TNMS 14.1 10
Coriant TNMS Installation Manual (IMN, Windows)
Issue: 5
Issue date: July 2014
A50023-K2035-X040-05-76D1
Coriant is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the recommendations for power use and proper disposal of our products and their components.
The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of Coriant customers only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Coriant. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Coriant welcomes customer comments as part of the process of continuous development and improvement of the documentation. The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given "as is" and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Coriant and the customer. However, Coriant has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Coriant will, if deemed necessary by Coriant, explain issues which may not be covered by the document. Coriant will correct errors in this documentation as soon as possible. IN NO EVENT WILL CORIANT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT. This documentation and the product it describes are considered protected by copyrights and other intellectual property rights according to the applicable laws.
Other product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only. Copyright © Coriant 2014. All rights reserved.
Important Notice on Product Safety
This product may present safety risks due to laser, electricity, heat, and other sources of danger. Only trained and qualified personnel may install, operate, maintain or otherwise handle this product and only after having carefully read the safety information applicable to this product. The safety information is provided in the Safety Information section in the "Legal, Safety and Environmental Information" part of this document or documentation set.
The same text in German:
Important Notice on Product Safety
This product may present hazards from laser, electricity, heat generation or other sources of danger. Installation, operation, maintenance and any other handling of the product may only be carried out by trained and qualified personnel in compliance with the applicable safety requirements. The safety requirements can be found under "Safety Information" in the "Legal, Safety and Environmental Information" part of this document or documentation set.
Table of Contents
This document has 96 pages.

Table of Contents  3
List of Figures  7
List of Tables  9

1 Preface  11
1.1 Intended audience  11
1.2 Structure of this document  11
1.3 Symbols and conventions  12
1.4 Available documentation  12
1.4.1 Online Help system  13
1.4.2 User Manual (UMN)  13
1.4.3 Installation Manual (IMN)  13
1.4.4 Upgrade Manual (UPMN)  13
1.4.5 Other documents  13

2 Preparation  15
2.1 Component delivery  15
2.2 Hardware requirements  15
2.2.1 Virtualization  16
2.3 Supported Operating Systems  17
2.4 Prerequisites by component  17
2.5 BIOS configuration  18

3 Server operating system configuration  19
3.1 Integrated Lights-Out (iLO) management console  19
3.2 Disk configuration  19
3.3 Windows installation  19
3.4 HP service pack installation  20
3.5 Medium configuration  20
3.6 Large configuration  20
3.7 Disk partitioning  21

4 Initial system configuration  23
4.1 Before you begin  23
4.2 Virtual memory configuration  23
4.3 Audit policy  24
4.4 FTP configuration  25
4.4.1 Installing Internet Information Services in Windows Server 2008  25
4.4.2 Configuring the FTP Service in Windows Server 2008  26
4.4.3 Installing Internet Information Services in Windows 7  26
4.4.4 Configuring the FTP Service in Windows 7  27
4.5 Domain Verification  27
4.6 System Hosts configuration  27
4.7 Dynamic Port range configuration  28

5 Software prerequisites installation  29
5.1 Adobe Reader  29
5.2 User Account Control  29
5.3 MSXML  29
5.4 MS .NET  29
5.5 Oracle  30
5.5.1 Uninstalling Oracle  32
5.6 OSI Stack  33
5.6.1 Installing OSI Stack  33
5.6.2 Configuring OSI stack  33
5.6.3 Uninstalling OSI stack  34
5.7 CopSSH  34
5.7.1 Installing CopSSH  35
5.7.2 Configuring CopSSH  35
5.7.3 CopSSH Troubleshooting  37
5.7.4 CopSSH Hardening  38
5.8 Antivirus  38
5.9 NTI third-party software installation  38

6 TNMS installation  41
6.1 Full installation  41
6.2 Installation of separate components  44
6.3 About the automatic priority updates installation  45

7 Post-installation procedures  47
7.1 Starting services  47
7.2 Starting a Client session  47
7.3 Logging in  47
7.4 Default username and password  48
7.5 Changing the password  48
7.6 Terminating a Client session  48
7.7 Single Sign-on  49
7.8 Standby server  49
7.9 License keys  49
7.10 Internet Explorer configuration  49
7.11 Connection timeout configuration  49
7.12 Importing a public certificate from IOC Online Planning (IOC OP)  50

8 Backup and restore  51
8.1 General description  51
8.2 Overview of the Backup and Restore interfaces  52
8.2.1 Interactive mode  52
8.2.2 Non-interactive mode  52
8.3 Backup procedures through the command line  53
8.3.1 Backing up the Oracle database  53
8.3.2 Backing up the TNMS database  54
8.3.3 Backing up the LDAP (OpenDS)  55
8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously  55
8.3.5 Automating the Backup procedures  56
8.4 Backup procedures through the TNMS client  57
8.5 Recovery & Restore procedures  59
8.5.1 Recovering the Oracle database  59
8.5.2 Restoring the TNMS database  59
8.5.3 Restoring the LDAP (OpenDS)  60
8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously  61

9 Upgrade to TNMS 14.1 10  63

10 TNMS and TNMS Core working together  65
10.1 Configuring common hardware  65
10.1.1 Configuring a Common Netserver  68
10.1.2 Configuring a Common Client  70
10.1.3 Configuring a Common standby server  70
10.2 Importing data from TNMS Core  70
10.3 Important note  71

11 TNMS uninstallation  73

12 Security hardening  75
12.1 Physical and hardware hardening  75
12.2 Operating System hardening  75
12.2.1 Microsoft Windows security patches  75
12.2.2 Disable and delete unnecessary accounts  75
12.2.3 Uninstall unnecessary applications and roles  76
12.2.4 Configure Auditing  76
12.2.5 Disable unnecessary shares  76
12.2.6 Disable Remote Registry  77
12.2.7 Windows Error Reporting  77
12.2.8 Additional Software  78
12.2.9 Digitally signed communications (Local Security Policy)  78
12.2.10 Minimize system services  78
12.2.11 Remote Access/Remote Desktop  80
12.2.12 Reduce passive FTP port range  81
12.3 Networking and firewall configuration  81
12.3.1 List of ports to open in the firewall  82
12.3.2 How to configure the Windows firewall  89
12.4 OEM Hardening  89
12.4.1 JBoss  89
12.4.2 CopSSH (SFTP)  89
12.4.3 Oracle  90
12.4.4 Internet Explorer  90
12.5 TNMS Maintenance Packages and Workaround Updates  90
12.6 User Management  90
12.6.1 Restricting the specified files' permissions  92

Index  93
Abbreviations  97
Glossary  101

List of Figures
Figure 1 "Local Security Settings - Audit Policy" window  24
Figure 2 How to set the TNMS installer to run with administrator rights in Windows 7 and Windows Server 2008  41
Figure 3 Backup & Restore console  52
Figure 4 Changing the Oracle database backup schedule settings  54
Figure 5 Backup submenu  54
Figure 6 Backup submenu  55
Figure 7 Backup submenu  56
Figure 8 Backup window  57
Figure 9 Restore submenu  60
Figure 10 Restore submenu  60
Figure 11 Restore submenu  61
Figure 12 Distributed TNMS applications (large system)  65
Figure 13 Distributed TNMS applications (medium system)  66
Figure 14 Common Netserver  67
Figure 15 Common Standby Server  68

List of Tables
Table 1 Structure of the manual  11
Table 2 Hardware requirements for new installations of TNMS 14.1 10  15
Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware  16
Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server  17
Table 5 TNMS software prerequisites and their installation sequence  17
Table 6 Paging file size. Note that automatic management is recommended.  23
Table 7 RAM requirements and Oracle template files  30
Table 8 List of the available arguments in non-interactive mode  52
Table 9 Windows default shares  77
Table 10 Firewall rules  82
Table 11 Database-related configurations and security hardenings  90
Table 12 Default TNMS user accounts and security hardenings  90
1 Preface
This Installation Manual contains a complete description of the installation and initial configuration processes of TNMS.
1.1 Intended audience
This document is intended for commissioners of TNMS.
1.2 Structure of this document
The IMN is a single .pdf file viewable and printable with Adobe Reader. This document is structured as follows:
Chapter 1, Preface: Provides an introduction to this document.
Chapter 2, Preparation: Provides a guide to the hardware and software required for the installation.
Chapter 3, Server operating system configuration: Describes the creation and configuration of the logical drives in the machine where the server will be installed.
Chapter 4, Initial system configuration: Describes the operating system configuration required for TNMS to function correctly.
Chapter 5, Software prerequisites installation: Describes how to install and configure all software prerequisites of TNMS.
Chapter 6, TNMS installation: Describes how to install TNMS in your operating system.
Chapter 7, Post-installation procedures: Describes all post-installation configurations and actions.
Chapter 8, Backup and restore: Guides the TNMS administrator through the B&R procedures.
Chapter 9, Upgrade to TNMS 14.1 10: Describes the migration to version 14.1 10 from a previous TNMS release.
Chapter 10, TNMS and TNMS Core working together: Describes how to configure TNMS to share resources and data with TNMS Core.
Chapter 11, TNMS uninstallation: Describes how to uninstall TNMS.
Chapter 12, Security hardening: Describes the existing TNMS security hardenings.
Abbreviations: Contains a list of all acronyms used in TNMS and their long forms.
Table 1 Structure of the manual

Note: Some features described in this documentation may not be available. To identify the features released for the product, see the Customer Release Notes delivered together with the product.
1.3 Symbols and conventions
The following sections describe the symbols and conventions used in the IMN.

Graphical user interface text
Window titles are placed inside quotation marks. Button names, keys, main or context menu entries and keystrokes are printed in bold. Example:
• Click the View menu, and then click Log List....

Commands
Commands and screen output are printed in a monospaced font. Example:
• Issue powercfg.exe /hibernate off

Variables
Placeholders are printed in , and filenames and paths are printed in italics. Example:
• Save the log file .txt to ..//bin
Warnings
A safety message indicates a dangerous situation where personal injury is possible. Example:
Important Notice on Product Safety: This product may present safety risks due to laser, electricity, heat, and other sources of danger.

Notices
A notice is a must. Follow notices to avoid damage, loss or interruption. Example:
Do not reboot while mirroring.

Notes
A note is an alert. Follow notes to learn about exceptions, side effects or something obscure or yet unclear. Example:
Read the Customer Release Notes before installing.

Tips
A tip is a suggestion. Follow tips for convenience or efficiency. Example:
Before mirroring, limit the size of the root filesystem.
1.4 Available documentation
The following documents are delivered with TNMS:

1.4.1 Online Help system
A context-sensitive online help system is provided with TNMS which includes information on window contents, menus and the meaning of the icons shown, and comprehensive instructions on the functions offered by the user interface. You can find the tasks and procedures necessary to operate and administer TNMS in the system's table of contents. That is, the Online Help system follows a two-pronged approach:
• Descriptive. This is for when you want to know what any window element is, in any window. Particular aspects of TNMS or deeper knowledge of it are routinely provided, together with topical best practices.
• Operational. This is for when you want to know how to perform a task.

Help can be invoked in any of the following ways:
• After invoking help from the menu bar, you can search for topics via the table of contents, the index or a word search.
• Clicking the Help button in the current window, which displays information about the window contents.
• Pressing F1, which displays information about the contents of the active window.

For most windows, F1 help is further available through the main help menu (Help > On).
1.4.2 User Manual (UMN)
The UMN is available from Main > Help and displayed in its own Adobe Reader window. It overviews TNMS' architecture, describes its features and functions, takes you through all major operation topics and helps you troubleshoot common issues. This document is intended for all users of TNMS.

1.4.3 Installation Manual (IMN)
The Installation Manual contains a complete description of the installation procedures of the TNMS Server, and the uninstallation procedures of the TNMS Server and TNMS Client.

1.4.4 Upgrade Manual (UPMN)
The Upgrade Manual describes in detail all the upgrade procedures of the TNMS components from a previous TNMS release to the current release.

1.4.5 Other documents
TNMS Core and Network Elements
This manual concerns TNMS only. For more detailed information on TNMS Core or the managed network elements (NEs), see the corresponding documentation.
Release notes
Where applicable, the release notes contain installation hints, patch descriptions, the list of supported NEs, the list of supported cards and any relevant last-minute information.
2 Preparation

2.1 Component delivery
Before installation, be sure that:
• The delivery is complete and in accordance with the delivery units specified in the delivery note (hardware, software and documentation).
• The components are not damaged in any way.
• You use the installation packages in the target machine, since TNMS installation from a network drive is not supported.

2.2 Hardware requirements
The tables below give a rough overview of the hardware recommendations for installing TNMS; running TNMS may require different specifications depending on parameters such as network architecture (number of Clients) or operation policies (backup, logs). The final hardware specifications and configuration must be planned specifically for each customer. Ask Coriant Technical Sales for more information. Two hardware configurations (Medium and Large) designed for new installations are provided (Table 2).
Note: New TNMS installations are not recommended in a distributed environment.

TNMS Server + Netserver (1 optional client only for local troubleshooting)
  Medium configuration:
    Base reference model: DL360p G8 or BL460c G8 (blade server)
    Minimum CPU: (2x) Intel® Xeon® E5-2680/90
    Minimum RAM: 32 GB
    Minimum HDD: (4 x) 300 GB HD; (4 x) 146 GB + (2 x) 300 GB for hardware reuse
  Large configuration:
    Base reference model: DL580 G7 or BL660c G8 (blade server)
    Minimum CPU: (4x) Intel® Xeon® E7-4870 or (4x) Intel® Xeon® E5-4650
    Minimum RAM: 128 GB
    Minimum HDD: (2 x) 300 GB internal SSDs; (6 x) 300 GB internal HDs

TNMS Client
  Base reference model: ESPRIMO E710 E90+ or PY RX100S7
  Minimum CPU: Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB
  Minimum RAM: 8 GB DDR3 1600 GHz
  Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC
Table 2 Hardware requirements for new installations of TNMS 14.1 10

In addition, the Legacy hardware configuration is provided (Table 3). This configuration is designed for the reuse of hardware compatible with TNMS 13.2 1x but not with later releases.
Note: A new installation using the Legacy hardware configuration does not support Optical Management.

Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware

Configuration: TNMS Server + Netserver (1 optional client only for local troubleshooting)
  Base reference model: PY TX/RX200S7
  Minimum CPU: Intel® Xeon® E5-2420 6C/12T 1.90 GHz 15 MB
  Minimum RAM: 12 GB
  Minimum HDD: 2x HD SATA 6GB 500GB 7.2K HOT PL 3.5" BC

Configuration: TNMS Client
  Base reference model: ESPRIMO E710 E90+ or PY RX100S7
  Minimum CPU: Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB
  Minimum RAM: 8 GB DDR3 1600 GHz
  Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Configuration: TNMS Server (1 optional client only for local troubleshooting)
  Base reference model: PY RX/TX300S7
  Minimum CPU: Intel® Xeon® E5-2609 4C/4T 2.40 GHz 10 MB
  Minimum RAM: 24 GB DDR3 1333 GHz
  Minimum HDD: 2x HD SAS 6GB 300GB 15K HOT PL 2.5" EP

Configuration: Common Client; TNMS Netserver
  Base reference model: ESPRIMO E710 E90+ or PY RX100S7
  Minimum CPU: Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB
  Minimum RAM: 8 GB DDR3 1600 GHz
  Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Configuration: Common Netserver (TNMS + TNMS Core)
  Base reference model: ESPRIMO E710 E90+ or PY RX100S7
  Minimum CPU: Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB
  Minimum RAM: 16 GB DDR3 1600 GHz
  Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC
2.2.1 Virtualization

TNMS supports virtualization using VMware ESXi 4.1. However, Coriant does not provide, and is not responsible for, stability limits or performance in these circumstances.
The requirements for the virtual machines are similar to those presented in Table 2 and Table 3, except for the CPU, which only needs comparable CPU resources.
2.3 Supported Operating Systems

The following table lists the supported operating systems.

Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server

Full Installation: Microsoft Windows Server 2008 R2 SP1 (x64) 1); NTFS mandatory
Server, Server + Netserver: Microsoft Windows Server 2008 R2 SP1 (x64) 1); NTFS mandatory
Netserver: Microsoft Windows Server 2008 R2 SP1 (x64) 1), or Microsoft Windows 7 Professional SP1 (x64)
Client: Microsoft Windows Server 2008 R2 SP1 (x64) 1), or Microsoft Windows 7 Professional SP1 (x32/x64)
Citrix Server: Microsoft Windows Server 2008 R2 SP1 (x64) 1)

1) Both the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition and the Standard Edition are supported. However, if the machine has more than 32 GB of RAM you must install the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition, as the Standard Edition cannot allocate more than 32 GB of RAM.

Note: Throughout this and the following chapters the designation of the several operating systems is often abbreviated to allow for better readability. Always refer to the table above for the exact versions supported for TNMS.
2.4 Prerequisites by component

The following table describes which software is required for each component. Note that the table also shows the order in which the components should be installed. After installing the operating system, the system should be commissioned as follows:

Table 5 TNMS software prerequisites and their installation sequence

Software         Full Installation   Server + Netserver   Server      Netserver   Client
Adobe Reader     Mandatory           Optional             Optional    Optional    Mandatory
MSXML            Mandatory           Mandatory            Mandatory   Mandatory   Mandatory
MS.NET           Mandatory           Mandatory            Mandatory   Mandatory   Mandatory
Oracle 11.2.0.3  Mandatory           Mandatory            Mandatory   -           -
OSI Stack        Mandatory           Mandatory            -           Mandatory   -
CopSSH           Mandatory           Mandatory            -           Mandatory   -
Citrix XenApp    -                   -                    -           -           Optional

Note: A dedicated Java JRE installation is not mandatory, given that the installer already includes the JRE versions required by TNMS. However, you can manually install Java j2re-1.6.0_43 (32 or 64 bit) if required by other software.
To install the Java j2re-1.6.0_43 (32 or 64 bit) use the packages available in the TNMS prerequisites and follow the default installation procedure. For additional information refer to the Oracle Java documentation. Disable all Java automatic updates on the machines where Java is installed. If Java automatic updates are enabled the system may not work properly.
2.5 BIOS configuration

The following chapter describes the recommended configurations for the system BIOS. These refer to HP machines and may differ with other hardware configurations. To access the BIOS, boot the machine and press F9 in the startup screen.
• Disable the network: go to System Options > Embedded NICs > NIC # Boot Options and set it to Disabled, where # represents the network interface card number.
• Processor options:
  • Go to System Options > Processor Options > Intel Virtualization Technology and set it to Disabled.
  • Go to System Options > Processor Options > Intel VT-d and set it to Disabled.
• Power management options:
  • Go to System Options > Power management options > HP Power Profile and set it to Maximum performance.
  • Go to System Options > Power management options > HP Power Regulator and set it to HP Static High Performance Mode.
3 Server operating system configuration

Before installing the server operating system, you must create and configure the logical drive where Windows will be installed. The following chapter applies to the recommended medium and large configuration hardware only; these steps may differ if you have any other hardware configuration.

3.1 Integrated Lights-Out (iLO) management console

This chapter describes how to operate the Integrated Lights-Out (iLO) management console. This console is used to access the server machine and for administration purposes. Refer to the iLO specific documentation for further information.

Accessing the Integrated Remote Console

Use the following information to access the console:
1. Address: https://
2. Username:
3. Password:
4. In the left panel tree, expand Information > Overview, and in Integrated Remote Console, click the .NET link.

3.2 Disk configuration

It is recommended that you configure a RAID 1 for the disks where the operating system will be installed. While booting the machine, proceed as follows:
1. When the Press any key to view Option ROM messages appears, press ENTER.
2. When the internal controller displays the message Press to run the option ROM Configuration For Arrays Utility, press F8.
3. At the Main Menu, select Create Logical Drive.
4. Using the default settings, create the RAID 1 configuration with the two available hard drives.

3.3 Windows installation

The steps below refer to the Windows operating system installation using the Integrated Lights-Out (iLO) management console.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the Mount Image File file dialog box, select the Windows 2008 R2 ISO file and press Open.
4. Restart the machine and boot from CD-ROM (typically by pressing F11 to access the boot menu).

The Windows installation is standard with no special configurations or inputs. You only need to create one NTFS partition on the previously created volume (RAID 1) with ~50% of the available space. The other 50% will be used for a new partition to be created afterwards.
3.4 HP service pack installation

It is highly recommended to update to the latest HP Service Pack for the corresponding machine model. This service pack updates drivers, software and firmware to the latest version. Check the HP support website for downloading the service pack ISO.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the “Mount Image File” file dialog box, select the ISO file and press Open. A new CD-ROM drive is mapped in Windows, providing the content of the service pack.

Log in to Windows and run the CD-ROM setup located at :\hp\swpackages\setup.exe
1. In the “HP Smart Update Manager” window, tab “Welcome”, click Next.
2. In tab “Source Selection”, choose the Default Repository and click Next.
3. In tab “Select Targets”, click the machine list item, click Edit Target, insert the Windows Administrator username and its password, and click Next.
4. In tab “Review/Install Updates”, click Install. The machine may reboot automatically; if not, click Reboot Now, choose the appropriate delay and click OK.
3.5 Medium configuration

In order to configure a Windows medium configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in the “Select an available device...” combo box, select your device (make sure it is not the “Embedded slot”).
4. In the “System and Devices” panel, expand the Smart Array tree, select the first branch and click Create Array.
5. Select the two available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 1, keep the default settings and click Save to finish the operation.

3.6 Large configuration

In order to configure a Windows large configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in the “Select an available device...” combo box, select your device (make sure it is not the “Embedded slot”).
4. In the “System and Devices” panel, expand the Smart Array tree, select the first branch and click Create Array.
5. Select all available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 5, keep the default settings and click Save to finish the operation.
3.7 Disk partitioning

Three new partitions are needed:
• One from the internal disks (D) with the other ~50% available - NTFS
• Two from the disk array - NTFS

In order to configure the disk partitioning for medium and large configurations, proceed as follows:
1. Go to Start > Search Programs and Files, type Server Manager and press Enter.
2. In “Server Manager”, expand the server tree Server Manager > Storage > Disk Management. In case the window “Initialize Disk” is displayed, click OK keeping the default settings.
3. Identify the disk that contains the C: drive and select the grey partition that displays an Unallocated area.
   3.1 Right-click the unallocated area, select New Simple Volume and click Next.
   3.2 Choose the recommended partition size (typically 50% of the disk size) and click Next.
   3.3 Choose the drive letter D for the new partition and click Next.
   3.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   3.5 Click Next and Finish to complete the partition creation step.
4. Identify the disk that does not contain any partition (C, D) and select the grey partition that displays an Unallocated area.
   4.1 Right-click the unallocated area, select New Simple Volume and click Next.
   4.2 Choose the recommended partition size (typically 65% of the disk size) and click Next.
   4.3 Choose the drive letter E for the new partition and click Next.
   4.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   4.5 Click Next and Finish to complete the partition creation step.
5. Identify the disk that contains the E: drive and select the grey partition that displays an Unallocated area.
   5.1 Right-click the unallocated area, select New Simple Volume and click Next.
   5.2 Choose the recommended partition size (typically 35% of the disk size) and click Next.
   5.3 Choose the drive letter F for the new partition and click Next.
   5.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   5.5 Click Next and Finish to complete the partition creation step.
6. Close the “Disk Manager” window.
4 Initial system configuration

4.1 Before you begin

Before installing, complete the following steps:
• Check the system requirements.
• Determine the file system to be used, the partition to be used by the installation and the components to install.
  • The machine where the TNMS Server is installed should use NTFS, as it provides extra security for the Oracle database files.
  • Oracle must be installed in the same machine as TNMS Server.
• Determine how the network, IP addresses and TCP/IP name management will be handled.
  • Ensure that the host IP addresses are static, that is, do not use DHCP dynamic addresses.
• In the machines where the TNMS Server and/or Netserver are installed, disable “Hibernate” by running the following command as administrator: powercfg.exe /hibernate off
4.2 Virtual memory configuration

Coriant recommends that you configure your system to automatically manage the paging file size:
1. Go to Start > Control Panel > System.
2. Click on Advanced system settings.
3. In the System Properties window, go to the Advanced tab and, in the Performance area, click on Settings.
4. In the Performance Options window, go to the Advanced tab and click on Change.
5. In the Virtual Memory window, check Automatically manage paging file size for all drives.

However, if you prefer to set a limit to the paging file size for Server and Netserver, do as follows:
1. Follow steps 1. to 4. above.
2. In the Virtual Memory window, uncheck Automatically manage paging file size for all drives. Select the system’s drive, select Custom size and enter the paging file size (refer to Table 6).
3. Click Set to save the settings and then OK to close the window.

Table 6 Paging file size. Note that automatic management is recommended.

TNMS Component   Legacy Medium   Legacy Large   Medium   Large
Server           12 GB           24 GB          16 GB    64 GB
Netserver        4 GB            4 GB           -        -
4.3 Audit policy

Warning: Proceed to configuring Audit policy only if your network has legacy, NEC-interfaced NEs, that is, other than hiT 7300 or hiT 7100.

To enable auditing locally in the installed OS:
1. Open the Local Security Policy settings via Start menu/button > Control Panel (Windows 7 only) > Administrative tools > Local Security Policy icon.
2. In the tree pane, select “Audit Policy” under “Local Policies”.

Figure 1 "Local Security Settings - Audit Policy" window

3. In the details pane, double-click the following policy settings to open the properties window:
   • Audit Account Logon Events, to track users’ logon and logoff - select the check boxes ‘Success’ and ‘Failure’.
   • Audit Account Management, to report changes to user accounts - select the check boxes ‘Success’ and ‘Failure’.
   • Audit Directory Service Access, to report access and changes to the directory service - No auditing (no check box selected).
   • Audit Logon Events, to report success/failure of any local or remote access-based logon - select the check boxes ‘Success’ and ‘Failure’.
   • Audit Object Access, to report file and folder access - select the check boxes ‘Success’ and ‘Failure’.
     Note: The auditing configuration for the individual object (file or folder) must be set within its properties.
   • Audit Policy Change, to report group policy changes - select the check boxes ‘Success’ and ‘Failure’.
   • Audit Privilege Use, to report when permissions (read, write...) are used - select only the check box ‘Failure’.
   • Audit Process Tracking, to report when processes and programs fail (not security related) - No auditing (no check box selected).
   • Audit System Events, to report standard system events (not security related) - select the check boxes ‘Success’ and ‘Failure’.

4.4 FTP configuration

The following chapter guides you through the required component services configuration.
4.4.1 Installing Internet Information Services in Windows Server 2008

To install the FTP server proceed as follows:
1. Open Start > Administrative tools > Server Manager > Roles.
2. Click “Add Roles” to open the “Add Roles” Wizard and click “Next”.
3. In Server Roles, select “Web Server (IIS)” and click “Next”.
4. In Web Server (IIS) click “Next”.
5. In Role Services, select the following services from the tree:
   • Web Server
     • Common HTTP Features
       • Static Content
       • Default Document
       • Directory Browsing
       • HTTP Errors
     • Health and Diagnostics
       • HTTP Logging
       • Request Monitor
     • Performance
       • Static Content Compression
     • Security
       • Request Filtering
   • Management Tools
     • IIS Management Console
     • IIS Management Scripts and Tools
     • Management Service
     • IIS Management Compatibility - when you select this option a warning pops up informing you that two other components must also be installed. Accept their installation.
       • IIS 6 Scripting Tools
   • FTP Server
     • FTP Service
     • FTP Extensibility
6. Click “Next”.
7. In Confirmation, click “Install”.
8. In Results, select “Close”.
9. Reboot your computer.
Enabling ASP.NET and IIS

The following description details the configuration steps necessary in IIS Manager:
1. Open Start > Administrative tools > Internet Information Services (IIS) Manager. The Internet Information Services Manager enables you to configure, control and troubleshoot IIS and ASP.NET.
2. In the “Connections” panel on the left, expand the server name and click “Application Pools”.
3. In the “Actions” panel on the right, click “Set Application Pool Defaults...”. This opens the “Application Pool Defaults” window.
4. In the “General” section, set the “Enable 32-Bit Applications” option to “True” and click “OK”.

4.4.2 Configuring the FTP Service in Windows Server 2008

To configure the FTP Service/Server, follow these steps:
1. Open Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left pane tree, expand the Default Computer > Sites.
3. In the right pane tree, select “Add FTP Site”. This opens the Add FTP Site window.
4. Enter the FTP site name.
5. In Physical Path, change the folder to “C:\inetpub\ftproot”, click OK and Next.
6. In the “Binding and SSL Settings” step, configure the IP Address or leave it as default.
7. In SSL, select “Allow SSL”. Click Next.
8. In the “Authentication and Authorization Information” step, select “Authentication as Basic”.
9. In Authorization - Allow access to “All users”, permissions “Read” and “Write”.
10. Click Finish.
4.4.3 Installing Internet Information Services in Windows 7

To install the FTP server proceed as follows:
1. Open Start > Control Panel > Programs and features > Turn Windows features on or off.
2. Select the following services from the tree:
   • Internet Information Services
     • FTP Server
       • FTP Service
       • FTP Extensibility
     • Web Management Tools
       • IIS 6 Management Compatibility
         • IIS 6 Management Console
       • IIS Management Scripts and Tools
       • Management Service
3. Click “OK” and confirm.
4. After the installation go to Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
5. Reboot your computer.
4.4.4 Configuring the FTP Service in Windows 7

To configure the FTP Service/Server, follow these steps:
1. Open Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the right pane tree, select "Add FTP Site". This opens the Add FTP Site window.
3. Enter the FTP site name, default .
4. In Physical Path, change the folder to "C:\inetpub\ftproot", click OK and Next.
5. In the "Binding and SSL Settings" step, configure the IP Address or leave it as default.
6. In SSL, select "Allow SSL". Click Next.
7. In the “Authentication and Authorization Information” step, select “Authentication as Basic”.
8. In Authorization - Allow access to "All users", permissions "Read" and "Write".
9. Click Finish. Then expand the tree in the left pane until the default FTP site.
10. In the default FTP Home area click FTP Authentication. Then, in the window, right-click Basic Authentication and click Enable.
4.5 Domain Verification

Check if a network domain exists. Use the following Windows steps:
1. Go to System Properties via Start > Control Panel > System.
2. In Computer name, domain, and workgroup settings, check the Domain information.
   • If a network domain exists and both TNMS Core and TNMS belong to it, then log on to that domain and proceed with the installation as you normally would.
   • If a network domain does not exist, then:
     • You may skip this configuration, but then you will not have Single Sign On capabilities in TNMS.
     • Contact your network administrator to provide you with details on how to configure the domain, since domain details are specific to your network.

4.6 System Hosts configuration

Since TNMS uses a static IP address configuration, it is mandatory that the system's "hosts" file is properly configured with at least " " and "127.0.0.1 localhost".
– Edit Windows’ hosts file (typically, C:\Windows\System32\drivers\etc\hosts) and for each server insert a line like xx.xx.xx.xx , where xx.xx.xx.xx is the static IP of the server in question and the full computer name follows name.domain.com, as found in Control Panel > System Properties > Computer Name > Full computer name of the server in question.
– If all is properly configured, the full computer name (as found in ... > Computer Name > Full computer name) will appear automatically in the OpenDS Directory Server Configuration window during the installation procedure.

Warning: The TNMS installer will check if the hosts file is correctly configured. In case the server belongs to a domain, make sure the FQDN matches the domain. If no domain exists and the hosts file is not configured, the installation will not proceed.
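The following script performs the hosts-file check described above before the installer does: it parses a hosts file, confirms the "127.0.0.1 localhost" entry and verifies that each TNMS machine's full computer name maps to its static IPv4 address. This is an added example, not part of the Coriant manual or the TNMS installer; the sample hosts content, host names and addresses are constructed placeholders.

```python
"""Verify that a Windows hosts file carries the entries TNMS expects.

Added example, not part of the Coriant manual. The sample hosts content,
host names and IP addresses below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of C:\Windows\System32\drivers\etc\hosts (placeholder names/IPs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
10.0.0.21       tnms-server.example.invalid tnms-server
10.0.0.22       tnms-netserver.example.invalid
"""

# Static IP expected for each TNMS machine, keyed by full computer name (constructed).
EXPECTED_SERVERS = {
    "tnms-server.example.invalid": "10.0.0.21",
    "tnms-netserver.example.invalid": "10.0.0.23",   # deliberately differs from the sample
}


def parse_hosts(content: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                               # address without a name: ignore
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def check_hosts(content: str, expected: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the file satisfies the manual."""
    problems = []
    entries = parse_hosts(content)

    # 1. "127.0.0.1 localhost" must be present.
    if not any(addr == "127.0.0.1" and "localhost" in names for addr, names in entries):
        problems.append("missing '127.0.0.1 localhost' entry")

    # First address seen for each name wins, as the resolver does.
    name_to_addr: Dict[str, str] = {}
    for addr, names in entries:
        for name in names:
            name_to_addr.setdefault(name, addr)

    # 2. Every TNMS machine must resolve to its static IPv4 address under its FQDN.
    for fqdn, static_ip in expected.items():
        key = fqdn.lower()
        if "." not in key:
            problems.append(f"{fqdn}: not a fully qualified name (name.domain.com expected)")
        found = name_to_addr.get(key)
        if found is None:
            problems.append(f"{fqdn}: no hosts entry (add '{static_ip} {fqdn}')")
            continue
        try:
            ip = ipaddress.ip_address(found)
        except ValueError:
            problems.append(f"{fqdn}: address '{found}' is not a valid IP")
            continue
        if ip.version != 4 or ip.is_loopback:
            problems.append(f"{fqdn}: mapped to {found}; a static IPv4 address is required")
        elif found != static_ip:
            problems.append(f"{fqdn}: hosts file says {found}, expected static IP {static_ip}")
    return problems


if __name__ == "__main__":
    for problem in check_hosts(SAMPLE_HOSTS, EXPECTED_SERVERS):
        print("PROBLEM:", problem)
```

On a real server, read C:\Windows\System32\drivers\etc\hosts into `content` and fill `expected` with the full computer names and static IPs of the TNMS Server and Netserver machines.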
4.7 Dynamic Port range configuration

The default dynamic port range configuration for Windows Server 2008 and Windows 7 starts at port 49152 and ends at port 65535. This complies with the Internet Assigned Numbers Authority (IANA) recommendation. Proper installation of TNMS requires the default port range to be used.

Note: TNMS enforces this setting during its installation. However, to avoid warnings while installing TNMS, configure the dynamic port range before the installation (required for Server and Netserver machines), as described below.

Execute the following procedure to ensure the correct configuration of the Server and Netserver machines:
1. Open the command line (cmd) as Administrator.
2. Execute the command: netsh int ipv4 show dynamicport tcp
3. If the reported start port is not 49152, then execute the command: netsh int ipv4 set dynamicport tcp start=49152 num=16384 persistent

Windows is now prepared concerning dynamic port range configuration.
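The check in steps 2 and 3 can be scripted so that the range is verified (start and count, not only the start port) before the TNMS installer runs. This is an added example, not part of the Coriant manual; SAMPLE_OUTPUT is a constructed copy of the netsh report on a machine whose range was changed, and check_local_machine only works on a Windows host with an elevated prompt.

```python
"""Check the TCP dynamic port range reported by netsh against the TNMS requirement.

Added example, not part of the Coriant manual. SAMPLE_OUTPUT is constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

REQUIRED_START = 49152       # start of the IANA dynamic/private port range
REQUIRED_LAST = 65535        # last port of the default range
FIX_COMMAND = "netsh int ipv4 set dynamicport tcp start=49152 num=16384 persistent"

# Constructed sample of 'netsh int ipv4 show dynamicport tcp' on a misconfigured host.
SAMPLE_OUTPUT = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 1025
Number of Ports : 64510
"""


def parse_dynamic_port_range(output: str) -> Tuple[int, int]:
    """Extract (start port, number of ports) from netsh's report."""
    start = re.search(r"Start Port\s*:\s*(\d+)", output)
    count = re.search(r"Number of Ports\s*:\s*(\d+)", output)
    if start is None or count is None:
        raise ValueError("unrecognised netsh output")
    return int(start.group(1)), int(count.group(1))


def dynamic_port_range_fix(output: str) -> Optional[str]:
    """Return None when the range is already 49152..65535, otherwise the
    corrective command from step 3 of the procedure above."""
    start, count = parse_dynamic_port_range(output)
    last_port = start + count - 1
    if start == REQUIRED_START and last_port == REQUIRED_LAST:
        return None
    return FIX_COMMAND


def check_local_machine() -> Optional[str]:
    """Run netsh on the local Windows host (step 2) and evaluate its output."""
    result = subprocess.run(
        ["netsh", "int", "ipv4", "show", "dynamicport", "tcp"],
        capture_output=True, text=True, check=True,
    )
    return dynamic_port_range_fix(result.stdout)


if __name__ == "__main__":
    fix = dynamic_port_range_fix(SAMPLE_OUTPUT)
    print("dynamic port range OK" if fix is None else f"range wrong, run: {fix}")
```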
5 Software prerequisites installation

This chapter describes the installation and configuration of all prerequisites in the recommended installation sequence. Refer to Table 5 TNMS software prerequisites and their installation sequence to know which prerequisites are required for each TNMS component.

5.1 Adobe Reader

You can either download the latest Adobe Reader from the Adobe website (recommended) or use the version included in the Prerequisites folder. Coriant is not responsible for issues or vulnerabilities introduced by Adobe Reader, in particular when you perform its download. To install Adobe Reader, just follow the standard options shown in its installer. For specific information, see the Adobe Reader documentation.

5.2 User Account Control

When applicable, Windows User Account Control must be disabled in order to continue with the installation. According to your Windows version, the procedure may vary. Typically, it can be disabled under Control Panel > User Accounts > Change User Account Control Settings > Never Notify. Restart the machine after performing this change.

5.3 MSXML

MSXML 4.0 is an XML parser. It must be installed on the system so that network configuration data can be imported and exported in XML format. To install MSXML 4.0 SP2 on all supported operating systems, proceed as follows:
1. Double-click the msxml4sp2.msi file in the MSXML directory on the software DVD.
2. A welcome window is now displayed. Press Next to continue.
3. In the End-User License Agreement window, accept the terms of the license agreement, and press Next to continue.
4. In the Customer Information window, enter a user name and the name of your company in the appropriate fields. Press Next to continue.
5. In the Choose Setup Type window, press Install Now.
6. The Installing Microsoft XML Parser and SDK window is now displayed. The progress of the installation is indicated by the progress bar.
7. Once the installation is complete, the window Completing the Microsoft XML Parser and SDK Setup Wizard is displayed. Press Finish to complete the installation.

5.4 MS.NET

Windows Server 2008

MS.NET 3.5 is installed with Windows Server 2008, but requires activation. To activate .NET 3.5, proceed as follows:
1. Go to Administrative Tools > Server Manager > Features.
2. Click Add Features.
3. Select .NET Framework 3.5.1 features.
5.5 Oracle

This section describes the installation of Oracle Database 11g Release 2 (64-bit) for Microsoft Windows x64. The supported version is 11.2.0.3. The Oracle Database must be installed in the TNMS Server machine.

Before installing

To successfully install and run TNMS, at least 40GB of free disk space must be available in the destination machine before installing the Oracle database. RAM requirements are indicated in Table 7 RAM requirements and Oracle template files.

Table 7 RAM requirements and Oracle template files

TNMS Configuration   RAM (GB minimal)   Oracle template file   Managers
Large                128                TNMS_LW.dbt            All
Medium               32                 TNMS_MW.dbt            All
Legacy               8                  TNMS_SW.dbt            Ethernet and ASON only

For the remaining hardware, follow the recommendations described in 2.2 Hardware requirements. Note that the values in this table are recommended and may vary according to the network dimension and the hardware used.

By default, the TNMS Database Installer assumes the following directory locations:
• Oracle installation disks: c:\oramedia
• TNMS INSTALLER DIRECTORY: c:\inst

However, it is possible to install from different locations. If you choose to use the default directory locations above, you have to create them manually before you start the installation. During the installation you will be requested to confirm the directory paths. If you use different locations you must enter them manually whenever applicable.

Create both default directory locations indicated above. If you want to use other locations, make sure they are accessible from the installer (in a local or mapped drive). Unzip the Oracle installation disks 1 and 2 to c:\oramedia (in case of the recommended default location). Only the extracted database folder is required. The directory structure should be as follows: c:\oramedia\database

Copy the folders from the delivered TNMS media to the TNMS installer directory (recommended default location: c:\inst). The directory structure should be as follows:
c:\inst\TNMS_Installer c:\inst\TNMS_Prerequisites Installation
The following steps guide you through the Oracle Database installation. Go to \TNMS_Prerequisites\Oracle\ installation, right-click the Exec_TNMS_oracle_install.bat file and select Run as administrator . A new terminal window opens. The installation log location is c:\temp and the full path is displayed on the screen. Enter your configuration: Legacy, Medium or Large, by typing Y, M or L, respectively. Enter the drives for the ORADATA, ORALOG and ORATRACE directories, or accept the default by pressing [ENTER]. Make sure you specify a valid drive letter followed by the colon sign (for example: “c:”). Enter the TNMS database name, or accept the default by pressing [ENTER]. The database name must be between 1 and 12 characters long and the first character must be alphabetic. The main menu is presented as follows: 0 - Check requirements 1 - Oracle Software Installation 2 - TNMS database creation 3 - TNMS database configuration 4 - Exit Enter the desired option. Choose option 0 - Check requirements by pressing “0”. The requirements check is executed, showing the available disk space and free memory. In case the requirements are met, the following message is displayed: You can now proceed with Oracle Database installation!
If the requirements are not met, the message Error: The Oracle installation cannot be done, because some requirements failed
is displayed. Make sure you have enough disk space and memory before continuing. Choose option 1 - Oracle Software Installation. Press [ENTER] to confirm the default path or enter the Oracle Installer setup.exe path (if different). Press [ENTER] to confirm the default path or enter the TNMS.rsp file path (if different). This action opens a new window. Wait until the Oracle Software installation finishes. The message Successfully Setup Software. Please press Enter to exit... is displayed. Press [ENTER] to close the window. Choose option 2 - TNMS database creation.
A50023-K2035-X040-05-76D1 Issue: 5 Issue date: July 2014
31
Software prerequisites installation
Installation Manual (IMN, Windows)
Press [ENTER] to confirm the default path or enter the template file path for your configuration: • • •
TNMS_LW.dbt - large configuration. TNMS_MW.dbt - medium configuration. TNMS_SW.dbt - legacy configuration.
Type the SYS password and then retype it. Next, type the SYSTEM password and type it again. Both SYS and SYSTEM passwords must be at least 5 characters long. The TNMS database is created and the message Database created successfully is displayed. If any failure occurs during the TNMS database creation, the message Error creating database. Check installation requirements is displayed. Look for errors in the log file indicated on the screen. Choose option 3 - TNMS database configuration. Press [ENTER] to confirm the default path or enter the TNMSnetca.rsp file path. Press [ENTER] to confirm the default path or enter the listener.ora file path. The database is created and the message TNMS Database Configuration Successful. Oracle Installation finished is displayed. Choose option 4 - Exit. The Oracle installation and configuration is completed. Restart the machine. Post-installation verifications
To verify the installation, check the Oracle services and the TNMS database:
1. Go to Start > Run and run the command services.msc. The following services should be started:
   • OracleOraDb11g_home1TNSListener
   • OracleServiceTNMS (if the default database name was "TNMS")
2. Run the application <Oracle Home>\BIN\LSNRCTL and run the command status. <Oracle Home> is, by default, "C:\oracle\product\11.2.0\dbhome_1\".
3. Check if your SID exists and if its status is READY:
   Instance "tnms", status READY... (if the default database name was "TNMS")
5.5.1 Uninstalling Oracle
To uninstall the TNMS database and the Oracle software you must use the uninstallation tool provided by Oracle. Proceed as follows:
1. Go to Start > All Programs > Accessories > Command Prompt, right-click, select Run as administrator and then enter the following command:
   "<Oracle Home>\deinstall\deinstall.bat"
   <Oracle Home> is, by default, "C:\oracle\product\11.2.0\dbhome_1\".
   The following steps describe a typical uninstallation procedure. In case the uninstallation tool requests additional information, refer to the uninstallation tool documentation at: http://docs.oracle.com/cd/E11882_01/install.112/e16774/deinstall.htm .
2. When prompted for the Listener Name, enter LISTENER and press Enter.
3. When prompted for the Oracle SID, enter TNMS and press Enter.
4. When prompted for TNMS database modification, enter "n" and press Enter. (The details of database(s) TNMS have been discovered automatically. Do you still want to modify the details of TNMS database(s)? [n]: n)
5. When prompted for continuation, enter "y" and press Enter. (Do you want to continue (y - yes, n - no)? [n]: y)
6. Wait until the uninstallation finishes and then restart the machine.
7. Go to the C:\ folder and delete the remaining folders and files:
   • C:\oracle
   • <drive>\oradata (path chosen during installation)

5.6 OSI Stack
If QB3 is to be used, an OSI stack must be installed on the NetServer PCs before the NetServer software.

5.6.1 Installing OSI Stack
To install an OSI stack, proceed as follows:
1. In the software DVD, go to the OSI_Stack directory, right-click setup.exe and click Run as administrator.
2. A welcome window is displayed. Press Next to continue.
3. In the Choose Destination Location window, a default installation directory is offered for the OSI stack. Press Next to continue.
4. In the Please select: window, select the NSAP address option best suited to your company's network and press Next.
5. In the Getting NSAP window, enter the NSAP address. For example, if you selected the option NSAP should be derived from MAC address of my ethernet card in step 4, enter the MAC address of the network card and press Next.
6. In the Start Copying Files window, ensure that the settings displayed are correct, and if so, press Next to continue.
7. A setup status window is displayed, showing the progress of the OSI stack installation.
8. In the InstallShield Wizard Complete window, select the option for restarting the computer and press Finish to complete the OSI stack installation.
5.6.2 Configuring OSI stack
Once the OSI stack installation is finished and the computer rebooted, proceed with the following configuration:
1. Open the OSI stack configuration as administrator: go to Start > Control Panel > OSI Stack, right-click OSI Stack and select Run as administrator. You may need to switch to the classic view, click "View as small icons" or use the search field to find OSI Stack.
2. Activate the following options:
   • In "Bind to Network Interface Card", activate all network interfaces.
   • In "OpWin Configuration", activate "Open Stack, when Operator starts".
   • Activate "Start stack as service".
   • Click the "ES-IS" stack parameter to enter the "ES-IS configuration" and disable "Enable emission of ES hello".
   Click Ok.
3. Exit the OSI Stack Configuration and reboot the machine in order to reset the variables properly; otherwise you may experience unexpected delays in the service readiness.

In case you have to check the environment variable OSIPIPE:
1. Click Start > Control Panel > System and Security > System.
2. Open Advanced system settings > Advanced tab.
3. Click the "Environment variables" button.
4. In the lower list (user variables), search for the OSIPIPE variable.
5. The OSI stack configuration is finished.

5.6.3 Uninstalling OSI stack
To uninstall the OSI stack, follow these steps:
1. Open Start > Control Panel > Administrative Tools > Services.
2. Select the OSI stack service and press Stop.
3. Open Start > Control Panel > Add/Remove Programs.
4. Select the OSI stack from the software list.
5. Click Uninstall.
6. Confirm the uninstall process with Finish and restart your computer.
5.7 CopSSH
CopSSH is a Secure Shell (SSH) File Transfer Protocol (SFTP) and Secure Copy (SCP) server used for transferring data to and from some types of NEs. CopSSH installation is required for netservers only if there are hiT 7100, hiT 7300 or ADVA NEs in your network.

Note: SFTP / SCP use is recommended since it is more secure than FTP: FTP sends credentials and file contents in clear text, whereas SFTP and SCP run inside the authenticated, encrypted SSH channel.

Note: In order to support SFTP or SCP transactions via the LCT, you must install and configure CopSSH in TNMS.

5.7.1 Installing CopSSH
To install CopSSH 4.7.1 proceed as follows (same procedure for all supported operating systems):
1. In the software DVD, go to the CopSSH directory, right-click the Copssh_4.7.1_x86_Installer.exe file and select Run as administrator.
2. The setup wizard's Welcome window is shown. Click Next.
3. In the License Agreement window click I Agree.
4. Enter an installation folder or accept the default by clicking Next.
5. Enter the service account credentials. You must select the user that will be used as the CopSSH service account, by choosing one of the following options:
   • Keep the default CopSSH user, SvcCOPSSH (the installer generates a random password). If you choose this option, keep that password for future reference (recommended). Or
   • Select a new user (must be different from existing local machine users). In this case you must provide a username and a password that meet the following requirements:
     - The username must be at least four characters in length.
     - Passwords cannot contain the user's account name or parts of the user's complete name exceeding two consecutive characters.
     - Passwords must be at least six characters in length.
     - Passwords must contain characters from three of the following four categories:
       • English uppercase characters (A through Z).
       • English lowercase characters (a through z).
       • Base 10 digits (0 through 9).
       • Non-alphabetical characters (for example: !, $, #, %).
6. Click Install.
7. Click Close to finish the installation.
5.7.2 Configuring CopSSH
As a security measure, CopSSH's default user cannot be used to access the machine. Therefore, new users must be created. Configuring users in CopSSH:
1. Create a user with limited privileges in the operating system. This user will be used to perform the SFTP / SCP transfers.
2. Grant the user write privileges on the C:\Program Files (x86)\ICW folder: go to Properties, add the user created and give the user Modify permissions. Note that this folder also holds the CopSSH configuration (etc\sshd_config and etc\passwd, see 5.7.3), so grant it to the SFTP user only and to no other non-administrative account.
3. Go to Start > Programs > CopSSH, right-click CopSSH Control Panel and click Run as administrator.
4. In the Status tab, check if the service is running (green button). If not, click the red button to start it.
5. Go to the Users tab and click Add.
6. Click Forward to begin the CopSSH User Activation wizard.
7. Choose the current machine for domain and the user you created earlier. Click Forward.
8. Select the Shell access type:
   • For ADVA NEs, select "Linux shell and Sftp".
   • For hiT 7100 and/or hiT 7300 NEs, select "Sftp".
   • For ADVA together with hiT 7300 and/or hiT 7100 NEs, select "Linux Shell and Sftp".
   Of the three options available, only "Password authentication" must remain checked. Uncheck the other two options, "Public key authentication" and "Allow TCP forwarding". Click Forward.
9. Click Apply to activate the user.
Changing the default number of simultaneous sessions
The following mandatory procedure is required in order to support multiple NE requests.

Warning: If you run CopSSH's Control Panel after the procedure below, all the changes to the passwd file will be reset.

1. Edit the file C:\Program Files (x86)\ICW\etc\sshd_config. Below is a sample sshd_config file (after the CopSSH Control Panel has been run for the first time):

   Port 22
   Compression delayed
   LogLevel INFO
   TCPKeepAlive yes
   LoginGraceTime 120
   Protocol 2
   MaxAuthTries 6
   MaxSessions 10
   Subsystem sftp internal-sftp -l ERROR
   Match User copuser
   PasswordAuthentication yes
   PubkeyAuthentication no
   AllowTcpForwarding no
   MaxSessions 10
   # Catch All
   Match User *
   AllowTcpForwarding no
   MaxSessions 0
   PasswordAuthentication no
   PubkeyAuthentication no

2. Change both MaxSessions values (the global one and the one in the Match User copuser block) to 100. Leave MaxSessions 0 in the catch-all Match User * block as it is: together with PasswordAuthentication no and PubkeyAuthentication no it denies sessions to every user that was not explicitly activated.
3. Add the line MaxStartups 10:30:100 after the global MaxSessions line to control the number of open unauthenticated sessions. With these values sshd starts refusing new unauthenticated connections with a probability of 30% once 10 are pending, rising linearly to 100% at 100 pending connections. This avoids an overload of the SSH daemon.
4. Below is the sample above after the changes:

   Port 22
   Compression delayed
   LogLevel INFO
   TCPKeepAlive yes
   LoginGraceTime 120
   Protocol 2
   MaxAuthTries 6
   MaxSessions 100
   MaxStartups 10:30:100
   Subsystem sftp internal-sftp -l ERROR
   Match User copuser
   PasswordAuthentication yes
   PubkeyAuthentication no
   AllowTcpForwarding no
   MaxSessions 100
   # Catch All
   Match User *
   AllowTcpForwarding no
   MaxSessions 0
   PasswordAuthentication no
   PubkeyAuthentication no

5. Save the sshd_config file and restart the CopSSH service using the Windows Control Panel.
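The edit above is easy to get wrong by hand (the catch-all MaxSessions 0 must stay, and the Control Panel can regenerate the file). The following Python script is an added example, not part of the Coriant manual or of CopSSH: it applies the change to the sshd_config text in memory so you can diff it before writing it back, and it audits a file against the settings the manual asks for. The sample configuration is the one printed above; the path C:\Program Files (x86)\ICW\etc\sshd_config and the user name copuser are taken from this section, and a Python interpreter on the NetServer is assumed.

```python
"""Apply and audit the CopSSH sshd_config changes from section 5.7.2."""

# Sample sshd_config as printed in the manual after the first Control Panel run.
SAMPLE_SSHD_CONFIG = """\
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 10
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 10
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
"""


def raise_session_limits(config, max_sessions=100, max_startups="10:30:100"):
    """Set MaxSessions in the global section and in every per-user Match block,
    keep the catch-all 'Match User *' at MaxSessions 0, and insert MaxStartups
    right after the global MaxSessions line. Safe to run twice (idempotent)."""
    lines = config.splitlines()
    has_startups = any(l.strip().startswith("MaxStartups") for l in lines)
    out = []
    block = None  # None = global section, otherwise the argument of the Match line
    for line in lines:
        key, _, value = line.strip().partition(" ")
        if key == "Match":
            block = value
        elif key == "MaxStartups":
            line = f"MaxStartups {max_startups}"
        elif key == "MaxSessions" and block != "User *":
            line = f"MaxSessions {max_sessions}"
        out.append(line)
        if key == "MaxSessions" and block is None and not has_startups:
            out.append(f"MaxStartups {max_startups}")
            has_startups = True
    return "\n".join(out) + "\n"


def parse_sections(config):
    """Split sshd_config into {section: {keyword: value}}: '' is the global
    section, Match blocks are keyed by their argument (e.g. 'User copuser')."""
    sections = {"": {}}
    current = ""
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "Match":
            current = value
            sections.setdefault(current, {})
        else:
            sections[current][key] = value
    return sections


# Target values from the manual: global limits, the activated SFTP user, and the
# catch-all block that denies every other account.
EXPECTED = {
    "": {"Protocol": "2", "MaxSessions": "100", "MaxStartups": "10:30:100"},
    "User *": {"MaxSessions": "0", "PasswordAuthentication": "no",
               "PubkeyAuthentication": "no", "AllowTcpForwarding": "no"},
}


def audit(config, sftp_user="copuser"):
    """Return the list of deviations from the manual's target configuration
    (empty list = compliant). Run it again after any use of the Control Panel."""
    sections = parse_sections(config)
    wanted = dict(EXPECTED)
    wanted[f"User {sftp_user}"] = {"MaxSessions": "100", "PasswordAuthentication": "yes",
                                   "PubkeyAuthentication": "no", "AllowTcpForwarding": "no"}
    problems = []
    for section, directives in wanted.items():
        actual = sections.get(section)
        if actual is None:
            problems.append(f"missing block: Match {section}")
            continue
        for key, value in directives.items():
            if actual.get(key) != value:
                problems.append(f"{section or 'global'}: {key} is {actual.get(key)!r}, expected {value!r}")
    return problems


if __name__ == "__main__":
    # Assumed location of the file on the NetServer (section 5.7.2).
    path = r"C:\Program Files (x86)\ICW\etc\sshd_config"
    with open(path, encoding="utf-8") as f:
        current = f.read()
    print("\n".join(audit(current)) or "sshd_config matches the manual")
    print(raise_session_limits(current))  # review, then write back and restart the service
```

The script prints the rewritten configuration instead of overwriting the file; write it back only after reviewing the diff, then restart the CopSSH service as in step 5.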
5.7.3 CopSSH Troubleshooting
Go to Start > Programs > CopSSH > CopSSH Control Panel and in the Status tab, check that the CopSSH service is running (green color). If not:
1. Go to (Windows) Control Panel > Administrative Tools > Services.
2. Right-click the service "Openssh SSHD" and select Properties.
3. In the Log On tab, select Local System account. Local System is the most privileged local account, so use this only to get the service running again; once the cause is found, return the service to the dedicated service account chosen in 5.7.1.
4. Click OK.
5. Start the Openssh service.

Check if the SFTP user is added to the password file:
1. Edit the file C:\Program Files (x86)\ICW\etc\passwd. It must contain the details of the SFTP user that was created and activated (one record per line, in the format name:password:uid:gid:gecos:home:shell). For example, if the user name is "FTPUser", the file will be:

   Administrator:unused:10500:10513:U-AUMELRD-TD-03\Administrator,S-1-5-21-3507081192-3007060136-515313314-500:/home/Administrator:/bin/bash
   FTPUser:unused:11021:10513:FTPUser,U-AUMELRD-TD-03\FTPUser,S-1-5-21-3507081192-3007060136-515313314-1021:/home/FTPUser:/bin/bash
   Guest:unused:10501:10513:U-AUMELRD-TD-03\Guest,S-1-5-21-3507081192-3007060136-515313314-501:/home/Guest:/bin/bash
   sshd:unused:11025:10513:U-AUMELRD-TD-03\sshd,S-1-5-21-3507081192-3007060136-515313314-1025:/var/empty:/bin/bash
   SvcCOPSSH:unused:11026:10513:U-AUMELRD-TD-03\SvcCOPSSH,S-1-5-21-3507081192-3007060136-515313314-1026:/var/:/bin/bash

2. If the password file does not contain the details of the SFTP user, grant write access to the ICW folder to the Windows user that is used to install CopSSH and repeat the user activation described in 5.7.2.
5.7.4 CopSSH Hardening
If you wish to further restrict the CopSSH user's privileges by making connections via an interactive shell impossible, do as follows:

Warning: If you run CopSSH's Control Panel after the procedure below, all the changes to the passwd file will be reset.

1. Go to <CopSSH installation folder>\etc\ (by default C:\Program Files (x86)\ICW\etc\) and edit the passwd file.
2. Edit the line for the user, for example from
   reguser:unused:11010:10513:reguser,U-TSVM41\TestPL,S-1-5-21-2769772405-123357289-3683661142-1010:/home/reguser:/bin/bash
   to
   (...):/bin/false
   that is, the same line with the final shell field changed from /bin/bash to /bin/false.
3. Save the file.

This is suitable only for users that need SFTP: the sftp subsystem in the sample sshd_config (internal-sftp) does not spawn the login shell, so transfers keep working with /bin/false, whereas SCP and the "Linux shell and Sftp" access type selected for ADVA NEs (5.7.2) require a working shell.
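The passwd check in 5.7.3 and the shell change above both come down to reading and rewriting the Cygwin-style passwd file that CopSSH keeps under its etc folder. The following Python script is an added example, not part of the Coriant manual or of CopSSH: it parses that file, reports whether the activated SFTP user is present and whether it still has a login shell, and produces the hardened file with the shell replaced by /bin/false. The sample records are constructed in the format shown in 5.7.3 (the SIDs are the manual's example values); the file location C:\Program Files (x86)\ICW\etc\passwd is the default from this section and a Python interpreter on the NetServer is assumed.

```python
"""Check (5.7.3) and harden (5.7.4) the CopSSH passwd file."""
from dataclasses import dataclass

# Constructed sample in the format shown in 5.7.3:
# name:password:uid:gid:gecos:home:shell, one record per line.
SAMPLE_PASSWD = """\
Administrator:unused:10500:10513:U-AUMELRD-TD-03\\Administrator,S-1-5-21-3507081192-3007060136-515313314-500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-AUMELRD-TD-03\\FTPUser,S-1-5-21-3507081192-3007060136-515313314-1021:/home/FTPUser:/bin/bash
Guest:unused:10501:10513:U-AUMELRD-TD-03\\Guest,S-1-5-21-3507081192-3007060136-515313314-501:/home/Guest:/bin/bash
sshd:unused:11025:10513:U-AUMELRD-TD-03\\sshd,S-1-5-21-3507081192-3007060136-515313314-1025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-AUMELRD-TD-03\\SvcCOPSSH,S-1-5-21-3507081192-3007060136-515313314-1026:/var/:/bin/bash
"""

NO_SHELL = "/bin/false"


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def to_line(self):
        return ":".join([self.name, self.password, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def parse_passwd(text):
    """Parse the passwd text into PasswdEntry objects. Every record must have
    exactly seven colon-separated fields; a malformed line raises instead of
    being silently dropped, because sshd would reject such a file as well."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def sftp_user_status(text, user):
    """'missing' if the user was never activated (5.7.3), 'shell' if it still
    has a login shell, 'sftp-only' once the shell is /bin/false (5.7.4).
    Windows user names are matched case-insensitively (assumption)."""
    for entry in parse_passwd(text):
        if entry.name.lower() == user.lower():
            return "sftp-only" if entry.shell == NO_SHELL else "shell"
    return "missing"


def disable_shell(text, user, shell=NO_SHELL):
    """Return the passwd text with the user's login shell replaced. Raises if
    the user is absent so that a typo does not silently leave the shell open."""
    entries = parse_passwd(text)
    targets = [e for e in entries if e.name.lower() == user.lower()]
    if not targets:
        raise KeyError(f"{user} is not in the passwd file; activate it in the CopSSH Control Panel first")
    for entry in targets:
        entry.shell = shell
    return "\n".join(e.to_line() for e in entries) + "\n"


if __name__ == "__main__":
    # Assumed default location (section 5.7.3); the SFTP user name is an example.
    path = r"C:\Program Files (x86)\ICW\etc\passwd"
    with open(path, encoding="utf-8") as f:
        current = f.read()
    print("FTPUser:", sftp_user_status(current, "FTPUser"))
    print(disable_shell(current, "FTPUser"))  # review, then write back
```

Run the status check again after any use of the CopSSH Control Panel, since it rewrites the passwd file and thereby restores /bin/bash.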
5.8 Antivirus
To protect TNMS against viruses, install F-Secure Client on all machines. Refer to the software release notes to see the released versions.

5.9 NTI third-party software installation
The "NTI DS" is a third-party software that is part of the TNMS prerequisites. You find the installer in the installation folder TNMS_Prerequisites > NTI_DS; it launches and controls the setup of this third-party software. The main setup also configures the software after the installation to work with TNMS. This procedure is mandatory only if you want to have NTI operational. Otherwise, skip this procedure.

Installing the NTI third-party software:
1. Run the NTI_DS_Installer.exe file from the folder TNMS_Prerequisites > NTI_DS. Proceed as described in the setup windows.
2. In the "Welcome" window, click Next.
3. In the "License Agreement" window, choose "I accept the terms of License Agreement" and click Next.
4. In the "Choose Install Set" window, choose "Full Installation" as the installation type and click Next.
5. In the "Directory Name" window (default: C:/NTI_DS), enter the installation directory or select it from the Choose dialog and click Next.
6. In the "Notification Service Configuration" window, set the following options:
   • "Contact with IMR on every server start-up": off (default option).
   • "Choose level of verbosity": fatal errors only (default option).
   • "Choose details for compact Typecodes": off (default option).
   • "Disable indirection encoding": on (default option).
   • "Please enter port number for Notification Service": 17289 (default option).
   • "Please choose maximum Java heap size for Notification Service": choose one of the three available values. The default value is 256 MB.
   Click Next.
7. In the "Pre-Installation Summary" window check if the installation options are correct and confirm by clicking Install.
8. In the "Install Complete" window, you see the message "Your computer must be restarted to complete the installation". Click Finish.

After rebooting, proceed as follows:
• Go to <NTI_DS installation folder>\NoSe\bin and run the "Object Viewer" by double-clicking the manager.bat file.
• Locate the "localhost" of the OpenFusion object, right-click and then click Start in the context menu. If already started, skip this step. This changes the state to "Started".
• Ensure the services are started through Start > Control Panel > Administrative Tools > Services. The following services must exist and be in state "Started":
  • JacORB IMR
  • OpenFusion.NotificationService 4.2.3
6 TNMS installation
This chapter describes the TNMS installation. If you have a previous TNMS version installed in your system, jump to 9 Upgrade to TNMS 14.1 10. Before you install TNMS be sure to read and follow the directions below. Failing to comply will result in a failed installation.

6.1 Full installation
To install TNMS Server, NetServer and Client in the same machine (full installation):
1. Copy all relevant priority updates into ...\TNMS Installer\PUs.
2. Log in to the operating system with a user that has administrative rights.
3. Right-click the installation file in the TNMS SW CD and select "Run as administrator" (Figure 2).
   Figure 2 How to set the TNMS installer to run with administrator rights in Windows 7 and Windows Server 2008.
4. The Introduction window opens and the complete list of installation steps is displayed on the left pane. Click Next to continue.
5. Read the License Agreement and then select I accept the terms of the License Agreement. Click Next to continue.
6. In the Choose Install Set step, click Full to install all components in the machine. The available buttons describe the installation variants offered. Click Next to continue.
7. Select your type of hardware configuration: Medium, Large (see 2.2 Hardware requirements) or Legacy Hardware. Select Legacy Hardware to install TNMS Server in machines that meet the hardware requirements for TNMS 13.2 1x but not for TNMS 14.x xx.
   Note: Optical Management is not supported in the Legacy Hardware configuration.
8. A usage warning pops up to let you know that the database should not be in use by any application. Select Build and click Next to continue.
   Warning: The "Build" option, if there is a previous TNMS version installed, will delete all the data in the database. To upgrade your installation, refer instead to the Upgrade Manual.
9. The Oracle database connection step asks you to enter a set of database connection parameters:
   • Database IP Address: the Oracle host IP address.
   • Database port: the Oracle server port number. The default value is 1521.
   • Database username: the user schema of the database to be created (example: TNMS).
     Note: Using the same user / password in all installations is recommended since it ensures that the database is restorable in any machine. However, another user / password can be used for security reasons, as long as you keep these data for future reference and you use the same user / password in the system where you perform the backup and the system where you restore it.
   • User password: the password for the DB user (example: fk12!igp). Do not reuse the example value: it is printed in this manual.
     Note: The password must meet the following requirements:
     - Is at least four characters long.
     - Differs from the user name.
     - Has at least one alphabetic, one numeric and one punctuation character.
     - Is not simple or obvious, such as welcome, account, database, or user.
   • Re-enter user password: re-enter the password.
   • Database name (SID): the name of the Oracle database (DB instance), which, by default, is "TNMS".
   • User 'sys' password: fill in with the password defined in 5.5 Oracle.
   Click Next to continue.
10. In the Choose Components step:
    10.1 Select the Managers to be installed. On Legacy hardware installations the Optical Manager will not be installed. To install and use the Optical Manager you must select the Medium or the Large configuration. Mind that all managers can be installed but each requires a specific license to be used. Click Next to continue.
    10.2 Select the North Bound Interface to install, if any.
         Note: If you select TMF/Corba, you must have previously installed the NTI as described in 5.9 NTI third-party software installation.
         Click Next.
    10.3 Select the LCTs to be installed. Click Next to continue.
    10.4 Select the NEs to be installed and all their versions, for example:
         [X] hiT 7300 5.10.0x
         [X] hiT 7300 5.10.10
         [X] hiT 7300 5.10.2x
         [X] hiT 7300 5.30.50
         [X] hiT 7300 5.30.60
         Click Next to continue.
11. In the Choose Install Folder step:
    11.1 Enter the path for the TNMS installation folder, the TNMS Data folder (see note), the LCT installation folder and the EML Mediation installation folder. Default paths are provided. Click Next to continue.
         Note: Make sure that the TNMS Data folder is empty. If not, back up and remove the data or select a different folder.
12. If CopSSH is not installed in the machine, a warning pops up to let you know that the NetServer requires you to install it (see 5.7.1 Installing CopSSH). If CopSSH is already installed, you must provide a valid SFTP User, that is, a Windows user that was added to CopSSH (see 5.7.2 Configuring CopSSH). The user is not created again; the user entered in this step serves as a cross-check with the user added in the CopSSH configuration.
13. Select the TNMS server's IP address (blank by default).
    Note: In case you have more than one Network Interface Card (NIC) installed, the Choose host IP address panel is displayed providing a list of the IPs associated with each NIC. Click the pull-down menu and choose the IP that corresponds to the host name of the machine. In case you only have one NIC, this panel is not displayed and you must proceed to the next step.
14. Enter the TNMS server's IP address if you are installing the NetServer on a machine other than the server (blank by default). Click Next to continue. This step is skipped in some cases, such as if the server has only one IP address.
15. In the OpenDS Directory Server Configuration step set the following OpenDS database server information:
    Note: All fields except the Admin password are automatically filled in. If not, cancel the installation wizard, complete the 4.6 System Hosts configuration and start the installation once more.
    • Computer name: filled in automatically from the host configuration.
    • Install directory: folder wherein the OpenDS server will be installed.
    • Server port, Admin port: ports used respectively to communicate with the OpenDS Server and for administrative actions. The server and admin port numbers shown are defaults, not mandatory. You can use any port number from 1024 to 49151.
    • Admin ID: default is admin.
    • Admin password: select a password (minimum 8 characters).
    • Re-enter Admin password: re-enter the selected password.
    Click Next to continue.
16. In the Choose Shortcut Folder step configure the options of the icons and shortcuts to be created during installation. Click Next to continue.
17. Decide whether to have Coriant's wallpaper as your default desktop wallpaper. Click Next to continue.
18. If one or more of the priority updates you copied into ..\TNMS Installer\PUs does not comply with a set of preconditions, a warning message is displayed (for additional information check 6.3 About the automatic priority updates installation). The PUs that generate warnings will not be installed. Click Next to continue or click Cancel to go back to the previous step.
19. A summary of the installation settings is given in the Pre-Installation Summary step. If the settings are correct, click Install to start the installation.
20. If an error, such as a corrupted PU file, is detected during the installation, an error message is displayed (for additional information check 6.3 About the automatic priority updates installation).
21. The results of the installation are presented in the Installation Results step. Click Done to close the installation wizard.
22. Reboot the machine to complete the installation.

After the TNMS Server has been installed and started, the system can be immediately operated by selecting the server name and using the default user name and password (see 7.3 Logging in and 7.4 Default username and password).

Note: A warning message may be displayed during the installation configuration stating that the firewall is enabled. However, if you use the Windows Firewall, in some cases the firewall window displays the disabled status. This contradiction arises because the TNMS Installer uses the netsh advfirewall commands to check the firewall status, which can return a different status from that presented in the GUI. To configure the firewall refer to 12.3 Networking and firewall configuration.

Note: The TNMS installation creates the following services on the target machine after the full installation is completed:
• TNMS (automatically started). In the server machine.
• RCTSrv (automatically triggered by TNMS and thus listed as Manual). In the server machine.
• Open DS (automatically started). In the server machine.
• TNMS EmlMediator (automatically started). In the netserver machine.
• TNMS Generic Mediator (automatically started). In the netserver machine.
• TNMS TrapHandler (automatically started). In the netserver machine.
• TNMS Multivendor Mediator (automatically started). In the netserver machine.
• TNMS platform (automatically started). In the server machine.
6.2 Installation of separate components
To install only one of the components or a specific combination of components you must follow the procedure described in the previous section up to the Choose Install Set step. In this step choose Client, Server, NetServer, Server and NetServer or Server and Client. The subsequent steps are a subset of those described in 6.1 Full installation. However, note that:
• If you install the TNMS Client and/or the NetServer on Windows 7, go to Start > Control Panel > System > Advanced System Settings > Advanced tab > Performance pane > Settings button > Visual Effects tab and select the option "Adjust for best performance".
• If you install the TNMS NetServer in a machine other than the Server, the TNMS Server's IP address is requested during the installation. If you install the TNMS NetServer in the same machine as the Server, the TNMS Server's IP address is requested only if the server has more than one IP address.

6.3 About the automatic priority updates installation
You can install priority updates (PU) either manually, anytime after installing TNMS, or automatically, while installing TNMS. The automatic procedure includes several verifications that are useful and time-saving. During the configuration of the installation the TNMS installer checks if:
• The PUs are valid. A PU is considered valid if its file has the characteristics of a PU and if the PU is being installed on the supported TNMS version.
• All dependencies between PUs are met.
• There are no duplicated PUs.
If one or more PUs fail to meet one or more of these conditions, warnings are displayed to let you know which PUs fail to comply with which condition. Also, in the Pre-installation summary you can find the following two sections:
• Installation Check Warnings: in this section are listed all warnings displayed during the configuration steps. If any warnings regarding PUs were displayed, you can find their content here. The PUs listed in this section will not be installed.
• Priority Updates to Install: in this section are listed all PUs that comply with the conditions above and that will be installed.
Tip: Refer to the preinstall_warnings.log if you need this information later on.
The correct installation of the PUs is also verified during the TNMS installation. If any PU was not correctly installed, an error message is displayed. Any error or warning messages during the installation are also referred to in the final installation step. For details on these errors and warnings refer to the PU_InstallLog.log, where you can find the logs of the execution of all installed PUs.

7 Post-installation procedures
Warning: If you decide to harden the system, you must do it before starting TNMS in a production environment. See 12 Security hardening for instructions.

7.1 Starting services
Services such as TNMS Server, TNMS EmlMediator and TNMS Generic Mediator start automatically with the machine.

7.2 Starting a Client session
A Client session is started by clicking either the shortcut icon on the desktop (if one was created during installation) or the client icon in the installation folder. Functions authorized by the current user's access rights can now be accessed. The user defined below has full access rights:
• Default available user - Administrator
• Default user group - Administrators
• Default policy - Global
• Default domain - Global

7.3 Logging in
Once started, TNMS can be logged in to. Press the spacebar or click the icon to get the login window. You must fill in the fields:
• Server name. You can select a previously used value set from the menu. Alternatively, input the server data either in the <host name>:<port> or the <IP address>:<port> format. The default value is localhost:1100.
• User name. Input a valid user name.
• Password. Input the user's password.
If the Server is unavailable the following error message is displayed: "Server not reachable. Please check your network connectivity or if server is running"
In this situation check for one of the following scenarios:
• The server is not reachable.
• Network connectivity.
• The server may not be running.
• You are trying to connect to a standby server instead of the active server.
Note: If you are logging in after an update rather than an installation from scratch, the users and passwords remain unchanged from the previous version.

7.4 Default username and password
After the TNMS Server has been installed and started, the system can be immediately operated using the default user and password. Both fields are case-sensitive.
• User name: administrator
• Password: e2e!Net4u#
For security reasons, the administrator is requested to change the password at the first login (see 7.5 Changing the password). This default is printed in this manual and is therefore known to anyone who has a copy of it; do not leave it in place on a server that is reachable from the network.

7.5 Changing the password
The first password change is performed in a popup window after the first login. Subsequent changes are performed in the Administration > User Management > User Modification window. You are asked to enter the new password twice for confirmation, to set whether that user cannot change the password or whether the user has to change the password at next logon, and/or to define the password expiration deadline between 3 and 90 days. TNMS stores the password history in the OpenDS database.

Note: If Single Sign-on is enabled later on, this menu item will no longer be displayed as no password within TNMS will be required.

Password complexity rules
New passwords are validated by the system according to the rules below. The new password must:
• Be at least 8 characters long
• Contain at least 2 alphabetic characters
• Contain at least 1 numeric character
• Contain at least 1 special character other than #, $, *, / and @
• Contain at most 3 consecutive digits or letters from the alphabet
• Differ from the old one by at least 3 characters. This is enforced only if the password is changed through the Change Password window.
The new password must not:
• Be the same as the user id
• Contain the user id
• Contain a rotated version of the user id
• Match any of the previous passwords.
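The rules above can be checked before a password is submitted, for example when an administrator prepares accounts in bulk. The following Python function is an added example, not part of the Coriant manual or of TNMS: it reproduces the listed rules and returns the ones a candidate password violates. Two points the manual leaves open are treated as assumptions and marked in the comments: "at most 3 consecutive digits or letters" is read as "no run of four or more characters stepping through the alphabet or the digits" (such as abcd or 1234), and "differ by at least 3 characters" is counted position by position. User ids are compared case-insensitively, which is also an assumption.

```python
"""Pre-check a new TNMS password against the complexity rules of section 7.5."""

# These characters are allowed but do not satisfy the 'special character' rule.
EXCLUDED_SPECIALS = set("#$*/@")


def rotations(word):
    """All cyclic rotations of word, e.g. 'admin' -> dmina, minad, inadm, nadmi.
    The identity rotation is included, so 'contains the user id' is covered too."""
    return {word[i:] + word[:i] for i in range(len(word))}


def has_sequence_run(pw, limit=3):
    """True if pw contains more than `limit` consecutive characters that step
    through the alphabet or the digits (e.g. 'abcd', '6789').
    Assumption: this is what 'at most 3 consecutive digits or letters from the
    alphabet' means; the comparison is case-insensitive."""
    s = pw.lower()
    run = 1
    for prev, cur in zip(s, s[1:]):
        same_class = (prev.isalpha() and cur.isalpha()) or (prev.isdigit() and cur.isdigit())
        run = run + 1 if same_class and ord(cur) - ord(prev) == 1 else 1
        if run > limit:
            return True
    return False


def differing_chars(a, b):
    """Positions at which a and b differ; a length difference counts as well.
    Assumption: this is how 'differ by at least 3 characters' is measured."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_password(new, user_id, old=None, history=(), via_change_window=True):
    """Return the list of violated rules; an empty list means the password is accepted.
    `history` holds earlier passwords (TNMS keeps them in OpenDS); `via_change_window`
    selects whether the 'differ from the old one' rule applies."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isalpha() for c in new) < 2:
        problems.append("fewer than 2 alphabetic characters")
    if not any(c.isdigit() for c in new):
        problems.append("no numeric character")
    if not any(not c.isalnum() and c not in EXCLUDED_SPECIALS for c in new):
        problems.append("no special character other than # $ * / @")
    if has_sequence_run(new):
        problems.append("more than 3 consecutive letters or digits in sequence")
    if via_change_window and old is not None and differing_chars(new, old) < 3:
        problems.append("differs from the old password by fewer than 3 characters")
    uid, low = user_id.lower(), new.lower()  # assumption: user ids compare case-insensitively
    if low == uid:
        problems.append("same as the user id")
    elif any(r in low for r in rotations(uid)):
        problems.append("contains the user id or a rotation of it")
    if new == old or new in history:
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ["e2e!Net4u#", "Administrator1!", "abcd12!Z"]:
        print(candidate, "->", check_password(candidate, "administrator") or "accepted")
```

The default password from 7.4 passes every rule, which illustrates that complexity checks say nothing about whether a password is secret: a value that is published is weak regardless of its character classes.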
Terminating a Client session A Client session terminates when you log off. All windows are closed and only the login function is accessible.
48
A50023-K2035-X040-05-76D1 Issue: 5 Issue date: July 2014
Installation Manual (IMN, Windows)
7.7
Post-installation procedures
Single Sign-on By enabling Single Sign-on (SSO) the users can log in to TNMS using the operating system credentials, without having to enter another username and password. This configuration can be done at any point in time and is therefore described in the TNMS User Manual.
7.8
Standby server This configuration can be done at any point in time and is therefore described in TNMS User Manual.
7.9
License keys Logging in allows you to access elementary TNMS features such as viewing th e network map or activating NEs. However, full access to the whole TNMS, including the Managers ASON, Ethernet and Optical, is granted through the acquisition and installation of proper license keys.
g
Optical Manager licenses require a TNMS service restart after importing. Refer to the User Manual for more information on how to manage licenses.
7.10 Internet Explorer configuration
To ensure the correct behavior of the context-sensitive online help, configure Internet Explorer as follows:
1. In Internet Explorer go to Tools > Internet Options > Security.
2. Select the desired security level and then click Custom:.
2.1 In the Scripting section, enable Active Scripting.
2.2 In the ActiveX controls and plug-ins section, enable Initialize and script ActiveX controls not marked as safe for scripting.
7.11 Connection timeout configuration
To avoid possible timeouts in communications between the TNMS Client and Server, such as during APS uploads, proceed as follows:
1. Edit the file \jboss\server\bicnet\deploy\jboss-web.deployer\server.xml.
2. Search for the section that configures the connector of port 8080 and adjust the timeout to a value adequate to your network conditions. For example, to set the timeout to 60 seconds you must enter the value 60000 in the connectionTimeout attribute, as shown below:
   protocol="HTTP/1.1"
   enableLookups="false"
   redirectPort="8443"
   acceptCount="100"
   connectionTimeout="60000"
   disableUploadTimeout="true" />
3. Restart the TNMS Server.
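Editing server.xml by hand is error-prone: the value is in milliseconds, and the file usually contains more than one Connector element. The following Python helper is an added example, not part of the manual or of TNMS; it locates the Connector whose port attribute is 8080, converts a timeout given in seconds to milliseconds, and reports the previous value so the change can be logged. The embedded server.xml is a constructed sample carrying only the attributes the manual shows plus port="8080"; a second Connector on port 8009 is also constructed, to show that only the targeted connector is touched.

```python
"""Set connectionTimeout on the port-8080 connector of a server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample, not a copy of the real server.xml shipped with TNMS.
SAMPLE_SERVER_XML = """<Server>
  <Service>
    <Connector port="8080" protocol="HTTP/1.1" enableLookups="false"
               redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="false" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def find_connector(root, port):
    """Return the single Connector element listening on `port`; fail loudly otherwise."""
    matches = [c for c in root.iter("Connector") if c.get("port") == str(port)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one Connector with port={port}, found {len(matches)}")
    return matches[0]


def set_connection_timeout(xml_text, port, timeout_seconds):
    """Return (new_xml_text, previous_timeout_ms).
    The timeout is given in seconds and written in milliseconds, as the manual requires;
    disableUploadTimeout is set to "true" to match the manual's example."""
    if timeout_seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    root = ET.fromstring(xml_text)
    connector = find_connector(root, port)
    previous = connector.get("connectionTimeout")
    connector.set("connectionTimeout", str(int(timeout_seconds * 1000)))
    connector.set("disableUploadTimeout", "true")
    return ET.tostring(root, encoding="unicode"), previous


def get_connection_timeout(xml_text, port):
    """Read back the connectionTimeout attribute (None if the connector has none)."""
    root = ET.fromstring(xml_text)
    return find_connector(root, port).get("connectionTimeout")


if __name__ == "__main__":
    new_xml, old = set_connection_timeout(SAMPLE_SERVER_XML, 8080, 60)
    print("previous connectionTimeout:", old)
    print("new connectionTimeout:", get_connection_timeout(new_xml, 8080))
```

ElementTree drops XML comments and re-serialises the whole file, so on a production server use get_connection_timeout to verify the edited file after the restart rather than overwriting server.xml with this output; keep a copy of the original file before any change.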
7.12 Importing a public certificate from IOC Online Planning (IOC OP)
The communication between IOC OP and TNMS is SSL-encrypted, and that encryption is in turn based on certificates. If a keystore or certificate changes on IOC OP for any reason, a new key must be generated and then imported, otherwise communication is disabled. The certificates shipped with Coriant products and solutions exist to allow a correct installation and leave the products ready to work. Comply with all your organization's security rules and established practices before final deployment.
To import a public certificate, proceed as follows:
1. Log in to IOC OP.
2. Get the IOC OP Server public certificate file tcserver.cer and copy it to the TNMS Server. For information on how to generate this file, refer to the IOC OP Installation Manual for Solaris, section on generating the IOC OP server keystore and public key pair.
3. Open a Windows Command Prompt window (through cmd.exe).
4. Change to the directory that contains the keytool command:
   cd\jre\bin
5. Import tcserver.cer into the TNMS truststore by issuing:
   keytool -import -file tcserver.cer -alias tcserver -keystore "/jboss/server/bicnet/conf/sslmq.keystore" -storepass changeit
   The TNMS Server returns the certificate details and asks you to allow the import:
   Owner: CN=tcserver tcserver, OU=Optical Networks, O=Coriant, L=Lisboa, ST=Alfragide, C=PT
   Issuer: CN=tcserver tcserver, OU=Optical Networks, O=Coriant, L=Lisboa, ST=Alfragide, C=PT
   Serial number: 4ffd7431
   ...
   Trust this certificate? [no]: yes
   A successful import returns:
   Certificate was added to keystore
8 Backup and restore
This chapter guides a TNMS administrator through the backup and restore procedures. Backup and restore is a safeguard mechanism to back up the system and recover it in case a problem occurs.
8.1 General description
You must back up the information contained in the following two data repositories:
• Oracle server - DCN management and services information. This server includes the TNMS database.
• OpenDS server - User and security information.
The required information is backed up into three sets:
• Oracle database backups are used to recover the database from corruption events or unexpected integrity issues and return it to its last consistent state. These backups contain TNMS-specific data plus other Oracle files required for database recovery. The Oracle database backups are stored in Oracle's Fast Recovery Area under the BACKUPSET directory.
Warning: You must not use the BACKUPSET directory for any operations other than Oracle database backups. Full backups of the Oracle database are stored with a retention policy that allows for a redundancy of 2 backups. Therefore the BACKUPSET directory contains the last 3 backups, and older ones are automatically removed.
• TNMS database backup files are used to restore TNMS to a previous state in order to, for example, undo undesired user configurations or restore the TNMS state to a clean installation.
Note: TNMS database backup files cannot be used to directly recover from an Oracle database corruption event.
TNMS database backup files are stored under a target directory (local or remote) of your creation or choice. Inside this directory, each backup operation creates a subdirectory named after the backup timestamp, where the backup files are saved.
Warning: When performing a database backup, ensure that there are write permissions to the target directory.
• OpenDS database backup files are also stored under a target directory (local or remote) of your creation or choice. Inside this directory, each backup operation creates a subdirectory named after the backup timestamp, where the backup files are saved. You may choose to back up the TNMS and OpenDS databases simultaneously; in that case, the timestamped subdirectory contains the backup files of both databases.
8.2 Overview of the Backup and Restore interfaces
The TNMS DB backup can be performed via the console, in interactive (CLI) or non-interactive mode (friendly script), or via the TNMS Client (GUI). The TNMS DB restore can only be performed via the console (interactive or non-interactive mode).
8.2.1 Interactive mode
To access the interactive mode console, run backuprestore.bat with no arguments from C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location). This opens the interactive menu displayed in Figure 3.
Figure 3  Backup & Restore console
8.2.2 Non-interactive mode
The non-interactive mode allows you to embed the B&R feature into a scriptable language in order to automate common and repetitive tasks. To use the non-interactive mode, run the backuprestore.bat application from C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location) with arguments that specify the operation you intend to perform (Table 8). You can enter backuprestore -h in the command line to see this list.
Table 8  List of the available arguments in non-interactive mode
Options          | Description
-b, --backup     | Performs a TNMS and/or an OpenDS database backup.
-r, --restore    | Performs a TNMS and/or an OpenDS database restore.
-s, --schema     | Performs the operation on the TNMS database.
-l, --ldap       | Performs the operation on the LDAP (OpenDS) database.
-d, --directory  | When saving or loading a backup, this option must be followed by the path to the directory where the backup files will be stored in or loaded from.
-u, --username   | This option must be followed by the TNMS username.
-p, --password   | This option must be followed by the password matching the TNMS username.
-R, --recovery   | Use this option to recover the Oracle database. Note that it does not refer to the TNMS database.
-h, --help       | This option displays the list of the available arguments.
8.3 Backup procedures through the command line
This chapter describes how to back up the system data using the command line. Before proceeding, some general considerations and advice apply:
• Oracle and OpenDS servers must be running.
• You are advised to back up the files onto a safe repository.
• You are responsible for guaranteeing that the TNMS server backup data files are not corrupted or changed in any way, including the file name. Otherwise restoring the backup will not be possible.
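The last consideration above puts the burden of detecting corruption, renaming or tampering of backup files on the administrator, and the B&R tool itself offers no integrity check. One way to meet it is to write a SHA-256 manifest into each timestamped backup subdirectory right after the backup completes and to verify it before any restore. The following Python script is an added example, not part of the manual or of TNMS: the manifest file name manifest.sha256, the timestamp directory name and the file contents are constructed for the demonstration, and EXAMPLE.DMP is a placeholder for the .DMP file whose real name the manual does not show.

```python
"""SHA-256 manifest for a TNMS backup subdirectory (added example, not B&R code)."""
import hashlib
import os
import tempfile

MANIFEST_NAME = "manifest.sha256"   # hypothetical name chosen for this example


def sha256_of(path):
    """Hex SHA-256 digest of a file, read in chunks so large .DMP files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_backup_files(backup_dir):
    """Sorted relative paths of every file under backup_dir, excluding the manifest itself."""
    found = []
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                found.append(rel)
    return sorted(found)


def write_manifest(backup_dir):
    """Record 'digest  relative/path' for each backup file; return the recorded entries."""
    entries = [(rel, sha256_of(os.path.join(backup_dir, rel))) for rel in list_backup_files(backup_dir)]
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w", encoding="utf-8") as f:
        for rel, digest in entries:
            f.write(f"{digest}  {rel}\n")
    return entries


def verify_manifest(backup_dir):
    """Return a list of problems; an empty list means every file is present, unrenamed and unchanged.
    A renamed file shows up twice: as missing under its old name and as unexpected under the new one."""
    manifest_path = os.path.join(backup_dir, MANIFEST_NAME)
    if not os.path.exists(manifest_path):
        return ["manifest missing"]
    expected = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    present = set(list_backup_files(backup_dir))
    problems = []
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing or renamed: {rel}")
        elif sha256_of(os.path.join(backup_dir, rel)) != digest:
            problems.append(f"content changed: {rel}")
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return problems


def demo():
    """Build a constructed backup directory and return the verdicts for
    (untouched, file renamed, file edited) so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        bdir = os.path.join(tmp, "20140701_030000")       # constructed timestamp-style name
        os.mkdir(bdir)
        dmp = os.path.join(bdir, "EXAMPLE.DMP")           # placeholder for the real .DMP name
        ldif = os.path.join(bdir, "userRoot.ldif")
        with open(dmp, "wb") as f:
            f.write(b"\x00constructed dump bytes\x00")
        with open(ldif, "w", encoding="utf-8") as f:
            f.write("dn: dc=example\nobjectClass: top\n")   # constructed LDIF content
        write_manifest(bdir)
        clean = verify_manifest(bdir)
        os.rename(dmp, os.path.join(bdir, "EXAMPLE_copy.DMP"))
        after_rename = verify_manifest(bdir)
        os.rename(os.path.join(bdir, "EXAMPLE_copy.DMP"), dmp)
        with open(ldif, "a", encoding="utf-8") as f:
            f.write("description: edited\n")
        after_edit = verify_manifest(bdir)
        return clean, after_rename, after_edit


if __name__ == "__main__":
    for label, verdict in zip(("untouched", "renamed", "edited"), demo()):
        print(f"{label}: {verdict or 'OK'}")
```

Run write_manifest against the timestamped subdirectory as the last step of the backup script, and verify_manifest before calling backuprestore -r. Store the manifest (or a copy of it) on a different medium from the backup files; a manifest that travels with the files only detects accidental damage, not a deliberate change made with write access to the directory.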
8.3.1 Backing up the Oracle database
The backup of the Oracle database runs automatically; it is scheduled in the Oracle Scheduler to run daily at a predefined hour, which by default is 03:00 AM. The logs of these operations are stored in the B&R application folder, C:\Program Files (x86)\Coriant\TNMS\backuprestore\RMAN_TNMS.log. You can change the scheduled time using the B&R console schedule settings option. No other parameter can be changed.
Note: If you reschedule the daily backup, set it to run outside high-load periods, so that application performance is not affected.
This operation performs a full backup of the entire Oracle database, including the TNMS database backup files. You should also consider scheduling an independent backup of the TNMS database backup files, since Oracle backup files are kept for 3 days at most. Refer to chapter 8.3.5 Automating the Backup procedures for more information.
To change the scheduled backup time:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Run backuprestore.
4. Select option "4> Schedule settings" on the console.
5. Provide the TNMS credentials (Figure 4).
Figure 4  Changing the Oracle database backup schedule settings
6. Provide the new time for the scheduled backup to run, in 24-hour format (Figure 4).
7. Press Enter.
8.3.2 Backing up the TNMS database
To back up the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Back up the TNMS database using either the interactive mode console (go to step 4) or the non-interactive mode (go to step 5).
4. Either back up the TNMS database using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option "1> Perform backup".
   4.3 Provide the TNMS credentials upon request (Figure 5).
   Figure 5  Backup submenu
   4.4 Select option "1> TNMS database" from the submenu in Figure 5.
   4.5 Enter the directory of your choice (local or remote) where the backup files will be stored and press Enter.
5. Or run
   backuprestore -b -s -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp is created under the directory you provided and the backup file of the TNMS database is saved within it. The backup file is saved as a .DMP file.
8.3.3 Backing up the LDAP (OpenDS)
To back up the LDAP (OpenDS):
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R installation folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Back up the LDAP using either the interactive mode console (go to step 4) or the non-interactive mode (go to step 5).
4. Either back up the LDAP using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option "1> Perform backup".
   4.3 Provide the TNMS credentials upon request (Figure 6).
   Figure 6  Backup submenu
   4.4 Select option "2> LDAP database" from the submenu in Figure 6.
   4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
   backuprestore -b -l -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp is created under the directory you provided and the backup file of the LDAP database is saved within it. The backup file is saved as userRoot.ldif.
8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously
To back up the TNMS database and the LDAP (OpenDS) simultaneously:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Back up the TNMS and the LDAP databases using either the interactive mode console (go to step 4) or the non-interactive mode (go to step 5).
4. Either back up the TNMS database and the LDAP using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option "1> Perform backup".
   4.3 Provide the TNMS credentials upon request (Figure 7).
   Figure 7  Backup submenu
   4.4 Select option "3> Both TNMS and LDAP databases" from the submenu in Figure 7.
   4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
   backuprestore -b -a -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp is created under the directory you provided and the backup files of the TNMS and LDAP databases are saved within it. The backup files are saved respectively as a .DMP file and userRoot.ldif.
8.3.5 Automating the Backup procedures
It is recommended to back up the TNMS database at least weekly. You can create command scripts for the backup and restore procedures and configure the operating system scheduler to run them at scheduled times.
Warning: It is recommended to automate the backup using TNMS instead of a command script (see 8.4 Backup procedures through the TNMS client). The script contains sensitive data, such as usernames or passwords, that require access control. By using TNMS you avoid such security issues. Ensure the correct access rights, according to your security policy, on any command script containing sensitive data, such as usernames or passwords.
For example, you can create a weekly schedule with the following command:
SCHTASKS.EXE /CREATE /SC WEEKLY /TN "<name>" /ST <time> /TR "<command>" /RU "SYSTEM"
Where:
• <name> is the name of the schedule.
• <time> is the time at which the command will be run (for example, 02:50:00).
• <command> is the command to be run.
You can also use SCHTASKS.EXE to inspect the schedule details or delete schedules. To list the schedule details run:
SCHTASKS.EXE /TN "<name>"
And to delete a schedule run:
SCHTASKS.EXE /DELETE /TN "<name>"
Warning: You must create a user in TNMS dedicated to scheduled backups and not allow it to expire. Create the user via "User Administration" and select the option "User cannot change password". When setting the backup commands to be run by the schedules, use this user.
8.4 Backup procedures through the TNMS client
The Backup feature is also embedded in the TNMS client. It allows you to run a manual backup of the TNMS database (TNMS data) and/or the LDAP (TNMS users), or to schedule a backup. The Backup window (Figure 8) lets you see information about the backup status and choose to run a manual backup or schedule one. This window is for information purposes only.
Figure 8  Backup window
To run a manual backup of the TNMS database:
1. In the TNMS main window, click the Administration > System > Backup menu item. The Backup window opens.
2. Click the Manual button. This opens the Manual Backup window.
3. Select the Path to save the backup file.
Note: About the upload folder:
• The backup path must already exist on the server side, otherwise the task fails and you receive the following error message in a notification popup in the bottom right corner: Backup operation failed.
• The TNMS server machine must have read and write permissions on the shared folder, for everyone within the domain, so that no credentials are requested to read it. However, for accesses from outside the domain, the credentials will still be requested.
• If you use a remote drive, you have to specify the full network drive path, since TNMS is not able to reach the mapped drive through the letter assigned by Windows. Example:
  • Local drive - C:\
  • Remote drive - \\<server>\<share>
4. Select whether to export the TNMS Data, the TNMS Users, or both.
5. Click Start to run the backup. The backup task starts.
Note: When there is a backup running through the command line, it is not possible to run a manual backup through the TNMS Client. The opposite is also not possible.
To schedule a backup of the TNMS database:
1. In the TNMS main window, click the Administration > System > Backup... menu item. The Backup window opens.
2. Click the Schedule button. This opens the Schedule Backup window.
3. Check the Activate checkbox.
4. Under Backup Options, select the Start date.
5. Under Recurrence pattern, select the recurrence of the scheduling:
   • Periodic: allows you to define the recurring time and the backup period in days and hours. It also allows you to define the end date.
   • Weekly: allows you to define the recurring time and the week days.
   • Monthly: allows you to define the recurring time and the days of the month.
   At least one of these fields needs to be selected.
6. Select the Path where to save the backup file. The TNMS server machine must have read and write permissions on the shared folder. If you use a remote drive, you have to specify the full network drive path, since TNMS is not able to reach the mapped drive through the letter assigned by Windows only. Example:
   • Local drive - C:\backup
   • Remote drive - \\<server>\<share>\backup
7. Click OK. This schedules the backup.
Note: When a scheduled backup is run, both the TNMS database and the LDAP are backed up.
8.5 Recovery & Restore procedures
This chapter describes how to recover/restore the previously backed up system data. This application is run only through the command line.
8.5.1 Recovering the Oracle database
Note: A database recovery is not the same as a TNMS database restore and should only be performed in case of Oracle database corruption. Recovering the Oracle database will restore the TNMS database. However, restoring the TNMS database alone will not recover the Oracle database.
The database recovery automatically stops and restarts the "TNMS Server" service.
To recover the Oracle database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Use either the non-interactive mode or the interactive console:
   • Run backuprestore -R or backuprestore --recovery
   • Run backuprestore and select option "3> Perform database recovery".
An Oracle database recovery is made using the last consistent backup found in the Fast Recovery Area of Oracle.
Note: After the Oracle database recovery, a TNMS database restore is not necessary, since the Oracle database backups also contain the TNMS-specific data.
8.5.2 Restoring the TNMS database
During this procedure the "TNMS Server" service is automatically stopped and restarted.
To restore the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Restore the TNMS database using either the interactive mode console (go to step 4) or the non-interactive mode (go to step 5).
4. Either restore the TNMS database using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option "2> Perform restore".
   4.3 Provide the TNMS credentials upon request.
   4.4 Select option "1> TNMS database" from the submenu (Figure 9).
   Figure 9  Restore submenu
   4.5 Enter the directory from which to load the .DMP backup file and press Enter.
5. Or run
   backuprestore -r -s -d <directory>
The "TNMS Server" service is automatically restarted when the restore procedure is complete.
8.5.3 Restoring the LDAP (OpenDS)
To restore the LDAP:
1. Make sure the "OpenDS" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
4. Restore the LDAP database using either the interactive mode console (go to step 5) or the non-interactive mode (go to step 6).
5. Either restore the LDAP database using the interactive mode console:
   5.1 Run backuprestore.
   5.2 Select option "2> Perform restore".
   5.3 Provide the TNMS credentials upon request.
   5.4 Select option "2> LDAP database" from the submenu (Figure 10).
   Figure 10  Restore submenu
   5.5 Enter the directory from which to load the backup file (userRoot.ldif) and press Enter.
6. Or run
   backuprestore -r -l -d <directory>
Both the "TNMS Server" and the "OpenDS" services are automatically restarted after the restore procedure is complete.
8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously
To restore the TNMS database and the LDAP:
1. Make sure the "TNMS Server" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is C:\Program Files (x86)\Coriant\TNMS\backuprestore).
4. Restore the TNMS and the LDAP databases using either the interactive mode console (go to step 5) or the non-interactive mode (go to step 6).
5. Either restore the TNMS and the LDAP databases using the interactive mode console:
   5.1 Run backuprestore.
   5.2 Select option "2> Perform restore".
   5.3 Provide the TNMS credentials upon request.
   5.4 Select option "3> Both TNMS and LDAP databases" from the submenu (Figure 11).
   Figure 11  Restore submenu
   5.5 Enter the directory from which to load the backup files (.DMP and userRoot.ldif) and press Enter.
6. Or run
   backuprestore -r -a -d <directory>
The TNMS Server service is stopped before the restore procedure, and both the TNMS Server and the OpenDS services are restarted after the restore procedure.
9 Upgrade to TNMS 14.1 10
To transfer your data to TNMS 14.1 10, refer to the TNMS Upgrade Manual (Windows), where you can find the full description of the upgrade procedure.
10 TNMS and TNMS Core working together
TNMS and TNMS Core can be used in the same environment, with a common set of hardware resources.
10.1 Configuring common hardware
TNMS and TNMS Core can be used in the same environment while sharing a common set of hardware resources. However, there are constraints on how to set up such an environment:
• It is possible to install the TNMS Client and the TNMS Core Client / System Administration either on the same machine or on separate machines. However, they must share a machine if you want both client applications integrated with a GUI cut-through.
• It is possible to install the TNMS Netserver and the TNMS Core Netserver on the same machine, but, if you use the UDP protocol to connect the DCN to any NE, you must follow the procedure described under 10.1.1 Configuring a Common Netserver.
• It is possible to install the TNMS Standby Server and the TNMS Core Standby Server on the same machine. In this scenario, you must follow the procedure described under 10.1.3 Configuring a Common standby server.
Below are examples of possible setups:
Example 1: Large system
The applications are mostly distributed on different machines.
Figure 12  Distributed TNMS applications (large system)
Example 2: Medium system
To reduce the number of machines in medium networks, components can run in parallel on the same machine. The example in Figure 13 shows the netservers running on the same machines as the corresponding servers.
Figure 13  Distributed TNMS applications (medium system)
Example 3: Common Netserver
TNMS and TNMS Core share a common Netserver machine.
Figure 14  Common Netserver
Example 4: Common Standby server
TNMS and TNMS Core share a common Standby server machine.
Figure 15  Common Standby Server
10.1.1 Configuring a Common Netserver
A common Netserver is a machine where both the TNMS Core Netserver and the TNMS Netserver are installed. The hardware requirements for a Common Netserver are described in Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware. No specific configuration is needed on a common Netserver, except if you use the UDP protocol to connect the DCN to a (supported) NE. In such hybrid scenarios, a special configuration of the Netserver machine is required in order to allow multiple connections without traffic interference. You should also consider a specific configuration of the DCN while using TNMS and TNMS Core clients. So, in this particular case, you must perform configurations in:
• The operating system
• TNMS
• TNMS Core
You must complete all of the following three sets of instructions for the configuration to be complete.
Warning: This configuration can be done any time after installation. However, the configuration must be done prior to connecting TNMS Core and TNMS to the same network element via UDP, otherwise you will get an inconsistent network state representation.
Warning: Using both UDP and TCP protocols to connect to the same NE is not allowed and will result in an inconsistent network state representation.
To configure the operating system on the Netserver machine, proceed as follows:
1. Go to Start > Control Panel.
2. Select Network and Sharing Center.
3. Change Adapter Settings.
4. In Network Connection select the connection in use.
5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Make sure the IP is statically defined and not assigned by a DHCP server. Note down the defined Primary IP, as it will be necessary at a later stage.
6. Choose the Advanced tab.
7. In the IP Settings tab add the Secondary IP to be used by the common server. Note down the Secondary IP address, as it will be necessary later on.
8. Restart the Netserver.
TNMS Core and TNMS must use different IPs to communicate with each NE via the UDP protocol. If you configure the Primary IP in TNMS you must configure the Secondary IP in TNMS Core, and vice versa. Those IPs are configured in the Bind IP Address field.
In TNMS proceed as follows:
1. Go to the DCN Management window.
2. Create a new SNMP channel.
3. In the General tab:
   3.1 If you want to use the Primary IP, leave Automatic IP Address checked. In the field IP Address enter the Primary IP.
   3.2 If you wish to use the Secondary IP:
   • Uncheck Automatic IP Address.
   • In the field IP Address enter the Primary IP.
   • In the field Bind IP Address enter the Secondary IP.
   Warning: The connection to the NetServer is performed using the Primary IP and the connection to the NEs will be established using the Secondary IP. Remember you must use different IPs in TNMS and in TNMS Core. If you use the Primary IP in TNMS you must use the Secondary IP in TNMS Core, and vice versa.
4. Click OK and activate the channel.
In TNMS Core proceed as follows:
1. In System Administration go to DCN.
2. In DCN Connections add a Netserver.
3. Choose the Netserver you created and add a new SNMP channel.
4. In the Channel Properties tab, in the UDP Connection Settings group:
   4.1 If you want to use the Primary IP, leave Automatic IP Address checked. In the field IP Address enter the Primary IP.
   4.2 If you wish to use the Secondary IP:
   • Uncheck Automatic IP Address.
   • In the field IP Address enter the Primary IP.
   • In the field Bind IP Address enter the Secondary IP.
   Warning: The connection to the NetServer is performed using the Primary IP and the connection to the NEs will be established using the Secondary IP. Remember you must use different IPs in TNMS and in TNMS Core. If you used the Primary IP in TNMS you must use the Secondary IP in TNMS Core, and vice versa.
5. Click OK and activate the channel.
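The two rules stated in the procedure above, that TNMS and TNMS Core must bind their UDP channels to different IPs of the common Netserver and that no NE may be reached over both UDP and TCP, are easy to break when channels are created at different times by different people. The following Python check is an added example, not part of the manual or of TNMS; it takes a list of channel records as an administrator might export or transcribe them from the two DCN configuration windows and reports every violation. The IP addresses, channel records and NE names are constructed for the demonstration.

```python
"""Consistency check for common-Netserver DCN channels (added example, not TNMS code)."""
from collections import defaultdict

# Constructed addresses standing in for the Primary and Secondary IPs noted down
# during the operating-system configuration steps.
PRIMARY_IP = "192.0.2.10"
SECONDARY_IP = "192.0.2.11"


def check_channels(channels):
    """channels: iterable of dicts with keys manager ('TNMS' or 'TNMS Core'),
    protocol ('UDP' or 'TCP'), bind_ip (the Bind IP Address of the channel) and
    nes (the NEs the channel connects to).  Returns a list of problems; an empty
    list means both rules from the manual hold."""
    problems = []
    udp_bind_ips = defaultdict(set)      # manager -> UDP bind IPs it uses
    protocols_per_ne = defaultdict(set)  # NE -> protocols used to reach it
    for ch in channels:
        if ch["protocol"] == "UDP":
            udp_bind_ips[ch["manager"]].add(ch["bind_ip"])
        for ne in ch["nes"]:
            protocols_per_ne[ne].add(ch["protocol"])
    # Rule 1: TNMS and TNMS Core must not share a UDP bind IP.
    for ip in sorted(udp_bind_ips["TNMS"] & udp_bind_ips["TNMS Core"]):
        problems.append(f"TNMS and TNMS Core both bind UDP channels to {ip}")
    # Rule 2: an NE must not be connected over both UDP and TCP.
    for ne, protos in sorted(protocols_per_ne.items()):
        if {"UDP", "TCP"} <= protos:
            problems.append(f"{ne} is connected over both UDP and TCP")
    return problems


# Constructed channel sets: a compliant one and one breaking both rules.
GOOD_CHANNELS = [
    {"manager": "TNMS", "protocol": "UDP", "bind_ip": PRIMARY_IP, "nes": ["NE-1", "NE-2"]},
    {"manager": "TNMS Core", "protocol": "UDP", "bind_ip": SECONDARY_IP, "nes": ["NE-1", "NE-2"]},
]
BAD_CHANNELS = [
    {"manager": "TNMS", "protocol": "UDP", "bind_ip": PRIMARY_IP, "nes": ["NE-1"]},
    {"manager": "TNMS Core", "protocol": "UDP", "bind_ip": PRIMARY_IP, "nes": ["NE-1"]},
    {"manager": "TNMS Core", "protocol": "TCP", "bind_ip": SECONDARY_IP, "nes": ["NE-1"]},
]

if __name__ == "__main__":
    print("good:", check_channels(GOOD_CHANNELS) or "consistent")
    print("bad:", check_channels(BAD_CHANNELS))
```

Run the check whenever a channel is added on either side; the manual warns that a violation only shows up later as an inconsistent network state representation, which is much harder to trace back to its cause.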
10.1.2 Configuring a Common Client
A common Client is a machine where both the TNMS Core Client / System Administration and the TNMS Client are installed. The supported configurations for this scenario are all configurations of TNMS Core and all the Legacy configurations of TNMS. The hardware requirements for a Common Client are similar to those of a regular Client (Table 3).
10.1.3 Configuring a Common standby server
The Common standby server allows you to have both the TNMS and the TNMS Core Standby Servers running on the same machine. In case of failure of one of the TNMS or TNMS Core active servers (connection loss due to network failure, or hardware failure of the server), it is possible to activate and use one of the TNMS or TNMS Core standby servers until the problem is fixed. No special installation procedures are necessary for the Common Standby servers. The setup of this machine is done by installing first TNMS Core and then TNMS, according to the corresponding Installation Manuals. Later, a special configuration of the Netserver machine may be performed in order to allow multiple connections. This configuration is similar to the Common Netserver. For the standby server configuration procedures, refer to the TNMS Core Installation Manual (IMN) or the TNMS User Manual.
10.2 Importing data from TNMS Core
It is possible to import several types of data from TNMS Core. This feature can, for example, speed up the setup of your TNMS. You can import DCN configurations, physical trails, paths, subscribers and services involving hiT 7300 and FSP3000 R7 NEs.
You can also synchronize the DCN between TNMS Core and TNMS in shared network management scenarios. You can schedule a periodic import from TNMS Core that updates the DCN configuration in TNMS, avoiding the repetition of manual changes. Check the TNMS User Manual for detailed instructions on how to configure and use the import from TNMS Core feature.
10.3 Important note
When an NE is simultaneously managed by TNMS and TNMS Core, the configuration of the respective properties in the DCN Management window must be the same.
11 TNMS uninstallation
Before uninstalling TNMS, if you have a standby server assigned, you must first unassign it by doing as follows on the active server:
1. Select Administration > System > Standby Server Configuration and fill in the available fields. The address of the current standby server is filled in automatically.
2. Verify your input and click Unassign to start the procedure. The progress and result can be followed in the configuration steps, along with the elapsed time.
3. When the unassignment finishes, a notification pops up in the lower right corner with the status of the operation, either success or error. Alternatively, it is possible to check in the System Event Log that the procedure has ended successfully.
If any error occurs, the logs can be checked in /tmp_home/[timestamp]/result.log.
On the standby server, perform the following steps:
1. Go to the installation folder and, in \bin\scripts, run standby-server.bat as Administrator.
2. In the interactive menu select 3. Unconfigure StandBy.
To uninstall TNMS, do as follows:
1. Go to Start > Control Panel > Programs and Features.
2. In the list, right-click TNMS and select Uninstall.
3. Restart the machine once the uninstallation finishes.
Note: When the application is uninstalled, the users and groups are kept on the system; they are not deleted.
12 Security hardening

This chapter describes the security hardening measures available for TNMS. Note that TNMS already applies security hardening during installation; for example, security settings are defined so that no unnecessary permissions are granted. The remaining items are hardened to an acceptable level in a default installation, but it is possible to improve on that level as described in the following sections.
12.1 Physical and hardware hardening

Any effort in securing a system is useless if attackers can get physical access to a TNMS machine. It is very easy to disable security mechanisms or compromise the system if there is easy physical access to a machine. For this reason the following measures should be taken:
• The TNMS server machine should be located in a room where only the system administrators have access. A physical access control should be put in place, including, for example, electronic door locks.
• Any non-required I/O interfaces, such as USB interfaces or DVD drives, should be removed or, at least, disabled.
• Any type of communication interface not required for the operation of TNMS should be removed or, at least, disabled. This is especially important for wireless interfaces such as Bluetooth or WLAN adapters.
• All hardware should be securely installed so that it cannot easily be moved.
• The facilities where the hardware is located should have sufficient heat dissipation and, if needed, the server room should be air-conditioned.
• Additional security measures such as video surveillance of server rooms are recommended.
• The BIOS of the machines used for TNMS should be protected by a password, to prevent unauthorized modification of the BIOS configuration.

12.2 Operating System hardening

12.2.1 Microsoft Windows security patches

Coriant recommends that you install the Microsoft Windows security patches listed in the Customer Release Notes on all machines running TNMS.
12.2.2 Disable and delete unnecessary accounts

Unnecessary accounts should not exist, as the machine should be used exclusively by the TNMS server. Nevertheless, verify before TNMS is installed that no additional unnecessary users exist. TNMS only requires the existence of the following users:
• Administrator
• sshd
• SvcCOPSSH

All other users should be disabled. For example, during the Windows Server 2008 installation the Administrator, Guest and Help Assistant accounts are created by default. Both the Guest and Help Assistant accounts should be disabled at all times. To disable an account, do as follows:
1. Go to Start > All Programs > Administrative Tools > Server Manager > Configuration > Local Users and Groups > Users.
2. Right-click the user name (for example Guest or Help Assistant) and select Properties.
3. Click Disable Account.
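The same check, done from the command line so it can be repeated after every patch cycle. This is an added example, not a script from the Coriant manual; it uses only WMI and net.exe so that it runs on Windows Server 2008 / PowerShell 2.0, and it assumes an elevated session on a stand-alone (non-domain-controller) TNMS server. Set $DryRun to $false to apply the changes.

```powershell
# Added example, not part of the Coriant manual: disable every local account that is not on the
# allow-list from 12.2.2. WMI + net.exe only, so it works on Windows Server 2008 / PowerShell 2.0.
# Assumptions: elevated session on a stand-alone TNMS server; $DryRun = $false applies the changes.

$DryRun       = $true
$AllowedUsers = @('Administrator', 'sshd', 'SvcCOPSSH')     # the only accounts 12.2.2 requires

# LocalAccount=True excludes domain accounts, which Win32_UserAccount would otherwise enumerate
# on a domain member.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

foreach ($acct in $accounts) {
    $name = $acct.Name
    if ($AllowedUsers -contains $name) { Write-Host ("keep      {0}" -f $name); continue }
    if ($acct.Disabled)                { Write-Host ("disabled  {0} (already)" -f $name); continue }

    # 'net user <name> /active:no' is the command-line equivalent of "Disable Account" in
    # Local Users and Groups. Accounts are disabled, not deleted, as the manual requires.
    Write-Host ("disable   {0}" -f $name)
    if (-not $DryRun) { & net user $name /active:no | Out-Null }
}

# Verification: anything still enabled that is not on the allow-list is a finding.
$leftover = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { (-not $_.Disabled) -and ($AllowedUsers -notcontains $_.Name) } |
    ForEach-Object { $_.Name }
if ($leftover) { Write-Warning ("Still enabled and not allow-listed: " + ($leftover -join ', ')) }
else           { Write-Host 'OK: only allow-listed local accounts are enabled.' }
```

Run it once with $DryRun left at $true to see what would be disabled; an entry that is not Administrator, sshd or SvcCOPSSH and that you do not recognize is exactly the kind of leftover account this section is about.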
12.2.3 Uninstall unnecessary applications and roles

TNMS only requires the following roles:
• Web Server (IIS)
• Security
• FTP Server (optional: only if legacy NEs, which only support FTP, are to be managed by TNMS)
• Application development
• .NET Extensibility

All other roles should be uninstalled. To uninstall an unnecessary role:
• Go to Start > All Programs > Administrative Tools > Server Manager > Roles and click to remove roles.

To uninstall an unnecessary application:
• Go to Start > Control Panel > Programs and Features, select the application and click to remove it.

12.2.4 Configure Auditing

To automatically configure the audit policies, run the following command, located in the TNMS software:

TNMS_Prerequisites\Audit Policies\AuditPolicies.bat

Note: you can check the configured audit policies by running the following in the command line:

auditpol /get /category:*
12.2.5 Disable unnecessary shares

System and security administrators should disable all unnecessary shares, configure the necessary ones and harden all NTFS and share permissions. To disable shares, do as follows:
1. Get a list of all the shares on the server by running the following command:

   net share

2. Disable all shares that are not in use. See Table 9 Windows default shares for guidance on which default shares you should disable.

   Via the command line (replace <sharename> with the name listed by net share):

   net share <sharename> /delete

   Via the graphical user interface:
   1. Go to Start > Control Panel > Administrative Tools > Computer Management > System Tools > Shared Folders > Shares.
   2. Select the share and choose "Stop sharing".

Note that deleting an administrative drive share (C$, D$, ...) this way only lasts until the next restart: the Server service recreates these shares at startup unless the AutoShareServer value (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0.

Table 9  Windows default shares

Share        | Description                                                                  | Recommended hardening measure
DriveLetter$ | -                                                                            | Disable
ADMIN$       | Only needed in case of remote administration of the machine. Should not be disabled. | -
IPC$         | Needed by Windows and must therefore not be disabled.                        | -
NETLOGON     | Used by the domain controller and should not be disabled.                    | -
SYSVOL       | Used by the domain controller and should not be disabled.                    | -
Print$       | Only needed in case of remote administration of printers.                    | Disable manually, if it exists.
FAX$         | Only needed in case of remote administration of fax clients.                 | Disable manually, if it exists.
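Table 9 applied as a script, so that the result can be re-checked after a reboot. This is an added example, not part of the Coriant manual; it needs an elevated session on Windows Server 2008 / PowerShell 2.0 (WMI and net.exe only). The AutoShareServer registry step is standard Windows behaviour that the manual does not mention and is included so that the DriveLetter$ removal is not undone by the next restart.

```powershell
# Added example, not part of the Coriant manual: remove the shares that Table 9 says to disable and
# keep those it says to leave alone, on Windows Server 2008 / PowerShell 2.0 (WMI + net.exe).
# Assumptions: elevated session; AutoShareServer handling is Windows behaviour, not a manual step.

$KeepShares      = @('ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL')   # Table 9: must not be disabled
$RemoveIfPresent = @('print$', 'FAX$')                          # Table 9: disable manually, if they exist

foreach ($share in Get-WmiObject -Class Win32_Share) {
    $name = $share.Name
    if ($KeepShares -contains $name) {                      # -contains compares case-insensitively
        Write-Host ("keep   {0,-12} {1}" -f $name, $share.Path); continue
    }
    $isDriveAdminShare = $name -match '^[A-Za-z]\$$'        # C$, D$, ... = "DriveLetter$" in Table 9
    if ($isDriveAdminShare -or ($RemoveIfPresent -contains $name)) {
        Write-Host ("delete {0,-12} {1}" -f $name, $share.Path)
        & net share $name /delete | Out-Null
    } else {
        # Anything else was created by an administrator or an application: report it for review.
        Write-Warning ("review {0,-12} {1}  (not in Table 9; disable if not in use)" -f $name, $share.Path)
    }
}

# The Server service recreates C$, D$, ... at every start unless AutoShareServer is 0, so
# 'net share C$ /delete' alone is undone by the next reboot (Windows behaviour, not from the manual).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name 'AutoShareServer' -Value 0 -Type DWord

# Verification: the manual's own check
& net share
```

Shares that are neither in the keep list nor in Table 9 are deliberately only reported, because they were created by someone on this machine and the administrator has to decide whether they are still in use.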
12.2.6 Disable Remote Registry

The Remote Registry service allows registry access to authenticated remote users. Even though this service is blocked by the firewall and ACLs, if you have no reason to allow remote registry access, Remote Registry should be disabled. To restrict remote registry access:
1. Go to Start > All Programs > Accessories > Run, enter regedit and press Enter.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\.
3. Select winreg, right-click it and select Permissions.
4. Select the appropriate users/groups and the appropriate permissions.
5. Click OK and close the window.

These steps limit who may use the service through the permissions on the winreg key. To disable the service itself, set the Remote Registry service to "Disabled" in Start > Administrative Tools > Services, as described for the other services in 12.2.10.

12.2.7 Windows Error Reporting

Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. WER should be enabled. In Windows 7 Windows Error Reporting is enabled by default; in Windows Server 2008 you have to enable it. To enable WER:
1. Go to Start > All Programs > Administrative Tools > Server Manager and expand Resources and Support.
2. Click Configure Windows Error Reporting.
3. In the Windows Error Reporting Configuration dialog box, select one of the following options:
   • Yes, automatically send detailed reports: personal data may be sent to Microsoft.
   • Yes, automatically send summary reports: only non-personal data is sent to Microsoft.
4. Click OK.

Note that 12.3 recommends disabling general internet access for the TNMS machines; in that case the automatic submission to Microsoft cannot succeed, but the crash data is still captured locally.
12.2.8 Additional Software

The TNMS server machine should be dedicated to running the TNMS Server only. No additional software should be installed beyond the TNMS application and its prerequisites listed below:
• Acrobat Reader
• CopSSH
• ICW Base
• ICW COPSSHCP
• ICW OpenSSHServer
• J2SE Runtime Environment
• Java (TM)
• Microsoft Visual C++ Redistributable (several packages)
• OSI Stack
• TNMS
• Virus Scanner (for example, TrendMicro OfficeScan Client)

12.2.9 Digitally signed communications (Local Security Policy)

It is possible to digitally sign all Microsoft network server communications. By default this security feature is not switched on. To enable it, do as follows:
1. Go to Start > Control Panel > Administrative Tools and double-click Local Security Policy.
2. Expand Local Policies and select Security Options.
3. From the list, right-click Microsoft network server: Digitally sign communications (always) and select Properties.
4. Select Enabled and click OK to apply the change.
5. Repeat steps 3 and 4 for the policy Microsoft network server: Digitally sign communications (if client agrees).
12.2.10 Minimize system services

TNMS enables all services it requires for its proper operation, so any other active default service should be disabled. If required, Remote Access can be kept open for remote configuration of the system, for example in the case of a headless server (see 12.2.11 Remote Access/Remote Desktop). The following services must be disabled as they are not needed by TNMS. Some of them must be considered inherently insecure:

Note: FTP shall only be explicitly enabled when legacy NEs are used that support only FTP and not SFTP/SCP or FTPS.

• ActiveX Installer (AxInstSV)
• Application Layer Gateway
• Application Management
• ASP.NET State
• Bitlocker Drive Encryption Service
• Block Level Backup Engine Service
• DHCP Server/Client
• Bluetooth
• Bluetooth Support Service
• BranchCache
• Certificate Propagation
• Credential Manager
• Disk Defragmenter
• Distributed Link Tracking Client
• Encrypting File System
• Enterprise Connect WebDAV
• Fax
• Function Discovery Provider Host
• Function Discovery Resource Publication
• Health Key and Certificate Management
• HomeGroup Listener
• HomeGroup Provider
• IKE and AuthIP IPSec Keying Modules
• Any type of wireless LAN adapter
• Any type of Bluetooth adapter
• Interactive Services Detection
• Internet Connection Sharing
• KtmRm for Distributed Transaction Coordinator
• Link-Layer Topology Discovery Manager
• Microsoft Office Diagnostics
• Microsoft FTP Service (*)
• Microsoft Software Shadow Copy Provider
• Net.Msmq Listener Adapter
• Net.Pipe Listener Adapter
• Net.TCP Listener Adapter
• Network Location Awareness
• Office Source Engine
• Parental Controls
• Peer Name Resolution Protocol
• Peer Networking Grouping/Identity Manager
• Performance Counter DLL Host / Logs / Alerts
• Problem Report and Solution Support
• Program Compatibility Assistant
• Remote Access (**)
• Remote Desktop (**)
• Routing and Remote Access
• Secondary Logon
• Secure Socket Tunneling Protocol Service
• Smart card
• SNMP Trap
• Software Protection
• SPP Notification Service
• SSDP Discovery
• Storage Service
• Tablet PC Input Service
• Telephony
• Thread Ordering Server
• TPM Base Services
• UPnP Device Host
• Virtual Disk
• Volume Shadow Copy
• WebClient
• Windows Backup
• Windows Biometric Service
• Windows CardSpace
• Windows Connect Now - Config Registrar
• Windows Media Player Network Sharing Service
• Windows Remote Management (**)
• Windows Search
• WinHTTP Web Proxy Auto-Discovery Service
• Wired AutoConfig
• WLAN AutoConfig
• WWAN AutoConfig

* FTP is only needed if TNMS manages legacy NEs which support FTP but do not support any secure protocol.
** Disable only if no remote server administration shall be permitted.

Windows services can be disabled via Start > Administrative Tools > Services. If a service is changed to "Disabled" via the context menu, it is no longer running and will no longer be started automatically during OS startup.

TNMS Server uses the following services:
• Application Host Helper Service
• Certificate Propagation
• COM+ Event System
• COM+ System Application
• Cryptographic Services
• DCOM Server Process Launcher
• Desktop Window Manager Session Manager
• Diagnostic Policy Service
• Distributed Transaction Coordinator
• DNS Client
• IIS Admin Service
• IP Helper
• IPsec Policy Agent
• Microsoft FTP Service
• Net.Pipe Listener Adapter
• Net.Tcp Listener Adapter
• Net.Tcp Port Sharing Service
• Netlogon
• Network Connections
• Network List Service
• Network Location Awareness
• Network Store Interface Service
• Optional: Virus Scanner, e.g. OfficeScan NT RealTime Scan
• OpenDS
• Openssh SSHD
• OracleOraDb11g_home1TNSListener
• OracleServiceTNMS
• Plug and Play
• Portable Device Enumerator Service
• Power
• Print Spooler
• RCTSrv
• Remote Desktop Configuration*
• Remote Desktop Services*
• Remote Desktop Services UserMode Port Redirector*
• Remote Procedure Call (RPC)
• RPC Endpoint Mapper
• Security Accounts Manager
• Server
• Shell Hardware Detection

Some names appear in both lists above (Certificate Propagation, Net.Pipe Listener Adapter, Network Location Awareness, Microsoft FTP Service and the Remote Desktop services). Check the second list before disabling anything from the first: a service that TNMS Server uses must remain enabled, and for Microsoft FTP Service and the Remote Desktop services the (*) and (**) conditions decide.
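A scripted version of this section that refuses to disable anything on the "TNMS Server uses" list, so the overlap between the two lists cannot take a required service down. This is an added example and not a script from the Coriant manual. It targets Windows Server 2008 / PowerShell 2.0, must run elevated, and the two arrays hold a representative subset written with the display names shown in the Services snap-in (extend them from the manual's full lists). Remote Registry is added from 12.2.6, which the manual handles through winreg permissions rather than the service; that addition is this example's choice.

```powershell
# Added example, not part of the Coriant manual: disable the 12.2.10 services, but never one that the
# manual also lists among the services TNMS Server uses. Windows Server 2008 / PowerShell 2.0 compatible.
# Assumptions: elevated session; $ToDisable / $Required are representative subsets of the manual's
# lists (extend them); 'Remote Registry' comes from 12.2.6 and is this example's addition.

$AllowRemoteAdmin = $true     # (**) entries: keep if remote server administration is permitted (12.2.11)
$LegacyFtpNeeded  = $false    # (*) entry: keep only for legacy NEs that support nothing but FTP

$ToDisable = @(
    'ActiveX Installer (AxInstSV)', 'Application Layer Gateway Service', 'Application Management',
    'ASP.NET State Service', 'BitLocker Drive Encryption Service', 'Block Level Backup Engine Service',
    'Bluetooth Support Service', 'BranchCache', 'Certificate Propagation', 'Credential Manager',
    'Disk Defragmenter', 'Distributed Link Tracking Client', 'Encrypting File System (EFS)', 'Fax',
    'Function Discovery Provider Host', 'Function Discovery Resource Publication',
    'IKE and AuthIP IPsec Keying Modules', 'Interactive Services Detection',
    'Internet Connection Sharing (ICS)', 'Link-Layer Topology Discovery Mapper',
    'Microsoft FTP Service', 'Net.Msmq Listener Adapter', 'Net.Pipe Listener Adapter',
    'Net.Tcp Listener Adapter', 'Network Location Awareness', 'Peer Name Resolution Protocol',
    'Routing and Remote Access', 'Secondary Logon', 'Secure Socket Tunneling Protocol Service',
    'Smart Card', 'SNMP Trap', 'SSDP Discovery', 'Telephony', 'UPnP Device Host', 'Virtual Disk',
    'Volume Shadow Copy', 'WebClient', 'Windows Backup', 'Windows Search',
    'WinHTTP Web Proxy Auto-Discovery Service', 'Wired AutoConfig', 'WLAN AutoConfig',
    'WWAN AutoConfig', 'Remote Registry'
)
$RemoteAdmin = @('Remote Desktop Services', 'Remote Desktop Configuration',
    'Remote Desktop Services UserMode Port Redirector', 'Windows Remote Management (WS-Management)')
if (-not $AllowRemoteAdmin) { $ToDisable += $RemoteAdmin }

$Required = @(   # "TNMS Server uses the following services" (12.2.10), representative subset
    'Application Host Helper Service', 'Certificate Propagation', 'Cryptographic Services',
    'IIS Admin Service', 'Net.Pipe Listener Adapter', 'Net.Tcp Listener Adapter',
    'Net.Tcp Port Sharing Service', 'Netlogon', 'Network Location Awareness',
    'Openssh SSHD', 'Remote Procedure Call (RPC)', 'Server'
)
if ($LegacyFtpNeeded)  { $Required += 'Microsoft FTP Service' }
if ($AllowRemoteAdmin) { $Required += $RemoteAdmin }

# Names present in both lists are a contradiction in the manual: report them and leave them alone.
foreach ($c in ($ToDisable | Where-Object { $Required -contains $_ })) {
    Write-Warning ("'{0}' is in both lists of 12.2.10; left unchanged" -f $c)
}

foreach ($display in $ToDisable) {
    if ($Required -contains $display) { continue }
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host ("not installed: {0}" -f $display); continue }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $svc.Name -StartupType Disabled     # = "Startup type: Disabled" in the snap-in
    Write-Host ("disabled: {0} [{1}]" -f $display, $svc.Name)
}

# Verification: no required service may end up with start mode Disabled.
foreach ($display in $Required) {
    $filter = "DisplayName='{0}'" -f $display.Replace("'", "''")
    $w = Get-WmiObject -Class Win32_Service -Filter $filter
    if ($w -and $w.StartMode -eq 'Disabled') { Write-Warning ("required service is disabled: {0}" -f $display) }
}
```

The two switches at the top encode the (*) and (**) footnotes: flipping $AllowRemoteAdmin moves the Remote Desktop and WinRM services between the two lists, and $LegacyFtpNeeded does the same for the Microsoft FTP Service, so the script's behaviour follows the manual's conditions rather than a fixed list.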
12.2.11 Remote Access/Remote Desktop

TNMS does not rely on the remote access/remote desktop feature of the Windows operating system. However, it is possible to remotely administer TNMS machines. It is therefore recommended that you configure Network Level Authentication for the allowed connections as described below.

To configure Network Level Authentication for a connection:
1. On the Remote Desktop Session Host server, go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow connections only from computers running Remote Desktop with Network Level Authentication. If this check box is selected but cannot be changed, the Group Policy setting Require user authentication for remote connections by using Network Level Authentication has already been enabled and applied to the Remote Desktop Session Host server.
4. Click OK.

12.2.12 Reduce passive FTP port range

By default FTP uses any port of the dynamic port range 49152-65535, which is quite wide. To limit this range, do as follows:

Warning: the range should contain 50 or more ports.

1. Go to the IIS 7 Manager.
2. In the Connections pane, click the server-level node in the tree.
3. Double-click the FTP Firewall Support icon in the list of features.
4. Enter a range of values for the Data Channel Port Range and click Apply in the Actions pane to save your settings.

The same range must then be opened in the firewall (see the FTP rows of Table 10).

12.3 Networking and firewall configuration

You should configure the network so that the TNMS machines are only accessible from the machines with which TNMS needs to communicate. This can be done by network segmentation and by firewall deployment. The hardening description below is general, as the measures depend heavily on the network infrastructure and topology. You should consider disabling any default gateways and using static routes between the TNMS machines and the other machines with which TNMS needs to communicate. Access to the general internet should also be disabled. It is recommended that you install a network firewall. However, you can also use local firewalls, such as the Windows Firewall (see 12.3.2 How to configure the Windows firewall).

Warning: Coriant does not recommend the deployment of a firewall between the NetServer and the NE network. This scenario is not tested and therefore is not officially supported. If the customer needs to deploy one for topology or security reasons, the ports listed for NetServer to NE communication in this manual can be used as a starting point to configure the firewall for the Coriant hiT 7300 and hiT 7100 NEs. Other supported NEs may need different or additional ports and protocols; refer to the specific NE's manual to gather the information required to configure your firewall.
12.3.1 List of ports to open in the firewall

Below is the list of ports to be opened in the firewall, together with their description (Table 10). The rows are grouped by the firewall they apply to. Where the source states the Encrypted or Optional / Mandatory value once for a whole group of rows, that value is repeated on each row of the group; "-" means the source gives no value.

Note: Coriant does not recommend the use of a proxy to access the Citrix Server through the web interface, but if you decide to use one you must open a port in the firewall for the proxy.

Table 10  Firewall rules

Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory

Firewall between a Planning Tool (PT) and TNMS Server
PT | TNMS Server | 8093 | TCP | MTOSI / JMS | Yes (TLS) | TMF-854 interface between TNMS and PT. Used in the IOC deployment. | Optional. Only for IOC.
TNMS Server | PT | 4189 | TCP | PCEP | Yes (TLS) | PCEP interface used by TNMS to request routes from PT. Used in the IOC deployment. | Optional. Only for IOC.

Firewall between an NBI and TNMS Server
CORBA Northbound Interface | TNMS Server | 17289 (default; CORBA NS), 3528 (CORBA IIOP) | TCP | MTMN CORBA | No | TMF-814 interface for integration into an umbrella NMS. | Optional. Only if the CORBA NBI is used.
TNMS Server | CORBA Northbound Interface | configurable | TCP | CORBA | - | External CORBA Naming Service. | Optional. Only if the CORBA NBI is used.
TNMS Server | CORBA Northbound Interface | configurable | TCP | CORBA | - | External CORBA Notification Service. | Optional. Only if the CORBA NBI is used.

Firewall between a remote Administrator machine and TNMS Server or TNMS NetServer (northbound) machines
TNMS remote Administrator machine | TNMS Server machine / TNMS NetServer (northbound) machine | 3389 | TCP | RDP (Windows Remote Access) | Yes (if the TNMS security hardening is followed) | Windows Remote Desktop for remote administration. | Optional. Only required if TNMS machines need to be administered remotely.

Firewall between CITRIX client and CITRIX server
Citrix server and client are only deployed if a central user interface server is used (for example a central Windows server for TNMS clients). If not used, packets arriving at these ports can be rejected or dropped. Only required when Citrix is used.
TNMS user workstation (CITRIX client) | TNMS Client (CITRIX server) | 1494 | TCP | ICA | No | For Citrix. | Optional
TNMS user workstation (CITRIX client) | TNMS Client (CITRIX server) | 2598 | TCP | ICA | Yes | For Citrix SecureICA. | Optional
TNMS user workstation (CITRIX client) | TNMS Client (CITRIX server) | 80 | TCP | http | No | Only if you use the Citrix web client. If you have a Citrix client installed locally you do not need to open this port. | Optional
TNMS user workstation (CITRIX client) | TNMS Client (CITRIX server) | 443 | TCP | https | Yes | Only if you use the Citrix web client. If you have a Citrix client installed locally you do not need to open this port. | Optional

Firewall between TNMS clients and TNMS Server
TNMS Client | TNMS Server | 1098 | TCP | RMI | Yes (TLS) | Naming service port for RMI requests from client proxies. | Mandatory
TNMS Client | TNMS Server | 1100 | TCP | JBoss NS | Yes (TLS) | JBoss Naming Service. | Mandatory
TNMS Client | TNMS Server | 3873 | TCP | EJB3 | Yes (TLS) | EJB3 Remoting Connector. | Mandatory
TNMS Client | TNMS Server | 4444 | TCP | RMI | Yes (TLS) | Port for the RMI/JRMP invoker. | Mandatory
TNMS Client | TNMS Server | 4445 | TCP | RMI | Yes (TLS) | Port for the Pooled invoker. | Mandatory
TNMS Client | TNMS Server | 5445 | TCP | RMI | Yes (TLS) | RMI (JMX HornetQ). | Mandatory
TNMS Client | TNMS Server | 8080 | TCP | WEBDAV | Yes (TLS) | WEBDAV service. | Mandatory
TNMS Client | TNMS Server | 8083 | TCP | RMI | Yes (TLS) | RMI Web Service port for dynamic class and resource loading. | Mandatory
TNMS Client | TNMS Server | 8093 | TCP | JMS | Yes (TLS) | JMS Service. | Mandatory

Firewall between TNMS clients and TNMS Netserver(s)
Embedded EM (TNMS client) | Netserver | 22 | TCP | SSH tunnel to the central SFTP server | - | The craft terminal is embedded in the TNMS client, so the client can open it. To communicate with the central SFTP server running on the TNMS Netserver machine, a tunnel is created. | Optional. Only used for NEs that use SFTP, for example hiT 7300 and hiT 7100.

Firewall between TNMS Server and TNMS Netserver
Note: for the three groups below the source gives "No (local only)" as the Encrypted value for the whole group; SSH/SCP and SFTP on port 22 are encrypted by the protocol itself.
TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SSH/SCP | No (local only) | Secure Copy (secure copy over SSH). | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 1198 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 1199 | TCP | JBossNS | No (local only) | JBoss Naming Service. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 3973 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 4445 | TCP | RMI | No (local only) | Port for the Pooled invoker. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 8093 | TCP | RMI | No (local only) | RMI. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 19980 | TCP | CORBA | No (local only) | CORBA OMNIORB listening port. | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SFTP | No (local only) | Secure FTP. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 1298 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 1299 | TCP | JBossNS | No (local only) | JBoss Naming Service. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 4073 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 8093 | TCP | RMI | No (local only) | RMI. | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 21 | TCP | FTP | No (local only) | File Transfer Protocol (control channel). | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
TNMS Server | TNMS NetServer (northbound) | 49152-65535 | TCP | FTP | No (local only) | File Transfer Protocol (passive data channel). Limit the dynamic range used by the FTP server: 1. Go to IIS connection manager > Connections column (Server) > FTP Firewall Support > Set Data Channel Port Range and insert the desired range. 2. Restart IIS. 3. Insert the same range in the firewall. | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
TNMS Netserver (northbound) | TNMS Server | 1098 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies. | Mandatory
TNMS Netserver (northbound) | TNMS Server | 1100 | TCP | JBoss | No (local only) | JBoss Naming Service. | Mandatory
TNMS Netserver (northbound) | TNMS Server | 3528 | TCP | CORBA / IIOP | No (local only) | CORBA Object Adapter (used by TNMS NBI/SBI). | Mandatory
TNMS Netserver (northbound) | TNMS Server | 4444 | TCP | RMI | No (local only) | Port for the RMI/JRMP invoker. | Mandatory
TNMS Netserver (northbound) | TNMS Server | 8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading. | Mandatory
TNMS Netserver (northbound) | TNMS Server | 8093 | TCP | JMS | No (local only) | JMS Service. | Mandatory

Firewall between TNMS active server and TNMS standby server
TNMS active server | TNMS standby server | 1521 | TCP | Oracle stream | No | Oracle database replication. | Optional. Only if a standby TNMS Server is installed.
TNMS standby server | TNMS active server | 1521 | TCP | Oracle | No | Oracle database replication. | Optional. Only if a standby TNMS Server is installed.

Firewall between TNMS Server and Customer Network
TNMS Server | DNS server | 53 | TCP | DNS | No | DNS. | Optional. Only if a DNS service is used; required if a TNMS standby server is used.
TNMS Server | NTP server | 123 | TCP / UDP | NTP | No | NTP. Use TCP or UDP depending on the configuration of the NTP server. | Mandatory
TNMS Server | Server where TNMS logs are transferred to | 21 | TCP | FTP | No | External server to store logs. | Optional. Only needed if logs are to be transferred to an external log file server.
TNMS Server | Server where TNMS logs are transferred to | 22 | TCP | SFTP | Yes | External server to store logs. | Optional. Only needed if logs are to be transferred to an external log file server.
TNMS Server | Domain controller | 88 | UDP | Kerberos | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
TNMS Server | Domain controller | 135 | TCP / UDP | DCE / RPC | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
TNMS Server | Domain controller | 389 | TCP / UDP | LDAP | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
TNMS Server | Domain controller | 445 | TCP / UDP | AD / SMB | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
TNMS Server | Domain controller | 464 | TCP / UDP | Kerberos | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.

Where both FTP (21) and SFTP (22) are offered for the log transfer, prefer SFTP: FTP carries the credentials and the log contents in clear text.

Traffic between TNMS and NE Network (firewall not recommended), example for hiT 7300 / hiT 7100
TNMS Netserver (southbound) | NE/GNE management interface | 10000-13999 | TCP | SNMP multiplexing | - | SNMP multiplexing ports (NAPT) for the embedded CT; target NE. | Mandatory
TNMS Netserver (southbound) | NE/GNE management interface | 161 | TCP | SNMPv3 over TCP (RFC 3420) | Yes (SNMPv3) | SNMP managers. | Mandatory
NE/GNE management interface | TNMS Netserver (southbound) | 22 | TCP | SSH / SCP | Yes | Secure Copy (secure copy over SSH). | Mandatory
NE/GNE management interface | TNMS Client (LCT) | 990-993 | TCP | FTPS | Yes (SSL) | FTP over SSL for LCT communication. | Optional. For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE; not recommended. To avoid direct connectivity, configure the TNMS SFTP settings for tunnelling the communication between LCT and NEs.
NE/GNE management interface | TNMS Client (LCT) | 49152-65535 | TCP | FTPS | Yes (SSL) | FTP over SSL for LCT communication. Note: the number of ports within this range in use at a given time equals the number of LCTs communicating with the NE, up to a maximum of 4 ports. Additional ports may be opened if more simultaneous LCTs are required. | Optional. Same conditions as the 990-993 row.

Traffic between TNMS and NE Network (firewall not recommended), example for Juniper NEs
TNMS Netserver (southbound) | NE/GNE management interface | 22 | TCP | NETCONF | Yes (SSH) | NETCONF management interface for Juniper. | Optional (only if there are Juniper NEs in your network).
NE/GNE management interface | TNMS Netserver (southbound) | 32666 | UDP | SNMPv3 | Yes (SNMPv3) | Trap notifications from Juniper. | Optional (only if there are Juniper NEs in your network).

Traffic between TNMS and NE Network (firewall not recommended), example for hiT 7020, 7025, 7030, 7035, 7060, 7060HC, 7065, 7080 NEs
NE/GNE management interface | TNMS Netserver (southbound) | 8002 | TCP | SNMPv3 | Yes (SNMPv3) | Trap handler. | Optional (only if there are any of these NEs in your network).
12.3.2 How to configure the Windows firewall

To configure the Windows 7 / Windows Server 2008 firewall, proceed as follows:
1. Go to Start > Control Panel > Windows Firewall.
2. Click Advanced settings.
3. In the left pane click Inbound Rules or Outbound Rules, depending on the direction of the connection you are configuring.
4. In the right pane, click New Rule to open a port for the traffic of a service. The New Inbound/Outbound Rule Wizard starts.
5. In the Rule Type step select Port. Click Next.
6. In the Protocols and Ports step select TCP, then select Specific local ports and enter the port number to which the rule applies (see Table 10). Click Next.
7. In the Action step select Allow the connection. Click Next.
8. In the Profile step check Domain (uncheck all others). Click Next.
9. In the Name step type a name for the rule. Click Finish to create the rule and close the wizard.
10. Repeat the procedure for each of the remaining ports.

A rule bound to the Domain profile is only active while the machine is joined to and connected to its domain; on a stand-alone TNMS server select the profile that matches the network in step 8, otherwise the rule never applies. Table 10 also contains UDP and TCP/UDP entries (NTP, Kerberos, LDAP, SNMP traps); choose the matching protocol in step 6 for those. The wizard leaves the remote address at "Any"; restricting each rule to the source host given in Table 10 (Scope tab of the rule's properties) limits the exposure further.
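The same rules created from the command line, scoped to the source host of each Table 10 row instead of "Any", together with the passive FTP range of 12.2.12 set through appcmd so that the IIS setting and the firewall rule cannot drift apart. This is an added example, not a script from the Coriant manual. It uses netsh because New-NetFirewallRule does not exist on Windows Server 2008; all addresses are placeholders, $FwProfile must match the host's actual network profile, and the FTP part is meant to be run on the machine that hosts the IIS FTP server (the NetServer northbound, per Table 10) with the TNMS Server's address as the remote.

```powershell
# Added example, not part of the Coriant manual: Table 10 rules via netsh, restricted to their source
# host, plus the 12.2.12 passive FTP range via appcmd. Assumptions: elevated session; placeholder
# addresses below; $FwProfile must be the profile the host actually uses (12.3.2 step 8 says domain).

$FwProfile    = 'domain'            # 'private' or 'public' on a server that is not domain-joined
$ClientSubnet = '10.10.20.0/24'     # placeholder: network of the TNMS clients
$NetServerIp  = '10.10.30.5'        # placeholder: TNMS NetServer (northbound)
$TnmsServerIp = '10.10.30.1'        # placeholder: TNMS Server (remote side for the FTP rules)
$LegacyFtp    = $false              # only $true if legacy NEs that support nothing but FTP are managed
$FtpLow = 50000; $FtpHigh = 50049   # 12.2.12: the range should contain 50 or more ports

$ClientPorts    = @(1098, 1100, 3873, 4444, 4445, 5445, 8080, 8083, 8093)  # Table 10: TNMS clients -> TNMS Server
$NetServerPorts = @(1098, 1100, 3528, 4444, 8083, 8093)                    # Table 10: TNMS Netserver -> TNMS Server

function Add-TnmsRule {
    param([string]$Name, [string]$LocalPort, [string]$RemoteIp, [string]$Protocol = 'TCP')
    # remoteip= is the scoping the 12.3.2 wizard leaves at "Any"; the rest mirrors its steps 5-9.
    $out = & netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=$Protocol localport=$LocalPort remoteip=$RemoteIp profile=$FwProfile 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning ("rule '{0}' failed: {1}" -f $Name, ($out -join ' ')) }
}

function Set-FtpDataChannelRange {
    param([int]$Low, [int]$High, [string]$RemoteIp)
    if (($High - $Low + 1) -lt 50) { throw '12.2.12: the range should contain 50 or more ports' }
    # Same setting as IIS Manager > FTP Firewall Support > Data Channel Port Range (12.2.12 step 4).
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    & $appcmd set config -section:system.ftpServer/firewallSupport "/lowDataChannelPort:$Low" "/highDataChannelPort:$High" /commit:apphost | Out-Null
    & iisreset | Out-Null                                   # Table 10: restart IIS after the change
    Add-TnmsRule 'TNMS FTP control (legacy NEs only)' 21 $RemoteIp
    Add-TnmsRule 'TNMS FTP passive data (legacy NEs only)' "$Low-$High" $RemoteIp   # same range in the firewall
}

# On the TNMS Server: one scoped rule per Table 10 row
foreach ($p in $ClientPorts)    { Add-TnmsRule ("TNMS Server TCP {0} from clients" -f $p)   $p $ClientSubnet }
foreach ($p in $NetServerPorts) { Add-TnmsRule ("TNMS Server TCP {0} from NetServer" -f $p) $p $NetServerIp }

# On the NetServer hosting the IIS FTP server, and only for legacy NEs (Table 10 / 12.2.12)
if ($LegacyFtp) { Set-FtpDataChannelRange $FtpLow $FtpHigh $TnmsServerIp }

# Verification: list what was created
& netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Rule Name:\s+TNMS'
```

Because every rule carries a remoteip, a port that is open for the client subnet is still closed for everything else; that is the difference to the wizard's default and the reason the source column of Table 10 matters.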
12.4 OEM Hardening

This section describes how OEM and third-party software that works with TNMS can be hardened to decrease the attack surface of TNMS.

12.4.1 JBoss

The JBoss JMX console should be disabled. To disable it, remove the folder:

…\TNMS\jboss\server\bicnet\deploy\jmx-console.war
12.4.2 CopSSH (SFTP)

You should limit user access to the CopSSH home folder. To do so, configure the NTFS file system permissions manually as described below (<drive>, <copssh-install-dir> and <user> are placeholders for the drive letter, the CopSSH installation directory and the user name):
1. Create a local group by running the following command in the command line:

   net localgroup CopsshUsers /ADD

2. Deny access to this group for each available local drive, by running:

   cacls <drive>:\ /c /e /t /d CopsshUsers

3. Open access to the home directory, by running:

   cacls <copssh-install-dir>\home /c /e /t /r CopsshUsers

4. Add the CopSSH user to the group created above and make sure that the user is not a member of any other group. Run:

   net localgroup CopsshUsers <user> /add

5. Go to the CopSSH control panel and activate the user for "Linux shell and Sftp" or "Sftp only". Shell access will not work due to the limitations on system directories.
6. Repeat steps 4 and 5 for each user.
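The same restriction done with icacls, which replaces the deprecated cacls on Windows Server 2008, plus the check that step 4 asks for (the user must be in no other group). This is an added example and not a script from the Coriant manual. $CopsshHome and the user names are placeholders; the script must run elevated. As with cacls /t, the deny entry is written explicitly on every object, so it also reaches folders whose inheritance is disabled; expect it to take a while on a large volume.

```powershell
# Added example, not part of the Coriant manual: the 12.4.2 restriction with icacls plus the
# group-membership check of step 4. Assumptions (placeholders): $CopsshHome, $Users; elevated session.

$Group      = 'CopsshUsers'
$CopsshHome = 'C:\Program Files (x86)\ICW\home'     # placeholder for <copssh-install-dir>\home
$Users      = @('tnms-sftp')                        # placeholder user names

# Step 1: the local group (an "already exists" error is harmless)
& net localgroup $Group /add 2>$null | Out-Null

# Step 2: explicit deny for the group on every object of every fixed drive (DriveType 3).
# /T recurses like cacls /t, /C continues past objects that cannot be changed.
$drives = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object { $_.DeviceID + '\' }
foreach ($d in $drives) { & icacls $d /deny "${Group}:F" /T /C | Out-Null }

# Step 3: open the home directory again by removing the deny entries below it (cacls /r equivalent)
& icacls $CopsshHome /remove:d $Group /T /C | Out-Null

# Steps 4 and 6: add each user to the group and make sure it is a member of nothing else.
foreach ($u in $Users) {
    & net localgroup $Group $u /add 2>$null | Out-Null
    # Win32_GroupUser links local groups to their members; collect the groups whose member is $u.
    $memberOf = Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.PartComponent -match ('Win32_UserAccount\.Domain="[^"]+",Name="{0}"$' -f [regex]::Escape($u)) } |
        ForEach-Object { if ($_.GroupComponent -match 'Name="([^"]+)"$') { $Matches[1] } }
    foreach ($g in ($memberOf | Where-Object { $_ -ne $Group })) {
        # A new local account is in "Users" by default; step 4 says it must be in no other group.
        Write-Warning ("{0} is also a member of '{1}'; removing (step 4)" -f $u, $g)
        & net localgroup $g $u /delete | Out-Null
    }
}

# Check: the group must be denied outside the home folder and must not be denied inside it.
& icacls $env:SystemRoot | Select-String $Group      # expect a Deny entry
& icacls $CopsshHome     | Select-String $Group      # expect no Deny entry
```

Step 5 (activating the user for "Sftp only" in the CopSSH control panel) has no command-line equivalent in the manual and is still done in the GUI.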
12.4.3 Oracle

Table 11  Database-related configurations and security hardenings

File name | Location | Explanation / Goal | Hardening
config.dat | \jboss\server\bicnet\conf | Binary file which allows USM to connect to the LDAP server. | Restrict the file permissions according to 12.6.1.
db-ds.xml | \jboss\server\bicnet\deploy | Text file which connects the JBoss components to the database. The credentials are identified in the file by username/password. | Restrict the file permissions according to 12.6.1.

12.4.4 Internet Explorer

Internet Explorer should not be used for browsing the public internet, as this increases the risk of compromising the system. You should disable access to the public internet.
12.5 TNMS Maintenance Packages and Workaround Updates

Coriant recommends that you install the TNMS Maintenance Packages and Workaround Updates when they become available, since they may contain relevant security improvements.
12.6 User Management

Table 12 lists the default TNMS user accounts and the hardening that applies to each. "N/A" in the Hardening column means that no hardening is possible or needed for that entry; "-" means the source gives no value.

Table 12  Default TNMS user accounts and security hardenings

Component | Username / Password | Location | Explanation / Goal | Hardening
TNMS Server (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | /jboss/server/bicnet/conf/props/jmx-console-users.properties | Access to the management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Generic Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | /jboss/server/gm/conf/props/jmx-console-users.properties | Access to the management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Multi Vendor Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | /jboss/server/mvm/conf/props/jmx-console-users.properties | Access to the management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Generic Mediator | User: RemoteLoginFunction. Password: hardcoded. Authentication from TNMS (GM) to the NE is possible when the option "Use RADIUS server for authentication" is checked in the NE Properties window; the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is then checked automatically. | - | The Generic Mediator uses this user only in the first message of the authentication process between the Generic Mediator and the RADIUS server. | N/A because this user is only needed to fulfil RADIUS protocol requirements.
LCT | User: concatenation of the username from the SNMP Settings tab in the NE Properties window and the string "_RU". Password: hardcoded. Authentication sent from GM to EM/NE to open the LCT window is possible when the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is checked. | - | The EM/NE uses this authentication to allow the LCT window corresponding to that NE to be opened. This user cannot be used for login purposes. | N/A because it is not possible to change this password (solution underway).
Connection Manager, BCB Mediator | User: jleal. Password (hardcoded): jleal | Hardcoded in those components so that their authentication matches on both sides. | Security context for communication from server to netserver components. | N/A because it is not possible to change this password (solution underway).
Multiple NE functions | User: tomcat. Password: tomcat | \TNMS\nedata\webdav\webdav.war\WEB-INF\classes\users.properties | Security context for communication from client to server components. | Restrict the file permissions according to 12.6.1.
User and Security Management | User: Administrator. Password (default): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usm-install-data_opends.ldif | The password for user Administrator has to be changed at first login. | N/A because the password has to be changed at the first login.
User and Security Management | User: ptc. Password (hardcoded): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usm-install-data_opends.ldif | ptc is an internal account. | Remove the file after installing and/or protect the installation directory against unauthorized users.

The credentials marked as hardcoded cannot be changed. The compensating controls are the ones already given in this chapter: restrict the files that hold them (12.6.1), remove the installation ldif file, and segment the network so that the server-to-netserver and client-to-server ports of Table 10 are reachable only from the intended hosts.
12.6.1 Restricting the specified files' permissions

To restrict the specified files' permissions:
1. Navigate to the file using Windows Explorer.
2. Right-click the file and select Properties.
3. In the Security tab click Advanced.
4. In the Advanced Security Settings window, Permissions tab, click Change Permissions.
5. Select all users except SYSTEM and the Administrators group and click Remove. Only the user SYSTEM and the Administrators group should remain, both with full access.
6. Click OK to accept the changes and close the window.

Entries that are inherited from the parent folder cannot be removed while inheritance is active; in that case first clear "Include inheritable permissions from this object's parent" in the Change Permissions dialog (choosing to copy the entries), then remove the unwanted ones.
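The same procedure applied with icacls to the files that Tables 11 and 12 point at, with a check afterwards that only SYSTEM and Administrators remain. This is an added example and not a script from the Coriant manual; $TnmsRoot is a placeholder for the TNMS installation directory, the session must be elevated, and the ldif check at the end follows the "remove file after installing" entry of Table 12.

```powershell
# Added example, not part of the Coriant manual: 12.6.1 via icacls for the files of Tables 11 and 12,
# followed by verification. Assumption: $TnmsRoot is the TNMS installation directory (placeholder).

$TnmsRoot = 'C:\TNMS'   # placeholder
$Files = @(
    (Join-Path $TnmsRoot 'jboss\server\bicnet\conf\config.dat'),                      # Table 11
    (Join-Path $TnmsRoot 'jboss\server\bicnet\deploy\db-ds.xml'),                     # Table 11
    (Join-Path $TnmsRoot 'nedata\webdav\webdav.war\WEB-INF\classes\users.properties') # Table 12
)
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # 12.6.1 step 5

function Test-Restricted([string]$Path) {
    # True only if every ACE on the file belongs to SYSTEM or Administrators.
    $acl = Get-Acl -Path $Path
    $principals = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $unexpected = $principals | Where-Object { $Allowed -notcontains $_ }
    if ($unexpected) { Write-Warning ("{0}: extra principals {1}" -f $Path, ($unexpected -join ', ')); return $false }
    return $true
}

function Restrict-File([string]$Path) {
    if (-not (Test-Path -Path $Path)) { Write-Warning ("missing: {0}" -f $Path); return $false }
    # /inheritance:r drops the inherited entries (the GUI's Remove is greyed out for those until
    # inheritance is disabled); /grant:r replaces any explicit entries with exactly the two allowed ones.
    & icacls $Path /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning ("icacls failed on {0}" -f $Path); return $false }
    return (Test-Restricted $Path)
}

$ok = $true
foreach ($f in $Files) { if (-not (Restrict-File $f)) { $ok = $false } }
if ($ok) { Write-Host 'All listed files are restricted to SYSTEM and Administrators.' }

# Table 12: the OpenDS installation ldif should be removed after installation.
$Ldif = 'C:\Program Files (x86)\OpenDS\install\cf-usm-install-data_opends.ldif'
if (Test-Path -Path $Ldif) { Write-Warning ("Table 12: {0} still exists; remove it or restrict the directory" -f $Ldif) }
```

Test-Restricted is deliberately separate from Restrict-File so that it can be run on its own as a periodic check; a file that has had its inheritance re-enabled by a later installer or by a manual change will show up as a warning naming the extra principals.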
Index A Adobe Reader 29 Antivirus 38 Audit policies 76 Audit policy 24
B Backup 51 automating 56 client 57 command line 53 console 52 interactive mode 52 LDAP 55 non-interactive mode 52 OpenDS 55 Oracle database 53 TNMS database 54 BIOS 18
C Client terminating session 48 Common standby server 70 Common Netserver 68 Common Standby Server 70 Common standby server 70 Component delivery 15 Component Services 25 Console 52 CopSSH configure 35 hardening 38 install 35 security hardening 89 troubleshooting 37
D Disk configuration 19 Disk partitioning 21 Documentation online help 13 Domain Verification 27 Dynamic Port range 28
F Firewall configuration 81 Windows firewall 89
H Hardware 15 client 15 large configuration 15 medium configuration 15 netserver 15 requirements 15 security hardening 75 server 15 HP service pack 20
I Installation CopSSH 34 full 41 Hardware 15 OSI stack 33 separate components 44 TNMS 41 XML parser 29 Integrated Lights-Out 19 Interactive mode 52 Internet Explorer 49 Internet Information Services 26 Interworking 65 TNMS 65
J Java JRE 17 JBoss 89 JRE 17
L Large configuration 20 LDAP 55 License 49 Local security policy 78 Login 47
M Medium configuration 20 Microsoft Windows security hardening 75 security patches 75 MS.NET 29 MSXML 29
N Netserver 68 Non-interactive mode 52 NTI 38
O OpenDS 55 Operating system security hardening 75 shares 76 Operating Systems 17 Oracle 30 security hardening 90 template files 30 Uninstalling 32 Oracle backup files 53 OSI Stack 33 configure 33 install 33 OSI stack Installation 33 uninstalling 34
P Password 48 change 48 complexity rules 48 Policies 76 Prerequisites 17, 29
Q Quick format 22
R Recovering Oracle 59 Recovery 59 Remote access 80 desktop 80 Remote registry 77 Restore 51, 59 LDAP 60 OpenDS 60 simultaneous 61 TNMS database 59 Roles 76
S Security 75 Security hardening 75 audit policies 76 CopSSH 89 digitally signed communications 78 firewall 81 Internet Explorer 90 jboss 89 local security policy 78 Microsoft Windows security patches 75 networking 81 OEM 89 operating system 75 Oracle 90 physical and hardware 75 remote access 80 remote registry 77 SFTP 89 system services 78 unnecessary accounts 75 unnecessary applications and roles 76 user management 90 Windows Error Reporting 77 Server 19 standby 49 Services 47 SFTP security hardening 89 Single Sign-on 49 Standby server 49, 70 Structure online help 13 System Hosts configuration 27 System services 78
T Template files 30 Third-party software OSI stack 33 XML parser 29 TNMS 65 uninstallation 73 TNMS Core 65
U Uninstallation 73 Upgrade 63 User Account Control 29 User interface username and password 48 Username 48
V Virtual memory 23 Virtualization 16
W Web Server 25 Windows 19 Windows 7 26, 27 FTP 27 Windows Error Reporting 77 Windows Server 2008 25, 26, 29 FTP 26
X XML parser Installation 29
Abbreviations
ACS
Actual Creation State
ALS
Automatic Laser Shutdown
ASON
Automatically-Switched Optical Network
BCB
Broadcast Band
CAM
Common Array Manager
CBS
Committed Burst Size
CC
Cross Connection
CDM
Cross-domain Manager
CIR
Committed Information Rate
CFM
Connectivity Fault Management
CLI
Console Interactive
CORBA
Common Object Request Broker Architecture
CSPF
Constrained Shortest Path First
CST
Central Standard Time
CSV
Comma-Separated Values
DA
(Oracle’s Sun Storage) Disk Array
DCN
Data Communications Network
DHCP
Dynamic Host Configuration Protocol
DNS
Domain Naming Service
DSR
Dynamic Source Routing
DWDM
Dense Wavelength Division Multiplexing
ELP
Ethernet Linear Protection
EM
Element Manager
EM/NE
Element Manager/Network Element object management
FA-LSP
Forwarding Adjacency LSP
FEC
Forward Error Correction
FTP
File Transfer Protocol
GBE
Gigabit Ethernet
GCT
GUI Cut-Through
GFPG
Generic Framing Procedure Group
GM
Generic Mediator
GMPLS
Generalized Multi-Protocol Label Switching
GMT
Greenwich Mean Time
GNE
Gateway Network Element
GPS
Global Positioning System
GUI
Graphical User Interface
IMN
Installation Manual
IOC
Intelligent Optical Control
IOC OP
Intelligent Optical Control Online Planning
IP
Internet Protocol
LACP
Link Aggregation Control Protocol
LAG
Link Aggregation
LAN
Local Area Network
LCT
Local Craft Terminal
LDAP
Lightweight Directory Access Protocol
LSP
Label Switched Path
LSR
Label Switch Router
MDI
Multiple Document Interface
MIB
Management Information Base
MSDE
Microsoft SQL Server Desktop Engine
MTOSI
Multi Technology Operations System Interface
MVM
Multi-Vendor Mediator
NE
Network Element
NEC
NE Controller
NIC
Network Interface Card
NNI
Network to Network Interface
NTFS
(Microsoft’s) New Technology File System
NTP
Network Time Protocol
NW
Network
OAM
Operation, Administration and Maintenance
OCH
Optical Channel
ODU
Optical Data Unit - transport technology
OM
Optical Manager or Optical Management
OMS
Optical Multiplex Section
OPU
Optical Payload Unit - transport technology
OTS
Optical Transport Section - transport technology
OTU
Optical Transport Unit - transport technology
PBS
Peak Burst Size
PC
Personal Computer
PCEP
Path Computation Engine Protocol
PDF
Portable Document Format
PIR
Peak Information Rate
PT
Physical Trail
PTC
Planning Tool Connector
PTP
Physical Termination Point
RAID
Redundant Array of Independent Disks
RNE
Remote Network Element
SCP
Secure Copy
SCSI
Small Computer System Interface
SDH
Synchronous Digital Hierarchy
SFTP
Secure File Transfer Protocol, or Secure Shell File Transfer Protocol
SLA
Service-Level Agreement
SNC
SubNetwork Connection
SNCP
SubNetwork Connection Protection
SNMP
Simple Network Management Protocol
SONET
Synchronous Optical Networking
SPC
Soft Permanent Connection
SQL
Structured Query Language
SRLG
Shared Risk Link Group
SSH
Secure Shell
STP
Spanning Tree Protocol
SVID
Service Virtual Local Area Network Identifier
TC
Topological Container or TransConnect
TCP/IP
Transport Control Protocol/Internet Protocol
TL1
Transaction Language 1
TE-Link
Traffic Engineering-Link
TMN
Telecommunications Management Network
TN
TransNet
TNMS
Telecommunications Network Management System
TP
Terminal Point
USB
Universal Serial Bus
UMN
User Manual
UNI
User-to-Network Interface
UNI-S
User-to-Network Interface-Service
UPS
Uninterruptible Power Supply
VC
Virtual Container
VLAN
Virtual LAN
WAN
Wide Area Network
WLAN
Wireless LAN
XC
Cross Connection
X-NE
Cross-NE
XML
eXtended Markup Language
Glossary
@CT
@CT is a web-based craft terminal (that is, element manager) software which provides web access to hiT 7300 network elements (NEs) in the customer network without the use of a management system. It communicates via SNMP with the NEs and uses FTPS for upload/download of software or other data configuration (for example, log files).
3DES
Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
Actual Creation State (ACS)
Is the current state of the path which results from the accumulation of the actual creation states of the path’s route elements.
Advanced Encryption Standard (AES)
Is a specification for the encryption of electronic data. AES is based on a design principle known as a substitution-permutation network, and is fast in both software and hardware.
Alarm
An alarm is a management mechanism intended to inform the user that there is a standing fault condition in the system.
Alarm log
An alarm log provides a list of the alarms associated with a managed object, and provides the following information about each of the alarms:
• the identification of the affected object
• the identification of the failed NE or the NE in which the failed unit resides
• the alarm severity
• the time the event occurred
• the indication whether the alarmed event is service affecting or not
• the location and the affected traffic
Alarm severity
Each failure is assigned a severity. The following values are used:
• indeterminate
• critical
• major
• minor
• warning
• cleared alarms
• not Existent
• not Alarmed
Element Manager (EM) can configure the severity which is assigned to each fault cause by an alarm severity assignment profile. In addition, EM can specify that a fault cause shall not be alarmed. These fault causes will be blocked, hence do not lead to any LED alarm indications, log entries or alarm reporting.
Alien wavelength
A wavelength that does not originate from a transponder or muxponder card, but is still allowed to be multiplexed into the aggregate line signal for transport as an optical channel by the system.
Automatic Laser Shutdown (ALS)
Is a technique used to automatically shut down the output power of the transmitter in case of fiber break. This is a safety feature that prevents dangerous levels of laser light from leaking out of a broken fiber, provided ALS is provisioned on both ends of the fiber pair.
Automatically-Switched Optical Networks (ASON)
ASON domains are built on the VC4 layer of hiT 7065, 7070 or 7080, and on OCh layer of hiT 7300 and on ODU2 layer of hiT 7100, which have a Control Plane. The Control Plane uses network-generated signaling and routing protocols to set up or release a connection, and can restore one when it fails. ASON domains can be built up as part of the transport network. They provide the benefit of easy end-to-end provisioning, and fault and protection management. Soft permanent connections (SPCs) connect both endpoints (NE1 and NE2) within an ASON domain. If a path fails, an alternative path is automatically used.
Bidirectional Self-healing Ring (BSHR)
Is a telecommunications term for a loop network topology, a common configuration in telecommunications transmission systems; this loop or ring is used to provide redundancy. The system consists of a ring of bidirectional links between a set of stations. In normal use, traffic is dispatched in the direction of the shortest path towards its destination. In the event of the loss of a link, or of an entire station, the two nearest surviving stations "loop back" their ends of the ring. In this way, traffic can still travel to all surviving parts of the ring, even if it has to travel "the long way round".
Card
A card is a plug-in unit that occupies one (or multiple) shelf slots. Cards perform specific electrical and/or optical functions within an NE. Each card has a faceplate with information LEDs and, in most cases, several ports for interconnection of optical fibers and/or optical interfaces.
Card slot
A card slot is the insertion facility for a card in a shelf. Each card slot is designed for one or several particular card types. Mechanical coding elements make sure that each card can be fully inserted only into a card slot that is suitable for the given card type. Therefore, fundamental shelf equipping errors (which might cause hardware damage or fatal malfunctions) are impossible.
Ethernet Connectivity Fault Management (CFM)
Is an end-to-end per-service Ethernet layer OA&M protocol. IEEE 802.1ag CFM is a service level OA&M protocol that provides tools for detecting and isolating connectivity failures in the network. This includes proactive connectivity monitoring, fault verification and fault isolation for large Ethernet Metropolitan Area Networks (MANs) and WANs.
Committed Information Rate (CIR)
Is the guaranteed average rate (in Mbit/s) at which the information units are transferred through the port over a measurement interval.
Commissioning
Commissioning a network element (NE) is the process of taking an installed NE and bringing it into an operational state. The NE commissioning phase is performed after the NE is installed and powered-up.
Controller card
NE controller cards provide the central monitoring and controlling functions of the system, as well as the MCF to operate the Q and QF Ethernet interfaces.
The controller card performs the following main functions: Fault Management, Performance Management, Configuration Management, Security Management, Equipment Management, Communication Management, Software Management (performing all software downloads, uploads, and software integrity functions) and controlling the NE alarm LEDs.
Data Communication Network (DCN)
Data Communications Network is a management network for telecommunication transport systems. A DCN domain interconnects several NEs for the purpose of network management. The communication is established via the Optical Supervisory Channel (OSC) of the optical links and an Ethernet/L2 switching network implemented by the NEs.
Dense Wavelength Division Multiplexing (DWDM)
In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology which multiplexes a number of optical carrier signals onto a single optical fiber by using different wavelengths (colors) of laser light, that is, simultaneously places a large number of optical signals (in the 1550 nm band) on a single optical fiber. This technique enables bidirectional communications over one strand of fiber, as well as multiplication of capacity.
Data Encryption Standard (DES)
Is a widely-used method of data encryption using a private key. DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations.
Dynamic Host Configuration Protocol (DHCP)
Is a standardized networking protocol used on IP networks that dynamically configures IP addresses and other information that is needed for Internet communication. DHCP allows computers and other devices to receive an IP address automatically from a central DHCP server, reducing the need for a network administrator or a user to configure these settings manually.
Domain
TNMS allows you to restrict user groups to operate only a set of NEs or DCN subnets instead of the entire network. This partitioning is called a “Domain” and limits the operation on nodes outside of their partitions by assigning user groups to domains. Further, you can also assign policies to domains for further control and security, limiting the user groups to specific menu entries and actions. This arrangement is required, for example, in network centers that are responsible for maintaining only a subset of the nodes. The main purpose is security: it avoids that a login to the system grants access to the entire network. TNMS now supports the creation, modification or deletion of multiple domains, granting or restricting their accesses. By default, all NEs belong to the GLOBAL domain, which cannot be modified or deleted.
Ethernet Linear Protection (ELP)
Is a protection scheme defined in the ITU-T G.8031 standard designed to protect point-to-point Ethernet paths such as VLAN based Ethernet networks. To achieve protection ELP uses two disjointed paths, a working path and a protection path: traffic is carried first on the active path (working path) and in case of failure, traffic is switched to the protection path. Both paths can be monitored using OAM protocols like CFM. ELP provides 1:1 bi-directional protection switching with revertive mode capabilities. ELP must first be configured at the NE side via the LCT; only then is it visible in TNMS so that you can use it in the E-LAN and E-Line service creation via the New Ethernet Service wizard. ELP is supported in specific network elements and cards only. Refer to the NE dedicated documentation for more information.
Element Manager (EM)
Network elements enable the user to perform operation, administration and maintenance tasks with the NE system in a GUI environment.
Ethernet
Ethernet is a family of frame-based computer networking technologies for LANs. It defines a number of wiring and signaling standards for the physical layer, through means of network access at the MAC/Data Link Layer, and a common addressing format.
Fault management
Fault management reports all hardware and software malfunctions within an NE, and monitors the integrity of all incoming and outgoing digital signals.
File Transfer Protocol (FTP)
FTP is a network protocol used to transfer files from one computer to an NE and vice versa through the network.
Frequency
Frequency is a physical attribute of a wave (for example, an optical wave), defined as the number of wave cycles per time unit. The frequency is directly related to the wavelength.
Generalized Multi-Protocol Label Switching (GMPLS)
Is a protocol suite extending MPLS to manage further classes of interfaces and switching technologies other than packet interfaces and switching, such as time division multiplex, layer-2 switch, wavelength switch and fiber-switch.
Intelligent Optical Control (IOC)
Is the Coriant software platform integrating the software defined networking (SDN) framework with intelligent control for multi-layer optical transport networks. IOC addresses the complete operational workflow and network lifecycle from service planning to optimization up to maintenance, by combining the capabilities of the Coriant TransNet optical planning tool, the IOC OP provisioning system and the TNMS network management system.
Internet Protocol (IP)
Is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
Internet Protocol version 4 (IPV4)
Is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).
Link Aggregation Control Protocol (LACP)
Within the IEEE specification the Link Aggregation Control Protocol (LACP) provides a method to control the bundling of several physical ports together to form a single logical channel. LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer (directly connected device that also implements LACP).
Link Aggregation (LAG)
Allows a bridge to treat multiple physical links between two end-points as a single logical link, referred to also as a port-channel. The feature can be used to directly connect two switches when the traffic between them requires high bandwidth and/or reliability, or to provide a higher bandwidth connection to a public network. For this purpose, all the physical links in a given port-channel must operate in full-duplex mode and at the same speed. If a physical port or the related link of a LAG fails, the traffic previously carried over the failed link is automatically switched to the remaining link(s) of the LAG (rapid reconfiguration). Bandwidth degradation is an obvious impact if the sum of the throughput of the two/multiple aggregated links is higher than the throughput of the remaining link(s). Be aware that certain link failures are not always visible to both ends of a link. Link Aggregation Control Protocol (LACP) and Automatic Laser Shutdown (ALS) enabled guarantee that both ends of a link properly detect all failures and perform the correct response. LAG groups must first be created at the NE side via the LCT; only then are they visible in TNMS so that you can use them in the E-LAN and E-Line service creation via the New Ethernet Service wizard. LAG is supported in specific network elements and cards only. Refer to the NE dedicated documentation for more information.
Laser
A laser is a device that generates an intense narrow beam of light by stimulating the emission of photons from excited atoms or molecules.
Laser safety
Laser safety rules are a group of mechanisms and actions necessary to protect all users from harmful laser light emissions.
Local Craft Terminal (LCT)
LCT is a client-based craft terminal (that is, element manager) software which provides access to network elements (NEs) in the customer network without the use of a management system.
Lightweight Directory Access Protocol (LDAP)
Is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
Line interface
A line interface is a transponder interface that faces the line side of the link. Contrast with “client interface” which faces the client equipment side of the link.
Long Haul (LH)
hiT 7300 LH segment is a DWDM application characterized by a reach of more than 500 km and up to 1200 km.
Label Switched Path (LSP)
Is a path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the forwarding equivalence class (FEC).
Label switch router (LSR)
Sometimes called transit router, is a type of a router located in the middle of a Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels used to route packets. When an LSR receives a packet, it uses the label included in the packet header as an index to determine the next hop on the Label Switched Path (LSP) and a corresponding label for the packet from a look-up table. The old label is then removed from the header and replaced with the new label before the packet is routed forward.
MD5
Message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed as a 32 digit hexadecimal number.
Maintenance Association End Points (MEP)
Are points at the edge of the domain that define the boundaries and send and receive CFM frames through the wire side (physical port) or relay function side.
Management Information Base (MIB)
Is used for backup purposes where you can plan automatic upload jobs.
MX
Juniper MX Series Universal Edge Routers are Ethernet-centric services routers that are purpose-built for demanding carrier and enterprise applications (source: Juniper website).
NetConf
Network Configuration Protocol (NETCONF), is an IETF network management protocol. NETCONF provides mechanisms to install, manipulate, and delete the configuration of network devices. Its operations are realized on top of a simple Remote Procedure Call (RPC) layer. The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. This in turn is realized on top of the transport protocol.
Network Craft Terminal (NCT)
NCT is a network management craft terminal (that is, element manager) software which is used for either local or remote network management.
Network Element (NE)
A network element (NE) is a self-contained logical unit within the network. The NE can be uniquely addressed and individually managed via software. Each NE consists of hardware and software components to perform given electrical and optical functions within the network.
Network Management
The network management layer includes all the required functions to manage the optical network in an effective and user-friendly way, such as the visualization of the network topology, creation of services, and correlation of alarms to network resources.
Network topologies
A topology of a network is defined by the list of NEs included in the network and the list of links that connect those NEs (for example, point-to-point, chain, ring, and so on).
Network to Network Interface (NNI)
Is an interface which specifies signaling and management functions between two networks. NNI circuit can be used for interconnection of IP (e.g. MPLS) networks.
Coriant TransNet
Planning of a hiT 7300 network is done by the Coriant TransNet tool. Coriant TransNet is a sophisticated software simulation tool developed specifically for designing and/or upgrading optical DWDM networks with hiT 7300. It runs on PCs using Microsoft Windows operating systems.
Optical Channel
A predefined wavelength that can be used to transmit a bit stream by means of a modulated light signal.
Optical Network Node (ONN)
An ONN is an NE where the incoming channels are either dropped or routed to a line in a different direction, outgoing channels can also be added locally. Apart from multiplexing and demultiplexing an ONN NE implements optical or 3R signal regeneration and dispersion compensation.
Optical path
The path followed by an optical channel from the first multiplexer to the last demultiplexer.
Path Computation Engine Protocol (PCEP)
Implements, sets up and manages PCEP, while also notifying OM when PCEP is available or unavailable to send/receive PCEP Route messages.
Performance management
Performance monitoring and signal quality analysis provide information for detecting and alerting on a cause that could lead to degraded performance before a failure is declared.
Peak Information Rate (PIR)
Is a burstable rate set on routers and/or switches that allows throughput overhead. Related to Committed Information Rate, which is a committed rate speed guaranteed/capped. For example, a CIR of 10 Mbit/s and a PIR of 12 Mbit/s allow you access to 10 Mbit/s minimum speed with burst/spike control that allows a throttle of an additional 2 Mbit/s.
Pseudo-Random Binary Sequence (PRBS)
Is a known sequence of bits that can be used as a test signal to measure transmission delay and bit error rate of a channel. In this test, one port inserts the PRBS signal in the channel (source port) and another detects if the sequence was received correctly (sink port). This kind of test is traffic affecting since the test sequence is inserted into the OPUk until the test is stopped.
Physical Trails (PT)
Trails are represented as Physical Trails (PTs). They connect two Physical Termination Points (PTP) on a physical layer rate, but can also contain non-physical layers.
Planning Tool Connector (PTC)
Interfaces with the Coriant TransNet/Intelligent Optical Control DWDM network planning tool.
PTX
Juniper Packet Transport Routers are Converged Supercore platforms that deliver powerful capabilities based on the Junos Express chipset and forwarding architectures optimized for MPLS and Ethernet, with integrated, coherent 100GbE technology (source: Juniper website).
Required Creation State (RCS)
Is the desired state of the path, which is set by the user upon creation.
Optical Signal to Noise Ratio (OSNR)
OSNR is the ratio of an optical signal power to the noise power in the signal.
Ring network
A ring network is a network topology in which each NE connects to exactly two other NEs, forming a circular optical path for signals (that is, a ring).
Synchronous Digital Hierarchy (SDH)
Is a standardized protocol that transfers multiple digital bit streams over optical fiber using lasers or highly coherent light from light-emitting diodes. At low transmission rates data can also be transferred via an electrical interface. The method was developed to replace the Plesiochronous Digital Hierarchy system for transporting large amounts of telephone calls and data traffic over the same fiber without synchronization problems.
Security management
Security Management controls the individual access to particular NE functions via the network management system and/or via a craft terminal, using a hierarchical security management user ID, and password concept.
State Event Machine (SEM)
In computation, a finite-state machine is event driven if the transition from one state to another is triggered by an event or a message.
Service Provisioning via NMS
Provisioning mode in hiT 7300. The core equipment is provisioned by downloading and swapping NCFs, while services are manually provisioned via the NMS. When adding new services or expanding an existing network, the relevant line cards, cross connections and internal port connections between line cards and multiplexers/demultiplexers are provisioned via the NMS.
Secure Hash Algorithm (SHA)
Is a family of cryptographic hash functions that takes an arbitrary block of data and returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the message, and the hash value is sometimes called the message digest or simply digest.
Simple Network Management Protocol (SNMP)
SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative control. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
Software management
Software management performs all software downloads, uploads, and software integrity functions.
Secure Shell (SSH)
Is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).
Subsystem
A subsystem is a set of shelves and cards in multicontroller NE that is controlled by a subagent. All subagents within a multicontroller NE are controlled by the master agent.
Topological Container (TC)
Defines a containment relationship between other topological containers and/or NEs. This means they can contain NE symbols and other TCs. The network map is always associated with one TC, which corresponds to a network view.
Tandem Connection Monitoring (TCM)
TCMs are configurable parameters (via Element Manager) of the transponders. They provide a Performance Management of all the Optical Transport Network (that is, end-to-end connection) or specific sections only and implement an Optical channel Data Unit (ODU) termination provisioned to support up to six TCM levels.
Transmission Control Protocol (TCP)
Is one of the core protocols of the Internet protocol suite (IP), and is so common that the entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer.
TL1
Transaction Language 1 (TL1) is a widely used management protocol in telecommunications. It is a cross-vendor, cross-technology man-machine language, and is widely used to manage optical (SONET) and broadband access infrastructure in North America. TL1 is used in the input and output messages that pass between Operations Systems (OSs) and Network Elements (NEs). Operations domains such as surveillance, memory administration, and access and testing define and use TL1 messages to accomplish specific functions between the OS and the NE.
TNMS
Telecommunications Network Management System - is a standalone application that provides a full range of network-management functions, from the transport network’s physical structure and its NEs to those required for Automatically-Switched Optical Networks (ASON), SW management (also referred to as X-NE or Cross-NE), Optical Management and Ethernet Management.
TNMS Core
TNMS Core is an integrated solution designed for large, medium and small size networks. It supports NEs with DWDM, OTH, SDH, PDH, Ethernet in line, star, ring and mesh network configurations. TNMS Core can be used to manage networks in the access, edge, metro, core and backbone levels.
TNMS CT
TNMS CT is a transparent software platform for SDH and DWDM NEs using QD2, QST, QST V2, Q3 or SNMP telegram protocols. It supports line, star, ring and mesh networks and provides access to NEs via Ethernet interface or via a serial line interface (RS232).
TNMS DX
TNMS DX is a telecommunications network management system to operate, administer and maintain hiT 7300 NEs. It allows remote operation and control of these network elements.
Trail Trace Identifier (TTI)
TTI is a transponder card parameter (configurable via Element Manager) that is used to verify correct cabling or correct Tandem Connection Monitoring (TCM) configuration. The basic principle is that specific overhead bytes are reserved for Trace Messages of the user's choosing. By specifying the Actually Sent (transmitted) and the Expected (received) trace messages, the system can automatically verify that fiber connections have been made as intended. This is accomplished by comparing the expected Trace Message to the one actually received. If they differ, an alarm is raised, alerting personnel to the incorrect connections.
Transponder card
A transponder card receives an optical input signal and converts it to an optical output signal suitable for DWDM multiplexing and transmission.
Transponder loopback
Loopbacks are diagnostic tests that can be activated via Element Manager. Loopbacks return the transmitted signal back to the sending device after the signal has passed across a particular link. The returned signal can then be compared to the transmitted one. Any discrepancy between the transmitted and the returned signal helps to trace faults.
Issue date: July 2014
User Datagram Protocol (UDP)
Is one of the core members of the Internet protocol suite (the set of network protocols used for the Internet). With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communications to set up special transmission channels or data paths. UDP uses a simple transmission model with a minimum of protocol mechanism. It has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program. As this is normally IP over unreliable media, there is no guarantee of delivery, ordering or duplicate protection. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.
Ultra Long Haul (ULH)
hiT 7300 ULH segment is a DWDM application characterized by long path lengths of up to 1600 km.
User-to-Network Interface (UNI)
Is a demarcation point between the responsibility of the service provider and the responsibility of the subscriber. This is distinct from a Network to Network Interface (NNI) that defines a similar interface between provider networks.
Virtual Local Area Networks (VLAN)
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN or VLAN.
Wavelength
Wavelength is a physical attribute of a wave (for example, an optical wave), defined as the distance between corresponding points of two consecutive wave cycles. The wavelength is directly related to the frequency of the wave.
Wait to restore time (WTR)
The time in minutes that TNMS waits until it tries to switch to the working path again, assuming the Revertive option is selected.
eXtensible Markup Language (XML)
Is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The design goals of XML emphasize simplicity, generality, and usability over the Internet. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services.