To install a redundant NFM-P system

Description

The following steps describe how to install a collocated or distributed NFM-P system in a redundant configuration. The steps also include information about installing optional NFM-P components.

Ensure that you record the information that you specify, for example, directory names, passwords, and IP addresses.

Note: You require root user privileges on the main database and main server stations.

Note: Performing the procedure creates the following user accounts:

Note: The following RHEL CLI prompts in command lines denote the active user, and are not to be included in typed commands:

Steps
Check and configure firewalls
 

Before you attempt to deploy an NFM-P system, you must ensure that each firewall between NFM-P components allows the required traffic to pass between the components, or is disabled. You can configure and enable the firewall after the installation, if required.

Note: The RHEL firewalld service is typically enabled by default in a new RHEL OS installation.

Perform one of the following.

  1. Configure each firewall to allow the required traffic to pass. See the NSP Planning Guide for a list of the ports that must be open on each component.

    Note: The RHEL firewalld service must be configured using the firewalld rules in the NSP Planning Guide, which describes using NFM-P templates for rule creation.

  2. Disable each firewall; see the external firewall documentation, or perform the procedure "To disable the RHEL firewalld service".


Add NFM-P to NSP configuration
 

Log in as the root or NSP admin user on the NSP deployer host.


Perform Step 5 to Step 11 in each data center.


Go to Step 12.


Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml


Configure the parameters in the integration section, nfmp subsection, as shown below:

Note: You must preserve the leading spaces in each line of the file.

Note: If the NFM-P system is standalone, you do not need to configure the standbyIp parameter.

Note: In the client section of samconfig on the NFM-P main servers, if the address for client access is set using the hostname parameter, the primaryIp and standbyIp values in the nfmp section of the NSP configuration file, nsp-config.yml, must be set to hostnames.

Likewise, if the public-ip parameter in the client section is configured on the main server, the primaryIp and standbyIp values in the nsp-config.yml file must be set to IP addresses.

 integrations:

   nfmp:

     primaryIp: "server_1_address"

     standbyIp: "server_2_address"

     tlsEnabled: value

where

server_1_address is the IP address of the standalone main server, or the primary main server in a redundant NFM-P system

server_2_address is the IP address of the standby main server in a redundant NFM-P system

value is true or false


If both of the following are true, configure the following parameters in the integrations section:

  • The NSP system includes the NFM-P.

  • The NFM-P main server and main database are on separate stations:

    nfmpDB:

      primaryIp: ""

      standbyIp: ""


If the NFM-P system includes one or more auxiliary servers, configure the following parameters in the integrations section:

    auxServer:

      primaryIpList: ""

      standbyIpList: ""


If the NFM-P includes an auxiliary database, enable the auxiliary database in the NSP configuration.

  1. Locate the following section:

        auxDb:

          secure: "value"

          ipList: ""

          standbyIpList: ""

  2. Edit the section to read as follows:

        auxDb:

          secure: "true"

          ipList: "cluster_1_IP1,cluster_1_IP2...cluster_1_IPn"

          standbyIpList: "cluster_2_IP1,cluster_2_IP2...cluster_2_IPn"

    where

    cluster_1_IP1, cluster_1_IP2...cluster_1_IPn are the external IP addresses of the stations in the local cluster

    cluster_2_IP1, cluster_2_IP2...cluster_2_IPn are the external IP addresses of the stations in the peer cluster; required only for geo-redundant deployment


10 

Save and close the file.


11 

Enter the following:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

./nspdeployerctl install --config --deploy ↵

The configuration update is put into effect.


Download installation files
 
12 

Download the following installation files to an empty directory on each main server station:

  • nsp-nfmp-jre-R.r.p-rel.v.rpm

  • nsp-nfmp-config-R.r.p-rel.v.rpm

  • nsp-nfmp-nspos-R.r.p-rel.v.rpm

  • nsp-nfmp-main-server-R.r.p-rel.v.rpm

  • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm

where

R.r.p is the NSP release identifier, in the form MAJOR.minor.patch

v is a version identifier

Note: In subsequent steps, the directory is called the NFM-P software directory.


13 

Perform one of the following.

  1. For a collocated NFM-P deployment, download the following files to the NFM-P software directory on each station that hosts a main server and database:

    • nsp-nfmp-oracle-R.r.p-rel.v.rpm

    • nsp-nfmp-main-db-R.r.p-rel.v.rpm

  2. For a distributed NFM-P deployment, download the following files to an empty directory on each main database station:

    • nsp-nfmp-jre-R.r.p-rel.v.rpm

    • nsp-nfmp-config-R.r.p-rel.v.rpm

    • nsp-nfmp-oracle-R.r.p-rel.v.rpm

    • nsp-nfmp-main-db-R.r.p-rel.v.rpm

    • nsp-nfmp-nodeexporter-R.r.p-rel.v.rpm

    Note: In subsequent steps, the directory is called the NFM-P software directory.


14 

Transfer the following downloaded file to an empty directory on each main database station:

  • OracleSw_PreInstall.sh


Install primary database
 
15 

Log in as the root user on the primary main database station.


16 

Open a console window.


17 

Navigate to the directory that contains the OracleSw_PreInstall.sh file.


18 

Enter the following:

chmod +x OracleSw_PreInstall.sh ↵


19 

Enter the following:

./OracleSw_PreInstall.sh ↵

Note: A default value is displayed in brackets []. To accept the default, press ↵.

Note: If you specify a value other than the default, you must record the value for use when the OracleSw_PreInstall.sh script is run during a software upgrade, or when the Oracle management user information is required by technical support.

The following prompt is displayed:

This script will prepare the system for a new install/restore of an NFM-P Version Release main database.

Do you want to continue? [Yes/No]: 


20 

Enter Yes. The following prompt is displayed:

Enter the Oracle dba group name [group]:


21 

Enter a group name.

Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default for this parameter.

The following messages and prompt are displayed:

Creating group group if it does not exist...

done

Enter the Oracle user name:


22 

Enter a username.

Note: To reduce the complexity of subsequent software upgrades and technical support activities, it is recommended that you accept the default.

The following messages and prompt are displayed:

Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].

Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...

Checking user username...

Adding username...

Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.

About to unlock the UNIX user [username]

Unlocking password for user username.

passwd: Success

Unlocking the UNIX user [username] completed

Please assign a password to the UNIX user username ..

New Password:


23 

Enter a password. The following prompt is displayed:

Re-enter new Password:


24 

Re-enter the password. The following is displayed if the password change is successful:

passwd: password successfully changed for username

The following message and prompt are displayed:

Specify whether an NFM-P Main Server will be installed on this workstation.

The database memory requirements will be adjusted to account for the additional load.

Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:


25 

Enter Yes or No, as required.

Messages like the following are displayed as the script execution completes:

INFO: About to set kernel parameters in /etc/sysctl.conf...

INFO: Completed setting kernel parameters in /etc/sysctl.conf...

INFO: About to change the current values of the kernel parameters

INFO: Completed changing the current values of the kernel parameters

INFO: About to set ulimit parameters in /etc/security/limits.conf...

INFO: Completed setting ulimit parameters in /etc/security/limits.conf...

INFO: Completed running Oracle Pre-Install Tasks


26 

When the script execution is complete, enter the following to reboot the primary main database station:

systemctl reboot ↵

The station reboots.


27 

When the reboot is complete, log in as the root user on the primary main database station.


28 

Open a console window.


29 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


30 

Enter the following:

chmod +x * ↵


31 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


32 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!


33 

Enter the following:

samconfig -m db ↵

The following is displayed:

Start processing command line inputs...

<db> 


34 

Enter the following:

<db> show-detail ↵

The primary database configuration is displayed.


35 

Enter the following:

<db> configure ↵

The prompt changes to <db configure>.


36 

As required, configure the general parameters in the following table.

Note: The instance parameter is configurable only during database creation.

Table 14-21: Primary database parameters, general

Parameter

Description

ip

Primary database IP address

Default: IP address of primary network interface

instance

Primary database instance name, which must:

  • contain 8 or fewer characters

  • consist of ASCII characters only

  • have a letter as the first character

Default: maindb1


37 

Configure the redundant parameters in the following table, and then enter back ↵.

Note: The instance parameter is configurable only during database creation.

Table 14-22: Primary database parameters — redundant

Parameter

Description

ip

Standby database IP address

Default: —

instance

Standby database instance name, which must:

  • contain 8 or fewer characters

  • consist of ASCII characters only

  • have a letter as the first character

Default: maindb2


38 

If required, configure one or more passwords parameters in the following table, and then enter back ↵.

Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.

Table 14-23: Primary database parameters — passwords

Parameter

Description

user

Database user password

Default: available from technical support

sys

Oracle SYS user password

Default: available from technical support

A password must:

  • be between 4 and 30 characters long

  • contain at least three of the following:

    • lower-case alphabetic character

    • upper-case alphabetic character

    • numeric character

    • special character, which is one of the following: # $ _

  • not contain four or more of the same character type in sequence

  • not be the same as the user name, or the reverse of the user name

  • not contain a space character


39 

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.

Note: For security reasons, it is strongly recommended that you enable IP validation.

Note: You must configure the remote-servers parameter if the deployment includes any of the following:

  • auxiliary servers

  • NSP Flow Collectors

  • NSP Analytics

Table 14-24: Primary database parameters — ip-validation

Parameter

Description

main-one

IP address of primary main server

Configuring the parameter enables IP validation.

Default: —

main-two

IP address of standby main server

Default: —

remote-servers

Comma-separated list of the following:

  • auxiliary server IP addresses

  • For NSP Flow Collectors, the following in the flowForwarder section of the NSP cluster configuration file, nsp-config.yml:

    • if configured, the advertisedV4 and advertisedV6 values

    • otherwise, the virtualIpV4 and virtualIpV6 values

  • For NSP Analytics:

    • If the NSP cluster uses separate client, mediation and internal interfaces, the private IP address of the internal interface on each NSP cluster node

    • If the NSP cluster uses one interface for all communication, the private IP address of each NSP cluster node

Default: —


40 

To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.

Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.

Table 14-25: Primary database parameters — tls

Parameter

Description

keystore-pass

The TLS keystore password

Default: available from technical support

pki-server

One of the following in the platform > ingressApplications > ingressController section of the nsp-config.yml file on the local NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

You must configure the parameter.

Default: —

pki-server-port

The TCP port on which the PKI server listens for and services requests

Default: 80


41 

Verify the database configuration.

  1. Enter the following:

    <db configure> show-detail ↵

    The database configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <db configure> back ↵

    The prompt changes to <db>.


42 

Enter the following to begin the database creation:

<db> apply ↵

The database creation begins, and progress messages are displayed.

The following is displayed when the database creation is complete:

DONE

db configurations updated.


43 

When the database creation is complete, enter the following:

<db> exit ↵

The samconfig utility closes.


44 

It is recommended that as a security measure, you limit the number of database user login failures that the NFM-P allows before the database user account is locked; see the NSP System Administrator Guide for information.


Install standby database
 
45 

Log in as the root user on the standby main database station.


46 

Open a console window.


47 

Navigate to the directory that contains the OracleSw_PreInstall.sh file.


48 

Enter the following:

chmod +x OracleSw_PreInstall.sh ↵


49 

Enter the following:

./OracleSw_PreInstall.sh ↵

Note: A default value is displayed in brackets []. To accept the default, press ↵.

Note: If you specify a value other than the default, you must record the value for use when the OracleSw_PreInstall.sh script is run during a software upgrade, or when the Oracle management user information is required by technical support.

The following prompt is displayed:

This script will prepare the system for a new install/restore of an NFM-P Version Release main database.

Do you want to continue? [Yes/No]: 


50 

Enter Yes. The following prompt is displayed:

Enter the Oracle dba group name [group]:


51 

Enter a group name.

Note: The group name must match the group name specified during the primary database installation.

The following messages and prompt are displayed:

Creating group group if it does not exist...

done

Enter the Oracle user name:


52 

Enter a username.

Note: The username must match the username specified during the primary database installation.

The following messages and prompt are displayed:

Oracle user [username] new home directory will be [/opt/nsp/nfmp/oracle19].

Checking or Creating the Oracle user home directory /opt/nsp/nfmp/oracle19...

Checking user username...

Adding username...

Changing ownership of the directory /opt/nsp/nfmp/oracle19 to username:group.

About to unlock the UNIX user [username]

Unlocking password for user username.

passwd: Success

Unlocking the UNIX user [username] completed

Please assign a password to the UNIX user username ..

New Password:


53 

Enter a password.

Note: The password must match the password specified during the primary database installation.

The following prompt is displayed:

Re-enter new Password:


54 

Re-enter the password. The following is displayed if the password change is successful:

passwd: password successfully changed for username

The following message and prompt are displayed:

Specify whether an NFM-P Main Server will be installed on this workstation.

The database memory requirements will be adjusted to account for the additional load.

Will the database co-exist with an NFM-P Main Server on this workstation [Yes/No]:


55 

Enter Yes or No, as required.

Messages like the following are displayed as the script execution completes:

INFO: About to set kernel parameters in /etc/sysctl.conf...

INFO: Completed setting kernel parameters in /etc/sysctl.conf...

INFO: About to change the current values of the kernel parameters

INFO: Completed changing the current values of the kernel parameters

INFO: About to set ulimit parameters in /etc/security/limits.conf...

INFO: Completed setting ulimit parameters in /etc/security/limits.conf...

INFO: Completed running Oracle Pre-Install Tasks


56 

When the script execution is complete, enter the following to reboot the standby main database station:

systemctl reboot ↵

The station reboots.


57 

When the reboot is complete, log in as the root user on the standby main database station.


58 

Open a console window.


59 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


60 

Enter the following:

chmod +x * ↵


61 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


62 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!


63 

Enter the following:

samconfig -m db ↵

The following is displayed:

Start processing command line inputs...

<db> 


64 

Enter the following:

<db> configure type standby ↵

The prompt changes to <db configure>.


65 

If required, configure the ip parameter; enter the following:

Note: The default is the IP address of the primary network interface on the station.

<db configure> ip address

where address is the IP address of this database


66 

Enter the following:

<db configure> redundant ip address

where address is the IP address of the primary database

The prompt changes to <db configure redundant>.


67 

Enter the following, and then enter back ↵:

<db configure redundant> instance instance_name

where instance_name is the primary database instance name


68 

If required, configure one or more passwords parameters in the following table, and then enter back ↵.

Note: After you save the configuration, you cannot use samconfig to change a database password; you must use the method described in the NSP System Administrator Guide.

Table 14-26: Standby database parameters — passwords

Parameter

Description

user

Database user password; the password must match the password specified during the primary database installation

Default: available from technical support

sys

Oracle SYS user password; the password must match the password specified during the primary database installation

Default: available from technical support


69 

To enable IP validation, which restricts the server components that have access to the main database, configure the parameters in the following table, and then enter back ↵.

Note: For security reasons, it is strongly recommended that you enable IP validation.

Note: You must configure the remote-servers parameter if the deployment includes any of the following:

  • auxiliary servers

  • NSP Flow Collectors

  • NSP Analytics

Table 14-27: Standby database parameters — ip-validation

Parameter

Description

main-one

IP address of primary main server

Configuring the parameter enables IP validation.

Default: —

main-two

IP address of standby main server

Default: —

remote-servers

Comma-separated list of the following:

  • auxiliary server IP addresses

  • For NSP Flow Collectors, the following in the flowForwarder section of the NSP cluster configuration file, nsp-config.yml:

    • if configured, the advertisedV4 and advertisedV6 values

    • otherwise, the virtualIpV4 and virtualIpV6 values

  • For NSP Analytics:

    • If the NSP cluster uses separate client, mediation and internal interfaces, the private IP address of the internal interface on each NSP cluster node

    • If the NSP cluster uses one interface for all communication, the private IP address of each NSP cluster node

Default: —
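
The following is an added example, not part of the Nokia documentation, that assembles the remote-servers value for Tables 14-24 and 14-27 from the sources listed above and audits an existing value for entries that no component accounts for. It assumes the flowForwarder values are passed as a flat mapping, applies the advertised-else-virtual rule per address family, and rejects hostnames, prefixes, and unspecified, loopback or multicast addresses; the function names are hypothetical.

```python
"""Build and audit the ip-validation remote-servers list (added example)."""
import ipaddress


def normalize(addr):
    """Return the canonical text form of one IP literal, or raise ValueError."""
    ip = ipaddress.ip_address(addr.strip())  # hostnames and CIDR prefixes fail here
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"{addr!r} cannot identify a single remote server")
    return str(ip)


def flow_collector_addresses(flow_forwarder):
    """advertisedV4/V6 if configured, otherwise virtualIpV4/V6.

    Assumption of this example: the fallback is applied per address family,
    and an empty string means "not configured".
    """
    picked = []
    for advertised, virtual in (("advertisedV4", "virtualIpV4"),
                                ("advertisedV6", "virtualIpV6")):
        value = flow_forwarder.get(advertised) or flow_forwarder.get(virtual)
        if value:
            picked.append(value)
    return picked


def expected_remote_servers(aux_servers=(), flow_forwarder=None, analytics_nodes=()):
    """Ordered, de-duplicated list of addresses that need database access."""
    sources = (list(aux_servers)
               + flow_collector_addresses(flow_forwarder or {})
               + list(analytics_nodes))
    result = []
    for addr in sources:
        ip = normalize(addr)
        if ip not in result:
            result.append(ip)
    return result


def audit_remote_servers(configured_value, expected):
    """Compare a configured comma-separated value with the expected list."""
    configured, invalid = [], []
    for part in configured_value.split(","):
        if not part.strip():
            continue
        try:
            configured.append(normalize(part))
        except ValueError:
            invalid.append(part.strip())
    return {
        "missing": [ip for ip in expected if ip not in configured],
        # Entries nothing accounts for widen access to the main database.
        "unexpected": [ip for ip in configured if ip not in expected],
        "invalid": invalid,
    }


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    expected = expected_remote_servers(
        aux_servers=["192.0.2.21", "192.0.2.22"],
        flow_forwarder={"advertisedV4": "198.51.100.5", "advertisedV6": "",
                        "virtualIpV4": "10.0.0.5", "virtualIpV6": "2001:db8::5"},
        analytics_nodes=["10.1.1.11", "10.1.1.12"],
    )
    print("remote-servers", ",".join(expected))
    print(audit_remote_servers("192.0.2.21,203.0.113.77", expected))
```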


70 

To enable the forwarding of NFM-P system metrics to the NSP, configure the parameters in the following table, and then enter back ↵.

Note: The parameters are required only for a distributed main database, so are not shown or configurable if the main server and database are collocated.

Table 14-28: Standby database parameters — tls

Parameter

Description

keystore-pass

The TLS keystore password

Default: available from technical support

pki-server

One of the following in the platform > ingressApplications > ingressController section of the nsp-config.yml file on the local NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

You must configure the parameter.

Default: —

pki-server-port

The TCP port on which the PKI server listens for and services requests

Default: 80


71 

Verify the database configuration.

  1. Enter the following:

    <db configure> show-detail ↵

    The database configuration is displayed.

    Note: The instance value is not set until the database is reinstantiated later in the procedure.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required; see NFM-P samconfig utility for information about using the samconfig utility.

  4. When you are certain that the configuration is correct, enter the following:

    <db configure> back ↵

    The prompt changes to <db>.


72 

Enter the following to begin the database creation:

<db> apply ↵

The database creation begins, and progress messages are displayed.

The following is displayed when the database creation is complete:

DONE

db configurations updated.


73 

When the database creation is complete, enter the following:

<db> exit ↵

The samconfig utility closes.


Install primary main server
 
74 

Log in as the root user on the primary main server station.


75 

Open a console window.


76 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


77 

Enter the following:

chmod +x * ↵


78 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


79 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!
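
Because chmod +x * and dnf install *.rpm act on everything in the NFM-P software directory, the check below confirms before either command is run as root that the directory holds exactly the packages listed in the download steps for the station role. It is an added example, not Nokia tooling. The role labels, the character set accepted for v, and the rejection of a group- or world-writable directory are assumptions of this example.

```python
"""Pre-flight check of an NFM-P software directory (added example)."""
import re
import sys
from pathlib import Path

# Package sets from the download steps on this page, keyed by station role.
# The role names are labels chosen for this example.
EXPECTED = {
    "main-server": {"jre", "config", "nspos", "main-server", "nodeexporter"},
    "collocated": {"jre", "config", "nspos", "main-server", "nodeexporter",
                   "oracle", "main-db"},
    "main-db": {"jre", "config", "oracle", "main-db", "nodeexporter"},
}

# nsp-nfmp-<component>-R.r.p-rel.v.rpm; the characters allowed in v are an assumption.
NAME_RE = re.compile(
    r"^nsp-nfmp-(?P<comp>[a-z-]+)-(?P<rel>\d+\.\d+\.\d+)"
    r"-rel\.(?P<ver>[0-9A-Za-z_.]+)\.rpm$"
)


def check_software_dir(directory, role):
    """Return a list of problems; an empty list means the directory is clean."""
    expected = EXPECTED[role]
    root = Path(directory)
    problems = []
    # Another account could drop a file here between the check and the install.
    if root.stat().st_mode & 0o022:
        problems.append("directory is writable by group or others")
    seen = {}         # component -> file name
    releases = set()  # R.r.p values of the accepted packages
    for entry in sorted(root.iterdir()):
        match = NAME_RE.match(entry.name)
        if entry.is_symlink() or not entry.is_file():
            problems.append(f"not a regular file: {entry.name}")
        elif match is None:
            # Would be made executable by chmod +x *, and installed if it ends in .rpm.
            problems.append(f"unexpected file: {entry.name}")
        elif match["comp"] not in expected:
            problems.append(f"package not listed for role {role}: {entry.name}")
        elif match["comp"] in seen:
            problems.append(f"duplicate package for {match['comp']}: {entry.name}")
        else:
            seen[match["comp"]] = entry.name
            releases.add(match["rel"])
    for comp in sorted(expected - set(seen)):
        problems.append(f"missing package: nsp-nfmp-{comp}")
    if len(releases) > 1:
        problems.append("mixed releases: " + ", ".join(sorted(releases)))
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in EXPECTED:
        sys.exit("usage: check_dir.py DIRECTORY {" + "|".join(EXPECTED) + "}")
    found = check_software_dir(sys.argv[1], sys.argv[2])
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```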


80 

The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.

If this is the first installation of an NFM-P main or auxiliary server on the station, change the nsp password.

  1. Enter the following:

    passwd nsp ↵

    The following prompt is displayed:

    New Password:

  2. Enter a password.

    The following prompt is displayed:

    Confirm Password:

  3. Re-enter the password.

  4. Record the password and store it in a secure location.


81 

If you are using the manual TLS deployment method, generate and distribute the required TLS files for the system.


82 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


83 

Enter the following:

<main> configure ↵

The prompt changes to <main configure>.


84 

As required, configure the general parameters in the following table.

Table 14-29: Primary main server parameters, general

Parameter

Description

ip

The primary main server IP address

Default: IP address of primary network interface

domain

The NFM-P system identifier

Default: NFM-P

initial-admin-passwd

The NSP admin user password

It is strongly recommended that you change the password from the default; if you choose not to configure the parameter, the default password remains in effect.

The parameter is configurable only during a main server installation.

Note: The NFM-P uses the password configured on the first main server that initializes after the installation.

A password must:

  • be a minimum of 8 characters

  • contain at least three of the following:

    • lower-case alphabetic character

    • upper-case alphabetic character

    • numeric character

    • special character, which is one of the following: ( ) ? ~ ! @ # $ & * _ +

  • not contain more than three consecutive instances of the same character

license

Absolute path of NFM-P license zip file

You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file, or import a license, as described in the NSP System Administrator Guide.

Default: —

fips

Whether FIPS security is enabled for network management

See Enabling FIPS security for NFM-P network management for information about using FIPS security.

Default: false
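
The two password rule sets on this page (the database user and sys passwords of Table 14-23, and initial-admin-passwd above) differ in length limits, special characters and repetition rules, so a password that satisfies one can fail the other. The pre-check below is an added example, not part of samconfig or the Nokia documentation. It assumes that "character type" means lower case, upper case, numeric or special, and that "in sequence" means adjacent characters; the policy and function names are hypothetical.

```python
"""Offline pre-check of candidate passwords against this page's rules (added example)."""
import string
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: Optional[int]       # None: the page states no upper bound
    specials: str                # characters the page counts as "special"
    max_type_run: Optional[int]  # longest allowed run of one character type
    max_char_run: Optional[int]  # longest allowed run of one repeated character
    forbid_space: bool
    check_username: bool


# Table 14-23: database "user" and "sys" passwords.
DB_POLICY = Policy(4, 30, "#$_", 3, None, True, True)
# Table 14-29: initial-admin-passwd.
ADMIN_POLICY = Policy(8, None, "()?~!@#$&*_+", None, 3, False, False)


def char_type(ch: str, specials: str) -> Optional[str]:
    """Classify one character; None means it belongs to none of the four types."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in specials:
        return "special"
    return None


def violations(password: str, policy: Policy, username: str = "") -> List[str]:
    """Return the codes of the rules the password breaks (empty list = passes)."""
    found = []
    too_long = policy.max_len is not None and len(password) > policy.max_len
    if len(password) < policy.min_len or too_long:
        found.append("length")
    types = [char_type(ch, policy.specials) for ch in password]
    if len({t for t in types if t}) < 3:
        found.append("classes")
    if policy.max_type_run is not None:
        # Assumption: "four or more of the same character type in sequence"
        # means four adjacent characters of one type, for example "abcd".
        longest = max((len(list(g)) for t, g in groupby(types) if t), default=0)
        if longest > policy.max_type_run:
            found.append("type-run")
    if policy.max_char_run is not None:
        longest = max((len(list(g)) for _, g in groupby(password)), default=0)
        if longest > policy.max_char_run:
            found.append("char-run")
    if policy.forbid_space and " " in password:
        found.append("space")
    if policy.check_username and username and password in (username, username[::-1]):
        found.append("username")
    return found


if __name__ == "__main__":
    # Constructed sample values; "oracle" is a placeholder user name.
    for sample in ("Ab1#Cd2$", "Passw0rd!", "Aaaaa1!x"):
        print(sample,
              "db:", violations(sample, DB_POLICY, "oracle") or "ok",
              "admin:", violations(sample, ADMIN_POLICY) or "ok")
```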


85 

As required, configure the client parameters in the following table, and then enter back ↵.

Table 14-30: Primary main server parameters — client

Parameter

Description

nat

Whether NAT is used between the main servers and the GUI and XML API clients

Default: false

hostname

The primary main server hostname, if NFM-P components are to use hostnames, rather than IP addresses, for communication with the main servers

You must configure the parameter if one of the following is true:

  • The main server is to use multiple interfaces for GUI and XML API client communication.

  • NFM-P clients are to connect to the main server using IPv4 and IPv6 interfaces.

  • NAT is used.

  • The NFM-P clients and the auxiliary or peer main servers, and NSP cluster VMs use different main server interfaces.

If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.

Default: main server hostname

public-ip

The IP address that the GUI and XML API clients must use to reach the primary main server

The parameter is configurable when the hostname parameter is unconfigured.

Default: —

jndi-port

The TCP port on the primary main server station to use for EJB JNDI messaging to GUI clients

It is strongly recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the primary main server.

Default: 1099

delegates

A list of the client delegate servers in the NFM-P system

Use the following list format; a path value is the absolute file path of the client installation location on the client delegate server station:

address1;path1,address2;path2...addressN;pathN

Note: The installation location cannot include a space character.

Note: Before you can install a client delegate server using a browser, each main server configuration must include the client delegate server address and file path.

Default: —


86 

Configure the database parameters in the following table, and then enter back ↵.

Note: The NFM-P uses the database backup settings to initialize the database during installation only. To change the backup settings after installation, you must use the Database Manager form in the NFM-P client GUI, as described in the NSP System Administrator Guide.

Table 14-31: Primary main server parameters — database

Parameter

Description

ip

The IP address that the primary main server must use to reach the primary database

Default: —

instance

Primary database instance name

Default: maindb1

user-password

Primary database user password

Default: available from technical support

backup-dest

The backup directory on the primary main database station

It is recommended that you specify a directory that can hold at least five times the expected database size, and can accommodate the database growth associated with network growth.

Default: /opt/nsp/nfmp/dbbackup

backup-interval

How frequently, in hours, to back up the main database

Default: 24

backup-sets

The number of main database backup sets to retain

Default: 3


87 

If the NFM-P system is to include auxiliary servers, configure the aux parameters in the following table, and then enter back ↵.

Note: At least one auxiliary server that you specify must be a Preferred auxiliary server.

Table 14-32: Primary main server parameters — aux

Parameter

Description

stats

If enabled, specifies that one or more auxiliary servers are to be used for statistics collection

Default: false

ip-to-auxes

The primary main server IP address that the auxiliary servers must use to reach the primary main server

Default: —

preferred-list

Comma-separated list of Preferred auxiliary server IP addresses

Default: —

reserved-list

Comma-separated list of Reserved auxiliary server IP addresses

Default: —

peer-list

Comma-separated list of Remote auxiliary server IP addresses

Default: —


88 

Enter the following:

<main> configure redundancy enabled ↵

The prompt changes to <main configure redundancy>.


89 

Configure the general redundancy parameters in the following table.

Table 14-33: Primary main server parameters — redundancy

Parameter

Description

ip-to-peer

The primary main server IP address that the standby main server must use for general communication

Default: IP address of primary network interface

rsync-ip

The primary main server IP address that the standby main server must use for data synchronization

Default: IP address of primary network interface


90 

Configure the database redundancy parameters in the following table, and then enter back ↵.

Table 14-34: Primary main server parameters — redundancy, database

Parameter

Description

ip

The IP address that the primary main server must use to reach the standby database

Default: —

instance

The standby database instance name

Default: —

backup-sync

Whether database backup file synchronization is enabled

When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes.

You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter. See the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization.

You must set the parameter to the same value on each main server.

Default: false

alignment

Whether automatic database alignment is enabled

If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components.

For more information about database alignment, see the NSP System Administrator Guide.

Default: false

preferred-instance

The name of the database instance with which the primary main server is to align

The parameter is configurable when the alignment parameter is enabled.

Default: —

reinstantiation-delay

The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database

A value of 0 disables automatic database reinstantiation.

Default: 60


91 

Configure the peer-server redundancy parameters in the following table, and then enter back ↵.

Table 14-35: Primary main server parameters — redundancy, peer-server

Parameter

Description

ip

The standby main server IP address that the primary main server uses for general communication

Default: —

hostname

The standby main server hostname that the primary main server uses for general communication

The parameter is configurable and mandatory when the hostname parameter in Step 85 is configured.

If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.

Default: —

rsync-ip

The standby main server IP address that the primary main server uses for data synchronization

Default: —

public-ip

The IP address that the GUI and XML API clients must use to reach the standby main server

Default: —

jndi-port

The TCP port on the standby main server station used for EJB JNDI messaging to GUI clients

It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the standby main server.

Default: 1099

ip-to-auxes

The standby main server IP address that the auxiliary servers must use to reach the standby main server

You must configure the parameter if the NFM-P system includes one or more auxiliary servers.

Default: —

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the standby main server

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the standby main server

snmp-port

The TCP port on the standby main server station used for SNMP communication with the managed NEs

Default: 162

traplog-id

The SNMP trap log ID associated with the standby main server

Default: 98


92 

Enter back ↵.

The prompt changes to <main configure>.


93 

As required, configure the mediation parameters in the following table, and then enter back ↵.

Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.

Table 14-36: Primary main server parameters — mediation

Parameter

Description

nat

Whether NAT is used between the main servers and the managed NEs

Default: false

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the primary main server

Default: IPv4 address of primary network interface

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the primary main server

Default: IPv6 address of primary network interface

snmp-port

The TCP port on the primary main server station that the managed NEs must use to reach the primary main server

Default: 162

traplog-id

The SNMP trap log ID associated with the primary main server

Default: 98


94 

If required, configure the tls parameters in the following table, and then enter back ↵.

Table 14-37: Primary main server parameters — tls

Parameter

Description

keystore-file

The absolute path of the TLS keystore file

To enable automated TLS deployment, enter no keystore-file.

Default: —

keystore-pass

The TLS keystore password

Default: available from technical support

truststore-file

The absolute path of the TLS truststore file

To enable automated TLS deployment, enter no truststore-file.

Default: —

truststore-pass

The TLS truststore password

Default: available from technical support

alias

The alias specified during keystore generation

You must configure the parameter.

Default: —

pki-server

One of the following in the platform, ingressApplications, ingressController section of the nsp-config.yml file on the local NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

Default: —

pki-server-port

The TCP port on which the PKI server listens for and services requests

Default: 80

regenerate-certs

Whether to regenerate the internal TLS certificates

Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available.

Default: false

hsts-enabled

Whether HSTS browser security is enabled

Default: false


95 

As required, configure the oss parameters in the following table, and then enter back ↵.

Note: The parameters are configurable only if no auxiliary servers are specified in Step 87. Otherwise, OSS access is restricted to the auxiliary servers, which require the configuration of OSS access parameters during installation.

Table 14-38: Primary main server parameters — oss

Parameter

Description

secure

Whether communication between the main servers and the XML API clients is secured using TLS

Default: false

public-ip

The IP address that the XML API clients must use to reach the primary main server

Default: IP address of primary network interface

xml-output

The directory in which to store the output of XML API file export operations

Default: /opt/nsp/nfmp/server/xml_output


96 

If the NSP deployment includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.

Table 14-39: Primary main server parameters — auxdb

Parameter

Description

enabled

Whether the NSP deployment includes an auxiliary database

secure

Whether TLS is enabled on the auxiliary database

Default: true

ip-list

A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format:

cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn

where

cluster_1_IP1, cluster_1_IP2, cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center

cluster_2_IP1, cluster_2_IP2, cluster_2_IPn are the external IP addresses of the stations in the other data center; required only for a geo-redundant auxiliary database

Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system.

Default: —

oam-test-results

Whether the auxiliary database is to store OAM test results

Default: false

redundancy-level

Boolean value that specifies whether the auxiliary database is to replicate data among multiple stations

If the auxiliary database is deployed on a single station, you must set the parameter to 0.

Caution: After you configure an auxdb parameter and start the main server, you cannot modify the redundancy-level parameter.

Default: 1


97 

As required, configure the aa-stats parameters in the following table, and then enter back ↵.

Table 14-40: Primary main server parameters — aa-stats

Parameter

Description

enabled

Whether the NFM-P is to collect AA accounting statistics

Default: false

formats

AA accounting statistics file formats; the options are the following:

  • ipdr—IPDR format

  • ram—format for NSP Analytics reporting

  • ipdr,ram—both formats

The parameter is configurable when the enabled parameter is set to true.

Default: ram

aux-db storage

Whether the NFM-P is to store the statistics in an auxiliary database

The parameter is configurable when the enabled parameter is set to true.

Default: false


98 

Configure the nspos parameters in the following table, and then enter back ↵.

Table 14-41: Primary main server parameters — nspos

Parameter

Description

ip-list

The NSP cluster IP addresses, separated by a semicolon

Each address is one of the following in the platform, ingressApplications, ingressController section of the nsp-config.yml file on the NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

Default: —

address-to-nspos

The main server IP address that is reachable by the NSP clusters

Default: —

dc-name

The DR data center name for aligning NSP components with the local NFM-P main server; must match the dcName value in the NSP cluster configuration file

The parameter is required only in a DR deployment, but Nokia strongly recommends that you configure the parameter, regardless of the deployment type.

Default: —

mtls-kafka-enabled

Specifies whether mTLS is enabled for Kafka communication with the NSP

The parameter is displayed only after the configuration is initially applied in a subsequent step.

Note: The function is supported only in an NSP system that uses separate interfaces for internal and client communication.

Default: false


99 

Configure the remote-syslog parameters in the following table, and then enter back ↵.

Table 14-42: Primary main server parameters — remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


100 

Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.

Table 14-43: Primary main server parameters — server-logs-to-remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P server logs in syslog format to a remote server

Default: disabled

secured

Whether the communication with the remote server is TLS-secured

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


101 

If the NFM-P deployment includes the 1830 SMS netHSM, configure the hsm parameters in the following table; otherwise, go to Step 103.

Table 14-44: Primary main server parameters — hsm

Parameter

Description

enabled

Whether HSM is enabled

Default: false

server-certs

The location of the 1830 SMS netHSM TLS client certificate for NFM-P access

Specify a client certificate location in the following format:

address#file_path

where

address is the 1830 SMS netHSM IP address or hostname

file_path is the absolute path and file name of the certificate file on the 1830 SMS netHSM

Default: —

mode

Operation mode; 0 specifies one HSM instance with load balancing disabled, and 2 specifies load balancing among multiple instances

Default: 0

client-key

The auto-generated TLS key file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication

Default: client.key

client-cert

The auto-generated TLS certificate file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication

Default: client.cert


102 

By default, the NFM-P generates TLS authentication files for web-client access to the NFM-P HSM server.

If you want to provide your own TLS authentication files, configure the twoway HSM parameters in the following table, and then enter back ↵.

Table 14-45: Primary main server parameters — hsm, twoway

Parameter

Description

keystore-file

The absolute path and name of the TLS keystore file for web-client access to the NFM-P HSM server

Default: —

keystore-pass

The keystore password

Default: —

keystore-alias

The keystore alias

Default: NSP

truststore-file

The absolute path and name of the TLS truststore file for web-client access to the NFM-P HSM server

Default: —

truststore-pass

The truststore password

Default: —

truststore-alias

The truststore alias

Default: NSP


103 

Enter back ↵.

The prompt changes to <main configure>.


104 

Verify the main server configuration.

  1. Enter the following:

    <main configure> show-detail ↵

    The main server configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required.

  4. When you are certain that the configuration is correct, enter the following:

    <main configure> back ↵

    The prompt changes to <main>.


105 

Enter the following:

<main> apply ↵

The configuration is applied.


106 

Enter the following:

<main> exit ↵

The samconfig utility closes.


107 

To enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.

Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.

  1. Enter the following:

    samconfig -m main ↵

    The following is displayed:

    Start processing command line inputs...

    <main> 

  2. Enter the following:

    configure nspos mtls-kafka-enabled back ↵

  3. Enter the following:

    <main> apply ↵

    The configuration is applied.

  4. Enter the following:

    <main> exit ↵

    The samconfig utility closes.


Enable Windows Active Directory access
 
108 

If you intend to use Windows Active Directory, or AD, for single sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 117.

Open the following file as a reference for use in subsequent steps:

/opt/nsp/os/install/examples/config.yml

Note: Consider the following.

  • The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.

  • Windows AD supports the following LDAP server types for remote authentication:

    AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.

    AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager RESTCONF API.


109 

Locate the section that begins with the following lines:

#   ldap:

#     enabled: true

#     servers:

#       - type: AUTHENTICATED/AD/ANONYMOUS

#         url: ldaps://ldap.example.com:636

#         security: SSL/STARTTLS/NONE


110 

Open the following file using a plain-text editor such as vi:

/opt/nsp/os/install/config.json


111 

Locate the section that begins with the following line:

"sso": {

The section has one subsection for each type of SSO access.

Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.


112 

In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.

The following example shows the LDAP configuration for two AD servers:

    "ldap": {
      "enabled": true,
      "servers": [
        {
          "type": "auth_type",
          "url": "ldaps://server1:port",
          "server1_parameter_1": "value",
          "server1_parameter_2": "value",
          .
          .
          "server1_parameter_n": "value"
        },
        {
          "type": "auth_type",
          "url": "ldaps://server2:port",
          "server2_parameter_1": "value",
          "server2_parameter_2": "value",
          .
          .
          "server2_parameter_n": "value"
        }
      ]
    }

where auth_type is AD or AUTHENTICATED


113 

Save and close the files.


114 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


115 

Enter the following:

<main> apply ↵

The AD LDAP configuration is applied.


116 

Enter the following:

<main> exit ↵

The samconfig utility closes.
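Before the apply in Step 115, the ldap subsection created in Step 112 can be checked offline. The following Python check is an added example, not Nokia code: it assumes that the security key shown in config.yml is carried into config.json with the values SSL, STARTTLS or NONE, it searches for the sso section because the page does not show where the section sits in the file, and the host names in the sample are constructed.

```python
import json
from urllib.parse import urlparse

ALLOWED_TYPES = {"AD", "AUTHENTICATED"}  # server types the page lists for Windows AD

# Constructed sample of config.json content; host names and DN are made up.
SAMPLE_CONFIG = """
{
  "sso": {
    "ldap": {
      "enabled": true,
      "servers": [
        {"type": "AD", "url": "ldaps://ad1.example.com:636", "security": "SSL",
         "group_base_dn": "OU=Groups,DC=example,DC=com"},
        {"type": "AUTHENTICATED", "url": "ldap://ad2.example.com:389",
         "security": "NONE"},
        {"type": "ANONYMOUS", "url": "ldaps://ad3.example.com:636"}
      ]
    }
  }
}
"""


def find_section(node, key):
    """Depth-first search for the first JSON object stored under `key`."""
    if isinstance(node, dict):
        if isinstance(node.get(key), dict):
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_section(child, key)
        if found is not None:
            return found
    return None


def check_server(entry):
    """Return the list of problems for one entry of the "servers" array."""
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    problems = []
    stype = entry.get("type")
    if stype not in ALLOWED_TYPES:
        problems.append(f"type {stype!r} is not AD or AUTHENTICATED")
    url = urlparse(str(entry.get("url", "")))
    security = str(entry.get("security", "NONE")).upper()
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        problems.append(f"url {entry.get('url')!r} is not an ldap:// or ldaps:// URL")
    elif url.scheme == "ldap" and security != "STARTTLS":
        problems.append("ldap:// without STARTTLS: binds and group lookups are unencrypted")
    # The AD type derives the user group from group_base_dn (see Step 108).
    if stype == "AD" and not entry.get("group_base_dn"):
        problems.append("AD type has no group_base_dn to derive the user group from")
    return problems


def check_sso_ldap(config_text):
    """Parse config.json text; return {location: [problems]} for the ldap subsection."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as err:
        # Catches leftovers from a template, such as a trailing comma.
        return {"json": [f"line {err.lineno}, column {err.colno}: {err.msg}"]}
    sso = find_section(config, "sso")
    ldap = sso.get("ldap") if sso else None
    if not isinstance(ldap, dict):
        return {"sso": ["no ldap subsection found"]}
    report = {}
    if ldap.get("enabled") is not True:
        report["ldap"] = ['"enabled" is not the JSON boolean true']
    servers = ldap.get("servers")
    if not isinstance(servers, list) or not servers:
        report.setdefault("ldap", []).append('"servers" must be a non-empty array')
        return report
    for index, entry in enumerate(servers):
        problems = check_server(entry)
        if problems:
            report[f"servers[{index}]"] = problems
    return report


if __name__ == "__main__":
    for location, problems in check_sso_ldap(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{location}: {problem}")
```

An empty report means that the subsection parses as JSON and every server entry uses a listed type over an encrypted transport.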


Start primary main server
 
117 

Start the primary main server.

Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.

  1. Log in as the nsp user on the main server station.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash start ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.


118 

If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, you must add the LDAP server bind credentials to the NSP security configuration.

Use the NSP Session Manager RESTCONF API to add the bind credentials; see the Network Developer Portal for information.


119 

Specify the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.

  1. Enter the following:

    bash$ ./nmsdeploytool.bash clientmem -option ↵

    where option is one of the following:

    • m—medium, for management of a limited-scale network

    • l—large, for a network of 15 000 or more NEs

  2. Record the setting, which is not preserved through an upgrade, for future use.

  3. Enter the following to commit the configuration change:

    bash$ ./nmsdeploytool.bash deploy ↵


120 

Close the console window.


Install GUI client
 
121 

You require an NFM-P GUI client to complete the procedure; see the following for information:

Note: Single-user GUI client installation takes less time, so may be the preferred option if your maintenance period is limited; you can uninstall an unused single-user client after you complete the procedure.

See the NSP NFM-P User Guide for information about using the NFM-P GUI to view and manage objects.


Instantiate standby database
 
122 

Open an NFM-P GUI client as the admin user.


123 

Choose Administration→System Information from the main menu. The System Information form opens.


124 

Click Re-Instantiate Standby.


125 

Click Yes to confirm the action. The instantiation begins, and the GUI status bar displays the current phase of the operation.

Note: Database instantiation takes considerable time if the database contains a large amount of statistics data.

You can also use the System Information form to monitor the operation progress. The Last Attempted Standby Re-instantiation Time is the start time; the Standby Re-instantiation State changes from In Progress to Success when the instantiation is complete.


126 

When the instantiation is complete, close the System Information form.


Install standby main server
 
127 

Log in as the root user on the standby main server station.


128 

Open a console window.


129 

Navigate to the NFM-P software directory.

Note: Ensure that the directory contains only the installation files.


130 

Enter the following:

chmod +x * ↵


131 

Enter the following:

dnf install *.rpm ↵

The dnf utility resolves any package dependencies, and displays the following prompt:

Total size: nn G

Installed size: nn G 

Is this ok [y/d/N]: 


132 

Enter y. The following and the installation status are displayed as each package is installed:

Downloading Packages:

Running transaction check

Transaction check succeeded.

Running transaction test

Transaction test succeeded.

Running transaction

The package installation is complete when the following is displayed:

Complete!


133 

The initial NFM-P server installation on a station creates the nsp user account and assigns a randomly generated password.

If this is the first installation of an NFM-P main or auxiliary server on the station, change the nsp password.

  1. Enter the following:

    passwd nsp ↵

    The following prompt is displayed:

    New Password:

  2. Enter a password.

    The following prompt is displayed:

    Confirm Password:

  3. Re-enter the password.

  4. Record the password and store it in a secure location.


134 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


135 

Enter the following:

<main> configure ↵

The prompt changes to <main configure>.


136 

As required, configure the general parameters in the following table.

Table 14-46: Standby main server parameters, general

Parameter

Description

ip

The standby main server IP address

Default: IP address of primary network interface

domain

The NFM-P system identifier

Default: NFM-P

initial-admin-passwd

The NSP admin user password, which must match the password specified in the primary main server configuration

It is strongly recommended that you change the password from the default; if you choose not to configure the parameter, the default password remains in effect.

The parameter is configurable only during a main server installation.

Note: The NFM-P uses the password configured on the first main server that initializes after the installation.

A password must:

  • be a minimum of 8 characters

  • contain at least three of the following:

    • lower-case alphabetic character

    • upper-case alphabetic character

    • numeric character

    • special character, which is one of the following: ( ) ? ~ ! @ # $ & * _ +

  • not contain more than three consecutive instances of the same character

license

Absolute path of NFM-P license zip file

You cannot start a main server unless the main server configuration includes a current and valid license. You can use samconfig to specify the license file, or import a license, as described in the NSP System Administrator Guide.

Default: —

fips

Whether FIPS security is enabled for network management

See Enabling FIPS security for NFM-P network management for information about using FIPS security.

Default: false
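The initial-admin-passwd rules in the table above can be checked before the value is typed into samconfig on either main server. This Python check is an added example, not part of the NFM-P software; it assumes that ASCII letters and digits are meant, and a character outside the listed special set does not count toward any class because the page does not say how the NFM-P treats it.

```python
import getpass
import hmac
import string
from itertools import groupby

SPECIALS = "()?~!@#$&*_+"   # the special characters listed in the table
MIN_LENGTH = 8
MIN_CLASSES = 3             # of lower-case, upper-case, numeric, special
MAX_RUN = 3                 # at most three consecutive identical characters


def character_classes(password):
    """Return the names of the character classes present in the password."""
    classes = {
        "lower-case": string.ascii_lowercase,
        "upper-case": string.ascii_uppercase,
        "numeric": string.digits,
        "special": SPECIALS,
    }
    return {name for name, chars in classes.items()
            if any(c in chars for c in password)}


def longest_run(password):
    """Length of the longest run of one repeated character (0 for empty input)."""
    return max((len(list(group)) for _, group in groupby(password)), default=0)


def password_problems(password):
    """Return the rules from the table that the password breaks; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        found = ", ".join(sorted(present)) or "none"
        problems.append(f"only {len(present)} of 4 character classes ({found}); "
                        f"need {MIN_CLASSES}")
    if longest_run(password) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} consecutive identical characters")
    return problems


def same_on_both_servers(primary_value, standby_value):
    """Constant-time comparison of the values entered on the two main servers."""
    return hmac.compare_digest(primary_value.encode(), standby_value.encode())


if __name__ == "__main__":
    # getpass keeps the value off the screen and out of the shell history.
    first = getpass.getpass("initial-admin-passwd (primary): ")
    second = getpass.getpass("initial-admin-passwd (standby): ")
    for problem in password_problems(first):
        print("policy:", problem)
    if not same_on_both_servers(first, second):
        print("mismatch: the standby value must match the primary main server value")
```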


137 

As required, configure the client parameters in the following table, and then enter back ↵.

Table 14-47: Standby main server parameters — client

Parameter

Description

nat

Whether NAT is used between the main servers and the GUI and XML API clients

Default: false

hostname

The standby main server hostname, if NFM-P components are to use hostnames, rather than IP addresses, for communication with the main servers

You must configure the parameter if one of the following is true:

  • The main server is to use multiple interfaces for GUI and XML API client communication.

  • NFM-P clients are to connect to the main server using IPv4 and IPv6 interfaces.

  • NAT is used.

  • The NFM-P clients and the auxiliary or peer main servers, and NSP cluster VMs use different main server interfaces.

If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.

Default: main server hostname

public-ip

The IP address that the GUI and XML API clients must use to reach the standby main server

The parameter is configurable when the hostname parameter is unconfigured.

Default: —

jndi-port

The TCP port on the standby main server station to use for EJB JNDI messaging to GUI clients

It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the standby main server.

Default: 1099

delegates

A list of the client delegate servers in the NFM-P system

Use the following list format; a path value is the absolute file path of the client installation location on the client delegate server station:

address1;path1,address2;path2...addressN;pathN

Note: Before you can install a client delegate server using a browser, each main server configuration must include the client delegate server address and file path.

Default: —


138 

Configure the database parameters in the following table, and then enter back ↵.

Note: The NFM-P uses the database backup settings to initialize the database during installation only. To change the backup settings after installation, you must use the Database Manager form in the NFM-P client GUI, as described in the NSP System Administrator Guide.

Table 14-48: Standby main server parameters — database

Parameter

Description

ip

The IP address that the standby main server must use to reach the standby database

Default: —

instance

Standby database instance name

You must set this parameter to the same value as the instance parameter in Step 90.

Default: maindb1

user-password

Standby database user password

Default: available from technical support

backup-dest

The backup directory on the primary main database station

It is recommended that you specify a directory that can hold at least five times the expected database size, and can accommodate the database growth associated with network growth.

Default: /opt/nsp/nfmp/dbbackup

backup-interval

How frequently, in hours, to back up the main database

Default: 24

backup-sets

The number of main database backup sets to retain

Default: 3


139 

If the NFM-P system is to include auxiliary servers, configure the aux parameters in the following table, and then enter back ↵.

Note: At least one auxiliary server that you specify must be a Preferred auxiliary server.

Table 14-49: Standby main server parameters — aux

Parameter

Description

stats

If enabled, specifies that one or more auxiliary servers are to be used for statistics collection

Default: false

ip-to-auxes

The standby main server IP address that the auxiliary servers must use to reach the standby main server

Default: —

preferred-list

Comma-separated list of Preferred auxiliary server IP addresses

Default: —

reserved-list

Comma-separated list of Reserved auxiliary server IP addresses

Default: —

peer-list

Comma-separated list of Remote auxiliary server IP addresses

Default: —


140 

Enter the following:

<main> configure redundancy enabled ↵

The prompt changes to <main configure redundancy>.


141 

Configure the general redundancy parameters in the following table.

Table 14-50: Standby main server parameters — redundancy

Parameter

Description

ip-to-peer

The standby main server IP address that the primary main server must use for general communication

Default: IP address of primary network interface

rsync-ip

The standby main server IP address that the primary main server must use for data synchronization

Default: IP address of primary network interface


142 

Configure the database redundancy parameters in the following table, and then enter back ↵.

Table 14-51: Standby main server parameters — redundancy, database

Parameter

Description

ip

The IP address that the standby main server must use to reach the primary database

Default: —

instance

Primary database instance name

Default: —

backup-sync

Whether database backup file synchronization is enabled

When the parameter is enabled, each database backup file set is copied to the peer main database station after the backup completes.

You must ensure that there is sufficient network bandwidth between the main database stations before you enable this parameter. See the NSP Planning Guide for information about the bandwidth requirements of database backup file synchronization.

You must set the parameter to the same value on each main server.

Default: false

alignment

Whether automatic database alignment is enabled

If automatic database alignment is enabled, a main server and database attempt to assume a common role, primary or standby, after an event such as a server activity switch or database failover. In a geographically dispersed system, the function helps to ensure that a main server communicates with the local database in order to reduce the network latency between the components.

For more information about database alignment, see the NSP System Administrator Guide.

Default: false

preferred-instance

The name of the database instance with which the standby main server is to align

The parameter is configurable when the alignment parameter is enabled.

Default: —

reinstantiation-delay

The delay, in minutes, between the completion of a database failover and the automatic reinstantiation of the standby database

A value of 0 disables automatic database reinstantiation.

Default: 60


143 

Configure the peer-server redundancy parameters in the following table, and then enter back ↵.

Table 14-52: Standby main server parameters — redundancy, peer-server

Parameter

Description

ip

The primary main server IP address that the standby main server must use for general communication

Default: —

hostname

The primary main server hostname that the standby main server must use for general communication

The parameter is configurable and mandatory when the hostname parameter in Step 137 is configured.

If the TLS certificate contains the FQDN, you must specify the FQDN as the parameter value.

Default: —

rsync-ip

The primary main server IP address that the standby main server must use for data synchronization

Default: —

public-ip

The IP address that the GUI clients, XML API clients, and auxiliary servers must use to reach the primary main server

Default: —

jndi-port

The TCP port on the primary main server station used for EJB JNDI messaging to GUI clients

It is recommended that you accept the default unless another application uses the port, or there is a firewall between the GUI clients and the primary main server.

Default: 1099

ip-to-auxes

The primary main server IP address that the auxiliary servers must use to reach the primary main server

You must configure the parameter if the NFM-P system includes one or more auxiliary servers.

Default: —

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the primary main server

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the primary main server

snmp-port

The TCP port on the primary main server station used for SNMP communication with the managed NEs

Default: 162

traplog-id

The SNMP trap log ID associated with the primary main server

Default: 98
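Many of the standby values in Steps 136 to 143 mirror values entered earlier on the primary main server, and a mismatch is easy to miss when the values are typed twice. The following Python cross-check is an added example, not a Nokia tool: the context/parameter key names, the two worksheet dictionaries and all addresses are constructed, and the mirror rules are read from the parameter descriptions in the tables rather than from samconfig output.

```python
import ipaddress

# (parameter on one main server, parameter that must equal it on the peer server)
MIRRORED = [
    ("redundancy/peer-server/ip", "redundancy/ip-to-peer"),
    ("redundancy/peer-server/rsync-ip", "redundancy/rsync-ip"),
    ("redundancy/peer-server/public-ip", "client/public-ip"),
    ("redundancy/peer-server/jndi-port", "client/jndi-port"),
    ("redundancy/peer-server/ip-to-auxes", "aux/ip-to-auxes"),
    ("redundancy/peer-server/snmp-ipv4", "mediation/snmp-ipv4"),
    ("redundancy/peer-server/snmp-port", "mediation/snmp-port"),
    ("redundancy/peer-server/traplog-id", "mediation/traplog-id"),
    ("redundancy/database/instance", "database/instance"),
]
IDENTICAL = ["redundancy/database/backup-sync"]  # same value on each main server

# Constructed worksheets of recorded values (documentation address ranges).
PRIMARY = {
    "redundancy/ip-to-peer": "192.0.2.10",
    "redundancy/rsync-ip": "192.0.2.10",
    "redundancy/peer-server/ip": "198.51.100.10",
    "redundancy/peer-server/rsync-ip": "198.51.100.10",
    "redundancy/peer-server/snmp-port": "162",
    "redundancy/database/instance": "maindb2",
    "redundancy/database/backup-sync": "true",
    "database/instance": "maindb1",
    "mediation/snmp-port": "162",
    "auxdb/ip-list": "203.0.113.1,203.0.113.2;203.0.113.65,203.0.113.66",
}
STANDBY = {
    "redundancy/ip-to-peer": "198.51.100.10",
    "redundancy/rsync-ip": "198.51.100.11",        # differs from the primary's view
    "redundancy/peer-server/ip": "192.0.2.10",
    "redundancy/peer-server/rsync-ip": "192.0.2.10",
    "redundancy/peer-server/snmp-port": "162",
    "redundancy/database/instance": "maindb1",
    "redundancy/database/backup-sync": "false",    # must match the primary
    "database/instance": "maindb2",
    "mediation/snmp-port": "162",
    "auxdb/ip-list": "203.0.113.65,203.0.113.66;203.0.113.1,203.0.113.2",
}


def parse_ip_list(value):
    """Split an auxdb ip-list: ';' separates data centers, ',' separates stations."""
    return [[str(ipaddress.ip_address(a.strip())) for a in cluster.split(",")]
            for cluster in value.split(";")]


def compare_ip_lists(primary_value, standby_value):
    """Return None when the lists match exactly, otherwise a description."""
    try:
        first, second = parse_ip_list(primary_value), parse_ip_list(standby_value)
    except ValueError as err:
        return f"auxdb/ip-list: {err}"
    if first == second:
        return None
    if sorted(map(sorted, first)) == sorted(map(sorted, second)):
        return "auxdb/ip-list: same addresses, different order"
    return "auxdb/ip-list: different addresses"


def cross_check(primary, standby):
    """Return a list of inconsistencies between the two worksheets."""
    findings = []
    sides = (("primary", primary, "standby", standby),
             ("standby", standby, "primary", primary))
    for local_key, peer_key in MIRRORED:
        for name, local, other, peer in sides:
            mine, theirs = local.get(local_key), peer.get(peer_key)
            if mine is None or theirs is None:
                continue  # not recorded on a worksheet, nothing to compare
            if str(mine) != str(theirs):
                findings.append(f"{name} {local_key}={mine} but "
                                f"{other} {peer_key}={theirs}")
    for key in IDENTICAL:
        if key in primary and key in standby and primary[key] != standby[key]:
            findings.append(f"{key} differs: primary={primary[key]} "
                            f"standby={standby[key]}")
    if "auxdb/ip-list" in primary and "auxdb/ip-list" in standby:
        note = compare_ip_lists(primary["auxdb/ip-list"], standby["auxdb/ip-list"])
        if note:
            findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in cross_check(PRIMARY, STANDBY):
        print(finding)
```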


144 

Enter back ↵.

The prompt changes to <main configure>.


145 

As required, configure the mediation parameters in the following table, and then enter back ↵.

Note: Some device types do not support an SNMP port value other than 162. Before you configure the snmp-port parameter to a value other than the default, you must ensure that each device type in the managed network supports the port value.

Table 14-53: Standby main server parameters — mediation

Parameter

Description

nat

Whether NAT is used between the main servers and the managed NEs

Default: false

snmp-ipv4

The IPv4 address that the managed NEs must use to reach the standby main server

Default: IPv4 address of primary network interface

snmp-ipv6

The IPv6 address that the managed NEs must use to reach the standby main server

Default: IPv6 address of primary network interface

snmp-port

The TCP port on the standby main server station that the managed NEs must use to reach the standby main server

Default: 162

traplog-id

The SNMP trap log ID associated with the standby main server

Default: 98


146 

If required, configure the tls parameters in the following table, and then enter back ↵.

Table 14-54: Standby main server parameters — tls

Parameter

Description

keystore-file

The absolute path of the TLS keystore file

To enable automated TLS deployment, enter no keystore-file.

Default: —

keystore-pass

The TLS keystore password

Default: available from technical support

truststore-file

The absolute path of the TLS truststore file

To enable automated TLS deployment, enter no truststore-file.

Default: —

truststore-pass

The TLS truststore password

Default: available from technical support

alias

The alias specified during keystore generation

You must configure the parameter.

Default: —

pki-server

One of the following in the platform, ingressApplications, ingressController section of the nsp-config.yml file on the local NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

Default: —

pki-server-port

The TCP port on which the PKI server listens for and services requests

Default: 80

regenerate-certs

Whether to regenerate the internal TLS certificates

Certificate regeneration is required when the current certificates are about to expire, or a new internal root certificate is available.

Default: false

hsts-enabled

Whether HSTS browser security is enabled

Default: false


147 

As required, configure the oss parameters in the following table, and then enter back ↵.

Note: The parameters are configurable only if no auxiliary servers are specified in Step 139. Otherwise, OSS access is restricted to the auxiliary servers, which require the configuration of OSS access parameters during installation.

Table 14-55: Standby main server parameters — oss

Parameter

Description

secure

Whether communication between the main servers and the XML API clients is secured using TLS

Default: false

public-ip

The IP address that the XML API clients must use to reach the standby main server

Default: IP address of primary network interface

xml-output

The directory in which to store the output of XML API file export operations

Default: /opt/nsp/nfmp/server/xml_output


148 

If the NSP deployment includes an auxiliary database, configure the auxdb parameters in the following table, and then enter back ↵.

Table 14-56: Standby main server parameters — auxdb

Parameter

Description

enabled

Whether the NSP deployment includes an auxiliary database

secure

Whether TLS is enabled on the auxiliary database

Default: true

ip-list

A list of the auxiliary database station IP addresses that are accessible to the main server, in the following format:

cluster_1_IP1,cluster_1_IP2,cluster_1_IPn;cluster_2_IP1,cluster_2_IP2,cluster_2_IPn

where

cluster_1_IP1,cluster_1_IP2,cluster_1_IPn are the external IP addresses of the auxiliary database stations in one data center

cluster_2_IP1,cluster_2_IP2,cluster_2_IPn are the external IP addresses of the stations in the other data center; required only for a geo-redundant auxiliary database

Note: For a geo-redundant auxiliary database, the order of the IP addresses must be the same on each main server in the geo-redundant system.

Default: —

oam-test-results

Whether the auxiliary database is to store OAM test results

Default: false

redundancy-level

Boolean value that specifies whether the auxiliary database is to replicate data among multiple stations

If the auxiliary database is deployed on a single station, you must set the parameter to 0.

Caution: After you configure an auxdb parameter and start the main server, you cannot modify the redundancy-level parameter.

Default: 1
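
The following is an added example, not part of the NFM-P documentation, that parses the ip-list format described in the table, compares the value recorded for each main server of a geo-redundant system, and applies the single-station redundancy-level rule. The function names, server names, and addresses are constructed for illustration.

```python
import ipaddress


def parse_ip_list(value):
    """Parse 'a,b,c;d,e,f' into a list of clusters, each a list of addresses."""
    # ip_address() raises ValueError on an empty or malformed entry.
    clusters = [
        [ipaddress.ip_address(item.strip()) for item in part.split(",")]
        for part in value.split(";")
    ]
    if len(clusters) > 2:
        raise ValueError("more than two clusters; the format has one per data center")
    flat = [address for cluster in clusters for address in cluster]
    if len(set(flat)) != len(flat):
        raise ValueError("an address is listed more than once")
    return clusters


def check_auxdb(ip_lists, redundancy_level):
    """ip_lists maps each main server name to its ip-list value; return findings."""
    findings, parsed = [], {}
    for server, value in ip_lists.items():
        try:
            parsed[server] = parse_ip_list(value)
        except ValueError as exc:
            findings.append(f"{server}: {exc}")
    if findings or not parsed:
        return findings
    reference_name, reference = next(iter(parsed.items()))
    if any(len(clusters) == 2 for clusters in parsed.values()):
        # Geo-redundant: every main server must list the addresses in the same order.
        members = {address for cluster in reference for address in cluster}
        for server, clusters in parsed.items():
            if clusters != reference:
                other = {address for cluster in clusters for address in cluster}
                same = other == members
                reason = "same addresses, different order" if same else "different addresses"
                findings.append(f"{server}: ip-list differs from {reference_name} ({reason})")
    if sum(len(cluster) for cluster in reference) == 1 and redundancy_level != 0:
        findings.append("single-station auxiliary database requires redundancy-level 0")
    return findings


# Constructed sample values using documentation address ranges.
DC1 = "192.0.2.11,192.0.2.12,192.0.2.13"
DC2 = "198.51.100.11,198.51.100.12,198.51.100.13"

if __name__ == "__main__":
    print(check_auxdb({"primary": f"{DC1};{DC2}", "standby": f"{DC2};{DC1}"}, 1))
    print(check_auxdb({"primary": "192.0.2.11"}, 1))
```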


149 

As required, configure the aa-stats parameters in the following table, and then enter back ↵.

Table 14-57: Standby main server parameters — aa-stats

Parameter

Description

enabled

Whether the NFM-P is to collect AA accounting statistics

Default: false

formats

AA accounting statistics file formats; the options are the following:

  • ipdr—IPDR format

  • ram—format for NSP Analytics reporting

  • ipdr,ram—both formats

The parameter is configurable when the enabled parameter is set to true.

Default: ram

aux-db storage

Whether the NFM-P is to store the statistics in an auxiliary database

The parameter is configurable when the enabled parameter is set to true.

Default: false


150 

Configure the nspos parameters in the following table, and then enter back ↵.

Table 14-58: Standby main server parameters — nspos

Parameter

Description

ip-list

The NSP cluster IP addresses, separated by a semicolon

Each address is one of the following in the platform, ingressApplications, ingressController section of the nsp-config.yml file on the NSP deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

  • if configured, the advertised value

  • otherwise, the virtualIp value

Default: —

address-to-nspos

The main server IP address that is reachable by the NSP clusters

Default: —

dc-name

The DR data center name for aligning NSP components with the local NFM-P main server; must match the dcName value in the NSP cluster configuration file

The parameter is required only in a DR deployment, but Nokia strongly recommends that you configure the parameter, regardless of the deployment type.

Default: —

mtls-kafka-enabled

Specifies whether mTLS is enabled for Kafka communication with the NSP

The parameter is displayed only after the configuration is initially applied in a subsequent step.

Note: The function is supported only in an NSP system that uses separate interfaces for internal and client communication.

Default: false


151 

Configure the remote-syslog parameters in the following table, and then enter back ↵.

Table 14-59: Standby main server parameters — remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P User Activity logs in syslog format to a remote server

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


152 

Configure the server-logs-to-remote-syslog parameters in the following table, and then enter back ↵.

Table 14-60: Standby main server parameters — server-logs-to-remote-syslog

Parameter

Description

enabled

Enable the forwarding of the NFM-P server logs in syslog format to a remote server

Default: disabled

secured

Whether the communication with the remote server is TLS-secured

Default: disabled

syslog-host

Remote syslog server hostname or IP address

Default: —

syslog-port

Remote server TCP port

Default: —

ca-cert-path

Absolute local path of public CA TLS certificate file copied from remote server

The file requires nsp:nsp ownership.


153 

If the NFM-P deployment includes the 1830 SMS netHSM, configure the hsm parameters in the following table; otherwise, go to Step 155.

Table 14-61: Standby main server parameters — hsm

Parameter

Description

enabled

Whether HSM is enabled

Default: false

server-certs

The location of the 1830 SMS netHSM TLS client certificate for NFM-P access

Specify a client certificate location in the following format:

address#file_path

where

address is the 1830 SMS netHSM IP address or hostname

file_path is the absolute path and file name of the certificate file on the 1830 SMS netHSM

Default: —

mode

Operation mode; 0 specifies one HSM instance with load balancing disabled, and 2 specifies load balancing among multiple instances

Default: 0

client-key

The auto-generated TLS key file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication

Default: client.key

client-cert

The auto-generated TLS certificate file that the NFM-P provides to the 1830 SMS netHSM for two-way web-client authentication

Default: client.cert


154 

By default, the NFM-P generates TLS authentication files for web-client access to the NFM-P HSM server.

If you want to provide your own TLS authentication files, configure the twoway HSM parameters in the following table, and then enter back ↵.

Table 14-62: Standby main server parameters — hsm, twoway

Parameter

Description

keystore-file

The absolute path and name of the TLS keystore file for web-client access to the NFM-P HSM server

Default: —

keystore-pass

The keystore password

Default: —

keystore-alias

The keystore alias

Default: NSP

truststore-file

The absolute path and name of the TLS truststore file for web-client access to the NFM-P HSM server

Default: —

truststore-pass

The truststore password

Default: —

truststore-alias

The truststore alias

Default: NSP


155 

Enter back ↵.

The prompt changes to <main configure>.


156 

Verify the main server configuration.

  1. Enter the following:

    <main configure> show-detail ↵

    The main server configuration is displayed.

  2. Review each parameter to ensure that the value is correct.

  3. Configure one or more parameters, if required.

  4. When you are certain that the configuration is correct, enter the following:

    <main configure> back ↵

    The prompt changes to <main>.


157 

Enter the following:

<main> apply ↵

The configuration is applied.


158 

Enter the following:

<main> exit ↵

The samconfig utility closes.


159 

To enable mTLS for internal Kafka authentication using two-way TLS, perform the following steps.

Note: Enabling mTLS for internal Kafka authentication is supported only in an NSP deployment that uses separate interfaces for internal and client communication.

  1. Enter the following:

    samconfig -m main ↵

    The following is displayed:

    Start processing command line inputs...

    <main> 

  2. Enter the following:

    configure nspos mtls-kafka-enabled back ↵

  3. Enter the following:

    <main> apply ↵

    The configuration is applied.

  4. Enter the following:

    <main> exit ↵

    The samconfig utility closes.


Enable Windows Active Directory access
 
160 

If you intend to use Windows Active Directory, or AD, for single sign-on client access, you must configure LDAP remote authentication for AD; otherwise, go to Step 169.

Open the following file as a reference for use in subsequent steps:

/opt/nsp/os/install/examples/config.yml

Note: Consider the following.

  • The NFM-P does not assign a default user group to users of a remote authentication source that you define for Windows AD; the authentication source must provide the user group attributes.

  • Windows AD supports the following LDAP server types for remote authentication:

    AD—The user group of an AD user is derived from the group_base_dn attribute in the server configuration; group search filters are not supported.

    AUTHENTICATED—The server configuration must include bind credentials; group search filters are supported. After NFM-P initialization, you add the AD server bind credentials to the NSP password vault using the NSP Session Manager RESTCONF API.


161 

Locate the section that begins with the following lines:

#   ldap:

#     enabled: true

#     servers:

#       - type: AUTHENTICATED/AD/ANONYMOUS

#         url: ldaps://ldap.example.com:636

#         security: SSL/STARTTLS/NONE


162 

Open the following file using a plain-text editor such as vi:

/opt/nsp/os/install/config.json


163 

Locate the section that begins with the following line:

"sso": {

The section has one subsection for each type of SSO access.

Note: You can enable multiple remote authentication methods such as LDAP and RADIUS in the config.json file, or by using the NFM-P GUI. Using the GUI also allows you to specify the order in which the methods are tried during login attempts; however, no ordering is applied to multiple methods enabled in the config.json file.


164 

In the sso section, create an ldap subsection as shown below using the parameter names from the ldap section of config.yml and the required values for your configuration.

The following example shows the LDAP configuration for two AD servers:

    "ldap": {
      "enabled": true,
      "servers": [
        {
          "type": "auth_type",
          "url": "ldaps://server1:port",
          "server1_parameter_1": "value",
          "server1_parameter_2": "value",
          .
          .
          "server1_parameter_n": "value"
        },
        {
          "type": "auth_type",
          "url": "ldaps://server2:port",
          "server2_parameter_1": "value",
          "server2_parameter_2": "value",
          .
          .
          "server2_parameter_n": "value"
        }
      ]
    }

where auth_type is AD or AUTHENTICATED
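
The following check is an added example, not part of the NFM-P documentation, that validates the ldap subsection created in this step before it is applied with samconfig. It assumes that "sso" is a top-level key of config.json and that each server entry uses the type, url, and security parameter names shown in the config.yml excerpt; the function names and sample values are constructed for illustration.

```python
import json
from urllib.parse import urlparse

ALLOWED_TYPES = {"AD", "AUTHENTICATED"}  # the auth_type values the step allows

def check_server(index, server):
    """Return findings for one entry of the ldap "servers" list."""
    where = f"servers[{index}]"
    if not isinstance(server, dict):
        return [f"{where}: entry must be a JSON object"]
    findings = []
    if server.get("type") not in ALLOWED_TYPES:
        findings.append(f"{where}: type must be AD or AUTHENTICATED")
    url = urlparse(str(server.get("url", "")))
    try:
        port = url.port  # raises ValueError for a leftover "port" placeholder
    except ValueError:
        port = None
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or port is None:
        findings.append(f"{where}: url must be ldap(s)://host:port")
    elif url.scheme == "ldap" and server.get("security") != "STARTTLS":
        findings.append(f"{where}: ldap:// without STARTTLS sends binds in cleartext")
    return findings

def check_sso_ldap(config_text):
    """Return findings for the sso/ldap subsection; an empty list means clean."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Trailing commas and leftover "." placeholder lines are reported here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    sso = config.get("sso") if isinstance(config, dict) else None  # assumed top-level
    ldap = sso.get("ldap") if isinstance(sso, dict) else None
    if not isinstance(ldap, dict):
        return ["no sso/ldap subsection found"]
    findings = []
    if ldap.get("enabled") is not True:
        findings.append("ldap.enabled is not the JSON boolean true")
    servers = ldap.get("servers")
    if not isinstance(servers, list) or not servers:
        return findings + ["ldap.servers must be a non-empty list"]
    for index, server in enumerate(servers):
        findings += check_server(index, server)
    return findings

# Constructed sample inputs (not taken from a real system).
GOOD = """{"sso": {"ldap": {"enabled": true, "servers": [
  {"type": "AD", "url": "ldaps://dc1.example.com:636", "security": "SSL"},
  {"type": "AUTHENTICATED", "url": "ldap://dc2.example.com:389", "security": "STARTTLS"}
]}}}"""
BAD = """{"sso": {"ldap": {"enabled": "true", "servers": [
  {"type": "auth_type", "url": "ldaps://server1:port"},
  {"type": "AD", "url": "ldap://dc2.example.com:389", "security": "NONE"}
]}}}"""
TRAILING_COMMA = '{"sso": {"ldap": {"enabled": true, "servers": [{"type": "AD",}]}}}'

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("TRAILING", TRAILING_COMMA)):
        print(name, check_sso_ldap(text))
```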


165 

Save and close the files.


166 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main> 


167 

Enter the following:

<main> apply ↵

The AD LDAP configuration is applied.


168 

Enter the following:

<main> exit ↵

The samconfig utility closes.


Start standby main server
 
169 

Start the standby main server.

Note: If you did not specify a license file during the installation, you cannot start the main server until you import a license. See the NSP System Administrator Guide for information about importing a license.

  1. Log in as the nsp user on the main server station.

  2. Open a console window.

  3. Enter the following:

    bash$ cd /opt/nsp/nfmp/server/nms/bin ↵

  4. Enter the following:

    bash$ ./nmsserver.bash start ↵

  5. Enter the following:

    bash$ ./nmsserver.bash appserver_status ↵

    The server status is displayed; the server is fully initialized if the status is the following:

    Application Server process is running.  See nms_status for more detail.

    If the server is not fully initialized, wait five minutes and then repeat this step. Do not perform the next step until the server is fully initialized.


170 

If you have enabled Windows Active Directory access using the AUTHENTICATED type of LDAP server, you must add the LDAP server bind credentials to the NSP security configuration.

Use the NSP Session Manager RESTCONF API to add the bind credentials; see the Network Developer Portal for information.


171 

Specify the memory requirement for GUI clients based on the type of network that the NFM-P is to manage.

  1. Enter the following:

    bash$ ./nmsdeploytool.bash clientmem -option ↵

    where option is one of the following:

    • m—medium, for management of a limited-scale network

    • l—large, for a network of 15 000 or more NEs

  2. Record the setting, which is not preserved through an upgrade, for future use.

  3. Enter the following to commit the configuration change:

    bash$ ./nmsdeploytool.bash deploy ↵


172 

Close the console window.


Install optional components
 
173 

Install and enable one or more auxiliary servers, if required; see Auxiliary server installation.


174 

Install and enable an auxiliary database, if required; see NSP auxiliary database installation.


Install additional GUI clients
 
175 

Install additional NFM-P GUI clients or client delegate servers, as required; see the following for information:


Configure and enable firewalls
 
176 

If you intend to use any firewalls between the NFM-P components, and the firewalls are disabled, configure and enable each firewall.

Perform one of the following.

  1. Configure each external firewall to allow the required traffic using the port assignments in the NSP Planning Guide, and enable the firewall.

  2. Configure and enable firewalld on each component station, as required.

    1. Use an NFM-P template to create the firewalld rules for the component, as described in the NSP Planning Guide.

    2. Log in to the station as the root user.

    3. Open a console window.

    4. Enter the following:

      systemctl enable firewalld ↵

    5. Enter the following:

      systemctl start firewalld ↵

    6. Close the console window.

End of steps