To enable or disable TLS on an NSP auxiliary database

Purpose
CAUTION: Service Outage

A change to the auxiliary database security settings requires a restart of each NFM-P main server and each NSP cluster, so is service-affecting.

Ensure that you perform the procedure only during a scheduled maintenance period.

CAUTION: Data Loss

No data is written to an auxiliary database unless the TLS setting on the auxiliary database (enabled or disabled) matches the auxiliary database security setting in the NSP and NFM-P.

You must ensure that the security settings on the auxiliary database cluster, the NSP cluster, and the NFM-P main server match.

The following steps describe how to enable or disable TLS for auxiliary database communication.

Note: TLS must be enabled in the NSP and NFM-P configurations before you can enable TLS on an auxiliary database.

Note: You require root user privileges on each auxiliary database station, each NFM-P main server station, and each NSP deployer host.

Note: You also require nsp user privileges on each NFM-P main server station.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

1 

Start the PKI server, if the server is not running; to do so, perform the procedure "To configure and enable a PKI server".

Note: The PKI server is required for internal system configuration purposes.


2 

Log in as the root user on an auxiliary database station.

Note: In a DR NSP deployment, you must log in on a station in the primary auxiliary database cluster.


3 

If you are configuring a standalone auxiliary database, go to Step 6.


Verify DR cluster-copy
 

4 

If you are upgrading the first auxiliary database cluster in a DR NSP deployment, you must verify the success of the most recent copy-cluster operation, which synchronizes the database data between the clusters.

Note: You must not proceed to the next step until the operation is complete and successful.

Issue the following RESTCONF API call periodically to check the copy-cluster status:

Note: In order to issue a RESTCONF API call, you require a token; see this tutorial on the Network Developer Portal for information.

GET https://address/RESTCONF/data/auxdb:/auxdb-agent

where address is the advertised address of the primary NSP cluster

The call returns a status of SUCCESS, as shown below, for a successfully completed copy-cluster operation:

<HashMap>
   <auxdb-agent>
      <name>nspos-auxdb-agent</name>
      <application-mode>ACTIVE</application-mode>
      <copy-cluster>
         <source-cluster>cluster_M</source-cluster>
         <target-cluster>cluster_N</target-cluster>
         <time-started>timestamp</time-started>
         <status>SUCCESS</status>
      </copy-cluster>
   </auxdb-agent>
</HashMap>
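The periodic check above can be scripted so that the operator does not proceed on a stale or misread status. The following POSIX shell functions are an added example and are not part of the NSP documentation or the NSP tooling: copy_cluster_status extracts the status element from the auxdb-agent response, and wait_for_copy_cluster polls the RESTCONF resource until it reports SUCCESS. The sample response is constructed from the document shown above; NSP_TOKEN is an assumed environment variable holding the token obtained for the RESTCONF API, sending it as a bearer token is an assumption, and curl is assumed to be installed on the host where the check runs.

```shell
#!/bin/sh
# Added example, not from the NSP documentation: poll the auxdb-agent
# RESTCONF resource until the copy-cluster status is SUCCESS.
# Assumed: NSP_TOKEN holds a RESTCONF token sent as a bearer token, curl is
# installed, and the address argument is the advertised address of the
# primary NSP cluster.

# Constructed sample of the documented response (not captured output).
SAMPLE_RESPONSE='<HashMap>
   <auxdb-agent>
      <name>nspos-auxdb-agent</name>
      <application-mode>ACTIVE</application-mode>
      <copy-cluster>
         <source-cluster>cluster_M</source-cluster>
         <target-cluster>cluster_N</target-cluster>
         <time-started>timestamp</time-started>
         <status>SUCCESS</status>
      </copy-cluster>
   </auxdb-agent>
</HashMap>'

# Read an auxdb-agent XML document on stdin, print the copy-cluster status
# (UNKNOWN if no <status> element is present), and return 0 only for SUCCESS.
copy_cluster_status() {
    status=$(sed -n 's:.*<status>\([^<]*\)</status>.*:\1:p' | head -n 1)
    printf '%s\n' "${status:-UNKNOWN}"
    [ "$status" = "SUCCESS" ]
}

# Poll GET https://<address>/RESTCONF/data/auxdb:/auxdb-agent every
# <interval> seconds, at most <attempts> times, until SUCCESS is reported.
# Usage: wait_for_copy_cluster <address> [interval] [attempts]
wait_for_copy_cluster() {
    address=$1; interval=${2:-30}; attempts=${3:-20}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if curl -sS -f -H "Authorization: Bearer $NSP_TOKEN" \
               "https://$address/RESTCONF/data/auxdb:/auxdb-agent" \
           | copy_cluster_status; then
            echo "copy-cluster completed successfully after $n check(s)"
            return 0
        fi
        sleep "$interval"
    done
    echo "copy-cluster did not reach SUCCESS after $attempts checks; do not proceed" >&2
    return 1
}

# Offline demonstration on the constructed sample: prints SUCCESS.
printf '%s\n' "$SAMPLE_RESPONSE" | copy_cluster_status
```

A non-zero return from wait_for_copy_cluster is the signal to stop and investigate rather than continue to the proxy shutdown; the function never reports success on an empty or unparseable response.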


Stop database proxies
 

5 

Perform the following steps on each auxiliary database station in each auxiliary database cluster to stop the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl status nspos-auxdbproxy ↵

    The proxy status is displayed; the proxy is stopped if the status includes the following:

    Active: inactive

  5. You must ensure that the proxy is stopped.

    If the proxy is not stopped, repeat substep 4.


Configure TLS, standalone or primary auxiliary database cluster
 

6 

Open the following file using a plain-text editor such as vi:

/opt/nsp/nfmp/auxdb/install/config/install.config


7 

CAUTION: Service disruption

Changing a parameter in the auxiliary database install.config file can have serious consequences that include service disruption.

Do not change any parameter in the install.config file, other than the parameters described in the step, without guidance from technical support.

Edit the following lines in the file to read as shown below:

Note: TLS must be enabled in the NSP and NFM-P configurations before you can enable TLS on an auxiliary database.

secure=value

pki_server=server

pki_server_port=port

where

value is true or false, and indicates whether TLS is enabled

server is the PKI server IP address or hostname

port is the PKI server port number
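Because the caution above forbids touching any other line in install.config, a scripted edit should validate the three values and rewrite only the lines named in this step. The following POSIX shell function is an added example and is not part of the NSP documentation or the auxdbAdmin.sh tooling; it assumes the file already contains secure=, pki_server= and pki_server_port= lines, as this step implies, and refuses to write if any of them is missing. The host name and port used in the demonstration are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the NSP documentation or the auxdbAdmin.sh tooling:
# set the three TLS keys in an auxiliary database install.config after
# validating the values, and leave every other line in the file untouched.
# Assumed: the file already contains secure=, pki_server= and
# pki_server_port= lines; the function refuses to write if one is missing.

# Usage: set_auxdb_tls <install.config> <true|false> <pki_server> <pki_server_port>
set_auxdb_tls() {
    cfg=$1; secure=$2; server=$3; port=$4

    case $secure in
        true|false) ;;
        *) echo "secure must be true or false, got '$secure'" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "pki_server_port must be numeric, got '$port'" >&2; return 2 ;;
    esac
    [ -n "$server" ] || { echo "pki_server must not be empty" >&2; return 2; }
    [ -f "$cfg" ]    || { echo "$cfg: no such file" >&2; return 2; }

    cp -p "$cfg" "$cfg.bak" || return 1        # keep a copy for rollback
    tmp=$(mktemp) || return 1
    # Rewrite only the three named keys; awk exits 3 if any of them is absent,
    # in which case the original file is left as it was.
    awk -v s="$secure" -v srv="$server" -v p="$port" '
        /^secure=/          { print "secure=" s;          seen_s = 1;   next }
        /^pki_server=/      { print "pki_server=" srv;    seen_srv = 1; next }
        /^pki_server_port=/ { print "pki_server_port=" p; seen_p = 1;   next }
        { print }
        END { if (!seen_s || !seen_srv || !seen_p) exit 3 }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the owner and mode of cfg
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 3 ] && echo "$cfg: secure=, pki_server= or pki_server_port= line is missing" >&2
    return $rc
}

# Print the value of one key=value line in the file (empty if absent).
# Usage: config_value <file> <key>
config_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}
```

The rejected inputs (a secure value other than true or false, a non-numeric port, an empty server) leave the file untouched, which matters here because a half-edited install.config is what the caution warns about.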


8 

Save and close the install.config file.


9 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh configureTLS ↵

The script prompts for the auxiliary database dba password.


10 

Enter the required password.

The script configures TLS on the station.


11 

Perform the following steps on each auxiliary database station in the cluster.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


12 

If you are configuring a standalone auxiliary database, go to Step 32.


Configure TLS, standby auxiliary database cluster
 
13 

Log in as the root user on an auxiliary database station in the standby auxiliary database cluster.


14 

Perform the following steps on each auxiliary database station in the cluster.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


15 

Enter the following:

./auxdbAdmin.sh start ↵

The auxiliary database cluster starts.


16 

Open the following file using a plain-text editor such as vi:

/opt/nsp/nfmp/auxdb/install/config/install.config


17 
CAUTION: Service disruption

Changing a parameter in the auxiliary database install.config file can have serious consequences that include service disruption.

Do not change any parameter in the install.config file, other than the parameters described in the step, without guidance from technical support.

Edit the following lines in the file to read as shown below:

secure=value

pki_server=server

pki_server_port=port

where

value is true or false, and indicates whether TLS is enabled

server is the PKI server IP address or hostname

port is the PKI server port number


18 

Save and close the install.config file.


19 

Enter the following:

/opt/nsp/nfmp/auxdb/install/bin/auxdbAdmin.sh configureTLS ↵

The script sequentially prompts for the root user password of each auxiliary database station.


20 

Enter the required password at each prompt. The script configures TLS on the station.


21 

Enter the following:

./auxdbAdmin.sh stop ↵

The auxiliary database cluster stops.


22 

Perform the following steps on each auxiliary database station in the cluster.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl stop nspos-auxdbproxy.service ↵

  4. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵


Start database proxies
 
23 

Perform the following steps on each auxiliary database station in each auxiliary database cluster to start the database proxy.

  1. Log in to the station as the root user.

  2. Open a console window.

  3. Enter the following:

    systemctl start nspos-auxdbproxy.service ↵

    The proxy starts.

  4. Enter the following to verify that the proxy is started:

    systemctl status nspos-auxdbproxy ↵

    The proxy status is displayed; the proxy is started if the status includes the following:

    Active: active


Configure NSP clusters
 
24 

Log in as the root user on the NSP deployer host in the standalone or primary NSP cluster.


25 

Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml


26 

Locate the following section:

    auxDb:
      secure: "value"
      ipList: "local_cluster_IPs"
      standbyIpList: "peer_cluster_IPs"

where value is true or false, and specifies whether TLS is enabled


27 

Set the secure parameter to true or false, as required.
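The Data Loss caution at the start of this procedure is the reason this value must agree with the secure= line in the auxiliary database install.config: on a mismatch, nothing is written to the auxiliary database. The following POSIX shell functions are an added example, not part of the NSP documentation or tooling, that read both settings and fail loudly on a mismatch before the cluster is started. They assume both files are readable on the host where the check runs (copy them over if they are not); the NFM-P side, which is set through samconfig, is not covered. The sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the NSP documentation: verify that the auxiliary
# database TLS setting (secure= in install.config) matches the NSP cluster
# setting (auxDb.secure in nsp-config.yml) before anything is restarted.
# Assumed: both files are readable here; the NFM-P (samconfig) side is not
# checked by this script.

# Print the value of secure= from an auxiliary database install.config.
auxdb_secure() {
    sed -n 's/^secure=//p' "$1" | head -n 1
}

# Print the value of secure: inside the auxDb: block of nsp-config.yml.
# Only lines indented deeper than auxDb: belong to the block, so a secure:
# key under some other section of the file is ignored.
nsp_auxdb_secure() {
    awk '
        function indent(s) { match(s, /^[[:space:]]*/); return RLENGTH }
        /^[[:space:]]*auxDb:/             { inblk = 1; base = indent($0); next }
        inblk && NF && indent($0) <= base { inblk = 0 }
        inblk && /^[[:space:]]*secure:/   { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Usage: check_auxdb_tls_consistent <install.config> <nsp-config.yml>
# Returns 0 when both values agree, 1 on a mismatch, 2 when either value
# could not be read (treat that as a failure too, not as "probably fine").
check_auxdb_tls_consistent() {
    a=$(auxdb_secure "$1"); n=$(nsp_auxdb_secure "$2")
    if [ -z "$a" ] || [ -z "$n" ]; then
        echo "could not read secure from $1 (got '$a') or $2 (got '$n')" >&2
        return 2
    fi
    if [ "$a" = "$n" ]; then
        echo "consistent: auxiliary database secure=$a, NSP auxDb.secure=$n"
        return 0
    fi
    echo "MISMATCH: auxiliary database secure=$a, NSP auxDb.secure=$n; fix before starting the cluster" >&2
    return 1
}
```

Run the check on the primary cluster's files and, in a DR deployment, again on the standby cluster's files; a return code of 1 or 2 means the nspdeployerctl step that follows should not be run yet.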


28 

Save and close the nsp-config.yml file.


29 

Enter the following to start the NSP cluster:

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

The NSP cluster starts, and the TLS configuration update is put into effect.


30 

If the NSP is a DR deployment, perform Step 24 to Step 29 on the standby NSP cluster.


31 

If no other components are to be deployed, stop the PKI server by entering Ctrl+C in the console window.


Configure NFM-P
 
32 

If the NSP deployment includes the NFM-P, perform Step 33 to Step 35 on each main server; otherwise, go to Step 36.


33 

Stop the main server.

  1. Log in to the main server station as the nsp user.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash stop ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully stopped if the status is the following:

    Application Server is stopped

    If the server is not fully stopped, wait five minutes and then repeat this step. Do not perform the next step until the server is fully stopped.

  6. Enter the following to switch to the root user:

    bash$ su ↵


34 

When the main server is stopped, enable secure auxiliary database communication on the main server.

  1. Enter the following:

    samconfig -m main ↵

    The following is displayed:

    Start processing command line inputs...

    <main>

  2. Enter the following:

    <main> configure auxdb secure ↵

    The prompt changes to <main configure auxdb>.

  3. Enter the following:

    <main configure auxdb> exit ↵

    The prompt changes to <main>.

  4. Enter the following:

    <main> apply ↵

    The configuration is applied.

  5. Enter the following:

    <main> exit ↵

    The samconfig utility closes.


35 

Start the main server.

  1. Enter the following to switch back to the nsp user:

    su ↵

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash start ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.


36 

Close the open console windows.

End of steps