |
|---|---|
| ip-to-peer | The standby main server IP address that the primary main server must use for general communication. Default: IP address of primary network interface |
| rsync-ip | The standby main server IP address that the primary main server must use for data synchronization. Default: IP address of primary network interface |
Configure the database redundancy parameters in the following table, and then enter back ↵.
Table 14-52: Standby main server parameters — redundancy, database

| Parameter | Description |
|---|---|
| ip | The IP address that the standby main server must use to reach the primary database. Default: — |
| instance | Primary database instance name. Default: — |
| backup-sync | Whether database backup file synchronization is enabled. When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes. You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter. See the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization. You must set the parameter to the same value on each main server. Default: false |
| alignment | Whether automatic database alignment is enabled. If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components. For more information about database alignment, see the NSP System Administrator Guide. Default: false |
| preferred-instance | The name of the database instance with which the standby main server is to align. The parameter is configurable when the alignment parameter is enabled. Default: — |
| reinstantiation-delay | The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database. A value of 0 disables automatic database reinstantiation. Default: 60 |
Configure the peer-server redundancy parameters in the following table, and then enter back ↵.
Table 14-53: Standby main server parameters — redundancy, peer-server

| Parameter | Description |
|---|---|
| ip | The primary main server IP address that the standby main server must use for general communication. Default: — |
| hostname | The primary main server hostname that the standby main server must use for general communication. The parameter is configurable and mandatory when the hostname parameter in Step 140 is configured. If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value. Default: — |
| rsync-ip | The primary main server IP address that the standby main server must use for data synchronization. Default: — |
| public-ip | The IP address that the GUI clients, XML API clients, and auxiliary servers must use to reach the primary main server. Default: — |
| jndi-port | The TCP port on the primary main server station used for EJB JNDI messaging to GUI clients. It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the primary main server. Default: 1099 |
| ip-to-auxes | The primary main server IP address that the auxiliary servers must use to reach the primary main server. You must configure the parameter if the NFM-P system includes one or more auxiliary servers. Default: — |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the primary main server |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the primary main server |
| snmp-port | The TCP port on the primary main server station used for SNMP communication with the managed NEs. Default: 162 |
| traplog-id | The SNMP trap log ID associated with the primary main server. Default: 98 |
Enter back ↵.
The prompt changes to <main configure>.
As required, configure the mediation parameters in the following table, and then enter back ↵.
Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.
Table 14-54: Standby main server parameters — mediation

| Parameter | Description |
|---|---|
| nat | Whether NAT is used between the main servers and the managed NEs. Default: false |
| snmp-ipv4 | The IPv4 address that the managed NEs must use to reach the standby main server. Default: IPv4 address of primary network interface |
| snmp-ipv6 | The IPv6 address that the managed NEs must use to reach the standby main server. Default: IPv6 address of primary network interface |
| snmp-port | The TCP port on the standby main server station that the managed NEs must use to reach the standby main server. Default: 162 |
| traplog-id | The SNMP trap log ID associated with the standby main server. Default: 98 |
If you are not using the PKI server to configure TLS, the standby main server requires a copy of the NFM-P TLS keystore and truststore files that are used by the primary main server.
Ensure that the required TLS keystore and truststore files are in a temporary location on the standby main server station.
Caution: The files must not be in the /opt/nsp/os/tls directory on the standby main server station, or the TLS configuration fails.
Note: The nsp user must be the owner of the directory path to the location.
If required, configure the tls parameters in the following table, and then enter back ↵.
Table 14-55: Standby main server parameters — tls

| Parameter | Description |
|---|---|
| keystore-file | The absolute path of the TLS keystore file. To enable automated TLS deployment, enter no keystore-file. Default: — |
| keystore-pass | The TLS keystore password. Default: available from technical support |
| truststore-file | The absolute path of the TLS truststore file. To enable automated TLS deployment, enter no truststore-file. Default: — |
| truststore-pass | The TLS truststore password. Default: available from technical support |
| alias | The alias specified during keystore generation. You must configure the parameter. Default: — |
| pki-server | The PKI server IP address or hostname. Default: — |
| pki-server-port | The TCP port on which the PKI server listens for and services requests. Default: 2391 |
| regenerate-certs | Whether to regenerate the internal TLS certificates. Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available. A new internal root certificate is available when the root certificate is reset, or when the PKI server is run on a station other than the station used for the previous certificate deployment. Default: false |
| hsts-enabled | Whether HSTS browser security is enabled. Default: false |
As required, configure the oss parameters in the following table, and then enter back ↵.
Note: The parameters are configurable only if no auxiliary servers are specified in Step 142. Otherwise, OSS access is restricted to the auxiliary servers, which require the configuration of OSS access parameters during installation.
Table 14-56: Standby main server parameters — oss

| Parameter | Description |
|---|---|
| secure | Whether communication between the main servers and the XML API clients is secured using TLS. Default: secure |
| public-ip | The IP address that the XML API clients must use to reach the standby main server. Default: IP address of primary network interface |
| xml-output | The directory in which to store the output of XML API file export operations. Default: /opt/nsp/nfmp/server/xml_output |
If the NFM-P includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.
Table 14-57: Standby main server parameters — auxdb

| Parameter | Description |
|---|---|
| enabled | Whether the auxiliary database is enabled in the main server configuration |
| secure | Whether TLS is enabled on the auxiliary database. If TLS is enabled on the main server, you must set the parameter to true, and enable TLS during the auxiliary database installation. Default: true |
| ip-list | A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format: cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn ↵ where cluster_1_IP1, cluster_1_IP2, cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center, and cluster_2_IP1, cluster_2_IP2, cluster_2_IPn are the external IP addresses of the stations in the other data center; required only for a geo-redundant auxiliary database. Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system. Default: — |
| oam-test-results | Whether the auxiliary database is to store OAM test results. Default: false |
| redundancy-level | Boolean value that specifies whether the auxiliary database is to replicate data among multiple stations. If the auxiliary database is deployed on a single station, you must set the parameter to 0. Caution: After you configure an auxdb parameter and start the main server, you cannot modify the redundancy-level parameter. Default: 1 |
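The ip-list and redundancy-level rules in the auxdb table above (the same rules apply to the primary main server's auxdb table earlier in this procedure) are easy to get wrong when typed on two stations, so the following added Python, which is not Nokia code and not from this guide, parses an ip-list value, validates every address, enforces at most two data-center clusters, derives the redundancy-level a single-station deployment requires, and compares the primary and standby values for the identical ordering a geo-redundant auxiliary database needs. All addresses in the comments and checks are constructed samples from documentation ranges.

```python
"""Parse and check the samconfig auxdb ip-list value.

Added example, not part of the NFM-P documentation or product code.
Addresses used in comments and checks are constructed samples.
"""
import ipaddress
from typing import List, Optional

# One inner list per data-center cluster, in the order given on the main server.
Clusters = List[List[str]]


def parse_ip_list(value: str) -> Clusters:
    """Parse 'c1_ip1,c1_ip2;c2_ip1,c2_ip2' into clusters of normalized addresses.

    One cluster means a non-geo-redundant deployment; a second cluster is the
    other data center of a geo-redundant auxiliary database. Addresses are
    normalized (IPv6 case and zero compression) so that the values configured
    on two main servers can be compared exactly.
    """
    text = value.strip().rstrip("↵").strip()  # tolerate the guide's Enter marker
    if not text:
        raise ValueError("ip-list must not be empty")
    clusters: Clusters = []
    for cluster_text in text.split(";"):
        members = [m.strip() for m in cluster_text.split(",")]
        if not all(members):
            raise ValueError(f"empty address in cluster {cluster_text!r}")
        try:
            clusters.append([str(ipaddress.ip_address(m)) for m in members])
        except ValueError as exc:
            raise ValueError(f"ip-list contains a non-IP value: {exc}") from None
    if len(clusters) > 2:
        raise ValueError("ip-list may hold at most two data-center clusters")
    flat = [ip for cluster in clusters for ip in cluster]
    if len(set(flat)) != len(flat):
        raise ValueError("ip-list contains a duplicate address")
    return clusters


def ip_list_error(value: str) -> Optional[str]:
    """Return the reason an ip-list value is rejected, or None if it parses."""
    try:
        parse_ip_list(value)
    except ValueError as exc:
        return str(exc)
    return None


def is_geo_redundant(clusters: Clusters) -> bool:
    """True when the value names stations in two data centers."""
    return len(clusters) == 2


def required_redundancy_level(clusters: Clusters) -> int:
    """Table rule: a single-station auxiliary database needs redundancy-level 0;
    otherwise the default of 1 (replicate among stations) applies."""
    stations = sum(len(cluster) for cluster in clusters)
    return 0 if stations == 1 else 1


def ip_lists_match(primary_value: str, standby_value: str) -> bool:
    """True when the primary and standby main servers list the same clusters in
    the same order, as required for a geo-redundant auxiliary database."""
    return parse_ip_list(primary_value) == parse_ip_list(standby_value)


if __name__ == "__main__":
    # Constructed sample: two clusters of three stations (RFC 5737 ranges).
    sample = "192.0.2.11,192.0.2.12,192.0.2.13;198.51.100.11,198.51.100.12,198.51.100.13"
    clusters = parse_ip_list(sample)
    print(clusters, is_geo_redundant(clusters), required_redundancy_level(clusters))
```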
As required, configure the aa-stats parameters in the following table, and then enter back ↵.
Table 14-58: Standby main server parameters — aa-stats
Configure the nspos parameters in the following table, and then enter back ↵.
Table 14-59: Standby main server parameters — nspos
Configure the remote-syslog parameters in the following table, and then enter back ↵.
Table 14-60: Standby main server parameters — remote-syslog

| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.
Table 14-61: Standby main server parameters — server-logs-to-remote-syslog

| Parameter | Description |
|---|---|
| enabled | Enable the forwarding of the NFM-P server logs in syslog format to a remote server. Default: disabled |
| secured | Whether the communication with the remote server is TLS-secured. Default: disabled |
| syslog-host | Remote syslog server hostname or IP address. Default: — |
| syslog-port | Remote server TCP port. Default: — |
| ca-cert-path | Absolute local path of the public CA TLS certificate file copied from the remote server. The file requires nsp:nsp ownership. |
If the NFM-P deployment includes the 1830 SMS netHSM, configure the hsm parameters in the following table; otherwise, go to Step 159.
Table 14-62: Standby main server parameters — hsm

| Parameter | Description |
|---|---|
| enabled | Whether HSM is enabled. Default: false |
| server-certs | The location of the 1830 SMS netHSM TLS client certificate for NFM-P access. Specify a client certificate location in the following format: address#file_path, where address is the 1830 SMS netHSM IP address or hostname, and file_path is the absolute path and file name of the certificate file on the 1830 SMS netHSM. Default: — |
| mode | Operation mode; 0 specifies one HSM instance with load balancing disabled, and 2 specifies load balancing among multiple instances. Default: 0 |
| client-key | The auto-generated TLS key file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication. Default: client.key |
| client-cert | The auto-generated TLS certificate file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication. Default: client.cert |
By default, the NFM-P generates TLS authentication files for web-client access to the NFM-P HSM server.
If you want to provide your own TLS authentication files, configure the twoway HSM parameters in the following table, and then enter back ↵.
Table 14-63: Standby main server parameters — hsm, twoway

| Parameter | Description |
|---|---|
| keystore-file | The absolute path and name of the TLS keystore file for web-client access to the NFM-P HSM server. Default: — |
| keystore-pass | The keystore password. Default: — |
| keystore-alias | The keystore alias. Default: NSP |
| truststore-file | The absolute path and name of the TLS truststore file for web-client access to the NFM-P HSM server. Default: — |
| truststore-pass | The truststore password. Default: — |
| truststore-alias | The truststore alias. Default: NSP |
If the NFM-P is not integrated with an NSP cluster, you must skip this step.
If required, enable the forwarding of the EmsServer.log and server_console.log entries from the main server to NSP OpenSearch.
Enter the following:
<main configure> server-logs-to-opensearch enabled ↵
The prompt changes to <main configure server-logs-to-opensearch>.
Enter back ↵.
The prompt changes to <main configure>.
Verify the main server configuration.
- <main configure> show-detail ↵
  The main server configuration is displayed.
- When you are certain that the configuration is correct, enter the following:
  <main configure> back ↵
  The prompt changes to <main>.
Enter the following:
<main> apply ↵
The configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
If you want to enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.
Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.
Note: The parameter you must configure is displayed only if the ip-list parameter is set to a remote address.
Note: The parameter is configurable only if the secure and internal-certs parameters in the nspos section are set to true.
- # samconfig -m main ↵
  The following is displayed:
  Start processing command line inputs...
  <main>
- <main> configure nspos mtls-kafka-enabled back ↵
- <main> apply ↵
  The configuration is applied.
- <main> exit ↵
  The samconfig utility closes.
Enable Windows Active Directory access
If you intend to use Windows Active Directory, or AD, for single-sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 184.
Open the following file as a reference for use in subsequent steps:
/opt/nsp/os/install/examples/config.yml
Note: Consider the following.
- The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.
- Windows AD supports the following LDAP server types for remote authentication:
  - AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.
  - AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager REST API.
Locate the section that begins with the following lines:
# ldap:
# enabled: true
# servers:
# - type: AUTHENTICATED/AD/ANONYMOUS
# url: ldaps://ldap.example.com:636
# security: SSL/STARTTLS/NONE
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
Locate the section that begins with the following line:
"sso": {
The section has one subsection for each type of SSO access.
Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.
In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.
The following example shows the LDAP configuration for two AD servers:
"ldap": {
  "enabled": true,
  "servers": [
    {
      "type": "auth_type",
      "url": "ldaps://server1:port",
      "server1_parameter_1": "value",
      "server1_parameter_2": "value",
      .
      .
      "server1_parameter_n": "value"
    },
    {
      "type": "auth_type",
      "url": "ldaps://server2:port",
      "server2_parameter_1": "value",
      "server2_parameter_2": "value",
      .
      .
      "server2_parameter_n": "value"
    }
  ]
}
where auth_type is AD or AUTHENTICATED
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The AD LDAP configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Enable CAC access
If you do not intend to enable Common Access Card, or CAC, technology for NFM-P client access, go to Step 184.
Download the federationmetadata.xml from the following ADFS link:
https://ADFS_server_name/FederationMetadata/2007-06/federationmetadata.xml
where ADFS_server_name is the ADFS server FQDN
Add an ADFS server entry to the /etc/hosts file on the main server.
- Open the /etc/hosts file using a plain-text editor such as vi.
- Add the following line below the line that contains the main server IP address:
  IP_address FQDN
  where
  IP_address is the IP address of the ADFS server
  FQDN is the FQDN of the ADFS server
In order to enable CAC for client access, you must configure Active Directory Federation Services, or ADFS.
Open the following file using a plain-text editor such as vi:
/opt/nsp/os/install/config.json
In the sso section, create a saml2 subsection as shown below using the parameter names from the saml2 section of config.yml and the required values for your configuration.
The following example shows the ADFS configuration.
Note: You must preserve the lead spacing of each line.
"sso" : {
  "saml2": {
    "enabled": true,
    "service_provider_entity_id": "NFM-P_identifier",
    "service_provider_metadata_filename": "casmetadata.xml",
    "maximum_authentication_lifetime": 3600,
    "accepted_skew": 300,
    "destination_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "identity_provider_metadata_path": "ADFS_metadata_file",
    "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "authn_context_comparison_type": "minimum",
    "name_id_policy_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "force_auth": true,
    "passive": false,
    "wants_assertions_signed": false,
    "wants_responses_signed": false,
    "all_signature_validation_disabled": false,
    "sign_service_provider_metadata": false,
    "principal_id_attribute": "UPN",
    "use_name_qualifier": false,
    "provider_name": "ADFS_server_URI",
    "requested_attributes": [{
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "friendly_name": "E-Mail Address",
      "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "required": false
    } ],
    "mapped_attributes": [{
      "name": "http://schemas.xmlsoap.org/claims/Group",
      "mapped_to": "authorizationProfile"
    }, {
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
      "mapped_to": "upn"
    } ]
  },
Configure the following parameters; leave all other parameters at the default:
NFM-P_identifier is the unique ADFS Relying Trust Party identifier
ADFS_metadata_file is the absolute path of the ADFS metadata XML file, for example, /opt/federationmetadata.xml
ADFS_server_name is the ADFS server FQDN
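As an added example that is not part of this guide or of the NFM-P software, the following Python builds the sso.ldap subsection from the Windows AD step and the sso.saml2 subsection from this ADFS step, then checks the result before it is handed to samconfig apply. The key names are the ones shown in the examples above; the sample server entries, entity id, hostnames and the lint rules are assumptions.

```python
import json

# Constructed sample AD servers (names and values are assumptions, not from the guide).
EXAMPLE_SERVERS = [
    {"type": "AD", "url": "ldaps://server1:636", "security": "SSL"},
    {"type": "ANONYMOUS", "url": "ldap://server2:389", "security": "NONE"},
]

def add_ldap_section(config, servers):
    """Create sso.ldap with one entry per Windows AD server (type AD or AUTHENTICATED)."""
    config.setdefault("sso", {})["ldap"] = {"enabled": True, "servers": list(servers)}
    return config

def add_saml2_section(config, sp_entity_id, idp_metadata_path, provider_name):
    """Create sso.saml2 with the ADFS values the step asks for; other keys keep defaults."""
    config.setdefault("sso", {})["saml2"] = {
        "enabled": True,
        "service_provider_entity_id": sp_entity_id,
        "service_provider_metadata_filename": "casmetadata.xml",
        "identity_provider_metadata_path": idp_metadata_path,
        "principal_id_attribute": "UPN",
        "all_signature_validation_disabled": False,
        "provider_name": provider_name,
    }
    return config

def lint_sso(config):
    """Return the findings a reviewer would want fixed before 'samconfig apply'."""
    findings = []
    sso = config.get("sso", {})
    for i, srv in enumerate(sso.get("ldap", {}).get("servers", [])):
        if srv.get("type") not in ("AD", "AUTHENTICATED"):
            findings.append(f"ldap[{i}]: type must be AD or AUTHENTICATED for Windows AD")
        url, sec = srv.get("url", ""), srv.get("security")
        # Bind credentials and group lookups need TLS on the wire (ldaps:// or STARTTLS).
        if sec == "NONE" or not (url.startswith("ldaps://") or sec == "STARTTLS"):
            findings.append(f"ldap[{i}]: {url} would carry LDAP traffic in clear text")
    saml2 = sso.get("saml2")
    if saml2:
        if saml2.get("all_signature_validation_disabled"):
            findings.append("saml2: signature validation disabled; unsigned assertions accepted")
        if not saml2.get("identity_provider_metadata_path", "").startswith("/"):
            findings.append("saml2: identity_provider_metadata_path must be an absolute path")
    return findings

def render(config):
    """Serialise with indentation and re-parse to prove the braces and brackets balance."""
    text = json.dumps(config, indent=2)
    json.loads(text)
    return text
```

Write the text returned by render() into config.json only when lint_sso() returns no findings.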
Save and close the files.
Enter the following:
# samconfig -m main ↵
The following is displayed:
Start processing command line inputs...
<main>
Enter the following:
<main> apply ↵
The ADFS configuration is applied.
Enter the following:
<main> exit ↵
The samconfig utility closes.
Start standby main server
Start the standby main server.
Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.
- bash$ cd /opt/nsp/nfmp/server/nms/bin ↵
- bash$ ./nmsserver.bash start ↵
- bash$ ./nmsserver.bash appserver_status ↵
The server status is displayed; the server is fully initialized if the status is the following:
Application Server process is running. See nms_status for more detail.
If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.
If you have enabled CAC for NFM-P client access, download the casmetadata.xml file from the following URL, and then import the file into the ADFS server relying-trust-party:
https://server/cas/sp/metadata
where server is the main server IP address or hostname
After the download, the casmetadata.xml file is available in the following directory on the main server:
/opt/nsp/os/tomcat/conf/cas/saml
If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, you must add the LDAP server bind credentials to the NSP security configuration.
Use the NSP Session Manager REST API to add the bind credentials; see the Network Developer Portal for information.
Specify the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.
- bash$ ./nmsdeploytool.bash clientmem -option ↵
  where option is one of the following:
- Record the setting, which is not preserved through an upgrade, for future use.
- Enter the following to commit the configuration change:
  bash$ ./nmsdeploytool.bash deploy ↵
Close the console window.
Install optional components
Install and enable one or more auxiliary servers, if required; see Auxiliary server installation.
Install and enable an auxiliary database, if required; see Auxiliary database installation.
Install and enable one or more NSP analytics servers, if required; see NSP analytics server installation for information.
Stop PKI server
If no other components are to be deployed, stop the PKI server by entering Ctrl+C in the console window.
Install additional GUI clients
Install additional NFM-P GUI clients or client delegate servers, as required; see the following for information:
Configure and enable firewalls
If you intend to use any firewalls between the NFM-P components, and the firewalls are disabled, configure and enable each firewall.
Perform one of the following.
- Configure each external firewall to allow the required traffic using the port assignments in the NSP Planning Guide, and enable the firewall.
- Configure and enable firewalld on each component station, as required.
End of steps