General description

General description

CAUTION Service Degradation

Ensure that you regularly remove from NFM-P the device software images that are no longer required; for example, by deleting the images.

An accumulation of device software images can dramatically increase the length of an operation such as an NFM-P database backup, restore, or reinstantiation.

This chapter contains information about how to perform an on-demand software upgrade on Wavence devices and the specific software upgrade policy requirements to perform the upgrade.

See Software upgrades on Wavence SCM devices for information about performing software upgrades on Wavence SCM devices.

To perform upgrades on Wavence devices discovered using the NSP, see the NSP Device Management Guide. For upgrades using the NFM-P, see the “NE software upgrades” chapter of the NSP NFM-P Classic Management User Guide for general software upgrade requirements and information.

The Wavence software is stored in two banks on a compact flash card:

• The committed bank contains the software that is currently running.

• The standby bank contains downloaded software that has not been activated, or software that was active before the current committed software.

Note:

• A Wavence NE that has never been upgraded displays only the committed bank. The standby bank is not displayed until new software is downloaded for the first time.

• You require an NFM-P user account with an administrator or network element software management scope of command role, or a scope of command role with write access to the mediation package, before you can perform a Wavence software download.

Wavence software upgrade policy requirements

Before performing a software upgrade, you must create a software upgrade policy that specifies the device family, software image, image backup location, and the actions to perform; for example, image download, activation, or ISSU. Using a software upgrade policy, an NFM-P operator can independently perform the image download, upgrade, and activation tasks.

The following conditions apply to software upgrade policies:

• The policy provides the NE with the location of the software image files on an FTP/SFTP server.

• Select the Forced Download check box on the Software Upgrade Policy (Create) form if you want to make the download forceful.

• The policy is configured with the SFTP transfer protocol specified; determine the following attributes for the transport protocol:

  1. SFTP User ID

  2. SFTP password

  3. Path to file storage location on the SFTP server

  4. Host fingerprint

Note: The file storage location path must be an absolute path from the / directory, and the SFTP user must have access to the location.

To determine a host fingerprint

Determine the version of SSH that NFM-P is using (RSA or ECDSA), using the following command:

ssh -v localhost 

Example 1: if the output of the command is:

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

The authenticity of host 'localhost (::1)' can't be established.

RSA key fingerprint is 89:57:0c:64:63:8c:70:b7:cb:6e:db:33:97:9b:25:32. [Note the host fingerprint varies from machine to machine] 

Are you sure you want to continue connecting (yes/no)? 
Use:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | sed 's/://g' | awk '{print $2}'

Example 2: if the output of the command is:

debug1: Server host key: ECDSA 71:1a:b1:4e:1c:66:06:0c:a4:bc:dd:c5:fc:29:b2:70

The authenticity of host 'localhost (::1)' can't be established.

ECDSA key fingerprint is 71:1a:b1:4e:1c:66:06:0c:a4:bc:dd:c5:fc:29:b2:70. [Note the host fingerprint varies from machine to machine] 

Are you sure you want to continue connecting (yes/no)? 
Use:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub | sed 's/://g' | awk '{print$2}'

Example 3: if the output of the command is:

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RRUksTgiJwIzJeSfs59dCkT+5+50nTs4YN8rLrCi9lM
The authenticity of host 'localhost (::1)' can't be established.

ECDSA key fingerprint is SHA256:RRUksTgiJwIzJeSfs59dCkT+5+50nTs4YN8rLrCi9lM. 

ECDSA key fingerprint is MD5:20:cb:e9:c8:9d:b3:67:99:48:3c:5d:67:7a:8a:85:f5.
Are you sure you want to continue connecting (yes/no)?
Use:

ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_ecdsa_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}

MSS-E/HE/XE and UBT-NIM nodes using Wavence Release 23 or earlier and all UBT-SA nodes support only RSA fingerprint for software download and backup operations. Use the following cipher algorithm to generate fingerprint, irrespective of higher preference algorithm (RSA or ECDSA) on the server:

ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_rsa_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}'

Note: For UBT-SA nodes, SSH server configuration (/etc/ssh/sshd_config) must contain following options. Ciphers: aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, 3des-cbc, arcfour128

MSS-E/HE/XE and UBT-NIM nodes using Wavence Release 23A or later support only ED25519 fingerprint for software download operation. Use the following cipher algorithm to generate fingerprint, irrespective of higher preference algorithm (RSA or ECDSA) on the server:

ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_ed25519_key.pub | sed 's/://g' | sed 's/MD5//g'| awk '{print$2}'