Nokia is a registered trademark of Nokia Corporation. Other products and company names mentioned herein may be trademarks or
tradenames of their respective owners.
The information presented is subject to change without notice. No responsibility is assumed for inaccuracies contained herein.
About this document............................................................................................................................................8
Part I: Getting started...........................................................................................................................................9
1Before you begin ..........................................................................................................................................11
3RHEL OS configuration ...............................................................................................................................39
3.8To deploy the RHEL OS for NFM-P using a qcow2 image ................................................................46
Manual RHEL OS installation......................................................................................................................52
3.9Manual RHEL OS installation requirements......................................................................................52
3.10Required RHEL environment and OS packages...............................................................................53
3.11Required additional OS packages, auxiliary database......................................................................65
Release 20.9
September 2020
Issue 133HE-16029-AAAC-TQZZA
Page 4
Contents
NFM-P
4RHEL disk configuration .............................................................................................................................67
Standalone NFM-P system installation ....................................................................................................132
6.3Standalone system installation workflow.........................................................................................132
6.4To install a standalone NFM-P system............................................................................................133
Redundant NFM-P system installation.....................................................................................................158
6.5Redundant system installation workflow .........................................................................................158
6.6To install a redundant NFM-P system .............................................................................................159
Auxiliary server installation ......................................................................................................................213
6.7Auxiliary server installation workflow...............................................................................................213
6.8To install an NFM-P auxiliary server................................................................................................214
6.9To add auxiliary servers to an NFM-P system.................................................................................220
8.9Redundant system upgrade workflow .............................................................................................305
8.10To upgrade a redundant NFM-P system .........................................................................................310
Release 20.9
September 2020
Issue 153HE-16029-AAAC-TQZZA
Page 6
Contents
NFM-P
Auxiliary server upgrade ...........................................................................................................................348
8.11To upgrade an NFM-P auxiliary server............................................................................................348
11.3NFM-P system uninstallation workflow............................................................................................472
11.4To uninstall an auxiliary server ........................................................................................................473
11.5To uninstall an auxiliary database ...................................................................................................475
11.6To uninstall a collocated main server and database .......................................................................476
11.7To uninstall a distributed main server or main database .................................................................479
Part III: NFM-P client deployment....................................................................................................................483
13.2Client delegate server deployment..................................................................................................516
Client delegate server installation............................................................................................................518
13.3To add a client delegate server to an NFM-P system......................................................................518
13.4To install an NFM-P client delegate server using the binary installer..............................................521
13.5To install an NFM-P client delegate server using the JNLP installer ...............................................527
Client delegate server upgrade.................................................................................................................538
13.6To upgrade an NFM-P client delegate server..................................................................................538
Client delegate server uninstallation .......................................................................................................544
13.7To uninstall a client delegate server installed using the binary installer ..........................................544
13.8To uninstall a client delegate server installed using the JNLP installer ...........................................545
NFM-P
Release 20.9
September 2020
Issue 173HE-16029-AAAC-TQZZA
Page 8
About this document
About this document
Purpose
The NSP NFM-P Installation and Upgrade Guide describes NFM-P installation, upgrade, and
platform modification operations such as system conversion to redundancy and system conversion
to IPv6.
Scope
The scope of this document is limited to the NFM-P application. Many configuration, monitoring,
and assurance functions that can be accomplished from the NFM-P Java GUI are also delivered in
NSP web-based applications accessible from the NSP Launchpad. Readers of this NFM-P guide
should familiarize themselves with the capabilities of the NSP applications, which often offer more
efficient and sophisticated features for network and service management. Help for all installed NSP
applications is available in the NSP Help Center.
Safety information
For your safety, this document contains safety statements. Safety statements are given at points
where risks of damage to personnel, equipment, and operation may exist. Failure to follow the
directions in a safety statement may result in serious consequences.
NFM-P
Document support
Customer documentation and product support URLs:
Documentation Center
•
• Technical support
How to comment
Documentation feedback
Release 20.9
September 2020
8Issue 1
3HE-16029-AAAC-TQZZA
Page 9
Getting started
Part I:Getting started
Overview
Purpose
This part describes how to prepare for NFM-P system or system component deployment, and
includes important requirements, restrictions, and platform configuration procedures.
Contents
Chapter 1, Before you begin11
Chapter 2, Using samconfig31
Chapter 3, RHEL OS configuration39
Chapter 4, RHEL disk configuration67
NFM-P
Chapter 5, TLS configuration and management85
Release 20.9
September 2020
Issue 193HE-16029-AAAC-TQZZA
Page 10
Getting started
NFM-P
Release 20.9
September 2020
10Issue 1
3HE-16029-AAAC-TQZZA
Page 11
Before you begin
Overview
1Before you begin
1.1Overview
1.1.1Purpose
This chapter describes the requirements and restrictions that apply to NFM-P system deployment,
and contains other important information that you must read and understand before you attempt to
deploy an NFM-P component.
1.1.2Contents
1.1 Overview11
General deployment information12
1.2 Introduction12
NFM-P
1.3 To obtain the UUID of a station14
1.4 Using hostnames in the management network15
1.5 Deployment in a VM18
1.6 GUI client deployment20
NFM-P deployment requirements and restrictions23
1.7 NFM-P deployment requirements23
1.8 NFM-P deployment restrictions26
Release 20.9
September 2020
Issue 1113HE-16029-AAAC-TQZZA
Page 12
Before you begin
General deployment information
Introduction
General deployment information
1.2Introduction
1.2.1Description
CAUTION
Service Disruption
An NFM-P system upgrade, conversion to redundancy, or conversion to IPv6 requires a thorough
understanding of NFM-P system administration and platform requirements, and is supported only
under the conditions described in this guide, the NSP NFM-P Planning Guide, and the NFM-P
Release Notice.
Such an operation must be planned, documented, and tested in advance on a trial system that is
representative of the target live network. Contact technical support to assess the requirements of
your NFM-P deployment, and for information about the upgrade service, which you are strongly
recommended to engage for any type of deployment.
NFM-P
This chapter describes the general conditions that apply to NFM-P deployment. Before you attempt
to deploy or configure an NFM-P component, you must comply with the conditions in this chapter
and ensure that the NFM-P platform is configured as described in the remaining chapters of
“Getting started”
Part III: “NFM-P client deployment” contains OS-specific information about single-user GUI client
and client delegate server deployment.
Guide conventions
This guide uses the following terminology:
• station—a discrete processing entity, such as a physical or virtual computer
• peer—an equivalent component in the same system. For example, the peer main server of the
primary main server in a redundant system is the standby main server. The term peer is
irrespective of the primary or standby role.
The procedures in this guide include default parameter values, when appropriate. A default value is
acceptable in most deployment environments, but must be validated against specific requirements,
for example, firewall constraints. For more information, see the NSP NFM-P Planning Guide and the
current NFM-P Release Notice, or contact technical support.
Platform support
You can deploy NFM-P components in a virtual machine, or VM. See the NSP NFM-P Planning
Guide for VM host system requirements, and
deployment requirements and restrictions.
.
1.5 “Deployment in a VM” (p. 18) for general
Part I:
An NFM-P system has the following required components:
• one standalone main server, or two in a redundant deployment
Release 20.9
September 2020
12Issue 1
3HE-16029-AAAC-TQZZA
Page 13
Before you begin
General deployment information
Introduction
• one standalone main database, or two in a redundant deployment
• one or more single-user GUI clients or client delegate servers
An NFM-P deployment can include the following optional components:
• auxiliary servers
• an auxiliary database
An NFM-P system may interwork with the following, which are former NFM-P components:
• NSP Flow Collectors
• NSP analytics servers
Note: For NSP Flow Collectors, the NSP NFM-P Installation and Upgrade Guide describes
only an upgrade from Release 18.
The NSP Deployment and Installation Guide describes the following NSP Flow Collector
deployment operations:
•installation
•upgrade from Release 19 or later
•uninstallation
NFM-P
Note: The NSP NFM-P Installation and Upgrade Guide describes only the upgrade of an
NFM-P analytics server to an NSP analytics server.
The NSP Deployment and Installation Guide describes the following NSP analytics server
deployment operations:
•installation
•upgrade
•uninstallation
Note: CPAM functions in an NFM-P system are enabled only when the system includes one
or more operational 7701 CPAA devices. See the 7701 CPAA and vCPAA Setup andInstallation Guide for 7701 CPAA deployment information.
The following table lists the supported platforms for each NFM-P component type.
Table 1-1 NFM-P platform support by component
NFM-P componentMac OS XMicrosoft WindowsRHEL
Main server✓
Main database✓
Auxiliary server✓
Auxiliary database✓
Client delegate server✓✓
Single-user client✓✓✓
Release 20.9
September 2020
Issue 1133HE-16029-AAAC-TQZZA
Page 14
Before you begin
General deployment information
To obtain the UUID of a station
nsp user account
NFM-P system operation and management require a RHEL user account called nsp in the nsp user
group.
• The initial installation of any of the following components on a station creates the group and
account:
− main server
− auxiliary server
• The nsp user owns all NFM-P server processes; only the nsp user can start or stop a server, or
run a server script.
• The nsp home directory is /opt/nsp.
• The initial nsp password is randomly generated, and must be changed by the root user.
• The root user owns some files in the /opt/nsp/nfmp/server directory for low-level installation and
support functions.
• Server uninstallation does not remove the nsp user account, user group, or home directory.
• Root user privileges are required only for component installation or upgrade, and for low-level
support functions.
NFM-P
1.2.2Integration with other products or NSP components
For information about NFM-P integration with other products or NSP components, see the NSP
Deployment and Installation Guide.
1.3To obtain the UUID of a station
1.3.1Description
An NFM-P license is specific to the UUID of a main server station, and must be provided in a
license request. The following steps describe how to obtain the UUID of a station that is to host an
NFM-P main server.
Note: If you are using an Integrated Lights Out Management system, ensure that you obtain
the UUID of the intended blade and not the UUID of the ILO module.
Note: You must perform this procedure on each station that is to host a main server.
Note: A leading # character in a command line represents the root user prompt, and is not to
be included in a typed command.
1.3.2Steps
1
Log in to the main server station as the root user.
Release 20.9
September 2020
14Issue 1
3HE-16029-AAAC-TQZZA
Page 15
Before you begin
General deployment information
Using hostnames in the management network
2
Open a console window.
3
Enter the following:
# cat /sys/devices/virtual/dmi/id/product_uuid ↵
The UUID is displayed; for example:
35F59783-2258-11E1-BBDA-38B41F432C41
4
Record the value for use when you request the NFM-P license for the main server.
END OF STEPS
1.4Using hostnames in the management network
NFM-P
1.4.1Overview
The topology of an NFM-P management network may be sufficiently complex to benefit from or
require the use of hostnames, rather than fixed IP addresses, for communication between NFM-P
components. Hostname resolution is of even greater benefit when NAT is used between NFM-P
clients and a main server.
Also, some CA signing authorities include only hostnames, and not IP addresses, in the SAN field
of a signed TLS certificate.
Note: If the SAN field of a signed certificate includes only hostnames, when you use the
samconfig utility to configure client access on a main server, you must specify a hostname,
rather than an IP address.
Description
This section provides a configuration example for hostname resolution in a moderately complex
NFM-P management network that may or may not include a NAT configuration.
Note: When the NFM-P clients and the auxiliary or peer main servers use different main
server interfaces to communicate with a main server, the clients must use a hostname to
reach the main server. See the NSP NFM-P Planning Guide for more information.
Note: If a TLS certificate to be signed by a public CA includes a hostname, the hostname
must be an FQDN and not a short hostname. A self-signed certificate can use an FQDN or a
short hostname.
Release 20.9
September 2020
Issue 1153HE-16029-AAAC-TQZZA
Page 16
Before you begin
General deployment information
Using hostnames in the management network
Note: Only local hostname resolution is supported. The use of a DNS server for NFM-P
hostname resolution is not supported.
To enable hostname resolution in an NFM-P management network, you must do the following:
• Configure the local /etc/hosts file on each component to ensure that each hostname translates to
the correct IP address; the hostname must:
− contain only ASCII alphanumeric and hyphen characters.
− not begin or end with a hyphen.
− not begin with a number.
− comply with the format defined in IETF RFC 1034.
− use period characters delimit the FQDN components.
− not exceed 63 characters.
• During component deployment, specify hostnames instead of IP addresses.
Note: Hostnames are case-sensitive.
Hostname usage requirements and restrictions
NFM-P
When two server components use hostnames to communicate, the /etc/hosts file must contain the
following:
• on a main server:
− an entry for each auxiliary server that maps the auxiliary server hostname to the IP address
of the auxiliary server interface that is used for main server communication
− an entry for each database that maps the database hostname to the IP address of the
database interface that is used for main server to database communication
• on an auxiliary server:
− an entry for each main server that maps the main server hostname to the IP address of the
main server interface that is used for auxiliary server communication
− an entry for each auxiliary server that maps the auxiliary server hostname to the IP address
of the auxiliary server interface that is used for main server communication
− an entry for each database that maps the database hostname to the IP address of the
database interface that is used for database communication
Note: Each main server must map an auxiliary server hostname to the same IP address.
Note: A component hostname that you specify in an /etc/hosts file must be the exact
hostname returned by the following command:
hostname
If the command returns localhost.localdomain, the hostname is not set; you must set the
hostname using the following command as the root user:
hostnamectl set-hostname
where hostname is the short hostname or FQDN, depending on your requirement
hostname
Note: Depending on the management network topology, the hosts files of various components
may map the same main server hostname to different IP addresses in order to reach the
correct main server interface.
Release 20.9
September 2020
16Issue 1
3HE-16029-AAAC-TQZZA
Page 17
...2.1
192.168.1.1
Main server
main_a
NIC 1
NIC 3
192.168.4.1
...2.5
...2.3...2.4
Switch/
Router
Switch/
Router
Switch/
Router
NFM-P
clients
IPv6 Managed
Network
...2.6
Switch/
Router
Switch/
Router
Switch/
Router
2001:0DB8::0001
NIC 4
192.168.4.2
192.168.1.2
...2.2
NIC 2
25709
2001:0DB8::0002
Auxiliary
server aux_a
NIC 1
NIC 3
NIC 4
NIC 2
Main database
db_a
NIC 1
NIC 4
Main server
main_b
NIC 2
NIC 3
NIC 4
NIC 1
Auxiliary
server aux_b
NIC 2
NIC 3
NIC 4
NIC 1
Main database
db_b
NIC 1
NIC 4
IPv4 Managed
Network
Before you begin
General deployment information
Using hostnames in the management network
Note: Each main and auxiliary server must have a network route to each address provided in
a TLS certificate.
Management network configuration example
The following example provides guidance about configuring local hostname resolution for NFM-P
components in a relatively complex management network. In the example, each main server
communicates with multiple networks using separate interfaces, as shown in
“Management network topology” (p. 16)
Figure 1-1 Management network topology
NFM-P
Figure 1-1,
.
The client IP addresses are in the 192.168.1 subnet, and the internal management IP addresses
are in the 192.168.2 subnet.
The component hostnames in the example are the following:
Release 20.9
September 2020
Issue 1173HE-16029-AAAC-TQZZA
Page 18
Before you begin
General deployment information
Deployment in a VM
• main servers—main_a and main_b
• main databases—db_a and db_b
• auxiliary servers—aux_a and aux_b
The same configuration methodology must be applied to all components in the internal
management network. The following are the configuration requirements for each component in the
192.168.2 subnet.
The /etc/hosts file on station main_a requires the following entries:
192.168.2.1 main_a
192.168.2.2 main_b
192.168.2.5 aux_a
192.168.2.6 aux_b
192.168.2.3 db_a
192.168.2.4 db_b
127.0.0.1 localhost
NFM-P
The /etc/hosts file on station aux_a requires the following entries:
192.168.2.5 aux_a
192.168.2.6 aux_b
192.168.2.1 main_a
192.168.2.2 main_b
192.168.2.3 db_a
192.168.2.4 db_b
127.0.0.1 localhost
The /etc/hosts file on station db_a requires the following entries:
192.168.2.3 db_a
192.168.2.4 db_b
127.0.0.1 localhost
1.5Deployment in a VM
1.5.1Description
The requirements and restrictions below apply to NFM-P component deployment in a virtual
machine, or VM. VM deployment is supported in the following environments:
• KVM
• Openstack
• VMware
Release 20.9
September 2020
18Issue 1
3HE-16029-AAAC-TQZZA
Page 19
Before you begin
General deployment information
Deployment in a VM
Note: The requirements and restrictions in “NFM-P deployment requirements and
restrictions” (p. 23)
Note: Before you deploy an NFM-P component in a VMware VM, you must install the latest
VMware Tools software.
See the NSP NFM-P Planning Guide for the hardware virtualization requirements, and for the
specific configuration requirements of a supported environment.
also apply to VM deployments.
1.5.2VM deployment using qcow images
You can use qcow2 disk images to deploy the following:
• RHEL OS, for subsequent component installation; see
• NFM-P system; see Chapter 7, “ NFM-P qcow deployment”
1.5.3NFM-P server and database virtualization
The following conditions apply to main server, auxiliary server, client delegate server, or database
deployments in VMs.
• The guest OS must be an NFM-P-supported version of RHEL 7 Server x86-64.
• A RHEL deployment on VMware requires VMXNET 3 NIC adapters; see the VMware
documentation for information.
NFM-P
“RHEL OS deployment in a VM” (p. 46)
1.5.4Client virtualization
The following conditions apply to NFM-P single-user GUI client deployment in a VM.
• You can deploy a VM client in a live network environment only if the client resources are
dedicated to the guest OS, and not shared or oversubscribed.
• The guest OS must be a supported OS version; see the NSP NFM-P Planning Guide.
• The supported connection application for a VMware ESXi Windows platform is Windows Remote
Desktop.
Additional EMS requirements and restrictions
The following conditions apply to an NFM-P single-user GUI client or client delegate server in a VM
that requires the installation of an additional element manager on the same platform, or is to use an
additional NE management interface.
• You can use two or more NICs to isolate network traffic between the client VM and the managed
NEs. Such a configuration may be required when an additional element manager, for example,
NEtO, must share the client resources, or when web-based NE management is to be performed
from the client station.
• Additional RAM, disk space, and CPU resources are required to accommodate an element
manager that shares a client platform; see the NSP NFM-P Planning Guide.
Release 20.9
September 2020
Issue 1193HE-16029-AAAC-TQZZA
Page 20
Before you begin
General deployment information
GUI client deployment
1.6GUI client deployment
1.6.1Single-user GUI client and client delegate server deployment
The following NFM-P GUI client deployment scenarios are supported:
• separate single-user client installations
• remote user connections to a common client instance on a client delegate server
You can install multiple single-user GUI clients on one station, or on separate stations. The multiple
clients installed on one station can be at various releases and associated with the different NFM-P
systems.
You can also configure one single-user client to connect to multiple NFM-P systems. For
information , see
(p. 490)
A client delegate server allows NFM-P access to multiple remote clients using one client software
instance. If multiple client delegate servers are required, they are deployed on separate stations.
The installation or upgrade of an NFM-P single-user GUI client or client delegate server is a
software push from a main server that you initiate using a browser on the client or client delegate
server station. The main server must be installed and fully initialized before you can install or
upgrade the client software.
.
12.4 “To configure a GUI client login form to list multiple NFM-P systems”
NFM-P
The software push mechanism enables centralized client software management. During startup, an
existing single-user client or client delegate server checks for available software updates on the
main server. Any available client configuration updates are also automatically applied.
See the following for client installation and upgrade information:
Chapter 13, “Client delegate server deployment” —client delegate server deployment
1.6.2Client delegate servers
A client delegate server supports multiple simultaneous GUI sessions using one client software
installation. A client delegate server can host local and remote user sessions, and supports the use
of a third-party remote access tool such as a Citrix gateway. Client delegate server deployment is
supported on multiple platforms.
A GUI session that is opened through a client delegate server is functionally identical to a singleuser client GUI session. The client delegate server locally stores the files that are unique to each
user session, such as the client logs and GUI preference files, using a directory structure that
includes the RHEL or Windows username.
Figure 1-2, “Client delegate servers” (p. 21) shows two client delegate servers in an NFM-P
management network. Multiple local users log in to a client delegate server directly, and remote
users log in through a client delegate server that hosts a third-party access tool, for example, a
Citrix gateway. Another local user opens a session on a single-user client station.
Release 20.9
September 2020
20Issue 1
3HE-16029-AAAC-TQZZA
Page 21
20165
Remote GUI users
Client delegate
server and
third-party access
server
Local GUI
users
Single-user
GUI client
Client delegate
server
main server and
database
Managed
network
Before you begin
General deployment information
GUI client deployment
Figure 1-2 Client delegate servers
NFM-P
If a client delegate server becomes unreachable, the NFM-P raises an alarm and changes the color
of the associated session entries in the GUI. The alarm clears when the server is again reachable.
You can use the client software on a client delegate server from the local console. It is
recommended that you install a client delegate server, rather than a single-user client, to facilitate
the deployment of additional clients.
A main server monitors the registered client delegate servers and displays information about them
in the GUI. To register a client delegate server, you specify the client delegate server IP address
and installation location during main server installation, upgrade, or configuration.
You can use a client GUI to list the following:
• registered client delegate servers and the availability of each
Release 20.9
September 2020
Issue 1213HE-16029-AAAC-TQZZA
Page 22
Before you begin
General deployment information
GUI client deployment
• active client delegate server sessions
• active client sessions on a specific client delegate server
• active client sessions for a specific NFM-P user
The number of allowed NFM-P client sessions on a client delegate server is configurable as a
threshold using the client GUI. If a user tries to open a client session that reaches or exceeds the
threshold, the session proceeds and the client delegate server raises an alarm. This thresholdcrossing function can help to balance the session load across multiple client delegate servers. You
require the Update user permission on the Server package to configure the threshold.
The following restrictions apply to client delegate servers.
• The installation of only one client delegate server on a station is supported.
• You cannot change a single-user client to a client delegate server.
• A client delegate server connects to one release of main server; multiple main servers to which
the client delegate server connects must be at the same release.
• Depending on the platform type, specific deployment requirements and restrictions may apply;
see the NSP NFM-P Installation and Upgrade Guide for information.
NFM-P
1.6.3Software upgrades
After an NFM-P main server upgrade, a single-user GUI client or client delegate server that
connects to the main server automatically detects the release mismatch and attempts an upgrade
to the main server release level.
During a software upgrade, an NFM-P client downloads and installs only the files required for the
upgrade. The upgrade process removes previously downloaded local files that are not required by
the updated client software.
1.6.4Configuration updates
When the single-user GUI clients or client delegate servers that connect to a main server require a
configuration update, an administrator updates the global client configuration stored on a main
server. Each client instance detects and applies the update at the start of the next client session.
See “System component configuration procedures” in the NSP NFM-P Administrator Guide for
information about globally updating client configurations.
Note: A client backs up the existing configuration files as part of a configuration update.
Release 20.9
September 2020
22Issue 1
3HE-16029-AAAC-TQZZA
Page 23
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment requirements
NFM-P deployment requirements and restrictions
1.7NFM-P deployment requirements
1.7.1Network requirements
CAUTION
Service Disruption
The use of hostname resolution for GUI and XML API client communication with an NFM-P main
server in a NAT environment is strongly recommended.
When IP addresses are used in a NAT environment, the following conditions apply:
• All client communication with the main server must use the public IP address of the main server.
• The NAT firewall must be configured to allow the main server to communicate with itself using
the public IP address.
NFM-P
CAUTION
Service Disruption
In a redundant system, a GUI client that opens a browser connection to the primary NFM-P main
server may need to use the IP address or hostname of the peer main server after a main server
communication failure.
To resolve the two IP addresses or hostnames, a GUI client can use a common DNS name which
maps each main server IP address provided by the DNS server to the primary main server.
• Configure a DNS server for GUI clients to map each main server IP address to a common DNS
name.
• Configure each GUI client to use the common DNS name for browser connections to the NFM-P.
• Use a client browser that caches multiple IP addresses associated with one hostname.
The NFM-P network requirements apply to the following:
• management network—the network in which the NFM-P components communicate with each
other
• managed network and external systems—the managed NEs, and external management systems
that are integrated with the NFM-P
Management network
The following requirements apply to the NFM-P management network.
• During a main server installation or upgrade, you must use hostnames to identify the main server
interfaces under the following conditions:
− when the XML API and GUI clients communicate with a main server using multiple IP
addresses for the main server
Release 20.9
September 2020
Issue 1233HE-16029-AAAC-TQZZA
Page 24
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment requirements
− when the XML API and GUI clients use different addresses to communicate with a main
server through one interface on the main server
• A standalone auxiliary server must be accessible to each main server and database in a
redundant NFM-P system. Optimally, all components in a deployment are in the same LAN and
have high-quality network interconnection.
• Each station in an auxiliary database cluster must be on the same side of the management LAN,
and not geographically dispersed.
• The internal communication among the stations in an auxiliary database cluster must be isolated
to a dedicated private network. Each station IP address used for internal communication must be
associated with an interface connected to the private network, and must be the only IP address
of the interface.
• When two components use hostnames to communicate, the /etc/hosts file on each component
station must contain the following:
− an entry that maps the hostname assigned to the interface on the other component to the IP
address used to reach the other component
− an entry that maps the hostname of the other component station to each IP address used to
reach the other component
• Specifying a TCP or UDP port other than the default during an installation or upgrade can affect
component communication through a firewall. Ensure that you record any changes to default
port numbers and make the ports available through the firewall.
NFM-P
Hostname usage in an NFM-P system has special configuration requirements. See
hostnames in the management network” (p. 15)
3.4.2 “Network-level OS configuration requirements” (p. 41) for specific configuration
and
information.
Managed network and external systems
for an example management network configuration,
1.4 “Using
CAUTION
Management Disruption
If an NFM-P system that is to be upgraded manages a device as a GNE, and the new NFM-P
release supports native management of the device, you must unmanage the device and delete it
from the main database before the upgrade.
After the upgrade, you can use the NFM-P to discover and manage the device natively, rather than
as a GNE.
Note: Before you upgrade an NFM-P system that manages 7705 SAR, 7705 SAR-Hm, or
VSR NEs using NGE, you must observe the following:
•7705 SAR - Release 8.0 R3 and earlier support only NGE version 1; Release 8.0 R4 and
later support only NGE version 2.
•7705 SAR-Hm and VSR - Release 15.0 R3 and earlier support only NGE version 1;
Release 15.0 R4 and later support only NGE version 2.
If you want to manage such devices after the NFM-P upgrade using NGE version 2, you must
do the following:
Release 20.9
September 2020
24Issue 1
3HE-16029-AAAC-TQZZA
Page 25
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment requirements
1. Upgrade each device to a release that supports NGE version 2.
2. Use the NFM-P to specify NGE version 2 for each device.
The following requirements apply to the network of NFM-P-managed devices, and to the external
systems with which the NFM-P is integrated.
• Before you upgrade an NFM-P system, you must confirm that the new NFM-P software release
supports the release of each managed NE. If this is not true, you must perform one of the
following before you attempt the upgrade, or service disruption may occur.
− Upgrade the NE to a release that the new NFM-P release supports.
− Use an NFM-P client to unmanage the device, remove the device from the managed network,
and remove the discovery rule element for the device.
• Before you upgrade an NFM-P system, you must ensure that the new NFM-P software is
compatible with the software release of each integrated external system. Contact technical
support for information about external system compatibility.
• An NFM-P system that manages LTE RAN devices has special disk partitioning requirements.
Chapter 4, “RHEL disk configuration” for information.
See
• An NFM-P system upgrade does not preserve 9500 MPR device software images. If you want to
retain the images, you must export the images to a remote file system before the upgrade, and
import the images to the NFM-P after the upgrade.
• Before the NFM-P can manage some LTE RAN devices, functions such as PM statistics
transfers and network snapshots require configuration.
NFM-P
1.7.2Platform requirements
Note: For optimal storage performance on a supported Nokia AirFrame server, set the default
write cache policy for each created storage volume to Write Through. See the NokiaAirFrame
server documentation for information about verifying, configuring, and setting the write cache
policy for a volume.
The following are the NFM-P platform requirements.
• The platform must meet the minimum requirements described in the NSP NFM-P PlanningGuide.
• The OS release and patch level of all main server, main database, and optional component
stations in an NFM-P system must be identical unless NFM-P OS support restrictions exist.
• The platform must be dedicated to the NFM-P only; sharing the platform is not supported.
System operation may be adversely affected by the activity of other software on the same
station.
• Before you install or upgrade a redundant NFM-P system, you must enable SSH on each main
server, auxiliary server, and main database station in the system.
• If the NFM-P is to collect statistics on a large scale, as defined in the NSP NFM-P PlanningGuide, you must use a disk array with the main database to increase performance. See
4, “RHEL disk configuration”
• The NFM-P XML API and GUI client real-time clocks must always be synchronized with the main
server real-time clock. The use of NTP or an equivalent time protocol is strongly recommended.
Chapter
for information.
Release 20.9
September 2020
Issue 1253HE-16029-AAAC-TQZZA
Page 26
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment restrictions
• The Bash shell is the supported command shell for RHEL CLI operations.
1.7.3Security requirements
Note: The use of sudo to gain root user privileges is supported for NFM-P installation, and for
any other operation in this guide that requires root user privileges.
The following are the NFM-P security requirements.
• The Oracle management user requires full read and write permissions on the main database
installation directory, /opt/nsp/nfmp/db, and any specifically created partitions, for example, /opt/
nsp/nfmp/dbbackup.
• The user that installs an NFM-P single-user GUI nt requires local user privileges only, but must
have full access permissions on the client installation directory. The user that opens the client
installer must have sufficient file permissions to create the installation directory, or the installation
fails.
1.7.4Software requirements
NFM-P
The following are the NFM-P software requirements.
• An NFM-P system deployment requires a license file in compressed format with a .zip extension.
A license file has the following characteristics.
− The UUID of the host station is required to generate the license.
station” (p. 14)
− The file can accommodate two system IDs, which enables the use of the same file on
redundant main servers, and is recommended.
− Renaming the compressed file has no effect on the validity of the contained license file, but
renaming the contained XML license file renders it invalid.
− The main server configuration utility copies the license file content to a backup location; a
change to the license file content or location after an installation or upgrade does not affect
the main server operation.
• You must ensure that you have sufficient time to complete a main database upgrade. The time
required for an upgrade depends on the platform resources, database complexity, and
tablespace configuration. See the NSP NFM-P Planning Guide for database upgrade time
estimates.
describes how to obtain a station UUID.
1.8NFM-P deployment restrictions
1.8.1Network restrictions
Note: The use of NAT between NFM-P server and database components is not supported.
The NFM-P supports NAT only between the following:
•main server and single-user client or client delegate server
•main or auxiliary server and XML API client
•main or auxiliary server and managed network
1.3 “To obtain the UUID of a
Release 20.9
September 2020
26Issue 1
3HE-16029-AAAC-TQZZA
Page 27
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment restrictions
Note: Before you attempt to deploy an NFM-P system, or add a component to a system, you
must ensure that any firewalls between the components allow the required traffic to pass
between the components, or are disabled. The NSP NFM-P Planning Guide lists the open
ports required by each component, and provides information about using NFM-P templates to
create RHEL Firewalld rules.
Note: If you use SSH X forwarding to perform a procedure in this guide, the “su - oracle”
command fails. In such a scenario, you must log in directly as the Oracle management user to
perform the required actions.
The following restrictions apply to the network environment in which an NFM-P system or
component is deployed.
• DNS or NIS name resolution is not supported between NFM-P components, and a pre-existing
name service must not conflict with NFM-P address resolution. The restriction also applies to
XML API client communication with the NFM-P.
• You cannot use “localhost” or an alias IP address to identify a component.
• An NFM-P main server listens for GUI and XML API client communication on only one interface
unless you specify a hostname for the main server during an installation or upgrade.
• You cannot use a hostname to identify a main database station; NFM-P components can use
only an IP address to reach a database.
• All IP communication from an NFM-P auxiliary server to an NFM-P main server must originate
from one IP address, which is the auxiliary server address specified during the main server
configuration. A main server rejects communication from an auxiliary server if the auxiliary server
uses a source address other than the configured address.
• During a single-user client installation, you can specify a hostname instead of an IP address to
identify a main server. A client upgrade occurs automatically through a connection to a main
server named in the client configuration.
NFM-P
IPv4 and IPv6
• NFM-P components communicate with other NFM-P components and external entities using
IPv4 or IPv6 exclusively, with the following exceptions:
− You can configure an NFM-P system to concurrently manage IPv4 and IPv6 networks.
− An NFM-P GUI or browser-based application client can connect to the NFM-P using IPv4 or
IPv6, regardless of the protocol version in use between the NFM-P server and database
components.
Note: If the GUI or application clients are to connect to the NFM-P using IPv4 and IPv6, when
you use the samconfig utility to configure client access on a main server, you must specify a
hostname rather than an IP address.
• Before you can specify an IPv6 address for an NFM-P component, the IPv6 interface must be
plumbed and operational. See the OS documentation for information about enabling and
configuring an IPv6 interface.
• Before you attempt to perform a procedure in
Chapter 10, “NFM-P conversion to IPv6”, the
NFM-P system must be at the software release described in this guide; you cannot combine an
upgrade and a conversion to IPv6 in one operation.
Release 20.9
September 2020
Issue 1273HE-16029-AAAC-TQZZA
Page 28
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment restrictions
1.8.2Platform restrictions
The following are the NFM-P platform restrictions.
• An NFM-P single-user client or client delegate server cannot be installed on the same station as
an NFM-P server or database.
• An NFM-P single-user client and client delegate server cannot be installed on the same station.
• An optional system component requires a dedicated station. The sharing of a station by optional
components is not supported; attempts to deploy multiple components on one station fail.
• If you plan to convert a standalone NFM-P system to a redundant system, and also plan to
upgrade the system, you must perform the upgrade before the conversion.
• An NFM-P system conversion from IPv4 to IPv6 is not supported during an upgrade or
conversion to redundancy.
1.8.3Security restrictions
The following are the NFM-P security restrictions.
• The user that starts an NFM-P client must be the user that installs the client software, or another
user that has read, write, and execute privileges on the client files and directories.
• An NFM-P domain name defines the network-management domain to which an NFM-P
component belongs, and must be unique to a network. An NFM-P component can interact only
with other NFM-P components in the same NFM-P domain. During system installation, you must
specify the same domain name for each component in the system.
NFM-P
1.8.4General software restrictions
The following are general NFM-P software deployment restrictions. See also the NFM-P Release
Notice, which contains important release-specific information, before you attempt an operation
described in this guide.
• You cannot share an existing Oracle installation with the NFM-P, and no other application can
use the NFM-P Oracle software.
• You can specify the installation directory for a single-user client or client delegate server, but not
for any other type of component.
• You can deploy a main server without specifying a license file. However, if you do not specify a
license file, you cannot start the main server until you import a license. See “Software and
license configuration procedures” in the NSP NFM-P Administrator Guide for information about
importing licenses.
Release 20.9
September 2020
28Issue 1
3HE-16029-AAAC-TQZZA
Page 29
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment restrictions
Upgrade-specific restrictions
CAUTION
Service Disruption
An NFM-P upgrade does not preserve all non-default settings in configuration files such as nmsserver.xml.
If an NFM-P configuration file contains non-default settings that you want to retain after an upgrade,
contact technical support for assistance before the upgrade.
CAUTION
Data Loss
At the beginning of a main server upgrade, specific NFM-P configuration and log files are copied to
a time-stamped directory in the installation directory, and specific directories below the installation
directory are deleted.
NFM-P
If you create or modify a file under the main server installation directory, you risk losing the file
during an upgrade unless you first back up the file to a location that is unaffected by the upgrade.
CAUTION
Upgrade failure
An NFM-P main server upgrade fails if each main server in the system is not fully initialized and
functional before the upgrade.
Before you attempt to upgrade a main server, you must ensure that the initialization of each main
server in the NFM-P system is complete.
Note: An NFM-P server upgrade applies a default set of file permissions to each directory
below the main server installation directory. If you change the file permissions of a directory
below the main server installation directory and want the permissions to be in effect after an
upgrade, you must re-apply the permissions after the upgrade.
Note: After an analytics server upgrade:
•Scheduled report creation continues, but uses the new report versions, which may differ
from the former versions.
•Saved reports remain available, but lack any new features of the upgraded report versions;
it is recommended that you recreate and save the reports.
•If a report changes significantly between releases, the report may no longer function. See
the NFM-P Release Notice for limitations regarding specific reports.
• You can upgrade an NFM-P component that is no more than two major releases older than the
current release. For example, you can upgrade a Release 18 or 19 NFM-P system to Release
20, but you cannot upgrade a Release 17 system directly to Release 20; you must first perform
an intermediate upgrade to at least Release 18.
Release 20.9
September 2020
Issue 1293HE-16029-AAAC-TQZZA
Page 30
Before you begin
NFM-P deployment requirements and restrictions
NFM-P deployment restrictions
• After an upgrade to an intermediate release, for example, an upgrade from Release 17 to
Release 18 in preparation for a final upgrade to Release 20, you must allow each main server to
initialize fully before the final upgrade, or the upgrade fails.
• A redundant system upgrade requires a network-management outage and must be performed
only during a scheduled maintenance period of sufficient duration.
NFM-P
Release 20.9
September 2020
30Issue 1
3HE-16029-AAAC-TQZZA
Page 31
Using samconfig
Overview
2Using samconfig
2.1Overview
2.1.1Purpose
This chapter describes the NFM-P configuration utility called samconfig.
2.1.2Contents
2.1 Overview31
2.2 Introduction31
2.3 Usage instructions34
2.2Introduction
NFM-P
2.2.1General information
To deploy or configure most NFM-P system components, an operator uses the CLI-based
samconfig utility. After you install the samconfig RPM package on a station, you can use the
samconfig utility to:
• Immediately configure and deploy a component on the station.
• Create component configuration files for subsequent use in other deployments.
You can configure and deploy the following components using samconfig:
• main server
• main database
• auxiliary server
• client delegate server
2.2.2Functional description
The samconfig utility has a hierarchical menu structure similar to the menu structure of some NEs.
The top level is called the root level. The configuration level, which is directly below the root level,
contains the objects that you can configure. An object is a parameter, or a functional area that
contains parameters.
The following commands are available at any menu level:
• show—show the non-default configuration values
• show-detail—show all configuration values
• ?, h, or help—display a help menu
Release 20.9
September 2020
Issue 1313HE-16029-AAAC-TQZZA
Page 32
Using samconfig
Introduction
• help-detail—display a detailed help menu
• back—move to the parent level
• exit—move to the root level, or, from the root level, exit samconfig
Root level
The root level is the level at which samconfig opens. The root-level prompt includes the component
type, as shown below for a main server:
<main>
The following commands are exclusive to the root level:
• configure—enter the configuration level
• save filename—save the configuration in a file; the default is /opt/nsp/nfmp/config/nms/config/
• apply—apply the configuration
NFM-P
component_config.xml
If a previous configuration file exists, it is renamed to include a time stamp.
Configuration level
To configure an NFM-P component, you must enter the configuration level and specify objects,
parameters, and values, as required. To move to the configuration level from the root level, you
enter the following:
<
component
The configuration-level prompt is the following:
component
<
The configuration-level help menu lists the configurable objects, which are specific to the
component type. The following is a help-menu sample that lists the configurable objects for a main
server:
communications
[no] license- Absolute path to the NFM-P license file
> configure ↵
configure>
ip- Private IP address for local server
domain- NFM-P server complex domain name
client+ Client Configuration
database+ Database Configuration
mediation+ Mediation Configuration
[no] aux+ Auxiliary Server Configuration
[no] redundancy+ Redundancy Configuration
Release 20.9
September 2020
32Issue 1
3HE-16029-AAAC-TQZZA
Page 33
Using samconfig
Introduction
Activity Logging
The following table defines the special characters that may be displayed beside an object or
command
NFM-P
[no] tls+ Security Configuration
[no] oss+ OSS Configuration
auxdb+ Auxiliary Database Configuration
[no] aa-stats+ AA Stats Configuration
[no] nspos+ nspOs Configuration
[no] remote-syslog+ Configuration of Remote Syslog Location for
[no] hsm+ HSM Configuration
Note: The [no] option beside an object means that you can delete or disable the object
configuration using the following syntax:
no
object
Table 2-1 Special characters in samconfig menus
CharacterMeaning
+The object has child objects or parameters.
-The object does not have child objects or parameters.
*The object has one or more mandatory parameters that are not
configured.
Note: You can save, but not apply a configuration that includes an unconfigured mandatory
parameter.
Contextual help
At the configuration level, or in an object context below the configuration level, you can enter the
following to obtain the help information for a specific parameter:
parameter
The following example shows the help command and output for the ip parameter of a main
database:
<db configure> ip ?
NAME:ip
?
DESCRIPTION:Database IP address accessible to servers
Default Value [
Release 20.9
September 2020
Issue 1333HE-16029-AAAC-TQZZA
nnn.nnn.nnn.nnn
]
Page 34
Using samconfig
Usage instructions
NFM-P
Current Value [
USAGE:ip <IP>
FORMAT:where IP is a valid Local IPv4 (xxx.xxx.xxx.xxx) or
IPv6 formatted address.
VALID VALUES:
MANDATORY:true
nnn.nnn.nnn.nnn
2.2.3Advance creation of configuration files
You can use samconfig to create multiple configuration files for subsequent component
deployments on other stations.
For example, if you plan to deploy a standalone NFM-P system that includes two auxiliary servers,
you create the following files using the parameter values required for each component:
• one main server configuration file
• one main database configuration file
• two auxiliary server configuration files
You can then copy the files to stations in a staging environment for trial purposes, and then
subsequently use the files on the stations in a live system when testing is complete.
Note: You can create a configuration file for a component only when the RPM packages that
the component requires are installed on the component.
nnn.nnn.nnn.nnn
]
Note: After you specify a license, keystore, or truststore file using samconfig, the associated
parameter may display the following:
Use Current
In such a case, before you can apply the file on a different station, you must use samconfig on
the new station to specify the license, keystore, or truststore file.
object
2.3Usage instructions
2.3.1Opening samconfig
Note: Using samconfig requires root user privileges.
To invoke samconfig, you enter one of the following:
• To create and optionally deploy a new component configuration:
samconfig -m
• To open a saved configuration file:
samconfig -f
• To deploy a saved configuration:
samconfig -f
• To display the samconfig version information:
component
file
file
File
↵
↵
-apply ↵
Release 20.9
September 2020
34Issue 1
3HE-16029-AAAC-TQZZA
Page 35
Using samconfig
Usage instructions
samconfig -version ↵
where
file is a configuration file created using samconfig
component is one of the following:
• main—main server
• db—main database
• aux—auxiliary server
2.3.2General usage
The following steps describe general samconfig usage; see the samconfig man page for
comprehensive usage information.
Note: samconfig has an auto-complete function; pressing the TAB key in the samconfig CLI
has the following effects:
•at the prompt—lists the available options
•after one or more characters—completes a matching option name, or lists the possible
matches for further refinement
NFM-P
Note: samconfig has a history function; you can cycle through previous commands using the
up and down cursor keys, and can search for characters in a previous command by pressing
the Page Up key or by entering characters and pressing the Up cursor key..
General usage steps:
1. Enter the following in a console window to open samconfig.
# samconfig -m
The root prompt is displayed:
<
component
2. To move to the configuration level, enter the following:
<
component
The configuration prompt is displayed:
component
<
3. Perform one of the following.
a. To configure multiple parameters of an object, enter the following:
<
component
The object configuration prompt is displayed:
<
component
You can then configure one or more parameters by entering the following:
component
<
b. To configure only one parameter of an object, enter the following:
component
<
component
>
> configure ↵
configure>
configure>
configure
configure
configure>
↵
object
object
↵
>
object>parameter value
object parameter value
↵
↵
Release 20.9
September 2020
Issue 1353HE-16029-AAAC-TQZZA
Page 36
Using samconfig
Usage instructions
c. To enable a Boolean object, for example, the aa-stats object on a main server, enter the
d. To disable a Boolean object, for example, the aa-stats object on a main server, enter the
4. To return to the parent level, enter the following:
back ↵
5. Repeat steps
6. Enter the following to exit the configuration level and return to the root level:
exit ↵
7. Perform one or more of the following, as required.
a. To review only the non-default configuration values, enter the following:
b. To review the entire configuration, enter the following:
c. To save the configuration using the default filename, such as when you are configuring a
d. To save the configuration to a different file, for example, if you are creating a configuration
e. To immediately apply the component configuration, enter the following; you can apply a
f. To exit samconfig, enter the following:
NFM-P
samconfig moves to the object configuration level after the parameter is set, as shown
below:
component
<
following:
<
component
following:
component
<
component
<
The non-default values are listed.
<
component
The entire configuration is displayed.
component on the local station, enter the following:
<
component
The utility backs up the previous configuration file, if any, and displays the following:
Some configuration steps in procedures that require samconfig include a table that lists and
describes the available parameters in an object context. The table provides additional information
and default values, if available.
The table layout facilitates the copying and pasting of parameter names into a CLI, and the last
term in a table title is the name of the object that contains the parameters; for example, the title of
the table in the example below shows that the operator is in the mediation object context.
Note: If the parameters are at the top configuration level, the table title describes the
parameters as general parameters.
backup_file
NFM-P
component
_
Configuration step example
The following example uses a procedure step from the standalone main server installation
procedure. An operator needs to enable NAT and specify an IPv4 address other than the default for
network management; the remaining parameter defaults are deemed acceptable.
In an earlier step, the operator enters configure at the samconfig prompt to enter the configuration
level. To set the mediation parameters, the operator enters mediation to move to the mediation
object, and then the following configuration commands:
1. nat ↵ —enables NAT; to disable NAT, the no nat form is required
2. snmp-ipv4 192.168.3.141 ↵ —sets the snmp-ipv4 parameter to a non-default value
3. back ↵ —returns the operator to the parent menu, from which the operator can configure other
objects
Note: To configure only one parameter of an object, you can combine the object, parameter,
and value in one command; for example, configure mediation snmp-ipv4 192.168.3.141.
The following is the step from the installation procedure
27. Configure the mediation parameters in the following table, and then enter back ↵.
Table 2-2 Standalone main server parameters — mediation
ParameterDescription
natWhether NAT is used between the main server and the managed NEs
Default: false
Release 20.9
September 2020
Issue 1373HE-16029-AAAC-TQZZA
Page 38
Using samconfig
Usage instructions
Table 2-2 Standalone main server parameters — mediation(continued)
ParameterDescription
snmp-ipv4The IPv4 address that the managed NEs must use to reach the main
snmp-ipv6The IPv6 address that the managed NEs must use to reach the main
snmp-portThe TCP port on the main server station that the managed NEs must
traplog-idThe SNMP trap log ID associated with the main server
NFM-P
server
Default: IPv4 address of primary network interface
server
Default: IPv6 address of primary network interface
use to reach the main server
Default: 162
Default: 98
Release 20.9
September 2020
38Issue 1
3HE-16029-AAAC-TQZZA
Page 39
RHEL OS configuration
Overview
3RHEL OS configuration
3.1Overview
3.1.1Purpose
This chapter describes the following:
• RHEL OS specifications for NFM-P deployment
• RHEL OS deployment in a VM using a qcow2 image
• manual RHEL OS installation and package requirements
3.1.2Contents
3.1 Overview39
RHEL OS deployment restrictions and requirements40
NFM-P
3.2 Introduction40
3.3 RHEL OS deployment restrictions40
3.4 RHEL OS deployment requirements41
3.5 To prepare disk partitions for NFM-P installation43
3.6 To reset the disk partition reserved block counts44
RHEL OS deployment in a VM46
3.7 Introduction46
3.8 To deploy the RHEL OS for NFM-P using a qcow2 image46
Manual RHEL OS installation52
3.9 Manual RHEL OS installation requirements52
3.10 Required RHEL environment and OS packages53
3.11 Required additional OS packages, auxiliary database65
Release 20.9
September 2020
Issue 1393HE-16029-AAAC-TQZZA
Page 40
RHEL OS configuration
RHEL OS deployment restrictions and requirements
Introduction
RHEL OS deployment restrictions and requirements
3.2Introduction
3.2.1Description
CAUTION
Risk of excessive resource consumption
The RHEL gnome desktop may consume excessive memory and result in degraded system
performance.
NFM-P single-user GUI clients and client delegate servers require the gnome desktop, but other
NFM-P components do not. It is recommended that you disable the RHEL gnome desktop on each
NFM-P station other than the GUI client and client delegate server stations.
You can stop the gnome desktop using the following command as the root user:
systemctl stop gdm ↵
NFM-P
To disable the gnome desktop so that it does not start after a station reboot, enter the following as
the root user:
systemctl disable gdm ↵
You must comply with the conditions in
requirements in this chapter before you attempt to perform a procedure in this guide on a RHEL
station.
Note: See the current NFM-P Release Notice for the required RHEL version and patch
information.
Note: It is strongly recommended to install any OS, driver, or firmware update that your
hardware vendor advises for RHEL.
Note: It is strongly recommended that you verify the message digest of each NSP package or
file that you download from the Nokia Support portal. The download page lists the MD5 or
SHA-256 hash value of an item for comparison with the output of the RHEL md5sum or
sha256sum command. See the appropriate RHEL man page for information about using either
command.
Note: The Bash shell is the supported command shell for RHEL CLI operations.
Chapter 1, “Before you begin” and the specific
3.3RHEL OS deployment restrictions
3.3.1Description
The following are the RHEL OS restrictions for NFM-P components.
Release 20.9
September 2020
40Issue 1
3HE-16029-AAAC-TQZZA
Page 41
RHEL OS configuration
RHEL OS deployment restrictions and requirements
RHEL OS deployment requirements
• The NFM-P supports the use of RHEL IP bonding only when IP bonding is deployed in an active/
backup configuration; see the RHEL documentation for IP bonding information.
• The RHEL SELinux function is not supported; you must disable the function on a station after the
OS installation and before you attempt to install an NFM-P component.
• The RHEL TFTP server conflicts with the NFM-P TFTP server, and must be disabled on a main
or auxiliary server station.
Note: It is recommended that you create the NFM-P disk partitions during the RHEL OS
installation. Each partition created after the OS installation requires additional configuration,
as described in 4.4 “To configure and mount NFM-P disk partitions” (p. 69) .
3.4RHEL OS deployment requirements
3.4.1Overview
CAUTION
NFM-P
Upgrade Failure
The NFM-P system locale must remain unchanged after the initial system installation; otherwise, a
system upgrade fails.
Ensure that you set the system locale only before NFM-P system installation, and not afterward.
The following are general RHEL OS deployment requirements for NFM-P components.
Note: Before you deploy an NFM-P component on RHEL in a VM, you must also install the
latest VMware Tools software; see the VMware documentation for information.
• The file system type must be ext4.
• You must choose English (English) as the RHEL OS installation language.
• You must select the “Create custom layout” disk configuration option, and must then create the
file system partitions as specified in
• You must specify the required RHEL packages and package groups listed in
installation” (p. 52)
• After the OS installation, you must do the following.
− Configure each ext4 disk partition with the required options for NFM-P software deployment;
3.5 “To prepare disk partitions for NFM-P installation” (p. 43).
see
− Reset the reserved block count on each NFM-P disk partition; see 3.6 “To reset the disk
partition reserved block counts” (p. 44)
• If XML API clients are to use the registerLogToFile method, you must enable the RHEL FTP,
SCP, or SFTP services, as required, and ensure that firewalls allow the file-transfer traffic
between the clients and servers.
during the RHEL OS installation.
Chapter 4, “RHEL disk configuration”.
“Manual RHEL OS
.
3.4.2Network-level OS configuration requirements
• Regardless of the network addressing scheme and configuration, for example, whether NAT,
Release 20.9
September 2020
Issue 1413HE-16029-AAAC-TQZZA
Page 42
RHEL OS configuration
RHEL OS deployment restrictions and requirements
RHEL OS deployment requirements
hostnames, or multiple interfaces are used, the /etc/hosts file of a component must contain valid
address entries for reaching other components at the following times:
− during normal operation
− after a network or NFM-P component failure
• Using NAT adds an extra level of complexity to an NFM-P network. The use of hostname
resolution for GUI and XML API client communication is strongly recommended if NAT is used in
the NFM-P management network.
1.4 “Using hostnames in the management network” (p. 15) for an example management
See
network configuration using hostnames.
• The first uncommented entry in the /etc/hosts file must map the local hostname to the private IP
address of the interface to the other NFM-P components.
• The hostname of an NFM-P component must:
− contain only ASCII alphanumeric and hyphen characters.
− not begin or end with a hyphen.
− not begin with a number.
− comply with the format defined in IETF RFC 1034.
− use period characters delimit the FQDN components.
− not exceed 63 characters.
• When you use a hostname to identify an NFM-P component, you must use local hostname
resolution; the use of DNS is not supported.
• A component hostname that you specify in an /etc/hosts file must be the exact hostname
returned by the following command:
hostname
NFM-P
Note: Hostnames are case-sensitive.
3.4.3Firewall configuration requirements
The following firewall types are supported in an NFM-P system:
• native RHEL firewall implemented using Firewalld
• external firewall
Before you attempt to deploy an NFM-P system, or add a component to a system, you must ensure
that any firewalls between the components allow the required traffic to pass between the
components, or are disabled. The NSP NFM-P Planning Guide lists the open ports required by each
component.
Note: If you intend to use Firewalld, you must configure Firewalld according to the rules in the
NSP NFM-P Planning Guide, which describes using NFM-P templates to create Firewalld
rules.
Release 20.9
September 2020
42Issue 1
3HE-16029-AAAC-TQZZA
Page 43
RHEL OS configuration
RHEL OS deployment restrictions and requirements
To prepare disk partitions for NFM-P installation
3.5To prepare disk partitions for NFM-P installation
3.5.1Description
The following steps describe how to configure the disk partitions on a station after a manual RHEL
OS installation and before you attempt to install an NFM-P component on the station.
3.5.2Steps
1
Log in to the station as the root user.
2
Open a console window.
3
Open the /etc/fstab file using a plain-text editor such as vi. The following is an example partition
entry:
UUID=
UUIDmount_pointtypeoptions
where
mount_point is the partition mount point, for example, /opt/nsp/nfmp
NFM-P
4
Perform the following steps for the / and /tmp partition entries.
1. If the “defaults” option is shown, remove the option.
2. Insert “barrier=0” to make the entry read as follows:
UUID=
UUIDmount_point
5
Perform the following steps for each remaining ext4 partition entry.
1. If the “defaults” option is shown, remove the option.
2. For a partition in a physical hardware deployment, insert “barrier=0,noatime” to make the
entry read as follows:
UUIDmount_point
UUID=
3. For a partition in a VM deployment, insert “noatime” to make the entry read as follows:
UUIDmount_point
UUID=
6
Perform one of the following.
a. If the station is to host an NFM-P main database, perform the following steps.
1. Locate the tmpfs file system entry.
ext4barrier=0 1 1
ext4barrier=0,noatime 1 2
ext4noatime 1 2
Release 20.9
September 2020
Issue 1433HE-16029-AAAC-TQZZA
Page 44
RHEL OS configuration
RHEL OS deployment restrictions and requirements
To reset the disk partition reserved block counts
2. Remove the noexec option so that the entry reads as follows:
tmpfs /dev/shm tmpfs nodev 0 0
3. Save and close the /etc/fstab file.
4. Enter the following to remount the /dev/shm partition:
# mount -o remount /dev/shm ↵
b. Save and close the /etc/fstab file.
7
Close the console window.
END OF STEPS
3.6To reset the disk partition reserved block counts
3.6.1Description
The following steps describe how to ensure that the number of reserved blocks for the root user on
each NFM-P disk partition is zero.
NFM-P
Note: You must perform this procedure on each station that hosts one of the following NFM-P
system components:
•main server
•auxiliary server
•main database
3.6.2Steps
1
Log in to the station as the root user.
2
Open a console window.
3
Enter the following:
# mount | grep nfmp ↵
The NFM-P disk partitions are listed; for example:
/dev/sda2 on /opt/nsp/nfmp type ext4 (
/dev/sda3 on /opt/nsp/nfmp/dbbackup type ext4 (
/dev/sdb1 on /opt/nsp/nfmp/db/archivelog type ext4 (
options
)
options
)
options
)
Release 20.9
September 2020
44Issue 1
3HE-16029-AAAC-TQZZA
Page 45
RHEL OS configuration
RHEL OS deployment restrictions and requirements
To reset the disk partition reserved block counts
Note: The example lists physical disk partitions, which are named sdxn; a logical partition
is named vdxn.
4
Enter the following once for each NFM-P partition:
# tune2fs -m 0 /dev/
where partition is the partition name
5
Close the console window.
END OF STEPS
partition
NFM-P
↵
Release 20.9
September 2020
Issue 1453HE-16029-AAAC-TQZZA
Page 46
RHEL OS configuration
RHEL OS deployment in a VM
Introduction
RHEL OS deployment in a VM
3.7Introduction
3.7.1Description
You can install the required RHEL 7 OS for an NSP or NFM-P component using a qcow2 disk
image. The image contains only the RHEL 7 OS, and does not include any product-specific
packages or application files.
NFM-P
After you deploy the image as described in
image” (p. 46)
Note: Auxiliary database installation is not supported.
• main server
• main database
• collocated main server and database
• auxiliary server
• client delegate server
• single-user client
Note: The OS installation includes all required and optional packages for a component. See
3.10 “Required RHEL environment and OS packages” (p. 53) for a list of the required and
optional packages.
, you can install one of the following in the VM:
3.8 “To deploy the RHEL OS for NFM-P using a qcow2
3.8To deploy the RHEL OS for NFM-P using a qcow2 image
3.8.1Purpose
This procedure describes how to use a qcow2 image file to create one or more RHEL OS instances
for NFM-P component installation.
3.8.2Steps
Prepare required images
1
Log in to the VM host station as the root user.
2
Download the following file from the NSP downloads page on the Nokia Support portal to a
local directory on the station:
• NSP_RHEL7_yy_mm.qcow2
where yy_mm represents the year and month of the file issue
Release 20.9
September 2020
46Issue 1
3HE-16029-AAAC-TQZZA
Page 47
RHEL OS configuration
RHEL OS deployment in a VM
To deploy the RHEL OS for NFM-P using a qcow2 image
3
Open a console window.
4
For each VM that you require, enter the following to create a raw VM disk image file:
# qemu-img convert -f qcow2
where
qcow2_file is the name of the downloaded qcow2 file
raw_image is the name that you want to assign to the image; for example, NFM-P_Main_
Server_A
5
Perform one of the following:
a. If you want only one disk to contain all OS, product software, and data files on a VM, you
must resize the VM disk image in accordance with your Platform Sizing Response for the
specific component.
For each one-disk VM that you require, enter the following:
# qemu-img resize "
where
raw_image is the raw disk image name specified in
size is the required disk size, in Gbytes
raw_image
qcow2_file
.img"
-O raw -S 0
size
G ↵
Step 4
raw_image
NFM-P
.img ↵
b. If you want more than one disk in a VM, for example, one for the OS, and one for all main
server software and data, or separate disks for specific partitions, you must create a
separate raw image for each required disk. The disk size must be in accordance with your
Platform Sizing Response for the specific component or partition.
For each separate disk image that you require, enter the following:
# qemu-img create -f raw "
where
raw_image is the name that you want to assign to the disk image; for example, NFM-P_
Main_Database_A_Complete, for an image that is to contain all main database software and
data, or NFM-P_Main_Database_A_Tablespace, for an image that is to contain only the
database tablespace partition
size is the required disk size, in Gbytes
6
The raw image files that you create in Step 5 are in sparse format; conversion of an image file
to non-sparse format provides optimal disk performance.
Note: Non-sparse format is strongly recommended for a live system deployment.
For each disk image created in
following:
raw_image
Step 5 that you want to convert to non-sparse format, enter the
.img"
size
G ↵
Release 20.9
September 2020
Issue 1473HE-16029-AAAC-TQZZA
Page 48
RHEL OS configuration
RHEL OS deployment in a VM
To deploy the RHEL OS for NFM-P using a qcow2 image
NFM-P
# cp --sparse=never
raw_image is a raw disk image name specified in
non-sparse_raw_image is the name to assign to the non-sparse image
raw_image
.img
non-sparse_raw_image
Step 5
.img ↵
Deploy VMs
7
For each VM, enter the following to deploy the VM:
Note: One “--network bridge=bridge_name” entry is required for each VM interface that
you intend to configure.
8
Log in to the new VM as the root user; the default password is available from technical support.
9
Configure the RHEL OS as required for the component to be installed; for example:
• Plumb the required IPv4 and IPv6 addresses.
• Set the hostname.
• Update the /etc/hosts file.
Chapter 1, “Before you begin”, and the appropriate NSP documentation for information.
See
10
Perform one of the following; see Chapter 4, “RHEL disk configuration” for specific NFM-P disk
partitioning information.
Note: If you are using multiple disks in a VM, you must mount a parent partition before
you mount any child partition. For example, you cannot mount the /var/log/audit partition
before you mount the /var/log partition.
a. If you are using only one disk per VM, perform the following steps for each such VM.
Release 20.9
September 2020
48Issue 1
3HE-16029-AAAC-TQZZA
Page 49
RHEL OS configuration
RHEL OS deployment in a VM
To deploy the RHEL OS for NFM-P using a qcow2 image
1. Enter the following commands:
# mkdir -p /extra ↵
# mkdir -p /opt/nsp ↵
2. Use the RHEL fdisk utility to create the required sub-disks for the following directories:
• /extra
• /opt/nsp
• /var/log
• /var/log/audit
For each directory, enter the following and respond to the prompts; specify the directory
size from your Platform Sizing Response:
# fdisk /dev/
where virtual_device is the virtual device name, for example, vda in a KVM VM
3. Enter the following to reboot the VM:
# systemctl reboot ↵
4. After the reboot, perform one of the following.
a. If you are using LVM, perform the following steps.
1. Enter the following sequence of commands for each sub-disk:
# pvcreate /dev/
# vgcreate vg2 /dev/
where
virtual_device is the virtual device name, for example, vda in a KVM VM
n is the number associated with the sub-disk
2. Go to
b. If you are not using LVM, perform the following steps.
1. Enter the following for each sub-disk:
# mkfs.ext4 -L
where
path is the directory path associated with the sub-disk, for example, /opt/nsp
device is the device name, for example, vda in a KVM VM
n is the device number associated with the sub-disk
2. Open the /etc/fstab file using a plain-text editor such as vi.
3. Add one line in the following format for each sub-disk:
virtual_devicen pathfs_type
/dev/
where
device is the device name, for example, vda in a KVM VM
n is the number associated with the sub-disk
path is the directory path associated with the sub-disk, for example, /opt/nsp
fs_type is the file system type, which is ext4 for all sub-disks except /var/log and /var/
log/audit, for which it is xfs
4. Save and close the file.
5. Enter the following:
virtual_device
Step 11.
path
virtual_devicen
virtual_devicen
/dev/
↵
devicen
NFM-P
↵
↵
↵
defaults0 0
Release 20.9
September 2020
Issue 1493HE-16029-AAAC-TQZZA
Page 50
RHEL OS configuration
RHEL OS deployment in a VM
To deploy the RHEL OS for NFM-P using a qcow2 image
# mount -a ↵
6. Go to Step 12.
b. If you specify multiple disks per VM and are using LVM, enter the following sequence of
commands for each disk in each VM:
# pvcreate /dev/
# vgcreate
where
device is the device name for the disk
group is the name to assign to the volume group, and must be unique in the VM
group
device
/dev/
↵
device
Configure LVM
11
Create the LVM volumes and partitions.
Perform the following steps for each disk in a VM, beginning with the parent disk partitions.
NFM-P
↵
Note: If you are using multiple disks in a VM, you must mount a parent partition before
you mount any child partition. For example, you cannot mount the /opt/nsp/nfmp/
nebackup partition before you mount the /opt/nsp partition.
1. Enter the following to create a logical volume:
# lvcreate -n
where
volume is the name to assign to the logical volume
size is the volume size from your Platform Sizing Response
group is the name to assign to the volume group, and must be unique in the VM
device is the device name
2. Enter the following:
# mkdir
where directory is the name of the directory to associate with the volume, for example, /opt/
nsp
3. Enter the following:
# mkfs.ext4 -L
where
directory is the directory associated with the volume
group is the volume group
volume is the logical volume name
4. Open the /etc/fstab file using a plain-text editor such as vi.
5. Add an entry in the following format:
/dev/
directory
group/partition directory fs_type
volume
directory
-L
sizeGgroup
↵
/dev/
group/volume
/dev/
device
↵
noatime0 0
↵
Release 20.9
September 2020
50Issue 1
3HE-16029-AAAC-TQZZA
Page 51
RHEL OS configuration
RHEL OS deployment in a VM
To deploy the RHEL OS for NFM-P using a qcow2 image
where
group is the volume group
partition is the partition name
directory is the associated directory path
fs_type is the file system type, which is one of the following:
• ext4, for all partitions except /var/log and /var/log/audit
• xfs, for the /var/log and /var/log/audit partitions
6. Save and close the file.
7. Enter the following:
# mount -a ↵
Install and configure product software
12
As described in Chapter 6, “NFM-P installation” or the NSP documentation, install and
configure the product software on the VMs.
NFM-P
Note: The /extra partition is allocated for use as a temporary storage location for
downloaded product software.
END OF STEPS
Release 20.9
September 2020
Issue 1513HE-16029-AAAC-TQZZA
Page 52
RHEL OS configuration
Manual RHEL OS installation
Manual RHEL OS installation requirements
Manual RHEL OS installation
3.9Manual RHEL OS installation requirements
3.9.1Introduction
NFM-P
Each NFM-P component requires the following, as described in
and OS packages” (p. 53)
• a specific RHEL Software Selection as the base environment
• the installation of a base OS package set
• the installation of additional packages
• the removal of packages that are not required or that may interfere with NFM-P operation
If the required base environment and packages are not installed, a component installation fails.
Note: Management of LTE-N devices requires the installation of an additional package; see
“NFM-P server configuration tasks” in the NSP NFM-P MultiRadio BTS User Guide for
information.
Note: The RHEL rpm utility requires hardware driver files in binary format. If the RHEL driver
files provided by your server hardware vendor are in source rpm format, you may need to
install additional packages in order to compile the files into binary format. See the station
hardware documentation for information.
3.9.2Using the yum utility
To simplify package management, it is recommended that you use the RHEL yum utility to install
and remove OS packages.
The package installation syntax is the following:
3.10 “Required RHEL environment
:
yum -y install
The package removal syntax is the following:
yum -y remove
Note: Package installation using yum requires a yum repository. The following repository
types are available:
•local repository, which you can create during the RHEL OS installation
•Internet-based repository, which you can access after you register with the Red Hat
Network
See the RHEL documentation for information about setting up a yum repository.
Note: If a package has dependencies on one or more additional packages that are not listed
in a table, the yum utility installs the additional packages.
52Issue 1
package_1 package_2 ... package_n
package_1 package_2 ... package_n
3HE-16029-AAAC-TQZZA
↵
↵
Release 20.9
September 2020
Page 53
RHEL OS configuration
Manual RHEL OS installation
Required RHEL environment and OS packages
3.10Required RHEL environment and OS packages
3.10.1Description
During the RHEL OS installation for any NFM-P component, you must do the following.
1. Specify “Minimal Install” as the Software Selection in the RHEL installer.
2. Install specific OS packages, as described in
3. Remove specific packages, as described in
4. Perform RHEL version-specific package actions; see
.
(p. 59)
5. If the NFM-P deployment includes an auxiliary database, install the required additional OS
packages on each auxiliary database station; see
auxiliary database” (p. 65)
.
6. Optionally, install one or more packages listed in
3.10.2RHEL OS packages to install
You must install a set of RHEL OS packages that are common to each NFM-P component. Most of
the packages are available from the RHEL ISO disk image and the default RHEL package
repository. The packages are listed in
repository” (p. 52)
.
“Required packages, RHEL ISO image or default RHEL
3.10.2 “RHEL OS packages to install” (p. 52).
3.10.3 “RHEL OS packages to remove” (p. 57).
3.10.4 “Additional package requirements”
3.11 “Required additional OS packages,
3.10.5 “Optional RHEL OS packages” (p. 65).
NFM-P
You must also install additional packages that are available only from the RHEL optional package
repository. The packages are listed in
Table 3-2 Required OS packages from RHEL optional package repository
PackageDescription
compat-libstdc++-33.i686Compatibility standard C++ libraries
compat-libstdc++-33.x86_64Compatibility standard C++ libraries
3.10.3RHEL OS packages to remove
After you install the required OS packages on a component station, you must remove packages
that are installed by default but not required by the NFM-P.
For all RHEL 7 versions, you must remove the packages listed in
to remove, all RHEL versions” (p. 58)
To facilitate the package removal, you can paste the following command block in a CLI:
ndctl-libsManagement library for "libnvdimm" subsystem devices (Non-volatile Memory)
netcf-libsLibraries for netcf
nmap-ncatNmap's Netcat replacement
numadUserspace daemon that automatically binds workloads to NUMA node
NFM-P
oddjobA D-Bus service which runs odd jobs on behalf of client applications
oddjob-mkhomedirAn oddjob helper which creates and populates home directories
pykickstartA python library for manipulating kickstart files
pypartedPython module for GNU parted
pyserialPython serial port access library
python-blivetA python module for system storage configuration
python-coverageCode coverage measurement for Python
python-diPython library for dependency injection support
python-meh-guiGraphical user interface for the python-meh library
python-nssPython bindings for Network Security Services (NSS)
python-ntplibPython module that offers a simple interface to query NTP servers
python-pwqualityLibrary for password quality checking -- Python bindings
python-pyblockPython modules for dealing with block devices
python2-blockdevPython2 gobject-introspection bindings for libblockdev
python2-subprocess32Backport of subprocess module from Python 3.2 to Python 2
pytzWorld Timezone Definitions for Python
radvdA Router Advertisement daemon
realmdKerberos realm enrollment service
seabios-binSeabios for x86
Release 20.9
September 2020
64Issue 1
3HE-16029-AAAC-TQZZA
Page 65
RHEL OS configuration
Manual RHEL OS installation
Required additional OS packages, auxiliary database
Table 3-7 OS packages to remove, RHEL 7.6, 7.7, or 7.8 (continued)
PackageDescription
seavgabios-binSeavgabios for x86
sgabios-binSgabios for x86
spice-serverImplements the server side of the SPICE protocol
unbound-libsLibraries used by the unbound server and client applications
yajlYet Another JSON Library Tools
3.10.5Optional RHEL OS packages
Table 3-8, “Optional RHEL OS packages” (p. 65) lists the optional packages that you can install for
any component.
To facilitate the package installation, you can paste the following command block in a CLI:
yum -y install nfs-utils
NFM-P
Table 3-8 Optional RHEL OS packages
PackageDescription
nfs-utilsNFS utilities and supporting clients and daemons for the kernel
3.11Required additional OS packages, auxiliary database
3.11.1Description
Table 3-9, “Required additional OS packages, auxiliary database” (p. 66) lists the additional
required OS packages for an NFM-P auxiliary database.
Depending on the OS version, the packages may be included in the base package set. To identify
whether each package is installed, run the following commands as the root user on the auxiliary
database station:
# rpm -qa | grep bash ↵
# rpm -qa | grep chrony ↵
# rpm -qa | grep gdb ↵
# rpm -qa | grep grubby ↵
# rpm -qa | grep sysstat ↵
# rpm -qa | grep tzdata ↵
If any command returns no output, the package named in the command is not installed, and you
must install the package.
To facilitate the package installation, you can paste the following command block in a CLI:
Release 20.9
September 2020
Issue 1653HE-16029-AAAC-TQZZA
Page 66
RHEL OS configuration
Manual RHEL OS installation
Required additional OS packages, auxiliary database
Note: If a package named in the command line is already installed, the package installation is
skipped.
Table 3-9 Required additional OS packages, auxiliary database
PackageDescription
bashThe GNU Bourne Again shell
chronyAn NTP client/server
gdbA stub package for GNU source-level debugger
grubby.x86_64Command-line tool for updating bootloader configs
sysstat.x86_64Collection of performance monitoring tools for Linux
tzdataTimezone data
NFM-P
Release 20.9
September 2020
66Issue 1
3HE-16029-AAAC-TQZZA
Page 67
RHEL disk configuration
Overview
4RHEL disk configuration
4.1Overview
4.1.1Purpose
This chapter describes the disk configuration and partitioning requirements for NFM-P components
in trial and live deployments.
4.1.2Contents
4.1 Overview67
4.2 Introduction67
4.3 Sizing the NE configuration backup partition68
4.4 To configure and mount NFM-P disk partitions69
NFM-P
4.5 Disk partitioning for trial deployments71
4.6 Disk partitioning for live deployments78
4.2Introduction
4.2.1General information
If the NFM-P is to perform large-scale statistics collection, you must implement high-performance
disk throughput using one of the following:
• internal disks in a hardware RAID 0 configuration
• external disks in a hardware RAID 0 or RAID 1+0 configuration
• SAN storage
Note: An NFM-P disk subsystem requires read and write caching with fault protection.
Note: It is recommended that you create disk partitions during the RHEL OS installation. A
partition created after the OS installation requires additional configuration, as described in
4.4 “To configure and mount NFM-P disk partitions” (p. 69).
4.4 “To configure and mount NFM-P disk partitions” (p. 69) also describes mount options that you
must set on some system partitions. You must configure the mount options before any NSP
component is installed on the station.
You can determine the number of disks required for high-performance throughput by submitting an
NFM-P Platform Sizing Request. See the NSP NFM-P Planning Guide for scaling guidelines related
to statistics collection, and contact technical support for information about using a disk array.
Release 20.9
September 2020
Issue 1673HE-16029-AAAC-TQZZA
Page 68
RHEL disk configuration
Sizing the NE configuration backup partition
4.2.2RAID and the NFM-P
CAUTION
Service Disruption
An improper RAID configuration may result in throughput degradation or failure.
RAID in an NFM-P deployment is supported only when implemented as described in this guide and
in the NSP NFM-P Planning Guide. You must strictly follow the RAID specifications in the NSP
NFM-P Planning Guide before you attempt to install, upgrade, or convert an NFM-P system.
Contact technical support for more information.
A RAID implementation for the NFM-P requires a hardware RAID controller that can create and
manage the required number of volumes.
For optimal performance, an NFM-P station requires the recommended number of disks configured
in a striping, or RAID 0, volume. A single RAID 0 disk failure can cause a complete file system
failure, so for live deployments, disk mirroring using a RAID 1+0 configuration is recommended for
greater resiliency and to reduce the recovery time after a disk failure.
NFM-P
Note: The use of software RAID is not supported.
Note: The installation, administration, and recovery of RAID in an NFM-P system are the
responsibility of the owner of the system.
4.2.3Logical disk management using LVM
Logical disk implementation is supported using the LVM function according to the NSP NFM-P
Planning Guide specifications.
Note: LVM is supported only for resizing disk partitions, and not for creating software RAID
volumes. See the NSP NFM-P Planning Guide for information about the LVM features that are
supported in an NFM-P deployment.
Note: Before you use LVM to resize a partition, you must ensure that the throughput and
latency of the new configuration are within the allowed NFM-P tolerances. See “To test NFM-P
disk performance” in the NSP NFM-P Administrator Guide for information about performing the
required check.
4.3Sizing the NE configuration backup partition
4.3.1Description
Each NFM-P main server stores NE configuration backups on the local file system in the following
partition:
/opt/nsp/nfmp/nebackup
The partition size is specific to an NFM-P system, and is based on the following:
• number of managed NEs
Release 20.9
September 2020
68Issue 1
3HE-16029-AAAC-TQZZA
Page 69
RHEL disk configuration
To configure and mount NFM-P disk partitions
• average configuration backup size
• number of backups retained per NE
Note: Uninstalling a main server does not delete or otherwise affect the saved NE
configuration backup files.
The partition size is the amount of space required for the backup files of all managed NE types. You
must calculate the space required for each NE type using the following formula, and then use the
sum of the NE space requirements as the partition size:
data capacity = backup size × number of NEs × backups per NE × 2.5
Table 4-1, “Configuration backup file sizes by NE type” (p. 69) lists the backup size values.
Note: The formula is a guideline for planning purposes only; the actual size may require
adjustment. It is recommended that you use the size of the largest backup per NE type in your
network as the backup size, and multiply the result by 2.5, as shown in the formula. This
calculation accounts for network and NE backup growth, and accommodates the storage of
compressed archive files.
NFM-P
Table 4-1 Configuration backup file sizes by NE type
Perform this procedure on each NFM-P disk partition that you create after the RHEL OS installation.
CAUTION
Service Disruption
This procedure requires a restart of the station that hosts the partition.
If an NFM-P component is installed on the station, you must perform the procedure only during a
scheduled maintenance period.
Release 20.9
September 2020
Issue 1693HE-16029-AAAC-TQZZA
Page 70
RHEL disk configuration
To configure and mount NFM-P disk partitions
Note: The Bash shell is the supported command shell for RHEL CLI operations.
4.4.2Steps
1
Log in to the NFM-P station as the root user.
2
Open a console window.
3
Mount the partition; see the RHEL OS documentation for information.
4
Enter the following:
# tune2fs -m 0 -o +acl /dev/
where device is the name of the device associated with the partition
device
NFM-P
↵
5
Open the /etc/fstab file using a plain-text editor such as vi.
6
Perform one of the following.
a. For a partition in a physical hardware deployment, add the following entry:
/dev/
devicemount_point
b. For a partition in a VM deployment, add the following entry:
/dev/
devicemount_point
where
device is the name of the device associated with the partition
mount_point is the partition mount point, for example, /opt/nsp/nfmp
7
Optionally, in accordance with ANSSI and CIS specifications, configure the following partitions
using the following options:
Note: Configuring the mount options is strongly recommended.
Note: You must configure the options before any NFM-P component is installed on the
station.
ext4 barrier=0,noatime1 2
ext4 noatime1 2
Note: The NSP NFM-P Architecture Guide lists and describes the CIS specifications and
the NFM-P compliance with each.
Release 20.9
September 2020
70Issue 1
3HE-16029-AAAC-TQZZA
Page 71
RHEL disk configuration
Disk partitioning for trial deployments
Note: The options specified for the /var partition are only partially ANSSI-compliant.
/boot xfs nodev,noexec,nosuid 0 0
/home xfs nodev,noexec,nosuid 0 0
/tmp xfs nodev,nosuid 0 0
/var xfs nodev,nosuid 0 0
8
Save and close the /etc/fstab file.
9
Enter the following to reboot the station:
# systemctl reboot ↵
The station reboots.
END OF STEPS
NFM-P
4.5Disk partitioning for trial deployments
4.5.1Description
CAUTION
Service Disruption
Each disk partition described in this section must be a mounted partition and not a symbolic link.
The NFM-P does not support the use of symbolic links to represent partitions.
The following disk layouts are supported only for trial deployments in a lab environment, or for
demonstration purposes.
Note: See the NSP NFM-P Planning Guide or the response to your NFM-P Platform Sizing
Request for information about the supported disk types.
Note: For each database partitioning scheme, the Oracle management user home directory
specified by the ORACLE_HOME environment variable is /opt/nsp/nfmp/oracle19.
Trial partitioning, collocated main server and database
The following table lists the partitions required for the trial deployment of a collocated main
database and main server.
Release 20.9
September 2020
Issue 1713HE-16029-AAAC-TQZZA
Page 72
RHEL disk configuration
Disk partitioning for trial deployments
Table 4-2 Trial partitioning scheme, collocated main server and database
Disks required:
• Physical deployment—two 300-Gbyte (RAID 0)
• qcow deployment— minimum of 400 Gbytes, plus calculated /opt/nsp/nfmp/nebackup partition size
/opt/nsp/nfmp/server/nms/logNFM-P server log files15
/opt/nsp/nfmp/server/xml_outputOutput of XML API file export operations10
/opt/nsp/osNSP system files40
/extraNSP and NFM-P software storage50
Notes:
1. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
2. Derived using the formula in
4.3 “Sizing the NE configuration backup partition” (p. 68)
Trial partitioning, main server, distributed system
The following table lists the partitions required for the trial deployment of a main server in a
distributed NFM-P system.
Release 20.9
September 2020
72Issue 1
3HE-16029-AAAC-TQZZA
Page 73
RHEL disk configuration
Disk partitioning for trial deployments
Table 4-3 Trial partitioning scheme, main server, distributed system
Disks required: one 300-Gbyte, two 300-Gbyte, or one 600-Gbyte
/opt/nsp/nfmp/server/nms/logNFM-P server log files15
/opt/nsp/nfmp/server/xml_outputOutput of XML API file export operations10
/opt/nsp/osNSP system files40
/extraNSP and NFM-P software storage50
1
2
Two
300-Gbyte
or one
600-Gbyte
disk
64
3
Notes:
1. Insufficient capacity for application core files
2. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
3. Derived using the formula in
4.3 “Sizing the NE configuration backup partition” (p. 68)
Trial partitioning, main database, distributed system
The following table lists the partitions required for the trial deployment of a main database in a
distributed NFM-P system.
Table 4-4 Trial partitioning scheme, main database, distributed system
Disks required: two 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
swapSwap space16
/Root26
Release 20.9
September 2020
Issue 1733HE-16029-AAAC-TQZZA
Page 74
RHEL disk configuration
Disk partitioning for trial deployments
Table 4-4 Trial partitioning scheme, main database, distributed system (continued)
Trial partitioning, statistics-collection auxiliary server
The following table lists the partitions required for the trial deployment of an auxiliary server that is
to collect statistics.
Table 4-5 Trial partitioning scheme, statistics-collection auxiliary server
Disks required: one 300-Gbyte, two 300-Gbyte, or one 600-GbyteSize (Gbytes)
PartitionContentOne
300-Gbyte
disk
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
/opt/nspNFM-P server software, operating data4090
Two
300-Gbyte
or one
600-Gbyte
disk
/opt/nsp/nfmp/auxserver/nms/logNFM-P server log files2030
/opt/nsp/nfmp/auxserver/xml_outputOutput of XML API file export operations2030
Release 20.9
September 2020
74Issue 1
3HE-16029-AAAC-TQZZA
Page 75
RHEL disk configuration
Disk partitioning for trial deployments
Table 4-5 Trial partitioning scheme, statistics-collection auxiliary server (continued)
Disks required: one 300-Gbyte, two 300-Gbyte, or one 600-GbyteSize (Gbytes)
NFM-P
PartitionContentOne
/opt/nsp/nfmp/lte
/extraNSP and NFM-P software storage50
1
Collected wireless core statistics files20
300-Gbyte
disk
2
Two
300-Gbyte
or one
600-Gbyte
disk
2
60
Notes:
1. Required only if wireless core NE statistics are to be collected
2. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
Trial partitioning, call-trace auxiliary server
The following table lists the partitions required for the trial deployment of an auxiliary server that is
to collect call-trace data.
Table 4-6 Trial partitioning scheme, call-trace auxiliary server
Disks required: two 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
/opt/nspNFM-P server software, operating data40
/opt/nsp/nfmp/auxserver/nms/logNFM-P server log files20
/opt/nsp/nfmp/calltraceCall-trace output233
/extraNSP and NFM-P software storage50
Trial partitioning, PCMD auxiliary server
The following table lists the partitions required for the trial deployment of an auxiliary server that is
to collect PCMD records.
Release 20.9
September 2020
Issue 1753HE-16029-AAAC-TQZZA
Page 76
RHEL disk configuration
Disk partitioning for trial deployments
Table 4-7 Trial partitioning scheme, PCMD auxiliary server
Disks required: two 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
/opt/nspNFM-P server software, operating data40
/opt/nsp/nfmp/auxserver/nms/logNFM-P server log files20
/opt/nsp/nfmp/pcmd_outputPCMD output100
/extraNSP and NFM-P software storage50
NFM-P
Trial partitioning, auxiliary database
The following table lists the partitions required for the trial deployment of an auxiliary database.
For a multi-station auxiliary database, or a single-station database that has a high data rate, the
/opt/nsp/nfmp/auxdb/backup partition has the following special requirements:
• It is strongly recommended that the partition is a remote mount point or directly attached storage
connected by a minimum 10-Gbyte/s link.
• Each auxiliary database station requires a separate backup volume that is mounted as /opt/nsp/
nfmp/auxdb/backup on the auxiliary database station.
For example, if the auxiliary database backup location specified in the NFM-P client GUI is /opt/
nsp/nfmp/auxdb/backup, the auxiliary database stations require the following mount points:
− station 1:
remote_host:station_1_backup_volume_path
/opt/nsp/nfmp/auxdb/backup
− station 2:
remote_host:station_2_backup_volume_path
/opt/nsp/nfmp/auxdb/backup
− station 3:
remote_host:station_3_backup_volume_path
/opt/nsp/nfmp/auxdb/backup
• The supported file systems for the backup location are ext3, ext4, and NFS.
Note: The /opt/nsp/nfmp/auxdb/backup partition can be a local mount point in a single-station
database that has a low to moderate data rate.
/opt/nsp/nfmp/auxdb/backupAuxiliary database backup dataEqual to /opt/nsp/nfmp/
auxdb/data
Trial partitioning, single-user client or client delegate server
The following table lists the partitions required for the trial deployment of a single-user client or
client delegate server on RHEL.
Table 4-9 Trial partitioning scheme, single-user client or client delegate server
Disks required: one 300-Gbyte or larger
PartitionContentSize (Gbytes)
—Swap space16
/Root, including /usr and /var26
/opt/nspNFM-P client software16
At operator discretionCustomer data; can be partitioned according to
customer requirements
Remainder
Release 20.9
September 2020
Issue 1773HE-16029-AAAC-TQZZA
Page 78
RHEL disk configuration
Disk partitioning for live deployments
4.6Disk partitioning for live deployments
4.6.1Description
CAUTION
Service Disruption
Each disk partition described in this section must be a mounted partition and not a symbolic link.
The NFM-P does not support the use of symbolic links to represent partitions.
The following disk layouts are for a deployment in a live network environment.
Note: See the NSP NFM-P Planning Guide or the response to your NFM-P Platform Sizing
Request for information about the supported disk types.
Note: For each database partitioning scheme, the Oracle management user home directory
specified by the ORACLE_HOME environment variable is /opt/nsp/nfmp/oracle19.
NFM-P
Live partitioning, collocated main server and database
The following table lists the partitions required for the live deployment of a collocated main
database and main server.
Table 4-10 Live partitioning scheme, collocated main server and database
• qcow deployment—minimum of 558 Gbytes, plus calculated /opt/nsp/nfmp/nebackup partition size
PartitionContentPhysicalqcow
/opt/nsp/nfmp/server/nms/logNFM-P server log files5035
/opt/nsp/nfmp/server/xml_outputOutput of XML API file export operations2010
/opt/nsp/osNSP system files90
/extraNSP and NFM-P software storage50
Size (Gbytes)
Notes:
1. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
2. Derived using the formula in
4.3 “Sizing the NE configuration backup partition” (p. 68)
Live partitioning, main server, distributed system
The following table lists the partitions required for the live deployment of a main server in a
distributed NFM-P system.
Table 4-11 Live partitioning scheme, main server, distributed system
Disks required: two 300-Gbyte (RAID 0), or four 300-Gbyte (RAID 0)
/opt/nsp/nfmp/server/nms/logNFM-P server log files50
/opt/nsp/nfmp/server/xml_outputOutput of XML API file export operations20
1
Four
300-Gbyte
disks
2
Release 20.9
September 2020
Issue 1793HE-16029-AAAC-TQZZA
Page 80
RHEL disk configuration
Disk partitioning for live deployments
Table 4-11 Live partitioning scheme, main server, distributed system (continued)
Disks required: two 300-Gbyte (RAID 0), or four 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
NFM-P
Two
300-Gbyte
disks
/opt/nsp/osNSP system files90140
/extraNSP and NFM-P software storage50
Four
300-Gbyte
disks
Notes:
1. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
2. Derived using the formula in
4.3 “Sizing the NE configuration backup partition” (p. 68)
Live partitioning, main database, distributed system
The following table lists the partitions required for the live deployment of a main database in a
distributed NFM-P system.
Table 4-12 Live partitioning scheme, main database, distributed system
Disks required: four 300-Gbyte (RAID 0) or six 300-Gbyte (RAID 0)Size (Gbytes)
Live partitioning, statistics-collection auxiliary server
The following table lists the partitions required for the live deployment of an auxiliary server that is
to collect statistics.
Table 4-13 Live partitioning scheme, statistics-collection auxiliary server
Disks required: four 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
NFM-P
/opt/nspAuxiliary server software, operating data180
/opt/nsp/nfmp/auxserver/nms/logAuxiliary server log files50
/opt/nsp/nfmp/auxserver/xml_outputOutput of XML API file export operations150
/opt/nsp/nfmp/lte
/extraNSP and NFM-P software storage50
1
Collected wireless core statistics files100
2
Notes:
1. Required only if wireless core NE statistics are to be collected
2. CMM PM statistics may require additional storage space, depending on the collection volume and retention
period; contact CMM technical support to define your PM storage requirement, which must be added to the
listed partition size
Live partitioning, call-trace auxiliary server
The following table lists the partitions required for the live deployment of an auxiliary server that is
to collect call-trace data.
Table 4-14 Live partitioning scheme, call-trace auxiliary server
Disks required: four 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
Release 20.9
September 2020
Issue 1813HE-16029-AAAC-TQZZA
Page 82
RHEL disk configuration
Disk partitioning for live deployments
Table 4-14 Live partitioning scheme, call-trace auxiliary server(continued)
Disks required: four 300-Gbyte (RAID 0)
PartitionContentSize (Gbytes)
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
/opt/nspAuxiliary server software, operating data60
/opt/nsp/nfmp/auxserver/nms/logAuxiliary server log files30
/opt/nsp/nfmp/calltraceCall-trace output600
/extraNSP and NFM-P software storage50
Live partitioning, PCMD auxiliary server
The following table lists the partitions required for the live deployment of an auxiliary server that is
to collect PCMD records.
NFM-P
Table 4-15 Live partitioning scheme, PCMD auxiliary server
Disks required: two 300-Gbyte (RAID 1) plus six 300-Gbyte (RAID 1+0)
PartitionContentSize (Gbytes)
Disks 1 and 2, RAID 1
swapSwap space16
/Root26
/homeUser home directories0.5
/tmpTemporary files4
/varSystem data64
/var/logSystem logs6
/var/log/auditSystem audit logs6
/opt/nspAuxiliary server software, operating data40
/opt/nsp/nfmp/auxserver/nms/logAuxiliary server log files20
/extraNSP and NFM-P software storage50
Disks 3 and above, RAID 1+0
/opt/nsp/nfmp/pcmd_outputPCMD files1800
Live partitioning, auxiliary database
The following table lists the partitions required for the live deployment of an auxiliary database.
For a multi-station auxiliary database, or a single-station database that has a high data rate, the
/opt/nsp/nfmp/auxdb/backup partition has the following special requirements:
Release 20.9
September 2020
82Issue 1
3HE-16029-AAAC-TQZZA
Page 83
RHEL disk configuration
Disk partitioning for live deployments
• It is strongly recommended that the partition is a remote mount point or directly attached storage
connected by a minimum 10-Gbyte/s link.
• Each auxiliary database station requires a separate backup volume that is mounted as /opt/nsp/
nfmp/auxdb/backup on the auxiliary database station.
For example, if the auxiliary database backup location specified in the NFM-P client GUI is /opt/
nsp/nfmp/auxdb/backup, the auxiliary database stations require the following mount points:
− station 1:
remote_host:station_1_backup_volume_path
− station 2:
remote_host:station_2_backup_volume_path
− station 3:
remote_host:station_3_backup_volume_path
• The supported file systems for the backup location are ext3, ext4, and NFS.
Note: The /opt/nsp/nfmp/auxdb/backup partition can be a local mount point in a single-station
database that has a low to moderate data rate.
NFM-P
/opt/nsp/nfmp/auxdb/backup
/opt/nsp/nfmp/auxdb/backup
/opt/nsp/nfmp/auxdb/backup
Table 4-16 Live partitioning scheme, auxiliary database
Disks required: two 300-Gbyte (RAID 1), plus data storage and database backup storage capacity
described in table
Release 20.9
September 2020
Issue 1833HE-16029-AAAC-TQZZA
Page 84
RHEL disk configuration
Disk partitioning for live deployments
NFM-P
Notes:
1. NFM-P auxiliary database backups are optional but strongly recommended to protect against complete data
loss due to disk failure, data corruption, or upgrade failure. The backups can be stored on a separate
volume, as indicated in the table above, or on a remote mount point reachable over a minimum 10-Gbyte/s
link. The listed capacity is sufficient for at least one persisted backup.
Live partitioning, single-user client or client delegate server
The following table lists the partitions required for the live deployment of a single-user client or
client delegate server on RHEL.
Table 4-17 Live partitioning scheme, single-user client or client delegate server
Disks required: one 300-Gbyte
PartitionContentSize (Gbytes)
swapSwap space16
/Root, including /usr and /var26
/opt/nspNFM-P client software16
At operator discretionCustomer data; can be partitioned according to
customer requirements
Remainder
Release 20.9
September 2020
84Issue 1
3HE-16029-AAAC-TQZZA
Page 85
TLS configuration and management
Overview
5TLS configuration and management
5.1Overview
5.1.1Purpose
This chapter describes how to configure and manage TLS for communication security in an NFM-P
system.
5.1.2Contents
5.1 Overview85
Introduction86
5.2 About TLS86
5.3 NFM-P TLS implementation86
NFM-P
5.4 TLS deployment methods88
5.5 TLS certificate management91
5.6 Managing TLS versions and ciphers94
Automated TLS deployment procedures95
5.7 Workflow for automated TLS deployment95
5.8 To configure and enable an NSP PKI server96
5.9 To configure an NFM-P main server to request a PKI-server TLS
certificate
5.10 To configure an NFM-P auxiliary server to request a PKI-server TLS
certificate
Manual TLS deployment procedures107
5.11 Workflow for manual TLS deployment107
5.12 To perform the TLS preconfiguration108
5.13 To manually configure TLS on a main server113
5.14 To manually configure TLS on an auxiliary server117
General TLS configuration procedures120
5.15 To disable TLS for XML API clients120
100
103
5.16 To enable TLS for XML API clients122
5.17 To suppress security warnings in NFM-P browser sessions125
Release 20.9
September 2020
Issue 1853HE-16029-AAAC-TQZZA
Page 86
TLS configuration and management
Introduction
About TLS
Introduction
5.2About TLS
5.2.1Overview
The NFM-P uses Transport Layer Security, or TLS, to secure communication between system
components. TLS supersedes the obsolescent SSL, and uses stronger ciphers.
Network entities that communicate using TLS each require a copy of a security certificate that is
digitally signed by a common certification authority, or CA. The signed certificate is distributed
among the entities for use during TLS authentication. Only entities that have the same certificate
signed by the same CA can communicate using TLS.
A signed TLS certificate is one of the following, depending on the signing method used:
• self-signed—certificate creator acts as CA; requires manual keystore distribution to each
communicating entity, and is untrusted by entity unless imported to local truststore
• CA-signed
− public-CA-signed—signed by a publicly recognized CA; provides security between entities
that communicate across a public network; typically not required in an NFM-P management
domain
− private-CA-signed—signed by a CA that is not publicly recognized, such as a root CA service
that is internal to an organization; provides security between entities in an isolated or internal
network
NFM-P
Depending on the TLS role of an entity–client or server–a certificate is stored by the entity in a local
keystore file, truststore file, or both. One entity can act as a TLS client to some entities and a TLS
server to others, if required.
5.3NFM-P TLS implementation
5.3.1Overview
TLS is mandatory and enabled by default on all interfaces between the following components:
• main server
• auxiliary server
Figure 5-1, “NFM-P TLS communication channels” (p. 87) shows the TLS communication channels
in an NFM-P system.
Release 20.9
September 2020
86Issue 1
3HE-16029-AAAC-TQZZA
Page 87
OSS clients
Firewall
GUI clients
Auxiliary
servers
Flow
Collectors
Analytics
servers
Main server,
if redundant
Managed
network
Main server
27684
NSP
OSS
clients
TLS configuration and management
Introduction
NFM-P TLS implementation
Figure 5-1 NFM-P TLS communication channels
NFM-P
5.3.2Client and server communication
The NFM-P client GUI status bar displays the padlock icon in
security icon” (p. 87)
is also displayed on the following:
• client GUI login form
• information form opened using Help→About NFM-P
Figure 5-2 NFM-P client GUI security icon
You can secure the following client interfaces using TLS:
• single-user GUI client or client delegate server—EJB, JMS, and HTTP
• XML API client—JMS and HTTP
To support non-TLS OSS clients, you can disable TLS on the XML API.
to show that communication with the main server is secured by TLS. The icon
Figure 5-2, “NFM-P client GUI
Release 20.9
September 2020
Issue 1873HE-16029-AAAC-TQZZA
Page 88
TLS configuration and management
Introduction
TLS deployment methods
Note: Disabling TLS on the XML API disables TLS for all clients that use the XML API, and for
all NFM-P GUI clients. Browser-based clients are unaffected, and must use HTTPS for
application access.
Note: Disabling TLS on the XML API disables the REST API, which can operate only when
secured using TLS.
When the NFM-P is configured for secure client access and a non-secure single-user GUI client or
client delegate server connects to a main server for the first time, TLS communication is
automatically enabled for client communication; no additional user action is required.
5.3.3Internal NFM-P TLS certificates
An internal NFM-P TLS certificate is used for securing internal processes. For maximum security,
an NSP Public Key Infrastructure server, or PKI server, uses an internally generated private CA to
create the internal certificate. Consequently, no certificate from any external CA is trusted for
access to the processes.
A PKI server generates an internal certificate automatically during initialization. During NFM-P
installation, or an upgrade from a Release earlier than 19.6, the PKI server must be running in order
for each component to request and receive the internal certificate, as the procedures in this guide
describe.
NFM-P
Note: To reduce complexity, each upgrade procedure instructs you to start the PKI server,
regardless of the upgrade conditions.
5.4TLS deployment methods
5.4.1Overview
The NFM-P supports system-wide TLS deployment using the following methods:
• automated, using an NSP PKI server that:
− creates a local private root CA service
− generates a TLS certificate and uses the CA service to sign it, or imports a certificate
− distributes the certificate to each entity, called a requestor, that submits a certificate request
This is the recommended method; see
information.
• manual, which requires that you:
− provide a self-signed, private-CA-signed, or public-CA-signed TLS certificate
− generate the keystore and truststore files
− manually distribute the keystore and truststore files to components, as required
See 5.4.3 “Manual TLS deployment” (p. 91) for more information.
Note: You can use a keystore or truststore file from a 5620 SAM system in an NSP
deployment that includes only the NFM-P, but only if the SAN field of the certificate contains
the public IP address or hostname of each NFM-P main server.
5.4.2 “Automated TLS deployment” (p. 89) for more
Release 20.9
September 2020
88Issue 1
3HE-16029-AAAC-TQZZA
Page 89
TLS configuration and management
Introduction
TLS deployment methods
Note: It is strongly recommended to save your TLS keystore and certificate files in a secure
and remote location, such as a separate physical facility, for future use.
The following describe the available TLS deployment methods for common scenarios.
Installation
NFM-P
For a system installation, you can use either method described in
Upgrade
For a system upgrade, you can continue to use the current TLS keystore and truststore files; no
further action is required.
Note: The NFM-P TLS configuration persists through system upgrades.
System expansion
If you are adding a system component, or converting a standalone system to a redundant system,
the following options are available for implementing TLS on the new system elements:
• automated
− Recommended—If you are using a TLS certificate generated by the PKI server, no action is
required other than specifying the PKI server in the configuration of each new system
element. Alternatively, if you provide a certificate, you must also import the certificate to the
PKI server for distribution to each requestor.
System operation is unaffected in either case.
− You can use a PKI server to implement a new TLS certificate throughout the system;
however, each requestor requires configuration and a restart, which can affect system
operation.
• manual
− You must copy the required keystore and truststore files to the new system element, and then
configure the system element to use the new files. See the appropriate configuration
procedure in
“Manual TLS deployment procedures” (p. 107) for information.
5.4.1 “Overview” (p. 88).
5.4.2Automated TLS deployment
To reduce the complexity of configuring TLS in a new NFM-P system, or adding components to an
existing system, you can use an NSP utility called a Public Key Infrastructure, or PKI, server. Based
on user input, a PKI server creates, signs, and distributes certificates to each entity that is
configured to use the PKI server.
Note: An NFM-P system upgrade preserves the TLS keystore and truststore files, which are
used if no PKI server is specified during the upgrade.
Benefits of automated TLS deployment
In addition to simplifying the implementation of TLS, using a PKI server has the following benefits:
• no downtime when adding NFM-P or NSP components, or during operations such as system
conversion to redundancy
• no complex CLI operations or manual file transfers
Release 20.9
September 2020
Issue 1893HE-16029-AAAC-TQZZA
Page 90
TLS configuration and management
Introduction
TLS deployment methods
• no operator requirement for knowledge of interface IP address or hostname assignments
• compatible with current and future product releases
• can generate certificate, use existing certificate, or use certificate from a previous PKI-server
instance, for example, if the original PKI server is no longer available
“Automated TLS deployment procedures” (p. 95) for information about using an NSP PKI
See
server to deploy TLS.
Functional description
The NSP PKI server is a standalone utility that services TLS certificate signing requests, or CSRs,
from requesting entities in an NFM-P or NSP system. A PKI server is available on an NFM-P main
server after an installation or upgrade. A PKI server is also available on a station to which you
extract an NSP software bundle.
Note: Only one PKI server instance is required for automated TLS deployment; the instance
serves an entire NSP system.
Note: It is recommended that you run the utility from the installation location on an NFM-P
main server or NSP host server; optionally, however, you can run a copy of the utility on any
RHEL station that is reachable by each requestor.
NFM-P
Note: The NFM-P messaging subsystems require a separate TLS certificate that is used
internally. The certificate is generated and distributed automatically during an installation, or
during an upgrade from Release 19.4 or earlier, and requires that the PKI server is running
during the deployment. The separate internal certificate is required regardless of the TLS
configuration method you choose for system-wide NFM-P communication.
Initially, a PKI server looks for an existing TLS certificate to import; if no certificate is available, the
server prompts the operator for certificate parameters and creates a local private root CA service.
Subsequently, the PKI server listens for CSRs.
Upon receiving a CSR, for example, from an NFM-P auxiliary server, the PKI server directs the
private root CA to sign the requestor certificate, and then returns the signed certificate to the
requestor. The requestor uses the signed certificate to create the required keystore and truststore
files, and then enables TLS on the required local interfaces.
In order for a PKI server to implement TLS on an NFM-P component, the component configuration
must include the PKI server information.
If a PKI server is specified, but
• no keystore and truststore files are specified, the PKI server generates a TLS certificate using
the specified alias, which is mandatory.
• no keystore and truststore passwords are specified, the default password, which is available
from technical support, is used.
Securing XML API clients in an automated TLS deployment
Securing an XML API client in an automated TLS deployment is the same as in a manual TLS
deployment; you must import the required TLS certificate to a truststore on the client station. In an
automated deployment, you must import the certificate in the ca.pem file on the PKI server.
Release 20.9
September 2020
90Issue 1
3HE-16029-AAAC-TQZZA
Page 91
TLS configuration and management
Introduction
TLS certificate management
See the NSP NFM-P XML API Developer Guide for information about establishing a secure XML
API client connection to the NFM-P.
5.4.3Manual TLS deployment
Each of the following requires the import of a TLS certificate to a local truststore:
• main server
• auxiliary server
• OSS client
After you import the certificate to a main server truststore, you must configure TLS on each main
server using the NFM-P samconfig utility. Subsequently, the standalone or primary main server
automatically distributes the truststore file to each single-user GUI client or client delegate server
that connects to the main server.
Note: You must use the Java Key Store, or JKS, keystore format in an NFM-P system. If you
have a keystore in a different format, for example, PKCS12, you must use the Java keytool
utility to convert the keystore to JKS format.
NFM-P
Note: The NFM-P does not support the use of multiple private encryption keys. Only the first
encryption key in a keystore is used; any others are ignored.
Note: You must manually copy the keystore file associated with a truststore file to each
auxiliary server, after which you can enable TLS on the auxiliary server.
Note: The NFM-P messaging subsystems require a separate TLS certificate that is used
internally. The certificate is generated and distributed automatically during an installation, or
during an upgrade from Release 19.4 or earlier, and requires that the PKI server is running
during the deployment. The separate internal certificate is required regardless of the TLS
configuration method you choose for system-wide NFM-P communication.
“Manual TLS deployment procedures” (p. 107) for information about manually generating and
See
deploying TLS certificates in an NFM-P system.
NSP-specific requirements
In a shared-mode NSP deployment, the Subject Alternative Name, or SAN, field of the certificate for
the NFM-P main servers must include the following:
• public IP address of each NSP server
• public IP address or hostname of each NFM-P main server
In an NSP deployment that includes only the NFM-P, the SAN field of the certificate for the main
servers must include the public IP address or hostname of each main server.
5.5TLS certificate management
5.5.1Replacing NFM-P TLS certificates
NFM-P TLS certificate replacement may be required when:
Release 20.9
September 2020
Issue 1913HE-16029-AAAC-TQZZA
Page 92
TLS configuration and management
Introduction
TLS certificate management
• a component is added to the NFM-P system
• a component IP address or hostname changes
• a TLS certificate nears or reaches expiry
5.5.2 “TLS certificate expiry” (p. 93) for information about how the NFM-P monitors and
See
responds to TLS certificate expiry.
Internal TLS certificate management
When you add a new component to an NFM-P system, the component installation procedure
instructs you to start the PKI server. During component initialization, the PKI server automatically
distributes the required internal TLS artifacts to the component.
When the TLS certificate used by the internal processes requires replacement because of expiry, or
because of a system configuration update, for example, a component addition or address change,
or because you enable nspOS security, the following actions may be required; see
configure and enable an NSP PKI server” (p. 96)
configuration information.
1. Start the PKI server.
2. Enable certificate regeneration on each main server using the samconfig utility.
3. Stop each component.
4. If the NSP system includes an NSP analytics server:
a. If you are enabling nspOS security, use the “AnalyticsAdmin.sh updateConfig” command on
the analytics server to enable and configure nspOS security.
b. Enable certificate regeneration using the “AnalyticsAdmin.sh genCertificate” command.
See “To install an NSP analytics server” in the NSP Deployment and Installation Guide for
configuration information.
5. Restart each component that uses the certificate.
NFM-P
5.8 “To
and Chapter 2, “Using samconfig” for
External TLS certificate management
When you add a new component to an NFM-P system, the component installation procedure
instructs you to start the PKI server. During component initialization, the PKI server automatically
distributes the required external TLS artifacts to the component.
When you need to replace an external certificate because of expiry, or because of a system change
such as component addition or address change, the replacement method depends on the TLS
deployment method:
• Manual—The certificate replacement process is the same as the manual TLS deployment
process described in
5.11 “Workflow for manual TLS deployment” (p. 107).
• Automated—The following options are available.
− Provide a custom CA-signed certificate to the PKI server for TLS distribution to components.
− Let the PKI server generate a certificate that is signed by the PKI server private root CA
service.
If you use the automated method, you perform the following sequence of actions to update the TLS
configuration in the NFM-P system; see
5.8 “To configure and enable an NSP PKI server” (p. 96)
and Chapter 2, “Using samconfig” for configuration information.
Release 20.9
September 2020
92Issue 1
3HE-16029-AAAC-TQZZA
Page 93
TLS configuration and management
Introduction
TLS certificate management
1. Remove the TLS artifacts for the current certificate from the PKI server.
2. If you have a custom certificate, import the certificate to the PKI server.
3. Start the PKI server.
4. Use the samconfig utility on each main server station to specify no keystore and no truststore.
5. If the NFM-P sysstem includes an NSP analytics server, enable certificate regeneration in the
analytics-server configuration using the “AnalyticsAdmin.sh genCertificate” command.
6. Restart each component that uses the certificate.
Note: If you do not provide a custom certificate, using samconfig to enable certificate
regeneration causes the PKI server to generate an internal and an external certificate; if you
provide a custom certificate, only an internal certificate is generated, and the existing external
certificate remains in service.
5.5.2TLS certificate expiry
A main or auxiliary server checks the expiry date of each TLS certificate in the local keystore during
initialization, and every 24 hours after initialization. If a certificate is expired or approaching expiry,
the NFM-P raises one of the following alarms:
• a Warning alarm, if the certificate is to expire within 30 days of the current time
• a Critical alarm, if the certificate is to expire within 7 days of the current time
• a Critical alarm, if the certificate is expired
NFM-P
Note: The alarms persist through events such as server switchovers.
When a TLS certificate is expired, the main or auxiliary server continues to operate normally, but
some application functions that depend on secure communication may be inoperable.
The NFM-P updates the Last Time Detected value of an expiry Warning alarm daily, and updates a
Critical alarm daily when a certificate is expired. If multiple certificates meet the expiry criteria, the
alarm includes one entry for each certificate. Each entry includes the certificate serial number, TLS
parameters, and expiry date and time.
After you replace an expiring or expired certificate with a new and valid certificate, the associated
expiry entry is removed from the alarm information during the next expiry check. If no certificates
meet the expiry criteria during the check, the Critical or Warning alarm clears.
Note: The Days Remaining value in an expiry alarm is based on the number of complete 24hour periods until the certificate expiry time. If fewer than 24 hours remain until the expiry, the
Days Remaining value is zero, but the NFM-P does not raise an alarm about the expired
certificate until the actual expiry time.
Note: If a keystore contains hierarchical certificates, the NFM-P checks the expiry date of
each certificate in the hierarchy, starting with the lowest, and uses the earliest expiry date
found as the reference point for raising an alarm.
Release 20.9
September 2020
Issue 1933HE-16029-AAAC-TQZZA
Page 94
TLS configuration and management
Introduction
Managing TLS versions and ciphers
5.6Managing TLS versions and ciphers
5.6.1Configuring TLS version and cipher support
The NFM-P includes a tool for managing the supported TLS versions and ciphers. A TLS version or
cipher may be required for compatibility with an older OSS, or may be considered unsecure and
need to be disabled if a security vulnerability is identified. You can configure the NFM-P to enable or
disable the support for specific versions and ciphers, as required.
Note: An NFM-P system upgrade does not preserve custom TLS version and cipher support
settings. You must reconfigure the TLS support after an upgrade.
Note: TLS 1.0 and 1.1 are disabled by default. If either version is enabled before an NFM-P
system upgrade and required after the upgrade, you must re-enable the version support after
the upgrade.
See “To update the supported NFM-P TLS versions and ciphers” in the NSP NFM-P AdministratorGuide for information about using the tool.
NFM-P
Release 20.9
September 2020
94Issue 1
3HE-16029-AAAC-TQZZA
Page 95
TLS configuration and management
Automated TLS deployment procedures
Workflow for automated TLS deployment
Automated TLS deployment procedures
5.7Workflow for automated TLS deployment
5.7.1Description
CAUTION
Service Disruption
An incorrect TLS configuration prevents communication between system components and may
seriously affect network management.
An operator who performs a procedure in this section must have TLS implementation knowledge
and experience. Contact technical support for TLS configuration assistance.
The following is the sequence of high-level actions required to configure automated TLS
deployment for an NFM-P system. You can use the workflow to:
• deploy TLS in a new system
• deploy TLS to new components in an existing system
• update an expired TLS certificate
NFM-P
5.7.2Stages
1
Configure and enable the NSP PKI server to do one of the following:
• Create a new TLS certificate.
• Restore the backed-up PKI-server private key and public certificate from a previous PKIserver instance.
See
2
Configure each system component that requires the TLS configuration to use the PKI server.
This may be required during a system installation, conversion to redundancy, or the addition of
a new NSP or NFM-P component to an existing system.
To configure an NFM-P main server to request a PKI-server TLS certificate, see
configure an NFM-P main server to request a PKI-server TLS certificate” (p. 100)
To configure an NFM-P auxiliary server to request a PKI-server TLS certificate, see
configure an NFM-P auxiliary server to request a PKI-server TLS certificate” (p. 103)
3
If the OSS clients do not use TLS, disable TLS on the XML API; see 5.15 “To disable TLS for
XML API clients” (p. 120)
5.8 “To configure and enable an NSP PKI server” (p. 96).
5.9 “To
.
5.10 “To
.
.
Release 20.9
September 2020
Issue 1953HE-16029-AAAC-TQZZA
Page 96
TLS configuration and management
Automated TLS deployment procedures
To configure and enable an NSP PKI server
4
If required, enable TLS for the OSS clients; see 5.16 “To enable TLS for XML API clients”
(p. 122)
5
If you are using a TLS certificate signed by a private root CA such as the PKI server, and want
to prevent the display of browser security warnings for NSP pages, import the certificate to your
browser or computer certificate store; see
browser sessions” (p. 125)
6
Open each GUI client to automatically update the client TLS configuration.
.
5.17 “To suppress security warnings in NFM-P
.
5.8To configure and enable an NSP PKI server
5.8.1Description
The following steps describe the following, after which the PKI server is enabled and listens for TLS
certificate requests:
• how to configure the parameters for TLS certificate generation on a PKI server
• how to import an existing TLS certificate to the PKI server for distribution to requestors
NFM-P
Note: You require root user privileges on a station.
Note: The Bash shell is the supported command shell for RHEL CLI operations.
Note: A leading # character in a command line represents the root user prompt, and is not to
be included in a typed command.
5.8.2Steps
1
A PKI server is installed by default on an NFM-P main server or NSP host server station. You
can run the utility from the default installation location, or can copy the utility to another station
that is reachable by all requestors. The PKI server file path is:
/opt/nsp/os/install/tools/pki/pki-server
If you want to run the utility from another location, copy the pki-server file to the location.
2
Log in as the root user on the station on which you want to run the PKI server..
3
Open a console window.
Release 20.9
September 2020
96Issue 1
3HE-16029-AAAC-TQZZA
Page 97
TLS configuration and management
Automated TLS deployment procedures
To configure and enable an NSP PKI server
4
Navigate to the directory that contains the pki-server file. On an NFM-P main server or an NSP
host server station, the path is:
/opt/nsp/os/install/tools/pki
5
If you need to use a backed-up PKI-server private key and public certificate from a previous
PKI-server instance, copy the files to the directory that contains the pki-server file. The files
must be named as follows:
• ca.key—private RSA key of the CA
• ca.pem—X.509 public key certificate signed using ca.key
Note: The files must be located in the same directory as the pki-server file, and the user
that invokes the PKI server requires read access to the files.
6
Perform one of the following.
NFM-P
a. Enter the following to use the default PKI server port:
# ./pki-server ↵
b. Enter the following to specify a port other than the default:
port
# ./pki-server -port
where port is the port to use for receiving and responding to requests
Note: If you specify a port other than the default, you must specify the non-default port
number when you configure each requestor using samconfig.
7
If you are using files from a previous PKI-server instance, as described in Step 5, or have
previously configured the root CA parameters for the PKI server, go to
8
If this is the first time that the PKI server is run on the station, the following message and
prompt are displayed:
TLS configuration and management
Automated TLS deployment procedures
To configure and enable an NSP PKI server
17
Enter the two-letter ISO alpha-2 code for your country.
The following prompt is displayed:
State or Province Name (full name) []:
18
Enter your state or province name.
The following prompt is displayed:
Validity (days) [3650]:
19
Enter the length of time, in days, for which the TLS certificate is valid, or press ↵ to accept the
default.
The following messages are displayed as the PKI server creates a local TLS root CA and
begins to poll for TLS certificate requests:
date time
date time
Root CA generated successfully.
Using Root CA from disk, and serving requests on port
NFM-P
port
20
Make a backup copy of the following private root CA files, which are in the current directory;
store the files in a secure and remote location, such as a separate physical facility:
• ca.key
• ca.pem
21
When the PKI server receives a certificate request from a requestor, the following is displayed:
date time
If the PKI server successfully responds to the request, the following is displayed:
date time
[
IP_address_1
When all requestors have received a signed certificate, enter CTRL+C to close the PKI server
utility.
22
Close the console window.
END OF STEPS
Received request for CA cert from
Successfully returned a signed certificate valid for IPs:
...
IP_address_n
] and hostnames: [
IP_address:port
hostname_1
...
hostname_n
]
Release 20.9
September 2020
Issue 1993HE-16029-AAAC-TQZZA
Page 100
TLS configuration and management
Automated TLS deployment procedures
To configure an NFM-P main server to request a PKI-server TLS certificate
5.9To configure an NFM-P main server to request a PKI-server TLS
certificate
5.9.1Description
CAUTION
Service Disruption
Performing the procedure requires that you shut down the main server, which may be serviceaffecting.
If the main server is in service, ensure that you perform the procedure only during a scheduled
maintenance period.
The following steps describe how to configure an NFM-P main server to request a new TLS
certificate from a PKI server. This may be required during the initial installation of a main server, or
whenever a new certificate is required.
Note: The system installation and conversion to redundancy procedures in this guide describe
the parameter settings that enable certificate generation.
NFM-P
5.9.2Steps
1
Ensure that the PKI server is configured and running; see 5.8 “To configure and enable an
NSP PKI server” (p. 96)
2
Log in to the main server station as the nsp user.
3
Open a console window.
4
Stop the main server.
1. Enter the following:
2. Enter the following:
3. Enter the following:
.
bash$ cd /opt/nsp/nfmp/server/nms/bin ↵
bash$ ./nmsserver.bash stop ↵
bash$ ./nmsserver.bash appserver_status ↵
The main server is stopped when the following message is displayed:
Main Server is stopped
Release 20.9
September 2020
100Issue 1
3HE-16029-AAAC-TQZZA
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.