To migrate from CAS to OAUTH2 NSP user authentication

Purpose

CAUTION

Service disruption

Performing the procedure requires a restart of each NSP cluster, which is service-affecting.

You must perform the procedure only during a scheduled maintenance period.

Nokia strongly recommends migrating from the deprecated CAS authentication mode to OAUTH2 authentication, as described in the following steps.

Steps

Prepare for migration

1	As required, edit NFM-P user accounts to prepare for importing to the NSP local user database; for example, remove duplicate user IDs, or enter e-mail addresses. Note: For users whose user account includes an e-mail address, the import operation sends a new randomly generated temporary password. Users who lack an e-mail address are assigned a global temporary password.
Undeploy standby NSP cluster

2	Log in as the root user on the NSP deployer host in the standby data center.
3	Open a console window.
4	Perform the following steps to preserve the existing cluster data. Open the following file using a plain-text editor such as vi: /opt/nsp/NSP-CN-DEP-old-release-ID/NSP-CN-old-release-ID/config/nsp-config.yml Edit the following line in the platform section, kubernetes subsection to read: `deleteOnUndeploy:false` Save and close the file.
5	Enter the following: `#` `cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵`
6	Enter the following: `#` `./nspdeployerctl uninstall --undeploy ↵`
Undeploy and configure primary NSP cluster

7	Log in as the root user on the NSP deployer host in the primary data center.
8	Open a console window.
9	Perform the following steps to preserve the existing cluster data. Open the following file using a plain-text editor such as vi: /opt/nsp/NSP-CN-DEP-old-release-ID/NSP-CN-old-release-ID/config/nsp-config.yml Edit the following line in the platform section, kubernetes subsection to read: `deleteOnUndeploy:false` Save and close the file.
10	Enter the following: `#` `cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵`
11	Enter the following: `#` `./nspdeployerctl uninstall --undeploy ↵`
12	Open the following file using a plain-text editor such as vi: /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml
13	Configure the authMode parameter in the sso section, as shown below. `sso:` `authMode: "oauth2"`
14	Configure other OAUTH2 parameters, as required, such as the following: session timeout or account lockout settings any NFM-P remote authentication sources that are migrating to the OAUTH2 configuration
15	Disable the CAS configuration; use a leading # symbol to comment out each CAS-specific SSO parameter line in the file.
16	Save and close the nsp-config.yml file.
17	Enter the following: `#` `cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵`
18	Enter the following: `#` `./nspdeployerctl install --config --deploy ↵` The NSP configuration change is put into effect, and OAUTH2 authentication is enabled.
Configure standby NSP cluster

19	Copy the secret files for OAUTH2 deployment from the NSP in DC A. If remote root access is disabled, switch to the designated root-equivalent user. Enter the following: `#` `mkdir -p /opt/nsp/nsp-configurator/generated ↵` Enter the following: `#` `scp address:/opt/nsp/nsp-configurator/generated/nsp-keycloak--secret /opt/nsp/nsp-configurator/generated/ ↵` where address* is the address of the NSP deployer host in DC A If remote root access is disabled, switch back to the root user.
20	On the standby NSP deployer host, open the following file using a plain-text editor such as vi: /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml
21	Configure the authMode parameter in the sso section, as shown below. `sso:` `authMode: "oauth2"`
22	Specify the same values for the OAUTH2 parameters that you configured in Step 14. Note: The primary and standby OAUTH2 configurations must match.
23	Disable the CAS configuration; use a leading # symbol to comment out each CAS-specific SSO parameter line in the file.
24	Save and close the nsp-config.yml file.
25	Enter the following: `#` `cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵`
26	Enter the following: `#` `./nspdeployerctl install --config --deploy ↵` The NSP configuration change is put into effect, and OAUTH2 authentication is enabled.
27	Close the open console windows.
Set OAUTH2 mode on NFM-P main servers

28	If the NSP deployment includes the NFM-P, you must configure each NFM-P main server to align with the NSP authentication mode. Otherwise, go to Step 41.
29	If the NFM-P system is redundant, perform Step 32 to Step 34 on the standby main server.
30	Perform Step 32 to Step 34 on the standalone or primary main server.
31	Go to Step 35.
32	Log in as the root user on the main server station.
33	Stop the main server. Enter the following to switch to the nsp user: `#` `su - nsp ↵` Enter the following: `bash$` `cd /opt/nsp/nfmp/server/nms/bin ↵` Enter the following to stop the main server: `bash$` `./nmsserver.bash stop ↵` Enter the following: `bash$` `./nmsserver.bash appserver_status ↵` The server status is displayed; the server is fully stopped if the status is the following: `Application Server is stopped` If the server is not fully stopped, wait five minutes and then repeat this step. Do not perform the next step until the server is fully stopped. Enter the following to switch back to the root user: `bash$` `su - ↵`
34	Update the main server configuration. Enter the following: `#` `samconfig -m main ↵` The following is displayed: `Start processing command line inputs...` `<main>` Enter the following: `<main>` `configure nspos authMode oauth2 ↵` The prompt changes to `<main configure nspos>`. Enter the following: `<main configure nspos>` `exit ↵` The prompt changes to `<main>`. Enter the following: `<main>` `apply ↵` The configuration is applied. Enter the following: `<main>` `exit ↵` The samconfig utility closes.
Start NFM-P main servers

35	Perform the following steps on each main server to start the main server. Note: You must perform the steps first on the standalone or primary main server. Enter the following to switch to the nsp user: `bash$` `su - nsp ↵` Enter the following: `bash$` `cd /opt/nsp/nfmp/server/nms/bin ↵` Enter the following to start the main server: `bash$` `./nmsserver.bash start ↵` Enter the following: `bash$` `./nmsserver.bash appserver_status ↵` The server status is displayed; the server is fully initialized if the status is the following: `Application Server process is running. See nms_status for more detail.` If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized. Close the console window.
Import NFM-P users and groups

36	Sign in to the NSP as the admin user. You are prompted to change your password.
37	Enter a new password. The NSP UI opens.
38	Open Users and Security.
39	Perform the NFM-P user import procedure in the NSP System Administrator Guide.
40	Inform each imported NFM-P user of the new password sent to their e-mail address, or of the global temporary password assigned to the user account, if an e-mail address is not assigned.
41	Close the open console windows. End of steps

To migrate from CAS to OAUTH2 NSP user authentication

Purpose

Steps

Prepare for migration

Undeploy standby NSP cluster

Undeploy and configure primary NSP cluster

Configure standby NSP cluster

Set OAUTH2 mode on NFM-P main servers

Start NFM-P main servers

Import NFM-P users and groups