Check and configure firewalls

Before you attempt to deploy an NFM-P system, you must ensure that each firewall between NFM-P components allows the required traffic to pass between the components, or is disabled. You can configure and enable the firewall after the installation, if required.

Note: The RHEL firewalld service is typically enabled by default in a new RHEL OS installation.

Perform one of the following.

1. Configure each firewall to allow the required traffic to pass. See the NSP Planning Guide for a list of the ports that must be open on each component.

   Note: The RHEL firewalld service must be configured using the firewalld rules in the NSP Planning Guide, which describes using NFM-P templates for rule creation.

2. Disable each firewall; see the external firewall documentation, or perform To disable the RHEL firewalld service.

Add NFM-P to NSP configuration

Log in as the root or NSP admin user on the NSP deployer host.

Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

Configure the parameters in the integration section, nfmp subsection, as shown below:

Note: You must preserve the leading spaces in each line of the file.

Note: If the NFM-P system is standalone, you do not need to configure the standbyIp parameter.

Note: In the client section of samconfig on the NFM-P main servers, if the address for client access is set using the hostname parameter, the primaryIp and standbyIp values in the nfmp section of the NSP configuration file, nsp-config.yml, must be set to hostnames.

Likewise, if the public-ip parameter in the client section is configured on the main server, the primaryIp and standbyIp values in the nsp-config.yml file must be set to IP addresses.

 integrations:

   nfmp:

     primaryIp: "server_1_address"

     standbyIp: "server_2_address"

     tlsEnabled: value

where

server_1_address is the IP address of the standalone main server, or the primary main server in a redundant NFM-P system

server_2_address is the IP address of the standby main server in a redundant NFM-P system

value is true or false

If both of the following are true, configure the following parameters in the integrations section:

• The NSP system includes the NFM-P.

• The NFM-P main server and main database are on separate stations:

    nfmpDB:

      primaryIp: ""

      standbyIp: ""

If the NFM-P system includes one or more auxiliary servers, configure the following parameters in the integrations section:

    auxServer:

      primaryIpList: ""

      standbyIpList: ""

If the NFM-P includes an auxiliary database, enable the auxiliary database in the NSP configuration.

1. Locate the following section:

       auxDb:

         secure: "value"

         ipList: ""

         standbyIpList: ""

2. Edit the section to read as follows:

       auxDb:

         secure: "true"

         ipList: "cluster_1_IP1,cluster_1_IP2...cluster_1_IPn"

         standbyIpList: "cluster_2_IP1,cluster_2_IP2...cluster_2_IPn"

   where

   cluster_1_IP1, cluster_1_IP2...cluster_1_IPn are the external IP addresses of the stations in the local cluster

   cluster_2_IP1, cluster_2_IP2...cluster_2_IPn are the external IP addresses of the stations in the peer cluster; required only for geo-redundant deployment

Save and close the file.

Enter the following:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

# ./nspdeployerctl install --config --deploy ↵

The configuration update is put into effect.

Download installation files

Download the following installation files to an empty directory on the main server station:

• nsp-nfmp-jre-R.r.p-rel.v.rpm

• nsp-nfmp-config-R.r.p-rel.v.rpm

• nsp-nfmp-nspos-R.r.p-rel.v.rpm

• nsp-nfmp-main-server-R.r.p-rel.v.rpm

• nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm

where

R.r.p is the NSP release identifier, in the form MAJOR.minor.patch

v is a version identifier

Note: In subsequent steps, the directory is called the NFM-P software directory.

Perform one of the following.

1. For a collocated NFM-P deployment, download the following files to the NFM-P software directory on the station that hosts the main server and database:

   • nsp-nfmp-oracle-R.r.p-rel.v.rpm

   • nsp-nfmp-main-db-R.r.p-rel.v.rpm

2. For a distributed NFM-P deployment, download the following files to an empty directory on the main database station:

   • nsp-nfmp-jre-R.r.p-rel.v.rpm

   • nsp-nfmp-config-R.r.p-rel.v.rpm

   • nsp-nfmp-oracle-R.r.p-rel.v.rpm

   • nsp-nfmp-main-db-R.r.p-rel.v.rpm

   • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm

   Note: In subsequent steps, the directory is called the NFM-P software directory.

Transfer the following downloaded file to an empty directory on the main database station:

• OracleSw_PreInstall.sh

Install standalone database

Log in as the root user on the main database station.

Open a console window.

Navigate to the directory that contains the OracleSw_PreInstall.sh file.

Enter the following:

# chmod +x OracleSw_PreInstall.sh ↵

Enter the following:

# ./OracleSw_PreInstall.sh ↵

Note: A default value is displayed in brackets []. To accept the default, press ↵.

Note: If you specify a value other than the default, you must record the value for use when the OracleSw_PreInstall.sh script is run during a software upgrade, or when the Oracle management user information is required by technical support.

The following prompt is displayed:

This script will prepare the system for a new install/restore of an NFM-P Version Release main database.

Do you want to continue? [Yes/No]:

Enter Yes. The following prompt is displayed:

Enter the Oracle dba group name [group]:

Enter a group name.

Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default.

The following messages and prompt are displayed:

Creating group group if it does not exist...

done

Enter the Oracle user name:

Enter a username.

Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default.

The following messages and prompt are displayed:

Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].

Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...

Checking user username...

Adding username...

Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.

About to unlock the UNIX user [username]

Unlocking password for user username.

passwd: Success

Unlocking the UNIX user [username] completed

Please assign a password to the UNIX user username ..

New Password:

Enter a password. The following prompt is displayed:

Re-enter new Password:

Re-enter the password. The following is displayed if the password change is successful:

passwd: password successfully changed for username

The following message and prompt are displayed:

Specify whether an NFM-P Main Server will be installed on this workstation.

The database memory requirements will be adjusted to account for the additional load.

Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:

Enter Yes or No, as required.

Messages like the following are displayed as the script execution completes:

INFO: About to set kernel parameters in /etc/sysctl.conf...

INFO: Completed setting kernel parameters in /etc/sysctl.conf...

INFO: About to change the current values of the kernel parameters

INFO: Completed changing the current values of the kernel parameters

INFO: About to set ulimit parameters in /etc/security/limits.conf...

INFO: Completed setting ulimit parameters in /etc/security/limits.conf...

INFO: Completed running Oracle Pre-Install Tasks

When the script execution is complete, enter the following to reboot the main database station:

# systemctl reboot ↵

The station reboots.

When the reboot is complete, log in as the root user on the main database station.

Open a console window.

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.

Enter the following:

# chmod +x * ↵

Enter the following:

# dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!

Enter the following:

# samconfig -m db ↵

The following is displayed:

Start processing command line inputs...

<db>

Enter the following:

<db> show-detail ↵

The database configuration is displayed.

To configure one or more parameters, enter the following; otherwise, go to Step 39:

<db> configure ↵

The prompt changes to <db configure>.

As required, configure the general parameters in the following table.

Note: The instance parameter is configurable only during database creation.

Table 14-3: Standalone database parameters, general

If required, configure one or more passwords parameters in the following table, and then enter back ↵.

Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.

Table 14-4: Standalone database parameters —

passwords

A password must:

• be between 4 and 30 characters long

• contain at least three of the following:

  • lower-case alphabetic character

  • upper-case alphabetic character

  • numeric character

  • special character, which is one of the following: # $ _

• not contain four or more of the same character type in sequence

• not be the same as the user name, or the reverse of the user name

• not contain a space character

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.

Note: For security reasons, it is strongly recommended that you enable IP validation.

Note: You must configure the remote-servers parameter if the deployment includes any of the following:

• auxiliary servers

• NSP Flow Collectors

• NSP Analytics

Table 14-5: Standalone database parameters —

ip-validation

To enable the forwarding of NFM-P system metrics to the NSP; configure the parameters in the following table, and then enter back ↵.

Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.

Table 14-6: Standalone database parameters —

tls

Verify the database configuration.

1. Enter the following:

   <db configure> show-detail ↵

   The database configuration is displayed.

2. Review each parameter to ensure that the value is correct.

3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

4. When you are certain that the configuration is correct, enter the following:

   <db configure> back ↵

   The prompt changes to <db>.

Enter the following to begin the database creation:

<db> apply ↵

The database creation begins, and progress messages are displayed.

The following is displayed when the database creation is complete:

DONE

db configurations updated.

When the database creation is complete, enter the following:

<db> exit ↵

The samconfig utility closes.

It is recommended that as a security measure, you limit the number of database user login failures that the NFM-P allows before the database user account is locked; see the NFM-P database management procedures in the NSP System Administrator Guide for more information.

Install standalone main server

Log in as the root user on the main server station.

Open a console window.

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.

Enter the following:

# chmod +x * ↵

Enter the following:

# dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!

The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.

If this is the first installation of an NFM-P main or auxiliary server on the station, change the nsp password.

1. Enter the following:

   # passwd nsp ↵

   The following prompt is displayed:

   New Password:

2. Enter a password.

   The following prompt is displayed:

   Confirm Password:

3. Re-enter the password.

4. Record the password and store it in a secure location.

If you are using the manual TLS deployment method, generate and distribute the required TLS files for the system, as described in To generate custom TLS certificate files for the NSP.

Enter the following:

# samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 

Enter the following:

<main> configure ↵

The prompt changes to <main configure>.

Enter the following:

<main configure> show-detail ↵

The main server configuration is displayed.

As required, configure the general parameters in the following table.

Table 14-7: Standalone main server parameters, general

As required, configure the client parameters in the following table, and then enter back ↵.

Table 14-8: Standalone main server parameters —

client

As required, configure the database parameters in the following table, and then enter back ↵.

Note: The NFM-P uses the database backup settings to initialize the database during installation only. To change the backup settings after installation, you must use the Database Manager form in the NFM-P client GUI, as described in the NSP System Administrator Guide.

Table 14-9: Standalone main server parameters —

database

If the NFM-P system is to include auxiliary servers, configure the aux parameters in the following table, and then enter back ↵.

Note: At least one auxiliary server that you specify must be a Preferred auxiliary server.

Table 14-10: Standalone main server parameters —

aux

As required, configure the mediation parameters in the following table, and then enter back ↵.

Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.

Table 14-11: Standalone main server parameters —

mediation

Configure the tls parameters in the following table, and then enter back ↵.

Table 14-12: Standalone main server parameters —

tls

As required, configure the oss parameters in the following table, and then enter back ↵.

Note: The parameters are configurable only if no auxiliary servers are specified in Step 56. Otherwise, OSS access is restricted to the auxiliary servers, which require the configuration of OSS access parameters during installation.

Table 14-13: Standalone main server parameters —

oss

If the NSP deployment includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.

Table 14-14: Standalone main server parameters —

auxdb

As required, configure the aa-stats parameters in the following table, and then enter back ↵.

Table 14-15: Standalone main server parameters —

aa-stats

Configure the nspos parameters in the following table, and then enter back ↵.

Table 14-16: Standalone main server parameters —

nspos

Configure the remote-syslog parameters in the following table, and then enter back ↵.

Table 14-17: Standalone main server parameters —

remote-syslog

Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.

Table 14-18: Standalone main server parameters —

server-logs-to-remote-syslog

If the NFM-P deployment includes the 1830 SMS netHSM, configure the hsm parameters in the following table; otherwise, go to Step 67.

Table 14-19: Standalone main server parameters —

hsm

By default, the NFM-P generates TLS authentication files for web-client access to the NFM-P HSM server.

If you want to provide your own TLS authentication files, configure the twoway HSM parameters in the following table, and then enter back ↵.

Table 14-20: Standalone main server parameters —

hsm, twoway

Enter back ↵.

The prompt changes to <main configure>.

Verify the main server configuration.

1. Enter the following:

   <main configure> show-detail ↵

   The main server configuration is displayed.

2. Review each parameter to ensure that the value is correct.

3. Configure one or more parameters, if required.

4. When you are certain that the configuration is correct, enter the following:

   <main configure> back ↵

   The prompt changes to <main>.

Enter the following:

<main> apply ↵

The configuration is applied.

Enter the following:

<main> exit ↵

The samconfig utility closes.

To enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.

Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.

1. Enter the following:

   # samconfig -m main ↵

   The following is displayed:

   Start processing command line inputs...

   <main> 

2. Enter the following:

   # configure nspos mtls-kafka-enabled back ↵

3. Enter the following:

   <main> apply ↵

   The configuration is applied.

4. Enter the following:

   <main> exit ↵

   The samconfig utility closes.

Enable Windows Active Directory access

If you intend to use Windows Active Directory, or AD, for single sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 81.

Open the following file as a reference for use in subsequent steps:

/opt/nsp/os/install/examples/config.yml

Note: Consider the following.

• The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.

• Windows AD supports the following LDAP server types for remote authentication:

  AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.

  AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager RESTCONF API.

Locate the section that begins with the following lines:

#   ldap:

#     enabled: true

#     servers:

#       - type: AUTHENTICATED/AD/ANONYMOUS

#         url: ldaps://ldap.example.com:636

#         security: SSL/STARTTLS/NONE

Open the following file using a plain-text editor such as vi:

/opt/nsp/os/install/config.json

Locate the section that begins with the following line:

"sso": {

The section has one subsection for each type of SSO access.

Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.

In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.

The following example shows the LDAP configuration for two AD servers:

    "ldap": {

      "enabled": true,

      "servers": [

        {

          "type": "auth_type",

          "url": "ldaps://server1:port",

          "server1_parameter_1": "value",

          "server1_parameter_2": "value",

          .

          .

          "server1_parameter_n": "value",

          },

        {

          "type": "auth_type",

          "url": "ldaps://server2:port",

          "server2_parameter_1": "value",

          "server2_parameter_2": "value",

          .

          .

          "server2_parameter_n": "value",

          },

      }]

    }

where auth_type is AD or AUTHENTICATED

Save and close the files.

Enter the following:

# samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 

Enter the following:

<main> apply ↵

The AD LDAP configuration is applied.

Enter the following:

<main> exit ↵

The samconfig utility closes.

Start standalone main server

Start the main server.

Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license; see the NSP System Administrator Guide for information about importing a license.

1. Log in as the nsp user on the main server station.

2. Open a console window.

3. Enter the following:

   bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

4. Enter the following:

   bash$ ./nmsserver.bash start ↵

5. Enter the following:

   bash$ ./nmsserver.bash appserver_status ↵

   The server status is displayed; the server is fully initialized if the status is the following:

   Application Server process is running.  See nms_status for more detail.

   If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.

If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, you must add the LDAP server bind credentials to the NSP security configuration.

Use the NSP Session Manager RESTCONF API to add the bind credentials; see the Network Developer Portal for information.

Specify the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.

1. Enter the following:

   bash$ ./nmsdeploytool.bash clientmem -option ↵

   where option is one of the following:

   • m—medium, for management of limited-scale network

   • l—large, for a network of 15 000 or more NEs

2. Record the setting, which is not preserved through an upgrade, for future use.

3. Enter the following to commit the configuration change:

   bash$ ./nmsdeploytool.bash deploy ↵

Close the console window.

Install optional components

Install and enable one or more auxiliary servers, if required; see Auxiliary server installation.

Install and enable an auxiliary database, if required; see NSP auxiliary database installation.

Install GUI clients

Install NFM-P single-user GUI clients or client delegate servers, as required; see the following for information:

• NFM-P single-user GUI client installation

• NFM-P client delegate server installation

See the NSP NFM-P User Guide for information about using the NFM-P GUI.

Configure and enable firewalls

If you intend to use any firewalls between the NFM-P components, and the firewalls are disabled, configure and enable each required firewall.

Perform one of the following.

1. Configure each external firewall to allow the required traffic using the port assignments in the NSP Planning Guide, and enable the firewall.

2. Configure and enable firewalld on each component station, as required.

   1. Use an NFM-P template to create the firewalld rules for the component, as described in the NSP Planning Guide.

   2. Log in to the station as the root user.

   3. Open a console window.

   4. Enter the following:

      # systemctl enable firewalld ↵

   5. Enter the following:

      # systemctl start firewalld ↵

   6. Close the console window.

End of steps