Workflow for migration of NGE management from CLI to NFM-P

Stages

The following is the sequence of high-level actions required to migrate NGE management from CLI to NFM-P. Some steps may not be needed depending on the CLI and NFM-P configuration of the services and key group; see Migration scenarios.

 

Configure the global encryption label; see To create the NGE global encryption label.


Perform the prerequisite steps. These steps must be completed before starting to discover CLI-managed NGE nodes because migration is automatic when discovery starts.

Perform the following:

  1. Ensure the Global Encrypt label used on the CLI-managed nodes is identical to that configured in the NFM-P.

  2. Choose Manage→Network Group Encryption from the NFM-P main menu. The Manage Network Group Encryption form opens.

    Choose Key Group (NetworkGroupEncryption) from the drop-down menu and click Search to display the list of key groups.

  3. Verify that both the encryption and authentication algorithms of key groups on CLI-managed nodes are identical to those configured on the NFM-P.

  4. Disable re-keying for all key groups currently managed by the NFM-P if re-keying is enabled.

  5. Choose Manage→Network Group Encryption from the NFM-P main menu and choose Cleanup Scheduled Task from the drop-down menu. Select the NGE Scheduled Task and click Shut Down to disable the task.

  6. Check the list of Active Outbound Security Associations in the key group list against the CLI-allocated SPIs to verify that there are no SPI conflicts on the CLI-managed nodes.

  7. If SPI or algorithm conflicts are found, resolve them in CLI.
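The label, algorithm and SPI comparisons in the prerequisite steps above can be scripted once the values have been transcribed from the nodes and from the NFM-P key group list. The following is an added example, not Nokia code: the KeyGroup record, the function name, the sample values and the conflict rule (an SPI counts as conflicting when it is allocated to different key group IDs on the two sides) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyGroup:                 # hypothetical record, filled in by hand
    group_id: int
    encryption: str             # encryption algorithm name as displayed
    authentication: str         # authentication algorithm name as displayed
    spis: frozenset             # SPIs allocated in this key group

def premigration_findings(cli_label, nfmp_label, cli_groups, nfmp_groups):
    """Return (kind, detail) tuples; an empty list means nothing to resolve."""
    findings = []
    if cli_label != nfmp_label:
        findings.append(("label", f"CLI {cli_label} != NFM-P {nfmp_label}"))
    nfmp_by_id = {g.group_id: g for g in nfmp_groups}
    # Which NFM-P key group currently holds each SPI.
    spi_owner = {spi: g.group_id for g in nfmp_groups for spi in g.spis}
    for g in cli_groups:
        peer = nfmp_by_id.get(g.group_id)
        if peer is None:
            # Not a conflict: the key group must be created with the same ID.
            findings.append(("missing-group", f"key group {g.group_id} not on NFM-P"))
        elif (g.encryption, g.authentication) != (peer.encryption, peer.authentication):
            findings.append(("algorithm", f"key group {g.group_id}: CLI "
                             f"{g.encryption}/{g.authentication}, NFM-P "
                             f"{peer.encryption}/{peer.authentication}"))
        for spi in sorted(g.spis):
            owner = spi_owner.get(spi)
            # Assumed conflict rule: same SPI, different key group ID.
            if owner is not None and owner != g.group_id:
                findings.append(("spi", f"SPI {spi}: CLI key group {g.group_id}, "
                                 f"NFM-P key group {owner}"))
    return findings

# Constructed sample values, not taken from any real node or NFM-P system.
CLI_LABEL, NFMP_LABEL = 34, 34
CLI_GROUPS = [KeyGroup(1, "aes128", "sha256", frozenset({1, 2})),
              KeyGroup(2, "aes256", "sha512", frozenset({10})),
              KeyGroup(3, "aes128", "sha256", frozenset({20}))]
NFMP_GROUPS = [KeyGroup(1, "aes128", "sha256", frozenset({1, 2})),
               KeyGroup(2, "aes128", "sha256", frozenset({11})),
               KeyGroup(5, "aes128", "sha256", frozenset({20}))]

if __name__ == "__main__":
    for kind, detail in premigration_findings(CLI_LABEL, NFMP_LABEL,
                                              CLI_GROUPS, NFMP_GROUPS):
        print(f"[{kind}] {detail}")
```

Findings of kind "algorithm" and "spi" are the ones to resolve in CLI before discovery starts; "missing-group" only indicates that a key group with the same ID has to be created on the NFM-P later in the workflow.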


Discover the nodes in the NFM-P; see Workflow for device discovery.


If needed, create a key group with the same ID as configured in the CLI; see To create an NGE key group.


If needed, add the services to the key group and enable encryption:

  1. Choose Manage→Network Group Encryption from the NFM-P main menu. The Manage Network Group Encryption form opens.

    Choose Key Group (NetworkGroupEncryption) from the drop-down menu and click Search to display the list of key groups.

  2. Select a key group and click Properties. The Key Group (Edit) form opens.

  3. Click on the Encryption tab, then the sub-tab for the type of service you need to add.

  4. Click Add and use the form that opens to choose one or more objects.

  5. Add any other services that are configured to the key group.

  6. Click Encrypt Services to enable encryption.


Perform the following post-requisite steps:

  1. Choose Manage→Network Group Encryption from the NFM-P main menu and choose Cleanup Scheduled Task from the drop-down menu. Select the NGE Cleanup Scheduled Task.

  2. Click Turn Up to re-enable the NGE cleanup scheduled task, and Execute to run it.

    Nokia recommends running the NGE Cleanup Scheduled Task before re-keying is enabled. This will remove unused key groups and remove unused SPIs from the key group, allowing room for the new keys.

  3. Enable any re-keying schedules you disabled in Stage 2.