U2000 ATAE Cluster System Administrator Guide (SUSE) (V200R016C10 - 05) PDF
V200R016C10
Issue 05
Date 2016-08-30
Scope
This document is designed for administrators of the U2000 cluster system. It provides
concepts and operation procedures for administration tasks of the U2000 system, which is
based on the SUSE Linux operating system and the Oracle or Sybase database. It also
describes routine and emergency maintenance procedures for the U2000 system, emergency
maintenance procedures for hardware, and troubleshooting methods.
Product Versions
The following table lists the product versions related to this document.
U2000 V200R016C10
OSMU V200R002C50
Intended Audience
This document is intended for network management engineers.
Change History
05 (2016-08-30)
This is the 05 release of V200R016C10. Compared with issue 04 (2016-07-20) of
V200R016C10, this issue includes the following changes.
04 (2016-07-20)
This is the 04 release for V200R016C10. Compared with issue 03 (2016-05-30) for
V200R016C10, this issue incorporates the changes listed in the following table.
Section Change Description
03 (2016-05-30)
This is the 03 release for V200R016C10. Compared with issue 02 (2016-03-20) for
V200R016C10, this issue incorporates the changes listed in the following table.
Section Change Description
20.2.2 Synchronizing NE
Subscription Information
02 (2016-03-20)
This is the 02 release for V200R016C10. Compared with issue 01 (2016-02-25) for
V200R016C10, this issue incorporates the changes listed in the following table.
Section Change Description
01 (2016-02-25)
This is the 01 release for V200R016C10. Compared with issue Draft A (2015-12-30) for
V200R016C10, this issue incorporates the changes listed in the following table.
Section Change Description
Draft A (2015-12-30)
This is the Draft A release for V200R016C10. Compared with issue 01 (2015-09-20) for
V200R016C00, this issue incorporates the changes listed in the following table.
Section Change Description
Organization
1 Powering On and Powering Off the System
This section describes how to power on and power off the U2000 in a specified sequence to
ensure system security.
2 Configuring the Parameters of the U2000 Server
This section describes how to change the IP addresses and routes of the U2000 server and
configure U2000 service network plane ports.
3 Managing the U2000 Server Time
This section describes how to set the server time for the U2000 cluster system to ensure that
the settings meet time requirements.
4 Managing U2000 Services and Database Services
This section describes how to use the OSMU to view the status of U2000 services and
database services, and start and stop U2000 services and database services.
5 Managing U2000 Resources
This section describes the mapping between the resources of the U2000 system and the
methods of managing the resources and resource groups of the U2000 system.
6 Setting the Authentication Mode of the U2000
This section describes how to add the U2000 server to the SSO server and set the local
authentication mode and SSO mode of the U2000 server.
7 Managing the U2000 FTP Server
This section describes how to change the port number and set file transfer policies on the FTP
server.
8 Managing U2000 System Security
This section describes how to replace the encrypted key of the U2000 system, replace the SSL
certificate of OSS Management Tool, change the password of the OSS Management Tool's
private key file, and perform security hardening/unhardening for internal ports of the U2000
server.
9 Setting the Communication Modes Used by the U2000 Clients and Server
The U2000 server supports three communication modes: common, Secure Sockets Layer
(SSL), and both. Clients support two communication modes: common and SSL. The clients
can successfully connect to the server only when the communication modes are consistent
between the clients and server. The security of the SSL mode is higher than the security of the
common and both modes. The default communication mode on the server is SSL. The client
must connect to the server in SSL mode.
10 Enabling the U2000 Server to Authenticate NEs Sending Syslog Logs to It
When the U2000 server functions as an SSL server for communication with the U2000 client
and NEs, you are advised to enable authentication of the communication peer on the U2000
server for security concerns. After this function is enabled, you must deploy the required trust
certificates on the U2000 server to ensure normal communication.
11 Managing U2000 System Users
This section describes how to manage and monitor the U2000 users. The users involved in the
U2000 system are Linux users, database users, OM users, and storage system users.
12 Managing Files and Disks on the U2000 Server
This section describes how to manage the file systems and disks on the U2000 server.
13 Managing the U2000 Client
This section describes how to manage the U2000 client. The graphic user interface (GUI) on
the U2000 client supports the O&M for the NEs and enables you to monitor the U2000. You
must manage the U2000 client to ensure its proper operation.
14 Managing the U2000 License
U2000 licenses restrict the number of manageable devices, and the availability duration of the
U2000. You need to manage the licenses periodically.
25 U2000 Troubleshooting
26 General Operation
27 Appendix
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
General Conventions
The general conventions that may be found in this document are defined as follows.
Convention Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format Description
Key Press the key. For example, press Enter and press Tab.
Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action Description
Drag Press and hold the primary mouse button and move the
pointer to a certain position.
Contents
8.2 Replacing the Root Key of the U2000 System Sensitive Data
8.3 Replacing the Encrypted Key of the OSS Management Tool Sensitive Data
8.4 Replacing the Root Key of the OSS Management Tool Sensitive Data
8.5 Replacing the SSL Certificate of OSS Management Tool
8.6 Changing the Password of the OSS Management Tool's Private Key File
8.7 Changing the Maximum Login Attempts and Locking Duration for the OSS Management Tool
8.8 Performing Security Hardening/Unhardening for Internal Ports of the U2000 Server
8.9 Performing Security Hardening/Unhardening for U2000 Database Ports
8.10 Querying and Setting the Encryption Algorithm for Alarms Between the U2000 and OSMU
8.11 Querying and Setting the Authentication Algorithm for the Heartbeats Between the U2000 and OSMU
8.12 Querying and Setting the SNMPv3-based Algorithms Used Between the U2000 and PRS
8.13 Changing the OSS Private Key Password
8.14 Disabling the SSLv3 Protocol Used on the U2000
8.15 Disabling the TLSv1.0 Protocol
8.16 Enabling/Disabling Proxy Service ACL
8.17 Configuring the DH Key Length for DS Services
9 Setting the Communication Modes Used by the U2000 Clients and Server
9.1 Mode Switching Operation Guide
9.2 Introduction to Communication Modes
9.2.1 Digital Certificates
9.2.2 SSL Protocol
9.3 Preparing Digital Certificates
9.4 Certificate Save Path and Naming Conventions
9.5 Setting the U2000 Communication Mode
9.5.1 Mode Switching Operation Guide
9.5.2 Querying the Communication Mode of the Server
9.5.3 Deploying Certificates on the U2000 Server
9.5.4 Enabling the U2000 Server to Authenticate Its Peer
9.5.5 Switching the Communication Mode of the U2000 Server
9.5.6 Deploying Certificates on the U2000 Client
9.6 Replacing All Digital Certificates
9.7 Updating Certificates
9.7.1 Updating Certificates on the U2000 Server
9.7.2 Adding Trust Certificates of the U2000 Client to the U2000 Server
9.7.3 Deleting Trust Certificates of the U2000 Client from the U2000 Server
9.7.4 Updating Certificates on the U2000 Client
10 Enabling the U2000 Server to Authenticate NEs Sending Syslog Logs to It
10.1 Querying NE Syslog Operation Logs
10.2 Deploying a Certificate for the U2000 Server to Receive NE Syslog Logs
10.3 Updating a Certificate for the U2000 Server to Receive NE Syslog Logs
10.4 Adding to the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It
10.5 Deleting from the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It
15.3.2 Parameters for Setting the Hard Disk Monitoring Thresholds of the U2000 Server
15.3.3 Parameters for Setting the Database Monitoring Thresholds of the U2000 Server
15.3.4 Parameters for Setting the Service Monitoring Thresholds of the U2000 Server
15.3.5 Parameters for Monitoring the Service Status of the U2000 Server
15.3.6 Parameters for Monitoring the Process Status of the U2000 Server
15.3.7 Parameters for Monitoring the Hard Disk Status of the U2000 Server
15.3.8 Parameters for Monitoring the Database Status of the U2000 Server
15.3.9 Parameters for Monitoring the Status of the U2000 Server
15.3.10 Parameters for Viewing System Monitoring Operation Logs
26 General Operation
26.1 Operations Performed on the Server
26.1.1 Logging In to the Board by Using PuTTY
26.1.2 Logging In to the Board by Using the KVM of the OSMU
26.1.3 Viewing Device States by Using the OSMU
26.1.4 Starting the OSMU Service
26.1.5 Stopping the OSMU Service
26.1.6 Viewing the OSMU Server Software Version
26.1.7 Viewing the U2000 Software Server Version
26.1.8 Checking the Operating System Version of Boards
26.1.9 Checking the Sybase Database Server Name
26.1.10 Changing All the Board's Time Manually
26.1.11 Generating Kdump Information of the Board
26.1.12 Transferring Files by Using FileZilla
26.1.13 Solving the U2000 Backup or Restore Failure Problem
26.1.14 Solving the U2000 Disk Space Shortage Problem
26.1.15 Uninstalling the U2000 Server Software
26.1.16 Viewing VCS Resources Status
26.1.17 Checking the License of the Veritas
26.1.18 Connecting the PC and SMM Board
26.1.19 Viewing and Setting the IP Addresses for the SMM Board
26.1.20 Uninstalling the NE Mediation Software by Using Commands
26.1.21 Uninstalling the NE Mediation Software by Using the OSMU
26.1.22 Starting the Services that Are Disabled by Default
26.1.23 Configuring the ACL for the PortTrunking Service
26.1.24 Switching the LMT Login Mode
26.1.25 Solving the Problem of the Port for the U2000 SyslogCollectorDM Service and the syslog Service Conflicts
26.1.26 Checking Whether a User Has Logged In to the Board by Using KVM
26.1.27 Downloading Files from the Specified Path on the Server
26.1.28 Uploading Files to the Specified Path on the Server
26.1.29 Setting a DHCP Listening IP Address
26.1.30 How Do I Unlock an Oracle Database Account?
26.1.31 How Do I Unlock a Sybase Database Account?
26.1.32 Enabling SUSE Linux Operating System Audit (SUSE10)
26.1.33 Enabling SUSE Linux Operating System Audit (SUSE11)
26.1.34 Disabling SUSE Linux Operating System Audit
26.1.35 Setting the KVM
26.1.36 Configuring the Iptables Firewall
26.1.37 Setting the ACL of the OSMU Web Service (Optional)
26.1.38 Disabling/Enabling the Proxy Function of the U2000 Server
26.1.39 Updating the ACL for Internal Ports on the U2000 Server
26.1.40 How Do I Resolve LTE Subscription and Data Reporting Failures
26.1.41 Collecting Device Asset Information
26.2 Operations Performed on the PC
26.2.1 Setting Internet Explorer
26.2.2 Setting Firefox
26.2.3 Solving the Problem that Web-based U2000 Services Fail to Be Started
26.2.4 Solving the Problem that the U2000 Web Page Cannot be Opened
26.2.5 Logging In to the OSMU by Using a Web Browser
26.2.6 Logging In to the U2000 Client
26.2.7 Uninstall the U2000 Client Software
26.2.8 Checking the JRE Version on the PC
26.2.9 Resolving the Problem that a System Error Occurs During the Performance Measurement Result Query Process and Users Cannot Query the Performance Measurement Results
26.2.10 Deploying Certificates on a Browser
26.2.11 Setting Browser
26.3 Operations on Disk Array
26.3.1 Using PuTTY to Log In to the S3900 Disk Array
26.3.2 Connecting the PC and the S3900 Controller Enclosure
26.3.3 Checking the S3900 Disk Array Version
26.3.4 Changing the Initial IP Address of the S3900 Controller Enclosure
27 Appendix
27.1 Default Users and Initial Passwords
27.2 Partitioning of Storage Space
27.3 Default Host Names and IP Addresses of Boards
27.4 Default IP Addresses of Switching Boards
27.5 Default IP Addresses of SMM Boards
27.6 Default IP Addresses of the S3900 Storage System
27.7 List of Web Access Paths
27.8 Introduction to U2000 Processes and Services
27.9 Trace Server altogether cluster deployment related explanation
27.10 U2000 Database
27.10.1 BMSDB Database
27.10.2 cmedb Database
27.10.3 cmedb1 Database
27.10.4 cmedb2 Database
27.10.5 eamdb Database
27.10.6 farsdb Database
27.10.7 fmdb Database
27.10.8 itfndb Database
1 Powering On and Powering Off the System
This section describes how to power on and power off the U2000 in a specified sequence to
ensure system security.
Prerequisites
You have applied for an account at http://support.huawei.com and are authorized to
download related reference documents.
Context
NOTICE
For an ATAE cluster online remote HA system:
• You need to power on the system to be used as the active site.
• The procedure for powering on the active site is the same as that for powering on the
standby site.
Procedure
Step 1 Log in to http://support.huawei.com.
Step 2 Obtain the ATAE Cluster System Product Documentation used with the OSMU version by
accessing Product Support > Wireless Network > SingleOSS-MBB > SingleOSS-MBB >
M2000-Common > iManager OSMU.
Step 3 Power on the U2000 system by following instructions provided in Reference > General
Operation > Powering On the System in ATAE Cluster System Product Documentation.
----End
Prerequisites
You have applied for an account at http://support.huawei.com and are authorized to
download related reference documents.
Context
NOTICE
For an ATAE cluster online remote HA system:
• You need to power off the active site first.
• The procedure for powering off the active site is the same as that for powering off the
standby site.
Procedure
Step 1 Log in to http://support.huawei.com.
Step 2 Obtain the ATAE Cluster System Product Documentation used with the OSMU version by
accessing Product Support > Wireless Network > SingleOSS-MBB > SingleOSS-MBB >
M2000-Common > iManager OSMU.
Step 3 Stop U2000 services.
Check whether U2000 services are running by following instructions provided in 4.1
Checking the U2000 Service Status. If U2000 services are running, stop them by following
instructions provided in 4.6 Stopping U2000 Services.
Step 4 Stop database services on the U2000.
Check whether database services are running by following instructions provided in 4.1
Checking the U2000 Service Status. If database services are running, stop them by
following instructions provided in 4.4 Stopping the Database Service.
Step 5 Power off the U2000 boards by using the OSMU.
1. In the main window of the OSMU, choose Device Management > Hardware Device >
Board in the navigation tree.
2. Select the check boxes in front of the U2000 boards to be powered off. Then, click
Power Off.
You can check the task execution status in the Centralized Task Management area.
NOTICE
– When the Oracle database is used, you also need to select the service board whose
System is U2000, the DB board whose System is U2000DB, and the standby
database board whose System is Standby, Subsystem is Standby, and Cluster
Name is DBCluster.
– When the Sybase database is used, you also need to select the service board whose
System is U2000, the DB board whose System is U2000DB, and the standby board
whose System is Standby, Subsystem is Standby, and Cluster Name is
U2000Cluster.
– If the U2000 shares the standby DB board with other products (such as PRS and
Nastar), powering off the standby DB board affects the other products.
To continue to use other products, power on the standby database board after
powering it off.
– Depending on the service volume, powering off the service boards takes about 30 to 60
minutes.
3. In the left pane of the OSMU, expand the Device Management navigation tree and
select a rack number under the Device Panel node. On the rack tab page in the right
pane, check the status of all boards to be powered off.
After the power-off task is complete in the Centralized Task Management area, verify
that the boards to be powered off are in the Powered Off state.
Step 6 Power off the OSMU board, subracks, disk arrays, switches, and cabinet by following
instructions provided in Reference > General Operation > Powering Off the System in
ATAE Cluster System Product Documentation.
When the U2000 is deployed together with other products (such as PRS and Nastar) in a
subrack, powering off the subrack affects other products. If you do not need to power off the
boards of other products, skip this step.
----End
2 Configuring the Parameters of the U2000 Server
This section describes how to change the IP addresses and routes of the U2000 server and
configure U2000 service network plane ports.
Prerequisites
● You have logged in to the OSMU using a web browser. For details, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
● You have obtained the new public IP addresses of the U2000 server.
● You need to check the backup status of the emergency system if the emergency system is
configured in the ATAE cluster system. For details, see Changing the IP Address of
Backup Resources in the Emergency System in U2000 ATAE Cluster Emergency System
User Guide.
● You are not allowed to change the public IP address when a dynamic data backup task is
running.
Context
When the OM network requires IP address reassignment or relocation, you need to
change the IP address of the U2000 server. Doing so keeps the OM network easy to manage
and maintain, open, and flexible. It also improves the scalability and evolution
capability of the network.
When you are changing the IP address of the U2000 server, the performance data and alarm
data of the managed NEs cannot be processed. If the IP address of the U2000 server is
recorded in an NE database, changing the IP address of the U2000 server results in
disconnection between the U2000 server and the NE. Therefore, if you need to change the IP
address of the U2000 server, ask NE maintenance engineers to modify relevant plans and
update the IP address of the U2000 server recorded in the NE database. After you change the
IP address, the U2000 collects performance data and alarm data again through automatic
synchronization and then processes the data.
NOTICE
● After the public IP address of the U2000 server is changed, back up OS data, static data,
and dynamic data. For detailed operations, see 21 Backing Up and Restoring the U2000.
If you do not back up OS data, static data, and dynamic data, the original data may be
restored during subsequent restoration operations, causing the IP addresses recorded in
the OS data, static data, and dynamic data to become inconsistent. As a result, some
U2000 functions become invalid.
● You need to reconfigure the route after changing the IP address to one on another
network segment.
● The method of changing the board's internal IP address applies only when the connected
network is within the network segment range from 192.168.0.0 to 192.168.255.255 and the
internal IP address of the ATAE board configured by default before delivery has been used
by another device. In other scenarios, you are advised not to change the board's internal IP
address. If you need to change the board's internal IP address, contact Huawei
technical support.
Procedure
Step 1 Check whether the new IP address is in use.
On a PC whose IP address is on the same network segment as the new IP addresses, open
a cmd window and run the ping command to check whether the new IP addresses are in
use:
● If the IP addresses can be pinged, they are in use. In this case, use other IP
addresses.
● If the IP addresses cannot be pinged, they are available for use. Perform the following
steps.
Step 2 Run the following commands to check whether security hardening has been performed for
internal ports of the U2000 server:
1. Use PuTTY to log in to the master, slave, and standby servers in SSH mode as user
ossuser.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
3. Run the following command to check the security hardening for internal ports of the
U2000 server:
# . /opt/oss/server/svc_profile.sh
– If the system displays the following information, security hardening has been
performed for internal ports of the U2000 server. Perform security unhardening for
the service port by referring to 8.8 Performing Security Hardening/Unhardening
for Internal Ports of the U2000 Server and perform Step 3.
The security hardening rules have been set for internal ports on the OSS
server.
– If the system displays the following information, security hardening has not been
performed for internal ports of the U2000 server. Then, proceed with Step 3.
The security hardening rules have not been set for internal ports on the
OSS server.
Step 3 Run the following commands to check whether security hardening has been performed for the
U2000 database ports:
1. Use PuTTY to log in to the master server in SSH mode as user ossuser.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
3. Run the following command to check the security hardening for the U2000 database
ports:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/tools/DBIptables
# ./DBAccessControl.sh -q
– If the system displays the following information, security hardening has been
performed for the U2000 database ports. Perform security unhardening for the ports
by referring to 8.9 Performing Security Hardening/Unhardening for U2000
Database Ports and perform Step 4.
DB ports have been hardened.
– If the system displays the following information, security hardening has not been
performed for the U2000 database ports. Then, proceed with Step 4.
Check DB ports have not been hardened.
Change the public IP addresses of U2000 boards in batches.
1. In the left pane of the OSMU, expand the Device Management navigation tree and select a
rack number under the Device Panel node.
2. On the rack tab page in the right pane, check the board status.
If any board is in the Faulty state, contact Huawei technical
support engineers.
– Before changing the public IP addresses of service boards,
ensure that all service boards of the U2000 product are in
the Active or Service Stopped state.
■ If there are boards in the Normal state, stop the services
of these boards by referring to 4.6 Stopping U2000
Services.
■ If there are boards in the Switched Over state, switch
resources for the boards based on their original active/standby
relationship by referring to 5.5 Switching
Resources Between U2000 Nodes Manually (Oracle)
or 5.6 Switching Resources Between U2000 Nodes
Manually (Sybase), and then stop the boards' services
by referring to 4.6 Stopping U2000 Services.
NOTE
This restriction applies when you want to change the public IP
address of a network interface of the service board whose
Usage is Default. If you want to change the public IP address
of the network interfaces used for other purposes, refer to
U2000 ATAE Cluster System Administrator Guide to learn the
restriction condition.
– If the public IP address of the network interface on the
board can be changed when the board service is
running, ensure that all service boards of the U2000 product
are in the Active or Service Stopped state.
If there are boards in the Switched Over state, switch
resources for the boards based on their original active/standby
relationship by referring to 5.5 Switching
Resources Between U2000 Nodes Manually (Oracle) or
5.6 Switching Resources Between U2000 Nodes
Manually (Sybase).
NOTE
This restriction applies when you want to change the public IP
address of a network interface of the service board whose Usage is
Default. If you want to change the public IP address of the
network interfaces used for other purposes, refer to U2000 ATAE
Cluster System Administrator Guide to learn the restriction
condition.
3. In the left pane of the OSMU window, expand the Device
Management navigation tree and choose Hardware Device >
Network Interface.
4. On the Network Interface tab page, click Export.
Change the public IP address of one U2000 board in batches.
1. In the left pane of the OSMU, expand the Device Management navigation tree and select a
rack number under the Device Panel node.
2. On the rack tab page in the right pane, check that the status of
each board meets the requirement for the following scenarios.
If any device is in the Faulty state, contact Huawei technical
support.
NOTICE
If the status of a board is inconsistent with that described below, setting
the public IP address of the U2000 server will fail.
a. Ensure that all U2000 service boards are in the Service
Stopped state.
■ If there are boards in the Normal state, stop the U2000
services by referring to 4.6 Stopping U2000 Services.
■ If there are boards in the Switched Over state, switch
resources for the boards based on their original active/standby
relationship by referring to 5.5 Switching
Resources Between U2000 Nodes Manually (Oracle)
or 5.6 Switching Resources Between U2000 Nodes
Manually (Sybase), and then stop the U2000 services
by referring to 4.6 Stopping U2000 Services.
b. Before changing the public IP addresses of the U2000 DB
boards, check the status of all U2000 service boards and
DB boards as follows:
■ Ensure that all U2000 service boards are in the Service
Stopped state.
○ If there are boards in the Normal state, stop the
U2000 services by referring to 4.6 Stopping U2000
Services.
○ If there are boards in the Switched Over state,
switch resources for the boards based on their
original active/standby relationship by referring to
5.5 Switching Resources Between U2000 Nodes
Manually (Oracle) or 5.6 Switching Resources
Between U2000 Nodes Manually (Sybase), and
then stop the U2000 services by referring to 4.6
Stopping U2000 Services.
■ Ensure that the DB board is in the Normal state.
○ If there are boards in the Switched Over state,
switch resources for the boards based on their
original active/standby relationship by referring to
5.5 Switching Resources Between U2000 Nodes
Manually (Oracle) or 5.6 Switching Resources
Between U2000 Nodes Manually (Sybase).
Step 5 Restart the U2000 services after the change. For details, see 4.5 Starting U2000 Services.
Step 6 After the U2000 services are restarted, perform the following operation based on the
actual situation.
If... Then...
If there is a NAT device between the U2000 server and the U2000 client, then:
1. Use PuTTY to log in to the OSMU board in SSH mode as osmuuser. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
If there is a NAT device between the U2000 server and NEs, then:
Reconfigure the NAT table on the NAT device (such as the firewall).
----End
Follow-up Procedure
● After you change the server IP address, check whether the IP address change affects
communication between the U2000 server and other devices (such as Nastar and
PRS). If it does, adjust the IP addresses of the other devices based on the actual
situation. For details about how to change the IP addresses of other devices, see the
manual of each device.
● If the U2000 system is configured with an independently deployed Trace Server, you
also need to change the configuration file of the Trace Server. For details, see Changing
the Configuration of the U2000 Server Recorded in the Trace Server Configuration
File, Configuring IP Address-Host Name Mapping of the U2000 Server on the
Trace Server, Modifying the Alarm and Heartbeat Interfaces Between the OSMU
and U2000 in U2000 Trace Server User Guide (ATAE Cluster, Standalone).
● After the IP address of a U2000 service network plane where NEs are located is
modified, you need to reconfigure the mapping between the IP address of the service
network plane and the NEs managed by the U2000. For detailed operations, see 2.3.7
Configuring Network Segments of NEs for Southbound IP Addresses of the U2000
Server.
● If the Trace Server is co-deployed with the U2000 in the ATAE cluster system, after the
IP address of a U2000 service network plane where NEs are located is modified, you
need to reconfigure the mapping between Trace Server boards and the U2000 mediation
service. For detailed operations, see 2.3.8 Configuring the Mapping Between the
Trace Server Boards and the U2000 Mediation Service.
● If the Trace Server is independently deployed, after the IP address of a U2000 service
network plane where NEs are located is modified, you need to modify the IP address of
the Trace Server service network plane first. For detailed operations, see Changing the
IP Addresses of the Default Network Port on Trace Server (After the Service Software
Is Installed, Cluster, ATAE) in U2000 Trace Server User Guide (ATAE Cluster,
Standalone). Then reconfigure the mapping between Trace Server boards and the U2000
mediation service. For detailed operations, see Configuring the Mapping Between the
Trace Server Boards and the U2000 Mediation Service in U2000 Trace Server User
Guide (ATAE Cluster, Standalone).
● After you change the server IP address, if there is no hardware firewall, it is
recommended that you configure the OS firewall to perform security hardening on the
internal ports of the U2000 server and the U2000 database ports. This increases U2000
system security and reduces the risk of attacks on the U2000 server.
For details, see 8.8 Performing Security Hardening/Unhardening for Internal Ports
of the U2000 Server and 8.9 Performing Security Hardening/Unhardening for
U2000 Database Ports.
● After changing the IP address to one on another network segment, you need to
reconfigure the routes of the U2000 Server. For details, see 2.2 Setting the Routes of
the U2000 Server.
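Steps 2 and 3 of the procedure remove port hardening before the change, and the follow-up items recommend applying it again, so it is worth recording which checks reported hardening beforehand. The Python code below is an added example, not part of the Huawei guide: it classifies pasted check output using only the messages quoted in Steps 2 and 3, and the server labels and sample captures are constructed.

```python
"""Record the pre-change hardening state so it can be restored afterwards."""

# Messages quoted in Step 2 (internal ports) and Step 3 (database ports).
EXPECTED = {
    "internal": {
        "hardened": "The security hardening rules have been set for "
                    "internal ports on the OSS server.",
        "not hardened": "The security hardening rules have not been set for "
                        "internal ports on the OSS server.",
    },
    "database": {
        "hardened": "DB ports have been hardened.",
        "not hardened": "Check DB ports have not been hardened.",
    },
}
# Guide sections that describe hardening for each port type.
SECTION = {"internal": "8.8", "database": "8.9"}


def classify(kind, output):
    """Return 'hardened', 'not hardened' or 'unknown' for captured output.

    Whitespace is collapsed first because terminals wrap the message.
    Anything other than exactly one known message is 'unknown', so a
    truncated or unexpected capture is never read as a clean result.
    """
    text = " ".join(output.split())
    hits = [state for state, msg in EXPECTED[kind].items() if msg in text]
    return hits[0] if len(hits) == 1 else "unknown"


def restore_plan(captures):
    """captures: iterable of (server, kind, output) taken before the change.

    Returns (restore, recheck): checks that reported 'hardened' and must be
    hardened again after the IP change, and checks that need re-running.
    """
    restore, recheck = [], []
    for server, kind, output in captures:
        state = classify(kind, output)
        if state == "hardened":
            restore.append((server, kind, SECTION[kind]))
        elif state == "unknown":
            recheck.append((server, kind))
    return restore, recheck


# Constructed sample captures (server names are labels, not real hosts).
SAMPLE = [
    ("master", "internal",
     "The security hardening rules have been set for internal ports on the OSS\n"
     "server.\n"),
    ("slave", "internal",
     "The security hardening rules have not been set for internal ports on the\n"
     "OSS server.\n"),
    ("standby", "internal", "-bash: command not found\n"),
    ("master", "database", "DB ports have been hardened.\n"),
]

if __name__ == "__main__":
    to_restore, to_recheck = restore_plan(SAMPLE)
    for server, kind, section in to_restore:
        print(f"re-harden {kind} ports on {server} (see section {section})")
    for server, kind in to_recheck:
        print(f"re-run the {kind} port check on {server}")
```

Keep the resulting list with the change record and work through it once the services are running on the new addresses.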
Prerequisites
● You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
● Information about configuring a route is available, such as the destination IP address,
gateway, and subnet mask.
Context
Table 2-1 describes the parameters for managing routes.
Parameter: Description
Destination IP: IP address of the destination network or host. You can provide the IP
address in dotted decimal. For example, 10.70.12.0 indicates that the IP
address of the destination network is 10.70.12.0. 10.70.12.30 indicates
that the IP address of the destination host is 10.70.12.30. When this
parameter is set to default or 0.0.0.0, the default route is used.
Gateway: Gateway IP address of the network where the ATAE cluster system is
deployed.
Subnet Mask/Prefix Length: Subnet mask of the destination network of a board. Set this
parameter based on site requirements.
When the Destination IP parameter is set to default or 0.0.0.0, leave
the subnet mask empty.
Gateway Bond Monitor: Whether to enable gateway link monitoring for network ports on a
board.
NOTE
If the gateways configured for a network interface on a board use the same IP
protocol, you can enable link monitoring of only one gateway.
NOTICE
If SN is set to ALL in Table 2-1, the Network Interface drop-down list displays only the
network ports used by the boards in the U2000 cluster. Therefore, if some boards in the
U2000 cluster use different network ports and you need to set routes for those boards, SN
must be set to the slot numbers of those boards and cannot be set to ALL. You can choose
Hardware Device > Network Interface and then view the network ports used by the boards
in the U2000 cluster on the Network Interface tab page.
Procedure
● Query a route.
a. In the left pane of the OSMU window, expand the Device Management navigation
tree and choose Hardware Device > Route.
b. On the Route tab page in the right pane, set Cluster name, SN, Network
interface, Usage, or Destination IP as required. Then, click Filter.
The route list on this tab page displays the routes that have been set. For
descriptions of the parameters on the tab page, see Table 2-1.
● Refresh routes.
a. In the left pane of the OSMU window, expand the Device Management navigation
tree and choose Hardware Device > Route.
b. On the Route tab page in the right pane, click Refresh and then you can view the
currently configured routes.
● Add a route.
a. Prepare the IP address, subnet mask or subnet prefix length of the destination
network by scenario and the gateway IP address of the network where the ATAE
cluster system is deployed.
NOTICE
If the gateway IP address of the network where the ATAE cluster system is
deployed is not on the same network segment as the public IP address of the board for
which you want to set a route, setting a route for the ATAE cluster system will fail.
b. In the left pane of the OSMU window, expand the Service System navigation tree
and choose Service Management > Board Services.
c. On the Board Services tab page in the right pane, check the running status of the
OGPU board for which you want to set the route. Ensure that the board is in any of
the following states: Normal, Standby, Service Stopped, and Switched Over.
NOTICE
If any OGPU board is in the Faulty state, contact Huawei technical support.
d. In the left pane of the OSMU window, expand the Device Management navigation
tree and choose Hardware Device > Route.
e. On the Route tab page in the right pane, click Add.
f. In the displayed Configure New Route dialog box, set a route by referring to Table
2-1, and click OK.
If SN is set to All, the Network Interface drop-down list displays only the network
ports used by the boards in the U2000 cluster. Therefore, if some boards in the
U2000 cluster use different network ports and you need to set routes for those
boards, SN must be set to the slot numbers of those boards and cannot be set to All.
You can choose Hardware Device > Network Interface and then view the
network ports used by the boards in the U2000 cluster on the Network Interface
tab page.
g. In the displayed dialog box, click OK.
h. In the Centralized Task Management window, check the operating status of the
route adding task, and perform operations based on the execution result.
■ If Status of the task is Succeeded, the route has been added.
■ If Status of the task is Failed, rectify the fault based on the information in
Remarks. Then perform the preceding steps again. If Status is still Failed, contact
Huawei technical support.
● Modify a route.
a. Prepare the IP address, subnet mask or subnet prefix length of the destination
network by scenario and the gateway IP address of the network where the ATAE
cluster system is deployed.
NOTICE
If the gateway IP address of the network where the ATAE cluster system is
deployed is not on the same network segment as the public IP address of the board for
which you want to set a route, setting a route for the ATAE cluster system will fail.
b. In the left pane of the OSMU window, expand the Service System navigation tree
and choose Service Management > Board Services.
c. On the Board Services tab page in the right pane, check the running status of the
OGPU board for which you want to set the route. Ensure that the board is in any of
the following states: Normal, Standby, Service Stopped, and Switched Over.
NOTICE
If any OGPU board is in the Faulty state, contact Huawei technical support.
d. In the left pane of the OSMU window, expand the Device Management navigation
tree and choose Hardware Device > Route.
e. On the Route tab page in the right pane, select the route that you want to modify,
and click Modify.
f. In the Reconfigure Route dialog box, modify the Gateway and Subnet Mask/
Prefix Length, and click OK.
g. In the displayed dialog box, click OK.
h. In the Centralized Task Management window, check the operating status of the
route modification task, and perform operations based on the execution result.
■ If Status of the task is Succeeded, the route has been modified.
■ If Status of the task is Failed, rectify the fault based on the information in
Remarks. Then perform the preceding steps again. If Status is still Failed, contact
Huawei technical support.
● Delete a route.
a. In the left pane of the OSMU window, expand the Device Management navigation
tree and choose Hardware Device > Route.
b. On the Route tab page in the right pane, select the route that you want to delete, and
click Delete.
c. In the displayed dialog box, click Yes, and click OK.
d. In the Centralized Task Management window, check the operating status of the
route deletion task, and perform operations based on the execution result.
■ If Status of the task is Succeeded, the route has been deleted.
■ If Status of the task is Failed, rectify the fault based on the information in
Remarks. Then perform the preceding steps again. If Status is still Failed, contact
Huawei technical support.
----End
NOTE
● If the service network plane isolation solution is used, after configuring the service network plane
ports of the U2000 server, you need to continue to configure the service network plane ports of the
Emergency System Server. For details, see Configuring the Service Network Plane Ports of the
Emergency System Server in U2000 ATAE Cluster Emergency System User Guide.
● If the service network plane isolation solution is used, after configuring the service network plane
ports of the U2000 server, you need to continue to configure the service network plane ports of the
Trace Server. For details, see Configuring the Service Network Plane Ports of the Trace Server
in U2000 Trace Server User Guide (ATAE Cluster, Standalone).
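The route rules above (the default-route and mask rule and the one-monitored-gateway NOTE in Table 2-1, and the same-segment NOTICE under Add a route) can be checked against a planned route list before it is entered in the OSMU. The following Python code is an added example, not part of the guide or the OSMU; the dictionary layout, the CIDR form of the board address, the interface label and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

DEFAULT_DESTINATIONS = {"default", "0.0.0.0"}


def check_route(route, board_interface):
    """Return a list of problems with one planned route (empty if none).

    route: dict with 'destination', 'mask' and 'gateway' as they would be
           typed into the Configure New Route dialog ('mask' may be "").
    board_interface: the board's public address and mask in CIDR form,
           e.g. "10.70.10.21/24" (input format assumed for this example).
    """
    problems = []
    iface = ipaddress.ip_interface(board_interface)
    try:
        gateway = ipaddress.ip_address(route["gateway"])
    except ValueError:
        return [f"gateway {route['gateway']!r} is not an IP address"]

    dest = route["destination"].strip().lower()
    mask = route["mask"].strip()
    if dest in DEFAULT_DESTINATIONS:
        # Table 2-1: for the default route the mask field stays empty.
        if mask:
            problems.append("default route: leave the subnet mask empty")
    elif not mask:
        problems.append("destination needs a subnet mask or prefix length")
    else:
        try:
            # strict=False accepts a host destination such as 10.70.12.30
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"invalid destination or mask: {exc}")
        else:
            if network.version != gateway.version:
                problems.append("destination and gateway use different IP protocols")

    # NOTICE under 'Add a route': the gateway must share the board's segment.
    if gateway.version != iface.version or gateway not in iface.network:
        problems.append(
            f"gateway {gateway} is not on the board segment {iface.network}")
    return problems


def duplicate_monitoring(routes):
    """Return (sn, interface, ip_version) keys where link monitoring is
    enabled for more than one gateway, which the Table 2-1 NOTE rules out."""
    monitored = defaultdict(set)
    for r in routes:
        if r.get("monitor"):
            gw = ipaddress.ip_address(r["gateway"])
            monitored[(r["sn"], r["interface"], gw.version)].add(gw)
    return sorted(key for key, gws in monitored.items() if len(gws) > 1)


# Constructed plan for one board; "if-a" is a placeholder interface label.
BOARD = "10.70.10.21/24"
PLAN = [
    {"sn": 1, "interface": "if-a", "destination": "10.70.12.0",
     "mask": "255.255.255.0", "gateway": "10.70.10.1", "monitor": True},
    {"sn": 1, "interface": "if-a", "destination": "default",
     "mask": "0.0.0.0", "gateway": "10.70.10.254", "monitor": True},
    {"sn": 1, "interface": "if-a", "destination": "10.70.12.30",
     "mask": "32", "gateway": "10.70.11.1", "monitor": False},
]

if __name__ == "__main__":
    for route in PLAN:
        print(route["destination"], check_route(route, BOARD) or "ok")
    print("monitoring conflicts:", duplicate_monitoring(PLAN))
```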
isolate NE devices and enhance NE device protection to protect the devices against invasions
and attacks from the network.
In the U2000 service network plane isolation solution, the OSS uses a dedicated IP address to
communicate with network devices on a network segment and uses different IP addresses on
other network segments to communicate with NE or non-NE devices on different network
segments, such as NMS and clients, thereby achieving network isolation. This solution
requires that the OSS support IP addresses of different network segments.
In Figure 2-1, service network planes 1, 2, 3, and 4 belong to different network segments,
which are isolated from each other. The U2000 server communicates with upper-layer
applications A and B on service network plane 1. The U2000 server communicates with
upper-layer applications C and D on service network plane 2. The U2000 server
communicates with NEs A and B on service network plane 3. The U2000 server
communicates with NE C on service network plane 4.
Figure 2-1 Networking diagram of the U2000 service network plane isolation solution
NOTICE
● Both the U2000 service network plane isolation solution and the network address translation
(NAT) solution are used to achieve network isolation and improve network security. The
two solutions cannot be used concurrently. The U2000 supports both solutions.
Deploy one of them as required.
● Due to port restrictions, the U2000 supports a maximum of two service network planes
when it uses the solution of 3200 equivalent NEs. The U2000 supports a maximum of
three service network planes when it uses other equivalent NE solutions.
● Due to port restrictions, a maximum of two service network planes are supported when
you use Ethernet optical ports to connect to the customer's network. A maximum of three
service network planes are supported when you use network cables to connect to the
customer's network.
● Newly added service network planes include southbound and northbound planes. The
southbound plane is used to communicate with NEs. The northbound plane is used to
communicate with the file interfaces, command line interfaces, alarm streaming interfaces,
LDAP and RADIUS security interfaces on northbound network devices.
● The IP addresses of different service network planes must be on different network
segments.
● The master service board and standby service board must be configured with all service
network planes. A slave service board can be configured with one or more service network
planes.
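The constraints in this NOTICE can be checked against a written plan before any cabling or OSMU configuration. The following Python code is an added example, not part of the guide: the plane names, board names and networks are constructed, and applying the port-restriction limit to every plane listed in the plan is an assumption. It also shows why comparing segments by eye is unreliable, because 10.20.0.0/16 and 10.20.5.0/24 look different but overlap.

```python
import ipaddress
from itertools import combinations


def plane_limit(uses_3200_equivalent_ne, uses_optical_ports):
    """Maximum number of service network planes under the port restrictions:
    two for the 3200-equivalent-NE solution or Ethernet optical ports,
    otherwise three."""
    return 2 if (uses_3200_equivalent_ne or uses_optical_ports) else 3


def check_plan(planes, boards, limit):
    """Return a list of problems in a service network plane plan.

    planes: {plane name: network in CIDR form}
    boards: {board name: (role, set of plane names)} with role being
            'master', 'standby' or 'slave'
    limit:  value from plane_limit()
    """
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in planes.items()}
    known = set(nets)

    if len(nets) > limit:
        problems.append(f"{len(nets)} planes planned, limit is {limit}")

    # Different planes must be on different network segments.
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            problems.append(f"{a} ({net_a}) and {b} ({net_b}) share a network segment")

    # Master and standby boards need every plane; a slave needs at least one.
    for board, (role, assigned) in sorted(boards.items()):
        unknown = sorted(assigned - known)
        missing = sorted(known - assigned)
        if unknown:
            problems.append(f"{board} references unplanned planes {unknown}")
        if role in ("master", "standby") and missing:
            problems.append(f"{board} ({role}) lacks planes {missing}")
        elif role == "slave" and not (assigned & known):
            problems.append(f"{board} (slave) has no service network plane")
    return problems


# Constructed plan: names and addresses are illustrative only.
PLANES = {
    "north-1": "10.20.0.0/16",
    "south-1": "10.20.5.0/24",   # falls inside north-1
    "south-2": "10.30.0.0/24",
}
BOARDS = {
    "slot1": ("master", {"north-1", "south-1", "south-2"}),
    "slot2": ("standby", {"north-1", "south-1"}),
    "slot3": ("slave", {"south-2"}),
    "slot4": ("slave", set()),
}

if __name__ == "__main__":
    for problem in check_plan(PLANES, BOARDS, plane_limit(False, False)):
        print(problem)
```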
Prerequisites
● Network cables and cable ties are available for use.
● Diagonal pliers are available for use.
● The network ports of the new service network planes and switch VLANs have been
planned.
Context
NOTICE
● You do not need to perform operations related to standby boards if they do not exist.
● All service network planes must be configured for the master and standby service boards.
One or more service network planes can be configured for slave service boards. Connect
cables on the boards based on the actual planning.
Each time you add a service network plane for the U2000, plan a VLAN for switches first and
then route network cables from the U2000 service board and standby service board to the
corresponding VLAN of the switches.
The two switches require the same number of ports. The number of ports on the switches
required by the newly planned VLAN depends on the number of U2000 service boards and
standby service boards:
● Number of VLANs to plan = Number of service network planes to add
● Maximum number of network ports required by a switch = (Number of U2000
service boards + Number of standby service boards) x Number of VLANs to plan
In the following examples, there are three U2000 service boards and one standby service
board; three service network planes are added. Calculate the number of ports and plan VLANs
based on actual conditions.
Three VLANs need to be planned for each switch. Each switch requires 12 ports: (3 + 1) x 3 =
12. Table 2-2 describes the VLAN planning for a switch.
Figure 2-2 shows the rear transition module (RTM) of the U2000 service board and standby
service board.
Figure 2-2 Ports on the RTM of the U2000 service board and standby service board
Procedure
Step 1 Determine the total number of U2000 service boards and standby service boards and the slots
for housing the boards. Then, make two labels for each board based on the following rules:
● The labels for the U2000 boards in the subrack (XY-MPS-1-5) are named as follows:
<number of the slot for the board>.a, <number of the slot for the board>.b,
<number of the slot for the board>.c, <number of the slot for the board>.d,
<number of the slot for the board>.e and <number of the slot for the board>.f.
● The labels for the U2000 boards in the subrack (XY-EPS-1-6) are named as follows:
<14+number of the slot for the board>.a, <14+number of the slot for the board>.b,
<14+number of the slot for the board>.c, <14+number of the slot for the board>.d,
<14+number of the slot for the board>.e and <14+number of the slot for the
board>.f.
Step 2 Connect network ports of U2000 service boards and standby service boards to the ports
of the corresponding VLANs on the switches based on the following rules:
Each service board has six network ports, including three groups of ports. The two ports in
each group work in redundancy mode and form a logical port. When adding a service network
plane, route network cables from a group of unused ports on the U2000 service board and
standby service board to the corresponding ports on the switch. The following table lists the
port mapping and grouping.
NOTICE
● XY in the labels in the following description is a random number generated at delivery.
You need to select the cabinet, subrack, board, disk array, and cables with the same random
number for onsite installation. For example, in a cabinet having the label AB-MPRII-1, the
label of the main processing subrack (MPS) is AB-MPS-1-5 and the label of the board in
slot 1 is AB-MPS-1-5-1.
● Figure 2-3 provides the cable connections when devices are fully configured
in the cabinet. If devices in the cabinet are not fully configured in actual situations,
connect only the actually configured devices and ignore the connections for unconfigured
devices. Check the locations of the actually configured devices and labels before
connecting the cables.
Table 2-4 Mapping between ports on U2000-related boards and those on the switches
U2000-related Board Label | Slot | Port on the U2000-related Board | Cable Label | Port on the Switches
Step 3 Verify that each U2000 board connects to the switches properly.
● If the indicators for the Card2 (PMC2)-LAN0, Card2 (PMC2)-LAN1, Card3 (PMC3)-LAN0,
Card3 (PMC3)-LAN1, Card4 (PMC4)-LAN0, and Card4 (PMC4)-LAN1
ports on each U2000 board are steady green or blink yellow, the board connects to the
switch properly.
● If the indicators for the Card2 (PMC2)-LAN0, Card2 (PMC2)-LAN1, Card3 (PMC3)-LAN0,
Card3 (PMC3)-LAN1, Card4 (PMC4)-LAN0, and Card4 (PMC4)-LAN1
ports on each U2000 board are off, check that the board's cables are connected properly
as planned. Contact Huawei technical support if the cables are connected properly but
the indicators are still off.
----End
Prerequisites
● A PC is available, including the serial port and RS-232 power cable.
● The cables of the U2000 hardware devices have been arranged properly. For detailed
operations, see 2.3.2 Connecting the Service Network Plane Ports of the U2000
Server to Switches.
● You have contacted Huawei technical support engineers to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Context
● The VLAN planning for network ports of the two switches is the same. Plan the VLANs
and network ports based on site conditions. Table 2-5 describes the VLAN planning for
a switch. In the following example, the U2000 management capability is 800 equivalent
NEs, and three service network planes are added to the U2000.
– Ports LAN05 and LAN08 on the switch are used for this VLAN. Reserved network port
LAN09 is used for connecting the Trace Server to the customer's network. Reserved
network port LAN10 is used for cascading switches.
– Ports LAN11 to LAN14 on the switch are used for this VLAN. Reserved network port
LAN15 is used for connecting the Trace Server to the customer's network. Reserved
network port LAN16 is used for cascading switches.
– Ports LAN17 to LAN20 on the switch are used for this VLAN. Reserved network port
LAN21 is used for connecting the Trace Server to the customer's network. Reserved
network port LAN22 is used for cascading switches.
– The other ports on the switch are used for this VLAN.
● Before using network cables to connect two switches on a newly added service network
plane to the customer's network, plan VLANs for the network ports on the two switches.
● Before using optical fibers to connect two switches on a newly added service network
plane to the customer's network, plan VLANs for the network ports and optical ports on
the two switches.
● If VLAN planning has been performed for the ports on switches, you can delete the
configurations of unused ports and then plan these ports to the newly added VLAN.
Procedure
Step 1 Use an RS-232 cable to connect the COM port on the PC to the console port on the switch.
Parameter: Value
Serial line to connect to: Specify a serial port (for example, COM1) of the PC terminal
to connect the PC terminal to the switch.
NOTE
The PC may contain several serial ports. To check the name and number of a serial port
on a PC running the Windows 7 operating system, choose Control
Panel and locate Device Manager. In the displayed Device Manager,
choose Port to check the name and number of the serial port.
Speed: 9600
Data bits: 8
Stop bits: 1
Parity: None
4. Choose Session from the navigation tree in the left pane. In the right pane, choose
Serial, and click Open.
NOTE
You do not need to enter the user name and password when logging in to a switch of an earlier
version. Therefore, security risks exist. To improve system security, upgrade the switch to the
latest version. For detailed operations, see the upgrade guide.
Step 3 Press Enter until the command-line prompt for the user view is displayed, for example,
<Quidway>.
If switches are connected to the customer's network using network cables, see Planning
VLANs for network interfaces.
If switches are connected to the customer's network using optical fibers, see Planning
VLANs for network interfaces and optical ports.
...
#
interface gigabitethernet 0/0/48
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
c. Run the following command to view the VLAN planning of a switch. If VLAN
planning is not performed for the switch, skip this step.
[Quidway] display port vlan
[Quidway] quit
If VLAN planning has been performed for certain ports on the switch, delete the
configurations of unused ports based on actual conditions. The following describes
how to delete the configurations. Port Gigabitethernet 0/0/2 is used as an example.
■ Run the following commands to delete VLAN configurations:
<Quidway> system-view
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] vlan 2
[Quidway-vlan2] undo port GigabitEthernet 0/0/2
[Quidway-vlan2] quit
[Quidway]
■ Run the following commands to delete the link-type configurations of unused
ports:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] undo port link-type
■ Run the following command to check whether the port configurations have
been deleted:
[Quidway-GigabitEthernet0/0/2] display this
■ When the following information is displayed, enter the file name to save the
switch configuration information in the form of a file package:
Info: Please input the file name(*.cfg,*.zip)vrpcfg.zip
■ Run the following command to check whether the switch configuration is
correct:
<Quidway> dis cur
If the switch configuration is incorrect, modify the configuration and save the
modified configuration.
● Planning VLANs for network interfaces and optical ports
a. Run the following command to open the system view:
<Quidway> system-view
[Quidway]
In the command output, 0/0/X is the port number. 0/0/1 maps to the LAN01 port
on the switch, 0/0/2 maps to the LAN02 port, and so on.
#
interface gigabitethernet 0/0/1
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
#
interface gigabitethernet 0/0/2
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
...
#
interface gigabitethernet 0/0/48
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
c. Run the following command to view the VLAN planning of a switch. If VLAN
planning is not performed for the switch, skip this step.
[Quidway] display port vlan
[Quidway] quit
If VLAN planning has been performed for certain ports on the switch, delete the
configurations of unused ports based on actual conditions. The following describes
how to delete the configurations. Port Gigabitethernet 0/0/2 is used as an example.
■ Run the following commands to delete VLAN configurations:
<Quidway> system-view
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] vlan 2
[Quidway-vlan2] undo port GigabitEthernet 0/0/2
[Quidway-vlan2] quit
[Quidway]
■ Run the following commands to delete the link-type configurations of unused
ports:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] undo port link-type
■ Run the following command to check whether the port configurations have
been deleted:
[Quidway-GigabitEthernet0/0/2] display this
If the command output shows no configuration information starting with
"port", the configurations of these ports have been restored to the default
configurations.
[Quidway-GigabitEthernet0/0/2] quit
d. Plan VLANs for ports on the switch based on onsite planning as follows:
■ Create a VLAN, for example, VLAN X. X indicates the VLAN ID.
[Quidway] vlan X
[Quidway-vlanX] quit
[Quidway]
■ Add the ports planned for the newly added service network plane to VLAN X.
Set link-type of these ports to access. The following commands use port
GigabitEthernet0/0/2 as an example:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] quit
■ Add the ports planned for the newly added southbound or northbound plane to
VLAN X.
[Quidway] vlan X
[Quidway-vlanX] port gigabitethernet <port No.>
[Quidway-vlanX] quit
[Quidway]
e. If switches are connected to the customer's network using optical fibers, and the
switches and the customer's network belong to different VLANs, then each time you add
a southbound or northbound plane you need to cascade the optical ports of the switches
and plan VLANs for the optical ports used by the newly added southbound or
northbound plane. The following describes how to plan VLANs, using port
XGigabitEthernet 0/0/2 as an example.
[Quidway] interface XGigabitEthernet 0/0/2
[Quidway-XGigabitEthernet0/0/2] port link-type access
[Quidway-XGigabitEthernet0/0/2] quit
[Quidway] vlan X
[Quidway-vlanX] port XGigabitethernet 0/0/2
[Quidway-vlanX] quit
If optical ports are insufficient, configure a cascaded optical port as a trunk based
on site conditions. In this way, data exchange is allowed between the VLAN to
which that optical port belongs and the VLAN to which the southbound or
northbound network belongs. The following provides an example for the
configuration, in which the newly added service network plane belongs to VLAN 3
and cascaded port XGigabitEthernet 0/0/3 belongs to VLAN 2:
[Quidway] interface XGigabitEthernet 0/0/3
[Quidway-XGigabitEthernet0/0/3] port link-type trunk
[Quidway-XGigabitEthernet0/0/3] port trunk allow-pass vlan 2 to 3
[Quidway-XGigabitEthernet0/0/3] quit
f. Run the following commands to save the configuration:
[Quidway] quit
<Quidway> save
■ When the following information is displayed, enter Y to save the configuration
on the switch.
The current configuration will be written to the device. Are you sure to continue? [Y/N]
■ When the following information is displayed, enter the file name to save the
switch configuration information in the form of a file package:
Info: Please input the file name(*.cfg,*.zip)vrpcfg.zip
■ Run the following command to check whether the switch configuration is
correct:
<Quidway> dis cur
If the switch configuration is incorrect, modify the configuration and save the
modified configuration.
----End
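The two checks in this procedure (a cleaned-up port shows no configuration lines starting with "port", and a cascaded trunk passes only the planned VLANs) can be run offline against a saved copy of the configuration. The following Python script is an added example, not part of this guide or of any Huawei tool; the function names and the sample configuration are constructed for illustration, and the sample's "port default vlan" and "allow-pass vlan all" lines are VRP syntax that this guide itself does not show.

```python
import re

# Constructed sample in the style of `display current-configuration` output.
# Port names and VLANs 2/3 follow the procedure's examples; the residual lines
# on GigabitEthernet0/0/2, the extra VLAN 4 and the trunk on 0/0/5 are planted.
SAMPLE_CFG = """\
#
interface GigabitEthernet0/0/1
 stp edged-port disable
 broadcast-suppression 14880
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
 stp edged-port disable
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan all
#
interface XGigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4
#
"""

IFACE_RE = re.compile(r"^interface\s+(\S+?)\s*(\d+/\d+/\d+)$", re.IGNORECASE)
ALLOW_PASS = "port trunk allow-pass vlan "


def norm(name):
    """Make 'GigabitEthernet 0/0/2' and 'gigabitethernet0/0/2' compare equal."""
    return re.sub(r"\s+", "", name).lower()


def parse_interfaces(cfg_text):
    """Return {normalized interface name: [config lines under it]}."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = norm(match.group(1) + match.group(2))
            sections[current] = []
        elif line in ("", "#") or line.lower().startswith("interface "):
            current = None  # section boundary, or an interface type we skip
        elif current is not None:
            sections[current].append(line)
    return sections


def expand_vlans(spec):
    """Expand '2 to 3', '2 5 to 7' or 'all' into a set of VLAN IDs."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].lower() == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(cfg_text, unused_ports, planned_trunks):
    """Return sorted (interface, finding) tuples.

    unused_ports:   ports expected to be back at defaults (no 'port' lines).
    planned_trunks: {trunk port: set of VLAN IDs the site plan allows}.
    """
    sections = parse_interfaces(cfg_text)
    findings = []
    # Check 1: the procedure's rule that a cleaned port shows no 'port' lines.
    for port in unused_ports:
        for line in sections.get(norm(port), []):
            if line.lower().startswith("port"):
                findings.append((norm(port), "residual config: " + line))
    # Check 2: every trunk is planned and passes exactly the planned VLANs.
    plan = {norm(p): set(v) for p, v in planned_trunks.items()}
    for name, lines in sections.items():
        lowered = [entry.lower() for entry in lines]
        if "port link-type trunk" not in lowered:
            continue
        allowed = set()
        for low in lowered:
            if low.startswith(ALLOW_PASS):
                allowed |= expand_vlans(low[len(ALLOW_PASS):])
        if name not in plan:
            findings.append((name, "trunk port is not in the plan"))
            continue
        extra, missing = allowed - plan[name], plan[name] - allowed
        if extra:
            findings.append((name, "unplanned VLANs allowed: %s" % sorted(extra)))
        if missing:
            findings.append((name, "planned VLANs missing: %s" % sorted(missing)))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CFG, ["GigabitEthernet 0/0/2"],
                                {"XGigabitEthernet 0/0/3": {2, 3}}):
        print(iface, "->", finding)
```

An empty result means the saved configuration matches the plan; any trunk that passes more VLANs than the two it is meant to bridge shows up as a finding.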
Prerequisites
● A PC is available, including the serial port and RS-232 power cable.
● The cables of the U2000 hardware devices have been arranged properly. For detailed
operations, see 2.3.2 Connecting the Service Network Plane Ports of the U2000
Server to Switches.
● You have contacted Huawei technical support engineers to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Context
● The VLAN planning for network ports of the two switches is the same. Plan the VLANs
and network ports based on site conditions. Table 2-7 describes the VLAN planning for
a switch. In the following example, the U2000 management capability is 800 equivalent
NEs, and three service network planes are added to the U2000.
VLAN column 1: Ports LAN05 and LAN08 on the switch are used for this VLAN. Reserved network port LAN09 is used for connecting the Trace Server to the customer's network. Reserved network port LAN10 is used for cascading switches.
VLAN column 2: Ports LAN11 to LAN14 on the switch are used for this VLAN. Reserved network port LAN15 is used for connecting the Trace Server to the customer's network. Reserved network port LAN16 is used for cascading switches.
VLAN column 3: Ports LAN17 to LAN20 on the switch are used for this VLAN. Reserved network port LAN21 is used for connecting the Trace Server to the customer's network. Reserved network port LAN22 is used for cascading switches.
VLAN column 4: The other ports on the switch are used for this VLAN.
● Before using network cables to connect two switches on a newly added service network
plane to the customer's network, plan VLANs for the network ports on the two switches.
● Before using optical fibers to connect two switches on a newly added service network
plane to the customer's network, plan VLANs for the network ports and optical ports on
the two switches.
● If VLAN planning has been performed for the ports on switches, you can delete the
configurations of unused ports and then assign these ports to the newly added VLAN.
Procedure
Step 1 Use an RS-232 cable to connect the COM port on the PC to the console port on the switch.
Parameter                    Value
Serial line to connect to    Specify a serial port (for example, COM1) of the PC terminal to connect the PC terminal to the switch.
                             NOTE: The PC may contain several serial ports. To check the name and number of a serial port on a PC running the Windows 7 operating system, choose Control Panel and locate Device Manager. In the displayed Device Manager, choose Port.
Speed                        9600
Data bits                    8
Stop bits                    1
Parity                       None
4. Choose Session from the navigation tree in the left pane. In the right pane, choose
Serial, and click Open.
NOTE
A switch running an earlier version does not ask for a user name and password at login,
which is a security risk: anyone who can connect to the console port gets command-line
access. To improve system security, upgrade the switch to the latest version. For detailed
operations, see the upgrade guide.
Step 3 Press Enter until the command-line prompt for the user view is displayed, for example,
<Quidway>.
If switches are connected to the customer's network using network cables, see Planning VLANs for network interfaces.
If switches are connected to the customer's network using optical fibers, see Planning VLANs for network interfaces and optical ports.
...
#
interface gigabitethernet 0/0/48
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
c. Run the following command to view the VLAN planning of a switch. If VLAN
planning is not performed for the switch, skip this step.
[Quidway] display port vlan
[Quidway] quit
If VLAN planning has been performed for certain ports on the switch, delete the
configurations of unused ports based on actual conditions. The following describes
how to delete the configurations. Port Gigabitethernet 0/0/2 is used as an example.
■ Run the following commands to delete VLAN configurations:
<Quidway> system-view
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] vlan 2
[Quidway-vlan2] undo port GigabitEthernet 0/0/2
[Quidway-vlan2] quit
[Quidway]
■ Run the following commands to delete the link-type configurations of unused
ports:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] undo port link-type
■ Run the following command to check whether the port configurations have
been deleted:
[Quidway-GigabitEthernet0/0/2] display this
If the command output shows no configuration information starting with
"port", the configurations of these ports have been restored to the default
configurations.
[Quidway-GigabitEthernet0/0/2] quit
d. Plan VLANs for ports on the switch based on onsite planning as follows:
■ Create a VLAN, for example, VLAN X. X indicates the VLAN ID.
[Quidway] vlan X
[Quidway-vlanX] quit
[Quidway]
■ Add the ports planned for the newly added service network plane to VLAN X.
Set link-type of these ports to access. The following commands use port
GigabitEthernet0/0/2 as an example:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] quit
■ Add the ports planned for the newly added southbound or northbound plane to
VLAN X.
[Quidway] vlan X
[Quidway-vlanX] port gigabitethernet <port No.>
[Quidway-vlanX] quit
[Quidway]
e. Run the following commands to save the configuration:
[Quidway] quit
<Quidway> save
■ When the following information is displayed, enter Y to save the configuration
on the switch.
The current configuration will be written to the device. Are you sure to continue? [Y/N]
■ When the following information is displayed, enter the file name to save the
switch configuration information in the form of a file package:
Info: Please input the file name(*.cfg,*.zip)vrpcfg.zip
■ Run the following command to check whether the switch configuration is
correct:
<Quidway> dis cur
If the switch configuration is incorrect, modify the configuration and save the
modified configuration.
● Planning VLANs for network interfaces and optical ports
a. Restructure the optical ports of the switches. For details, see 2.3.5 Restructuring
Switch S5310-52C-EI.
b. Run the following command to open the system view:
<Quidway> system-view
[Quidway]
...
#
interface gigabitethernet 0/0/48
stp edged-port disable
broadcast-suppression 14880
multicast-suppression 14880
unicast-suppression 14880
d. Run the following command to view the VLAN planning of a switch. If VLAN
planning is not performed for the switch, skip this step.
[Quidway] display port vlan
[Quidway] quit
If VLAN planning has been performed for certain ports on the switch, delete the
configurations of unused ports based on actual conditions. The following describes
how to delete the configurations. Port Gigabitethernet 0/0/2 is used as an example.
■ Run the following commands to delete VLAN configurations:
<Quidway> system-view
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] vlan 2
[Quidway-vlan2] undo port GigabitEthernet 0/0/2
[Quidway-vlan2] quit
[Quidway]
■ Run the following commands to delete the link-type configurations of unused
ports:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] undo port link-type
■ Run the following command to check whether the port configurations have
been deleted:
[Quidway-GigabitEthernet0/0/2] display this
If the command output shows no configuration information starting with
"port", the configurations of these ports have been restored to the default
configurations.
[Quidway-GigabitEthernet0/0/2] quit
e. Plan VLANs for ports on the switch based on onsite planning as follows:
■ Create a VLAN, for example, VLAN X. X indicates the VLAN ID.
[Quidway] vlan X
[Quidway-vlanX] quit
[Quidway]
■ Add the ports planned for the newly added service network plane to VLAN X.
Set link-type of these ports to access. The following commands use port
GigabitEthernet0/0/2 as an example:
[Quidway] interface GigabitEthernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port link-type access
[Quidway-GigabitEthernet0/0/2] quit
■ Add the ports planned for the newly added southbound or northbound plane to
VLAN X.
[Quidway] vlan X
[Quidway-vlanX] port gigabitethernet <port No.>
[Quidway-vlanX] quit
[Quidway]
f. If switches are connected to the customer's network using optical fibers, and the
switches and the customer's network belong to different VLANs, then each time you add
a service network plane you need to cascade the optical ports of the switches and plan
VLANs for the optical ports used by the newly added service network plane. The
following describes how to plan VLANs, using port XGigabitEthernet 0/0/2 as an
example.
[Quidway] interface XGigabitEthernet 0/0/2
[Quidway-XGigabitEthernet0/0/2] port link-type access
[Quidway-XGigabitEthernet0/0/2] quit
[Quidway] vlan X
[Quidway-vlanX] port XGigabitethernet 0/0/2
[Quidway-vlanX] quit
If optical ports are insufficient, configure a cascaded optical port as a trunk based
on site conditions. In this way, data exchange is allowed between the VLAN to
which that optical port belongs and the VLAN to which the southbound or
northbound network belongs. The following provides an example for the
configuration, in which the newly added service network plane belongs to VLAN 3
and cascaded port XGigabitEthernet 0/0/4 belongs to VLAN 2:
[Quidway] interface XGigabitEthernet 0/0/4
[Quidway-XGigabitEthernet0/0/4] port link-type trunk
[Quidway-XGigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3
[Quidway-XGigabitEthernet0/0/4] quit
g. Run the following commands to save the configuration:
[Quidway] quit
<Quidway> save
■ When the following information is displayed, enter Y to save the configuration
on the switch.
The current configuration will be written to the device. Are you sure to continue? [Y/N]
■ When the following information is displayed, enter the file name to save the
switch configuration information in the form of a file package:
Info: Please input the file name(*.cfg,*.zip)vrpcfg.zip
■ Run the following command to check whether the switch configuration is
correct:
<Quidway> dis cur
If the switch configuration is incorrect, modify the configuration and save the
modified configuration.
----End
Prerequisites
● The 2-port 10 GE optical interface cards are available.
● Optical modules for connecting switches to the telecom operator's network are available.
Procedure
Step 1 Remove the filler panel on the rear panel of the switch, at the positions marked 1 in
Figure 2-5. Figure 2-4 and Figure 2-5 show the front view and rear view of the switch, respectively.
1 Filler panel on the rear panel 2 Filler panel on the rear panel
Step 2 Insert the optical interface card into the rear card slot of the switch. Then, lower the ejector
lever and fasten the captive screws.
Step 3 Insert the optical modules into the positions marked 1 in Figure 2-6.
Push each optical module firmly into position. If you hear a click or feel a slight tremor,
the optical module is securely locked.
2 reserve. -
----End
2.3.6 Setting the IP Addresses and Routes for the Service Network
Plane of the U2000 Server
This section describes how to configure the IP addresses and routes for the service network
plane of the U2000 server. Configure the IP addresses for the service network plane based on
actual conditions. If the IP addresses for the service network plane do not need to be
configured, skip this section.
Prerequisites
● The U2000 server software has been installed.
● You have logged in to the OSMU using a web browser. For details, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
● The IP addresses and subnet mask of the new service network planes have been planned.
Procedure
Step 1 Perform operations by scenario.
Scenario: Query current network interfaces
1. In the left pane of the OSMU window, expand the Device Management navigation tree and choose Hardware Device > Network Interface.
2. On the Network Interface tab page, set Cluster name, SN, Network interface, or Usage as required. Then, click Filter.
The network interface list on this tab page displays the network interfaces that have been set.
Scenario: Query or set the network interface state
1. In the left pane of the OSMU window, expand the Device Management navigation tree and choose Hardware Device > Network Interface.
2. On the Network Interface tab page, select the network interface whose state you want to query or set.
3. Click Query Network Interface Status.
4. Information, such as the names of the network interfaces bound with the current network interface, names of network interfaces on the OS, active/standby state, and connection state, is displayed in the Query Network Interface Status dialog box.
5. Select the required active/standby state in the drop-down list of the Active/Standby Status column and click OK.
NOTE
– You can change the active/standby state only of the bond interface.
– Only one of a pair of network interfaces on a board can be set to the active interface. To change the standby interface to the active interface, you also need to change the active interface to the standby interface.
– When a network interface is in the Link Down state and the active/standby state is --, you cannot change its active/standby state.
6. In the Query Network Interface Status dialog box, click OK.
On the Centralized Task Management tab page in the lower part of the window, view the task execution status. When Status is displayed as Succeeded, the network interfaces have been added. Otherwise, contact Huawei technical support engineers.
If you need to add network interfaces, then:
1. Connect the interface you want to add and the port on the switch using a
network cable.
2. In the left pane of the OSMU window, expand the Service System
navigation tree and choose Service Management > Board Services.
3. On the Board Services tab page in the right pane, check whether the
board is running properly.
The board is running properly if it is in either of the following states:
– Normal
– Standby
4. In the left pane of the OSMU window, expand the Device Management
navigation tree and choose Device Information > Details.
5. On the Details tab page, select the U2000 service board and standby
service board to view the detailed information in the board list.
The detailed information about the selected board is displayed in the
Board details area. Ensure that the OEM part running status is
Running. Otherwise, contact Huawei technical support. After the problem
is resolved, you are allowed to perform the following steps.
6. In the left pane of the OSMU window, expand the Device Management
navigation tree and choose Hardware Device > Network Interface.
7. On the Details tab page, select the board for which you want to add
network interfaces in the board list.
The detailed information about the selected board is displayed in the
Board details area. Ensure that the OEM part running status is
Running. Otherwise, contact Huawei technical support engineers. After
the problem is resolved, you are allowed to perform the following steps.
8. In the left pane of the OSMU window, expand the Device Management
navigation tree and choose Hardware Device > Network Interface.
9. On the Network Interface tab page, click Export.
10. When the system displays the message Export succeeded, click OK to
export the network interface information.
The exported network interface information is stored in the
Port_Export_YYYYMMDDhhmmss.zip file that is displayed on the
Network Interface tab page as a hyperlink. YYYY indicates year. MM
indicates month. DD indicates date. hh indicates hour. mm indicates
minute. ss indicates second.
11. Click the Port_Export_YYYYMMDDhhmmss.zip hyperlink. In the
displayed dialog box, click Save to save the file to a directory on the PC.
NOTE
All service network planes must be configured for the master and standby service
boards. One or more service network planes can be configured for slave service
boards. Add network ports based on the actual planning.
12. Decompress Port_Export_YYYYMMDDhhmmss.zip to obtain the
network interface information file Port_Export.xls.
13. On the Network Interface sheet of the network interface information file
Port_Export.xls, set Status of the network interface to Use. Then, set
network interface parameters and save the settings.
14. Click Import.
15. In the displayed dialog box, select the network interface information file
Port_Export.xls in the xls, xlsx, or xlsm format, and click Open to
import the file.
To avoid import failures, do not perform any operations when importing
the network interface information file. When the system displays Import
succeeded, the file has been imported successfully.
16. In the Centralized Task Management window, check the operating
status of the task for adding network interfaces, and perform operations
based on the execution result.
– If Status of the task is Succeeded, network interfaces have been
added.
– If Status of the task is Failed, rectify the fault based on the
information in Remarks. Then perform the preceding steps again. If Status is still
Failed, contact Huawei technical support engineers.
NOTE
Logical port names vary by newly added ports. For details about the port
mapping, see Table 2-3 in 2.3.2 Connecting the Service Network Plane Ports
of the U2000 Server to Switches. The following uses logical port bond2 as an
example:
bond2 Link encap:Ethernet HWaddr 00:25:9E:B5:F6:E8
inet addr:172.16.139.227 Bcast:172.16.139.255 Mask:255.255.254.0
inet6 addr: fe80::225:9eff:feb5:f6e8/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:647081 errors:0 dropped:0 overruns:0 frame:0
TX packets:2747 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45476425 (43.3 Mb) TX bytes:177108 (172.9 Kb)
If the displayed IP address and subnet mask are consistent with the
actual ones, you have configured the IP address successfully.
Otherwise, contact Huawei technical support.
If you need to add network interfaces, then:
1. Connect the interface you want to add and the port on the switch using a
network cable.
2. In the left pane of the OSMU window, expand the Service System
navigation tree and choose Service Management > Board Services.
3. On the Board Services tab page in the right pane, check whether the
board is running properly.
The board is running properly if it is in either of the following states:
– Normal
– Standby
4. In the left pane of the OSMU window, expand the Device Management
navigation tree and choose Device Information > Details.
5. On the Details tab page, select the U2000 service board and standby
service board to view the detailed information in the board list.
The detailed information about the selected board is displayed in the
Board details area. Ensure that the OEM part running status is
Running. Otherwise, contact Huawei technical support. After the problem
is resolved, you are allowed to perform the following steps.
6. In the left pane of the OSMU window, expand the Device Management
navigation tree and choose Hardware Device > Network Interface.
7. On the Network Interface tab page, click Add.
8. In the displayed Add Network Interface dialog box, select Bond Dual
Network Interfaces, and click Next.
9. The Filter function helps you quickly find network ports to be added.
a. Select the corresponding network port name from the Network
Interface drop-down list. For the mapping between network port
names and logical network ports, see Table 2-3 in 2.3.2 Connecting
the Service Network Plane Ports of the U2000 Server to Switches.
b. Select the usage for the network port to be added from the Usage drop-down
list, and click Filter.
c. Select the board on which the network port is to be added from the
network port list box, and click Finish. In the displayed dialog box,
click OK.
NOTE
– All service network planes must be configured for the master and standby
service boards. One or more service network planes can be configured for slave
service boards. Add network ports based on the actual planning.
– In Remarks, you can enter a brief description of the network interfaces to be
added as required.
10. In the Centralized Task Management window, check the operating
status of the task for adding network interfaces, and perform operations
based on the execution result.
– If Status of the task is Succeeded, network interfaces have been
added.
If the displayed IP address and subnet mask are consistent with the
actual ones, you have configured the IP address successfully.
Otherwise, contact Huawei technical support.
----End
Prerequisites
● The U2000 server software has been installed.
● You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
Procedure
SN Procedure
please input NE segment IP number[MIN:1,MAX:100, all] for SouthIP:192.168.100.173
NOTE
all indicates the network segments of all NEs.
● The entered value should be an integer ranging from 1 to 100 or the
word all. If an invalid value is entered, the system prompts you to
enter a correct value:
please input the correct number of IP segment[MIN:1,MAX:100, all] <Input number must be integer or all>;
● The system prompts you to enter the next network segment after you enter
a network segment, until the number of entered network segments
reaches the number of network segments required for the southbound
IP address.
please input the IP segment[1]:
10.10.9
please input the IP segment[2]:
10.10.8
If the system displays the following information, the file transfer fails. In
this case, contact Huawei technical support.
ssh: connect to host 192.168.100.160 port 22: Connection timed out
lost connection
f. Stop the U2000 services. For details, see 4.6 Stopping U2000 Services.
g. Start the U2000 services. For details, see 4.5 Starting U2000 Services.
NOTE
After the network segments are configured for the southbound IP addresses, restart
all U2000 services so that the configuration can take effect.
SN Procedure
please input NE segment IP number[MIN:1,MAX:100, all] for SouthIP:192.168.100.173
NOTE
all indicates the network segments of all NEs.
● The entered value should be an integer ranging from 1 to 100 or the
word all. If an invalid value is entered, the system prompts you to
enter a correct value:
please input the correct number of IP segment[MIN:1,MAX:100, all] <Input number must be integer or all>;
● The system prompts you to enter the next network segment after you enter
a network segment, until the number of entered network segments
reaches the number of network segments required for the southbound
IP address.
please input the IP segment[1]:
10.10.9
please input the IP segment[2]:
10.10.8
__updateXmlFile__ enter
set NeServerIpListCfg.xml complete!
If the system displays the following information, the file transfer fails. In
this case, contact Huawei technical support.
ssh: connect to host 192.168.100.160 port 22: Connection timed out
lost connection
Context
● If the U2000 service network plane solution is used and the Trace Server is deployed in
the U2000 system, you need to configure, on the U2000 server, the mapping between the
Trace Server boards and the boards where the U2000 mediation service is running. This
ensures that the Trace Server and the U2000 use IP addresses on the same plane
to communicate with NEs. If the U2000 service network plane solution is not used or the
Trace Server is not deployed in the U2000 system, skip this section.
● If the U2000 system is configured with an independently deployed Trace Server, and the
Trace Server uses the service network plane isolation solution, you need to reconfigure
the mapping between Trace Server boards and the U2000 mediation service. For detailed
operations, see Configuring the Mapping Between the Trace Server Boards and the
U2000 Mediation Service in U2000 Trace Server User Guide (ATAE Cluster,
Standalone).
● If the Trace Server board is configured as a PS board, you do not need to configure the
mapping between the PS board and the U2000 mediation service.
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board in SSH mode as user ossuser.
~> . /opt/oss/server/svc_profile.sh
~> cd /opt/oss/server/rancn/bin
Step 3 Run the following command to generate the configuration file recording the mapping:
Step 4 Run the following command to synchronize the configuration file recording the mapping to
other server:
----End
Prerequisites
● Optical fibers and fiber binding tapes are available for use before you connect switches
to the telecom operator's network through optical fibers.
● Network cables and cable ties are available for use before you connect switches to the
telecom operator's network through network cables.
● Diagonal pliers are available for use.
Context
Pay attention to the following when connecting optical fibers:
● The optical module is electrostatic-sensitive. It must be kept in an antistatic, dust-free
environment during transport, storage, and use.
● Optical connectors must be clean and free of scratches.
● Unused optical fibers and optical modules should be covered with protective caps.
● The bending radius of an optical fiber must be greater than 50 mm (1.97 in.).
● Do not look closely at or into the optical connector.
Figure 2-7 shows how to connect optical fibers.
NOTE
Procedure
● If the customer's network is an Ethernet, connect switches to the customer's network
through network cables.
Scenario: Connect the switches to different switches or routers in the customer's network, and the switches or routers in the customer's network are not in the same VLAN
1. Connect LAN03, LAN05, and LAN07 on LSW-0 and LAN04 on LSW-1, as shown in Figure 2-10 or Figure 2-11.
NOTICE
Do not perform this operation if the switches or routers in the customer's network are in the same VLAN. Otherwise, a network loop will occur.
2. Route network cables from LAN02 in VLAN2, LAN04 in VLAN3, and LAN06 in VLAN4 of LSW-0 and LSW-1 to the customer's network, as shown in Figure 2-10 or Figure 2-11.
The following figures use the addition of three service network planes as an example.
Figure 2-8 Connection between the front panel of switch S5352C-EI and the customer's
network (connecting to the same VLAN of the customer's network)
Figure 2-9 Connection between the front panel of switch S5310-52C-EI and the
customer's network (connecting to the same VLAN of the customer's network)
Figure 2-10 Connection between the front panel of switch S5352C-EI and the customer's
network (connecting to different VLANs of the customer's network)
Figure 2-11 Connection between the front panel of switch S5310-52C-EI and the
customer's network (connecting to different VLANs of the customer's network)
● Connect the switches to the same VLAN of the same switch in the customer's network
● Connect the switches to different switches or routers in the customer's network, and the
switches or routers in the customer's network are in the same VLAN
For either scenario above: Route optical fibers from Ethernet optical ports on LSW-0 and
LSW-1 to the desired network plane, as shown in Figure 2-12 or Figure 2-13.
Connect the switches to different switches or routers in the customer's network, and the
switches or routers in the customer's network are not in the same VLAN:
  1. Connect Ethernet optical ports XLAN04 on LSW-0 and LSW-1 using an optical fiber, as shown
     in Figure 2-14 or Figure 2-15.
     NOTICE
     Do not perform this operation if the switches or routers in the customer's network are in
     the same VLAN. Otherwise, a network loop will occur.
  2. Route optical fibers from Ethernet optical ports on LSW-0 and LSW-1 to the desired network
     plane, as shown in Figure 2-14 or Figure 2-15.
The following figures use the addition of a service network plane as an example.
NOTICE
Due to a limited number of Ethernet optical ports, a maximum of two service network
planes are supported when you use Ethernet optical ports to connect to the customer's
network.
Figure 2-12 Connection between the front panel of switch S5352C-EI and the customer's
network using the optical fiber (connecting to the same VLAN of the customer's
network)
Figure 2-13 Connection between the rear panel of switch S5310-52C-EI and the
customer's network using the optical fiber (connecting to the same VLAN of the
customer's network)
Figure 2-14 Connection between the front panel of switch S5352C-EI and the customer's
network using the optical fiber (connecting to different VLANs of the customer's
network)
Figure 2-15 Connection between the switch S5310-52C-EI and the customer's network
using the optical fiber (connecting to different VLANs of the customer's network)
----End
Prerequisites
The U2000 server software has been installed.
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode. For
details, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to open the
/opt/oss/server/etc/3rdToolService/NetworkSystemClientNorthConf.xml configuration file:
~> vi /opt/oss/server/etc/3rdToolService/NetworkSystemClientNorthConf.xml
Step 3 Add the corresponding upper-layer network management application to the configuration file
by replacing the upper-layer network management application name in the following example
with the actual name:
<NetworkSystemClientNorthConf>
    <NetworkSystem name="TSP_10.1.1.41">
        <param name="IP">10.1.1.41</param>
        <param name="NorthClientName">NORTH01ServerName</param>
    </NetworkSystem>
</NetworkSystemClientNorthConf>
NOTE
● The value of NetworkSystem name must contain the IP address of the upper-layer network
management application.
● Set NorthClientName based on the network plane name in the
/opt/oss/server/etc/conf/sysconfigure.xml file.
Step 4 Press Esc to switch to the command mode, and then run the :wq command to save the file and
exit the vi editor.
----End
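A check that can be run on the edited file before it is put into service, as an added example that is not part of the Huawei guide. It enforces the NOTE's rule that each NetworkSystem name contains the configured IP address; the function names, the constructed broken entries, and the optional caller-supplied set of plane names (the layout of sysconfigure.xml is not shown here) are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# The entry from the guide's Step 3 example.
GUIDE_CONF = """<NetworkSystemClientNorthConf>
  <NetworkSystem name="TSP_10.1.1.41">
    <param name="IP">10.1.1.41</param>
    <param name="NorthClientName">NORTH01ServerName</param>
  </NetworkSystem>
</NetworkSystemClientNorthConf>"""

# Constructed entries with typical editing mistakes (not from the guide).
BROKEN_CONF = """<NetworkSystemClientNorthConf>
  <NetworkSystem name="TSP_10.1.1.42">
    <param name="IP">10.1.1.4</param>
    <param name="NorthClientName">NORTH02ServerName</param>
  </NetworkSystem>
  <NetworkSystem name="TSP_backup">
    <param name="IP">10.1.1.300</param>
  </NetworkSystem>
</NetworkSystemClientNorthConf>"""


def name_contains_ip(name, ip):
    """True if name contains ip as a whole address, not as a prefix of another one."""
    pattern = r"(?<![0-9.])" + re.escape(str(ip)) + r"(?![0-9.])"
    return re.search(pattern, name) is not None


def validate_north_conf(xml_text, plane_names=None):
    """Return (entry name, problem) tuples; an empty list means the file passed.

    plane_names is an optional set of network plane names the caller has read
    from sysconfigure.xml (assumption: that file is parsed elsewhere).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<file>", f"not well-formed XML: {exc}")]
    if root.tag != "NetworkSystemClientNorthConf":
        return [("<file>", f"unexpected root element <{root.tag}>")]

    problems = []
    for entry in root.findall("NetworkSystem"):
        name = entry.get("name", "")
        params = {p.get("name"): (p.text or "").strip() for p in entry.findall("param")}
        ip_text = params.get("IP", "")
        client = params.get("NorthClientName", "")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append((name, f"IP {ip_text!r} is not a valid address"))
        else:
            # Rule from the NOTE: the name must contain the application's IP address.
            if not name_contains_ip(name, ip):
                problems.append((name, f"name does not contain IP {ip}"))
        if not client:
            problems.append((name, "NorthClientName is missing or empty"))
        elif plane_names is not None and client not in plane_names:
            problems.append((name, f"NorthClientName {client!r} is not a known plane name"))
    return problems


if __name__ == "__main__":
    for conf in (GUIDE_CONF, BROKEN_CONF):
        for entry_name, problem in validate_north_conf(conf):
            print(f"{entry_name}: {problem}")
```

The boundary-aware match matters: a plain substring test would accept the name TSP_10.1.1.42 for the address 10.1.1.4.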
Prerequisites
● You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
● Plan public IP addresses and routes for the network interfaces of the desired service
network plane.
Context
1. Check whether the new IP address is in use.
On the PC whose IP address is on the same network segment as the new IP addresses,
open the cmd window and run the ping command to check whether the new IP addresses
are in use:
– If the IP addresses can be pinged, they are in use. When this occurs, use other IP
addresses.
– If the IP addresses cannot be pinged, they are available for use. Perform the
following steps.
2. Run the following commands to check whether security hardening has been performed
for internal ports of the U2000 server:
a. Use PuTTY to log in to the master, slave, and standby servers in SSH mode as user
ossuser.
b. Run the following command to switch to user root.
~> su - root
Password: Password of root
c. Run the following command to check the security hardening for internal ports of the
U2000 server:
# . /opt/oss/server/svc_profile.sh
# sec_adm -cmd queryIPTables
■ If the system displays the following information, security hardening has been
performed for internal ports of the U2000 server. Perform security
unhardening for the service port by referring to 8.8 Performing Security
Hardening/Unhardening for Internal Ports of the U2000 Server and
then perform 3.
The security hardening rules have been set for internal ports on the OSS server.
■ If the system displays the following information, security hardening has not
been performed for internal ports of the U2000 server. Then, proceed with 3.
The security hardening rules have not been set for internal ports on the OSS server.
3. Run the following commands to check whether security hardening has been performed
for the U2000 database ports:
a. Use PuTTY to log in to the master server in SSH mode as user ossuser.
b. Run the following command to switch to user root.
~> su - root
Password: Password of root
c. Run the following command to check the security hardening for the U2000
database ports:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/tools/DBIptables
# ./DBAccessControl.sh -q
■ If the system displays the following information, security hardening has been
performed for the U2000 database ports. Perform security unhardening for the
ports by referring to 8.9 Performing Security Hardening/Unhardening for
U2000 Database Ports and then perform 4.
DB ports have been hardened.
■ If the system displays the following information, security hardening has not
been performed for the U2000 database ports. Then, proceed with 4.
Check DB ports have not been hardened.
Change one public IP address for an interface of the desired service network plane:
  1. In the left pane of the OSMU, expand the Device Management navigation tree and select a rack number under the Device Panel node.
  2. On the rack tab page in the right pane, check the board status. If any board is in the Faulty state, contact Huawei technical support engineers.
     Before changing the public IP addresses of service boards, ensure that all service boards of the U2000 product are in the Active or Service Stopped state.
     ● If there are boards in the Normal state, stop the services of these boards by referring to 4.6 Stopping U2000 Services.
     ● If there are boards in the Switched Over state, switch resources for the boards based on their original active/standby relationship by referring to 5.5 Switching Resources Between U2000 Nodes Manually (Oracle) or 5.6 Switching Resources Between U2000 Nodes Manually (Sybase), and then stop the boards' services by referring to 4.6 Stopping U2000 Services.
  3. In the left pane of the OSMU window, expand the Device Management navigation tree and choose Hardware Device > Network Interface.
  4. On the Network Interface tab page, select the network interfaces for which you want to change public IP addresses, and click Modify. The Modify Network Interface dialog box is displayed.
     NOTE
     ● You are not allowed to change public IP addresses for network interfaces on the standby board.
     ● You can use the Filter function to quickly find the interfaces that need to be added.
       Select the corresponding port group from the Network Interface drop-down list. Select the interface usage from the Usage drop-down list. Click Filter.
  5. In the network interface list, change Public IP Address and Public Subnet Mask/Prefix Length for the network interfaces, and click OK. In the next displayed dialog box, click OK.
     NOTE
     You can change either the Public IP Address or the Public Subnet Mask/Prefix Length.
  6. In the Centralized Task Management window, check the operating status of the task for changing public IP addresses, and perform operations based on the execution result.
     ● If Status of the task is Succeeded, public IP addresses have been changed.

Change public IP addresses for network interfaces in batches:
  1. In the left pane of the OSMU, expand the Device Management navigation tree and select a rack number under the Device Panel node.
  2. On the rack tab page in the right pane, check the board status. If any board is in the Faulty state, contact Huawei technical support engineers.
     ● Before changing the public IP addresses of service boards, ensure that all service boards of the U2000 product are in the Active or Service Stopped state.
       – If there are boards in the Normal state, stop the services of these boards by referring to 4.6 Stopping U2000 Services.
       – If there are boards in the Switched Over state, switch resources for the boards based on their original active/standby relationship by referring to 5.5 Switching Resources Between U2000 Nodes Manually (Oracle) or 5.6 Switching Resources Between U2000 Nodes Manually (Sybase), and then stop the boards' services by referring to 4.6 Stopping U2000 Services.
       NOTE
       This restriction applies when you want to change the public IP address of a network interface of the service board whose Usage is Default. If you want to change the public IP address of the network interfaces used for other purposes, refer to U2000 ATAE Cluster System Administrator Guide to learn the restriction condition.
     ● If the public IP address of the network interface on the board can be changed when the board service is running, ensure that all service boards of the U2000 product are in the Active or Service Stopped state.
       If there are boards in the Switched Over state, switch resources for the boards based on their original active/standby relationship by referring to 5.5 Switching Resources Between U2000 Nodes Manually (Oracle) or 5.6 Switching Resources Between U2000 Nodes Manually (Sybase).
       NOTE
       This restriction applies when you want to change the public IP address of a network interface of the service board whose Usage is Default. If you want to change the public IP address of the network interfaces used for other purposes, refer to U2000 ATAE Cluster System Administrator Guide to learn the restriction condition.
  3. In the left pane of the OSMU window, expand the Device Management navigation tree and choose Hardware Device > Network Interface.
  4. On the Network Interface tab page, click Export.
  5. When the system displays the message Export succeeded, click OK to export the network interface information.
5. Start U2000 services. For details, see 4.5 Starting U2000 Services.
6. Set routes for network interfaces of the service network plane whose public IP addresses
have been changed. For detailed operations, see 2.2 Setting the Routes of the U2000
Server.
7. To check whether the IP address of the service network plane is changed successfully, do
as follows:
a. Log in to the U2000 master service board and all slave service boards as user
ossuser in SSH mode using PuTTY.
b. Run the following command to switch to user root.
~> su - root
Password: Password of root
If the displayed IP address and subnet mask are consistent with the actual ones, you
have changed the IP address successfully. Otherwise, contact Huawei technical
support.
Follow-up Procedure
● After the IP addresses and routes for the service network planes of the U2000 server are
changed, back up OS data, static data, and dynamic data. For detailed operations, see 21
Backing Up and Restoring the U2000. If you do not back up OS data, static data, and
dynamic data, the original data may be restored during subsequent restoration operations,
which makes the IP addresses recorded in the OS data, static data, and dynamic data
inconsistent. As a result, some U2000 functions become invalid.
● After the IP address of a U2000 service network plane where NEs are located is
modified, you need to reconfigure the mapping between the IP address of the service
network plane and the NEs managed by the U2000. For detailed operations, see 2.3.7
Configuring Network Segments of NEs for Southbound IP Addresses of the U2000
Server.
● If the Trace Server is co-deployed with the U2000 in the ATAE cluster system, after the
IP address of a U2000 service network plane where NEs are located is modified, you
need to reconfigure the mapping between Trace Server boards and the U2000 mediation
service. For detailed operations, see 2.3.8 Configuring the Mapping Between the
Trace Server Boards and the U2000 Mediation Service.
● If the Trace Server is independently deployed, after the IP address of a U2000 service
network plane where NEs are located is modified, you need to modify the IP address of
the Trace Server service network plane first. For detailed operations, see Changing the
IP Addresses of the Default Network Port on Trace Server (After the Service Software
Is Installed, Cluster, ATAE) in U2000 Trace Server User Guide (ATAE Cluster, Standalone).
Then reconfigure the mapping between Trace Server boards and the U2000 mediation service.
For detailed operations, see Configuring the Mapping Between the Trace Server
Boards and the U2000 Mediation Service in U2000 Trace Server User Guide (ATAE
Cluster, Standalone).
Prerequisites
You have logged in to the OSMU using a web browser on a PC. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
Procedure
Step 1 Perform operations by scenario.
Option: Deleting one network interface for the service network plane of the U2000 server.
Description:
  1. In the left pane in the OSMU window, choose Device Management > Hardware Device > Network Interface.
  2. On the Network Interface tab page, set Cluster name, SN, Network interface, and Usage as required, and click Filter.
     In the network interface list on this tab page, you can query whether the network interface of the desired service network plane has been set for the U2000 server. If the network interface of the desired service network plane for the U2000 server is not filtered out, no further action is required. Otherwise, perform Step 1.3.
  3. In the network interface list, select the network interface of the U2000 server and click Delete.
  4. In the displayed confirmation dialog box, click Yes. Then, another dialog box is displayed. Click OK.
  5. In the Centralized Task Management window, view the running status of the task for deleting the network interface and perform operations according to the task status.
     – If Status of the task is Succeeded, the network interface is deleted successfully.
       NOTICE
       After a network interface is successfully deleted, its route is deleted automatically.
     – If Status of the task is Failed, rectify the fault based on the information in Remarks. Perform the preceding procedures again. If Status of the task is still Failed, contact Huawei technical support engineers.

Option: Deleting network interfaces for the service network plane of the U2000 server in batches.
Description:
  NOTICE
  ● Network interfaces whose Usage is Default cannot be deleted.
  ● After a network interface is successfully deleted, its route is deleted automatically.
  1. In the left pane of the OSMU window, expand the Device Management navigation tree and choose Hardware Device > Network Interface.
  2. On the Network Interface tab page, click Export.
  3. When the system displays the message Export succeeded, click OK to export the network interface information.
     The exported network interface information is stored in the Port_Export_YYYYMMDDhhmmss.zip file that is displayed on the Network Interface tab page as a hyperlink. YYYY indicates year. MM indicates month. DD indicates date. hh indicates hour. mm indicates minute. ss indicates second.
  4. Click the Port_Export_YYYYMMDDhhmmss.zip hyperlink. In the displayed dialog box, click Save to save the file to a directory on the PC.
  5. Decompress Port_Export_YYYYMMDDhhmmss.zip to obtain the network interface information file Port_Export.xls.
  6. On the Network Interface sheet of the network interface information file Port_Export.xls, set Status of the network interface to be deleted to Unuse and save the setting.
  7. Click Import.
  8. In the displayed dialog box, select the network interface information file Port_Export.xls in the xls, xlsx, or xlsm format, and click Open to import the file.
     To avoid import failures, do not perform any operations when importing the network interface information file. When the system displays Import succeeded. the file has been imported successfully.
  9. In the Centralized Task Management window, check the operating status of the task for deleting network interfaces, and perform operations based on the execution result.
     – If Status of the task is Succeeded, network interfaces have been deleted.
     – If Status of the task is Failed, rectify the fault based on the information in Remarks. Perform the preceding steps. If Status is still Failed, contact Huawei technical support.
----End
Follow-up Procedure
● After the Network Interface for the Service Network Plane of the U2000 Server where
NEs are located is deleted, you need to reconfigure the mapping between the IP address
of the service network plane and the NEs managed by the U2000. For detailed
This section describes how to set the server time for the U2000 cluster system to ensure that
the settings meet time requirements.
This section describes how to start and stop NTP monitoring services on the server. For an
ATAE cluster online remote HA system, you need to perform the following steps on the active
site.
3.9 Viewing the Time and Time Zone of the U2000 Server
This section describes how to check the time settings of the U2000 server. Before configuring
the Network Time Protocol (NTP) service, ensure that the time zone, date, and time are set
correctly on the U2000 server.
3.10 Changing the Time and Time Zone of the U2000 Server
This section describes how to change the time and time zone of the advanced telecom
application environment (ATAE) cluster system by using the OSMU. When the time and time
zone of the ATAE cluster are changed, the date, time, and time zone of all boards in the ATAE
cluster system are changed at the same time. This configuration takes effect on all boards. If
this configuration has already been performed on the other product such as PRS or Nastar in
the ATAE cluster system, you do not need to perform this configuration again on the U2000.
3.11 Viewing the DST Rule for the U2000
This section describes how to view the daylight saving time (DST) rule of the U2000 system.
For an ATAE cluster online remote HA system, you need to perform the following steps on
the active site and the standby site.
3.12 Setting the DST Rule for the U2000
This section describes how to set the daylight saving time (DST) rule for the U2000 system.
DST is associated with the time zone. To set the DST, you only need to set the correct time
zone. For an ATAE cluster online remote HA system, you need to perform the following steps
on the active site and the standby site.
3.13 Setting the NTP Service of the U2000 System (Security Authentication Mode)
This section describes how to manually set time synchronization between the OSMU server
and the NTP server so as to ensure that the NTP service on the OSMU server is running
properly. The NTP security authentication implements security authentication between the
NTP client and server. That is, the time that the NTP client synchronizes from the NTP server
in security authentication mode is the trusted time.
Therefore, if you use the NTP protocol to construct a time synchronization network, the
number of NTP nodes under an NTP server should not exceed 500. If the number exceeds
500, the performance of the NTP server may be affected. The interval for sending the time
synchronization request by an NTP client should be 30 minutes or longer. In addition, you
need to reduce the probability of concurrent requests.
Impact on OM
The time synchronization feature is vital for the OM of the mobile network. It has the
following impacts on the other features:
● Ensures the accuracy and consistency of the time on the U2000 and NEs in a mobile
network. Time synchronization plays a key role in timely fault reporting, information
accuracy, and fault correlation analysis in fault management. If the NE time is inaccurate
or inconsistent with the U2000 time, a mistake may be made during the fault
identification and handling.
● Has a significant impact on the accuracy of log record, query, display, audit, and
analysis. If the NE time is inaccurate or the time of NEs in the entire network is not the
same, the log record is incorrect and the log audit is also affected.
● Has a significant impact on recording, collecting, and analyzing performance data in
performance management. If the NE time is inaccurate or the time of NEs in the entire
network is not the same, the time of NE performance data records and the dot time may
be inaccurate, and therefore may result in invalid performance data.
● Has a significant impact on services such as call tracing and problem locating. If the NE
time is inaccurate or the time of NEs in the entire network is not the same, the call
tracing service may fail.
NOTE
The upper-level time servers of the U2000 server must use the NTP protocol. A server running
the Windows operating system uses the SNTP protocol, and therefore it cannot function as the
upper-level time server of the U2000 server and the administration console.
Figure 3-1 Schematic diagram of time synchronization for the RAN device
The active BAM of the RAN device serves as the NTP client to synchronize the time on
each NE node and each module of the RAN device, as shown in Figure 3-1. After the
active BAM of the RAN device obtains the reference time from the specified NTP
server, the BAM delivers the time to each module of the RAN device and all NodeBs to
realize time synchronization.
● The RNC BAM synchronizes the time with the upper-level NTP server.
The RNC has two BAM servers: an active BAM server and a standby BAM server. In
the BAM program of the RNC, an NTP client process automatically starts following the
BAM program and always runs on the active BAM server.
By running MML commands, you can specify the upper-level NTP server as the active
BAM server of the RNC. Then, the NTP client process running on the active BAM
automatically obtains the time synchronization information from the specified NTP
server.
Up to 16 NTP server addresses can be specified for the active BAM. The active BAM of
the RNC can synchronize time with the preferred time source. If an NTP time source
does not work properly, the active BAM can use a new NTP time source to ensure the
continuity of the NTP service.
When the BAM of the RNC experiences active and standby switching, the NTP client
process is automatically switched to the new active BAM to ensure the continuity of the
NTP service.
Figure 3-2 Directly connecting the RAN and the NTP server
The U2000 server and all the RNCs must directly communicate with the specified time
synchronization server. The NTP server that can serve as the reference time may be
deployed in other subnets. Therefore, the communication between the U2000 and the
RNC may involve the policy of traversing the firewall. In such a case, you need to
modify the configuration of the firewall.
● Deploying the intermediate NTP server
According to the principle of layered NTP, when constructing a RAN network, you can
deploy a dedicated intermediate NTP server in the RAN-OM network to serve as the
time reference for the internal RAN devices. The intermediate NTP server obtains the
reference time from the upper-level server, synchronizes its own time, and serves as the
NTP server of the RAN network. In such a case, the intermediate NTP server can receive
the request on time synchronization from the internal NE devices in the RAN, such as
the RNC and the U2000, and provides standard time, as shown in Figure 3-3.
Figure 3-3 Networking of the RAN and the intermediate NTP server
Deploying the intermediate NTP server can effectively simplify the structure of the time
synchronization network. It can also prevent too many NEs from directly connecting the
highest level NTP server, therefore reducing the risks to the highest level NTP server. In
addition, if a firewall exists between the highest level NTP server and the RAN network,
you do not need to configure the firewall.
You can use the dedicated BITS SYNCLOCK v5 as the NTP intermediate server of the
RAN network. Complying with the NTP v3 protocols, this device can provide two
channels of NTP service units and lock multiple upper-level NTP servers to realize NTP
priority. It also provides two channels of NTP service output that are mutually backed
up.
NOTE
The U2000 server uses the Linux operating system, on which you can configure the U2000 server
as the intermediate NTP server. Because the time synchronization server for the RAN
network plays a special role and requires an independent and stable operating environment, we
recommend that the U2000 server should not act as the intermediate NTP server for the RAN
network.
In the ATAE cluster system, the OSMU can synchronize time with the upper-level NTP server.
The U2000 servers synchronize time with the OSMU. Therefore, the time of all servers in the
cluster system is consistent with each other.
● Obtaining reference time from the GPS
If there is no upper-level time synchronization server that can provide the reference time,
you should deploy the highest-level NTP server, that is, the NTP server providing the
reference time in the RAN-OM network to ensure the time synchronization. The highest
level NTP server obtains the reference time from the GPS or other satellite systems and
synchronizes time on all the RAN NEs and the U2000. Figure 3-4 shows the networking
of the RAN to the highest-level NTP server.
Figure 3-4 Directly connecting the RAN and the highest-level NTP server
You can use the dedicated BITS SYNCLOCK V5 as the highest-level NTP server in the
RAN network. Complying with the NTP V3 protocols, this device can provide two
channels of the satellite access system and two channels of the NTP service units. It also
provides two channels of NTP service output that are mutually backed up.
NOTE
To improve the reliability of the NTP service, use the following methods:
● Choose two or more NTP servers that serve as the upper-level NTP server to provide time
reference. When deploying the upper-level NTP server for NEs and the U2000, ensure that more
than two channels of the NTP service are available.
● If the stratum 1 NTP server is deployed, it obtains reference time directly from the GPS satellite.
In such a case, the stratum 1 NTP server should provide two channels of satellite interfaces.
Device A and device B communicate through the network. Both devices have their own
system time. To implement the automatic synchronization of system clocks, ensure that:
● Before you synchronize the system time of device A and device B, the time on device A
is set to 10:00:00 and the time on device B is set to 11:00:00.
● Device B is configured as the NTP server. That is, you need to synchronize the time on
device A with that on device B.
● The unidirectional transmission of a data packet between device A and device B takes
one second.
To synchronize the time between device A and device B, ensure that the following
information is available:
● Offset, which is the time difference between device A and device B
● Delay, which is the loss during the time synchronization between device A and device B
If the previous information is available, device A can easily calculate the time to be adjusted
to synchronize with device B. The NTP protocol stipulates the method for calculating the
values of the offset and delay between device A and device B.
After that, device A can calculate the two parameters using the following method:
● Delay of an NTP message delivering circle: Delay = (T4 - T1) - (T3 - T2).
● Offset between device A and device B: Offset = [(T2 - T1) + (T3 - T4)]/2.
Then, device A can set the time according to the preceding information so that device A is
synchronized with device B.
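The calculation above carried through with concrete timestamps, as an added example that is not part of the guide. T1 to T4 take their standard NTP meaning (request sent by A, request received by B, reply sent by B, reply received by A), and the 1-second processing time on device B is an assumption. The validity checks run before the arithmetic go beyond the text, and all function names are illustrative.

```python
import struct

NTP_EPOCH_DELTA = 2208988800             # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, no extension fields


def to_ntp(seconds):
    """Seconds since the Unix epoch -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(seconds)
    return ((whole + NTP_EPOCH_DELTA) << 32) | int((seconds - whole) * 2**32)


def from_ntp(timestamp):
    """64-bit NTP timestamp -> seconds since the Unix epoch."""
    return timestamp / 2**32 - NTP_EPOCH_DELTA


def build_reply(origin, receive, transmit, stratum=2, leap=0):
    """Constructed server reply (version 3, mode 4) for this example; not captured traffic."""
    first = (leap << 6) | (3 << 3) | 4
    return HEADER.pack(first, stratum, 6, -20, 0, 0, b"\0" * 4, 0,
                       to_ntp(origin), to_ntp(receive), to_ntp(transmit))


def evaluate_reply(packet, t1, t4):
    """Return (offset, delay) in seconds, or raise ValueError for a reply to discard.

    t1: clock of device A when the request left
    t4: clock of device A when the reply arrived
    """
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    first, stratum, _, _, _, _, _, _, org, rec, xmt = HEADER.unpack(packet[:HEADER.size])
    leap, mode = first >> 6, first & 0x07
    if mode != 4:
        raise ValueError("not a server reply")
    # In the packet header, leap indicator 3 and a stratum outside 1..15 mean
    # that the server itself has no usable time.
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server clock is not synchronized")
    # The reply must echo the transmit time of our request; a mismatch means
    # the reply is stale, duplicated, or not an answer to this request.
    if org != to_ntp(t1):
        raise ValueError("originate timestamp does not match the request")
    t2, t3 = from_ntp(rec), from_ntp(xmt)
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def is_discarded(packet, t1, t4):
    """True if evaluate_reply refuses the packet."""
    try:
        evaluate_reply(packet, t1, t4)
    except ValueError:
        return True
    return False


def seconds_of_day(hh, mm, ss):
    return hh * 3600 + mm * 60 + ss


def worked_example():
    """Device A at 10:00:00, device B at 11:00:00, one second each way."""
    t1 = seconds_of_day(10, 0, 0)   # A sends the request
    t2 = seconds_of_day(11, 0, 1)   # B receives it one second later, on B's clock
    t3 = seconds_of_day(11, 0, 2)   # B replies after 1 s of processing (assumption)
    t4 = seconds_of_day(10, 0, 3)   # A receives the reply one second later, on A's clock
    return evaluate_reply(build_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    offset, delay = worked_example()
    print(f"offset = {offset} s, delay = {delay} s")
```

Device A therefore has to advance its clock by the offset of one hour, and the 2-second delay is the round trip without the time spent on device B.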
Theoretically, the time synchronization network can be classified into 16 levels from 0 to 15,
or more than 16 levels on the basis of accuracy and importance. In practice, the number of
levels does not exceed six.
The device at level 0 is located at the special position of the subnetwork. It provides the
reference clock for time synchronization. On the top of the subnet, the device at level 0 uses
UTC time codes broadcast by the global positioning system (GPS).
The devices in the subnet can play multiple roles. For example, a device at level 2 may be a
client of level 1 and a server for level 3.
As shown in Figure 3-6, the following servers are configured in the NTP layered architecture:
● Top level NTP server: level 0 NTP server, which provides the synchronization service
for lower level servers (Stratum-1).
● Intermediate NTP server: level 1 and level 2 servers, which acquire time from the upper
level server and provide the time for the lower level servers.
● NTP client: acquires time from the upper level NTP server but does not provide time
service.
A host can acquire time from multiple NTP servers. An NTP server can also provide time for
multiple hosts. Hosts on the same level can exchange time. The NTP protocol supports a
maximum of 15 levels of clients.
NOTE
Port 123 is used by NTP during communication through the User Datagram Protocol (UDP). Ensure that
all the IP links between the nodes are functional.
● Handling errors
● Filtering of multiple servers
● Choosing among multiple clock sources, that is, acquiring the most accurate clock source
after using an algorithm to analyze multiple connected NTP servers.
Table 3-1 Policies for configuring the NTP service on the U2000 server
Policy: Policy 2: The U2000 board is configured as the intermediate NTP server and NEs are configured as NTP clients to synchronize time with the U2000 board.
Reliability: Operations are performed frequently on the U2000 board because of maintenance, upgrade, and backup. Therefore, the reliability is relatively low when the U2000 board is used as the intermediate NTP server. When the U2000 board is configured as the intermediate NTP server, the NE time and the top-level NTP server time might be different because the U2000 board time has an offset.
Security: A key for time synchronization can be configured on the NE and the U2000 board to achieve encrypted authentication and security.
System Resource Usage: The U2000 board synchronizes time with the upper-level server and provides the time synchronization service to the lower-level NE. This policy's system resource usage is higher than that of Policy 1.
Cost: No extra NTP server is required because the U2000 board is configured as the intermediate NTP server. This saves the server cost.
Prerequisites
● You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
● You have obtained the IP address of the NTP server for the OSMU.
● The OSMU is communicating properly with the NTP server.
Procedure
Step 1 Expand the Routine Maintenance navigation tree in the left pane on the OSMU and choose
Time Management > Upper-Level NTP Server Info.
Step 2 On the Upper-Level NTP Server Info tab page, check that the NTP server has been added
successfully.
Table 3-2 describes the connection status between the OSMU and the NTP server.
Table 3-2 Connection status between the OSMU server and the NTP server
State: Connection failed
Description: The OSMU is not communicating properly with the NTP server.
Solutions:
1. Check whether the physical connection between the OSMU and the NTP server is correct and whether the OSMU is communicating properly with the NTP server.
2. Check whether a route is correctly set between the OSMU and the NTP server. If the route has not been set or the setting is incorrect, re-set the route by following instructions provided in 2.2 Setting the Routes of the U2000 Server, and then check the status of the synchronization between the OSMU and the NTP server.
State: Synchronization failed
Description: An error occurs when the OSMU synchronizes time with the NTP server. The probable causes are as follows:
l Cause 1: The NTP service of the OSMU server has not started.
l Cause 2: The NTP service of the OSMU server has not started or the NTP service is not provided for the OSMU.
Solutions:
1. Use PuTTY to log in to the OSMU board in SSH mode as user osmuuser. For detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
3. Run the following command to check whether the NTP service is running:
# ps -ef|grep ntp|grep -v grep
– If the system displays no command output, the NTP service of the OSMU server has not started. If this occurs, run the following command to start the NTP service of the OSMU server:
# service ntp start
– If the displayed command output contains ntpd, the NTP service of the OSMU server has started. In this case, check the NTP service status of the NTP server to ensure that the NTP service has started and the NTP service has been provided to the OSMU.
----End
Prerequisites
l You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
l You have obtained the IP address of the NTP server for the OSMU.
l The OSMU is communicating properly with the NTP server.
Procedure
l Expand the Routine Maintenance navigation tree in the left pane on the OSMU and
choose Time Management > Upper-Level NTP Server Info.
For details about how to modify the NTP server of the OSMU server, see OSS
Management > Time Management > Modifying NTP Servers for the OSMU Server
in the OSMU Online Help. Press F1 to view the OSMU Online Help in the OSMU.
----End
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
Step 3 Check whether the NTP software package is installed on the server (by default, the NTP
software package is installed):
l On SUSE10 OS, run the following command.
# rpm -qa|grep xntp
xntp-4.2.4p3-48.14.16
If the system output is similar to the previous information, the NTP software package is
installed. Proceed with Step 4. Otherwise, the NTP software package is not installed and you
can skip subsequent steps and contact Huawei technical support.
Step 4 View the NTP software version:
l On SUSE10 OS, run the following command.
# rpm -qi xntp | grep Version
Version : 4.2.4p3 Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
In the system output, the value of Version indicates the NTP software version.
----End
Procedure
l Starting NTP monitoring
a. Log in to the U2000 active service board, standby service board, and all slave
service boards as user root through the KVM. For detailed operations, see 26.1.2
Logging In to the board by Using the KVM of the OSMU.
You need to perform the following steps on each server.
b. Run the following commands to run the NTP monitoring configuration script:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/bin
# ./deployHDMonitor.sh
c. Choose NTP Service Monitor.
d. When the system displays the following information, enter true.
Please set the flag to start NTP Monitor [default:false]:
When the system displays the following information, the NTP monitoring is started
successfully.
configure the flag to start NTP service monitor in /opt/oss/server/common/resourcemonitor/conf/user.xml
# kill -9 13382
NOTE
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/bin
# ./deployHDMonitor.sh
c. Choose NTP Service Monitor.
d. When the system displays the following information, enter false.
Please set the flag to start NTP Monitor [default:false]:
When the system displays the following information, it indicates that the NTP
monitoring configuration script is running and NTP monitoring is stopped.
configure the flag to start NTP service monitor in /opt/oss/server/common/resourcemonitor/conf/user.xml
# kill -9 13382
NOTE
# . /opt/oss/server/svc_profile.sh
----End
3.9 Viewing the Time and Time Zone of the U2000 Server
This section describes how to check the time settings of the U2000 server. Before configuring
the Network Time Protocol (NTP) service, ensure that the time zone, date, and time are set
correctly on the U2000 server.
Prerequisites
l The personal computer (PC) communicates with the OSMU server properly.
l You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Routine Maintenance > Time Management >
Time and Time Zone.
Step 2 In the Time and Time Zone area on the right, check whether the time zone, date, and time of
the cluster system meet requirements.
The time zone and date of the cluster system must be consistent with those of the NTP time
source. The difference between the time of the cluster system and that of the NTP time
source cannot exceed 60 seconds. Otherwise, modify the time of the cluster system by
following instructions provided in 3.10 Changing the Time and Time Zone of the U2000
Server.
----End
Prerequisites
l You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
l You have obtained the local time zone and time of a site.
NOTE
You can visit http://www.timeanddate.com to query the local time zone and time of a site.
l No task is running on the OSMU.
Procedure
Step 1 Perform operations by scenario.
Scenario: ATAE cluster online remote HA system
Operation: Change the time and time zone at the active site. Perform Step 2 through Step 12 at the active site.
Step 2 In the left pane of the OSMU, expand the Routine Maintenance navigation tree, and choose
Time Management > Time and Time Zone.
Step 3 On the Time and Time Zone tab page in the right pane, click Refresh to check whether the
current settings are consistent with the local time and time zone settings.
If the current settings are consistent with the time and time zone of the site, then skip this section.
If the current settings are inconsistent with the time and time zone of the site, then perform Step 4 through Step 12.
Step 4 In the left pane of the OSMU, expand the Device Management navigation tree and select a
rack number under the Device Panel node.
Step 5 On the rack tab page in the right pane, verify that the OSMU board is in the Normal state and
that the status of each OGPU board matches the description below.
If there is any board in the Faulty state, contact Huawei technical support.
NOTICE
If the status of a board does not match the description below, the time zone and time of
the U2000 server will fail to be changed.
l For the Oracle database, the board status must be as follows:
– Status of service board must be Service Stopped or Switched Over.
– Status of standby service board must be Standby or Service Stopped.
If... Then...
If you need to modify the time zone only:
1. In the displayed Change Time and Time Zone dialog box, select Change Time Zone. Then, set the time zone based on the local time zone of the site, and click OK.
2. In the displayed dialog box, click OK.
3. On the Time and Time Zone tab page, click Refresh. Then, check that the new time zone is consistent with the local time zone of the site.
If you need to modify the time only:
1. In the displayed Change Time and Time Zone dialog box, select Change Time. Then, set the time based on the local time of the site, and click OK.
NOTICE
Ensure that the changed time is the same as the local standard time. If you change the time to a value beyond the security certificate's validity period (from September 1, 2014 to August 29, 2024), all the OGPU boards will malfunction. To solve the problem, see 26.1.10 Changing All the Board's Time Manually.
2. In the displayed dialog box, click Yes.
After the preceding operations are performed, the OSMU service automatically restarts. The restart of the OSMU service takes about 1 minute. You can log in to the OSMU only after the OSMU service is restarted.
3. Log in to OSMU by using the browser on the PC. For detailed operations, see 26.2.5 Logging In to the OSMU by Using a Web Browser.
4. In the left pane of the OSMU, expand the Routine Maintenance navigation tree, and choose Time Management > Time and Time Zone.
5. On the Time and Time Zone tab page, click Refresh. Then, check that the new time is consistent with the local time of the site.
If you need to modify the time zone and time:
1. In the displayed Change Time and Time Zone dialog box, select Change Time Zone and Change Time. Then, set the time zone and time based on the local time zone and time of the site, and click OK.
NOTICE
Ensure that the changed time is the same as the local standard time. If you change the time to a value beyond the security certificate's validity period (from September 1, 2014 to August 29, 2024), all the OGPU boards will malfunction. To solve the problem, see 26.1.10 Changing All the Board's Time Manually.
2. In the displayed dialog box, click Yes.
After the preceding operations are performed, the OSMU service automatically restarts. The restart of the OSMU service takes about 1 minute. You can log in to the OSMU only after the OSMU service is restarted.
3. Log in to OSMU by using the browser on the PC. For detailed operations, see 26.2.5 Logging In to the OSMU by Using a Web Browser.
4. In the left pane of the OSMU, expand the Routine Maintenance navigation tree, and choose Time Management > Time and Time Zone.
5. On the Time and Time Zone tab page, click Refresh. Then, check that the new time zone and time are consistent with the local time zone and time of the site.
Step 11 If you have deleted NTP servers in Step 7, you need to reset the NTP servers after changing
the time and time zone. For detailed operations, see 3.6 Modifying NTP Servers of the
OSMU Server.
Step 12 If the board services are stopped in Step 5, start the board services. For details, see 4.3
Starting the Database Service and 4.5 Starting U2000 Services. Otherwise, skip this step.
----End
Procedure
Step 1 Log in to the OSMU through a web browser. For details, see 26.2.5 Logging In to the
OSMU by Using a Web Browser.
Step 2 Choose Routine Maintenance > Time Management > Time and Time Zone from the
navigation tree in the left pane.
The DST information is displayed below the DST Info area.
----End
Context
The DST is one hour earlier than the standard time. For example, during the DST, 10:00 am in
US east standard time is 11:00 am in US east DST.
NOTE
l The local time is the time displayed on the computer. It varies according to the time zone.
l The system clock indicates the GMT. The NTP synchronization uses the GMT, which does not
affect the local time. The DST does not affect the NTP service.
Procedure
Step 1 Set the time zone of the U2000 system by following instructions provided in 3.10 Changing
the Time and Time Zone of the U2000 Server. The DST rule is then automatically set.
----End
Prerequisites
l The time zone, date, and time of the OSMU server are set correctly.
l You have configured the upper-level NTP server in security authentication mode.
l You have obtained the identifier, key type, and key data of the upper-level NTP server.
l When a firewall exists between the OSMU server and an NTP server, the port UDP/TCP
123 on the firewall has been enabled.
Procedure
Step 1 Use PuTTY to log in to the OSMU board in SSH mode as osmuuser. For detailed operations,
see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
Define the identifier, key type, and authentication code for the OSMU server to synchronize
time with the upper-level NTP server. Write only one data item in each line in the following
format.
<identifier> <key type> <key data>
NOTE
After editing the file, press Esc, and then run the :wq! command to save the file and exit the
vi editor.
Step 4 Run the following commands to open the /etc/ntp.conf file:
# TERM=vt100; export TERM
# vi /etc/ntp.conf
Step 5 Add a line in the following format to specify the IP address and identifier of the
upper-level NTP server:
server <IP address of the upper-level NTP server> key <identifier> prefer
NOTE
prefer indicates that the system preferentially synchronizes time with the NTP server using this IP
address.
If multiple upper-level NTP servers exist, add multiple lines. Ensure that each line maps to one NTP
server. For example,
server <IP address of upper-level NTP server 1> key <identifier 1> prefer
server <IP address of upper-level NTP server 2> key <identifier 2>
Step 6 Set the level of the OSMU server in the ntp.conf file to 10.
fudge 127.127.1.0 stratum 10
Step 7 Write the key file path and key identifiers to /etc/ntp.conf and delete the comment mark # in
front of the following line.
#keys /etc/ntp/keys
#trustedkey 1 2 3 4 5 6 14 15
#requestkey 1 2 3 4 5 6 14 15
Step 8 Add the identifiers used by the upper-level NTP server for time synchronization after
trustedkey and requestkey. Write the identifiers in a line and separate them with a space.
For example, if the key file path is /etc/ntp/keys and the key identifiers of the upper-level
NTP server are 100 and 101, add the identifiers in the following format:
keys /etc/ntp/keys # path for keys file
trustedkey 100 101 # define trusted keys
requestkey 100 101 # define request keys
----End
Example
For example, set the OSMU server to synchronize time with the upper-level NTP servers
whose IP addresses are 10.161.94.212 and 10.161.94.214. The NTP time server uses the MD5
algorithm, the identifiers are 100 and 101, and the corresponding key data is k0ssL09a and
l2082skt.
The contents in the created /etc/ntp/keys are as follows:
100 M k0ssL09a
101 M l2082skt
The contents in the /etc/ntp.conf before the modification are as follows:
fudge 127.127.1.0 stratum X
#keys /etc/ntp/keys
#trustedkey 1 2 3 4 5 6 14 15
#requestkey 1 2 3 4 5 6 14 15
Prerequisites
l The U2000 server time zone is correct.
l You have configured the upper-level NTP server in security authentication mode.
l Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Context
l The OSMU server functions as the NTP server. The OSMU server synchronizes time
with an external clock source, and the U2000 server automatically synchronizes time
with the OSMU server.
l When a U2000 server is configured as an intermediate NTP server, the U2000 server
synchronizes time from the upper-layer clock source before providing the NTP service
for NEs. If the U2000 server fails to synchronize time from the upper-layer time source,
the U2000 server provides the NTP service for NEs using the U2000 server time. The
U2000 server time has an offset. If the U2000 server cannot synchronize the time from
the upper-layer clock source for a long time, the offset may be large, which may cause
network faults.
l When the U2000 manages billing system NEs such as the iGWB and CG, you must set
the U2000 server and NEs as NTP clients. If you set the U2000 as an intermediate NTP
server, the U2000 server time has an offset, which may lead to severe faults on the
network.
l When you set the U2000 as the intermediate NTP server, the specifications are as
follows:
– The number of NEs of concurrent NTP time synchronization is 500. Specifically,
the intermediate NTP server can provide time synchronization for 500 NEs
concurrently. When the number of NEs requiring time synchronization is greater
than 500, synchronize the NE time at an interval of 30s in batches.
– The maximum number of NEs of which the time can be synchronized using the
intermediate NTP server is consistent with the U2000 management capability.
l All U2000 service boards must be configured.
Table 3-3 describes the policies for configuring the NTP service in the U2000 system and the
advantages and disadvantages of the policies.
Table 3-3 Policies for configuring the NTP service on the U2000 server
Policy: Policy 2: The U2000 board is configured as the intermediate NTP server and NEs are configured as NTP clients to synchronize time with the U2000 board.
Reliability: Operations are performed frequently on the U2000 board because of maintenance, upgrade, and backup. Therefore, the reliability is relatively low when the U2000 board is used as the intermediate NTP server. When the U2000 board is configured as the intermediate NTP server, the NE time and the top-level NTP server time might be different because the U2000 board time has an offset.
Security: A key for time synchronization can be configured on the NE and U2000 board to achieve encrypted authentication and security.
System Resource Usage: The U2000 board synchronizes time with the upper-level server and provides the time synchronization service to the lower-level NE. This policy's system resource usage is higher than that of Policy 1.
Cost: No extra NTP server is required because the U2000 board is configured as the intermediate NTP server. This saves the server cost.
Procedure
Step 1 Run the following command to switch to user root.
~> su - root
Password: Password of root
Step 2 Run the following command to check the time zone of the server:
# grep TIMEZONE /etc/sysconfig/clock
If the server time zone is incorrect, correct it by referring to 3.10 Changing the Time and
Time Zone of the U2000 Server.
Step 3 If the U2000 services are running, stop them.
1. Check the status of the U2000 services.
For details, see 4.1 Checking the U2000 Service Status.
2. Stop U2000 services
# vi /etc/ntp/keys
Define the identifier, key type, and authentication code for an NE to synchronize time with
the U2000 board. Write only one data item in each line in the following format.
<identifier> <key type> <key data>
NOTE
After editing the file, press Esc, and then run the :wq! command to save the file and exit the
vi editor.
Step 6 Run the following commands to back up the ntp.conf configuration file:
# service ntp stop
If the following information is displayed, ignore it and continue to run the following
commands:
Shutting down network time protocol daemon (NTPD) done
umount: /var/lib/ntp/proc: not mounted
# cd /etc
# cp -p ntp.conf bak.ntp.conf
Step 7 Perform the following steps to set parameters related to the NTP service and write the key file
path and key identifier:
1. Run the following commands to open /etc/ntp.conf:
# TERM=vt100; export TERM
# vi /etc/ntp.conf
2. Add server 127.127.1.0 and fudge 127.127.1.0 stratum 10 to the file end.
3. Check whether the key file path is keys /etc/ntp/keys.
– If the key file path is keys /etc/ntp/keys, it is normal.
– If a comment tag exists before the key file path, delete the comment tag.
– If the key file path is not keys /etc/ntp/keys, change it to keys /etc/ntp/keys.
– If the key path does not exist, add it to the file end.
4. Check whether the key identifier in /etc/ntp/keys exists after trustedkey.
– If trustedkey exists and no comment tag exists before trustedkey, add the key
identifier defined in Step 5 after trustedkey.
– If only a comment tag exists before trustedkey, delete the comment tag and add the
key identifier of /etc/ntp/keys after trustedkey.
– If trustedkey does not exist, add trustedkey and add the key identifier of /etc/ntp/keys
after trustedkey.
5. Check whether the key identifier in /etc/ntp/keys exists after requestkey.
– If requestkey exists and no comment tag exists before requestkey, add the key
identifier defined in Step 5 after requestkey.
– If only a comment tag exists before requestkey, delete the comment tag and add the
key identifier of /etc/ntp/keys after requestkey.
– If requestkey does not exist, add requestkey and add the key identifier of /etc/ntp/keys
after requestkey.
6. Save ntp.conf and exit the vi editor.
After editing the file, press Esc and run the :wq! command to save the file and exit.
7. Run the following command to change the permission for file ntp.conf:
# chmod 400 /etc/ntp.conf
Step 8 Run the following command to start the NTP service:
# rcntp start
Step 9 Run the following command to check the status of the NTP service on the U2000 server:
# /usr/sbin/ntpq -p
If information similar to the following is displayed, the NTP service is started. Otherwise,
the NTP service is in abnormal state. Contact Huawei technical support.
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.128.100 LOCAL(0) 6 u 19 64 377 0.135 0.265 0.115
LOCAL(0) .LOCL. 5 l 17 64 377 0.000 0.000 0.001
l The value of remote indicates the IP address and status of an NTP server.
In the preceding output, 192.168.128.100 indicates the IP address of the top-layer NTP
server. An asterisk (*) in front of the address indicates that the top-layer NTP server is in
normal state. After the preceding information is displayed, wait 5 minutes for the asterisk
to be displayed.
l The value of st indicates the layer of an NTP server in the time synchronization network.
In the preceding output, the IP address 192.168.128.100 is on layer 6.
Step 10 Run the following command to check the time synchronization path from the U2000 server to
the top-layer NTP server:
# /usr/sbin/ntptrace
localhost: stratum 7, offset 0.000160, synch distance 0.019073
192.168.128.100: stratum 6, offset 0.000000, synch distance 0.011094
The localhost line and the next line indicate the path from the U2000 server (intermediate-
layer NTP server) to the top-layer NTP server. The system can track the entire NTP
synchronization path from the U2000 server (intermediate-layer NTP server) to the top-layer
NTP server.
For example, localhost: stratum 7 in the preceding output indicates that the U2000 server is
on layer 7, and 192.168.128.100: stratum 6 indicates that 192.168.128.100 is on layer 6.
Step 11 Run the following command to check the system date and time.
# date -R
If the system date and time are incorrect, contact Huawei technical support.
Step 12 Restart the Sybase/Oracle database services.
For details, see 4.3 Starting the Database Service.
Step 13 Restart the U2000 services.
For details, see 4.5 Starting U2000 Services.
Step 14 Enable NTP monitoring.
For details, see 3.8 Enabling/Stopping the NTP Monitoring Service of the U2000 Server.
NOTE
After the preceding configuration, start NTP monitoring so that NTP alarms can be reported to the
U2000.
----End
Example
For example, the MD5 algorithm is used, the identifiers are 100 and 101, and the
corresponding key data is tPol3kRS and l2082skt.
Open /etc/ntp/keys. The contents after the modification are as follows:
10000 M b273290137C]
100 M tPol3kRS
101 M l2082skt
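The identifier cross-references set up in the two procedures above (the OSMU client configuration and the U2000 intermediate-server configuration) can be checked mechanically. The script below is an added example, not part of the Huawei guide: the function names and the permission check on the keys file are assumptions, and the sample files are constructed from the addresses and identifiers used in the guide's examples.

```shell
#!/bin/sh
# Added example: verify that ntp.conf and the keys file agree on key
# identifiers. Function names are hypothetical; sample data is constructed.

# perm_findings FILE: flag a file that group or others can access.
# (The guide sets ntp.conf to 400; applying the same rule to the keys file is
# an assumption of this example, because that file holds the shared secrets.)
perm_findings() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || echo "PERM $1 is accessible to group/others ($mode)"
}

# auth_findings CONF KEYS: cross-check identifiers between the two files.
auth_findings() {
    awk '
    { sub(/#.*/, "") }                       # strip comments such as "#keys ..."
    NF == 0 { next }
    FILENAME == ARGV[1] {                    # first operand: the keys file
        if (NF < 3) print "KEYS line " FNR " lacks identifier, key type or key data"
        else if ($1 in defined) print "KEYS identifier " $1 " is defined twice"
        defined[$1] = 1
        next
    }
    $1 == "keys"       { keyspath = $2; next }
    $1 == "trustedkey" { for (i = 2; i <= NF; i++) trusted[$i] = 1; next }
    $1 == "requestkey" { for (i = 2; i <= NF; i++) request[$i] = 1; next }
    $1 == "server" && $2 !~ /^127\.127\./ {  # skip the local clock driver
        k = ""
        for (i = 3; i < NF; i++) if ($i == "key") k = $(i + 1)
        n++; addr[n] = $2; skey[n] = k
    }
    END {
        if (keyspath == "") print "CONF no active keys line (missing or commented out)"
        for (j = 1; j <= n; j++) {
            if (skey[j] == "") { print "CONF server " addr[j] " has no key (unauthenticated)"; continue }
            if (!(skey[j] in defined)) print "CONF server " addr[j] " uses key " skey[j] " not defined in keys file"
            if (!(skey[j] in trusted)) print "CONF server " addr[j] " uses key " skey[j] " not listed after trustedkey"
        }
        for (id in trusted) if (!(id in defined)) print "CONF trustedkey " id " not defined in keys file"
        for (id in request) if (!(id in defined)) print "CONF requestkey " id " not defined in keys file"
    }' "$2" "$1"
}

# check_ntp_auth CONF KEYS: print all findings; return 0 only when there are none.
check_ntp_auth() {
    findings=$(perm_findings "$1"; perm_findings "$2"; auth_findings "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample DIR: constructed files. "before" keeps keys/requestkey commented
# out and trusts only key 100; "after" is the state the procedure aims for.
write_sample() {
    printf '100 M k0ssL09a\n101 M l2082skt\n' > "$1/keys"
    cat > "$1/ntp.conf.before" <<'EOF'
server 10.161.94.212 key 100 prefer
server 10.161.94.214 key 101
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#keys /etc/ntp/keys
trustedkey 100
#requestkey 1 2 3 4 5 6 14 15
EOF
    sed -e 's/^#keys/keys/' -e 's/^trustedkey.*/trustedkey 100 101/' \
        -e 's/^#requestkey.*/requestkey 100 101/' \
        "$1/ntp.conf.before" > "$1/ntp.conf.after"
    chmod 400 "$1/keys" "$1/ntp.conf.before" "$1/ntp.conf.after"
}

demo=$(mktemp -d)
write_sample "$demo"
for f in before after; do
    echo "== ntp.conf.$f"
    check_ntp_auth "$demo/ntp.conf.$f" "$demo/keys" && echo "consistent"
done
rm -rf "$demo"
```

On a live board the call would be `check_ntp_auth /etc/ntp.conf /etc/ntp/keys`, run as root before the NTP service is restarted.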
Follow-up Procedure
After the U2000 server is set as an intermediate NTP server, set the NEs as NTP clients. For
details about how to set an NE as an NTP client, see the user guide of the corresponding NE
type. Contact Huawei technical support to obtain the user guide.
of the NTP service on the master, standby, and slave servers. For an ATAE cluster online
remote HA system, you need to perform the following steps on the active site and the standby
site.
Context
After the NTP server and NTP client start, a 5-minute system check is performed. Wait for 5
minutes before running the following command to query the NTP service running status:
ntpq -p.
If you run ntpq -p during the system check, the address of the remote time source does not
have the asterisk *; if you run ntptrace, Timeout or Not Synchronized is displayed.
Procedure
Step 1 Log in to the OSMU board as user osmuuser in SSH mode using PuTTY. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
~> su - root
Password: Password of root
# ntpq -p
The remote field in the command output of ntpq -p is the IP address of the OSMU server's
time source, and its status is provided.
SR5S1:~ # ntpq -p
remote refid st t when poll reach delay offset disp
==============================================================================
*10.161.94.214 10.161.94.214 2 u 58 64 377 0.37 0.217 0.05
# ntptrace
The ntptrace command will trace the NTP synchronization path from the current server to the
top-level NTP server. For more details, run the ntptrace -v command.
# ntpq
ntpq> as
In the command output, if the value in the auth column is ok, the NTP authentication is
successful.
ntpq> exit
----End
Example
The OSMU server functions as an NTP client.
# ntpq -p
remote refid st t when poll reach delay offset disp
==============================================================================
*10.71.15.97 10.71.15.69 2 u 29 64 377 0.44 -0.428 0.09
# ntpq
ntpq> as
ind assID status conf reach auth condition last_event cnt
===========================================================
1 30140 f614 yes yes ok sys.peer reachable 1
ntpq> exit
The asterisk * in front of *10.71.15.97 in the command output of ntpq -p indicates that
time synchronization is successful.
Run the ntpq command and type as. The value in the auth column is ok, which indicates that
the authentication between the OSMU server and the NTP server is successful.
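The two checks described above (the asterisk in the ntpq -p output and ok in the auth column of the as output) can be scripted for routine monitoring. This is an added example, not part of the Huawei guide: the function names are hypothetical, the sample data is constructed from the outputs printed in this section, and the LOCAL_ONLY case generalizes to the fallback described for an intermediate NTP server that has lost its upper-level source.

```shell
#!/bin/sh
# Added example: interpret ntpq output as described in this section.
# Live use:  ntpq -pn | peer_state     and     ntpq -c as | auth_state
# Function names are hypothetical; the sample_* data is constructed.

# peer_state: reads "ntpq -p" output on stdin.
# Returns 0 SYNCED (a remote source carries the * tally), 1 LOCAL_ONLY (the
# server follows its own local clock), 2 UNSYNCED (no source selected).
peer_state() {
    awk '
    /^=+$/ || $1 == "remote" || NF < 10 { next }
    substr($0, 1, 1) == "*" { peer = substr($1, 2); st = $3; reach = $7; off = $9 }
    END {
        if (peer == "") { print "UNSYNCED no source selected (expected for 5 minutes after start)"; exit 2 }
        if (peer ~ /^(LOCAL|127\.127\.)/) { print "LOCAL_ONLY following " peer ", upper-level source lost"; exit 1 }
        print "SYNCED peer=" peer " stratum=" st " reach=" reach " offset_ms=" off
    }'
}

# auth_state: reads the "as" (associations) listing on stdin.
# Returns 0 only when the association in condition sys.peer, that is the
# source the clock actually follows, shows auth ok.
auth_state() {
    awk '
    $1 ~ /^[0-9]+$/ && NF >= 8 {
        if ($7 == "sys.peer") { found = 1; auth = $6; id = $2 }
        else if ($6 != "ok") print "NOTE assID=" $2 " auth=" $6 " condition=" $7
    }
    END {
        if (!found) { print "AUTH_UNKNOWN no sys.peer association"; exit 2 }
        if (auth != "ok") { print "AUTH_FAIL sys.peer assID=" id " auth=" auth; exit 1 }
        print "AUTH_OK sys.peer assID=" id
    }'
}

# Constructed samples: the first two mirror the example above; the third shows
# a server that has fallen back to its local clock.
sample_peers() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*10.71.15.97     10.71.15.69      2 u   29   64  377     0.44   -0.428    0.09
EOF
}
sample_assoc() { cat <<'EOF'
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 30140  f614   yes   yes  ok   sys.peer   reachable   1
EOF
}
sample_fallback() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.161.94.214   .INIT.          16 u    -   64    0    0.000    0.000   0.000
*LOCAL(0)        .LOCL.          10 l   17   64  377    0.000    0.000   0.001
EOF
}

sample_peers | peer_state
sample_assoc | auth_state
sample_fallback | peer_state || echo "-> clients of this server receive free-running time"
```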
This section describes how to use the OSMU to view the status of U2000 services and
database services, and start and stop U2000 services and database services.
Procedure
Step 1 Log in to the OSMU using a web browser. For details, see 26.2.5 Logging In to the OSMU
by Using a Web Browser.
Step 2 In the navigation tree, choose Service System > Service Management > Board Services.
The basic information about all boards is listed in the right pane.
Step 3 View the current status of U2000 services and database services. Table 4-1 lists the details.
NOTE
In Table 4-1, Subsystem corresponding to the board whose System is U2000 varies depending on the
installed component.
l BASE, PM, DS, FARS, ITF, CME, CORE, CM, and FM (running on the U2000 master service board)
l MED, DS, and CORE (running on U2000 slave service boards)
l TS, CORE (available only when the TS component is installed)
l CME, DS, CORE (available only when the management capability of the U2000 is expanded to
1600 equivalent NEs or more and the CME component is installed)
l DS, CORE, NEMGR, NW (available only when the management components of the MBB backhaul
devices are installed)
l PW (available only when the Site Power Management component is installed)
When a node is in the Switched Over state, you can perform the following operations to check
whether the board experiences a normal switchover or a fault switchover:
1. In the navigation tree, choose Device Management > Device Information > Details.
2. Select the board that is in the Switched Over state, and check the status of the board
service software in the Details area.
– If the value of Service software running status is StoppedSwitchOver, this node
experiences a normal switchover and no abnormal resource is available on this
node.
– If the value of Service software running status is AbnormalSwitchOver, this
node experiences a fault switchover and abnormal resources are available on this
node.
Step 4 Check the U2000 service status.
NOTICE
The Veritas Cluster Software (VCS) in the ATAE cluster system monitors only the U2000
daemon process of each board. Even if the U2000 daemon process is normal, U2000 services
on some boards may be abnormal. You can perform the following operations to check the
status of all U2000 services.
1. In the navigation tree on the left, choose Service System > Service Management >
Board Services.
2. In the Board Services tab page in the right pane, find boards whose System is U2000
and that are in the Normal state, and record SN of these boards.
3. Log in to any of the boards found in Step 4.2 as user ossuser using the keyboard, video,
and mouse (KVM) of the OSMU. For details, see 26.1.2 Logging In to the board by
Using the KVM of the OSMU.
4. Run the following commands to check the U2000 service status:
~> cd /opt/oss/server
~> . ./svc_profile.sh
– In the system output, if Not Running of all Host is 0, all U2000 services are
started.
– In the system output, if Running of all Host is 0, all U2000 services are stopped.
NOTE
The U2000 system generates processes and services dynamically during operation. Accordingly,
the number of the processes and services that are found changes dynamically.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 Choose Service System > U2000 > OSS Management Tool from the navigation tree on the
OSMU. The OSS Management Tool window is displayed.
If the system displays Security Warning, set the parameters according to the browser by
referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting Firefox.
Step 2 In the OSS Management Tool main window, click Component Management. The
Component Management window is displayed.
Step 3 Click Help in the upper right corner. Then, perform operations according to the online help in
the Component Management tab.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree, choose Service System > Service Management > Board Services.
Step 2 On the Board Services tab page in the right pane, view the status of the U2000 DB board.
NOTE
If you select more than one DB board, one service startup task is created for each DB board, and these
tasks can be executed concurrently.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree, choose Service System > Service Management > Board Services.
Step 2 On the Board Services tab page in the right pane, view the status of the U2000 service
boards.
l If the service boards are in the Service Stopped state, go to Step 3.
l If the service boards are in the Normal state, stop the services on the service boards by
referring to 4.6 Stopping U2000 Services. Then, go to Step 3.
l If the service boards are in a state other than Service Stopped and Normal, contact
Huawei technical support.
Step 3 On the Board Services tab page, view the status of the U2000 DB board.
l If the DB boards are in the Normal state, go to Step 4.
l If the DB boards are in a state other than Service Stopped and Normal, contact
Huawei technical support.
Step 4 On the Board Services tab page, select the check box of the DB board whose service you
want to stop based on the database type and click Stop.
l For Oracle databases, select the DB board whose Subsystem is OSSDB or OSSPMDB
and whose Cluster Name is DBCluster.
l For Sybase databases, select the DB board whose Subsystem contains DBSVR, and
whose Cluster Name is U2000Cluster.
Step 5 In the displayed confirmation dialog box, click Yes to stop services.
Step 6 In the displayed dialog box, click OK.
You can check the task execution result in the Centralized Task Management area. If the
task execution fails, contact Huawei technical support.
NOTE
If you select more than one DB board, one service termination task is created for each DB board, and the
tasks can be executed concurrently.
----End
Prerequisites
• The PC communicates with the OSMU server properly.
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree, choose Service System > Service Management > Board Services.
Step 2 On the Board Services tab page in the right pane, check the status of the boards for the
clusters listed in Table 4-2.
Table 4-2 Requirements for board status before you start U2000 services
Database | Cluster Name | System | Subsystem
• If any board is in the Faulty state, contact Huawei technical support. After the fault is
rectified, go to Step 3.
• If none of the boards is in the Faulty state, go to Step 3.
Step 3 On the Board Services tab page in the right pane, confirm that the U2000 service boards are
in the Service Stopped or Normal state.
Step 4 Before starting the U2000 services, ensure that database services are started. For details about
how to start the database services, see 4.3 Starting the Database Service.
Step 5 In the navigation tree, choose Service System > Service Management > System Services.
Step 6 On the System Services tab page in the right pane, select the check box of the system whose
System is U2000, and click Start to start U2000 services.
The time required for starting U2000 services varies according to the actual environment. In
normal cases, starting the services takes 15 to 20 minutes.
You can check the task execution result in the Centralized Task Management area. If the
task execution fails, contact Huawei technical support.
----End
Prerequisites
• The PC communicates with the OSMU server properly.
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree, choose Service System > Service Management > Board Services.
Step 2 On the Board Services tab page in the right pane, confirm that the U2000 service boards are
in the Normal state.
If the boards are in any other state, contact Huawei technical support.
Step 3 In the navigation tree, choose Service System > Service Management > System Services.
Step 4 On the System Services tab page in the right pane, select the check box of the system whose
System is U2000, and click Stop to stop U2000 services.
NOTICE
When the U2000 uses the Sybase database, this operation takes effect only on service boards
of the system whose System is U2000.
The time required for stopping U2000 services varies according to the actual environment. In
normal cases, stopping the services takes 2 minutes.
You can check the task execution result in the Centralized Task Management area. If the
task execution fails, contact Huawei technical support.
----End
Services are categorized into the following service groups: BASEGroup, CMGroup,
FMGroup, PMGroup, PRSGroup, FASGroup, DSGroup, CMEGroup, MEDGroup, ITFGroup,
and COREGroup.
The categories of the service groups and their contained services are listed in Table 4-3.
Service Group: Services
BASEGroup: 3rdToolService, ADNService, AdvancedSwitchService, AntennaTune, ConfigExport,
  CorbaService, EAMService, ForwardingService, FNLicenseService, GEMService, IPMService,
  ItmService, LicenseService, LogService, MaintenanceService, NeLicenseService,
  NeUserService, NGNFullFillService, NGNNI112Service, NGNNIService, NGNTestManageService,
  NHCService, NICService, NIMServer, PartitionService, PMService, PortTrunkingService,
  ProxyServer, ScriptModuleService, SecurityService, SNMService, SONService, SWMService,
  SystemService, TopoAdapterService, TopoService, trapdispatcher, UAPService
CMGroup: CMEngine, CMServer, CPMService
FMGroup: FaultService
PMGroup: PMMonService, ThresholdService, LocationService
PRSGroup: PRSAssistantService, PRSReportService, PRSSumService, PRSFsService, PRSDcService
FARSGroup: FarsService
DSGroup: DesktopService
CMEGroup: CmeServer
MEDGroup: CmDcService, FMMediationService, FMPreService, IRPEngine, MediationService,
  NCCService, PMEngine, PMSExport, SWMEngine, ThresholdEnging0X0X
ITFGroup: CMExport, IRPService, IRPEngine, IRPPMEngine, MirrorDBService, PMExport,
  SnmpAgent, TTMgrService
COREGroup: XFTPService, OMMonitor
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 Choose Service System > U2000 > OSS Management Tool from the navigation tree on the
OSMU. The OSS Management Tool window is displayed.
If the system prompts Security Warning, configure the parameters for the browser in use by
following instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Step 2 In the OSS Management Tool main window, click General.
Step 3 Click Service Management in the navigation tree in the left pane. The Service Management
page is displayed.
Step 4 Click Query. The OSMU starts to query the service statuses.
The query results are displayed in the lower area of the page.
• Service Name: Displays the names of the services to be queried.
• Process Name: Displays the names of the processes to be queried.
• Service Status: Displays the current statuses of the services.
Step 5 Change the statuses of U2000 services.
• To start a service, select the service that needs to be started, then click Start.
• To stop a service, select the service that needs to be stopped, then click Stop.
• To start all the services, click Start All.
• To stop all the services, click Stop All.
NOTE
• The timeout duration for starting a service or all services is about 60 minutes.
• The timeout duration for stopping a service or all services is about 5 minutes.
• When all services are stopped, no stack information is generated.
• When a single service is stopped, stack information is generated.
To query stack information, obtain the stack file (for example,
20151214104743_swm_agent_4503.stack) from the /opt/oss/server/var/logs/stack/ directory
based on the service name and time when the service was stopped.
After you start or stop all the services, the Download latest operation log button and the
Download troubleshooting file button are displayed on the right of the Stop button. You can
click either button to download log files as required.
----End
This section describes the mapping between the resources of the U2000 system and the
methods of managing the resources and resource groups of the U2000 system.
Cluster Planning
For the Oracle database, Table 5-1 describes the cluster planning for the ATAE cluster
system.
Table 5-2 Resource group planning and resource planning (U2000 service cluster)
Resource Group | Description of Resource Group | Resource Name | Description
Table 5-3 Resource group planning and resource planning (U2000 DB cluster)
Resource Group | Description of Resource Group | Resource Name | Description
Cluster Planning
For the Sybase database, the ATAE cluster system has only the U2000 application cluster,
which is named U2000Cluster.
The cluster managed by the Veritas Cluster can automatically switch over the applications
from a faulty master or active node to a specified standby node. Therefore, the Veritas Cluster
ensures high availability.
If a fault occurs on a master or active node running services, the system attempts to restart
services on the node. If the restart fails, the system automatically switches over the services
from the node to a standby node. After the switchover, you may need to reconnect the service
to the server without considering the internal structure of the system.
Resources are instances of the resource types defined in a cluster. One resource type may have
multiple resources, each of which has its name and attribute value group. This allows multiple
instances of the basic applications to run on the Cluster.
Resources that are dependent on each other are classified into the same resource group.
The Veritas Cluster runs the monitoring script at a regular interval to monitor the imapsysd
process of the U2000. If the returned information is normal, the Veritas Cluster continues
monitoring the process. If the returned information is abnormal, you need to invoke a script to
start U2000 services. If the services are restarted successfully, that is, the imapsysd process is
started successfully, the Veritas Cluster considers the U2000 resources recovered and
continues monitoring the process. If the services fail to be restarted, that is, the imapsysd
process fails to be started, the Veritas Cluster switches the resources from the master or active
node to the standby node.
The key process of the U2000 node is imapsysd. If the imapsysd process is running properly,
the Veritas Cluster continues monitoring the system. If the imapsysd process is not running
properly, the Veritas Cluster invokes a script to start the U2000 services. If the imapsysd
process is started successfully, the Veritas Cluster considers the U2000 resources recovered
and continues monitoring the system. If the imapsysd process is not started
successfully, the Veritas Cluster switches over the resources from the master or active node to
the standby node. The switchover process takes about 30 minutes.
The key process of the database node is the database service process. To monitor the database
service process, the Veritas Cluster provides Sybase Agent or Oracle Agent. If the Agent
detects that the database service process is not running properly, it restarts the database
service. If the database service is restarted successfully, the Veritas Cluster considers the
database resources recovered and continues monitoring the database service. Otherwise,
the Veritas Cluster switches over the database resources from the master or active node to the
standby node. The switchover of the database service takes about 30 minutes.
NOTE
The imapsysd and imapwatchdog processes are the daemons of the U2000 and monitor the other service
processes of the U2000. If a U2000 service is not running properly, the two processes automatically
restart it. In addition, the imapsysd and imapwatchdog processes monitor each other.
The Veritas Cluster provides an Agent to monitor the database service. It determines whether the
database is running properly by checking for the database service process.
The Veritas Cluster system (U2000 cluster or database cluster) allows you to switch over the resources
of only one board to the standby board. If the resources of a board have been switched over to the
standby board, manual or automatic switchover of resources from the other boards in the same cluster to
the standby board will fail.
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Service System > Service Management >
System Services.
Step 2 Select the cluster to be viewed from the list on the right side. Click View Resource Status.
You can view all the resource groups and their status in the cluster in the displayed dialog
box.
NOTE
A  SR5S2                  RUNNING  0
A  SR5S3                  RUNNING  0
A  SR5S4                  RUNNING  0
-- GROUP STATE
-- Group                  System   Probed  AutoDisabled  State
B  U2000ClusterSnmpGroup  SR5S2    Y       N             ONLINE
B  U2000ClusterSnmpGroup  SR5S3    Y       N             OFFLINE
B  U2000ClusterSnmpGroup  SR5S4    Y       N             OFFLINE
B  sr5s2_oss_sg           SR5S2    Y       N             ONLINE
B  sr5s2_oss_sg           SR5S4    Y       N             OFFLINE
B  sr5s3_oss_sg           SR5S3    Y       N             ONLINE
B  sr5s3_oss_sg           SR5S4    Y       N             OFFLINE
The displayed information indicates that the service cluster consists of three resource
groups.
– Resource group U2000ClusterSnmpGroup consists of nodes SR5S2, SR5S3, and
SR5S4.
A  SR5S11                 RUNNING  0
A  SR5S14                 RUNNING  0
A  SR6S4                  RUNNING  0
-- GROUP STATE
-- Group                  System   Probed  AutoDisabled  State
B  DBClusterSnmpGroup     SR5S11   Y       N             ONLINE
B  DBClusterSnmpGroup     SR5S14   Y       N             OFFLINE
B  DBClusterSnmpGroup     SR6S4    Y       N             OFFLINE
B  sr5s11_db_sg           SR5S11   Y       N             ONLINE
B  sr5s11_db_sg           SR5S14   Y       N             OFFLINE
B  sr6s4_db_sg            SR5S14   Y       N             OFFLINE
B  sr6s4_db_sg            SR6S4    Y       N             ONLINE
NOTE
The system shows the DB resource groups of all products, because the database boards of all
products constitute one database cluster that shares one standby DB board.
The displayed information indicates that the DB cluster consists of three resource
groups.
– Resource group DBClusterSnmpGroup consists of nodes SR5S11, SR5S14, and
SR6S4.
– Resource group sr5s11_db_sg consists of nodes SR5S11 and SR5S14.
– Resource group sr6s4_db_sg consists of nodes SR6S4 and SR5S14.
Correct status of the resource groups in the DB cluster is described as follows:
– Resource group DBClusterSnmpGroup is in the ONLINE state on only one node.
For example, in the preceding information, resource group DBClusterSnmpGroup
is in the ONLINE state on node SR5S11 only.
– Resource group sr5s11_db_sg is in the ONLINE state on only one node. The same
is true for resource group sr6s4_db_sg.
For example, in the preceding information, resource group sr5s11_db_sg is in the
ONLINE state on node SR5S11 only, and resource group sr6s4_db_sg is in the
ONLINE state on node SR6S4 only. Resource groups sr5s11_db_sg and
sr6s4_db_sg are both in the OFFLINE state on node SR5S14. This indicates that
node SR5S14 is the standby node of nodes SR5S11 and SR6S4. If the master node
in either resource group is faulty, services are switched to node SR5S14.
Step 3 Click OK. Then, the Query Cluster Resource dialog box is closed.
Step 4 Choose Service System > Service Management > Board Services from the navigation tree
in the left pane.
Step 5 Select the board whose cluster system resource status you want to view from the board
list on the right side. Click View Resource Status. The Query Board Resource dialog box is
displayed, showing the cluster system resource status on the board.
NOTE
Step 6 Click OK. Then the Query Board Resource dialog box is closed.
----End
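The status rules in Step 2, and the limit noted earlier of one switched-over board per standby board, can be checked mechanically against saved group-state rows. The Python below is an added example, not part of the Huawei guide or of the OSMU; treating the one node listed in every group as the standby, and skipping groups whose names end in SnmpGroup, are assumptions drawn from the two sample outputs.

```python
from collections import defaultdict

# Constructed input: the DB cluster GROUP STATE rows shown in Step 2,
# one row per line.
DB_CLUSTER = """\
-- GROUP STATE
-- Group System Probed AutoDisabled State
B DBClusterSnmpGroup SR5S11 Y N ONLINE
B DBClusterSnmpGroup SR5S14 Y N OFFLINE
B DBClusterSnmpGroup SR6S4 Y N OFFLINE
B sr5s11_db_sg SR5S11 Y N ONLINE
B sr5s11_db_sg SR5S14 Y N OFFLINE
B sr6s4_db_sg SR5S14 Y N OFFLINE
B sr6s4_db_sg SR6S4 Y N ONLINE
"""


def parse_group_state(text):
    """Return {group: {node: state}} built from the 'B' rows.

    A row whose State value wrapped onto the following line (as can happen
    when the dialog text is copied) is joined before it is read.
    """
    groups = defaultdict(dict)
    pending = None
    for line in text.splitlines():
        fields = line.split()
        if pending is not None and len(fields) == 1:
            fields = pending + fields
        pending = None
        if fields[:1] != ["B"]:
            continue
        if len(fields) == 5:        # State is on the next line
            pending = fields
        elif len(fields) == 6:
            _, group, node, _probed, _auto_disabled, state = fields
            groups[group][node] = state
    return dict(groups)


def single_online_findings(groups):
    """List every group that breaks the 'ONLINE on only one node' rule."""
    findings = []
    for group in sorted(groups):
        states = groups[group]
        online = sorted(n for n, s in states.items() if s == "ONLINE")
        if len(online) != 1:
            where = ", ".join(online) if online else "no node"
            findings.append(f"{group}: ONLINE on {where}; expected exactly one node")
        for node in sorted(states):
            if states[node] not in ("ONLINE", "OFFLINE"):
                findings.append(f"{group}: state {states[node]} on {node} needs review")
    return findings


def standby_node(groups):
    """Assumption: the standby is the one node that every group lists."""
    if not groups:
        return None
    common = set.intersection(*(set(nodes) for nodes in groups.values()))
    return next(iter(common)) if len(common) == 1 else None


def groups_on_standby(groups):
    """Return (standby, board groups currently ONLINE on it).

    Assumption: groups named *SnmpGroup are cluster-wide and are skipped;
    the rest are per-board groups that fail over to the standby.
    """
    standby = standby_node(groups)
    if standby is None:
        return None, []
    hosted = sorted(
        g for g, nodes in groups.items()
        if not g.endswith("SnmpGroup") and nodes.get(standby) == "ONLINE"
    )
    return standby, hosted


def report(text):
    """Summarise the checks as a list of printable lines."""
    groups = parse_group_state(text)
    lines = single_online_findings(groups) or ["every group is ONLINE on exactly one node"]
    standby, hosted = groups_on_standby(groups)
    if standby is None:
        lines.append("standby node could not be identified")
    elif hosted:
        lines.append(f"standby {standby} is in use by {', '.join(hosted)}; "
                     "another switchover to it will fail")
    else:
        lines.append(f"standby {standby} is free")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DB_CLUSTER)))
```

A non-empty list of groups on the standby means a board has already been switched over, so the standby cannot take the resources of a second board until the first is switched back.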
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
• The U2000 service cluster comprises the following parts:
– Master node (or master server): board whose System is U2000 and Subsystem
contains BASE.
– Slave node (or slave server): board whose System is U2000 and Subsystem does
not contain BASE.
• The U2000 DB cluster comprises the following parts:
– U2000 DB node: board whose System is U2000DB.
– DB standby node: board whose System is Standby, Subsystem is Standby and
Cluster Name is DBCluster.
NOTICE
• The U2000 allows you to switch over the resources of only one board to the standby board
at the same time in the same cluster. If the resources of a board have been switched over to
the standby board, switchover of resources from any other board in the same cluster to the
standby board will fail.
• A switchover is performed only when an exception occurs in the system. After the services
are switched over, some management functions of the OSMU on boards are restricted. You
can use these restricted functions only after the system restores and the services are
switched back to the original board. Restricted functions include changing time and time
zone, setting DST, changing IP addresses of boards, configuring routes, collecting device
information, backing up static data, changing user passwords of the operating system and
databases.
• The time required for the switchover depends on the actual environment. Normally, the
switchover takes 30 minutes.
• The ALM-1038 VCS Monitor Warning Alarm alarm is reported during the manual
resource switchover between U2000 nodes. After the resources are switched over, you can
manually clear this alarm.
• The ALM-1045 Abnormal SSH Trust Relationship alarm is reported during the manual
resource switchover between U2000 nodes. After the resources are switched over, this
alarm is cleared automatically.
Procedure
Step 1 Perform the following operations to switch over resources to the standby node or the DB
standby node based on the scenario:
1. Choose Service System > Service Management > Board Services from the navigation
tree on the left.
2. Check the board status on the Board Services tab page in the right pane.
– If you want to switch over the service resources:
▪ Status of service board and standby service board to be switched over must be
Normal and Standby, respectively.
▪ Status of DB board and standby DB board must be Normal, Standby, or
Switched Over.
– If you want to switch over DB resources, Status of DB board and standby DB
board to be switched over must be Normal and Standby, respectively.
3. On the Board Services tab page in the right pane, select the check box in front of the
board which you want to switch. Then, click Switch.
– If you want to switch over the service resources, select the master node or the slave
node.
– If you want to switch over DB resources, select the U2000 DB node.
4. Click Yes in the Confirm dialog box.
5. Click OK in the Information dialog box.
NOTICE
Relevant boards may restart during the switchover and the status of the boards may be
displayed as Faulty because they are disconnected from other boards. Normally, they
recover after the switchover is complete. If any board is still in the Faulty state after
the switchover is complete, contact Huawei technical support.
6. Monitor the execution status in the Centralized Task Management area. After the task
is complete, switch to the Board Services tab page to check the board status again.
If the board status meets the following requirements, the resources are switched over
successfully. Otherwise, the switchover fails. When this happens, contact Huawei
technical support.
– After service resources are switched over, Status of service board and standby
service board must be Switched Over and Normal, respectively.
– After DB resources are switched over, Status of DB board and standby DB board
must be Switched Over and Normal, respectively.
Step 2 Perform the following operations to switch resources back from the standby node or the DB
standby node to the original node based on the scenario:
1. Choose Service System > Service Management > Board Services from the navigation
tree on the left.
2. On the Board Services tab page in the right pane, select the check box in front of the
standby node or the DB standby node. Then, click Switch.
3. Click Yes in the Confirm dialog box.
4. Click OK in the Information dialog box.
NOTICE
Relevant boards may restart during the switchover and the status of the boards may be
displayed as Faulty because they are disconnected from other boards. Normally, they
recover after the switchover is complete. If any board is still in the Faulty state after
the switchover is complete, contact Huawei technical support.
5. Monitor the execution status in the Centralized Task Management area. After the task
is complete, switch to the Board Services tab page to check the board status again.
If the board status meets the following requirements, the resources are switched over
successfully. Otherwise, the switchover fails. When this happens, contact Huawei
technical support.
– After service resources are switched over, Status of original node and standby
service board must be Normal and Standby, respectively.
– After DB resources are switched over, Status of original node and standby DB
board must be Normal and Standby, respectively.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
The U2000 cluster system comprises the following parts:
• Master node (or master server): board whose System is U2000 and Subsystem contains
BASE.
• Slave node (or slave server): board whose System is U2000 and Subsystem does not
contain BASE.
• Standby node (or standby server): board whose System is Standby, Subsystem is
Standby and Cluster Name is U2000Cluster.
• U2000 DB node: board whose System is U2000DB.
NOTICE
• The U2000 allows you to switch over the resources of only one board to the standby board
at the same time in the same cluster. If the resources of a board have been switched over to
the standby board, switchover of resources from any other board in the same cluster to the
standby board will fail.
• A switchover is performed only when an exception occurs in the system. After resources
are switched over, some board management functions of the OSMU are unavailable,
including changing the time and time zone, setting DST, changing IP addresses of boards,
configuring routes, collecting device information, backing up static data, and changing
user passwords of the operating systems and databases. You can use these functions only
after the system is restored and resources are switched back to the original board.
• The time required for the switchover depends on the actual environment. Normally, the
switchover takes 30 minutes.
• The ALM-1038 VCS Monitor Warning Alarm alarm is reported during the manual
resource switchover between U2000 nodes. After the resources are switched over, you can
manually clear this alarm.
• The ALM-1045 Abnormal SSH Trust Relationship alarm is reported during the manual
resource switchover between U2000 nodes. After the resources are switched over, this
alarm is cleared automatically.
Procedure
Step 1 Perform the following operations to switch over resources to the standby node:
1. Choose Service System > Service Management > Board Services from the navigation
tree in the left pane.
2. Check the board status on the Board Services tab page in the right pane.
– Status of the board which you want to switch and standby board must be Normal
and Standby, respectively.
– If you want to switch over the service resources, Status of DB board must be
Normal.
3. On the Board Services tab page in the right pane, select the check box in front of the
board which you want to switch. Then, click Switch.
4. Click Yes in the Confirm dialog box.
5. Click OK in the Information dialog box.
NOTICE
Relevant boards may restart during the switchover and the status of the boards may be
displayed as Faulty because they are disconnected from other boards. Normally, they
recover after the switchover is complete. If any board is still in the Faulty state after
the switchover is complete, contact Huawei technical support.
6. Monitor the execution status in the Centralized Task Management area. After the task
is complete, switch to the Board Services tab page to check the board status again.
If the board status meets the following requirements, the resources are switched over
successfully. Otherwise, the switchover fails. When this happens, contact Huawei
technical support.
Status of the board which has been switched and standby board must be Switched Over
and Normal, respectively.
Step 2 Perform the following operations to switch resources back from the standby node to the
original node:
1. On the Board Services tab page in the right pane, select the check box in front of the
standby node. Then, click Switch.
2. Click Yes in the Confirm dialog box.
3. Click OK in the Information dialog box.
NOTICE
Relevant boards may restart during the switchover and the status of the boards may be
displayed as Faulty because they are disconnected from other boards. Normally, they
recover after the switchover is complete. If any board is still in the Faulty state after
the switchover is complete, contact Huawei technical support.
4. Monitor the execution status in the Centralized Task Management area. After the task
is complete, switch to the Board Services tab page to check the board status again.
If the board status meets the following requirements, the resources are switched over
successfully. Otherwise, the switchover fails. When this happens, contact Huawei
technical support.
Status of original node and standby board must be Normal and Standby, respectively.
----End
This section describes how to add the U2000 server to the SSO server and set the local
authentication mode and SSO mode of the U2000 server.
6.1 Setting the Authentication Mode of the U2000 Server to Local Mode
This section describes how to set the authentication mode of the U2000 server to the default
local mode if the authentication mode of the server is not set to local mode. For an ATAE
cluster online remote HA system, you need to perform the following steps on the active site
and the standby site.
6.2 Setting the Authentication Mode of the U2000 Server to the SSO Mode
This section describes how to run commands to switch the authentication mode of the local
computer to the SSO mode when you need to move user authentication operations from the
U2000 server to the SSO server. For an ATAE cluster online remote HA system, you need to
perform the following steps on the active site and the standby site.
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode. For
detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following commands to set the environment variable:
~> cd /opt/oss/server
~> . ./svc_profile.sh
NOTE
These commands stop the SSOMediatorService service and restart the security service.
oss_chg2Local script started execution...
Executing : svc_adm -cmd stopsvc SecurityService
Executing : svc_adm -cmd stopsvc SSOMediatorService
Updating SecurityService files.
Removing SSOMediatorService files.
Executing : svc_adm -cmd startsvc SecurityService
oss_chg2Local script executed...
If the preceding information is displayed, the authentication mode has been successfully set.
In this case, you need to proceed with the following operations. Otherwise, contact Huawei
technical support.
Step 5 Run the following command to restart the DesktopService:
~> svc_adm -cmd restartsvc <desktop_servicename>
For example,
~> svc_adm -cmd restartsvc DesktopService0101
NOTE
• You can run the svc_adm -cmd status | grep DesktopService command to query the desktop
services on the current U2000.
• There may be more than one DesktopService that is running. You need to restart all the
DesktopServices.
----End
Prerequisites
You have deployed an SSO server. For detailed operations, see SSO Server Installation and
Deployment Guide.
Context
If the authentication mode is SSO, user locking and unlocking policies are controlled by the
SSO server.
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode. For
detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
~> cd /opt/oss/server
~> . ./svc_profile.sh
~> cd /opt/oss/server/platform/bin
Step 4 Run the following command to change the authentication mode to the SSO mode:
~> ./oss_chg2SSO.sh <U2000 server name> <SSO master server IP address> 31048 <SSO backup server IP address> 31048
For example,
NOTE
• These commands stop the SSOMediatorService service and restart the security service.
• U2000 server name is created when users add the U2000 server. For details, see SSO User Guide.
oss_chg2SSO script started execution...
Executing : svc_adm -cmd stopsvc SecurityService
Copying SSOMediatorService files.
Updating SecurityService files.
Executing : svc_adm -cmd startsvc SSOMediatorService
Executing : svc_adm -cmd startsvc SecurityService
oss_chg2SSO script executed...
If the preceding information is displayed, the authentication mode has been successfully set.
In this case, you need to proceed with the following operations. Otherwise, contact Huawei
technical support.
Step 5 Run the following command to restart the DesktopService.
~> svc_adm -cmd restartsvc <desktop_servicename>
Example:
~> svc_adm -cmd restartsvc DesktopService0101
NOTE
• You can run the svc_adm -cmd status | grep DesktopService command to query the desktop
services on the current U2000.
• There may be more than one DesktopService that is running. You need to restart all the
DesktopServices.
----End
This section describes how to change the port number and set file transfer policies on the FTP
server.
7.1 Changing the FTP Port Number (the U2000 Server as the FTP Server)
This section describes how to query or change the FTP port numbers when the U2000 server
functions as the FTP server and NEs, network management systems (NMSs), U2000 clients,
or tools function as the FTP clients. After the port number of the U2000 server is changed,
data transmission between all FTP clients and the U2000 server will be affected. Therefore,
you must set the FTP port numbers of all FTP clients communicating with the U2000 server
to be the same as the FTP port number on the U2000 server (FTP server). Alternatively, you
need to set the FTP mode on the FTP clients to encryption mode.
7.2 Changing the FTP Port Number (an NE as the FTP Server)
When an NE is used as the relay server that serves as the FTP server, the U2000 serves as an
FTP client. This section describes how to change the FTP port number if you do not want to
use the default port number 21.
7.3 Changing the FTP Port Number (a Third-Party Server as the FTP Server)
This section describes how to change the FTP port number if you do not want to use the
default port number 21 when a third-party server is used as the relay server that serves as the
FTP server, and the U2000 serves as an FTP client.
7.4 Configuring the FTP Transmission Policy
The FTP transmission policy for transmitting data between the FTP client and the FTP server
can use the traditional plaintext FTP mode or the SSL/SSH-based FTP encryption mode. To
ensure data security during file transmission, users can disable the plaintext FTP mode and
enable the SSL/SSH-based FTP encryption mode.
Prerequisites
1. You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
2. You have stopped U2000 services if you want to change the port number of the FTP
server. For details about how to stop U2000 services, see 4.6 Stopping U2000 Services.
3. You have obtained a new FTP port number that is not in use. For details about port
number usage, see the U2000 Communication Matrix.
The port number can be changed to 21 or a number ranging from 1024 to 65535.
4. The FTP port number of the NEs managed by the U2000 can be changed.
Context
For details about the NEs whose FTP port number can be changed, see Table 7-1.
Procedure
Step 1 Choose Service System > U2000 > OSS Management Tool from the navigation tree on the
OSMU. The OSS Management Tool window is displayed.
If the system prompts Security Warning, configure the parameters for the browser in use by
following instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
----End
Prerequisites
You have obtained a new FTP port number that is not in use. For details about port number
usage, see the U2000 Communication Matrix.
Procedure
Step 1 Perform the following operations to change the FTP port number of the NE that serves as the
FTP server:
On the U2000 client, choose Maintenance > MML Command from the main menu
(traditional style); alternatively, double-click Trace and Maintenance in Application Center
and choose Maintenance > MML Command from the main menu (application style). In the
displayed MML Command window, set the MML command to be executed. For details, see
section Running MML Commands in U2000 Software and Hardware Management User
Guide.
The MML command for changing the port number of the FTP server is SET FTPSSRV.
NOTE
Ensure that the port number of the U2000 is consistent with the port number of all NEs.
For details about the MML commands, see the MML command reference of the related NEs.
Step 2 Perform the following operations to change the FTP port number of the U2000 that serves as
an FTP client:
1. Open the window for setting file transfer parameters between the NE and the U2000
server using either of the following methods on the U2000 client.
– Choose Security > Connection Security Management > NE/OSS Server
Connection Settings (traditional style); alternatively, double-click Security
Management in Application Center and choose NE Security > Connection
Security Management > NE/OSS Server Connection Settings (application
style). The Preferences dialog box is displayed, and NE/OSS Server Connection
Settings is displayed in the right pane.
– Choose System > Preferences (traditional style) or File > Preferences (application
style). In the displayed Preferences dialog box, choose Connection Settings >
NE/OSS Server Connection Settings from the navigation tree in the left pane.
NE/OSS Server Connection Settings (for Server) is displayed in the right pane.
2. Change the FTP port number.
In the NE / OSS Server Transfer Settings dialog box, set a new FTP port number in
Command Port.
NOTICE
You can set a number ranging from 1024 to 65535. Port numbers below 1024
(except 21) are reserved and cannot be used as the command port.
3. Click OK.
Step 3 Perform the following operations to change the FTP port number of an NE that serves as an
FTP client:
On the U2000 client, choose Maintenance > MML Command from the main menu
(traditional style); alternatively, double-click Trace and Maintenance in Application Center
and choose Maintenance > MML Command from the main menu (application style). In the
displayed MML Command window, set MML commands to be executed. For details, see
section Running MML Commands in U2000 Software and Hardware Management User
Guide.
If no FTP port number has been configured on the NE, run the ADD FTPSCLTDPORT
command to configure the IP address and port number for the FTP client to
communicate with the FTP server.
If an FTP port number has been configured on the NE, run the MOD FTPSCLTDPORT
command to change the port number.
NOTE
Ensure that the port number of the U2000 is consistent with the port number of all NEs.
For details about the MML commands, see the MML command reference of the related NEs.
If the new FTP port number is unavailable in the command output, proceed to Step 4.2
to add the FTP port number. If the new FTP port number is available, do not add it.
2. Run the following command to add the new FTP port number:
After the setting, perform Step 4.1 again to check whether the new FTP port number is
available.
NOTE
If there is an unnecessary FTP port number, you can run the undo port ftp port port number
command to delete it. Port number 21 is a default number and cannot be changed or deleted.
----End
Prerequisites
You have obtained a new FTP port number that is not in use. For details about port number
usage, see the U2000 Communication Matrix.
Procedure
Step 1 Change the FTP port number on the third-party server.
For details, see the related guide delivered with the third-party server.
Step 2 Perform the following operations to change the FTP port number of the U2000 that serves as
an FTP client:
1. Open the window for setting file transfer parameters between the NE and the U2000
server using either of the following methods on the U2000 client.
– Choose Security > Connection Security Management > NE/OSS Server
Connection Settings (traditional style); alternatively, double-click Security
Management in Application Center and choose NE Security > Connection
Security Management > NE/OSS Server Connection Settings (application
style). The Preferences dialog box is displayed, and NE/OSS Server Connection
Settings is displayed in the right pane.
– Choose System > Preferences (traditional style) or File > Preferences (application
style). In the displayed Preferences dialog box, choose Connection Settings >
NE/OSS Server Connection Settings from the navigation tree in the left pane.
NE/OSS Server Connection Settings (for Server) is displayed in the right pane.
2. Change the FTP port number.
In the NE / OSS Server Transfer Settings dialog box, set a new FTP port number in
Command Port.
NOTICE
You can set a number ranging from 1024 to 65535. Port numbers below 1024
(except 21) are reserved and cannot be used as the command port.
3. Click OK.
Step 3 Perform the following operations to change the FTP port number of an NE that serves as an
FTP client:
On the U2000 client, choose Maintenance > MML Command from the main menu
(traditional style); alternatively, double-click Trace and Maintenance in Application Center
and choose Maintenance > MML Command from the main menu (application style). In the
displayed MML Command window, set MML commands to be executed. For details, see
section Running MML Commands in U2000 Software and Hardware Management User
Guide.
If no FTP port number has been configured on the NE, run the ADD FTPSCLTDPORT
command to configure the IP address and port number for the FTP client to
communicate with the FTP server.
If an FTP port number has been configured on the NE, run the MOD FTPSCLTDPORT
command to change the port number.
NOTE
Ensure that the port number of the U2000 is consistent with the port number of all NEs.
For details about the MML commands, see the MML command reference of the related NEs.
The methods of changing port numbers vary according to firewalls. The following uses
changing the FTP port number on the firewall Eudemon200 as an example.
1. Run the following command to check the FTP port number defined on the firewall:
If the new FTP port number is unavailable in the command output, proceed to Step 4.2
to add the FTP port number. If the new FTP port number is available, do not add it.
2. Run the following command to add the new FTP port number:
After the setting, perform Step 4.1 again to check whether the new FTP port number is
available.
NOTE
If there is an unnecessary FTP port number, you can run the undo port ftp port port number
command to delete it. Port number 21 is a default number and cannot be changed or deleted.
----End
SSH: Generally, SSH is used to replace the traditional and insecure Telnet. It
supports the setup of an encrypted tunnel between the SSH client and
server. After a Transmission Control Protocol (TCP) connection is set
up, the SSH client and server can transmit data through the encrypted
tunnel.
SSL: SSL is used to protect all application protocols that are based on TCP
or other transfer protocols.
SSL is mainly used to identify communication entities and provide a
secure channel for data confidentiality and integrity.
FTPS: As a secure FTP protocol developed from SSL, FTPS is used to encrypt
data during an FTP login connection and data transmission.
plaintext FTP mode and enable the SSL/SSH-based FTP encryption mode. Different
communication entities use different encryption modes, as shown in Figure 7-1.
• If an NE supports FTPS, FTPS is used for data transmission between the NE and the
U2000 server. To check whether an NE supports FTPS, see the NE product
documentation.
• SFTP is used between the U2000 client and the U2000 server.
• SFTP is used between the U2000 server and the NMS server.
• SFTP is used between the NIC, Nastar, and PRS and the U2000 server.
Overview of the FTP Policy When the U2000 Functions as the FTP Server
When the NEs, NMS, U2000 client, NIC, Nastar, and PRS are used as the FTP client and the
U2000 server is used as the FTP server, the traditional plaintext FTP mode or the encrypted
SFTP and FTPS modes can be used. If you have higher requirements for reliability of data
transmission, you can disable the plaintext FTP mode and use the encrypted SFTP or FTPS
mode.
If you disable the plaintext FTP mode on the U2000 server, the FTP connections between the
other systems and the U2000 server will be affected. File transfer between the U2000 server
and the NMS or NEs fails and services between them are blocked. Disabling the plaintext
FTP mode has the following impacts:
• If you set a U2000 server as a transfer server or third-party FTP server, NEs have to use
the FTPS mode to set up FTP connections with the transfer server or third-party FTP
server.
• The NMS has to use the SFTP mode. Otherwise, the NMS cannot set up an FTP connection
with the U2000 server, and cannot obtain information from the U2000 server through
northbound interfaces.
• Other systems, such as the PRS, Nastar, and NIC, have to use the SFTP mode to access
the U2000 server. Otherwise, the access fails.
• Terminal users have to use the SFTP mode to transfer files to the U2000 server.
Otherwise, file transfer fails.
• The U2000 server and client have to use the SFTP mode to access each other.
• If NEs managed by the U2000 support the FTPS mode, run MML commands on a
U2000 client to set the FTPS mode for NEs.
• After the plaintext FTP mode is disabled on the U2000 server, users cannot run ftp
commands on a PC to upload files to or download files from the U2000 server. Instead,
users need to transmit data using the FileZilla tool.
Overview of the FTP Policy When the U2000 Functions as the FTP Client
When an NE functions as a transfer server and the U2000 functions as an FTP client, the FTP
policy can be set to plaintext FTP mode or FTPS encryption mode. When the FTP mode is set
to FTPS on the FTP server, the FTP mode on the U2000 functioning as the FTP client must be
set to FTPS accordingly.
Prerequisites
• The NMS for the U2000 is set to the SFTP mode.
• Other systems that need to access the U2000 are set to the SFTP mode.
• The NEs managed by the U2000 support the FTPS mode.
• The FTP service is running properly.
• You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
Context
The impacts of disabling the plaintext FTP mode for the U2000 server are as follows:
• If you set a U2000 server as a transfer server or third-party FTP server, NEs have to use
the FTPS mode to set up FTP connections with the transfer server or third-party FTP
server.
• The NMS has to use the SFTP mode. Otherwise, the NMS cannot set up FTP
connections with the U2000 server, and cannot obtain information from the U2000
server through northbound interfaces.
• Other systems, such as the PRS, Nastar, and NIC, have to use the SFTP mode to access
the U2000 server. Otherwise, the access fails.
• Terminal users have to use the SFTP mode to transfer files to the U2000 server.
Otherwise, file transfer fails.
• The U2000 server and client have to use the SFTP mode to access each other.
• If NEs managed by the U2000 support the FTPS mode, run MML commands on a
U2000 client to set the FTPS mode for NEs.
• After the plaintext FTP mode is disabled on the U2000 server, users cannot run ftp
commands on a PC to upload files to or download files from the U2000 server.
Procedure
Step 1 Stop U2000 services.
Check whether U2000 services are running by following instructions provided in 4.1
Checking the U2000 Service Status. If U2000 services are running, stop them by following
instructions provided in 4.6 Stopping U2000 Services.
Step 2 Perform the following operations to disable the plaintext FTP mode on the U2000 server.
1. Choose Service System > U2000 > OSS Management Tool from the navigation tree on
the OSMU. The OSS Management Tool window is displayed.
If the system prompts Security Warning, configure the parameters for the browser in
use by following instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2
Setting Firefox.
2. In the OSS Management Tool main window, click General.
3. In the navigation tree in the left pane, choose Local FTP Server Settings. The Local
FTP Server Settings window is displayed.
4. Select Disable Plain Mode.
5. Click Customize.
NOTE
3. Run the following commands to check for emergency systems associated with the
current U2000 server on which you are performing operations:
# . /opt/oss/server/svc_profile.sh
# emgproxy_adm -c status
4. Run the following command on the U2000 server to synchronize the data from the
current U2000 system to the emergency system in full data synchronization mode:
# emgproxy_adm -c synchronize -t all
When the system displays The synchronization succeeded.............................[100.0%],
data synchronization is complete.
5. Use PuTTY to log in to the emergency system server as user ossuser in SSH mode. For
details, see 26.1.1 Logging In to the Board by Using PuTTY.
You can perform the following operation to query the external IP address for the
emergency system server.
Use a browser to log in to the OSMU server, and choose Device Management >
Hardware Device > Board from the navigation tree in the left pane of the OSMU
window. The external IP address for the board whose Cluster Name is ESCluster is the
external IP address for the emergency system server.
NOTICE
If multiple emergency system instances are deployed, the value of Cluster Name for
each emergency system is unique, for example, ESCluster#2. Select an emergency
system according to the actual requirements.
7. Run the following command to check whether the plaintext FTP mode is disabled on the
emergency system server:
# ftp IP address for the emergency system server
When the system displays the following information, type ftpuser and press Enter.
Name (***.***.***:ossuser):
If the system displays Non-anonymous sessions must use encryption, the plaintext
FTP mode is disabled on the emergency system server. When this occurs, go to Step 6.
Otherwise, proceed to the following steps to disable the plaintext FTP mode on the
emergency system server.
8. Enter the password of user ftpuser and run the following command to exit from the FTP
connection:
ftp> bye
9. Run the following command to freeze data synchronization between the U2000 system
and the emergency system:
# emgsys_adm -o resmgr -c freeze
10. Run the following commands to disable the plaintext FTP mode on the emergency
system server:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/3rdTools/ftp/files
# ./setSSLForFtpSvr.sh disablePlainFtp
11. Run the following command to check whether the plaintext FTP mode is disabled on the
emergency system server:
# ftp IP address for the emergency system server
When the system displays the following information, type ftpuser and press Enter.
Name (***.***.***:ossuser):
If the system displays Non-anonymous sessions must use encryption, the plaintext
FTP mode is disabled on the emergency system server. When this occurs, proceed to the
following steps.
12. Press Enter multiple times. After the ftp> prompt is displayed, run the following
command to exit from the FTP connection:
ftp> bye
13. Run the following command to unfreeze data synchronization between the U2000
system and the emergency system:
# emgsys_adm -o resmgr -c unfreeze
Step 6 Perform the following operations to set the transfer mode between the U2000 server and
client to SFTP.
1. Log in to the U2000 client.
2. Choose System > Preferences (traditional style) or File > Preferences (application
style). In the displayed Preferences dialog box, choose OSS Client/OSS Server File
Transfer Settings from the navigation tree in the left pane. Open the window for setting
file transfer parameters between the U2000 client and server.
3. Set FTP Mode to SFTP.
– Optional functions include Resumable Transfer, Compress, and Passive Mode. If
Passive Mode is not selected, files will be transferred in active mode by default.
– Network timeout(5-3600)s indicates the timeout duration for setting up an FTP
connection. The value of this parameter ranges from 5 seconds to 3600 seconds.
4. Click OK for the settings to take effect.
Step 7 Change the FTP transmission mode of the NEs managed by the U2000 to the FTPS mode on
the U2000 client or LMT.
On the U2000 client, choose Maintenance > MML Command. The MML Command
window is displayed. Set the MML commands. For details, see Running MML Commands in
U2000 Software and Hardware Management User Guide.
The MML commands are as follows:
• SET FTPSCLT
This command is used to set the transfer mode of an FTP client (NE).
• LST FTPSCLT
This command is used to query the transfer mode of an FTP client (NE).
NOTE
• For details about the MML commands, see the MML command reference of the related NE.
• On the CGPOMU, the command for setting the FTP transfer mode (SET FTPPRTL) and the
command for querying the FTP transfer mode (LST FTPPRTL) are different from those on other
NEs.
----End
Prerequisites
• The plaintext FTP mode has been disabled on the U2000 server.
• The FTP service is running properly.
• You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
Procedure
Step 1 Stop U2000 services.
Check whether U2000 services are running by following instructions provided in 4.1
Checking the U2000 Service Status. If U2000 services are running, stop them by following
instructions provided in 4.6 Stopping U2000 Services.
Step 2 Perform the following operations to enable the plaintext FTP mode on the U2000 server.
NOTICE
Enabling the plaintext FTP mode may bring risks. Therefore, use this function with
caution.
1. Choose Service System > U2000 > OSS Management Tool from the navigation tree on
the OSMU. The OSS Management Tool window is displayed.
If the system prompts Security Warning, configure the parameters for the browser in
use by following instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2
Setting Firefox.
2. In the OSS Management Tool main window, click General.
3. In the navigation tree in the left pane, choose Local FTP Server Settings. The Local
FTP Server Settings window is displayed.
4. Clear Disable Plain Mode.
5. Click Customize.
NOTE
3. Run the following commands to check for emergency systems associated with the
current U2000 server on which you are performing operations:
# . /opt/oss/server/svc_profile.sh
# emgproxy_adm -c status
4. Run the following command on the U2000 server to synchronize the data from the
current U2000 system to the emergency system in full data synchronization mode:
# emgproxy_adm -c synchronize -t all
NOTICE
If multiple emergency system instances are deployed, the value of Cluster Name for
each emergency system is unique, for example, ESCluster#2. Select an emergency
system according to the actual requirements.
7. Run the following command to check whether the plaintext FTP mode is disabled on the
emergency system server:
When the system displays the following information, type the password of user ftpuser,
and then press Enter.
Name (***.***.***:ossuser):
If the system displays Non-anonymous sessions must use encryption, the plaintext
FTP mode is disabled on the emergency system server. When this occurs, perform the
following steps to enable the plaintext FTP mode on the emergency system server.
Otherwise, go to Step 5.
8. Press Enter multiple times. After the ftp> prompt is displayed, run the following
command to exit from the FTP connection:
ftp> bye
9. Run the following command to freeze data synchronization between the U2000 system
and the emergency system:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/3rdTools/ftp/files
# ./setSSLForFtpSvr.sh enablePlainFtp
11. Run the following command to unfreeze data synchronization between the U2000
system and the emergency system:
When the system displays the following information, type ftpuser and press Enter.
Name (***.***.***:ossuser):
If the FTP connection is set up, the plaintext FTP mode is enabled on the emergency
system server. Otherwise, contact Huawei technical support.
Step 5 Perform the following operations to set the transfer mode between the U2000 client and
server to the plaintext FTP mode.
1. Log in to the U2000 client.
2. Choose System > Preferences (traditional style) or File > Preferences (application
style). In the displayed Preferences dialog box, choose OSS Client/OSS Server File
Transfer Settings from the navigation tree in the left pane. Open the window for setting
file transfer parameters between the U2000 client and server.
3. Set FTP Mode to FTP.
– Optional functions include Resumable Transfer, Compress, and Passive Mode. If
Passive Mode is not selected, files will be transferred in active mode by default.
• For details about the MML commands, see the MML command reference of the related NE.
• On the CGPOMU, the command for setting the FTP transfer mode (SET FTPPRTL) and the
command for querying the FTP transfer mode (LST FTPPRTL) are different from those on other
NEs.
----End
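The manual ftp check used in the two procedures above (disabling and enabling the plaintext FTP mode) can be scripted so that it runs the same way on every server. The following is an added example, not part of this guide or of the U2000 tooling: it sends only USER over an unencrypted control connection and classifies the reply. The function names, the 530 reply code and the sample replies are assumptions constructed for illustration; only the "Non-anonymous sessions must use encryption" text comes from the guide.

```python
"""Check whether an FTP server still accepts plaintext logins (added example)."""
import io
import socket
import sys

# Message the guide says appears when the plaintext FTP mode is disabled.
ENCRYPTION_REQUIRED = "non-anonymous sessions must use encryption"


def read_reply(stream):
    """Read one FTP reply (single- or multi-line) and return (code, text)."""
    first = stream.readline().decode("latin-1").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError("malformed or missing FTP reply: %r" % first)
    code, lines = first[:3], [first[4:]]
    if first[3:4] == "-":              # multi-line reply ends with "<code><space>"
        while True:
            raw = stream.readline()
            if not raw:
                raise ValueError("control connection closed inside a reply")
            line = raw.decode("latin-1").rstrip("\r\n")
            if line.startswith(code + " "):
                lines.append(line[4:])
                break
            lines.append(line)
    return int(code), "\n".join(lines)


def classify_user_reply(code, text):
    """Translate the reply to USER into the state the procedure checks for."""
    if ENCRYPTION_REQUIRED in text.lower():
        return "plaintext-disabled"
    if code in (230, 331):             # logged in, or password requested in the clear
        return "plaintext-enabled"
    return "unknown"                   # for example, service not available


def check_control_channel(stream, user="ftpuser"):
    """Run the exchange on an open, unencrypted control connection.

    Only USER is sent; the password is never transmitted, so the check does not
    expose the credential even when plaintext logins are still accepted.
    """
    code, text = read_reply(stream)
    if code != 220:
        return {"state": "unknown", "code": code, "text": text}
    stream.write(("USER %s\r\n" % user).encode("ascii"))
    stream.flush()
    code, text = read_reply(stream)
    try:
        stream.write(b"QUIT\r\n")
        stream.flush()
    except OSError:
        pass                           # server already dropped the connection
    return {"state": classify_user_reply(code, text), "code": code, "text": text}


def probe_plain_ftp(host, port=21, user="ftpuser", timeout=10.0):
    """Connect to host:port and report whether plaintext logins are accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rwb") as stream:
            return check_control_channel(stream, user)


if __name__ == "__main__":
    if len(sys.argv) > 1:              # usage: script.py <server address> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
        print(probe_plain_ftp(sys.argv[1], port))
    else:                              # constructed replies, no network needed
        for raw in (b"530 Non-anonymous sessions must use encryption.\r\n",
                    b"331 Please specify the password.\r\n"):
            code, text = read_reply(io.BytesIO(raw))
            print(code, classify_user_reply(code, text))
```

Pass the new command port as the second argument when the FTP port number has been changed from 21.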
Procedure
Step 1 Set the FTP mode to FTPS on the NE.
For details, see the related NE guide.
Step 2 Set the FTP mode to FTPS on the U2000.
1. Log in to the U2000 client.
2. Set the FTP mode to Adapter Mode.
For details, see Setting the FTP Policy Between an NE and the U2000 in U2000 Data
Management User Guide.
----End
data security during file transmission, you can set the SFTP encryption mode. If the U2000
server is upgraded to V200R015C00 or a later version, reconfigure the SFTP for
actively transferring files over the northbound interface according to this chapter.
Prerequisites
• Use PuTTY to log in to the U2000 server in SSH mode as user ossuser. For an advanced
telecommunications application environment (ATAE) cluster system, you have logged in
to each server in the U2000 cluster.
• You have logged in to the NMS server as user UserA.
UserA is the NMS server user. Replace it as required.
Context
• To set up an SFTP connection using public or private key authentication, save the U2000
server's public key file in the authorized_keys file of the related NMS server user. The
system performs authentication using the U2000 server's private key and the U2000
server's public key stored on the NMS server. After the authentication is successful, the
SFTP connection is set up successfully. The U2000 server is not required to provide the
NMS login password.
• The public and private key authentication files can be encrypted or not. For encrypted
public and private key authentication files, set the password. If you forget the password,
all public and private key authentication files must be generated again, and the new files
will replace the existing files.
• Unless otherwise specified, perform the following operations on each server:
NOTE
• XFTPService0X01 indicates the XFTP service name of the U2000 server. Replace it as
required.
• For an ATAE cluster system, the service is deployed on the master and slave servers. The
service name for the master server is XFTPService0101. The service name for the first slave
server is XFTPService0201. The service name for the second slave server is
XFTPService0301. This method applies to the service names for other servers.
• When the XFTP service uploads files in FTP mode:
– If the northbound server runs the Linux or Unix operating system, use the vsftpd
software whose version is 2.0.5 or later.
– If the northbound server runs the Windows operating system, use the ftpserver
service delivered with the system.
Procedure
Step 1 Generate public and private key files on the U2000.
1. Run the following command on the U2000 server to check whether the .ssh directory
exists in the home directory.
~> cd /export/home/omc/.ssh/
If the system displays the following message, enter 1 to create encrypted public and
private key files.
------------------------------------------------------------------
Please select an operation type:
1--Generate PubKey File with Encrypt Key.
2--Generate PubKey File without Encrypt Key.
------------------------------------------------------------------
Please make a choice : 1
If the following message is displayed, enter the password twice. When ~> is displayed,
the encrypted public key file is generated.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
NOTICE
– Keep the password for future use. If the password is lost, all public and private key
files must be generated again, and the new files will replace the existing files.
– The password can contain 8 to 30 characters, including lowercase letters a to z,
uppercase letters A to Z, digits 0 to 9, and special characters ]@%-=_.}{. To
improve password security, please use the following password policies:
■ The password contains at least one uppercase letter.
■ The password contains at least one lowercase letter.
■ The password contains at least one digit.
■ The password contains at least one special character.
4. Run the following commands to modify permission of the public key file.
~> cd /export/home/omc/.ssh/
– If the system displays id_rsa: No such file or directory, perform Step 1.7 to create
public and private key files.
– If the system displays id_rsa, perform Step 2.
7. Run the following command to create non-encrypted public and private key files.
~> . /opt/oss/server/rancn/bin/ssh-keygen.sh
If the system displays the following message, enter 2 to create non-encrypted public and
private key files.
------------------------------------------------------------------
Please select an operation type:
1--Generate PubKey File with Encrypt Key.
2--Generate PubKey File without Encrypt Key.
------------------------------------------------------------------
Please make a choice : 2
If the system displays information similar to the following, the non-encrypted public key
file has been created successfully:
8. Run the following commands to modify permission of the public key file.
~> cd ${HOME}/.ssh/
NOTICE
– For a non-encrypted public key file, copy the id_rsa.pub file's content.
If the id_rsa.pub file does not exist, copy the ${HOME}/.ssh/authorized_keys file's
content on the U2000 server.
– For an encrypted public key file, copy the id_rsa_pwd.pub file's content.
a. Run the cat id_rsa.pub or cat id_rsa_pwd.pub command on the U2000 server.
The content of the id_rsa.pub or id_rsa_pwd.pub file is displayed.
b. Run the vi command on the NMS server to write the content of the id_rsa.pub or
id_rsa_pwd.pub file into the authorized_keys file.
NOTICE
– The content to be written into the authorized_keys file cannot contain any line feed.
If any line feed exists, delete it.
– If the authorized_keys file contains any other data, perform a line feed operation.
Then, write the content.
4. Run the vi command to modify the /etc/ssh/sshd_config file and configure SFTP
parameters on the NMS server.
# su - root
Password: Password of user root
# vi /etc/ssh/sshd_config
Parameter Value
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
5. Perform the following operations on the NMS server to check the SFTP service status.
If... Then...
OpenSSH Portable for Solaris
If... Then...
Step 3 If you use encrypted public and private key authentication files, perform Step 4. If you use
non-encrypted public and private key authentication files, perform Step 4.
1. Run the following command on the U2000 server to query the password for encrypting
the private key.
~> . /opt/oss/server/svc_profile.sh
~> XFTPPasswdEncrypt
When the following information is displayed, enter the encryption password twice.
Please Enter Password :
Please Re-enter Password :
NOTICE
– The encryption password must be the same as that in Step 1.3.
– Keep the encryption password for future use. If the encryption password is lost, all
public and private key files must be generated again, and the new files will replace
the existing files.
~> vi ModuleParam.xml
3. Run the following command to check whether the config file exists:
~> cd ${HOME}/.ssh/
– If No such file or directory is displayed, the .ssh directory is unavailable in the
home directory. Run the following command, and then perform the following steps.
~> mkdir -p ${HOME}/.ssh/
– If no command output is displayed, the .ssh directory is available in the home
directory. Perform the following steps.
~> ls config
NOTE
~> vi config
IdentityFile /export/home/omc/.ssh/id_rsa_pwd
IdentityFile ~/.ssh/id_rsa
NOTE
If the config file contains the preceding information, you do not need to modify the config file.
Step 4 Run the vi command on the U2000 server to change the value of DefaultFTPType in the
ModuleParam.xml file.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
~> cd /opt/oss/server/etc/XFTPService
~> vi ModuleParam.xml
NOTE
If DefaultFTPType is set to 1, the SFTP encryption mode is used. If DefaultFTPType is set to 0, the
plaintext FTP mode is used.
To change the SFTP encryption mode to the plaintext FTP mode, change the value of DefaultFTPType
to 0 and restart the XFTPService0X01 service.
Using the plaintext FTP mode has security risks. It is recommended that you use the SFTP mode.
<GeneralParams>
…
<param name="DefaultFTPType">1</param>
…
</GeneralParams>
Step 5 Run the following command on the U2000 server to restart the XFTPService0X01 service to
make the modification take effect.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
~> . /opt/oss/server/svc_profile.sh
You can obtain the service name of XFTPService0X01 for the server on which the current
operation is performed from the command output. XFTPService0X01 is used as an example.
Replace it as required.
Step 6 Run the following command on the U2000 server to view the XFTPService0X01 service
status.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
~> svc_adm -cmd status | grep XFTP
• If the XFTPService0X01 service is in the running state in the command output, the
service is running properly.
• If the XFTPService0X01 service is in the not running state in the command output, the
service is not started. When this occurs, contact Huawei technical support.
Step 7 Perform the following operations on the U2000 client to configure FTP server information:
1. Log in to the U2000 client.
2. Choose Software > FTP Auto Upload Management > Target Server Settings
(traditional style); alternatively, double-click System Management in Application
Center and choose Settings > FTP Auto Upload Management > Target Server
Settings (application style).
In the Target Server Setting window, the configured FTP server information is
displayed.
3. Select an FTP server whose information needs to be configured and click Add.
4. Set the FTP server parameters, as described in Table 7-5.
Parameter Description
Module Type/Module Name: The module type consists of NBI FM, NBI CM, NBI PM, NBI
Inventory, CME NBI, CME NCCDM, License Management, NBI
Server Backup, NBI Log, EBC Counter, EBC Data, and LTE Trace
Data. A module name indicates that the configured FTP server is used
to transfer the files corresponding to the modules in the U2000. For
example, if the module name is northbound alarm, it indicates that the
configured FTP server is used to transfer the files of northbound alarm
modules in the U2000 server.
Confirm Password: Enter the password again that is used to log in to the FTP server.
Server Directory: Directory for storing a file after it is transferred to the FTP server.
The directory name cannot contain the following special characters:
colon (:), asterisk (*), question mark (?), quotation mark ("), less than
(<), greater than (>), and vertical bar (|).
NOTE
When you log in to the U2000 server as user ftpuser, ensure that the server
directory starts with "/export/home/sysm", for example,
"/export/home/sysm/ftproot".
Source Directory: Directory for storing the LTE Trace Data that needs to be uploaded.
NOTE
This parameter can be configured only when you modify or add an FTP server
whose Module Name is LTE Trace Data.
The added parameters are saved and displayed in the Target Server Setting window.
6. Choose Software > FTP Auto Upload Management > File Upload Browser
(traditional style); alternatively, double-click System Management in Application
Center and choose Settings > FTP Auto Upload Management > File Upload Browser
(application style) to check the status of the files to be uploaded.
The files to be uploaded and files that fail to be uploaded are displayed in the Upload
File Browser window.
----End
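The key-authentication procedure above depends on three settings that are easy to get wrong by hand: the sshd_config parameters on the NMS server, an authorized_keys entry that contains no line feed, and the DefaultFTPType value in ModuleParam.xml. The following is an added example, not part of this guide or of the U2000 tooling, that checks all three from file content; the function names are hypothetical, and the sample key and XML in it are constructed for illustration.

```python
"""Audit settings from the SFTP key-authentication procedure (added example)."""
import base64
import struct
import xml.etree.ElementTree as ET

# Values from the guide's sshd_config parameter table.
REQUIRED_SSHD = {
    "rsaauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
}


def audit_sshd_config(text):
    """Return {parameter: problem} for settings that differ from the table.

    Keywords are case-insensitive and sshd uses the first value it reads.
    Match blocks are not evaluated here.
    """
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    problems = {}
    for key, want in REQUIRED_SSHD.items():
        got = seen.get(key)
        if got is None:
            problems[key] = "not set explicitly"
        elif got != want and not (want == "yes" and got.lower() == "yes"):
            problems[key] = "is %r, expected %r" % (got, want)
    return problems


def _blob_fields(blob):
    """Split SSH wire-format key data into length-prefixed fields; None if damaged."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            return None
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def audit_authorized_keys(text):
    """Return [(line_no, problem)] for entries that a line feed has broken."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, tok in enumerate(tokens)
                    if tok.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            problems.append((no, "no key type and data: probably the tail of a wrapped key"))
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            problems.append((no, "key data is not complete base64"))
            continue
        fields = _blob_fields(blob)
        if not fields or fields[0] != tokens[idx].encode("ascii"):
            problems.append((no, "key data is truncated or does not match its type"))
    return problems


def default_ftp_type(xml_text):
    """Return 'SFTP' (1), 'plaintext FTP' (0) or None from ModuleParam.xml content."""
    for param in ET.fromstring(xml_text).iter("param"):
        if param.get("name") == "DefaultFTPType":
            return {"1": "SFTP", "0": "plaintext FTP"}.get((param.text or "").strip())
    return None


def sample_public_key(comment="ossuser@u2000"):
    """Constructed ssh-rsa line with filler bytes; well-formed but not a usable key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    blob = (field(b"ssh-rsa") + field(b"\x01\x00\x01")
            + field(b"\x00" + bytes(range(1, 256)) + b"\xff"))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    key = sample_public_key()
    print(audit_authorized_keys(key))                          # intact entry
    print(audit_authorized_keys(key[:200] + "\n" + key[200:])) # pasted with a line feed
    print(audit_sshd_config("PubkeyAuthentication no\n"))
    print(default_ftp_type(
        '<GeneralParams><param name="DefaultFTPType">0</param></GeneralParams>'))
```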
Prerequisites
• Use PuTTY to log in to the U2000 server in SSH mode as user ossuser. For an advanced
telecommunications application environment (ATAE) cluster system, you have logged in
to each server in the U2000 cluster.
• You have logged in to the NMS server as user UserA.
UserA is an NMS server user. Replace it as required.
Context
• When the password authentication is used, the password for logging in to the NMS
server is required to set up an SFTP connection.
• Unless otherwise specified, perform the following operations on each U2000 server:
NOTE
XFTPService0X01 indicates the XFTP service name of the U2000 server. Replace it as required.
For an ATAE cluster system, the XFTP service is deployed on the master and slave servers, and
the service name for the master server is XFTPService0101. The service name for the first slave
server is XFTPService0201. The service name for the second slave server is XFTPService0301.
This method applies to the service names for other servers.
l When the XFTP service uploads files in FTP mode:
– If the northbound server runs the Linux or Unix operating system, use the vsftpd
software whose version is 2.0.5 or later.
– If the northbound server runs the Windows operating system, use the ftpserver
service delivered with the system.
Procedure
Step 1 Run the vi command to modify the /etc/ssh/sshd_config file and configure SFTP parameters
on the NMS server.
su - root
Password: Password of user root
# vi /etc/ssh/sshd_config
Parameter Value
Step 2 Perform the following operations on the NMS server to check the SFTP service status.
If... Then...
OpenSSH Portable for Solaris
Step 3 Perform the following operations on the U2000 server to change the value of the
DefaultFTPType parameter in the ModuleParam.xml file.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
~> cd /opt/oss/server/etc/XFTPService
~> vi ModuleParam.xml
NOTE
If DefaultFTPType is set to 1, the SFTP encryption mode is used. If DefaultFTPType is set to 0, the
plaintext FTP mode is used.
To change the SFTP encryption mode to the plaintext FTP mode, change the value of DefaultFTPType
to 0 and restart the XFTPService0X01 service.
<GeneralParams>
…
<param name="DefaultFTPType">1</param>
…
</GeneralParams>
Press Esc and run the :wq command to save the file and exit the vi editor.
Step 4 Run the following command on the U2000 server to restart the XFTPService0X01 service to
make the modification take effect.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
~> . /opt/oss/server/svc_profile.sh
You can obtain the service name of XFTPService0X01 for the server on which the current
operation is performed from the command output. XFTPService0X01 is used as an example.
Replace it as required.
Step 5 Run the following command on the U2000 server to view the XFTPService0X01 service
status.
This operation must be performed on each server where the XFTPService0X01 service is
deployed.
• If the XFTPService0X01 service is in the running state in the command output, the
service is running properly.
• If the XFTPService0X01 service is in the not running state in the command output, the
service is not started. When this occurs, contact Huawei technical support.
Step 6 Perform the following operations on the U2000 client to configure FTP server information:
1. Log in to the U2000 client.
2. Choose Software > FTP Auto Upload Management > Target Server Settings
(traditional style); alternatively, double-click System Management in Application
Center and choose Settings > FTP Auto Upload Management > Target Server
Settings (application style).
In the Target Server Setting window, the configured FTP server information is
displayed.
3. Select an FTP server whose information needs to be configured and click Add.
4. Set the FTP server parameters, as described in Table 7-7.
Module Type/Module Name: The module type consists of NBI FM, NBI CM, NBI PM, NBI
Inventory, CME NBI, CME NCCDM, License Management, NBI Server Backup, NBI Log,
EBC Counter, EBC Data, and LTE Trace Data. A module name indicates that the configured
FTP server is used to transfer the files corresponding to the modules in the U2000. For
example, if the module name is northbound alarm, it indicates that the
configured FTP server is used to transfer the files of northbound alarm
modules in the U2000 server.
Confirm Password: Enter the password again that is used to log in to the FTP server.
Server Directory: Directory for storing a file after it is transferred to the FTP server.
The directory name cannot contain the following special characters:
colon (:), asterisk (*), question mark (?), quotation mark ("), less than
(<), greater than (>), and vertical bar (|).
NOTE
When you log in to the U2000 server as user ftpuser, ensure that the server
directory starts with "/export/home/sysm", for example, "/export/home/sysm/ftproot".
Source Directory: Directory for storing the LTE Trace Data that needs to be uploaded.
NOTE
This parameter can be configured only when you modify or add an FTP server
whose Module Name is LTE Trace Data.
----End
This section describes how to replace the encrypted key of the U2000 system, replace the SSL
certificate of OSS Management Tool, change the password of the OSS Management Tool's
private key file, and perform security hardening/unhardening for internal ports of the U2000
server.
8.1 Replacing the Encrypted Key of the U2000 System Sensitive Data
Sensitive data in the U2000 system includes the user password and key, certificate password
and key, and user's sensitive information, such as IMSI, IMEI, and MSISDN. This section
describes how to replace the encrypted key. To improve the security of sensitive data in the
U2000 system, you need to periodically replace the encrypted key. Otherwise, you do not
need to perform the operations.
8.2 Replacing the Root Key of the U2000 System Sensitive Data
Sensitive data in the U2000 system includes the user password and key, certificate password
and key, and user's sensitive information, such as IMSI, IMEI, and MSISDN. This section
describes how to replace the root key. To improve the security of sensitive data in the U2000
system, you need to periodically replace the root key. Otherwise, you do not need to perform
the operations.
8.3 Replacing the Encrypted Key of the OSS Management Tool Sensitive Data
This section describes how to replace the encrypted key. To improve the security of sensitive
data in the U2000 system, you need to periodically replace the encrypted key. Otherwise, you
do not need to perform the operations.
8.4 Replacing the Root Key of the OSS Management Tool Sensitive Data
This section describes how to replace the Root key. To improve the security of sensitive data
in the U2000 system, you need to periodically replace the Root key. Otherwise, you do not
need to perform the operations.
8.5 Replacing the SSL Certificate of OSS Management Tool
The HTTPS service used by the OSS Management Tool depends on the SSL protocol. Digital
certificates are preconfigured during the installation of the U2000 server software by default.
To improve the security of the U2000 system, you are advised to use the certificates applied
from a recognized certificate authority to replace the preconfigured certificates. Otherwise,
you do not need to perform the operations. In the non-single-server system, the operation
needs to be performed only on the active node or master node.
8.6 Changing the Password of the OSS Management Tool's Private Key File
The HTTPS service used by the OSS Management Tool depends on the Secure Sockets Layer
(SSL). To ensure security, the SSL uses the RSA encryption algorithm, which is based on a
private key file. To increase the system security of OSS Management Tool, you can change
the password of the OSS Management Tool's private key file. This section describes how to
change the password of the OSS Management Tool's private key file. In the ATAE cluster
system, the operation needs to be performed only on the master node. For an ATAE cluster
online remote HA system, you need to perform the following steps on the master node of both
the active site and the standby site.
8.7 Changing the Maximum Login Attempts and Locking Duration for the OSS Management
Tool
To enhance the U2000 system security, by default, if you incorrectly enter the user name or
password for three consecutive times, the IP address for logging in to the OSS Management
Tool will be locked for 30 minutes. 30 minutes later, you are allowed to use the IP address to
log in again. You can customize the maximum number of login attempts and the maximum
lock duration for the OSS Management Tool based on the actual situation. In the non-single-
server system, you need to perform related operations only on the active server or master
server. For an ATAE cluster online remote HA system, you need to perform the following
steps on the active site.
8.8 Performing Security Hardening/Unhardening for Internal Ports of the U2000 Server
After the U2000 server is installed, you need to deploy a hardware firewall to reduce risks of
attacks on the U2000 server, improving security. If there is no hardware firewall, it is
recommended that you configure the OS firewall to perform security hardening on the internal
ports of the U2000 server to ensure its security.
8.9 Performing Security Hardening/Unhardening for U2000 Database Ports
After the U2000 database is installed, you need to deploy a hardware firewall to reduce risks
of attacks on the U2000 server, improving security. If there is no hardware firewall, it is
recommended that you configure the OS firewall to perform security hardening on U2000
database ports to ensure its security.
8.10 Querying and Setting the Encryption Algorithm for Alarms Between the U2000 and
OSMU
This section describes how to query and set the encryption algorithm for alarms between the
U2000 and OSMU. In the ATAE cluster system, perform operations in this section only on the
master server. In the ATAE cluster online remote HA system, perform operations in this
section only on the master server at the active site.
8.11 Querying and Setting the Authentication Algorithm for the Heartbeats Between the
U2000 and OSMU
This section describes how to query and set the authentication algorithm for heartbeats
between the U2000 and OSMU. In the ATAE cluster system, perform operations in this
section on the master and standby servers. In the ATAE cluster online remote HA system,
perform operations in this section only on the master and standby servers at both the active
and standby sites.
8.12 Querying and Setting the SNMPv3-based Algorithms Used Between the U2000 and PRS
This section describes how to query and set the SNMPv3-based authentication and encryption
algorithms used between the U2000 and PRS. In a non-single-server system, perform
operations in this section on the master and standby servers. In the ATAE cluster online remote
HA system, perform operations in this section on the master and standby servers at both the
active and standby sites.
8.13 Changing the OSS Private Key Password
This topic describes how to change the default OSS private key password in the
/opt/oss/server/etc/ssl/ne/ltecertlist.xml file.
8.14 Disabling the SSLv3 Protocol Used on the U2000
By default, the U2000 supports both SSL and TLS protocols for communication with other
devices. TLS protocols are more secure. Therefore, you are advised to disable SSL protocols
and use only TLS protocols. You can use the methods described in this section to disable the
SSLv3 protocol, improving the U2000 security.
8.15 Disabling the TLSv1.0 Protocol
By default, when the client (the U2000 client or the device communicating with the U2000
server) connects to the U2000 server, or the U2000 server connects to other servers, the
U2000 server supports the SSLv3 and TLS protocols. The SSLv3 and TLSv1.0 protocols are
insecure. TLSv1.1 and later are recommended instead of the SSLv3 and TLSv1.0 protocols,
improving U2000 security. This section describes how to disable the TLSv1.0 protocol.
8.16 Enabling/Disabling Proxy Service ACL
This section describes how to enable or disable the proxy service ACL function.
8.17 Configuring the DH Key Length for DS Services
The DH key length can be set to 2048 for a DS service. The default DH key length is 1024.
Increasing the DH key length can enhance security. Set the DH key length as required.
Prerequisites
Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode.
Context
If MBB backhaul device management components have been installed on the U2000, contact
Huawei technical support engineers before you perform this operation.
Procedure
Step 1 Stop the U2000 services.
Check the status of the U2000 services by following the instructions provided in 4.1
Checking the U2000 Service Status. If the U2000 services have been started, stop them by
following the instructions provided in 4.6 Stopping U2000 Services.
Step 2 Run the following command to replace the encrypted key of the U2000 system sensitive data:
~> . /opt/oss/server/svc_profile.sh
When the system displays the following information, type yes and press Enter:
To continue, enter "yes". To exit, enter other characters: yes
When information similar to the following is displayed, the encrypted key is replaced
successfully:
Cipher key changed successfully.
Step 3 Start the U2000 services by following the instructions provided in 4.5 Starting U2000
Services.
----End
Follow-up Procedure
• If the U2000 system is configured with the Trace Server independently deployed in the
ATAE cluster system, you also need to replace the encrypted key of the Trace Server. For
details, see section Replacing the Private Key of the Trace Server in U2000 Trace
Server User Guide (ATAE Cluster, Standalone).
• If the U2000 system is configured with the Trace Server independently deployed on an
HP server, you need to update the material file of the Trace Server. For details, see
section Updating the Material File on the Trace Server in U2000 Trace Server User
Guide (HP, Standalone).
• If the U2000 system is configured with the HAMonitor, you must install the HAMonitor
again to monitor the U2000 after the key is replaced. For details, see chapter
HAMonitor in U2000 OSMU User Guide.
Prerequisites
Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode.
Context
If MBB backhaul device management components have been installed on the U2000, contact
Huawei technical support engineers before you perform this operation.
Procedure
Step 1 Stop the U2000 services.
Check the status of the U2000 services by following the instructions provided in 4.1
Checking the U2000 Service Status. If the U2000 services have been started, stop them by
following the instructions provided in 4.6 Stopping U2000 Services.
Step 2 Run the following command to replace the root key of the U2000 system sensitive data:
~> . /opt/oss/server/svc_profile.sh
When information similar to the following is displayed, the root key is replaced successfully:
Root key changed successfully.
Step 3 Start the U2000 services by following the instructions provided in 4.5 Starting U2000
Services.
----End
Follow-up Procedure
• If the U2000 system is configured with the Trace Server independently deployed in the
ATAE cluster system, you also need to replace the encrypted key of the Trace Server. For
details, see section Replacing the Private Key of the Trace Server in U2000 Trace
Server User Guide (ATAE Cluster, Standalone).
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode.
For detailed operations, see .
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
Step 3 Run the following command to replace the encrypted key of the OSS Management Tool
sensitive data:
# /opt/OSMU/omc_control/update_config.sh modify
When information similar to the following is displayed, the encrypted key is replaced
successfully:
The Operation Succeeded.
Step 4 Run the following commands to synchronize the result to the standby node. If the U2000
system does not have a standby node, ignore this operation.
# scp -pr /opt/OSMU/omc_control/etc/conf/crypto.cfg Private IP address of the standby node:/opt/OSMU/omc_control/etc/conf/crypto.cfg
# scp -pr /opt/OSMU/omc_control/etc/conf/rootkey.cfg Private IP address of the standby node:/opt/OSMU/omc_control/etc/conf/rootkey.cfg
----End
Procedure
Step 1 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode.
For detailed operations, see .
Step 2 Run the following command to switch to user root.
~> su - root
Step 3 Run the following command to replace the Root key of the OSS Management Tool sensitive
data:
# /opt/OSMU/omc_control/update_config.sh modifyRootKey
When information similar to the following is displayed, the Root key is replaced successfully:
The Operation Succeeded.
Step 4 Run the following commands to synchronize the result to the standby node. If the U2000
system does not have a standby node, ignore this operation.
# scp -pr /opt/OSMU/omc_control/etc/conf/crypto.cfg Private IP address of the standby node:/opt/OSMU/omc_control/etc/conf/crypto.cfg
# scp -pr /opt/OSMU/omc_control/etc/conf/rootkey.cfg Private IP address of the standby node:/opt/OSMU/omc_control/etc/conf/rootkey.cfg
----End
Prerequisites
• The U2000 server software has been installed.
• The OSS Management Tool is working properly.
• The new SSL certificates have been prepared. Certificates contain rootcert.pem,
server-key.pem, and server-cert.der.
NOTE
• The OSS Management Tool does not support certificates encoded in der format. Make sure
that the encoding format of the 3 certificates is pem.
• You must obtain the three certificates. rootcert.pem is the trust certificate, server-key.pem is
the key of the device certificate, and server-cert.der is the device certificate.
• If the private key file of the device certificate is set with a password, obtain the password.
• You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
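The prerequisites above require all three files to be PEM-encoded even though one is named server-cert.der, and the key file may carry a pass phrase. The following pre-flight check is an added example, not part of the Huawei guide or tooling; the function names cert_encoding, preflight and make_sample are hypothetical, and the files make_sample writes are constructed stand-ins, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not Huawei code. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# cert_encoding FILE -> prints one of:
#   pem:<LABEL>            PEM armor around a DER body
#   pem-encrypted:<LABEL>  PEM private key protected by a pass phrase
#   der                    raw binary DER (not accepted by the OSS Management Tool)
#   unknown                unreadable, or neither of the above
cert_encoding() {
    ce_file=$1
    [ -r "$ce_file" ] || { echo unknown; return 0; }
    # PEM armor: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
    ce_label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$ce_file" | head -n 1)
    if [ -n "$ce_label" ]; then
        grep -q "^-----END $ce_label-----" "$ce_file" || { echo unknown; return 0; }
        # A protected key is either PKCS#8 ("ENCRYPTED PRIVATE KEY") or the
        # older OpenSSL form carrying a "Proc-Type: 4,ENCRYPTED" header.
        if [ "$ce_label" = "ENCRYPTED PRIVATE KEY" ] ||
           grep -q '^Proc-Type: 4,ENCRYPTED' "$ce_file"; then
            echo "pem-encrypted:$ce_label"; return 0
        fi
        # An unencrypted body is base64 of a DER SEQUENCE (first byte 0x30),
        # and base64 of a leading 0x30 byte always starts with the letter M.
        ce_body=$(awk -v b="-----BEGIN $ce_label-----" '
            index($0, b) == 1 { inside = 1; next }
            inside { print; exit }' "$ce_file")
        case $ce_body in
            M*) echo "pem:$ce_label" ;;
            *)  echo unknown ;;
        esac
        return 0
    fi
    # No armor: a binary DER file starts with the SEQUENCE tag 0x30.
    ce_first=$(od -An -tx1 -N1 "$ce_file" | tr -d ' \n')
    if [ "$ce_first" = 30 ]; then echo der; else echo unknown; fi
}

# preflight DIR -> returns 0 only if rootcert.pem, server-key.pem and
# server-cert.der in DIR are all PEM files of the expected kind.
preflight() {
    pf_dir=$1; pf_rc=0
    for pf_spec in rootcert.pem:CERTIFICATE server-key.pem:KEY server-cert.der:CERTIFICATE; do
        pf_name=${pf_spec%%:*}; pf_want=${pf_spec##*:}
        pf_got=$(cert_encoding "$pf_dir/$pf_name")
        case "$pf_want/$pf_got" in
            CERTIFICATE/pem:CERTIFICATE) pf_msg="ok" ;;
            KEY/pem:*"PRIVATE KEY")      pf_msg="ok (no pass phrase set)" ;;
            KEY/pem-encrypted:*)         pf_msg="ok (pass phrase required)" ;;
            */der)                       pf_msg="FAIL: binary DER, convert to PEM first"; pf_rc=1 ;;
            *)                           pf_msg="FAIL: found '$pf_got'"; pf_rc=1 ;;
        esac
        printf '%-16s %s\n' "$pf_name" "$pf_msg"
    done
    return $pf_rc
}

# make_sample DIR: writes constructed stand-ins (not real certificates or keys).
# "MAMCAQA=" is base64 of the five DER bytes 30 03 02 01 00.
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQA=' \
        '-----END CERTIFICATE-----' > "$1/rootcert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'MAMCAQA=' \
        '-----END RSA PRIVATE KEY-----' > "$1/server-key.pem"
    printf '\060\003\002\001\000' > "$1/server-cert.der"   # raw DER: must be rejected
}

# Usage: sh preflight.sh /path/to/uploaded/files
if [ $# -gt 0 ]; then preflight "$1"; fi
```

The check looks only at the encoding and the pass-phrase marker; it does not verify that the key matches the device certificate or that the certificate chains to rootcert.pem.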
Procedure
Step 1 Upload the SSL certificate to the U2000 server by using the FileZilla tool.
For details about how to use the FileZilla tool, see 26.1.12 Transferring Files by Using
FileZilla. The configuration information required for uploading the files is as follows:
Step 4 Run the following commands to back up the old certificate directory and the configuration
file.
# cp -pr /opt/OSMU/omc_control/cert /opt/OSMU/omc_control/cert.bak
# rm *.pem *.der
Step 6 Run the following commands to copy the new certificates to the target directory.
# cp -pr /opt/OSMU/omc_control/rootcert.pem /opt/OSMU/omc_control/cert
Step 7 Run the following commands to modify the password of the OSS Management Tool private
key file:
# cd /opt/OSMU/omc_control
# ./modify_pem_passvalue.sh
When The Operation Succeeded. is displayed by the system, the password of the
OSS Management Tool's private key file is modified successfully.
NOTE
• If the private key file for the device certificate is not set with a password, press Enter when you
enter the old password.
• The password contains 8 to 32 characters, including digits from 0 to 9, uppercase and lowercase
letters and special characters ]%@-=_.}{. To enhance password security, please use the
following password policies:
– The password contains at least one uppercase letter.
– The password contains at least one lowercase letter.
– The password contains at least one digit.
– The password contains at least one special character.
• When The code you enter twice must be same.Do you want to re-enter
it again? Y/N: is displayed, the entered passwords are inconsistent. In such case, type Y or y
and enter the password again.
• When The PEM pass phrase change is failure. is displayed, the OSS
Management Tool's private key file fails to be modified. In such case, perform this step to modify
the OSS Management Tool's private key file again. If The PEM pass phrase change is
failure. is displayed again, contact Huawei technical support engineers.
Step 8 If you want to enable SSL bidirectional authentication between the OSS Management Tool
server and client, perform this step. Otherwise, skip this step.
1. In the configuration file /opt/OSMU/omc_control/nginx.conf of the OSS Management
Tool server, set ssl_verify_client to on.
NOTE
ssl_verify_depth specifies the length of the certificate trust chain. If the client certificate delivered
with the server is used, retain the default value 2. If a customer's certificate is used, set this
parameter as needed.
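server {
    listen 127.0.0.1:31123;
    server_name localhost;
    add_header X-Frame-Options SAMEORIGIN;
    ssl on;
    ssl_certificate ../../cert/server-cert.der;
    ssl_certificate_key ../../cert/server-key.pem;
    ssl_certificate_key_password @WD3077272C8D2974904255ABF679AC7F8DF805F39E82D7E5E740792D;
    # Trust certificate used to verify the certificates presented by clients
    ssl_client_certificate ../../cert/rootcert.pem;
    # Require every client to present a certificate (bidirectional authentication)
    ssl_verify_client on;
    # Length of the certificate trust chain
    ssl_verify_depth 2;
    # Other directives in this server block stay unchanged
}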
NOTICE
– After SSL bidirectional authentication is enabled, you need to perform the following
operations to load the client certificate to all PCs that will be used to log in to the
web-based OSS Management Tool through a web browser. You are advised to use
Internet Explorer to log in to the web-based OSS Management Tool because Firefox
ESR 17.x, Firefox ESR 24.x, and Firefox ESR 31.x supported by the web-based OSS
Management Tool do not support the self-signed client certificate.
– Ensure that the time and time zone at the PC are consistent with those at the OSS
Management Tool server. Otherwise, you cannot log in to the web-based OSS
Management Tool after you have loaded the client certificate.
Step 10 Log in to the OSS Management Tool again and check whether the certificates have been
replaced successfully.
Choose Service System > U2000 > OSS Management Tool from the navigation tree on the
OSMU. The OSS Management Tool window is displayed.
NOTE
If the system prompts Security Warning, configure the parameters for the browser in use by following
instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2 Setting Firefox.
If you can log in to the OSS Management Tool, the certificates have been replaced successfully.
In such a case, go to Step 11. If you fail to log in to the OSS Management Tool, contact Huawei
technical support.
Step 11 Run the following commands to delete the temporary files.
# rm /opt/OSMU/omc_control/rootcert.pem
# rm /opt/OSMU/omc_control/server-key.pem
# rm /opt/OSMU/omc_control/server-cert.der
# rm -r /opt/OSMU/omc_control/cert.bak
Step 12 Run the following commands to synchronize the result to the standby node. If the U2000
system does not have a standby node, ignore this operation.
# scp -pr /opt/OSMU/omc_control/Junction/settings.py Private IP address of the standby node:/opt/OSMU/omc_control/Junction/settings.py
# scp -pr /opt/OSMU/omc_control/cert/rootcert.pem Private IP address of the standby node:/opt/OSMU/omc_control/cert/rootcert.pem
# scp -pr /opt/OSMU/omc_control/cert/server-key.pem Private IP address of the standby node:/opt/OSMU/omc_control/cert/server-key.pem
# scp -pr /opt/OSMU/omc_control/cert/server-cert.der Private IP address of the standby node:/opt/OSMU/omc_control/cert/server-cert.der
----End
Prerequisites
• You have installed the U2000 server software.
• The OSS Management Tool is working properly.
Context
To improve system security, you are advised to change the initial passwords set before
product delivery in a timely manner and periodically (at an interval of 6 months) change the
password of the private key file to avoid security risks, such as brute-force password cracking.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
• Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
• Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
Step 3 Run the following commands to modify the password of the OSS Management Tool's private
key file:
# cd /opt/OSMU/omc_control
# ./modify_pem_passvalue.sh
• If you are using the SSL certificate that is provided by the U2000, the default password of the OSS
Management Tool's private key file is Changeme_123.
• The password contains 8 to 30 characters, including digits from 0 to 9, uppercase and lowercase
letters, and special characters ]@%-=_.}{. You are advised to set the following password policies
to enhance password security:
– The password contains at least one uppercase letter.
– The password contains at least one lowercase letter.
– The password contains at least one digit.
– The password contains at least one special character.
• When The code you enter twice must be same.Do you want to re-enter
it again? Y/N: is displayed, the entered passwords are inconsistent. In such case, type Y or y
and enter the password again.
• When The PEM pass phrase change is failure. is displayed, the password of the
OSS Management Tool's private key file fails to be modified. In such case, perform this step to
modify the password of the OSS Management Tool's private key file again. If The PEM pass
phrase change is failure. is displayed again, contact Huawei technical support
engineers.
Step 4 After the password of the OSS Management Tool's private key file has been modified
successfully, run the following command to restart the OSS Management Tool service:
# /opt/OSMU/omc_control/restart_om_monitor.sh
Step 5 Log in to the OSS Management Tool again to check whether the modification takes effect.
To check whether the modification takes effect, you must use a web browser to log in to the
OSS Management Tool again. If you can successfully log in to the OSS Management Tool,
the modification takes effect.
Step 6 Run the following commands to synchronize the modification result to the standby node.
# scp -pr /opt/OSMU/omc_control/Junction/settings.py Private IP address of the standby node:/opt/OSMU/omc_control/Junction/settings.py
# scp -pr /opt/OSMU/omc_control/cert/server-key.pem Private IP address of the standby node:/opt/OSMU/omc_control/cert/server-key.pem
# scp -pr /opt/OSMU/omc_control/nginx.conf Private IP address of the standby node:/opt/OSMU/omc_control/nginx.conf
----End
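The private-key password rules stated in the two procedures above (8 to 32 characters in the certificate replacement procedure, 8 to 30 in this one, the special characters ]%@-=_.}{, and the four recommended character classes) can be checked before modify_pem_passvalue.sh is run. This is an added example, not Huawei code; check_key_password and gen_key_password are hypothetical names, and rejecting the shipped default Changeme_123 is an assumption drawn from the advice to change initial passwords.

```shell
#!/bin/sh
# Added example, not Huawei code. Function names are hypothetical.
LC_ALL=C; export LC_ALL        # byte-wise A-Z / a-z ranges in the patterns below

# check_key_password PASSWORD [MAX_LEN]
# Prints "ok" or the first rule that is violated; returns 0 only for "ok".
# MAX_LEN defaults to 32; pass 30 for the limit given in this procedure.
check_key_password() {
    kp_pw=$1; kp_max=${2:-32}
    # Assumption: the default named in the guide is never an acceptable new value.
    if [ "$kp_pw" = "Changeme_123" ]; then echo "default password"; return 1; fi
    if [ "${#kp_pw}" -lt 8 ] || [ "${#kp_pw}" -gt "$kp_max" ]; then
        echo "length"; return 1
    fi
    # Allowed set: digits, letters and ]%@-=_.}{
    # Inside a bracket expression "]" must come first and "-" last to be literal.
    case $kp_pw in
        *[!]0-9A-Za-z%@=_.}{-]*) echo "illegal character"; return 1 ;;
    esac
    # Recommended policy: at least one character from each class.
    case $kp_pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case $kp_pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $kp_pw in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case $kp_pw in *[]%@=_.}{-]*) ;; *) echo "no special character"; return 1 ;; esac
    echo ok
}

# gen_key_password [LEN] [MAX_LEN]
# Prints a random password of LEN characters (default 24) drawn from the
# allowed set, retrying until all four character classes are present.
gen_key_password() {
    gp_len=${1:-24}; gp_max=${2:-32}
    if [ "$gp_len" -lt 8 ] || [ "$gp_len" -gt "$gp_max" ]; then return 1; fi
    while :; do
        gp_pw=$(tr -dc ']0-9A-Za-z%@=_.}{-' < /dev/urandom 2>/dev/null | head -c "$gp_len")
        if check_key_password "$gp_pw" "$gp_max" >/dev/null; then
            printf '%s\n' "$gp_pw"
            return 0
        fi
    done
}
```

Source the file and call check_key_password from the same shell session so that the candidate password is not passed as an argument to a separate process.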
Prerequisites
• The U2000 server software has been installed.
• You can log in to the OSS Management Tool properly.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following command to set the maximum number of login attempts and the locking
duration for the OSS Management Tool.
# /opt/OSMU/omc_control/modify_lock_configure.sh
Enter the maximum number of login attempts: Maximum number of login attempts
Enter the maximum lock duration: Maximum lock duration
NOTE
The maximum number of login attempts and the maximum lock duration must be integers.
• The maximum number of login attempts ranges from 0 to 99. If the maximum number of login
attempts is set to 0, the lock policy is not used.
• The maximum lock duration ranges from 0 to 999. If the maximum number of login attempts is set
to a value other than 0 and the maximum lock duration is set to 0, the lock duration is unlimited.
If Operation success. is displayed, the maximum number of login attempts and the
maximum lock duration are changed successfully.
Step 4 Run the following command to restart the OSS Management Tool services.
# /opt/OSMU/omc_control/restart_om_monitor.sh
----End
Prerequisites
The firewall function provided by the OS is enabled. (That is, the iptables service is available
before operations are performed on SUSE Linux.)
Context
• In the high availability (HA) systems, the operation needs to be performed on the
primary and secondary servers.
• In the ATAE cluster system, the operation needs to be performed on the master, slave,
and standby servers.
• In the ATAE cluster online remote HA system, the operation needs to be performed on
the master, slave, and standby servers at the active and standby sites.
• Before changing the IP address of a U2000 server, you need to perform security
unhardening for internal ports if security hardening has been performed.
• After changing the IP address of a U2000 server, you can perform security hardening for
internal ports of the U2000 server.
• The operation execution involves the U2000 server's firewall. If too many rules are set,
U2000 server's performance may be affected. It is recommended that the hardware
firewall be deployed.
• If the operation execution fails, all the security hardening rules for the internal ports of
the U2000 server will be deleted from the OS firewall. If this occurs, contact Huawei
technical support.
• The security hardening operation mentioned in this section does not involve the security
hardening on ports 31837 and 31838 of the Apache.
• The previous hardening information may be lost after the OS firewall service is restarted.
Therefore, you need to perform the operation mentioned in this section again to perform
security hardening. Restarting the server has no impact on the previous hardening
information. Therefore, you do not need to perform this operation again.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
• Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
• Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
Step 3 Perform security hardening/unhardening for internal ports of the U2000 server as required.
• To perform security hardening for internal ports of the U2000 server, run the following
commands:
# . /opt/oss/server/svc_profile.sh
# sec_adm -cmd setIPTables
• To perform security unhardening for internal ports of the U2000 server, run the following
commands:
# . /opt/oss/server/svc_profile.sh
# sec_adm -cmd restoreIPTables
----End
Follow-up Procedure
After security hardening is performed on internal ports on the U2000 server, other products or
tools can update the internal port whitelist to set trust relationships with the U2000 server for
accessing the internal ports on the server. For detailed operations, see 26.1.39 Updating the
ACL for Internal Ports on the U2000 Server.
Prerequisites
The firewall function provided by the OS is enabled. (That is, the iptables service is available
before operations are performed on SUSE Linux.)
Context
• In the non-single-server system, you need to perform related operations only on the
active server or master server.
• For an ATAE cluster online remote HA system, you need to perform related operations at
the active site. After a switchover is performed between the active and standby sites,
perform the operations in this section again if related operations have not been performed at
the standby site before the switchover.
• Before changing the IP address of a U2000 server, you need to unharden database ports
if they have been hardened.
• After changing the IP address of a U2000 server, you can harden database ports to forbid
the access to the database using a remote IP address.
• The script hardens ports 4100 and 4200 for the Sybase database and ports 1521 and 1522
for the Oracle database.
• Database port hardening affects the database access using a remote IP address, for
example, accessing the U2000 database using the database client, or accessing the U2000
database using the northbound database. You can add remote IP addresses to the access
control list of the IP addresses so that users can access the U2000 database using the
added remote IP addresses.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following commands to check whether U2000 database ports have been hardened:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/tools/DBIptables
# ./DBAccessControl.sh -q
- If the system displays the following information, U2000 database ports have been
hardened:
DB ports have been hardened.
- If the system displays the following information, U2000 database ports have not been
hardened:
Check DB ports have not been hardened.
If the system displays succeeded, U2000 database ports are successfully hardened or
unhardened. Otherwise, contact Huawei technical support.
Step 5 After U2000 database ports are hardened, perform this step only if you need to add a remote
IP address for accessing the U2000 database. Otherwise, ignore this step.
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/tools/DBIptables
NOTE
----End
Context
Alarm configuration between the U2000 and OSMU is used to send hardware alarms from the
OSMU to the U2000 using the SNMPv3 protocol.
The SNMPv3 protocol supports data encryption using an encryption algorithm. By default,
when the OSMU reports alarms to the U2000, the Advanced Encryption Standard (AES)
algorithm is used as an encryption algorithm (priv_protocol) if the U2000 V200R015C00 is
newly installed, whereas the original encryption algorithm is used if the U2000 server is
upgraded to V200R015C00 or later.
To enhance U2000 system security, the AES128 algorithm that ensures high security is
recommended. The encryption algorithm configured on the OSMU for reporting alarms must
be consistent with the encryption algorithm configured on the U2000 server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Step 2 Run the following commands to query the current encryption algorithm used for alarms
between the U2000 server and OSMU:
~> . /opt/oss/server/svc_profile.sh
3. Run the following commands to check whether the encryption algorithm has been
successfully changed:
~> ConfigTool -cmd getparam -path /sf/sysmonitor/atae/ -name priv_protocol -target /opt/oss/server/etc/conf/sf_config.xml
If usmAESPrivProtocol is displayed, the encryption algorithm has been
successfully changed.
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Start U2000 services. For details, see 4.5 Starting U2000 Services.
Step 6 Check and set the encryption algorithm on the OSMU to be consistent with that on the U2000
server. For detailed operations, see Checking and Setting the Alarm Encryption and
Heartbeat Authentication Algorithms on the OSMU in ATAE Cluster System Product
Documentation.
----End
Follow-up Procedure
If the emergency system is configured in the ATAE cluster system, you need to manually
perform full synchronization after the configuration on the U2000 server is complete. For
details, see Synchronizing Manually the Data Between the Primary System and the
Emergency System in U2000 ATAE Cluster Emergency System User Guide.
Context
Heartbeat configuration between the U2000 and OSMU is used to monitor the heartbeats
between the U2000 and OSMU.
The SNMPv3 protocol uses the cryptographic hash functions and keys to generate message
authentication codes. By default, Secure Hash Algorithm (SHA1) is used as an authentication
algorithm for monitoring the heartbeats between the newly installed U2000 V200R015C00
and the OSMU, whereas the original authentication algorithm is used if the U2000 server is
upgraded to V200R015C00 or later.
To improve U2000 system security, the SHA1 algorithm that ensures high security is
recommended. The authentication algorithm configured on the OSMU for monitoring
heartbeats must be consistent with that configured on the U2000 server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
- Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
- Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, and run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
Step 2 Run the following command to query the current authentication algorithm for heartbeats
between the U2000 server and OSMU:
~> cat /opt/oss/server/common/resourcemonitor/conf/TS_config.xml | grep true
If there is no command output, the U2000 uses the SHA1 algorithm as the authentication
algorithm. Otherwise, the U2000 uses another authentication algorithm.
If you want to change the authentication algorithm configured on the U2000 server to the
SHA1 algorithm, perform Step 3. Otherwise, perform Step 4.
Step 3 Perform the following operations to change the authentication algorithm used for the
heartbeats between the U2000 server and OSMU:
1. Run the following command to change the authentication algorithm to SHA1:
~> sed 's/true/false/g' /opt/oss/server/common/resourcemonitor/conf/TS_config.xml > /tmp/TS_config.tmp
2. Run the following commands to change the file permission:
~> mv /tmp/TS_config.tmp /opt/oss/server/common/resourcemonitor/conf/TS_config.xml
~> chown ossuser:ossgroup /opt/oss/server/common/resourcemonitor/conf/TS_config.xml
~> chmod 750 /opt/oss/server/common/resourcemonitor/conf/TS_config.xml
3. Run the following command to restart the ResourceMonitor process:
~> ps -ef | grep -v grep | grep ResourceMonitor | awk '{print $2}' | xargs kill -9
4. Run the following command to check whether the authentication algorithm has been
successfully changed:
~> cat /opt/oss/server/common/resourcemonitor/conf/TS_config.xml | grep true
If no information is displayed, the authentication algorithm has been successfully
changed.
Step 4 Check and set the authentication algorithm on the OSMU to be consistent with that on the
U2000 server. For detailed operations, see Checking and Setting the Alarm Encryption
and Heartbeat Authentication Algorithms on the OSMU in ATAE Cluster System Product
Documentation.
----End
Follow-up Procedure
If the emergency system is configured in the ATAE cluster system, you need to manually
perform full synchronization after the configuration on the U2000 server is complete. For
details, see Synchronizing Manually the Data Between the Primary System and the
Emergency System in U2000 ATAE Cluster Emergency System User Guide.
Context
Alarm configuration between the U2000 and PRS is used to send resource monitoring
exception alarms, threshold alarms, and hardware alarms from the PRS to the U2000 using
the SNMPv3 protocol.
The SNMPv3 protocol supports data encryption using an encryption algorithm. By default,
SNMPv3-based Secure Hash Algorithm (SHA1) is used as an authentication algorithm and
SNMPv3-based Advanced Encryption Standard (AES) is used as an encryption algorithm
between the newly installed U2000 V200R015C00 and the PRS, whereas the original
authentication and encryption algorithms are used if the U2000 server is upgraded to
V200R015C00 or later.
To improve U2000 system security, the SHA1 (authentication algorithm) and AES
(encryption algorithm) algorithms that ensure high security are recommended. The SNMPv3-
based authentication and encryption algorithms configured on the PRS must be consistent
with the algorithms configured on the U2000 server.
NOTICE
If the version of the PRS interconnecting with the U2000 is earlier than
V100R014C00SPC200, the SNMPv3-based authentication and encryption algorithms
configured on the PRS cannot be changed. To improve security between the U2000 and PRS,
upgrade the PRS and then change the PRS authentication algorithm to SHA1 and the PRS
encryption algorithm to AES. Contact Huawei technical support to upgrade the PRS.
If you do not want to upgrade the PRS, change the SNMPv3-based authentication and
encryption algorithms configured on the U2000 to be consistent with those configured on the
PRS.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
- Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
- Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, and run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
Step 2 Run the following command to query the current SNMPv3-based authentication and
encryption algorithms between the U2000 server and PRS:
~> cat /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml | grep true
If no information is displayed, the U2000 uses SHA1 as the authentication algorithm and AES
as the encryption algorithm. Otherwise, the U2000 uses other authentication and encryption
algorithms.
If you want to change the SNMPv3-based authentication and encryption algorithms
configured on the U2000 server, perform Step 3. Otherwise, perform Step 4.
Step 3 Perform the following operations to change the SNMPv3-based authentication and encryption
algorithms used between the U2000 server and PRS:
1. Run the following command to change the SNMPv3-based authentication and encryption
algorithms:
– If you want to change the authentication algorithm to SHA1 and the encryption
algorithm to AES, run the following command:
~> sed 's/true/false/g' /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml > /tmp/PRS_config.tmp
– If the version of the PRS interconnecting with the U2000 is earlier than
V100R014C00SPC200, the SNMPv3-based authentication and encryption
algorithms configured on the PRS cannot be changed. To improve security between
the U2000 and PRS, upgrade the PRS and then change the PRS authentication
algorithm to SHA1 and the PRS encryption algorithm to AES. Contact Huawei
technical support to upgrade the PRS.
If you do not want to upgrade the PRS, run the following command to change the
SNMPv3-based authentication and encryption algorithms configured on the U2000
to be consistent with those configured on the PRS:
~> sed 's/false/true/g' /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml > /tmp/PRS_config.tmp
2. Run the following commands to change the file permission:
~> mv /tmp/PRS_config.tmp /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml
~> chown ossuser:ossgroup /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml
~> chmod 750 /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml
3. Run the following command to restart the ResourceMonitor process:
~> ps -ef | grep -v grep | grep ResourceMonitor | awk '{print $2}' | xargs kill -9
4. Run the following command to check whether the SNMPv3-based authentication and
encryption algorithms have been successfully changed:
~> cat /opt/oss/server/common/resourcemonitor/conf/PRS_config.xml | grep true
----End
Follow-up Procedure
If the emergency system is configured in the ATAE cluster system, you need to manually
perform full synchronization after the configuration on the U2000 server is complete. For
details, see Synchronizing Manually the Data Between the Primary System and the
Emergency System in U2000 ATAE Cluster Emergency System User Guide.
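The TS_config.xml and PRS_config.xml procedures above both stage the edited file under a fixed name in /tmp before moving it into place. The following added example (not part of the Huawei guide) applies the same sed substitution with a backup and an unpredictably named temporary file inside the configuration directory; the function names and the CFG_OWNER variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide.
# CFG_OWNER is an assumption of this example: set it to ossuser:ossgroup (the
# owner the guide assigns) when running as root; leave it unset otherwise.

# lines_with FILE WORD: number of lines in FILE that contain WORD
# (the guide's "grep true" check, expressed as a count).
lines_with() {
    grep -c -- "$2" "$1" || true
}

# set_flags FILE FROM TO: replace every FROM with TO in FILE (true<->false
# only, as in the guide) and print the path of the backup that was taken.
set_flags() {
    sf_file=$1; sf_from=$2; sf_to=$3
    case "$sf_from:$sf_to" in
        true:false|false:true) ;;
        *) echo "set_flags: only true<->false is supported" >&2; return 2 ;;
    esac
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$sf_file" ] || [ ! -f "$sf_file" ]; then
        echo "set_flags: $sf_file is not a regular file" >&2
        return 2
    fi
    sf_dir=$(dirname "$sf_file")

    # Backup with a unique name beside the original; cp -p keeps mode and times.
    sf_bak=$(mktemp "$sf_file.bak.XXXXXX") || return 1
    cp -p "$sf_file" "$sf_bak" || return 1

    # Stage the new content in the target directory: mktemp picks an
    # unpredictable name and creates the file with mode 600, and a rename
    # within one filesystem is atomic, so no half-written file is ever visible.
    sf_tmp=$(mktemp "$sf_dir/.cfg.XXXXXX") || return 1
    if ! sed "s/$sf_from/$sf_to/g" "$sf_file" > "$sf_tmp"; then
        rm -f "$sf_tmp"; return 1
    fi
    # Owner and mode are set before the file appears under its real name.
    if [ -n "${CFG_OWNER:-}" ] && ! chown "$CFG_OWNER" "$sf_tmp"; then
        rm -f "$sf_tmp"; return 1
    fi
    if ! chmod 750 "$sf_tmp" || ! mv -f "$sf_tmp" "$sf_file"; then
        rm -f "$sf_tmp"; return 1
    fi
    echo "$sf_bak"
}

# Usage on the server (path from the guide):
#   bak=$(set_flags /opt/oss/server/common/resourcemonitor/conf/TS_config.xml true false)
#   lines_with /opt/oss/server/common/resourcemonitor/conf/TS_config.xml true   # expect 0
```

The ResourceMonitor restart and the consistency check on the OSMU or PRS side still follow as in the procedure. To roll back, copy the printed backup file over the configuration file.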
Prerequisites
- Ensure that the SSLManageService is stopped before this tool is executed.
- This command must be run in /opt/oss/server/common/nessl/bin.
Context
- From the security management aspect, you must change the private key password
periodically to ensure the password security.
- You are advised to change the password every month.
- For details about the password complexity rules, see nesslCryptTool in U2000 Command
Reference.
- If the password is disclosed to an unauthorized user, you are advised to change it
immediately to ensure the secure management and maintenance of the U2000.
- In the non-single-server system, you need to perform related operations only on the
active server or master server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to update the default private key password in the
/opt/oss/server/etc/ssl/ne/ltecertlist.xml file. The default password is Changeme_123.
~> . /opt/oss/server/svc_profile.sh
~> cd /opt/oss/server/common/nessl/bin
~> ./nesslCryptTool
Old password:
New Password:
Confirm new password:
----End
Context
- After the SSLv3 protocol is disabled, the U2000 server cannot be connected using the
SSLv3 protocol.
- The SSLv3 protocol can be disabled in the following usage scenarios:
– U2000 processes communicate with each other using the CORBA or MRB
interface.
– The desktop service on the U2000 server communicates with other devices.
– Files are transmitted between the U2000 server and NEs.
– The northbound interfaces (CORBA, alarm streaming, and command line
interfaces) on the U2000 server interconnect with the NMS using the SSLv3
protocol.
– The SSLv3 protocol is used when NE LMT communicates with U2000 NE user
services.
– The SSLv3 protocol is used when U2000 NE user services communicate with NEs.
- In the HA system, related operations must be performed on only the active server.
- In the Sun SLS system or ATAE cluster system, related operations must be performed on
the master and slave servers, respectively.
- In an ATAE cluster online remote HA system, you need to run this command on the master
and slave servers of the active site and the standby site.
Procedure
Step 1 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 2 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
- Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
- Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, and run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
c. Run the following command on the U2000 server to synchronize the data from the
current U2000 system to the emergency system in full data synchronization mode:
# emgproxy_adm -c synchronize -t all
When the system displays The synchronization
succeeded............................. [100.0%], data
synchronization is complete.
d. Use PuTTY to log in to the emergency system server as user ossuser in SSH mode.
NOTE
You can perform the following operation to query the external IP address for the emergency
system server.
Use a browser to log in to the OSMU server, and choose Device Management > Hardware
Device > Board from the navigation tree in the left pane of the OSMU window. The
external IP address for the board whose Cluster Name is ESCluster is the external IP
address for the emergency system server.
NOTICE
If multiple emergency system instances are deployed, the value of Cluster Name
for each emergency system is unique, for example, ESCluster#2. Select an
emergency system according to the actual requirements.
f. Run the following command to check whether the SSLv3 protocol used during file
transfer between the emergency system and NEs has been disabled:
# /opt/oss/server/3rdTools/ftp/files/setSSLForFtpSvr.sh querySSLv3
If information similar to the following is displayed, the SSLv3 protocol has been
disabled. In this case, go to Step 3.h.
/opt/oss/server/3rdTools/ftp/files
setSSLForFtpSvr_i begin
SSLv3 protocol is disabled transfer over FTP.
setSSLForFtpSvr_i end
Step 4 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
- Check whether the SSLv3 protocol used in the following three scenarios has been
disabled: U2000 processes communicate with each other using the CORBA or MRB
interface; the desktop service on the U2000 server communicates with other devices; the
U2000 communicates with the NMS using the socket or CORBA northbound interface.
Run the following commands, taking the file /opt/oss/server/etc/ssl/option.xml as an
example:
~> . /opt/oss/server/svc_profile.sh
~> ssl_adm -cmd querySSLv3 -file /opt/oss/server/etc/ssl/option.xml
– If command output similar to the following is displayed, the SSLv3 protocol has
been disabled.
SSLv3 protocol is disabled in file /opt/oss/server/etc/ssl/option.xml.
– If command output similar to the following is displayed, the SSLv3 protocol is
not disabled.
SSLv3 protocol is enabled in file /opt/oss/server/etc/ssl/option.xml.
- Check whether the SSLv3 protocol used for file transmission between the U2000 server
and NEs has been disabled. Run the following command as user root:
# /opt/oss/server/3rdTools/ftp/files/setSSLForFtpSvr.sh querySSLv3
– If command output similar to the following is displayed, the SSLv3 protocol has
been disabled.
/opt/oss/server/3rdTools/ftp/files
setSSLForFtpSvr_i begin
SSLv3 protocol is disabled transfer over FTP.
setSSLForFtpSvr_i end
– If command output similar to the following is displayed, the SSLv3 protocol is
not disabled.
/opt/oss/server/3rdTools/ftp/files
setSSLForFtpSvr_i begin
SSLv3 protocol is enabled transfer over FTP.
setSSLForFtpSvr_i end
- If you need to query whether the SSLv3 protocol has been disabled for the U2000 proxy,
run the following commands:
~> . /opt/oss/server/svc_profile.sh
~> cd /opt/oss/server/rancn/tools/ProxyTools
~> ./ProxySSLV3Adm.sh query
If command output similar to the following is displayed, the SSLv3 protocol has
been disabled.
U2000 proxy has been disabled sslv3 version.
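The three follow-up checks above can be collected into one pass/fail result per server. The following is an added example, not a tool shipped with the U2000: it classifies captured output of the three query commands using only the message strings quoted above and treats any other output as unknown, which fails the audit. The function names and the one-file-per-check layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide.
# Capture each check's output into DIR first, for instance:
#   ssl_adm -cmd querySSLv3 -file /opt/oss/server/etc/ssl/option.xml > DIR/option_xml.out 2>&1
#   /opt/oss/server/3rdTools/ftp/files/setSSLForFtpSvr.sh querySSLv3 > DIR/ftp.out 2>&1
#   ./ProxySSLV3Adm.sh query                                         > DIR/proxy.out 2>&1

# sslv3_state: read one tool's output on stdin; print disabled, enabled or unknown.
# "enabled" is tested first so that mixed output is never reported as disabled.
sslv3_state() {
    ss_out=$(cat)
    case $ss_out in
        *"SSLv3 protocol is enabled"*) echo enabled ;;
        *"SSLv3 protocol is disabled"*) echo disabled ;;
        *"U2000 proxy has been disabled sslv3 version"*) echo disabled ;;
        *) echo unknown ;;   # error text, empty output, or a message not quoted in the guide
    esac
}

# sslv3_audit DIR: print one line per captured check; return 0 only if every
# check reports disabled (unknown counts as a failure).
sslv3_audit() {
    sa_rc=0
    for sa_f in "$1"/*.out; do
        if [ ! -e "$sa_f" ]; then
            echo "sslv3_audit: no captured output in $1" >&2
            return 2
        fi
        sa_state=$(sslv3_state < "$sa_f")
        printf '%-20s %s\n' "$(basename "$sa_f" .out)" "$sa_state"
        [ "$sa_state" = disabled ] || sa_rc=1
    done
    return $sa_rc
}
```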
Context
- After the TLSv1.0 protocol is disabled, the U2000 server cannot be connected using the
TLSv1.0 protocol.
- For details about how to disable the SSLv3 protocol, see 8.14 Disabling the SSLv3
Protocol Used on the U2000.
Procedure
- To disable TLS 1.0 from the U2000 client, set the following parameters:
a. Open Internet Explorer and choose Tools > Internet Options.
b. In the Internet Options dialog box, click the Advanced tab.
c. Deselect Use TLS 1.0, and select Use TLS 1.1 and Use TLS 1.2.
d. Click OK.
- To disable TLS 1.0 from the U2000 server, contact Huawei technical support.
----End
Context
- For NodeBs (except the NodeB where the local Web LMT is not installed and that
supports built-in Web LMT), CBSCs, UGWs and some core network NEs (for example,
CAS9910, CHLR-DC, FIXMGW, FMCMGW, HLR, HLR-DC, HLR-SC, IWF, MGW,
MSCServer, MiniMGW, SAEGW, SE2600, SG7000, SOFTX3000, SPS, rMSCSvr), you
must enable the proxy service ACL function before setting the proxy service ACL.
- After the proxy service ACL function is enabled, if you do not set the proxy service ACL
control item, the proxy login will fail.
- In a new installation scenario and in an upgrade scenario, the proxy service ACL
function is disabled by default.
Procedure
Step 1 Log in to the U2000 server as user ossuser in SSH mode using PuTTY. In the
non-single-server system, the operation needs to be performed only on the active node or
master node.
Step 2 Run the following commands to check the proxy service ACL status:
~> cd /opt/oss/server/rancn/tools/ProxyTools/
- If information similar to the following is displayed, the proxy service ACL function is
disabled.
ACL-Control of U2000 proxy has been disabled
- If information similar to the following is displayed, the proxy service ACL function is
enabled.
ACL-Control of U2000 proxy has been enabled
Step 3 If the function is in the expected status, no further action is required. Otherwise, proceed with
the following steps.
Step 4 Enable or disable the proxy service ACL function based on your requirements.
- If you need to enable this function, run the following command:
~> ./ProxyACLAdm.sh enable
If information similar to the following is displayed, the proxy service ACL function is
enabled.
Enable proxy ACL-Control...
Enabled ACL-Control of U2000 proxy successfully,it will take effect after
restart NeUserService...
Step 5 Run the following commands to restart the NeUserService for the settings to take effect.
~> . /opt/oss/server/svc_profile.sh
----End
Context
Configure the DH key length for all DS services (-Djdk.tls.ephemeralDHKeySize=2048).
NOTICE
The DH key length can be set only for DS services running on the JRE1.8. After the DH key
length is set, the U2000 client running on a JRE earlier than JRE1.8 cannot use DS services
for upgrade.
Procedure
Step 1 Log in to the U2000 server as user ossuser in SSH mode using PuTTY. In the non-single-
server system, the operation needs to be performed only on the active node or master node.
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
The DS service supports multiple instances. The configuration file is DesktopServicexxxxsvc.xml. xxxx
indicates the DS service number. The first two digits indicate the host number, and the last two digits indicate
the DS service number on the host.
Before modification:
<param name="args">-Xrs -Dds.config.home=D:/oss/server/etc/ds/cfg -DprocID=9999 -DprocHandle=1 -Xms8m -Xmx512m -XX:+UseSerialGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=40 -XX:PermSize=22m -XX:MaxPermSize=64m -Xverify:none -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djava.library.path=D:/iMAP/server/ds/lib -jar D:/iMAP/server/ds/lib/launcher.jar</param>
After modification:
<param name="args">-Xrs -Dds.config.home=D:/oss/server/etc/ds/cfg -DprocID=9999 -DprocHandle=1 -Xms8m -Xmx512m -XX:+UseSerialGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=40 -XX:PermSize=22m -XX:MaxPermSize=64m -Xverify:none -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048
Step 6 Run the following commands to import the modified configuration file to the database:
# SettingTool -cmd import -file DesktopServicexxxxsvc.xml
# svc_adm -cmd reload
Step 7 Restart all DS services.
1. Log in to all U2000 servers as user ossuser in SSH mode using PuTTY.
2. Run the following command to check DS services on the current server:
~> svc_adm -cmd status
Service Agent: ds0101_agent [1 service(s)] pid: 20914
DesktopService0101 [running ]
----End
The U2000 server supports three communication modes: common, Secure Sockets Layer
(SSL), and both. Clients support two communication modes: common and SSL. The clients
can successfully connect to the server only when the communication modes are consistent
between the clients and server. The security of the SSL mode is higher than the security of the
common and both modes. The default communication mode on the server is SSL. The client
must connect to the server in SSL mode.
If the communication mode of the U2000 is SSL or both, but a specified set of certificates
(including the identity certificate, trust certificate, and CRL) is required, you must replace the
digital certificates.
9.7 Updating Certificates
In SSL or both communication mode, if identity certificates expire, you need to update them;
if another trust certificate authority (CA) is trusted or the CA issues new certificate revocation
lists (CRLs), you need to update trust certificates or CRLs.
Context
NOTICE
Before switching the communication mode of the server, U2000 services need to be stopped,
resulting in OSS service interruption.
- When the client performs communication with the server in SSL mode, you need to
deploy certificates on the server and client, respectively. After deploying certificates for
the client, you need to restart the client and enable the client to log in to the server in
SSL mode. The client cannot log in to the server in common mode.
- Exercise caution when using the common mode because the common mode has security
risks.
- For details about how to learn the current communication mode of the server, see 9.5.2
Querying the Communication Mode of the Server.
Switching Scenarios
Switching scenarios vary depending on operation and maintenance phases. For details about
deployment scenarios, see the corresponding commissioning guide. For details about routine
maintenance scenarios, see Table 9-1.
NOTE
Huawei preset certificates are used only in commissioning scenarios. To improve data security, apply for
certificates from an official authority and replace the preset certificates.
In routine maintenance, to switch to the common mode, follow the instructions provided in
9.5.5 Switching the Communication Mode of the U2000 Server. To switch to the SSL or
both mode, follow the instructions provided in the following table.
Table 9-1 Maintenance scenarios for switching to the SSL or both mode
Is Server Certificate Update Required? | Is Client Authentication Required for the Server? | Change of the CA Granting Certificates to Clients | Operation
Certificate Authority
A certificate authority (CA) issues digital certificates. The CA has digital certificates to
authenticate itself and other certificate owners. When issuing a digital certificate to a device,
the CA writes a digital signature to the certificate using its own certificate and users can
verify the digital signature using the digital signature of the CA to ensure that the digital
certificate is not modified.
Trust Certificates
Trust certificates are a set of CA digital certificates. Only the digital certificates issued by the
CAs in a trust certificate are valid. If the OSS servers use certificates issued by CAs in the
trust certificate, clients trust these OSS servers.
Concept
The Secure Sockets Layer (SSL) protocol encrypts and decrypts data and authenticates the
communicating entities. In addition, it ensures security and data integrity for network
communication on the transport layer.
Functions
A security channel is established between the client and server to ensure secure and effective
communication. The SSL functions are as follows:
- Data confidentiality: Both parties obtain encrypted private keys after negotiating using a
handshake protocol and transfer encrypted messages. A single-key encryption algorithm
is used, such as Advanced Encryption Standard (AES).
- Identity authentication: Both parties use an asymmetric algorithm, such as the
Rivest-Shamir-Adleman (RSA) algorithm, to authenticate each other.
- Data integrity: A hash algorithm, such as secure hash algorithm (SHA) or message
digest algorithm 5 (MD5), is used to generate message digests and message
authentication codes (MACs). Transmitted data includes digital signatures, which ensures
data integrity.
1. The SSL client and server establish security capabilities by sending connection requests.
2. The SSL client and server transfer their digital certificates to authenticate their identities.
3. The SSL client and server negotiate and choose a symmetric encryption plan for
communication.
4. The SSL client and server complete handshake and start to communicate with each other.
Certificate Environment
Generally, CAs are located at various levels. Assume that the certificates used on the U2000
server and client are issued by a level-2 CA. Figure 9-2 shows the hierarchy of CAs.
Table 9-2 describes the file names of various levels of certificates that users must obtain
based on the relationships shown in Figure 9-2.
NOTE
Currently, the U2000 uses the digital certificate preconfigured by Huawei, and the digital certificate is
used only in commissioning scenarios. The U2000 supports the replacement of a digital certificate.
Apply to an authority institute for a digital certificate and replace the digital certificate preconfigured by
Huawei with the new digital certificate.
The certificates obtained by the user can be renamed according to Table 9-2. The deployment tool of the
U2000 has no special requirements on the certificate names. Different file name extensions stand for
different certificates:
- .cer: Identity certificate. Generally, it works with a .pem key file.
- .p12: Identity certificate of the PKCS#12 (a single file in PFX format) type. The .p12 contains the
certificate file and key file, and is saved with a password. Before using this type of device certificate,
you must obtain the corresponding password.
- .crl: Certificate revocation list. The file lists the identity certificates to be revoked.
The identity certificates in .cer format and CRL files in .crl format of the CAs (including rootCA,
subCA1, and subCA2) are trustworthy. These identity certificates and CRLs issued by the CAs must be
respectively added to the trust certificate list and CRL on the U2000 server and client.
Preparing Certificates
When the U2000 client performs communication with the server in SSL mode, deploy
certificates for the U2000 client and server respectively in advance. Otherwise, services
cannot run. Table 9-3 lists the certificates to be deployed.
NOTE
The directories for storing certificates on the server and the client listed in this section are fixed. Files or
folders not listed below may exist in the preceding paths depending on services managed by the U2000.
| certificateConfig.xml
| cipherSuiteConfig.xml (The directory for storing certificates on the client
does not contain the file.)
| client_option.xml
| commini.dtd
| option.xml
|
|--crl
| |--DER
| |--PEM
| |--revoke.crl
|
|--cross (The directory for storing certificates on the client does not contain
the node.)
| |--DER
| |--PEM
| |--cross.cer
|
|--keyStore
| |--DER
| |--PEM
| |--server.cer
| |--PFX
| |--server.p12 (client.p12)
|
|--privatekey (The directory for storing certificates on the client does not
contain the node.)
| |--DER
| |--PEM
| |--server_key.pem
|
|--trust
|--DER
|--PEM
|--trust.cer
certificates, which are used in commissioning scenarios. To improve data security, apply for
certificates from official authority and replace the preset certificates.
Context
NOTICE
Before switching the communication mode of the server, U2000 services need to be stopped,
resulting in OSS service interruption.
- When the client performs communication with the server in SSL mode, you need to
deploy certificates on the server and client, respectively. After deploying certificates for
the client, you need to restart the client and enable the client to log in to the server in
SSL mode. The client cannot log in to the server in common mode.
- Exercise caution when using the common mode because the common mode has security
risks.
- For details about how to learn the current communication mode of the server, see 9.5.2
Querying the Communication Mode of the Server.
Switching Scenarios
Switching scenarios vary depending on operation and maintenance phases. For details about
deployment scenarios, see the corresponding commissioning guide. For details about routine
maintenance scenarios, see Table 9-5.
NOTE
Huawei preset certificates are used only in commissioning scenarios. To improve data security, apply for
certificates from an official authority and replace the preset certificates.
In routine maintenance, to switch to the common mode, follow the instructions provided in
9.5.5 Switching the Communication Mode of the U2000 Server. To switch to the SSL or
both mode, follow the instructions provided in the following table.
Table 9-5 Maintenance scenarios for switching to the SSL or both mode
Is Server Certificate Update Required? | Is Client Authentication Required for the Server? | Change of the CA Granting Certificates to Clients | Operation
Context
In an ATAE cluster system, run this command on the master server only.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following command to query the U2000 communication mode:
~> . /opt/oss/server/svc_profile.sh
• If the following information is displayed, the communication mode of the server is both.
The current communication mode is both common and SSL.
• If the following information is displayed, the communication mode of the server is SSL.
The current communication mode is SSL.
The SSL mode is more secure. You are advised to use the SSL mode. For details about how to
switch the communication mode of the server, see 9.5.5 Switching the Communication
Mode of the U2000 Server.
----End
Prerequisites
The desired identity certificates, trust certificates, and CRLs are obtained. For details about
these certificates, see Table 9-3 in 9.3 Preparing Digital Certificates.
Context
• In an ATAE cluster system, run this command on the master server only.
• Re-log in to the client after deploying the certificates on the server.
NOTICE
The U2000 system has been preconfigured with a digital certificate. To improve the system
security, deploy a certificate applied from a recognized third-party certificate authority.
When SSL is enabled, the system automatically disables port 80. As a result, HTTP-based
web applications on the U2000 cannot be used. In this situation, use the HTTPS protocol. The
following applications must use the HTTPS protocol after SSL is enabled:
• Open the web page for installing the U2000 client.
http://IP address of the U2000 server/cau or https://IP address of the U2000 server/cau
• Log in to the NIC.
https://IP address of the U2000 server:31040/nic.
When you access the previous web applications in HTTPS mode, the web browser may
display a certificate error message or untrusted website message. In this situation, install
certificates for the web browser. The methods of installing certificates for different web
browsers are similar. For details, see 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a path for the certificates. In this example,
/opt/oss/server/sslcertificates is created.
~> cd /opt/oss/server
Step 3 Use the FileZilla tool to upload the certificates to the U2000 server.
For details about how to use the FileZilla tool, see 26.1.12 Transferring Files by Using
FileZilla. You must set the following information when uploading the certificates:
• User name and password: name and password of the ossuser user
• File path on the server: /opt/oss/server/sslcertificates
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Run the following command on the server to back up the certificates:
~> . /opt/oss/server/svc_profile.sh
NOTE
The path can be an absolute or relative path. The relative path is relative to /opt/oss/server. Assume that
certificates are backed up to /opt/oss/server/var/backup/deployssl/ssl.
Step 6 Run the following command to deploy certificates (identity certificate, trust certificate, and
CRL) on the U2000 server:
~> ssl_adm -cmd replace_certs -dir /opt/oss/server/sslcertificates
NOTE
In the command, var/backup/deployssl is the path to the certificate backup, which can be an
absolute or relative path. The relative path is relative to /opt/oss/server.
Step 7 Check whether the communication mode of the server needs to be switched.
• If the communication mode of the server needs to be switched, go to 9.5.5 Switching the
Communication Mode of the U2000 Server. The procedure ends.
NOTE
If the U2000 system is configured with the Trace Server independently deployed, update the
certificates of the Trace Server by referring to the Postrequisite and then switch the communication
mode of U2000.
• If the communication mode of the server does not need to be switched, go to Step 8.
Step 8 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
If the U2000 system is configured with the Trace Server independently deployed, you also
need to update the authentication certificates of the Trace Server. For details, see Updating
Authentication Certificates of the Trace Server (Cluster, ATAE) in U2000 Trace Server
User Guide (ATAE Cluster, Standalone).
Prerequisites
The trust certificate of the peer has been deployed on the U2000 server.
Context
• In an ATAE cluster system, run this command on the master server only.
• If peer authentication is enabled for the U2000 server, to allow the U2000 server to
properly communicate with multiple peers, deploy required certificates on the peers, and
deploy the trust certificates and CRLs of all the peers on the U2000 server.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 3 Run the following commands to enable the U2000 server to authenticate its communication
peer.
~> ssl_adm -cmd enableAuthPeer -app common -file /opt/oss/server/etc/ssl/option.xml
~> ssl_adm -cmd enableAuthPeer -app corba -file /opt/oss/server/etc/conf/svc_ssl.conf
~> ssl_adm -cmd enableAuthPeer -app corba -file /opt/oss/server/etc/conf/notify_ssl.conf
~> ssl_adm -cmd enableAuthPeer -app apache -file /opt/oss/server/etc/apache/conf/extra/httpd-ssl.conf
If information similar to the following is displayed, the U2000 server has been enabled to
authenticate its communication peer:
Operation succeeded.
NOTE
• The U2000 server uses the certificate (certificate of the U2000 server) under the
/opt/oss/server/etc/ssl directory to receive NE Syslog logs by default. If you use a new certificate in this
scenario, run the following command to enable peer authentication:
~> ssl_adm -cmd enableAuthPeer -app common -file Path for deploying the certificate used for the U2000 server to receive NE Syslog logs/option.xml
• The value of SSLCertPath in /opt/oss/server/etc/conf/u2ksyslogcollector_init.cfg is the path for
deploying the certificate used for the U2000 server to receive NE Syslog logs.
When the U2000 server is used as an FTP server, perform the following steps to enable the
communication peer authentication function.
Step 4 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
Check whether the U2000 server has been enabled to authenticate its communication peer.
~> . /opt/oss/server/svc_profile.sh
• If information similar to the following is displayed, the U2000 server has been enabled
to authenticate its peer set in /opt/oss/server/etc/ssl/option.xml.
The common service end authenticates the peer end in the option.xml file
under the /opt/oss/server/etc/ssl directory.
• If information similar to the following is displayed, the U2000 server is not enabled to
authenticate its peer set in /opt/oss/server/etc/ssl/option.xml.
The common service end does not authenticate the peer end in the option.xml
file under the /opt/oss/server/etc/ssl directory.
When the U2000 server is used as an FTP server, run the following command as user root to
check whether the FTP server has been enabled to authenticate its communication peer:
# /opt/oss/server/3rdTools/ftp/files/setSSLForFtpSvr.sh queryAuthPeer
• If information similar to the following is displayed, the FTP server has been enabled to
authenticate its peer:
The FTPS service end authenticates the peer.
• If information similar to the following is displayed, the FTP server is not enabled to
authenticate its peer:
The FTPS service end does not authenticate the peer.
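The status messages quoted in 9.5.2 and in the follow-up check above can be turned into a repeatable post-change check. The shell function below is an added example, not part of the Huawei guide: it reads saved command output on standard input and returns the number of findings. The function name classify_u2000_tls and the sample input are constructed; only the matched messages come from this page.

```shell
#!/bin/sh
# Added example (not from the Huawei guide). Reads saved U2000 status output on
# stdin and reports whether the server is SSL-only with peer authentication on.
# The matched messages are the ones quoted in this guide; anything else is
# treated as "not confirmed".

classify_u2000_tls() {
    # Join wrapped lines so a message split across two lines still matches.
    text=$(tr '\n' ' ' | tr -s ' ')
    findings=0

    case $text in
        *"The current communication mode is SSL."*)
            echo "OK   mode: SSL only" ;;
        *"The current communication mode is both common and SSL."*)
            echo "WARN mode: both (common mode is still enabled)"
            findings=$((findings + 1)) ;;
        *)
            echo "WARN mode: not reported as SSL"
            findings=$((findings + 1)) ;;
    esac

    # One status sentence per service end (common, FTPS, ...).
    peers=$(printf '%s\n' "$text" |
        grep -Eo 'The [A-Za-z]+ service end (does not authenticate|authenticates) the peer' || true)

    if [ -z "$peers" ]; then
        echo "WARN peer authentication: no status line found"
        findings=$((findings + 1))
    else
        while IFS= read -r line; do
            svc=${line#The }
            svc=${svc%% service end*}
            case $line in
                *"does not authenticate"*)
                    echo "WARN peer authentication: $svc service end is off"
                    findings=$((findings + 1)) ;;
                *)
                    echo "OK   peer authentication: $svc service end is on" ;;
            esac
        done <<EOF
$peers
EOF
    fi
    return "$findings"
}

# Constructed sample built from the messages quoted in this guide.
classify_u2000_tls <<'EOF' || echo "findings: $?"
The current communication mode is both common and SSL.
The common service end does not authenticate the peer end in the option.xml
file under the /opt/oss/server/etc/ssl directory.
The FTPS service end authenticates the peer.
EOF
```

A return status of 0 means SSL-only mode with every reported service end authenticating its peer.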
Context
• In SSL or both mode, deploy certificates on the U2000 server and client. Otherwise,
services cannot run. By default, the U2000 uses the Huawei preset certificates, which are
used only in commissioning scenarios. The U2000 supports certificate replacement.
Apply for certificates from an authority and replace the certificates preset by Huawei
with the certificates that are applied for.
• In common mode, you do not need to deploy certificates on the client and server. You
need to set the communication mode on the server to common and then select common
when you log in to the client.
• In an ATAE cluster system, run this command on the master server only.
• Re-log in to the client after switching the communication mode on the server.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 3 Run the following commands to switch the communication mode of the server:
• To switch the communication mode of the server to SSL, run the following command:
~> ssl_adm -cmd setmode ssl
• To switch the communication mode of the server to both, run the following command:
~> ssl_adm -cmd setmode both
• To switch the communication mode of the server to common, run the following
command:
~> ssl_adm -cmd setmode common
Step 4 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
If the U2000 system is configured with the Trace Server independently deployed in the ATAE
cluster system, and you switch the communication mode of U2000:
• If the communication mode of U2000 is consistent with that of the Trace Server, restart
the Trace Server services. For details, see section Stopping Trace Server system
Services (Cluster, ATAE) and Starting Trace Server system Services (Cluster,
ATAE) in U2000 Trace Server User Guide (ATAE Cluster, Standalone).
• If the communication mode of U2000 is not consistent with that of the Trace Server, you
need to switch the communication mode of Trace Server to ensure that they are
consistent with each other. For details, see section Querying the Communication Mode
of the Trace Server and Switching the Communication Mode of the Trace Server in
U2000 Trace Server User Guide (ATAE Cluster, Standalone).
Prerequisites
• The desired identity certificates, trust certificates, and certificate revocation lists (CRLs)
are obtained. For details about these certificates, see Table 9-3 in 9.3 Preparing Digital
Certificates.
• The client is not running.
Context
After the U2000 client is installed, the certificate is available in the corresponding path. You
can deploy the preset certificate before a new certificate is applied for. Certificate files deployed
on a client are saved in the client installation directory\client\client\style\defaultstyle\conf\ssl.
The save paths for certificate files are the same on the U2000 server. For details, see 9.4
Certificate Save Path and Naming Conventions. To improve system security, apply for and
deploy the new certificate in a timely manner.
Procedure
Step 1 Run Client installation directory\client\client\bin\CertConfigurator.bat (SUSE Linux and
Windows OS) or Client installation directory/client/client/bin/CertConfigurator.sh (Solaris
OS) to start the certificate configuration tool, as shown in Figure 9-3.
1. On the ID Certificate tab, click next to File Name, and select an identity certificate
(a .p12 file).
2. Enter the password of the identity certificate in the PFX Password text box.
NOTE
If the ID certificate of the U2000 client is selected, enter the password Changeme_123 for the
ID certificate. If another certificate is selected, enter the password based on the actual situation.
Step 3 Click the Trust Certificate tab, click Add, and select a trust certificate (a .cer file).
• If the certificate is in a correct format, the Trust Certificate tab displays the certificate
information, as shown in Figure 9-5.
• If the certificate is in an incorrect format, the message "The selected file is
not a certificate of the X509 type." is displayed.
Step 4 Click the Certificate Revocation List tab, click Add, and select a CRL (a .crl file).
• If the .crl file is in a correct format, the Certificate Revocation List tab displays the
certificate information, as shown in Figure 9-6.
• If the .crl file is in an incorrect format, the message "The contents of the
specified CRL file are incorrect." is displayed.
• After deployment, the certificates on the client are deployed in client installation directory\client\client\style\defaultstyle\conf\ssl\.
• For the directory where certificates are stored on the U2000 client, see 9.4 Certificate Save Path
and Naming Conventions.
Step 6 Start the client and check whether you can log in to the server in SSL mode. (The server has
been switched to the SSL mode or both mode.)
• If the login is successful, the client is switched to the SSL mode successfully.
• If the login fails, locate and handle the failure according to the prompt message. If the
login still fails, contact Huawei technical engineers for assistance.
----End
Context
• If you replace all digital certificates, all the digital certificates deployed before are
deleted. Prepare the specified set of certificates (including the identity certificate, trust
certificate, and CRL) before replacing the digital certificates.
• If you need to replace only some of the deployed digital certificates, perform 9.7
Updating Certificates.
Procedure
Step 1 For details about how to replace the certificates of the server, see 9.5.3 Deploying
Certificates on the U2000 Server.
Step 2 For details about how to replace the certificates of the client, see 9.5.6 Deploying Certificates
on the U2000 Client.
----End
Context
• After you update identity certificates, original identity certificates are overwritten.
• After you update trust certificates, original trust certificates are overwritten.
• After CRLs are updated, the original and new CRLs are valid. The revoked digital
certificates cannot be used in communication between the client and the server.
• If updating trust certificates or CRLs on the server, you also need to update them on the
client.
Prerequisites
The certificates and CRLs to be updated on the server are obtained. For details about these
certificates, see Table 9-3 in 9.3 Preparing Digital Certificates. You do not need to prepare
for the certificates that are not to be updated.
Context
• When updating certificates, you must provide identity certificates. If the identity
certificates do not need to be updated, use the original identity certificates.
• In an ATAE cluster system, run this command on the master server only.
• Re-log in to the client after deploying the certificates on the server.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a path for the certificates. In this example,
/opt/oss/server/sslcertificates is created.
~> cd /opt/oss/server
Step 3 Use the FileZilla tool to upload the certificates to the U2000 server.
For details about how to use the FileZilla tool, see 26.1.12 Transferring Files by Using
FileZilla. You must set the following information when uploading the certificates:
• User name and password: name and password of the ossuser user
• File path on the server: /opt/oss/server/sslcertificates
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Run the following command on the server to back up the certificates:
~> . /opt/oss/server/svc_profile.sh
NOTE
The path can be an absolute or relative path. The relative path is relative to /opt/oss/server. Assume that
certificates are backed up to /opt/oss/server/var/backup/deployssl/ssl.
Step 6 Run the following command to update certificates (identity certificate, trust certificate, and
CRL) on the U2000 server:
~> ssl_adm -cmd update_certs -dir /opt/oss/server/sslcertificates
NOTE
In the command, var/backup/deployssl is the backup path of the certificates, which can be an
absolute or relative path. The relative path is relative to /opt/oss/server.
Perform Step 6 to deploy certificates after they are restored.
If the certificates fail to be re-deployed, contact Huawei technical support engineers.
Step 7 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
• If updating the trust certificate and the CRL on the server, you also need to update them
on the client. For details about how to update the trust certificate and the CRL on the
client, see 9.7.4 Updating Certificates on the U2000 Client.
• If the U2000 system is configured with the Trace Server independently deployed, you
also need to update the authentication certificates of the Trace Server. For details, see
Updating Authentication Certificates of the Trace Server (Cluster, ATAE) in U2000
Trace Server User Guide (ATAE Cluster, Standalone).
Prerequisites
• The new trust certificate granted by the certificate authority (CA) of the peer has been
obtained.
• You have deployed certificates on the U2000 server by running the ssl_adm -cmd
replace_certs command.
Context
• When the U2000 server functions as an SSL server, enable the U2000 server to
authenticate its peer. For details, see 9.5.4 Enabling the U2000 Server to Authenticate
Its Peer.
• The new trust certificate must contain its root certificate. If the root certificate has been
deployed on the U2000 server, delete the root certificate by following the instructions
provided in 9.7.3 Deleting Trust Certificates of the U2000 Client from the U2000
Server, and then add it again.
• In an ATAE cluster system, run this command on the master server only.
• After a certificate is deployed on the server, you must log in to the client again.
• To update trust certificates of the U2000 client, delete the trust certificate that is no
longer trusted by following the instructions provided in 10.5 Deleting from the U2000
Server the Trust Certificates of the NE Sending Syslog Logs to It, and add a trust
certificate again.
• The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a directory for saving certificates. In this example, all
certificates are saved under the /opt/oss/server/certificates directory.
~> cd /opt/oss/server
NOTE
One trust certificate file can contain only one trust certificate.
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Run the following commands to add trust certificates of the U2000 client to the U2000 server.
NOTE
• In the preceding commands, /opt/oss/server/certificates is the directory for saving new trust
certificates.
• After the command is executed, all certificates in the /opt/oss/server/certificates directory are
deployed to /opt/oss/server/etc/ssl.
• For details about the certificate directory after certificates are added, see 9.4 Certificate Save Path
and Naming Conventions.
Execution result:
• If the system displays the Operation succeeded. message, the certificates have
been added successfully. Go to Step 6.
• Otherwise, the trust certificates fail to be added. If this occurs, locate the failure and then
restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
Step 6 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Prerequisites
You have run the ssl_adm -cmd addCA command to add trust certificates to the U2000
server. For details, see 9.7.2 Adding Trust Certificates of the U2000 Client to the U2000
Server.
Context
• The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
• In an ATAE cluster system, run this command on the master server only.
• After a certificate is deployed on the server, you must log in to the client again.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 3 Run the following commands to query file names and issuers of the added trust certificates of
the U2000 client.
Execution result:
• If the message No trust certificate is incrementally deployed by
running the ssl_adm -cmd addCA command. is displayed, no trust
certificate has been added by running the ssl_adm -cmd addCA command.
• If information similar to the following is displayed, the file name and issuer of the
current trust certificate are 600755ba.0 and C=CN, ST=Guangdong, L=ShenZhen,
O=Huawei, OU=CMC, CN=huawei_root, respectively. Go to Step 4.
Deployed trust certificates are as follows:
name: issuer:
600755ba.0 C=CN, ST=Guangdong, L=ShenZhen, O=Huawei,
OU=CMC, CN=huawei_root
Step 4 Run the following commands to delete trust certificates of the U2000 client from the U2000
server. The trust certificate 600755ba.0 is used as an example.
Execution result:
• If the system displays a message similar to the following, the trust certificates have been
deleted. Go to Step 5.
Operation succeeded.
• Otherwise, the trust certificates fail to be deleted. If this occurs, locate the failure and
then restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
Step 5 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Prerequisites
• The certificates and CRLs to be updated on the client are obtained. For details about
these certificates, see Table 9-3 in 9.3 Preparing Digital Certificates. You do not need
to prepare for the certificates that are not to be updated.
• The client is not running.
Context
After the U2000 client is installed, the certificate is available in the corresponding path. You
can deploy the preset certificate before a new certificate is applied for. Certificate files deployed
on a client are saved in the client installation directory\client\client\style\defaultstyle\conf\ssl.
The save paths for certificate files are the same on the U2000 server. To improve system
security, apply for and deploy the new certificate in a timely manner.
Procedure
Step 1 Run Client installation directory\client\client\bin\CertConfigurator.bat (SUSE Linux and
Windows OS) or Client installation directory/client/client/bin/CertConfigurator.sh (Solaris
OS) to start the certificate configuration tool.
Step 2 Perform the following operations to update identity certificates:
1. Click the ID Certificate tab, as shown in Figure 9-7.
2. Select a client identity certificate (a .p12 file) in File Name and enter its password in the
PFX Password text box.
NOTE
If the ID certificate of the U2000 client is selected, enter the password Changeme_123 for the
ID certificate. If another certificate is selected, enter the password based on the actual situation.
Step 6 Start the client and log in to the client in SSL mode to verify that certificates are updated
successfully.
• If the login is successful, certificates are updated successfully.
• If the login fails, certificates fail to be updated. Contact Huawei technical engineers for
assistance.
NOTE
• After deployment, the certificates on the client are deployed in client installation directory\client\client\style\defaultstyle\conf\ssl\.
• For the directory where certificates are stored on the U2000 client, see 9.4 Certificate Save Path
and Naming Conventions.
----End
When the U2000 server functions as an SSL server for communication with the U2000 client
and NEs, you are advised to enable authentication of the communication peer on the U2000
server for security concerns. After this function is enabled, you must deploy the required trust
certificates on the U2000 server to ensure normal communication.
Prerequisites
The identity certificates of NEs that need to be authenticated have been deployed.
Context
NOTICE
Before enabling authentication of the communication peer on the U2000 server, stop the
U2000 services. The U2000 services will be interrupted.
Process for Configuring the U2000 Server to Receive Syslog Logs Sent from NEs
1. Check whether the communication mode of the U2000 server is SSL or both by
following the instructions provided in 9.5.2 Querying the Communication Mode of the
Server.
– If yes, go to 2.
– If no, go to 9.5.5 Switching the Communication Mode of the U2000 Server.
2. Check whether peer authentication has been enabled for the U2000 server by following
the instructions provided in ssl_adm -cmd queryAuthPeer.
– If yes, go to 3.
– If no, go to 9.5.4 Enabling the U2000 Server to Authenticate Its Peer.
3. On the U2000 server, deploy the trust certificates and CRLs of NEs sending Syslog logs
to this server by following the instructions provided in 10.2 Deploying a Certificate for
the U2000 Server to Receive NE Syslog Logs.
NOTE
By default, the U2000 server uses the TLS protocol and the certificates of the U2000 server to
receive NE Syslog logs. The certificate is saved in the /opt/oss/server/etc/ssl directory. To prevent
the certificates from affecting each other in different scenarios, you are advised to deploy the
certificates for receiving NE Syslog logs under /opt/oss/server/etc/ssl/nelog.
Scenarios for Maintaining the U2000 Server to Receive NE Syslog Logs After
Peer Authentication Is Enabled
If the CA granting certificates to the NE is changed, you need to update the trust certificates
deployed on the U2000 server. Table 10-1 shows required operations in various scenarios.
Scenario: The CA granting certificates to the NE is not changed, and trust certificates are updated.
Operation:
• If the CAs granting certificates to the U2000 server and to the NE are the same, or are two sub-CAs in the same CA, perform the following operations:
10.3 Updating a Certificate for the U2000 Server to Receive NE Syslog Logs
• If the CAs granting certificates to the U2000 server and to the NE are different, and are not two sub-CAs in the same CA, perform the following operations:
1. Delete old trust certificates of the NE by following the instructions provided in 10.5 Deleting from the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It.
2. Add new trust certificates of the NE by following the instructions provided in 10.4 Adding to the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It.
Scenario: The server trusts a new CA granting certificates to the NE.
Operation: 10.4 Adding to the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It
Scenario: The server untrusts a CA granting certificates to the NE.
Operation: Query the file name and issuer of the trust certificate of the NE by following the instructions provided in ssl_adm -cmd queryCA.
• If the file name and issuer of the trust certificate exist, follow the instructions provided in 10.5 Deleting from the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to It.
• If the file name and issuer of the trust certificate do not exist, no further action is required.
Context
• You can query only the logs of the devices in your own domains.
• The users in the admin and Administrators groups can query device logs of all users.
Procedure
Step 1 Choose Security > NE Log Management > NE Syslog Operation Logs (traditional style);
alternatively, double-click Security Management in Application Center and choose Log
Management > NE Syslog Operation Logs (application style) from .
Step 2 In the Filter dialog box, set filter criteria and click OK.
NOTE
You can also query device logs by performing the following steps:
1. In the Filter dialog box, click Cancel.
2. In the NE Syslog Operation Logs window, click Filter.
3. In the Filter dialog box, set filter criteria and click OK. Click Reset to reset all the parameters.
Step 3 In the NE Syslog Operation Logs window, double-click a record to view the log details.
• Click a field in the column header of the query result table to sort the query results by
field.
• The white upward triangular icon indicates that you can sort the results by field. The
black upward triangular icon indicates that the results are sorted in ascending order of
the field. The black downward triangular icon indicates that the results are sorted in
descending order of the field.
• Click Device name or Access Method. Different from other table header fields, these
fields are displayed in groups. Therefore, they are not sorted in alphabetical order.
----End
Prerequisites
• You have obtained the following certificates:
– Identity certificate and key of the U2000 server: server.cer and server_key.pem or
server.p12 and its encrypted password.
– Trust certificates of an NE
– Optional: Certificate revocation list (CRL) granted by the Certificate Authority
(CA) trusted by the NE
• NE authentication has been enabled on the U2000 server. For details about how to check
whether the U2000 server authenticates the communication peer, see ssl_adm -cmd
queryAuthPeer. For details about how to enable peer authentication, see 9.5.4 Enabling
the U2000 Server to Authenticate Its Peer.
Context
• If bidirectional authentication is applied, deploy not only the trust certificates of the NE
and the CRL released by the CA trusted by the NE on the U2000 server but also the trust
certificates of the U2000 and the CRL released by the CA trusted by the U2000 server on
the NE. This section describes how to deploy the trust certificates and CRL of an NE on
the U2000 server.
• In an ATAE cluster system, run this command on the master server only.
• Re-log in to the client after deploying the certificates on the server.
• If the U2000 server needs to receive Syslog logs of multiple NEs, you must deploy all
the trust certificates of these NEs on the U2000 server. You can deploy the certificates of
a single NE on the U2000 server by following the instructions provided in this section
and deploy the certificates of other NEs by following the operations provided in 10.4
Adding to the U2000 Server the Trust Certificates of the NE Sending Syslog Logs to
It.
Procedure
Step 1 Use the PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a directory for saving certificates. In this example, all
certificates are saved in the /opt/oss/server/nelogcertificates directory.
~> cd /opt/oss/server
Step 3 Use FileZilla to upload the trust certificates, identity certificate, and CRL to the U2000 server.
For details about how to use the FileZilla tool, see How Do I Use FileZilla to Transfer Files?.
Set the following information when uploading the files:
• User name and password: name and password of user ossuser
• File path on the server: /opt/oss/server/nelogcertificates
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Run the following command to back up the deployed certificates. If no certificate has been
deployed, perform Step 6.
~> ssl_adm -cmd backup -app nelog -backpath var/backup/deployssl
NOTE
• The certificate backup path can be an absolute or relative path. The relative path is relative
to /opt/oss/server.
• In the example provided in this section, certificates are backed up to
/opt/oss/server/var/backup/deployssl/ssl/nelog.
NOTE
In the command, var/backup/deployssl is the path for saving backup certificates. The path can be
an absolute or relative path. The relative path is relative to /opt/oss/server.
After the certificates are restored, perform Step 6 to deploy the certificates again.
If the certificates still fail to be deployed, contact Huawei technical support engineers.
Step 7 Optional: If an NE supports the 2048-bit DH parameter, perform the following operations to set the parameter
length for a secure DH algorithm:
1. Run the vi command to open /opt/oss/server/etc/ssl/option.xml.
~> vi /opt/oss/server/etc/ssl/option.xml
NOTE
By default, the U2000 server uses the certificate (namely, the certificate for the U2000 server) in
the /opt/oss/server/etc/ssl directory to receive NE Syslogs. To use another certificate in such a
scenario, run the following command to open the configuration file:
~> vi Path for deploying the certificate used for the U2000 server to receive NE Syslogs/option.xml
The path for deploying the certificate used for the U2000 server to receive NE Syslogs is the value
of the SSLCertPath configuration item in /opt/oss/server/etc/conf/u2ksyslogcollector_init.cfg.
2. Change value in <PARA name="secureDHLen" value="1024"/> to 2048.
NOTE
– 1024: indicates that a DH parameter with 1024 or fewer bits is used.
– 2048: indicates that the 2048-bit DH parameter is used.
– The DH algorithm with value set to 2048 is more secure than that with value set to 1024.
3. Press Esc to switch to the command mode. Run the :wq! command to save the
option.xml file and exit.
Step 8 Modify the configuration file /opt/oss/server/etc/conf/u2ksyslogcollector_init.cfg, and
specify the path for saving the certificates used by the U2000 server to authenticate NEs.
1. Run the following command to open the configuration file:
~> vi /opt/oss/server/etc/conf/u2ksyslogcollector_init.cfg
2. Change the value of SSLCertPath to /opt/oss/server/etc/ssl/nelog.
3. Press Esc to switch to the command mode. Run the :wq! command to save
u2ksyslogcollector_init.cfg and exit the command mode.
NOTE
If you do not modify the configuration file, the U2000 server will use the deployed certificates of the
U2000 server to authenticate NEs by default. The certificate is deployed in the /opt/oss/server/etc/ssl
directory.
Step 9 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
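The following added example (not part of the Huawei guide or the U2000 tooling) checks the result of Steps 7 and 8: it resolves which option.xml is in effect from SSLCertPath and reports the secureDHLen value. The "SSLCertPath = value" line syntax, the OPTIONS root element, and the sample file contents are assumptions; only the PARA element, the item name, and the paths come from the procedure.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_CERT_DIR = "/opt/oss/server/etc/ssl"  # default certificate path (from the page)
COLLECTOR_CFG = "/opt/oss/server/etc/conf/u2ksyslogcollector_init.cfg"

# Constructed samples. The file layouts are assumptions; only the PARA element
# and the SSLCertPath item name are taken from the procedure.
SAMPLE_CFG = "# syslog collector settings\nSSLCertPath = /opt/oss/server/etc/ssl/nelog\n"
SAMPLE_FILES = {
    "/opt/oss/server/etc/ssl/nelog/option.xml":
        '<OPTIONS><PARA name="secureDHLen" value="1024"/></OPTIONS>',
    "/opt/oss/server/etc/ssl/option.xml":
        '<OPTIONS><PARA name="secureDHLen" value="2048"/></OPTIONS>',
}


def ssl_cert_path(cfg_text):
    """Return the SSLCertPath value, or the default directory when it is not set.

    Assumption: the item is written as 'SSLCertPath = <dir>' and '#' starts a comment.
    """
    for line in cfg_text.splitlines():
        match = re.match(r"\s*SSLCertPath\s*=\s*(\S+)", line.split("#", 1)[0])
        if match:
            return match.group(1).strip('"').rstrip("/")
    return DEFAULT_CERT_DIR


def secure_dh_len(option_xml_text):
    """Return the secureDHLen value from option.xml, or None if absent or invalid."""
    try:
        root = ET.fromstring(option_xml_text)
    except ET.ParseError:
        return None
    for para in root.iter("PARA"):
        if para.get("name") == "secureDHLen":
            value = para.get("value", "")
            return int(value) if value.isdigit() else None
    return None


def audit(cfg_text, read_file):
    """Locate the option.xml in effect and classify its DH parameter length.

    read_file is a callable that takes a path and returns the file text.
    """
    option_path = ssl_cert_path(cfg_text) + "/option.xml"
    try:
        dh_len = secure_dh_len(read_file(option_path))
    except OSError:
        return {"option_xml": option_path, "secureDHLen": None,
                "status": "option.xml unreadable"}
    if dh_len is None:
        status = "secureDHLen not found"
    elif dh_len >= 2048:
        status = "ok"
    else:
        status = "weak"  # 1024 means a DH parameter of 1024 or fewer bits
    return {"option_xml": option_path, "secureDHLen": dh_len, "status": status}


def read_sample(path):
    """Stand-in for reading a file on the server; serves the constructed samples."""
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def read_text(path):
    """Read a real file; pass this to audit() when running on the server."""
    with open(path, encoding="utf-8") as handle:
        return handle.read()


if __name__ == "__main__":
    # Step 8 applied, Step 7 skipped: the nelog copy of option.xml is still 1024.
    print(audit(SAMPLE_CFG, read_sample))
    # SSLCertPath not set: the default directory is used.
    print(audit("", read_sample))
```

On the server, call audit(read_text(COLLECTOR_CFG), read_text) as user ossuser after Step 8 and before Step 9.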
Prerequisites
You have obtained the following certificates:
• Identity certificate and key of the U2000 server: server.cer and server_key.pem or
server.p12 and its encrypted password.
• Trust certificates of an NE
• Optional: Certificate revocation list (CRL) granted by the Certificate Authority (CA)
trusted by the NE
Context
• When updating certificates, you must provide identity certificates. If the identity
certificates do not need to be updated, use the original identity certificates.
• In an ATAE cluster system, run this command on the master server only.
• Re-log in to the client after deploying the certificates on the server.
• To use a trust certificate granted by a new CA, you can only deploy the certificate. For
details, see 10.2 Deploying a Certificate for the U2000 Server to Receive NE Syslog
Logs.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a directory for saving certificates. In this example, all
certificates are saved in the /opt/oss/server/nelogcertificates directory.
~> cd /opt/oss/server
Step 3 Use FileZilla to upload the trust certificates, identity certificate, and CRL to the U2000 server.
For details about how to use the FileZilla tool, see How Do I Use FileZilla to Transfer Files?.
Set the following information when uploading the files:
• User name and password: name and password of user ossuser
• File path on the server: /opt/oss/server/nelogcertificates
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
NOTE
• The certificate backup path can be an absolute or relative path. The relative path is relative
to /opt/oss/server.
• In the example provided in this section, certificates are backed up to
/opt/oss/server/var/backup/deployssl/ssl/nelog.
NOTE
In the command, var/backup/deployssl is the path for saving backup certificates. The path can be
an absolute or relative path. The relative path is relative to /opt/oss/server.
After the certificates are restored, perform Step 6 to deploy the certificates again.
If the certificates still fail to be deployed, contact Huawei technical support engineers.
Step 7 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Prerequisites
• The new trust certificate granted by the certificate authority (CA) of the peer has been
obtained.
• You have deployed certificates on the U2000 server by running the ssl_adm -cmd
replace_certs command.
Context
• When the U2000 server functions as an SSL server, enable the U2000 server to
authenticate its peer. For details, see 9.5.4 Enabling the U2000 Server to Authenticate
Its Peer.
• The new trust certificate must contain its root certificate. If the root certificate has been
deployed on the U2000 server, delete the root certificate by following the instructions
provided in 10.5 Deleting from the U2000 Server the Trust Certificates of the NE
Sending Syslog Logs to It, and then add it again.
• In an ATAE cluster system, run this command on the master server only.
• After a certificate is deployed on the server, you must log in to the client again.
• To update trust certificates of the NE, delete the trust certificates that are no longer trusted
by following the instructions provided in 10.5 Deleting from the U2000 Server the
Trust Certificates of the NE Sending Syslog Logs to It, and add trust certificates
again.
• The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a directory for saving certificates. In this example, all
certificates are saved under the /opt/oss/server/certificates directory.
~> cd /opt/oss/server
For details about how to use FileZilla, see How Do I Use FileZilla to Transfer Files?. Set
the following information when uploading the files:
• User name and password: name and password of user ossuser
• File path on the server: /opt/oss/server/certificates
NOTE
One trust certificate file can contain only one trust certificate.
Step 4 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 5 Run the following commands to add trust certificates of the NE to the U2000 server.
NOTE
• In the preceding commands, /opt/oss/server/certificates is the directory for saving new trust
certificates.
• After the command is executed, all certificates in the /opt/oss/server/certificates directory are
deployed to /opt/oss/server/etc/ssl/nelog.
• For details about the certificate directory after certificates are added, see 9.4 Certificate Save Path
and Naming Conventions.
Execution result:
• If the system displays the Operation succeeded. message, the certificates have
been added successfully. Go to Step 6.
• Otherwise, the trust certificates fail to be added. If this occurs, locate the failure and then
restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
Step 6 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Prerequisites
You have run the ssl_adm -cmd addCA command to add trust certificates to the U2000
server. For details, see 10.4 Adding to the U2000 Server the Trust Certificates of the NE
Sending Syslog Logs to It.
Context
• The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
• In an ATAE cluster system, run this command on the master server only.
• After a certificate is deployed on the server, you must log in to the client again.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Stop U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 3 Run the following commands to query file names and issuers of the added trust certificates of
the NE.
~> ssl_adm -cmd queryCA -app nelog
Execution result:
• If the message No trust certificate is incrementally deployed by running the
ssl_adm -cmd addCA command. is displayed, no trust certificate has been added by
running the ssl_adm -cmd addCA command.
• If information similar to the following is displayed, the file name and issuer of the
current trust certificate are 600755ba.0 and C=CN, ST=Guangdong, L=ShenZhen,
O=Huawei, OU=CMC, CN=huawei_root, respectively. Go to Step 4.
Deployed trust certificates are as follows:
name: issuer:
600755ba.0 C=CN, ST=Guangdong, L=ShenZhen, O=Huawei,
OU=CMC, CN=huawei_root
Step 4 Run the following commands to delete trust certificates of the NE from the U2000 server. The
trust certificate 600755ba.0 is used as an example.
~> ssl_adm -cmd deleteCA -name 600755ba.0 -app nelog
Execution result:
• If the system displays a message similar to the following, the trust certificates have been
deleted. Go to Step 5.
Operation succeeded.
• Otherwise, the trust certificates fail to be deleted. If this occurs, locate the failure and
then restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
----End
This section describes how to manage and monitor the U2000 users. The users involved in the
U2000 system are Linux users, database users, OM users, and storage system users.
User admin is created by default before VCS delivery. To ensure system security, you are
advised to change its initial password during onsite commissioning based on the password
complexity requirements. For an ATAE cluster online remote HA system, you need to
perform the following steps on the active and standby sites.
11.9 Changing Passwords for Database User of FMA
This section describes how to change the password of user fmauser.
11.10 Setting Security Policies of U2000 Users
This section describes how to set the account policy of U2000 users to improve the security of the U2000.
Prerequisites
You have logged in to the U2000 server through the KVM of the OSMU as user root. For
details, see 26.1.2 Logging In to the board by Using the KVM of the OSMU.
Context
To improve security of users' passwords, set passwords based on the following rules:
• A password must contain 8 to 30 characters.
• A password must contain at least one uppercase letter.
• A password must contain at least one lowercase letter.
• A password must contain at least one digit.
• A password must contain at least one special character @%-=_.]{}
• A password must not be the same as the user name or the reverse order of the user name.
• A password cannot contain three or more consecutive characters that are the same (for
example, AAA and 111).
• The number of neighboring digits or letters is limited to four pairs.
For example, the password Changeme_121212 does not meet this complexity
requirement because 121212 has a total of five pairs of digits (12 is a pair, 21 is another
pair, and so on).
• A password must not contain any spaces.
• A password must not be one of the 12 passwords that are recently used.
NOTE
The maximum password length varies according to the operating system. To ensure compatible system
interconnection, the recommended maximum password length is 30 characters.
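One way to check a candidate password against the rules above before running passwd (an added example, not part of the Huawei guide or the U2000 tooling). The neighbor-pair rule is implemented under an assumed reading (adjacent digits or letters whose values differ by one, as in 12 and 21), and the 12-password history rule is not checked because it needs the system's password history; the function and rule names are hypothetical.

```python
import re
import string

SPECIALS = "@%-=_.]{}"    # special characters listed in the rules above
MAX_NEIGHBOR_PAIRS = 4    # "limited to four pairs"


def neighbor_pairs(password):
    """Count adjacent characters that are sequence neighbors (12, 21, ab, ba).

    Assumed reading of the "neighboring digits or letters" rule: both
    characters are digits, or both are letters (case ignored), and their
    values differ by exactly one.
    """
    count = 0
    for a, b in zip(password, password[1:]):
        both_digits = a in string.digits and b in string.digits
        both_letters = a in string.ascii_letters and b in string.ascii_letters
        if (both_digits or both_letters) and abs(ord(a.lower()) - ord(b.lower())) == 1:
            count += 1
    return count


def check_password(username, password):
    """Return the names of the violated rules; an empty list means compliant."""
    failed = []
    if not 8 <= len(password) <= 30:
        failed.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        failed.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        failed.append("lowercase")
    if not any(c in string.digits for c in password):
        failed.append("digit")
    if not any(c in SPECIALS for c in password):
        failed.append("special")
    # Same as the user name, or the user name in reverse order.
    if password in (username, username[::-1]):
        failed.append("username")
    # Three or more identical characters in a row (AAA, 111).
    if re.search(r"(.)\1\1", password):
        failed.append("repeat")
    if neighbor_pairs(password) > MAX_NEIGHBOR_PAIRS:
        failed.append("neighbor-pairs")
    if " " in password:
        failed.append("space")
    return failed


if __name__ == "__main__":
    # Changeme_121212 is the page's own counter-example; the others are constructed.
    for candidate in ("Changeme_121212", "Changeme_123", "1cmo", "AAAbcdef_1"):
        print(candidate, check_password("omc1", candidate) or "OK")
```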
Procedure
• This section takes creating user omc1 as an example. User omc1 belongs to the ossgroup
user group. The main directory /home1 is automatically created. The template files are
saved in the /etc/skel directory. The user ID is 1023. B shell is applied.
a. Run the following command to create the user:
# useradd -d /home1 -g ossgroup -m -k /etc/skel -u 1023 -s /bin/bash omc1
Parameter Description
NOTE
To list the user-defined users that have been created, you can run the following command:
# cat /etc/passwd|awk 'BEGIN {FS=":"} $3 > 499 {print $1}'
b. Run the following command to set the password for the new user:
# passwd omc1
Changing password for omc1.
----End
Prerequisites
• You have obtained the password of the desired operating system user.
• Database services are running properly.
• The U2000 software is installed successfully.
Context
NOTICE
After the password of OS user ftpuser is changed, back up OS data and dynamic data. For
detailed operations, see 21 Backing Up and Restoring the U2000. If you do not back up OS
data and dynamic data, the original data may be restored during subsequent restoration
operations, causing inconsistency between the passwords of user ftpuser recorded in the OS
data and dynamic data. As a result, some U2000 functions become invalid.
You must change the passwords of the operating system users by service system.
To improve security of users' passwords, set passwords based on the following rules:
• A password must contain 8 to 30 characters.
• A password must contain at least one uppercase letter.
• A password must contain at least one lowercase letter.
Procedure
Step 1 Perform the following operations by scenario.
If... Then...
Step 2 You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
The passwords of operating system users must be changed by service system. When you
change the passwords of the operating system users in a service system, you must verify
that all the boards in the service system are in the Active, Service Stopped, Standby,
Service Takeover or Normal state.
Step 4 In the left pane of the OSMU window, expand the Routine Maintenance navigation tree and
choose Password Management > Change OS/DB User Password.
Step 5 In the Change OS User Password area on the Change OS/DB User Password tab page in
the right pane, select the Service system for the user whose password you want to change.
Step 6 Type the User name and set its new password.
If a dialog box similar to Figure 11-1 is displayed, click No. The operation continues, and
the computer responds to your operations properly.
The OSMU will create a task for changing the password, and you can view the task execution
status in the Centralized Task Management area in the lower part of the OSMU window.
• When Status of the task is displayed as Succeeded, the password for the desired user on
all boards of the service system has been changed successfully.
• If Status of the task is displayed as Failed, contact Huawei technical support.
Step 9 If you need to change the password of user iscript or webuser, perform the following
operations:
1. Use PuTTY to log in to the U2000 master service board and standby service board as
user ossuser in SSH mode. For detailed operations, see 26.1.1 Logging In to the Board
by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
NOTE
The maximum password length varies according to the operating system. To ensure compatible
system interconnection, the recommended maximum password length is 30 characters.
# passwd username
When the system displays New Password: , enter the new password for user.
When the system displays Re-enter new Password: , enter the new password
again for user.
If the system displays the following information, the password of user has been
changed successfully:
Password Changed.
----End
Follow-up Procedure
If the password of user ftpuser is changed and the U2000 system is configured with the Trace
Server independently deployed, you also need to synchronize the configurations recorded in
the Trace Server. For details, see Synchronizing the FTP Configurations from the U2000 in
U2000 Trace Server User Guide (ATAE Cluster, Standalone).
Prerequisites
You have logged in to the U2000 server through the KVM of the OSMU as user root. For
details, see 26.1.2 Logging In to the board by Using the KVM of the OSMU.
Procedure
• Run the following command to delete a user account and the main directory of the
account:
# userdel -r user name
NOTICE
If the user has logged in to the system, you cannot run the userdel command to delete
this user.
----End
Example
Assume that user omc1 is in the system. To delete user omc1, run the following command:
# userdel -r omc1
If the system does not display any information, the user has been successfully removed. If the
system displays the following information, user omc1 has no scheduled (crontab) tasks. In this
case, ignore the information.
no crontab for omc1
Prerequisites
• The Sybase database is used for the U2000 server.
• The new database administrator and its password are available.
Context
NOTICE
• If the new user exists, perform this operation to assign database administrator rights to the
new user and change its password.
• For the multi-instance database whose default database administrator sa has been disabled
successfully, after a database instance is added, disable the database administrator sa
again.
• The new user name must meet the following requirements:
– The new user name must contain a maximum of 16 characters and start with a letter.
It contains only lowercase letters, digits, and underscores (_).
– The new user name cannot be sybuser, AutoCfg, sybase1, or probe.
• The password of the new user must meet the following requirements:
– The password must contain 8 to 30 characters.
– The first character of the password must be a letter.
– The password contains at least one uppercase letter.
– The password contains at least one lowercase letter.
– The password contains at least one digit.
– The password contains at least one special character, which can only be
~@#^*-_+[{}]:./?=%.
– The password cannot contain the case-insensitive current user name.
– The password must not be the same as the user name or the reverse order of the user
name.
– A password cannot contain three or more consecutive characters that are the same
(for example, AAA and 111).
Procedure
Step 1 If any U2000 services are running, stop them.
• Check the running status of the U2000 services. For details, see 4.1 Checking the
U2000 Service Status.
• Stop the U2000 services. For details, see 4.6 Stopping U2000 Services.
Step 3 Use PuTTY to log in to the U2000 master service board as user ossuser in SSH mode. For
details, see 26.1.1 Logging In to the Board by Using PuTTY.
~> su - root
Password: Password of root
Step 5 Run the following commands to disable the current database administrator:
1. Run the script for changing the database administrator.
# cd /opt/oss/server/rancn/tools/modifyDBAUser
# ./modifyDBAUserName.sh
NOTE
In the following part, the default Sybase database administrator sa is disabled, the new database
administrator ossdba is created, and user ossdba has all rights of user sa.
2. When the system displays the following information, enter the Sybase database server
name DBSVR1 corresponding to the U2000 master service board:
Please input database server name, "q" to quit: DBSVR1
3. When the system displays the following information, enter the name of the current
Sybase database administrator, for example, sa:
Please input the database administrator name, "q" to quit: sa
4. When the system displays the following information, enter the name of the user-defined
Sybase database administrator, for example, ossdba:
Please input the new database administrator name, "q" to quit: ossdba
5. When the system displays the following information, enter the password of the current
Sybase database administrator, for example, the password of user sa:
Please input the password of the sa user, "q" to quit:
6. When the system displays the following information, enter the password of the user-
defined Sybase database administrator, for example, the password of user ossdba:
Please input the password of the ossdba user, "q" to quit:
7. When the system displays the following information, enter the password of the user-
defined Sybase database administrator again, that is, the password of user ossdba:
Please input the password of the ossdba user again, "q" to quit:
NOTE
When the system displays information similar to the following, the Sybase database administrator has
been changed successfully.
Fri Jan 3 01:47:03 CST 2014 : Modify the sa to ossdba successfully.
When the system displays information similar to the following, the Sybase database administrator has
failed to be changed. Contact Huawei technical support engineers.
Fri Jan 3 01:47:03 CST 2014 : Modify the sa to ossdba failed.
----End
Prerequisites
• You have logged in to the OSMU using a web browser. For detailed operations, see
26.2.5 Logging In to the OSMU by Using a Web Browser.
• Database services are running normally.
Context
The password can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and the special character underscore (_). To improve password
security, you are advised to use the following password policies:
• The first character of the password must be a letter.
• The password contains at least one uppercase letter.
• The password contains at least one lowercase letter.
• The password contains at least one digit.
• The password must contain the special character underscore (_).
• The password must not be the same as the user name or the reverse order of the user
name.
• A password cannot contain three or more consecutive characters that are the same (for
example, AAA and 111).
• The password cannot be reused within one year.
• A password that is among the 20 most recently used passwords cannot be reused.
Procedure
Step 1 Perform the following operations to check the board status:
1. In the navigation tree of the OSMU in the left pane, choose Service System > Service
Management > Board Services.
2. Check the status of the board on the Board Services tab page in the right pane.
The cluster system of the same product must not be switched over. Database services
must be running normally, and the board status must be as follows:
– Status of service board must be Service Stopped, Normal, or Active.
– Status of standby service board must be Standby.
– Status of DB board and standby DB board must be Normal and Standby,
respectively.
The OSMU will create a task for changing the password, and you can view the task execution
status in the Centralized Task Management area in the lower part of the OSMU window.
• When Status of the task is displayed as Succeeded, the password of the desired user on
all boards of the cluster has been changed successfully.
• If Status of the task is displayed as Failed, contact Huawei technical support.
Step 5 In the displayed dialog box, click OK.
Table 11-2 lists the database users whose passwords can be changed using the OSMU as well
as their default passwords.
NOTICE
• The password of - in Table 11-2 indicates that the user is not created.
• If a new version is deployed through upgrade, one can keep using the previous password.
OSSTEMPDB | emsems | Changeme_123
NOTE: For V200R011 that is newly installed, the user name is OMCTEMPDB.
SMDB | emsems | Changeme_123
NOTE: For V200R011 that is newly installed, the user name is OMCSMDB.
LOGDB | emsems | Changeme_123
NOTE: For V200R011 that is newly installed, the user name is OMCLOGDB.
TOPODB | - | Changeme_123
Specify New Password in the preceding command based on the planned password
policies.
Step 7 Optional: Change the password of the northbound interface user AutoCfg.
NOTE
Perform this step only when the U2000 is accessible to the NMS and you need to change the password
of the northbound interface user AutoCfg; otherwise, skip this step.
If the system displays the following information, the password has been changed successfully:
User altered.
SQL> exit
~> exit
Step 9 Start U2000 services. For detailed operations, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
After the password of database users is changed, back up database static data and dynamic
data. For detailed operations, see 21 Backing Up and Restoring the U2000. If you do not
back up static data and dynamic data, the original data may be restored during subsequent
restoration operations, causing inconsistency between the passwords of database users
recorded in the OS data and dynamic data. As a result, some U2000 functions become invalid.
Prerequisites
• You have logged in to the OSMU through a web browser. For details, see 26.2.5
Logging In to the OSMU by Using a Web Browser.
• Database services are running normally.
Context
The password can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters. To improve password security, you are
advised to use the following password policies:
• The first character of the password must be a letter.
• The password contains at least one uppercase letter.
• The password contains at least one lowercase letter.
• The password contains at least one digit.
• The password contains at least one special character, which can only be
~@#^*-_+[{}]:./?=%.
• The password cannot contain the case-insensitive current user name.
• The password must not be the same as the user name or the reverse order of the user
name.
• A password cannot contain three or more consecutive characters that are the same (for
example, AAA and 111).
Procedure
Step 1 Perform the following operations to check the board status:
1. In the navigation tree of the OSMU in the left pane, choose Service System > Service
Management > Board Services.
2. Check the status of the board on the Board Services tab page in the right pane.
The cluster system of the same product must not be switched over. Database services
must be running normally, and the board status must be as follows:
– Status of service board must be Service Stopped, Normal, or Active.
– Status of standby board must be Standby.
– Status of DB board must be Normal.
Check whether U2000 services are running by following instructions provided in 4.1
Checking the U2000 Service Status. If the U2000 services are running, stop them by
following instructions provided in 4.6 Stopping U2000 Services.
Step 3 In the navigation tree of the main window, choose Routine Maintenance > Password
Management > Change OS/DB User Password.
Step 4 In the Change DB Password area on the Change OS/DB User Password tab page in the right
pane, change the password.
1. Set Service system to U2000 Database System.
2. Set Database user to the user whose password you want to change, and then enter the
original password and new password and confirm the new password.
3. Click Modify.
If a dialog box similar to Figure 11-3 is displayed, click No. The operation continues, and
the computer responds to your operations properly.
The OSMU will create a task for changing the password, and you can view the task execution
status in the Centralized Task Management area in the lower part of the OSMU window.
• When Status of the task is displayed as Succeeded, the password of the desired user on
all boards of the cluster has been changed successfully.
• If Status of the task is displayed as Failed, contact Huawei technical support.
Default user of the redis database (the redis database does not open this user name) | Changeme_123 |
This user is an operation user of the redis database. The redis database is installed with the
CME software. The password of the redis database user is the same as that of the Sybase
database user sybuser. If you change the password of user sybuser, the password of the redis
database user will be also changed.
Step 6 Optional: Change the password of the northbound interface user AutoCfg.
NOTE
Perform this step only when the U2000 is accessible to the NMS and you need to change the password
of the northbound interface user AutoCfg; otherwise, skip this step.
1. Use PuTTY to log in to the U2000 DB active node in SSH mode as user dbuser. For
detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to change the password of user AutoCfg:
~> isql -Sdatabase server name -UAutoCfg
Password: password of user AutoCfg
NOTE
Replace the database server name with the actual name onsite. For details about how to query the
actual database server name, see 26.1.9 Checking the Sybase Database Server Name.
1> sp_password "old password of AutoCfg user", "new password of AutoCfg user"
2> go
When the system displays Password correctly set, the password of user AutoCfg has
been changed successfully.
3. Run the following command to exit the SQL:
1> exit
Step 7 Start U2000 services. For details, see 4.5 Starting U2000 Services.
----End
Follow-up Procedure
After the password of database users is changed, back up database static data and dynamic
data. For detailed operations, see 21 Backing Up and Restoring the U2000. If you do not
back up static data and dynamic data, the original data may be restored during subsequent
restoration operations, causing inconsistency between the passwords of database users
recorded in the OS data and dynamic data. As a result, some U2000 functions become invalid.
The site power management application software uses the MySQL database. For details about
the database user and how to change the password, see section Managing MySQL Users in
iManager U2000-Site Power Management Product Documentation. You can log in to the
http://support.huawei.com website and search for the product documentation with
iManager U2000-Site Power Management Product Documentation as the keyword.
• U2000 allows you to access NEs using the U2000 server as a proxy. When accessing
NEs using the U2000 server as a proxy, you must enter the proxy user name and
password for authentication. In addition, you are advised to deploy a physical firewall
and configure security policies on the firewall to improve system security.
• The default proxy user on the U2000 is proxyuser, and the password is Changeme_123.
To increase system security, change the password of user proxyuser promptly. The proxy
user can be added or deleted as required.
Context
• For an HA system, perform the following operations on the active server only. For an ATAE
cluster system, perform the following operations on the master server only.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
~> . /opt/oss/server/svc_profile.sh
~> cd /opt/oss/server/3rdTools/apache/bin
New password:Password
If the command output is blank, the web proxy user is created successfully.
NOTE
• The variable username indicates the name of the web proxy user to be created.
• You can repeat the previous commands to create multiple web proxy users.
----End
Context
For an HA system, perform the following operations on the active server only. For an ATAE cluster
system, perform the following operations on the master server only.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to modify the proxy_users file and delete a web proxy user.
1. Run the vi command to open the proxy_users file in /opt/oss/server/etc/apache/conf.
~> vi /opt/oss/server/etc/apache/conf/proxy_users
2. Delete the line that contains the desired user name.
In the vi command mode, move the cursor to the desired line and press S to delete the
line.
3. Press Esc. Then, run the :wq! command to save the file and exit the vi editor.
----End
Context
• For an HA system, perform the following operations on the active server only. For an ATAE
cluster system, perform the following operations on the master server only.
• To improve password security, it is recommended that the following conditions for
passwords should be met:
– A password contains at least eight characters and a maximum of 255 characters.
– A password contains at least two types of the following characters: lowercase
letters, uppercase letters, digits, and special characters (spaces and ` ~ ! @ # $ % ^
& * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?).
– A password cannot be the user name or user name in reverse order.
• You are advised to change the password every month.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
~> . /opt/oss/server/svc_profile.sh
Step 3 Run the following commands to change the password of a web proxy user:
~> cd /opt/oss/server/3rdTools/apache/bin
If the command output is blank, the web proxy user password is changed successfully.
NOTE
The variable username indicates the name of the web proxy user whose password is to be changed. If the
web proxy user does not exist, a web proxy user is created.
----End
NOTE
If the user password is still the initial password when you perform operations using the SNMPv3 users,
change the password promptly to improve system security.
Prerequisites
• You have obtained the old authentication private key and encryption private key of the
SNMPv3 User.
• The U2000 server software has been installed normally.
• You have changed the authentication private key of the SNMPv3 User on the PRS server and
obtained them.
Context
The private key can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters @%-=_.]{}. To improve private key
security, please use the following private key policies:
• The private key contains at least one uppercase letter.
• The private key contains at least one lowercase letter.
• The private key contains at least one digit.
• The private key contains at least one special character.
• The key cannot be composed of duplicate character strings, for example, Te_1Te_1.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Step 3 Run the following commands to start the tool for changing the private key.
# cd /opt/oss/server/common/resourcemonitor/bin/
# ./modifyUSMvalue.sh
Step 4 Choose PRS > authpasswd, change the authentication private key of the SNMPv3 to the new
authentication private key you have obtained as prompted.
When the system displays Operation succeeded..., the authentication private key of
the SNMPv3 user is changed successfully.
Step 5 Choose privpasswd, change the encryption private key of the SNMPv3 to the new encryption
private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the encryption private key of the
SNMPv3 user is changed successfully.
Step 6 Choose Exit to exit the tool for changing the private key.
Step 7 Run the following commands to restart the ResourceMonitor process:
$ ps -ef | grep "ResourceMonitor"
ossuser 13382 1 0 07:13:20 ? 0:38 /opt/oss/server/platform/bin/ResourceMonitor -cmd start >/dev/null 2>&1
ossuser 17176 16883 0 15:32:15 pts/2 0:00 grep ResourceMonitor
In the command output, the second column of the line that contains ResourceMonitor -cmd start
displays the process ID of ResourceMonitor.
~> kill -9 13382
NOTE
In the preceding command, 13382 is the process ID of ResourceMonitor. Replace it with the actual
value.
~> . /opt/oss/server/svc_profile.sh
----End
Context
• The authentication protocol and its password, and the data encryption protocol and its
password must be consistent with those in the OSMU and AMOS. Do not change the
protocols and their passwords without notifying the OSMU and AMOS side.
• For security purposes, change the password of user v3username regularly.
• You are advised to change the password every month.
• The password must contain at least three of the following types of characters: lowercase
letters, uppercase letters, digits, and special characters. It must contain at least eight
characters.
Procedure
Step 1 Use PuTTY to log in to the master node in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
• Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
• Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, and then run the ssh command to switch to the U2000 board using the
private IP address of the board at the standby site.
~> . /opt/oss/server/svc_profile.sh
----End
Prerequisites
• You have obtained the old authentication private key and encryption private key of the
SNMPv3 user.
• The U2000 server software has been installed normally.
• You have changed the private key of the SNMPv3 user for heartbeats on the OSMU board
and obtained the new keys.
Context
The private key can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters @%-=_.]{}. To improve private key
security, please use the following private key policies:
• The private key contains at least one uppercase letter.
• The private key contains at least one lowercase letter.
• The private key contains at least one digit.
• The private key contains at least one special character.
• The key cannot be composed of duplicate character strings, for example, Te_1Te_1.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
• Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
• Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, and then run the ssh command to switch to the U2000 board using the
private IP address of the board at the standby site.
~> su - root
Password: Password of root
Step 3 Run the following commands to start the tool for changing the private key.
# cd /opt/oss/server/common/resourcemonitor/bin/
# ./modifyUSMvalue.sh
Step 4 Choose OSMU Heartbeat > authpasswd, change the authentication private key of the
SNMPv3 to the new authentication private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the authentication private key of
the SNMPv3 user is changed successfully.
Step 5 Choose privpasswd, change the encryption private key of the SNMPv3 to the new encryption
private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the encryption private key of the
SNMPv3 user is changed successfully.
Step 6 Choose Exit to exit the tool for changing the private key.
In the command output, the second column of the line that contains ResourceMonitor -cmd start
displays the process ID of ResourceMonitor.
NOTE
In the preceding command, 13382 is the process ID of ResourceMonitor. Replace it with the actual
value.
~> . /opt/oss/server/svc_profile.sh
----End
Prerequisites
• You have obtained the old authentication private key and encryption private key of the
SNMPv3 user.
Context
The private key can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters @%-=_.]{}. To improve private key
security, please use the following private key policies:
• The private key contains at least one uppercase letter.
• The private key contains at least one lowercase letter.
• The private key contains at least one digit.
• The private key contains at least one special character.
• The key cannot be composed of duplicate character strings, for example, Te_1Te_1.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following commands to start the tool for changing the private key.
# cd /opt/oss/server/common/resourcemonitor/bin/
# ./modifyUSMvalue.sh
Step 4 Choose SON Master > authpasswd, change the authentication private key of the SNMPv3 to
the new authentication private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the authentication private key of
the SNMPv3 user is changed successfully.
Step 5 Choose privpasswd, change the encryption private key of the SNMPv3 to the new encryption
private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the encryption private key of the
SNMPv3 user is changed successfully.
Step 6 Choose Exit to exit the tool for changing the private key.
In the command output, the second column of the line that contains ResourceMonitor -cmd start
displays the process ID of ResourceMonitor.
NOTE
In the preceding command, 13382 is the process ID of ResourceMonitor. Replace it with the actual
value.
~> . /opt/oss/server/svc_profile.sh
----End
Prerequisites
• You have obtained the old authentication private key and encryption private key of the
SNMPv3 user.
• The U2000 server software has been installed normally.
• You have changed the authentication private key of the SNMPv3 user on the TSP server and
obtained the new keys.
Context
The private key can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters @%-=_.]{}. To improve private key
security, please use the following private key policies:
• The private key contains at least one uppercase letter.
• The private key contains at least one lowercase letter.
• The private key contains at least one digit.
• The private key contains at least one special character.
• The key cannot be composed of duplicate character strings, for example, Te_1Te_1.
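The key policy stated above, which this guide repeats for each SNMPv3 key changed with modifyUSMvalue.sh, can be checked before the tool is started. The following shell script is an added example, not part of the guide or of Huawei's tooling; its function names are hypothetical, and it reads "composed of duplicate character strings" as "the whole key is one shorter string repeated", an assumption based on the Te_1Te_1 example.

```shell
#!/bin/sh
# Added example (not Huawei code): pre-check a candidate SNMPv3 key against the
# policy stated in this guide before entering it in modifyUSMvalue.sh.
# Function names are hypothetical.

# check_usm_key KEY
# Prints one line per violated rule and returns 0 only when every rule holds.
# The body runs in a subshell, so LC_ALL and the helper stay local to the call.
check_usm_key() (
    LC_ALL=C    # byte-exact A-Z, a-z and 0-9 ranges regardless of login locale
    key=$1
    rc=0
    fail() {
        printf '%s\n' "$1"
        rc=1
    }

    # Rule: 8 to 30 characters.
    len=${#key}
    if [ "$len" -lt 8 ] || [ "$len" -gt 30 ]; then
        fail "length is $len, must be 8 to 30 characters"
    fi

    # Rule: only digits, letters and the special characters @ % - = _ . ] { }
    # In a bracket expression "]" must come first and "-" last to be literal.
    case $key in
        *[!]A-Za-z0-9@%=_.{}-]*) fail "contains a character outside the allowed set" ;;
    esac

    # Rules: at least one character from each of the four classes.
    case $key in *[A-Z]*) ;; *) fail "no uppercase letter" ;; esac
    case $key in *[a-z]*) ;; *) fail "no lowercase letter" ;; esac
    case $key in *[0-9]*) ;; *) fail "no digit" ;; esac
    case $key in *[]@%=_.{}-]*) ;; *) fail "no special character" ;; esac

    # Rule: not composed of duplicate character strings (for example Te_1Te_1).
    # Assumption: this means the whole key is one shorter string repeated.
    # A string has that form exactly when it occurs inside itself doubled with
    # the first and last characters removed.
    if [ "$len" -gt 1 ]; then
        doubled=$key$key
        inner=${doubled#?}
        inner=${inner%?}
        case $inner in
            *"$key"*) fail "is a shorter string repeated" ;;
        esac
    fi

    exit "$rc"  # leaves only the subshell that forms the function body
)

# Read the candidate without echo so that it does not reach the terminal
# scrollback, the shell history or the process list, then check it.
prompt_and_check_key() {
    printf 'Candidate key: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r candidate
    stty echo 2>/dev/null
    printf '\n' >&2
    check_usm_key "$candidate"
    result=$?
    unset candidate
    return "$result"
}

# Interactive use: sh check_usm_key.sh --prompt
if [ "${1:-}" = "--prompt" ]; then
    prompt_and_check_key
    exit $?
fi
```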
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following commands to start the tool for changing the private key.
# cd /opt/oss/server/common/resourcemonitor/bin/
# ./modifyUSMvalue.sh
Step 4 Choose TSP > authpasswd, change the authentication private key of the SNMPv3 to the new
authentication private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the authentication private key of
the SNMPv3 user is changed successfully.
Step 5 Choose privpasswd, change the encryption private key of the SNMPv3 to the new encryption
private key you have obtained as prompted.
Old key: old key
When the system displays Operation succeeded..., the encryption private key of the
SNMPv3 user is changed successfully.
Step 6 Choose Exit to exit the tool for changing the private key.
In the command output, the second column of the line that contains ResourceMonitor -cmd start
displays the process ID of ResourceMonitor.
NOTE
In the preceding command, 13382 is the process ID of ResourceMonitor. Replace it with the actual
value.
~> . /opt/oss/server/svc_profile.sh
----End
Prerequisites
• You have obtained the new password for user admin of the VCS.
• The communication between the PC and the OSMU board is normal.
Context
To improve security of users' passwords, set passwords based on the following rules:
• A password must contain 8 to 30 characters.
• A password must contain at least one uppercase letter.
• A password must contain at least one lowercase letter.
• A password must contain at least one digit.
• A password must contain at least one of the special characters @ % - = _ . ] { }
• A password must not contain the special character \ or spaces.
• A password must not be the same as the user name or the reverse order of the user name.
• Do not reuse any of the 12 most recently used passwords.
Procedure
Step 1 Type the following website in the Address bar of the browser on the PC and press Enter.
Then, log in to the OSMU as an OSMU web user.
https://<public IP address of the OSMU server>:30088/osmu or https://<private IP address
of the OSMU server>:30084/osmu
NOTE
• The OSMU server has a private IP address and a public IP address. When you log in to the OSMU
by using the private IP address of the OSMU server, the PC must be connected to the base network
port on the RTM of the switching board through a network cable. You are advised to log in to the
OSMU by using the private IP address of the OSMU server only in scenarios where the public IP
address of the OSMU server is not set or when a network failure occurs. For details about the IP
address planning of the OSMU server, see 27.3 Default Host Names and IP Addresses of
Boards.
• If the OSMU login window is not displayed after you type the preceding website in the address bar
of the browser and press Enter, perform the following operations:
– If you use Internet Explorer to access the OSMU, perform the operations described in 26.2.1
Setting Internet Explorer. If the problem persists, perform the operations described in
26.1.4 Starting the OSMU Service.
– If the OSMU login window is not displayed after you use Mozilla Firefox to access the
OSMU, perform the operations described in 26.1.4 Starting the OSMU Service.
• If a message indicating that the website is insecure is displayed on the browser after login to the
OSMU, solve the problem by referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Step 2 In the left pane of the OSMU window, expand the Device Management navigation tree and
choose Hardware Device > Board.
On the Board tab page in the right pane, the boards whose Cluster Name values are the same
belong to the same cluster.
NOTICE
If the standby OSMU board is deployed, a board whose Cluster Name is OSMUCluster
exists on the Board tab page. When this occurs, do not record the private IP address of this
board and do not perform this operation.
Step 4 Log in to the OSMU board as user osmuuser in SSH mode using PuTTY. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
~> su - root
Password: Password of root
Step 6 Log in to the boards whose private IP addresses have been recorded in Step 3, and change the
password for user admin of VCS.
1. Run the following command to log in to the board:
# rpm -q VRTSvcs
– If information similar to the following is displayed, the VCS software has been
installed on the board. In this case, perform Step 6.3.
VRTSvcs-6.1.1.000-SLES11
– If information similar to the following is displayed, the VCS software has not been
installed on the board. In this case, perform Step 7.
package VRTSvcs is not installed
3. Run the following command to change the password for user admin of VCS.
# haconf -makerw
When the # prompt is displayed, the password has been changed successfully.
Step 7 Repeat Step 6 to change the password for user admin of VCS of all boards recorded in Step
3.
----End
Prerequisites
• You have obtained the old password of user fmauser.
• The FMA service is stopped. For details, see Querying and Changing FMA Service
Status in U2000 OSMU User Guide.
Context
The password can contain 8 to 30 characters, including digits 0 to 9, lowercase letters a to z,
uppercase letters A to Z, and special characters ~!@#$%^&*()_+}[]{?/<>|\:,. To improve
password security, you are advised to use the following password policies:
• The first character of the password must be a letter.
• The password contains at least one uppercase letter.
• The password contains at least one lowercase letter.
• The password contains at least one digit.
• The password contains at least one special character.
• The password does not contain the user name.
• The password must not be the same as the user name or the reverse order of the user
name.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Step 2 Run the following command to switch to user root.
~> su - root
Step 3 Run the following commands to start the tool for changing the password.
# cd /export/home/tran/as/bin/script
# ./modify_db_password.sh
Enter y to change the password. When the message Finish to modify database
password. is displayed, the password is changed successfully. Enter n to cancel the
change.
Step 4 Start the FMA services. For details, see Querying and Changing FMA Service Status in U2000
OSMU User Guide.
----End
Prerequisites
• The line ending format of the blacklist.conf file in /opt/oss/server/etc/security must be
set to UNIX.
• The encoding of the blacklist.conf file must be UTF-8.
Procedure
Step 1 Log in to the U2000 server as user ossuser.
----End
Prerequisites
You have run the U2000 environment variable.
Context
The language of the login prompt message depends on the language of U2000 applications on
the server. That is, if the language of U2000 applications on the server is English, the message
displayed on the client is in English.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 3 Modify the configuration item to enable the login prompt message function.
1. Find IMAP_smsvc.xml in /opt/oss/server/etc/conf.
2. Open IMAP_smsvc.xml by using the text editor.
3. Search for the configuration item lawParam in IMAP_smsvc.xml.
4. Set the value of <param name="Open"></param> to YES.
Step 4 Run the following commands to import the IMAP_smsvc.xml configuration file into the
database:
~> . /opt/oss/server/svc_profile.sh
Step 5 Stop U2000 services. For details, see Stopping U2000 Services.
Step 6 Start U2000 services. For details, see Starting U2000 Services.
----End
Follow-up Procedure
• The login prompt message is displayed when you log in to the U2000 client next time.
• If you set the login prompt message function on the server, the login prompt message is
displayed when you log in to the U2000 client.
11.10.3 Setting Display of the Last Login User Name in the Login
Dialog Box
This topic describes how to set display of the last login user name in the U2000 client login
dialog box. The function of hiding the name of the last login user reduces the risks of user
name divulgence, enhancing the security of the U2000 system.
Context
• If you set the parameters for this function on the server, the settings take effect for all
clients connected to the current server.
• If you set the parameters for this function on the client, the settings take effect only for
the current client.
• If the settings on the server and those on the client conflict, the settings on the server
take effect.
Procedure
• Two methods are provided for not displaying the name of the last login user in the login
dialog box.
Method one: For the name of the last login user on any of the clients connected to the
U2000 server, perform the following steps. In a non-single-server system, you need to
perform related operations only on the active or master server.
a. Use the text editor to open the smconf.xml file in /opt/oss/server/etc/conf.
b. In the smconf.xml file, change the value of the configuration item
NotShowLastLoginNameFlag to 1.
NOTE
Method two: For the name of the last login user on the current U2000 client. The setting
takes effect for only the current client. Perform the following steps. In the non-single-
server system, you need to perform related operations only on the active or master server.
a. Use the text editor to open the smconf.xml file in /opt/oss/server/etc/conf.
b. In the smconf.xml file, change the value of the configuration item
NotShowLastLoginNameFlag to 0. For details about parameters, see Note in step
b in method one.
This section describes how to manage the file systems and disks on the U2000 server.
In the ATAE cluster system, the U2000 is deployed on service boards and the U2000
database is deployed on DB boards.
Unless otherwise specified, in the ATAE cluster system, the directory structure of the U2000
server software is the same on the master node, the standby node, and each slave node. For
details on the directory structure of the U2000 server, see Table 12-1.
Table 12-1 Directories for storing the U2000 server software (service boards)
Directory Description
Prerequisites
• You have logged in to the U2000 client.
• You are authorized to clear the U2000 databases.
Context
• Dump conditions can be set according to the following aspects: execution type,
execution time, and file saving format.
• After data is dumped, the following data is saved as files in the default directory for
saving dumped data of the U2000 server and removed from the databases:
Procedure
Step 1 Dump the alarm and event logs in the fmdb database.
1. On the GUI of the U2000 client, choose Maintenance > Task Management (traditional
style); alternatively, double-click System Management in Application Center and
choose Task Schedule > Task Management (application style).
The Task Management window is displayed.
2. In the left pane of the Task Management window, choose Alarm/Event Log Dump
under the Database Capacity Management node from the Task Type navigation tree.
3. Select a task in the right pane of the Task Management window, and then click
Attribute.
4. In the Attribute dialog box, set the dump parameters. Then, click OK.
Step 2 Dump the operation logs in the logdb database.
1. On the GUI of the U2000 client, choose Maintenance > Task Management (traditional
style); alternatively, double-click System Management in Application Center and
choose Task Schedule > Task Management (application style).
The Task Management window is displayed.
2. In the left pane of the Task Management window, choose Operation Log Dump under
the Database Capacity Management node from the Task Type navigation tree.
3. Select a task in the right pane of the Task Management window, and then click
Attribute.
4. In the Attribute dialog box, set the dump parameters. Then, click OK.
Step 3 Dump the system logs in the logdb database.
1. On the GUI of the U2000 client, choose Maintenance > Task Management (traditional
style); alternatively, double-click System Management in Application Center and
choose Task Schedule > Task Management (application style).
The Task Management window is displayed.
2. In the left pane of the Task Management window, choose System Log Dump under the
Database Capacity Management node from the Task Type navigation tree.
3. Select a task in the right pane of the Task Management window, and then click
Attribute.
4. In the Attribute dialog box, set the dump parameters. Then, click OK.
Step 4 Dump the security logs in the logdb database.
1. On the GUI of the U2000 client, choose Maintenance > Task Management (traditional
style); alternatively, double-click System Management in Application Center and
choose Task Schedule > Task Management (application style).
The Task Management window is displayed.
2. In the left pane of the Task Management window, choose Security Log Dump under
the Database Capacity Management node from the Task Type navigation tree.
3. Select a task in the right pane of the Task Management window, and then click
Attribute.
4. In the Attribute dialog box, set the dump parameters. Then, click OK.
----End
Context
During the routine operation and maintenance, back up and delete the following files to
release more disk space:
• Files storing information about NEs and the U2000 server
• Software upgrade package and decompressed files
• Trace logs
• Backup files
• Temporary files created during system operations
NOTICE
You can delete files when the server is running. Before deleting files, run the ls -l command to
check the date when the files are generated. Do not delete the files generated on the current
day.
Procedure
Step 1 Export the files that store information about NEs and the U2000 server, and back up the files
to a tape.
• Files generated during automatic alarm dump
Alarm dump files are stored in the /opt/oss/server/var/ThresholdExport/FM directory.
• User log files
User log dump files are stored in the /opt/oss/server/var/userlogs directory.
• Core files generated by the system
Core files are stored in the /opt/oss/server/var/logs/ directory.
• Historical trace files
Historical trace files are stored in the /opt/oss/server/var/logs/tracebak/ directory.
Step 2 Delete the software update package and the decompressed files.
After the software is successfully upgraded, you can delete the original upgrade package and
the decompressed files. The upgrade package and decompressed files are stored in the folder
named after the patch in the /export/home directory.
NOTICE
Generally, the decompressed upgrade files are stored in the /export/home directory. The
folder for saving the decompressed upgrade files is named after the patch. Sometimes, the
folder is created in the /export/home/bak directory.
NOTICE
Backup trace files are used for locating and analyzing problems. Reducing the value in
tracebackupnum reduces the number of backup trace files, which may make problem
location and analysis inconvenient.
----End
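The date check required by the NOTICE in this procedure can be run as a listing pass over the dump directories before anything is removed. The following shell script is an added example, not part of the guide or of the U2000 software; the function names and the DAYS argument are hypothetical, and the script only lists files.

```shell
#!/bin/sh
# Added example (not part of the U2000 software): list cleanup candidates in the
# dump directories named in this section. Listing only; nothing is deleted.
# Function names and the DAYS argument are hypothetical.

# list_stale_files DIR [DAYS]
# Print regular files under DIR last modified more than DAYS full days ago.
# find's "-mtime +N" discards the fractional part of a file's age, so DAYS=0
# selects files at least 24 hours old: a file written today never matches.
list_stale_files() {
    _dir=$1
    _days=${2:-0}
    if [ ! -d "$_dir" ]; then
        printf 'not a directory: %s\n' "$_dir" >&2
        return 2
    fi
    case $_days in
        ''|*[!0-9]*)
            printf 'DAYS must be a non-negative integer: %s\n' "$_days" >&2
            return 2
            ;;
    esac
    # -xdev stays on one file system; without -L, find does not follow symlinks.
    find "$_dir" -xdev -type f -mtime +"$_days" -print | sort
}

# report_cleanup_candidates DAYS DIR...
# Per directory: number of candidates, then an "ls -l" style line for each one
# so that owner, size and modification date can be reviewed before deletion.
report_cleanup_candidates() {
    _keep=$1
    shift
    for _d in "$@"; do
        if [ ! -d "$_d" ]; then
            printf '%s: not present, skipped\n' "$_d"
            continue
        fi
        _n=$(list_stale_files "$_d" "$_keep" | wc -l | tr -d ' ')
        printf '%s: %s candidate file(s), DAYS=%s\n' "$_d" "$_n" "$_keep"
        list_stale_files "$_d" "$_keep" | while IFS= read -r _f; do
            ls -ld "$_f"
        done
    done
}

# Run as: sh cleanup_candidates.sh --report
# /opt/oss/server/var/logs/ is not scanned as a whole: it also contains the
# tracebak subdirectory, and the guide gives no file-name pattern for core files.
if [ "${1:-}" = "--report" ]; then
    report_cleanup_candidates 0 \
        /opt/oss/server/var/ThresholdExport/FM \
        /opt/oss/server/var/userlogs \
        /opt/oss/server/var/logs/tracebak
fi
```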
This section describes how to manage the U2000 client. The graphic user interface (GUI) on
the U2000 client supports the O&M for the NEs and enables you to monitor the U2000. You
must manage the U2000 client to ensure its proper operation.
Context
The requirements of the U2000 client for operation rights are as follows:
• The users who are authorized to install, upgrade, and uninstall the U2000 client are
Windows users. They belong to the Administrators user group.
• The users who are responsible for the routine maintenance of the U2000 client must
belong to the Users user group and have the read and write permissions on the U2000
client installation directory.
13.1 Managing Files and Disks on U2000 Clients
This section describes how to manage the file systems and disks on the U2000 clients.
13.2 Monitoring the Login Status of the U2000 Clients
This section describes how to monitor the login status of the U2000 clients (including the
LMTs which access NEs using the U2000 as a proxy). When the number of login clients
exceeds the preset maximum number of U2000 threads, you must force a user out to establish
a new connection.
13.3 Setting the Number of Clients Accessible on a PC
This section describes how to set the number of clients in the same installation directory on a
personal computer (PC) that can log in by modifying the configuration file on the U2000
client. The clients do not include the local maintenance terminals (LMTs) that access NEs
using the U2000 as a proxy.
13.4 Modifying the Date, Time, and Time Zone on the U2000 Client
This section describes how to modify the date, time, and time zone on the U2000 client that
runs the Windows operating system. This section uses the Windows 7 operating system as an
example.
The client software runs on the Windows operating system and is based on Java Virtual
Machine (JVM). The U2000 client software package contains the JVM that is compatible
with the Windows operating system.
Required disk space on the client (for reference only): F = I + T + S x N, where I refers to the
size of the initial version (about 800 MB); T refers to the temporary space for storing patches
(less than 20 MB); S refers to the size of NE mediation files (3 MB to 10 MB); and N refers
to the number of NE versions.
Table 13-1 describes the directory structure of the U2000 client software.
Directory | Description
U2000 client installation directory\cau | Directory for storing the client automatic upgrade (CAU) client software and the version, document abstract, and group information about the U2000 client. NOTE: • The CAU provides an upgrade detection mechanism that is based on the document abstract and is used to compare the document abstract on the server with that on the client. If the document abstracts are inconsistent, you need to upgrade the client. • Based on the group information, the server groups and packs all the client files deployed on the server for the client to download, install, and upgrade. Based on the group information, the client also groups and packs all client files. When these files are being downloaded, they can be compared with those files grouped and packed by the server.
U2000 client installation directory\jre | Directory for storing the JVM delivered with the U2000 client.
U2000 client installation directory\client | Directory for storing the programs for starting the client.
U2000 client installation directory\client\lib | Directory for storing the library files.
U2000 client installation directory\client\notify | Directory for storing the remote alarm notification tool.
U2000 client installation directory\client\client\bin | Directory for storing the scripts for starting the U2000 client program.
U2000 client installation directory\client\client\cbb | Directory for storing CBB files of the U2000 client.
U2000 client installation directory\client\client\configuration | Buffer directory of the U2000 client, which is generated automatically when the client starts.
U2000 client installation directory\client\client\dtd | Directory for storing DTD files of dynamic charts used on the client.
U2000 client installation directory\client\client\features | Directory for storing the feature configuration file of each subsystem of the U2000 client.
U2000 client installation directory\client\client\IviewPlugin | Directory for storing the plugin debug package of the client.
U2000 client installation directory\client\client\lib | Directory for storing the dynamic libraries shared among the U2000 client, remote alarm notification client, script framework client, and data management client.
U2000 client installation directory\client\client\plugins | Directory for storing the configuration file of each subsystem of the U2000 client as a plug-in.
U2000 client installation directory\client\client\style | Directory for storing client configuration files.
U2000 client installation directory\client\client\tmp | Directory for storing client temporary files, which can be cleaned up.
U2000 client installation directory\client\client\tools | Directory for storing the tools invoked by the U2000.
U2000 client installation directory\client\client\installflag | Directory for storing the file that records the installed components. If you deploy the latest version by upgrading the system, the directory is not generated. If you deploy the latest version by installation, the directory is generated.
U2000 client installation directory\uninstall | Directory for storing the uninstall program.
U2000 client installation directory\client\client\USBProtector | Directory for storing the file protection tool. The tool is used to encrypt specified files or files in specified directories or protect the file integrity.
U2000 client installation directory\client\client\report | Default directory for storing exported files on the client.
The U2000 system provides some tools to enhance the U2000 function. For details about the
types and application scenarios of the tools, see Table 13-2.
iSStar Tool (Offline) | Choose Start > All Programs > iManager U2000 Client > iSStar Tool (Offline). Run U2000 client installation path\client\script\bin\Run_iScript_global.bat. | The iSStar is a secondary development platform for users to extend the operation and maintenance of the service functions. Users can perform secondary development in the iSStar secondary platform as required. The iSStar mainly applies to scenario that requires operations in batches or routine and automatic execution.
Antenna Management | Start the Internet Explorer, type https://IP address of the U2000 server:31040/ams or http://IP address of the U2000 server:31038/ams, and then press Enter. | • By using the antenna attribute management function provided by the U2000 system, you can remotely manage the ALDs of a site in a centralized manner. Therefore, OM costs are reduced. • The U2000 system can detect a faulty antenna based on the fault detection algorithm. This facilitates site maintenance. Compared with traditional troubleshooting methods, the antenna fault detection function can significantly reduce site maintenance costs.
NIC Tool | On the browser, enter http(s)://IP address of the U2000 server/nic or https://IP address of the U2000 server:31040/nic to open the login page of Network Information Collection (NIC). | The NIC tool supports NE management, scenario management, and task management functions. NOTE: You can use http(s)://Server IP address/nic to access the login window of the NIC only when the OSS server is in the both or common communication mode.
U2000 Remote Notification Manager | Choose Start > All programs > iManager U2000 Client > U2000 Remote Notification Manager. | The remote notification service can send the alarms to users by ways of short messages or emails in time.
USB Protector Tool | Choose Start > All Programs > iManager U2000 Client > Start USB Protector Tool. | The USB protector tool can encrypt or protect the integrity of the NE files saved in USBs.
U2000 Data On-line Analysis Tool | Choose Start > All Programs > iManager U2000 Client > U2000 Data On-line Analysis Tool. Run U2000 client installation directory\client\client\bin\omcDOA.bat. | The U2000 Data On-line Analysis Tool is a sub-function of U2000 performance management. It offers data analysis and detection functions.
U2000 Log Information Collector | Choose Start > All Programs > iManager U2000 Client > U2000 Log Information Collector. Run U2000 client installation directory\client\client\bin\omcDiagnosis.bat. | If the client cannot be logged in properly, use the U2000 Log Information Collector to collect and analyze U2000 client logs. You can rectify the client login failure based on the analysis result. If the problem persists, contact Huawei technical support to analyze the collected information.
Re-parenting NodeB NEs | Run U2000 client installation directory\client\client\bin\omcNodebmove.bat. | This script is used for reparenting NodeBs.
Client uninstallation | Choose Start > All Programs > iManager U2000 MBB Client > Uninstall Client. Run U2000 client installation directory\uninstall\uninstall.bat. | This application is used to uninstall the U2000 client.
U2000 client | Run U2000 client installation directory\client\client\bin\omcClient.bat. | This application is used to log in to the U2000 client.
iView bundle startup application | Run U2000 client installation directory\client\client\IviewPlugin\IviewPluginRun.bat. | This application is used to start iView in bundle mode.
Log Query Tool | Run U2000 client installation directory\client\logreview\startup_logreview_global.bat. | If many log files have been dumped or exported, it is difficult for users to quickly find the log files they want. This tool helps users quickly find the log files they want and therefore facilitates problem identification.
Context
NOTICE
You can delete the files when the client is running. Do not delete the files generated on that
day.
Procedure
l Delete the trace logs.
Delete the historical trace logs saved in the U2000 client installation directory\client
\client\tracefile directory. It is recommended that you preserve the trace logs generated
during the latest two weeks.
----End
Prerequisites
Before monitoring the U2000 clients, ensure that you are authorized to monitor the users.
Procedure
Step 1 Start the U2000 client and log in to the U2000 server.
Step 2 Choose Security > User Session Monitor (traditional style); alternatively, double-click
Security Management in Application Center and choose OSS Security > User Session
Monitor (application style). The User Session Monitoring dialog box is displayed.
Step 3 Click the User Session Monitoring tab to monitor all the terminals connected to the U2000
system.
Pay special attention to information such as login IP address and login time.
Step 5 If you need to force a user out, select the user, and then click Force User to Log Out.
NOTE
The user of the selected client is forced out. The users of the other clients do not exit.
The current user cannot force itself out.
----End
Prerequisites
l You have logged in to the PC as a user in the Users user group.
l The U2000 client is running properly.
Context
Ideally, a maximum of 31 U2000 clients can be started concurrently on one PC. The number
of clients in the same installation directory on a PC that can log in concurrently depends on
the performance of the PC and that of the server for login.
In the communicate.xml in the U2000 client installation directory\client\client\plugins
\com.swimap.omc.common\style\productstyle\com.swimap.corba\conf directory, value of
corba_portpool indicates the port range that the client attempts to occupy. The minimum port
number is separated from the maximum number by -. The client tests the port from the
minimum number to the maximum number. If all the ports are occupied, the system displays
an Error message. You can set the maximum number of clients started on a PC by changing
the value of corba_portpool.
Procedure
Step 1 Open the communicate.xml file in the U2000 client installation directory\client\client
\plugins\com.swimap.omc.common\style\productstyle\com.swimap.corba\conf directory.
Step 2 Find the corba_portpool field, and then change the range of the ports as required.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE COMMINIDATA SYSTEM "commini.dtd">
<COMMINIDATA>
<AREADESC areaname="communicate">
<DESC descname="communicate">
<PARAS>
<PARA name="operation" value="modify"></PARA>
<PARA name="corba_portpool" value="30500-30699"/>
</PARAS>
</DESC>
</AREADESC>
</COMMINIDATA>
NOTE
l The ports after modification cannot exceed the range from 30500 to 30699.
l When modifying the port range, ensure that the ports in this port range are enabled on the firewall.
l The ports may be used by other applications. Perform the following substeps to check the
occupation of the ports.
1. Choose Start > Run. The Run dialog box is displayed.
2. Type cmd. Then, click OK.
3. In the displayed window, run the netstat -an command to check the occupation of the ports.
----End
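The port-pool check from the steps above, as an added example that is not part of the original guide: it reads corba_portpool from communicate.xml, enforces the 30500-30699 limit, and lists which pool ports a netstat -an capture shows as occupied. The XML and netstat samples are constructed, the function names are hypothetical, and the code assumes the pool is TCP, as CORBA/IIOP normally is.

```python
import re
import xml.etree.ElementTree as ET

# Limits stated in the NOTE above: the pool must stay inside 30500-30699.
ALLOWED_MIN, ALLOWED_MAX = 30500, 30699

# Constructed sample: same structure as communicate.xml, with a narrowed pool.
SAMPLE_XML = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE COMMINIDATA SYSTEM "commini.dtd">
<COMMINIDATA>
<AREADESC areaname="communicate">
<DESC descname="communicate">
<PARAS>
<PARA name="operation" value="modify"></PARA>
<PARA name="corba_portpool" value="30500-30509"/>
</PARAS>
</DESC>
</AREADESC>
</COMMINIDATA>
"""

# Constructed sample of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:30500       192.0.2.20:31038       ESTABLISHED
  TCP    192.0.2.10:30503       0.0.0.0:0              LISTENING
  TCP    [::]:30507             [::]:0                 LISTENING
  UDP    0.0.0.0:30502          *:*
"""


def parse_portpool(value):
    """Parse 'min-max' and reject pools outside the documented limits."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not match:
        raise ValueError(f"corba_portpool is not 'min-max': {value!r}")
    low, high = int(match.group(1)), int(match.group(2))
    if low > high:
        raise ValueError(f"minimum port {low} is above maximum port {high}")
    if low < ALLOWED_MIN or high > ALLOWED_MAX:
        raise ValueError(
            f"pool {low}-{high} exceeds {ALLOWED_MIN}-{ALLOWED_MAX}")
    return low, high


def read_portpool(xml_bytes):
    """Return (min, max) from the corba_portpool PARA element."""
    root = ET.fromstring(xml_bytes)
    for para in root.iter("PARA"):
        if para.get("name") == "corba_portpool":
            return parse_portpool(para.get("value", ""))
    raise ValueError("corba_portpool not found in communicate.xml")


def tcp_local_ports(netstat_text):
    """Collect local TCP port numbers from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "TCP":
            # The local address is 'ip:port' or '[ipv6]:port'.
            port = fields[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def pool_report(xml_bytes, netstat_text):
    """Summarise the pool: its range, occupied ports and free ports."""
    low, high = read_portpool(xml_bytes)
    pool = range(low, high + 1)
    in_use = tcp_local_ports(netstat_text)
    occupied = [p for p in pool if p in in_use]
    free = [p for p in pool if p not in in_use]
    return {
        "range": (low, high),
        "occupied": occupied,
        "free": free,
        # The client tests ports from the minimum upward, so the next
        # client to start would take the lowest free port.
        "next_port": free[0] if free else None,
    }


if __name__ == "__main__":
    print(pool_report(SAMPLE_XML, SAMPLE_NETSTAT))
```

The reported range is also the exact set of ports to enable on the firewall, so a narrower pool keeps fewer ports open.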
Prerequisites
l The Windows operating system is running properly.
l You have logged in to the Windows operating system as a user of the Administrators
user group.
Context
NOTICE
Before modifying the date, time, and time zone in the Windows operating system, close the
U2000 client software. Otherwise, the U2000 client software fails to function properly.
Procedure
Step 1 Choose Start > Control Panel.
Step 2 In the Control Panel window, set View by to Large icons or Small icons. Click Date and
Time.
Step 3 In the Date and Time dialog box, click Change date and time.
NOTE
If you are prompted for an administrator password or confirmation, input the password or provide
confirmation.
Step 4 In the Date and Time Settings dialog box, select the items to be modified. After modifying the
date and time, click OK.
Item Operation
Date Set the required date in the Date area on the Date and Time Settings tab page.
Hour Set the required hour in the Time area on the Date and Time Settings tab page.
Minute Set the required minute in the Time area on the Date and Time Settings tab page.
Second Set the required second in the Time area on the Date and Time Settings tab page.
Step 6 In the Time Zone Settings dialog box, select your current time zone from the drop-down list,
and then click OK.
NOTICE
If your time zone uses the daylight saving time and you want your computer clock to be
adjusted automatically when the daylight saving time changes, make sure the Automatically
adjust clock for Daylight Saving Time check box is selected.
----End
U2000 licenses restrict the number of manageable devices, and the availability duration of the
U2000. You need to manage the licenses periodically.
When the consumption of each OSS license resource item reaches or exceeds the preset
threshold, the U2000 sends an alarm or periodically displays an Information dialog box,
reminding users to apply for or purchase a new license in a timely manner.
14.9 Reference for the U2000 License Interfaces
This section describes the references for U2000 license.
14.10 FAQs About U2000 Licenses
This topic describes how to resolve common problems occurring during U2000 license
management and solutions to them.
14.11 U2000 License Consumption Statistics Rule
This document describes the rules of collecting statistics on the consumption of U2000
license resource control items on the U2000 client.
Context
l When the period between the current day and Overflow Time of the license is less than
or equal to 30 days, the system displays a dialog box after a user logs in, prompting the
user to update the license. In addition, the system reminds the user of a license update
every 12 hours.
l If a user does not apply a new license after the license expires, the U2000 sends the
ALM-297 The OSS License Expired indicating that the license has expired. In addition,
the client periodically displays an expiration notification dialog box. Table 14-1
describes the frequency of displaying the expiration notification dialog box on the client.
Table 14-1 Frequency of displaying the license expiration notification dialog box
Duration After Expiration Frequency of Display
More than 30 days but less than or equal to 60 days    Once every 6 hours
l Assume that the permanent commercial and fixed-period license files of a product are
used simultaneously on the OSS. If the fixed-period license file enters the retention
period, the U2000 reports ALM-294 Expired OSS License File.
l If a user uses the temporary license file of a product on the OSS, the OSS displays a
dialog box indicating that the temporary license file is used after the user logs in to a
client.
Procedure
Step 1 Choose License > OSS License Management > License Information (traditional style).
Alternatively, double-click System Management in Application Center and choose License
Management > License Information (application style).
NOTE
Step 2 In the License Information dialog box, query the license information about resources and
functions on the Resource Control Item and Function Control Item tabs.
----End
Related References
14.9.1 Parameters for Querying the U2000 License
Prerequisites
l The version of the license that you applied for must be the same as the version of the
U2000.
l You have logged in as a user who belongs to the Administrators or SMManagers user
group.
Context
l When the license files are about to expire, the U2000 displays a warning periodically.
l This chapter also applies to the scenario where the license is loaded for the first time.
Procedure
Step 1 Choose License > OSS License Management > License Information (traditional style).
Alternatively, double-click System Management in Application Center and choose License
Management > License Information (application style).
Step 2 In the License Information dialog box, click Update License.
Step 4 In the Open dialog box, select a license file to be loaded and click Open.
Step 5 In the Update License wizard, click Next. Select a license update mode as required.
The OSS allows users to load the permanent commercial and fixed-period license files of a
product. The available license update modes are as follows:
l Incremental: Update product license files based on the license file type (permanent
commercial or fixed-period).
– If the fixed-period license file of a product is used on the OSS, only the permanent
commercial license file of the product can be added during the incremental update.
– If the permanent commercial license file of a product is used on the OSS, only the
fixed-period license file of the product can be added during the incremental update.
– If the permanent commercial and fixed-period license files of a product are
simultaneously used on the OSS, only one license file can be updated during the
incremental update.
NOTE
Step 6 Click Next. View the license change information in the Comparison step of the Update
License wizard and click Finish.
NOTE
You can perform the following operations to export results of comparing the original and new licenses to
a CSV file and save the file in a specified path. License comparison files can be used in maintenance
later.
1. In the Comparison step of the Update License wizard, click Export.
2. In the Save dialog box, set the export path and file name, and click Save.
----End
Follow-up Procedure
After the license file update is complete, you need to re-log in to the U2000 client for the
update to take effect.
Related References
14.9.4 Parameters for Comparing the Original License with the Updated License
Procedure
Step 1 Choose License > OSS License Management > Query License Revocation Code
(traditional style); alternatively, double-click System Management in Application Center
and choose License Management > Query License Revocation Code (application style).
Step 2 In the Query License Revocation Code dialog box, view the license SN, license revocation
code and revocation setting time.
NOTE
Step 3 Right-click the information about the revocation code and choose Copy from the shortcut
menu to copy the information.
The copied information about the revocation code can be used to apply for a license.
NOTE
You can also select the information about the queried revocation code, and then press Ctrl+C to copy
the information.
----End
Related Tasks
14.4 Revoking a License on the U2000
Related References
14.9.2 Parameters for Querying the Revocation Code of an U2000 License
Prerequisites
You have logged in as a user who belongs to the Administrators or SMManagers user
group.
Context
The Revoke License dialog box displays only available license files and does not display
revoked and invalid licenses.
Procedure
Step 1 Choose License > OSS License Management > Revoke License (traditional style);
alternatively, double-click System Management in Application Center and choose License
Management > Revoke License (application style).
Step 2 In the Revoke License dialog box, select the license that will not be used any more, and then
click Revoke License.
NOTE
----End
Result
If you revoke a license file but do not apply a new license, the U2000 displays a dialog box
every hour, prompting you to update the license. The U2000 also displays License SN,
Revocation Time, and Valid Date (indicating the date before which the revoked license can
still be used) of the license, and License File.
Related Tasks
14.3 Querying the License Revocation Code on the U2000
Related References
14.9.3 Parameters for Revoking an U2000 License
Procedure
Step 1 Choose License > OSS License Management > License Information (traditional style).
Alternatively, double-click System Management in Application Center and choose License
Management > License Information (application style).
Step 2 In the License Information dialog box, click Export License.
NOTE
l If the Resource Control Item tab page is displayed, resource control item information is exported.
l If the Function Control Item tab page is displayed, function control item information is exported.
Step 3 In the Save dialog box, set the path, file name, file type, and encoding of the export file. Then
click Save.
----End
Prerequisites
You have logged in as a user who belongs to the Administrators or SMManagers user
group.
Procedure
Step 1 Select License > OSS License Management > Export License File (traditional style);
alternatively, double-click System Management in Application Center and choose License
Management > Export License File from the main menu (application style).
Step 2 In the Export License File dialog box, select license files to be exported. Click Export.
Step 3 In the Save dialog box, set the path to save the exported license files. Click Save.
----End
Result
A dialog box is displayed, prompting the exporting result and the path to save the exported
license files.
Context
If the current license file used by the U2000 becomes invalid due to a license initialization
failure, the exporting task cannot be executed, and users need to contact Huawei technical
support to update the license.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Type navigation tree, choose File Interface > OSS License Export.
Step 3 In the task list on the right, double-click the OSS License Export task.
Step 4 In the Attributes dialog box, set the parameters on the Common Parameters and Extended
Parameters tabs, and then click OK.
----End
Procedure
Step 1 Choose License > OSS License Management > Alarm Configuration for License
Resource Item Capacity (traditional style). Alternatively, double-click System Management
in Application Center and choose License Management > Alarm Configuration for
License Resource Item Capacity (application style).
Step 2 In the Alarm Configuration for License Resource Item Capacity dialog box, set the
threshold for each resource item, and set whether to send an alarm, whether to enable timed
prompting, and the prompting interval if the consumption of the resource item reaches or
exceeds the preset threshold.
Step 3 Optional: Select one or more configured resource items and click Modify in Batches. In the
displayed Modify Alarm Configurations in Batches dialog box, set the parameters.
Step 4 Optional: Set Display to Not configured. Select one or more resource items that are not
configured and click Add in Batches. In the displayed Add Alarm Configurations in
Batches dialog box, set the parameters.
----End
Result
When the consumption of the OSS license resource item reaches or exceeds the preset
thresholds, the U2000 generates ALM-55 OSS License Consumption Reaches or Exceeds the
Preset Threshold alarm and periodically displays an Information dialog box. When the
consumption of the OSS license resource item is lower than the preset thresholds, the OSS
License Consumption Reached the Threshold alarm is automatically cleared and the
Information dialog box is not displayed any longer.
Related References
14.9.6 Parameters for Setting Alarms for U2000 License Resource Item Capacity
Buttons
Button Description
Export License Exports a license to a file on the local client for future maintenance
and use.
Parameters
Parameter Description Setting
Find
    Description: Keyword used for querying license items in the table. Enter a license keyword in the text box and click . Find supports approximate string matching.
    Setting: -
Resource
    Description: Names of authorization items.
    Setting: -
ID
    Description: Identifier of the resource control item.
    Setting: -
Capacity
    Description: Capacity of a resource control item in the license file. For example, if the license file allows a maximum of 100 online clients, 100 is the capacity value.
    Setting: -
Authorization Expiration Time
    Description: For details about Authorization Expiration Time in different license application scenarios, see Table 14-2.
    Setting: -
Consumption
    Description: Capacity consumption of a resource control item in the license file. For example, if the license file allows a maximum of 100 online clients, and 20 users have already logged in to the clients, 20 is the consumption value.
    NOTE
    For details about the rules of collecting statistics on license consumption, see U2000 License Consumption Statistics Rule Reference.
    Setting: -
Overflow Time
    Description:
    l When Resource is set to Valid Day, Overflow Time does not need to be specified.
    l When Resource is not set to Valid Day, Overflow Time indicates the time when consumption of a license authorization item exceeds its capacity.
      When consumption of the license authorization item exceeds its capacity, the U2000 reports ALM-801 OSS License Beyond Limitation.
    Setting: -
Supported
    Description: Whether the license file used by the U2000 supports this function.
    Setting: -
Authorization Expiration Time
    Description: For details about Authorization Expiration Time in different license application scenarios, see Table 14-2.
    Setting: -
The permanent commercial plus fixed-period license
    Expiration time of the license file, which is displayed as No limit.
    Expiration time of the fixed-period license. If the current system time exceeds Authorization Expiration Time of the fixed-period license, the U2000 will report ALM-51 The temporary Feature field of the OSS license file expires.
The permanent commercial and fixed-period license files
    Expiration time of the license file. The license information about the permanent commercial license file and fixed-period license file is displayed in two lines, where Authorization Expiration Time of the permanent commercial license file is displayed as No limit, and Authorization Expiration Time of the fixed-period license file is displayed as the expiration time of the specific fixed-period license file.
    Expiration time of the fixed-period license file. If the current system time exceeds Authorization Expiration Time of the fixed-period license file, the U2000 will report ALM-294 Expired OSS License File.
Related Tasks
14.1 Checking the Status of the U2000 License
Parameters
Parameter Description
License SN Description:
SN of a license file.
Related Tasks
14.3 Querying the License Revocation Code on the U2000
Buttons
Button Description
Revoke License Revokes the license that is not in use to obtain the revocation
code. You can use the code to apply for a new license.
Parameters
Parameter Description
Product Description:
Name of a product.
License SN Description:
SN of a license file.
Related Tasks
14.4 Revoking a License on the U2000
Parameters
Parameter Description
Find Description:
Keyword used for querying license items in
the table. Enter a license keyword in the
text box and click .
Find supports approximate string
matching.
ID Description:
ID of the resource control item.
Consumption Description:
Number of used licenses.
Parameter Description
ID Description:
ID of the resource control item.
Risk
    Some resources may become unavailable immediately after the license update.
    The expiration date specified by New Capacity and that specified by Current Capacity are earlier than the current system time or certain resource items are deleted.
    The new license capacity is less than the current consumption or some resource items are deleted.
Warning
    Some resources may be unavailable after the license update.
    The expiration date specified by New Capacity is later than or equal to the current system time and is earlier than the expiration date specified by Current Capacity.
    The new license capacity is greater than or equal to the current consumption but is less than the current license capacity.
Info
    A small risk is brought after the license update.
    The expiration date specified by New Capacity is later than or equal to the current system time and the expiration date specified by Current Capacity.
    The new license capacity is greater than or equal to the current consumption, and is greater than the current license capacity.
NOTE
When Resource is set to Valid Day:
l Current Capacity indicates the expiration date of the original license file. New Capacity indicates
the expiration date of the new license file.
l If two license files exist before or after the update, the system compares first the expiration dates of
the permanent commercial license files and then those of the fixed-period license files. In this case,
if Risk Level is set to Risk or Warning, the system will not compare the expiration dates of the
fixed-period license files after permanent commercial license file comparison.
Related Tasks
14.2 Loading or Updating the U2000 License
Parameters
Execution type
    Description: Specifies whether the task is a one-time task or a periodic task.
    -
Times
    Description: Number of times a periodic task is executed.
    -
NOTE
The file clearance mechanism in the export directory is implemented only if the U2000 export task has
been executed, and the number of exported logs is not 0.
Buttons
Button Description
Modify in Batches
    Select one or more configured resource items and click Modify in Batches. You can modify thresholds for the selected resource items in batches and select processing policies to be used when the consumption of the resource items reaches or exceeds the preset thresholds.
Add in Batches
    Select one or more resource items that are not configured and click Add in Batches. You can set thresholds for the selected resource items in batches, select processing policies to be used when the consumption of the resource items reaches or exceeds the preset thresholds, and set the selected resource items to be configured.
Cancel Configuration
    Select one or more configured resource items and click Cancel Configuration to set the selected resource items to be not configured.
Reset
    Restore the alarm settings for license resource item capacity to the status after the previous application modification.
Parameters
Name Description Setting
Status
    Description: Configuration status of the license resource item, including configured and not configured.
    Setting: -
Product
    Description: Name of the product that uses the license resource item.
    NOTE
    You can filter resource items by choosing the product name from the drop-down list in the upper part of the table.
    Setting: -
Resource
    Description: Name of a license resource item.
    Setting: -
ID
    Description: ID of a license resource item.
    Setting: -
Capacity
    Description: Capacity of a resource item specified in the license file. For example, if the maximum number of online clients specified in the license file is 100, the capacity is 100.
    Setting: -
Related Tasks
14.8 Setting Alarms for U2000 License Resource Item Capacity
Possible Causes
The U2000 allows the functions controlled by the license to be used during the keep-alive
period for the license, improving user experience.
NOTE
Procedure
Step 1 Contact Huawei technical support engineers to apply for a new license.
----End
Symptom
A license is revoked. As a result, the license file is deleted after the keep-alive period for the
license ends.
Possible Causes
The license has been revoked, and the keep-alive period for it has ended.
NOTE
If a license is revoked, the ESN in the license file does not match the MAC address of the server, or the fixed-
period license in the scenario of permanent commercial license and fixed-period license expires, the license
file is deleted after the keep-alive period for the license ends.
Procedure
Step 1 Choose License > OSS License Management > Query License Revocation Code
(traditional style); alternatively, double-click System Management in Application Center
and choose License Management > Query License Revocation Code (application style).
Step 2 In the Query License Revocation Code dialog box, select the queried revocation code
information, right-click, and choose Copy from the shortcut menu to copy the revocation code
information.
Step 3 Send the copied revocation code information to the Huawei technical support engineers to
apply for a new license.
----End
Symptom
When a license file whose ESN does not match the MAC address of the server replaces the
original license file to update the license, a message is displayed, indicating that the license
file fails to be checked.
Possible Causes
The ESN of the license file used by the OSS does not match the MAC address of the OSS
server, and the keep-alive period for the license has ended. Therefore, the license file fails to
be checked.
NOTE
l Keep-alive period: indicates the days during which a license can still be used when the ESN in the
substitute license file does not match the MAC address of the server, or the license has expired. After the
keep-alive period for a license ends, the license cannot be used.
l If you initially use a license file whose ESN does not match the MAC address of the server to replace the
original license file, the license is updated successfully. After the keep-alive period for the license ends,
the substitute license file becomes invalid.
l The ESN in the current license file does not match the MAC address of the server, and the keep-alive
period for the license does not end. When you use another license file whose ESN does not match the
MAC address of the server to replace the original license file, the keep-alive period for the license does
not change.
Procedure
Step 1 Obtain an ESN matching the MAC address of the server again to apply for a new license and
replace the original license file with the new one.
----End
Symptom
The OSS simultaneously uses the permanent commercial license and fixed-period license of a
product. If the permanent commercial license is revoked, no information dialog box is
displayed, prompting you to immediately update the license.
Possible Causes
If no new license is used after the permanent commercial license is revoked, the U2000
detects the license update status every hour. If the license is not updated, the U2000 displays
an information dialog box, prompting you to immediately update the license and providing
License SN, Revocation Time, Valid Date (last day when a license can still be used after it is
revoked), and License File information.
You can monitor the service status, hard disk status, database status, resource status,
component information of the U2000 server, and log information on system monitor
operations. If the Trace Server independently deployed in the ATAE cluster system or virtual
cluster system is used with the U2000, the Trace Server status can also be monitored. The
status query method is the same as that of the U2000. The U2000 monitoring parameters also
take effect on the Trace Server. Therefore, you do not need to set monitoring parameters for
the Trace Server.
Context
l The parameter Server usage sampling interval indicates the sampling interval. The
CPU and memory usage is sampled at the specified interval.
l CPU overload indicates that the CPU usage is higher than or equal to the alarm
generation threshold.
l If the CPU usage sampled each time is higher than or equal to the alarm generation
threshold, the CPU is continuously overloaded. In this case, the number of continuous
CPU overload times is equal to that of continuous sampling times.
Procedure
Step 1 Choose Monitor > System Monitor > Settings (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Settings from the main menu (application style).
Step 2 In the System Monitor Settings dialog box, click the Server Monitor tab.
Step 3 On the Server Monitor tab, set the required parameters.
The default values of Alarm Generation Threshold and Alarm Clearance Threshold, both
parameters for Swap memory usage, are 95 and 85, respectively. You are advised to use the
default values. You can perform the following operations to change their values.
1. Run the following command to view the value of Total Physical Memory.
~> cat /proc/meminfo | grep MemTotal
2. Run the following command to view the swap space size.
~> cat /proc/meminfo | grep SwapTotal
3. Use the following formulas to calculate the values of Alarm Generation Threshold and
Alarm Clearance Threshold. The parameter value is the calculation result rounded up
to an integer. For example, if the calculation result is 66.3, the parameter value is 67.
– Alarm generation threshold = (Total physical memory + 0.7 x Swap space size) /
(Total physical memory + Swap space size)
– Alarm clearance threshold = (Total physical memory + 0.6 x Swap space size) /
(Total physical memory + Swap space size)
Step 4 Click OK.
----End
Result
l If the number of consecutive times that the CPU is overloaded reaches the value
specified by Max. consecutive CPU overloads for alarm, a high CPU usage alarm is
generated. When the CPU usage sampled is lower than the alarm clearance threshold, the
high CPU usage alarm is cleared.
l When the swap memory usage is higher than or equal to the alarm generation threshold,
a high swap usage alarm is generated. When the swap memory usage is lower than the
alarm clearance threshold, the high swap usage alarm is cleared.
l When a high usage alarm is generated, the icon in the CPU Usage, or Swap Memory
Usage column changes from to on the Server Monitor tab of the System Monitor
Browser window. If you have enabled the function of displaying pop-up messages, you
will receive messages on the status bar of the client, prompting you of performance
exceptions.
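The threshold calculation from Step 3 and the alarm behaviour described in the Result list, as an added example that is not part of the original guide. It assumes the formula's ratio is multiplied by 100 to give the percentage that is entered; the /proc/meminfo text, the usage samples, the CPU threshold values and the function names are constructed for illustration.

```python
import re

# Constructed sample of /proc/meminfo content (values in kB).
SAMPLE_MEMINFO = """\
MemTotal:       65842180 kB
MemFree:         1203344 kB
SwapTotal:      33554428 kB
SwapFree:       33001200 kB
"""


def meminfo_kb(text, key):
    """Return the kB value of one /proc/meminfo field."""
    match = re.search(rf"^{re.escape(key)}:\s+(\d+)\s+kB", text, re.MULTILINE)
    if not match:
        raise ValueError(f"{key} not found in meminfo text")
    return int(match.group(1))


def swap_thresholds(meminfo_text):
    """Return (alarm generation, alarm clearance) thresholds in percent.

    Generation uses 0.7 x swap and clearance 0.6 x swap, as in Step 3.
    The result is rounded up to an integer (66.3 becomes 67). Integer
    arithmetic avoids floating-point error in the rounding.
    """
    mem = meminfo_kb(meminfo_text, "MemTotal")
    swap = meminfo_kb(meminfo_text, "SwapTotal")
    total = mem + swap
    if total == 0:
        raise ValueError("MemTotal and SwapTotal are both zero")

    def percent(tenths_of_swap):
        numerator = 100 * (10 * mem + tenths_of_swap * swap)
        denominator = 10 * total
        return -(-numerator // denominator)  # ceiling division

    return percent(7), percent(6)


def alarm_events(samples, generate_at, clear_below, max_consecutive=1):
    """Replay usage samples and return [(sample index, 'raised'|'cleared')].

    A sample at or above generate_at counts as an overload. The alarm is
    raised once max_consecutive overloads occur in a row and is cleared
    by the first sample below clear_below. For the swap alarm, which has
    no consecutive-count parameter, use max_consecutive=1.
    """
    events = []
    active = False
    streak = 0
    for index, usage in enumerate(samples):
        streak = streak + 1 if usage >= generate_at else 0
        if not active and streak >= max_consecutive:
            active = True
            events.append((index, "raised"))
        elif active and usage < clear_below:
            active = False
            events.append((index, "cleared"))
    return events


if __name__ == "__main__":
    generate_at, clear_below = swap_thresholds(SAMPLE_MEMINFO)
    print("swap thresholds:", generate_at, clear_below)
    # Constructed CPU samples with constructed thresholds 90/80 and
    # Max. consecutive CPU overloads for alarm set to 3.
    cpu = [92, 95, 60, 91, 93, 97, 88, 85, 70, 96]
    print("cpu events:", alarm_events(cpu, 90, 80, max_consecutive=3))
```

Samples that fall between the clearance and generation thresholds change nothing, which is what keeps the alarm from flapping when usage hovers near one value.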
Related Tasks
15.2.5 Monitoring the Resource Status of the U2000 Server
Related References
15.3.1 Parameters for Setting the Monitoring Thresholds of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Settings (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Settings from the main menu (application style).
Step 2 In the System Monitor Settings dialog box, click the Hard Disk Monitor tab.
Step 3 On the Hard Disk Monitor tab, set Hard disk usage sampling interval, Alarm Generation
Threshold, and Alarm Clearance Threshold.
• Under the Default node, set default values shared by all hard disks. Click + before
Default, and then set the thresholds for generating and clearing alarms of each severity.
The threshold specified for generating alarms of a low severity must be smaller than that
for generating alarms of a high severity.
• Under the Custom node, set values specific to a hard disk. Expand Custom and click +
before the server name. You will find that all disks use the default thresholds. To specify
other values for a disk, click + before the disk name, and then click the cell next to the
disk name. In the drop-down list, select Customize value. Now, the threshold for
generating alarms of each severity can be changed. To change a threshold, in the text box
next to the desired alarm severity, enter a value. If you do not want to receive alarms of a
disk, select Disable alarm generation from the drop-down list next to the disk name.
Step 4 Optional: Expand Custom and click + before the server name. Then the disk names are
displayed. In the Show Pop-Up Message column, select Yes or No from the drop-down list
next to the desired disk name.
Step 5 Click OK.
----End
Result
• When the hard disk space usage reaches the threshold for generating an alarm of a
certain severity, the corresponding alarm is generated. When the usage reaches the
threshold for generating an alarm of a higher severity, the alarm of the higher severity is
generated and the existing alarm of a lower severity is automatically cleared. When the
usage is lower than the threshold for clearing alarms of a severity, the alarm of this severity
is cleared.
• When a high disk usage alarm is generated, the icon in the Status column changes
on the Hard Disk Monitor tab of the System Monitor Browser window. If you
enable the function of displaying pop-up messages, the message The hard disk
partition is abnormal is displayed on the status bar of the client.
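The escalation and clearance behaviour described in this Result, together with the threshold ordering rule from Step 3, as an added Python example (not Huawei code and not part of the original guide). The severity names, the threshold values, the rule that a clearance threshold never exceeds its generation threshold, and the re-raising of a still-breached lower severity when a higher alarm clears are assumptions made for the illustration.

```python
"""Added example: multi-severity disk-usage alarms with separate clear thresholds."""
from dataclasses import dataclass
from typing import Optional

# Constructed severity names, lowest first (the guide only says "each severity").
SEVERITIES = ("warning", "minor", "major", "critical")


@dataclass(frozen=True)
class Threshold:
    generate: float  # raise the alarm when usage (%) >= this value
    clear: float     # clear the alarm when usage (%) < this value


def example_profile():
    """Constructed values standing in for the Default node settings."""
    return {
        "warning": Threshold(70, 65),
        "minor": Threshold(80, 75),
        "major": Threshold(90, 85),
        "critical": Threshold(95, 92),
    }


def validate(profile):
    """Enforce the ordering rule from Step 3 before the profile is used."""
    previous = None
    for sev in SEVERITIES:
        t = profile[sev]
        # Assumption: a clearance threshold never exceeds its generation threshold.
        if not 0 <= t.clear <= t.generate <= 100:
            raise ValueError(f"{sev}: need 0 <= clear <= generate <= 100")
        if previous is not None and t.generate <= previous:
            raise ValueError(f"{sev}: must be greater than the lower severity")
        previous = t.generate


class DiskAlarm:
    """Tracks the single active alarm of one disk partition."""

    def __init__(self, profile):
        validate(profile)
        self.profile = profile
        self.active: Optional[str] = None

    def _breached(self, usage):
        """Highest severity whose generation threshold the usage has reached."""
        hit = None
        for sev in SEVERITIES:
            if usage >= self.profile[sev].generate:
                hit = sev
        return hit

    def sample(self, usage):
        """Process one usage sample and return the alarm events it causes."""
        events = []
        target = self._breached(usage)
        rank = SEVERITIES.index
        if target and (self.active is None or rank(target) > rank(self.active)):
            # Escalation: the lower-severity alarm is cleared automatically.
            if self.active:
                events.append(("clear", self.active))
            events.append(("raise", target))
            self.active = target
        elif self.active and usage < self.profile[self.active].clear:
            events.append(("clear", self.active))
            self.active = target
            if target:
                # Assumption: a lower severity that is still breached is raised.
                events.append(("raise", target))
        return events


def replay(profile, samples):
    """Feed a list of usage samples to a fresh alarm and collect the events."""
    alarm = DiskAlarm(profile)
    return [(u, alarm.sample(u)) for u in samples]


if __name__ == "__main__":
    # Constructed usage samples (%), one per sampling interval.
    for usage, events in replay(example_profile(), [60, 72, 91, 96, 93, 88, 74, 60]):
        print(usage, events)
```

The sample at 93% produces no event: usage is below the constructed critical generation threshold but not below its clearance threshold, so the critical alarm stays active.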
Related Tasks
15.2.3 Monitoring the Disk Status of the U2000 Server
Related References
15.3.2 Parameters for Setting the Hard Disk Monitoring Thresholds of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Settings (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Settings from the main menu (application style).
Step 2 In the System Monitor Settings dialog box, click the Database Monitor tab.
Step 3 On the Database Monitor tab, set Database usage sampling interval and the alarm
generation thresholds.
• Under the Default node, set default values shared by all databases. Click + before
Default, and then set the thresholds for generating alarms of each severity. The threshold
specified for generating alarms of a low severity must be smaller than that for generating
alarms of a high severity.
• Under the Custom node, set values specific to a database. Expand Custom, and click +
before the server name and database instance name. You will find that all databases use
the default thresholds. To specify other values for a database, click + before the database
name, and then click the cell next to the database name. In the drop-down list, select
Customize value. Now, the threshold for generating alarms of each severity can be
changed. To change a threshold, in the text box next to the desired alarm severity, enter a
value. If you do not want to monitor the usage of a database, select Disabled
Monitoring from the drop-down list next to the database name.
Step 4 After the setting, click OK.
----End
Result
• When the database usage of the U2000 server reaches the threshold for generating an
alarm of a certain severity, the corresponding alarm is generated. When the usage
reaches the threshold for generating an alarm of a higher severity, the alarm of the higher
severity is generated and the existing alarm of a lower severity is automatically cleared.
When the usage is smaller than the threshold, the corresponding clear alarm is generated.
• When the condition for generating a high database usage alarm is met, the icon in the
Status column changes on the Database Monitor tab of the System
Monitor Browser window.
Related References
15.3.3 Parameters for Setting the Database Monitoring Thresholds of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Settings (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Settings from the main menu (application style).
Step 2 In the System Monitor Settings dialog box, click the Service Monitor tab.
Step 3 On the Service Monitor tab, set Service status sampling interval and specify whether to
display pop-up messages.
Step 4 Click OK.
----End
Result
• The information displayed on the Service Monitor tab of the System Monitor Browser
window is refreshed at the specified interval.
• If you enable the function of displaying pop-up messages for some services, a status
indicator is displayed on the status bar in the lower-right corner of the client. When all of
these services are running, the status indicator turns green. When one or more of these
services are stopped, the status indicator turns red and a pop-up message is displayed.
Related References
15.3.4 Parameters for Setting the Service Monitoring Thresholds of the U2000 Server
Context
If a service is stopped or abnormal, its status icon is displayed in red.
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the Service Monitor tab.
Step 3 On the Service Monitor tab, right-click a service and choose Details from the shortcut menu.
NOTE
You can also double-click a service to open the Service Details dialog box.
Step 4 In the Service Details dialog box, view the service details and dependencies.
----End
Related References
15.3.5 Parameters for Monitoring the Service Status of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the Process Monitor tab.
Step 3 On the Process Monitor tab, view the process status of the server.
----End
Related References
15.3.6 Parameters for Monitoring the Process Status of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the Hard Disk Monitor tab.
Step 3 On the Hard Disk Monitor tab, view the disk status of the server.
The Status depends on the specified alarm generation thresholds. When the usage of the
hard disk partition is higher than or equal to the threshold, Status changes to Abnormal.
----End
Related Tasks
15.1.2 Setting the Parameters for Monitoring the Disk Usage of the U2000 Server
Related References
15.3.7 Parameters for Monitoring the Hard Disk Status of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the Database Monitor tab.
Step 3 On the Database Monitor tab, view the database status of the U2000 server.
Status of a database depends on the database process running status, status of connection
between the server and database, log space usage in the database, and specified alarm
threshold. When a database process is abnormal, the connection between the server and
database is abnormal, the log space usage in the database is excessively high, or the database
usage is higher than or equal to the specified alarm threshold, Status changes to Abnormal.
----End
Related References
15.3.8 Parameters for Monitoring the Database Status of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the Server Monitor tab.
Step 3 On the Server Monitor tab, view the resource status of the U2000 server.
----End
Related Tasks
15.1.1 Setting the Parameters for Monitoring the U2000 Server
Related References
15.3.9 Parameters for Monitoring the Status of the U2000 Server
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, select the Operation Logs tab.
Operation logs are listed.
Step 3 In the Time range drop-down list, select a time range of the logs to be viewed.
Step 4 Right-click an operation log and choose Details from the shortcut menu. In the displayed Log
Details dialog box, view the details of the operation log.
NOTE
You can also double-click an operation log to access the Log Details dialog box.
----End
Related References
15.3.10 Parameters for Viewing System Monitoring Operation Logs
Context
• Only the current tab is refreshed.
• After you switch to another monitor tab, the monitoring information on this tab is
refreshed immediately.
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the tab corresponding to the monitoring
information to be refreshed.
----End
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
Step 2 In the System Monitor Browser window, click the tab corresponding to the monitoring
information and click Save As.
NOTE
• The monitoring information can be saved in TXT, HTML, CSV, or XML format.
• For .txt files, the encoding formats ISO-8859-1 and UTF-8 are supported. The default encoding
format is ISO-8859-1. You are advised to use the default encoding format if the saved file does not
need to support multiple languages; otherwise, UTF-8 is recommended.
Step 3 In the Save dialog box, select a path, enter a file name, and click Save.
NOTE
After the file is saved successfully, you can open the file or navigate to the folder that stores the file.
----End
Parameters
Parameter Description Settings
Related Tasks
15.1.1 Setting the Parameters for Monitoring the U2000 Server
Parameters
Parameter Description Settings
• Show Pop-up Message: If Show Pop-up Message is set to Yes for a disk partition, a pop-up
message is displayed on the U2000 client when the usage of the disk partition reaches Alarm
Generation Threshold. When the usage is smaller than Alarm Clearance Threshold, the pop-up
message disappears.
Related Tasks
15.1.2 Setting the Parameters for Monitoring the Disk Usage of the U2000 Server
Parameters
Parameter Description Settings
alarm generation
threshold.
Disable the
database
monitoring.
Related Tasks
15.1.3 Setting the Parameters for Monitoring the Database Usage of the U2000 Server
Parameters
Parameter Description Settings
Related Tasks
15.1.4 Setting the Parameters for Monitoring the Service Status of the U2000 Server
Find
1. Select one or more logs in the query window, right-click, and choose
Find from the shortcut menu.
2. Enter a keyword in Find what in the Find dialog box for search.
NOTE
• Match case: determines whether the case of search contents matches the case of
the keyword. By default, the cases do not match.
• Match entire cell contents: If you want the search contents to partially match the
cell contents, clear Match entire cell contents. If you want the search contents
to exactly match the cell contents, select Match entire cell contents. By
default, Match entire cell contents is cleared.
Details
Indicates the general information about the selected services and
dependencies among these services.
Parameters
Parameter Description
Description Description:
Description of functions, interfaces, and other information of a service.
Status Description:
Status of a service. The value is Running, Unknown or Stopped.
Related Tasks
15.2.1 Monitoring the Service Status of the U2000 Server
Find
1. Select one or more logs in the query window, right-click, and choose
Find from the shortcut menu.
2. Enter a keyword in Find what in the Find dialog box for search.
NOTE
• Match case: determines whether the case of search contents matches the case of
the keyword. By default, the cases do not match.
• Match entire cell contents: If you want the search contents to partially match the
cell contents, clear Match entire cell contents. If you want the search contents
to exactly match the cell contents, select Match entire cell contents. By
default, Match entire cell contents is cleared.
Parameters
Parameter Description
Process ID Description:
ID of a process.
Handles Description:
Number of handles occupied by a process.
NOTE
This parameter is displayed as a hyphen (-) if the process is a
database process or the process status cannot be obtained in the
event of the Trace Server (TS) service.
Threads Description:
Number of threads generated by a process.
NOTE
This parameter is displayed as a hyphen (-) if the process status
cannot be obtained in the event of the TS service.
Related Tasks
15.2.2 Monitoring the Process Status of the U2000 Server
Find
1. Select one or more logs in the query window, right-click, and choose
Find from the shortcut menu.
2. Enter a keyword in Find what in the Find dialog box for search.
NOTE
• Match case: determines whether the case of search contents matches the case of
the keyword. By default, the cases do not match.
• Match entire cell contents: If you want the search contents to partially match the
cell contents, clear Match entire cell contents. If you want the search contents
to exactly match the cell contents, select Match entire cell contents. By
default, Match entire cell contents is cleared.
Parameters
Parameter Description
Status Description:
Status of a specified partition. The value is Normal,
Unknown or Abnormal. In the event of the TS service, if
the hard disk status cannot be obtained, the value is
Unknown. If the hard disk usage is greater than or equal to
the threshold, the value is Abnormal.
Related Tasks
15.2.3 Monitoring the Disk Status of the U2000 Server
Find
1. Select one or more logs in the query window, right-click, and choose
Find from the shortcut menu.
2. Enter a keyword in Find what in the Find dialog box for search.
NOTE
• Match case: determines whether the case of search contents matches the case of
the keyword. By default, the cases do not match.
• Match entire cell contents: If you want the search contents to partially match the
cell contents, clear Match entire cell contents. If you want the search contents
to exactly match the cell contents, select Match entire cell contents. By
default, Match entire cell contents is cleared.
Parameter Description
Status Description:
The value is Normal or Abnormal. If the database
usage is larger than or equal to the threshold, the
state is Abnormal.
Description Description:
Database description of the U2000 server.
Related Tasks
15.2.4 Monitoring the Database Status of the U2000 Server
Find
1. Select one or more logs in the query window, right-click, and choose
Find from the shortcut menu.
2. Enter a keyword in Find what in the Find dialog box for search.
NOTE
• Match case: determines whether the case of search contents matches the case of
the keyword. By default, the cases do not match.
• Match entire cell contents: If you want the search contents to partially match the
cell contents, clear Match entire cell contents. If you want the search contents
to exactly match the cell contents, select Match entire cell contents. By
default, Match entire cell contents is cleared.
Parameters
Parameter Description
OS Description:
Operating system of the server.
Related Tasks
15.2.5 Monitoring the Resource Status of the U2000 Server
Parameters
Parameter Description
Client Description:
IP address of the system monitor client where a user performs an
operation.
Result Description:
Operation result, namely, success or failure.
Details Description:
Operation description.
Related Tasks
15.2.6 Viewing Logs of System Monitoring Operations
The U2000 provides the function of centrally managing scheduled tasks. You can browse
information such as the task status and the progress as well as create, modify, and delete user-
scheduled tasks. In addition, you can suspend, restore, cancel scheduled tasks, and save task
result files to the client.
The NEs that support CME tasks are the RNC, NodeB, BSC6000, BSC6900 GSM, BSC6900 UMTS,
BSC6900 GU, BSC6910 GSM, BSC6910 UMTS, and BSC6910 GU. CME tasks are available only after
the CME software corresponding to the NE version is installed.
Database Capacity Management
    The U2000 periodically deletes the data whose storage duration reaches the specified
    Save Days from the database. Database capacity management tasks ensure that the
    database capacity is maintained within a proper range, avoiding database faults
    caused by insufficient database capacity.
Manual Dump
    By manually executing a dump task, you can dump alarm/event/log data from database
    to the specific file on the U2000 server. Dumped alarms/events/logs are deleted from
    the database, thereby preventing insufficiency of database space.
NIC
    NIC tasks provide the Nastar with the NE data required for analyzing system
    performance, querying and verifying configuration data, scanning uplink frequencies,
    and optimizing neighboring cells.
Backup
    The U2000 allows you to save server data and NE data in backup files to a specified
    directory on the U2000 server. The stored server data and NE data can be used for
    restoring the system and NEs in case of any data loss or any exception in the system
    and NEs.
System Scheduled Task
    System scheduled tasks are the tasks required for the normal operation of the U2000
    system. For details about these tasks, see 16.1.2 System Scheduled Tasks.
User Scheduled Task
    User scheduled tasks are the tasks customized to meet the requirements of network
    maintenance. For details about these tasks, see 16.1.3 User Scheduled Tasks.
The U2000 uses different icons to identify system scheduled tasks and user scheduled
tasks.
NOTE
• A system scheduled task can be browsed and managed only by users in the Administrators group
and by common users bound to the permissions for the system scheduled task. It is recommended
that the management domain of the common user include all network devices. If the system
scheduled task supports template export, it is recommended that the user have the permission to
view all templates. Otherwise, during task modification, the user cannot view the NEs or templates
selected by other users due to insufficient permission. As a result, the modifications will replace
the settings of other users.
• System scheduled tasks cannot be copied. Only some parameters of system scheduled tasks can be
modified. These parameters, however, cannot be deleted.
• Some system scheduled tasks can be suspended or canceled.
• The NEs that support CME tasks are the RNC, NodeB, BSC6000, BSC6900 GSM, BSC6900
UMTS, BSC6900 GU, BSC6910 GSM, BSC6910 UMTS, and BSC6910 GU. CME tasks are
available only after the CME software corresponding to the NE version is installed.
  Tasks related to the MBB backhaul device, such as Performance Event Period Dump
    After the MBB backhaul device management component is installed, the task is
    available.
    For details, see Bearer Network Management > Basic Configuration of MBB Backhaul
    Devices > Task Management of iManager U2000 MBB Backhaul Device Management
    Component Product Documentation. You can log in to the http://support.huawei.com
    website and search for the product documentation with iManager U2000 MBB Backhaul
    Device Management Component Product Documentation as the keyword.

Manual Dump
  Alarm Manual Dump
  Event Manual Dump
  Operation Log Manual Dump
  Security Log Manual Dump
  System Log Manual Dump
    You can manually dump alarms, events, operation logs, security logs or system logs.
    Dumped alarms, events, operation logs, security logs or system logs are deleted from
    the database, thereby preventing insufficiency of database space.
    • Alarm Manual Dump: alarms data of the U2000 and all NEs.
    • Event Manual Dump: events data of the U2000 and all NEs.
    • Operation Log Manual Dump: U2000 operation logs.
    • System Log Manual Dump: U2000 system logs.
    • Security Log Manual Dump: U2000 security logs.
    For details, see Parameters for Manually Dumping Alarms/Events.
    For details, see Parameters for Manually Dumping U2000 Logs.

NIC
  Network Logs Collection
    These tasks are used for collecting the CHR logs of WiMAX BTS and eNodeB and
    neighboring cell relationship logs and interference logs of WiMAX BTS, providing the
    Nastar with the data about abnormal call events, terminal handover events, and base
    station frequency interference.
    For details, see Parameters for Modifying a Network Log Data Collection Task.

Synchronization
  NE Configuration Data Synchronization
  Inventory Data Synchronization
  NE Log Synchronization
  Alarm Synchronization
  MBTS Correlation Synchronization
  NE Upgrade Log Synchronization
    The U2000 obtains the latest data from NEs on a scheduled basis by performing an NE
    configuration data synchronization task, NE log synchronization task, NE inventory
    data synchronization task, alarm scheduled synchronization task, or MBTS correlation
    synchronization task.
    For details, see Parameters for Modifying an NE Configuration Data Synchronization
    Task.
    For details, see Parameters for Modifying Inventory Data Synchronization Tasks.
    For details, see 16.8.4 Parameters for Scheduled Task Attributes.

Backup
  Server Backup
    The dynamic service data of the U2000 system and certain CME data can be backed up.
    The operating system data, however, cannot be backed up.
    For details, see Extended Parameters for Backing Up Server Data.
  Base Station Backup
    The U2000 saves base station data in backup files to the specified directory on the
    server periodically or on a scheduled basis. The backup files are used for restoring
    base stations in case of any data loss or base station exception.
    For details, see Parameters for Backing Up Base Station on Schedule.

  SAIC Terminal Capability Sharing
    You can set the SAIC Terminal Capability Sharing task to share with other BSCs the
    BSC data identified by VAMOS SAIC capability identification on a scheduled basis.
    For details, see Parameters for the SAIC Terminal Capability Sharing Task.

Overflow Dump
NOTE
This function can only be used in a virtual system.
  Alarm Overflow Dump
    After you set alarm/event overflow dump, the U2000 periodically checks whether the
    number of alarms or events in the database reaches the specified threshold. If the
    overflow dump condition is met, the U2000 automatically dumps alarm/event logs. The
    dumped alarm/event logs are deleted from the database,
    For details, see Parameters for Setting an Alarm or Event Overflow Dump Task.
• The NEs that support CME tasks are the RNC, NodeB, BSC6000, BSC6900 GSM, BSC6900
UMTS, BSC6900 GU, BSC6910 GSM, BSC6910 UMTS, and BSC6910 GU. CME tasks are
available only after the CME software corresponding to the NE version is installed.
• User scheduled tasks can be managed only by the creator and the users in the Administrators
group. If users in non-Administrators groups have the Task Management permission, they can view
user tasks but cannot manage these tasks.
Backup
  NE Backup
    The U2000 saves NE data in backup files to the specified directory on the server
    periodically or on a scheduled basis. The backup files are used for restoring NEs in
    case of any data loss or NE exception. You can back up the data of all the NEs on the
    entire network, NEs of a specified type, or specified NEs.
    For details, see Parameters for Backing Up NE Data on Schedule.

CM Report
  RAN Report Export
  Core Network Resource Report Export
  NE Report Export
  NE Statistical Report Export
  Link Report Export
  MBTS Relationship Report Export
    The U2000 periodically exports configuration reports in files to a specified
    directory on the U2000 server. You can use this function to save data outside the
    system. The exported data is still stored in the database.
    For details, see Parameters for Creating, Modifying, or Copying a Configuration
    Report Export Task.

  Cell RF Data Collection
    The U2000 provides the cell RF data collection function. The collected data is used
    as input for network planning and optimization tools.
    For details, see Parameters for Creating a Cell RF Data Collection Task.
  FFT Data Collection
    The U2000 provides the fast Fourier transformation (FFT) data collection function.
    Before collecting the FFT data, you must create an RF data collection task and export
    the required configuration file using a network planning and optimization tool.
    For details, see Parameters for Creating an FFT Data Collection Task.
  Frequency Scan
    This task provides the Nastar with uplink frequency data for uplink interference
    analysis. This task is controlled by the U2000 license.
    For details, see Parameters for Creating an Uplink ARFCN Data Collection Task.
  Neighboring Cell Optimization
    This task provides the Nastar with neighboring cell optimization data for neighboring
    cell analysis. This task is controlled by the U2000 license.
    For details, see Creating a Data Collection Task for Neighboring Cell Optimization.

Synchronization
  NE Operating System Log Synchronization
    The U2000 obtains the latest data from NEs on a scheduled basis by performing an NE
    operating system log synchronization task.
    For details, see 16.8.4 Parameters for Scheduled Task Attributes.

Security
  NE Security Monitoring
    You can create an NE security monitoring task to promptly identify security attacks
    and risks on NEs so that you can take appropriate security protection measures.
    For details, see Parameters for NE Security Monitoring Tasks.

Others
  MML Script
    After an MML script is configured, the U2000 issues the commands in the script in
    batches on a scheduled basis. Therefore, you do not need to manually issue the
    commands one by one.
    For details, see Parameters for Creating/Modifying/Copying MML Command Script Tasks.
  Base Station License Scheduled Distribution
    The U2000 performs scheduled tasks for allocating Base Station license resources at a
    specified time, reducing manual operations.
    For details, see Parameters for Creating/Modifying Scheduled NodeB License Allocation
    Tasks.
  PRS Scheduled Task
    You can set PRS scheduled tasks on the U2000 for the desired performance reports.
    Then the U2000 collects performance data and generates performance reports on a
    scheduled basis.
    For details, see Parameter Description: Creating, Viewing, or Modifying a Scheduled
    Report Task.
  RSSI Test
    The U2000 collects the RSSI values of base stations on a scheduled basis. Therefore,
    exceptions in the radio frequency (RF) subsystem of a base station can be identified
    in time and voice quality can be ensured. Performing an RSSI test task consumes a
    large number of system resources. Therefore, you are advised to perform such a task
    only for batch test. Currently, only CBTSs and CBSCs support RSSI test tasks.
    For details, see 16.8.7 Parameters for Creating/Modifying/Copying an RSSI Test Task.
  Upgrade Checking
    The U2000 checks whether the services are functioning normally after an NE is
    upgraded.
    For details, see Parameters for Creating an NE Upgrade Verification Task.
  Dual Home Auto Consistency Check Management
    The U2000 checks the data of NEs that have the dual-homing relation periodically or
    on a scheduled basis. Therefore, you can ensure that an MSCServer can take over some
    or all data on the other MSCServer in case of a dual-homing failover.
    For details, see Parameters for Creating/Modifying/Copying a Dual-Homing Auto
    Consistency Check Task of the dual homing.
  Alarm Check
    The U2000 analyzes NE alarm trends, comparisons between alarms, common alarm TopNs,
    TopN alarm features, alarm maintenance, and fault alarms and generates check reports
    in .html format on a scheduled basis, enabling you to analyze network faults in
    detail.
    For details, see Parameters for Setting Special Alarm Check Tasks.
  Top Power Test
    The U2000 collects the value of the transmit power on top of the cabinet on a
    scheduled basis. Therefore, exceptions in the radio frequency (RF) subsystem of a base
    station can be identified in time and voice quality can be ensured. Performing a top
    power test task consumes a large number of system resources. Therefore, you are
    advised to perform such a task only for batch test. Currently, only CBTSs and CBSCs
    support RSSI test tasks.
    For details, see 16.8.6 Parameters for Creating/Modifying/Copying a Task for Testing
    BTS Cabinet-Top Power.
  Tasks related to the MBB backhaul device
    After the MBB backhaul device management component is installed, the task is
    available.
    For details, see Bearer Network Management > Basic Configuration of MBB Backhaul
    Devices > Task Management of iManager U2000 MBB Backhaul Device Management
    Component Product Documentation. You can log in to the http://support.huawei.com
    website and search for the product documentation with iManager U2000 MBB Backhaul
    Device Management Component Product Documentation as the keyword.
For details about the states of scheduled tasks, see Table 16-6.
State Description
Running After being dispatched, an idle task changes to the running state.
Suspended You can suspend an idle scheduled task. Then, the task is in the
suspended state.
The suspended task changes to the idle state if you resume it.
The state of a scheduled task changes with operations performed by users. For details, see
Figure 16-1.
Certain idle tasks such as dump tasks are not allowed to be suspended to ensure the proper running
of the U2000. In other words, these idle tasks are never in the suspended state.
• A running periodic task is changed to the idle state after being canceled. A running one-time
task is changed to the finished state after being canceled.
• If a task does not need to be scheduled when the task is complete, it is in the finished
state. If the task needs to be scheduled again, it returns to the idle state.
• A finished one-time task can be manually rescheduled. After rescheduling, the task is
changed to a running task. A finished periodic task cannot be rescheduled.
Users can delete user timer tasks in the idle, suspended or finished state. Users in non-
Administrators groups can delete only user timer tasks created by themselves. Users in the
Administrators group can delete all user timer tasks.
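The state transitions and the delete rule described above, as an added Python example (not Huawei code and not part of the original guide). The class, function and action names, the sample users and the sample task names are assumptions made for the illustration; only the states, the transitions and the Administrators group name come from the text.

```python
"""Added example: scheduled-task states and the delete permission check."""
from dataclasses import dataclass

# States in which the guide allows a user timer task to be deleted.
DELETABLE_STATES = {"idle", "suspended", "finished"}


class TaskError(Exception):
    """Raised when an operation is not allowed in the task's current state."""


@dataclass
class UserTask:
    name: str                  # hypothetical task name
    owner: str                 # user who created the task
    periodic: bool             # False means a one-time task
    suspendable: bool = True   # dump-style tasks would set this to False
    state: str = "idle"


def apply(task, action, schedule_again=False):
    """Apply one operation and return the new state, or raise TaskError."""
    s = task.state
    if action == "dispatch" and s == "idle":
        new = "running"
    elif action == "suspend" and s == "idle":
        if not task.suspendable:
            raise TaskError(f"{task.name} must not be suspended")
        new = "suspended"
    elif action == "resume" and s == "suspended":
        new = "idle"
    elif action == "cancel" and s == "running":
        # Canceled periodic tasks wait for the next run; one-time tasks end.
        new = "idle" if task.periodic else "finished"
    elif action == "complete" and s == "running":
        new = "idle" if schedule_again else "finished"
    elif action == "reschedule" and s == "finished":
        if task.periodic:
            raise TaskError("a finished periodic task cannot be rescheduled")
        new = "running"
    else:
        raise TaskError(f"{action} is not allowed in state {s}")
    task.state = new
    return new


def can_delete(task, user, groups):
    """Delete rule: deletable state, and creator or Administrators member."""
    if task.state not in DELETABLE_STATES:
        return False
    return "Administrators" in groups or user == task.owner


def is_rejected(task, action):
    """Helper for checks: True when the operation raises TaskError."""
    try:
        apply(task, action)
    except TaskError:
        return True
    return False


if __name__ == "__main__":
    # Constructed task and users.
    t = UserTask("nightly-ne-backup", owner="alice", periodic=True)
    for step in ("dispatch", "cancel", "suspend"):
        print(step, "->", apply(t, step))
    print("bob may delete:", can_delete(t, "bob", {"Operators"}))
    print("alice may delete:", can_delete(t, "alice", {"Operators"}))
```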
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, perform operations based on custom requirements.
Custom Requirement    Operation
Customize the navigation tree
    1. Right-click in the navigation tree and choose Type Filter from the shortcut menu.
    2. In the Type Filter dialog box, select the type of the scheduled tasks to be
    displayed. By default, all types of scheduled tasks that the current user is
    authorized to browse are displayed.
Customize the task list
    1. Right-click the task list and choose Filter from the shortcut menu.
    2. In the Filter dialog box, set the filter criteria, including Created By, Category,
    Task Status, and Execution Result. For details about the parameters, see 16.8.2
    Parameters for Setting Task Filter Criteria.
----End
Context
• This topic describes the common procedure for creating a user scheduled task. The
parameter settings vary according to different user scheduled tasks. When creating a user
scheduled task on the task creation interface, you can press F1 to view the help
information about the task.
• To quickly create tasks, you can copy a multi-instance user scheduled task (this task
enables you to create multiple tasks) and then modify its parameters.
• The instance quantity of the scheduled tasks of a specific type is limited. If the instance
quantity of the existing scheduled tasks of a specific type reaches the maximum, you
cannot create or copy a scheduled task of this type.
• If right control is set for tasks of a specific type and you are not authorized, you cannot
create or copy these tasks.
• The U2000 server may respond slowly due to too many scheduled tasks. The total
number of scheduled tasks (including system scheduled tasks and user scheduled tasks)
cannot exceed 500. The total number of script timer tasks cannot exceed 200.
• When creating scheduled tasks, users can set whether the scheduled tasks are
automatically deleted after being executed. If the scheduled tasks are set to be automatically
deleted after being executed, no excessive user tasks are accumulated in the system, which
facilitates task management. One-time tasks are automatically deleted two days after
Expiration time, and periodic tasks are automatically deleted two days after being executed.
• Excessive short-period scheduled tasks may occupy a large number of U2000 server
resources. As a result, the server responds slowly and other services may be affected.
Carefully consider the task object, content, execution type, and period when creating a
scheduled task. Do not create excessive short-period scheduled tasks. When the CPU or
memory usage is excessively high and the server responds slowly, these short-period
scheduled tasks need to be canceled or parameters for them need to be adjusted so that
the U2000 can run properly.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, create a user scheduled task.
You can create a user scheduled task by using any of the following methods:
• In general, click New.
• To quickly create a task of the specified type, double-click a user scheduled task in the
Task Type navigation tree.
• To quickly create a multi-instance user scheduled task whose parameter settings are
similar to those of a specified task, select the multi-instance user scheduled task, and
then click Copy.
Step 3 In the New Task or Copy Task dialog box, set the parameters of the created user scheduled
task.
Parameter Setting
NOTICE
iSStar scripts can deliver MML commands to NEs. If an iSStar script contains MML
commands, confirm the impact of the commands on NE services before they are delivered and
exercise caution.
----End
Prerequisites
You have logged in to the U2000 client successfully.
Context
• Scheduled tasks are classified into 16.1.2 System Scheduled Tasks and 16.1.3 User
Scheduled Tasks.
• If you are not authorized to operate certain tasks, you can only view the attributes of the
tasks created by other users, but cannot modify these attributes.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, modify the attributes of a scheduled task by using any of
the following methods:
• Select a task from the task list, and then click Attributes. In the Attributes dialog box,
modify common and extended parameters.
• Double-click a task in the task list. In the displayed Attributes dialog box, modify
common and extended parameters.
NOTICE
If a user needs to modify a system scheduled task, it is recommended that the management
domain of the user include all network devices and the user have the permissions for the
system scheduled task. If the system scheduled task supports template export, it is
recommended that the user have the permission to view all templates. Otherwise, during task
modification, the user cannot view the NEs or templates selected by other users due to
insufficient permission. As a result, the modifications will replace the settings of other users.
----End
Context
• Only idle tasks can be scheduled.
• Certain idle tasks, such as dump tasks, cannot be suspended. This is to ensure the proper
running of the U2000.
• If right control is disabled, users can suspend only the tasks created by themselves. If
right control is enabled, authorized users can suspend the tasks created by themselves
and other users. The users of the Administrators user group can suspend the tasks
created by all users.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, choose Task Type in the navigation tree.
Step 3 Suspend one or more idle tasks with either of the following methods:
• Manual suspending
Select one or more idle tasks in the task list in the right pane, right-click the task(s) and
choose Suspend from the shortcut menu. In the Confirm dialog box, click Yes.
NOTE
If the shortcut menu displayed after you right-click a selected scheduled task does not contain
Suspend, the selected scheduled task does not support suspend. If the shortcut menus displayed
after you right-click multiple selected scheduled tasks do not contain Suspend, the selected
scheduled tasks do not support concurrent suspend.
• Automatic suspending
Select one or more scheduled tasks to be automatically suspended in the task list in the
right pane, right-click the task(s) and choose Suspend/Resume Schedule from the
shortcut menu. In the Suspend/Resume Schedule dialog box, select Suspension time
and then set the time. Click OK.
NOTE
– If the shortcut menu displayed after you right-click a selected scheduled task does not contain
Suspend/Resume Schedule, the selected scheduled task does not support scheduled suspend.
If the shortcut menus displayed after you right-click multiple selected scheduled tasks do not
contain Suspend/Resume Schedule, the selected scheduled tasks do not support concurrent
scheduled suspend.
– Automatic suspending supports a maximum of 500 tasks at a time.
For details about how to set the time for automatic suspension, see 16.8.5 Parameters
for Automatically Suspending and Resuming a Scheduled Task.
After the task is suspended, the U2000 does not schedule it until its status changes to idle.
----End
Prerequisites
At least one suspended scheduled task exists.
Context
• Only idle tasks can be scheduled.
• If right control is disabled, users can resume only the tasks created by themselves. If
right control is enabled, authorized users can resume the tasks suspended by themselves
and other users. The users of the Administrators user group can resume the tasks
suspended by all users.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, choose Task Type in the navigation tree.
– If the shortcut menu displayed after you right-click a selected scheduled task does not contain
Suspend/Resume Schedule, the selected scheduled task does not support scheduled resume. If
the shortcut menus displayed after you right-click multiple selected scheduled tasks do not
contain Suspend/Resume Schedule, the selected scheduled tasks do not support concurrent
scheduled resume.
– Automatic resuming supports a maximum of 500 tasks at a time.
For details about how to set the time for automatic resuming, see 16.8.5 Parameters for
Automatically Suspending and Resuming a Scheduled Task.
----End
Prerequisites
• You have logged in to the U2000 client.
• At least one scheduled task in the Running state exists.
Context
If the tasks are not controlled by permission, you can cancel only the tasks created by
yourself. If the tasks are controlled by permission, authorized users can cancel the tasks
created by other users. The users in the Administrators user group can cancel the tasks of all
users.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, select Task Type in the navigation tree.
Step 3 Select one or more running tasks in the task list in the right pane. Right-click the task and
select Cancel.
NOTE
If the Cancel menu item is not contained in the shortcut menu of a scheduled task, this task cannot be
cancelled.
----End
Context
• If right control is disabled, users can delete only the tasks created by themselves. If right
control is enabled, authorized users can delete the tasks created by themselves and other
users. The users of the Administrators user group can delete the tasks created by all
users.
• You cannot delete system tasks.
• You cannot delete running tasks. You can delete only the user tasks in the idle,
suspended, or finished state.
• Deleting a scheduled task will delete the execution result files generated during task
execution. If multiple tasks are deleted at a time, system response may time out.
• When creating scheduled tasks, users can set whether the scheduled tasks are
automatically deleted after being executed. If the scheduled tasks are set to be automatically
deleted after being executed, no excessive user tasks are accumulated in the system, which
facilitates task management. One-time tasks are automatically deleted two days after
Expiration time, and periodic tasks are automatically deleted two days after being executed.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, choose Task Type in the navigation tree.
Step 3 Select one or more user tasks in the task list in the right pane.
----End
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the task list on the right of Task Management, right-click the selected record and choose
Save Selected Records from the shortcut menu or right-click in the current area and choose
Save All Records from the shortcut menu.
Step 3 In the displayed Save dialog box, select Save In, enter File Name, and select File Type.
NOTE
• File Type can be set to .txt, .html, .csv, .pdf, .xls, and .xlsx.
• For .txt files, the encoding formats ISO-8859-1 and UTF-8 are supported. The default encoding format is
ISO-8859-1. You are advised to use the default encoding format if the saved file does not need to
support multiple languages; otherwise, UTF-8 is recommended.
----End
Prerequisites
• At least one scheduled task exists.
• You have the permission to perform operations in the Task Management window.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 In the Task Management window, perform operations based on various scheduled task
viewing requirements.
Viewing scheduled tasks: Viewing Task Progress
Operation: In the navigation tree of the Task Management window, choose the task whose progress you want to view. In the Progress column of the task list in the right pane of the window, view the task progress.
----End
Prerequisites
• You have logged in to the U2000 client.
• NodeB license allocation tasks are available in the system.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style). The Task Management window is displayed.
Step 2 In the navigation tree, choose Task Type > Other > Base Station License Scheduled
Distribution.
Step 3 In the task list on the right, right-click a task, and then choose Download Task File from the
shortcut menu to download the license resource allocation file set in the task to a local PC.
----End
Prerequisites
• You have logged in to the U2000 client.
• The timing task that is used for downloading the result files exists and has been run at
least once.
Context
The allowable operations vary depending on the task type, as shown in Table 16-7.
Script Timer Task
    The task result is saved on the server in logs. The Result Info area displays only the information about the last task execution. The result logs are not displayed.
    You can download all the result files to the local client. Result files of multiple tasks can be downloaded concurrently.
MML Script task
    You can download the latest result file to the local client. Result files of multiple tasks can be downloaded concurrently.
    NOTE
    In a remote HA system, task result files cannot be downloaded if the active and standby servers are switched over.
Alarm Check task
    You can download the result file of the selected task. Result files of multiple tasks cannot be downloaded concurrently.
Dual Home Management task
    You can view the latest consistency check result online.
Timing task, and NE Backup task
    If a task is performed at least once, you can save the messages in the Result Info area to a local path.
RAN Report Export
    You can download the latest result file to the local client. Result files of multiple tasks cannot be downloaded concurrently.
    NOTE
    In a remote HA system, task result files cannot be downloaded if the active and standby servers are switched over.
Link Report Export
    You can download the latest result file to the local client. Result files of multiple tasks cannot be downloaded concurrently.
    NOTE
    In a remote HA system, task result files cannot be downloaded if the active and standby servers are switched over.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style). The Task Management window is displayed.
Step 2 In the navigation tree, select the type of the task that is used to download the result files.
Select the specific tasks in the right pane.
Step 3 Perform the following operations according to the task type.
Script Timer Task
    To download the result logs of a download task, perform the following steps:
    1. Select the task whose result logs you plan to download.
    2. Click Save Log. In the displayed Please select a directory dialog box, set the save path.
    3. Click OK.
    NOTE
    The system generates a folder for the log file generated each time and saves the folder to the specified path. The result log file is named in the format YYYY-MM-DD_HH-MM-SS, for example, 2008-04-18_10-27-53.
Alarm Check task
    1. Select the task whose result files you plan to download.
    2. Right-click a task and choose Alarm Check Report from the shortcut menu.
    3. In the displayed Alarm Check Report dialog box, select the check report based on Report Name and then click Save.
    NOTE
    You can click Open to view the contents of the check report and decide whether the report needs to be downloaded.
    4. Set the save path in the displayed Please select a directory dialog box.
    5. Click OK.
Dual Home Management task
    Right-click a task and choose Checked Result from the shortcut menu.
    NOTE
    If data inconsistency exists, you need to generate a script to adjust the data difference and synchronize the data.
Timing task, and NE Backup task
    To download the result information about a download task, perform the following steps:
    1. Select a task whose result information needs to be downloaded.
    2. Right-click in the Result Info area and choose Save As from the shortcut menu.
    3. Set the save path in the displayed Save dialog box, and then click Save.
RAN Report Export
    1. Select the task whose result files you plan to download.
    2. Right-click a task and choose Download File from the shortcut menu.
Link Report Export
    1. Select the task whose result files you plan to download.
    2. Right-click a task and choose Download File from the shortcut menu.
----End
Parameters
Parameter / Description
Running
    Description: A task is being scheduled by the system.
Suspended
    Description: A task is not ready to be scheduled.
Finished
    Description: Indicates that a task has been executed by the system.
Partially successful
    Description: Execution of a task was partially successful.
Failed
    Description: A task failed.
Missed execution time
    Description: A task was not scheduled because the server was running abnormally or the task was suspended before scheduling.
    A task will miss scheduling in any of the following conditions:
    • The ItmService is running abnormally.
    • The task is manually suspended before the execution time.
    • The CPU usage reaches or crosses the threshold configured for the type of the task.
    • The memory usage reaches or crosses the threshold configured for the type of the task.
    NOTE
    If a task misses scheduling because the CPU or memory usage reaches or crosses the upper threshold specified for the related task type, execution of the task is delayed or canceled. The delayed task is executed at the next scheduling time without checking whether the CPU or memory usage has reached or crossed the upper threshold.
Unknown
    Description: The task execution result is lost due to a service exception or power failure. After recovery, the task execution result cannot be restored.
Parameters
Delete automatically
    Description: The periodic task will be automatically deleted two days after being executed.
    Settings: -
Parameters
Execution type
    Description: Indicates whether the task is a one-time task or a periodic task.
    Settings: -
Delete automatically
    Description: The periodic task will be automatically deleted two days after being executed.
    Settings: -
Parameters
Parameter / Value Range / Description
Start Time
    Value range: The start time must meet the requirement of time format.
    Description: All NE upgrade logs within the time range specified by the start time and end time are to be queried.
End Time
    Value range: The end time must meet the requirement of time format.
    Description: All NE upgrade logs within the time range specified by the start time and end time are to be queried.
File Format
    Value range: The default file format must be retained.
    Description: Operation logs are exported to .xml files.
File Path
    Value range: The default file path must be retained.
    Description: Refers to the path for saving NE logs. The default path is /opt/oss/server/var/field/UpgradeHistorystory.
You can use the NE data collection function provided by the U2000 to collect configuration
data and basic information of NEs and save the collected data to a specified directory. The
Nastar, PRS, and TranSight can then navigate to the directory and obtain NE data for network
analysis and optimization analysis.
Procedure
Step 1 Choose Maintenance > NE Data Collection Settings (traditional style); alternatively,
double-click Trace and Maintenance in Application Center and choose Maintenance > NE
Data Collection Settings (application style).
Step 2 In the navigation tree of the NE Data Collection Settings dialog box, choose Periodic
Export or Immediate Export under Configuration Data.
Periodic Export
    1. In the right pane, set periodic export parameters. For details, see 17.4.1 Parameters for Modifying NE Configuration Data Collection Settings.
    2. Click Save.
    3. In the Confirm dialog box, click Yes.
Immediate Export
    1. In the right pane, select the desired NEs and click Immediate Export.
    2. In the Confirm dialog box, click Yes.
----End
Procedure
Step 1 Choose Maintenance > NE Data Collection Settings (traditional style); alternatively,
double-click Trace and Maintenance in Application Center and choose Maintenance > NE
Data Collection Settings (application style).
Step 2 In the navigation tree of the NE Data Collection Settings dialog box, choose Basic
Information.
----End
Procedure
Step 1 Choose Maintenance > NE Data Collection Settings (traditional style); alternatively,
double-click Trace and Maintenance in Application Center and choose Maintenance > NE
Data Collection Settings (application style).
Step 2 In the NE Data Collection Settings dialog box, click the Browse Export Task node in the
left navigation tree to view status of the export tasks.
----End
Parameter Description
Table 17-1 and Table 17-2 describe the extended parameters for NE Configuration Data
Export.
Table 17-1 Extended parameters for the Periodically Export Settings task
Parameter / Value Range / Description
Start time
    Value range: This parameter can be set based on site requirements.
    Description: This parameter specifies the start time of an exported configuration data file.
Export period
    Value range: Default value, which cannot be changed. Default value: one day.
    Description: This parameter specifies the time interval at which configuration data files are exported periodically.
Export path
    Value range: Default value, which cannot be changed.
    Description: This parameter specifies the path for saving the exported configuration data files on the U2000 server.
Table 17-2 Extended parameters for the Immediately Export Settings task
Parameter / Value Range / Description
Export path
    Value range: Default value, which cannot be changed.
    Description: This parameter specifies the path for saving the exported configuration data files on the U2000 server.
Parameter description
The U2000 provides the function of exporting NE basic information. Thus, it can provide data
to the Nastar, PRS, and TranSight for performance analysis.
Parameter Description
When the U2000 is deployed in an SLS, virtual, or ATAE cluster system, NEs are allocated to
different U2000 servers for management. NEs can be migrated from one server to another
when a server manages too many NEs or a server is added to the SLS or ATAE cluster system.
NE migration helps balance load between servers.
Migration Scenarios
• In the U2000 SLS system, NEs can be migrated:
– From the master server to a slave server
– From a slave server to the master server
– From slave server A to slave server B
• In an ATAE cluster system, the master server does not connect to any NE, and therefore
NEs can only be relocated between slave servers.
NOTICE
Migrate NEs when the impact of migration on the network is small because a large amount of
data is migrated during NE migration.
NE Migration Impact
• NE status has no impact on NE migration. Therefore, an NE disconnected from the
U2000 can also be migrated.
• The performance measurement status is abnormal during the NE migration and becomes
normal after the NE migration. You do not need to pay attention to the performance
measurement status.
• Historical performance data is not migrated during NE migration. You can query
historical performance data on the source server after NE migration.
• If information about the NE to be migrated is configured on the NMS, reconfigure the
NMS after the NE migration.
• Data for the NEs that failed to be migrated is still saved on the source server, and you
can still manage the NEs on the U2000.
Prerequisites
• You have logged in to the OSMU through a web browser. For details, see Logging In to
the OSMU by Using a Web Browser.
• You have logged in to the U2000 client as a user granted permissions to migrate
NEs.
– For details about how to grant users permissions to migrate NEs, see .
– When setting operation sets for a user, grant the user the Transfer NE
Management operation rights.
– When setting object sets for a user, grant the user the management rights of the
NE to be migrated.
• The U2000 service is running properly.
• If a switchover (for example, from the master or a slave server to the standby server)
occurs, NE migration is not allowed.
• The routes between the master server and the NEs to be migrated are reachable.
• The routes between the slave server and the NEs to be migrated are reachable.
• When multiple network planes are used, migrate an NE to another board on the same
network plane. If the NE is migrated to a board on another network plane, the NE may
be disconnected.
Context
NOTICE
• The U2000 automatically divides NEs to be migrated into groups, each of which contains
a maximum of 100 NEs. In a virtual system, migrating a group of NEs takes about 15
minutes. In non-virtual systems, migrating a group of NEs takes about 6 minutes. If the
destination slave node is newly added or measurement information about the NEs to be
migrated has significantly changed, NE migration takes a longer period of time.
• The source subarea for an NE indicates the source server that manages the NE before
migration, and the destination subarea for the NE indicates the destination server that will
manage the NE after migration.
• Do not perform any operation on the NE being migrated.
• The ALM-301 NE Is Disconnected alarm may be reported during NE migration. It will be
automatically cleared after a certain number of seconds, and therefore you can ignore it.
• During NE migration, threshold alarms may not be properly reported. If this occurs, check
whether threshold alarms are reported properly after two to three periods. If they are still
not reported, contact Huawei technical support.
• When you migrate the CGPOMU deployed on the Advanced Telecom Computing
Architecture (ATCA) platform, its sub-NEs are migrated to the destination server at the
same time. The sub-NEs of the CGPOMU cannot be migrated separately. If no med
partition has sufficient space to save data about the CGPOMU and its sub-NEs, the
CGPOMU cannot be migrated.
Procedure
Step 1 Perform the following operations to check the board status:
1. In the navigation tree of the OSMU in the left pane, choose Service System > Service
Management > Board Services.
2. Check the status of the board on the Board Services tab page in the right pane.
The board whose System is U2000 must be in the Normal state.
NOTICE
If the board whose System is U2000 is in the Switched Over state, manually switch
services and then perform subsequent operations. Otherwise, you cannot perform NE
migration. For detailed operations, see Switching Resources Between U2000 Nodes
Manually (Oracle) or Switching Resources Between U2000 Nodes Manually (Sybase).
Step 2 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 3 In the Task Management window, click New.
NOTE
Only one NE migration task can be created in the U2000 system. If there is an NE migration task in the
U2000 system, no new NE migration task can be created.
Step 4 Set the basic information about the task, and click Next.
• Enter the name of the scheduled task in the Task Name field.
• Select Transfer NE Management from Task Type.
• Select One-time in the Execution Type area.
Step 5 Click , and select the start time for performing the task in the displayed dialog box.
NOTE
Select Run now to perform the task immediately after the task is created.
Step 6 Click Next, select NEs to be migrated and servers that manage these NEs before and after
migration.
• In Source NE subarea, select the logical IP address of the server that manages the NE
before migration.
• In Destination NE subarea, select the logical IP address of the server that will manage
the NE after migration.
• Select the NEs to be migrated from the navigation tree.
Step 7 Click Finish.
• If the task execution result is Successful, perform Step 8.
• If the task execution result is Partially successful or Failed, contact Huawei technical
support engineers.
NOTE
• The new task is displayed in the task list. Perform the NE migration task immediately or at the
specified time.
• When the NE migration task is being performed, migration status of each NE is displayed in Result
Information.
• The following are possible causes of migration failures:
– The installed NE mediation is incorrect.
– The U2000 system services are not running properly.
– The database system is not running properly.
NOTICE
The selected NE must be in the connection state. If the NE is disconnected, connect it and
then perform the following steps.
If the preceding operations are successful, NEs are migrated successfully. Otherwise, contact
Huawei technical support.
----End
Procedure
Step 1 Choose Performance > Query Result (traditional style); alternatively, double-click
Performance in Application Center and choose Result > Query Result (application style),
and click New Query.
Step 2 Set Organization Style to Object type or Function subset.
Step 3 In the navigation tree in the left pane of the New Query dialog box, select the NE type node
of the NEs to be migrated.
NEs that you can select are displayed in the navigation tree in the Available Objects area of
the Object tab page.
Step 5 On the Counter and Time tab pages, set other search criteria.
----End
Parameters
Parameter Description
NE Description:
If you select this option, the system performs the created task once
at the specified time point.
Description:
Select NEs to be migrated.
NOTE
Use the filter or search function to quickly locate NEs to be migrated.
Logs record the operations on the U2000 and important system events. With log
management, you can query logs and collect statistics on the log information.
Context
NOTE
This section describes operating system logs and how to set U2000 log forwarding. For details about
other types of logs and the log management functions on the client, see U2000 Log Management User
Guide.
U2000 log management includes functions such as querying logs, managing log
templates, saving logs, and printing logs.
NOTE
This section describes operating system logs. For details about other types of logs, see Log Types in
U2000 Log Management User Guide.
Log Content
SUSE logs record boot messages during the startup of the SUSE Linux operating system,
and other status messages during system running.
Log Path
SUSE logs are recorded in the messages file in /var/log.
Log Format
SUSE logs are recorded in the following format:
Date and time of events Host name Event description
Log Check
Generally, the messages file does not contain error information such as error, Error, failed
and Failed. If the file has any error information, contact technical support personnel for
assistance.
Log Content
The system tool logs consist of the U2000 application system log, OSS Self-Maintenance
Unit (OSMU) system log, operating system (OS) background tool log, and FTP log.
Log Path
• The U2000 application system log and OS background tool log are saved in the
localmessages file in the /var/log path.
• The FTP log is saved in the vsftpd.log file in the /var/log path.
• The OSMU system log is saved in the Operation.log file in the
/export/home/omc_control path.
Log Dump
The system automatically dumps a log file that exceeds 20 MB, and a maximum of 10 log
files can be dumped at a time.
● The log dump path is the same as its save path.
● A dumped log file is named in the following format: source log file name-YYYYMMDD.number.
For example, localmessages-20120423.0.
are discarded and cannot be restored. Operation records and system running records in these
logs cannot be found any more. With the log forwarding service, the U2000 can send OSS
logs and NE logs as Syslog packets to a third-party Syslog server for unified management.
The third-party Syslog server software can be one of the following: Syslog Watcher, Kiwi
Syslog Daemon, 3CDaemon, WinSyslog.
Figure 19-1 Position of the log forwarding service in the entire log forwarding system
[Figure not reproduced. Labels: Topo Service, Security Service, ..., DB, Syslog Forwarding agent, Syslog Server]
NOTE
● The logs in the U2000 Syslog database (omcDB) are written by each service module (such as the
fault, topology, and security modules). Log data in the OSS database is not deleted after logs are
forwarded.
● The following two conditions must be met to implement the log forwarding function:
○ Related logs have been written into the Syslog database. For details about the write function
configuration method, see Enabling Logging to U2000 Syslog Database in U2000
Administrator Guide.
○ The U2000 and a third-party Syslog server have been interconnected and can communicate
with each other. For details about the interconnection configuration method, see Setting the
Interconnection Between the U2000 and the Syslog Server.
Context
In HA and ATAE cluster systems, perform the following operations on the active server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the vi command to open the /opt/oss/server/etc/conf/IMAP_logsvc.xml file.
~> vi /opt/oss/server/etc/conf/IMAP_logsvc.xml
Step 3 Set syslogReportFlag to 1 for each log type whose logs are to be written into the Syslog
database. This enables the function of writing those logs into the Syslog database.
The following is an example of writing the system logs, operation logs, and security logs of
the U2000 into the Syslog database.
<syslog name="syslogReport">
    <logType name="41">
        <!-- Report switch: 0 - Off; 1 - On. This switch is for system
        logs. The switch is turned off by default. -->
        <param name="syslogReportFlag">1</param>
        <!-- Report level control: Only the logs at the same level or a
        higher level are reported. The default value is 2 (Risk). -->
        <!-- Log levels are 0:warning, 1:minor, 2:risk -->
        <param name="syslogReportLevel">2</param>
    </logType>
    <logType name="42">
        <!-- Report switch: 0 - Off; 1 - On. This switch is for
        operation logs. The switch is turned off by default. -->
        <param name="syslogReportFlag">1</param>
    </logType>
    <logType name="43">
        <!-- Report switch: 0 - Off; 1 - On. This switch is for security
        logs. The switch is turned off by default. -->
        <param name="syslogReportFlag">1</param>
        <!-- Report level control: Only the logs at the same level or a
        higher level are reported. The default value is 1 (Minor). -->
    </logType>
</syslog>
NOTE
Log level selection is not provided for operation logs (42) because operation logs at all levels are
reported.
Step 4 Save the file and exit vi. Run the following commands to
import /opt/oss/server/etc/conf/IMAP_logsvc.xml to the database:
~> cd /opt/oss/server
~> . svc_profile.sh
NOTE
● When the log service is restarted, all the dependent services are also restarted.
● You can check the list of dependent services of the log service in the System Monitor Browser
window of the U2000 client by double-clicking LogService on the Service Monitor tab.
----End
Context
In HA and ATAE cluster systems, perform the following operations on the active server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Perform the following operations to enable NE Operation Log Forwarding and NE Security
Log Forwarding.
1. Run the vi command to modify the
/opt/oss/server/etc/SWMService/Fixture/NeLog/ne_syslog_forward.xml file. Refer to the
following example to set NEOperationLog and NESecurityLog to 1.
<syslogReport>
    <!-- Report switch: 0 - Off; 1 - On. The switch is turned off by default. -->
    <logType name="NEOperationLog">1</logType>
    <logType name="NESecurityLog">1</logType>
</syslogReport>
2. Save the file and exit vi.
3. Run the following command to restart the SWMService service.
~> svc_adm -cmd restartsvc SWMService
NOTE
The NE system log forwarding function relies on the SyslogCollectorDM service. Therefore, you must
enable the SyslogCollectorDM service before enabling NE system log forwarding.
----End
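Because both report switches are off by default, it is worth checking after the change which log types are actually written for forwarding. The following Python audit is an added example, not U2000 code: it parses constructed samples shaped like the IMAP_logsvc.xml and ne_syslog_forward.xml fragments shown above. The sample contents, the function names, and the reading of "the same level or a higher level" as a level number greater than or equal to syslogReportLevel are assumptions.

```python
import xml.etree.ElementTree as ET

# Type codes and level names as given in the comments of IMAP_logsvc.xml.
OSS_LOG_TYPES = {"41": "system", "42": "operation", "43": "security"}
LEVELS = ["warning", "minor", "risk"]        # list index = level number
DEFAULT_LEVEL = {"41": 2, "43": 1}           # operation logs (42) have no level

# Constructed sample shaped like IMAP_logsvc.xml; security logs left at "off".
SAMPLE_LOGSVC = """
<syslog name="syslogReport">
  <logType name="41">
    <param name="syslogReportFlag">1</param>
    <param name="syslogReportLevel">2</param>
  </logType>
  <logType name="42">
    <param name="syslogReportFlag">1</param>
  </logType>
  <logType name="43">
    <param name="syslogReportFlag">0</param>
    <param name="syslogReportLevel">1</param>
  </logType>
</syslog>
"""

# Constructed sample shaped like ne_syslog_forward.xml; NESecurityLog left off.
SAMPLE_NE_FORWARD = """
<syslogReport>
  <logType name="NEOperationLog">1</logType>
  <logType name="NESecurityLog">0</logType>
</syslogReport>
"""


def audit_oss_logs(xml_text):
    """Map each U2000 log type to its switch state and the levels reported."""
    status = {label: {"enabled": False, "reported": []}
              for label in OSS_LOG_TYPES.values()}   # switches default to off
    root = ET.fromstring(xml_text)
    for block in root.iter("syslog"):
        if block.get("name") != "syslogReport":
            continue
        for log_type in block.findall("logType"):
            code = log_type.get("name")
            if code not in OSS_LOG_TYPES:
                continue
            params = {p.get("name"): (p.text or "").strip()
                      for p in log_type.findall("param")}
            if params.get("syslogReportFlag", "0") != "1":
                continue
            minimum = 0
            if code in DEFAULT_LEVEL:
                minimum = int(params.get("syslogReportLevel", DEFAULT_LEVEL[code]))
                if not 0 <= minimum < len(LEVELS):
                    raise ValueError("invalid syslogReportLevel for type " + code)
            # Assumption: "same level or higher" means level number >= minimum.
            status[OSS_LOG_TYPES[code]] = {"enabled": True,
                                           "reported": LEVELS[minimum:]}
    return status


def audit_ne_logs(xml_text):
    """Return the on/off state of the two NE log forwarding switches."""
    status = {"NEOperationLog": False, "NESecurityLog": False}
    for log_type in ET.fromstring(xml_text).iter("logType"):
        name = log_type.get("name")
        if name in status:
            status[name] = (log_type.text or "").strip() == "1"
    return status


def findings(oss_status, ne_status):
    """List every log source that is dropped or only partly reported."""
    out = []
    for label, state in oss_status.items():
        if not state["enabled"]:
            out.append("U2000 %s logs are not written to the Syslog database" % label)
        elif len(state["reported"]) < len(LEVELS):
            out.append("U2000 %s logs: only %s level(s) reported"
                       % (label, "/".join(state["reported"])))
    for name, enabled in ne_status.items():
        if not enabled:
            out.append("%s forwarding is switched off" % name)
    return out


if __name__ == "__main__":
    for line in findings(audit_oss_logs(SAMPLE_LOGSVC),
                         audit_ne_logs(SAMPLE_NE_FORWARD)):
        print(line)
```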
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following command to open the configuration file
/opt/oss/server/etc/conf/IMAP_syslogsvc.xml:
~> vi /opt/oss/server/etc/conf/IMAP_syslogsvc.xml
Step 3 Based on the format of logs to be forwarded, add or modify configuration items that specify
regular expressions under filterRegexList. By default, the configuration file provides the
following configuration item that specifies the regular expression for filtering and forwarding
NE security logs:
<filterRegexList name="filterRegexList">
    <param name="r01">\(s\)(\[[0-9]+\])?:</param>
</filterRegexList>
NOTE
When adding a configuration item, specify a number and a regular expression for the configuration item.
The configuration item number must be unique in the file. For example, to filter and forward NE
operation logs, add <param name="r02">\(l\)(\[[0-9]+\])?:</param> under filterRegexList.
Step 4 Press Esc to switch to the command-line interface (CLI) mode. Run the :wq! command to
save and close the IMAP_syslogsvc.xml file.
Step 5 Run the following command to import the configuration file into the database:
~> SettingTool -cmd import -file /opt/oss/server/etc/conf/IMAP_syslogsvc.xml
Step 6 When setting the interconnection between the U2000 and the Syslog server on a client, set
String filter to a regular expression specified in the configuration file so that logs that match
the regular expression can be forwarded to the specified server. For details, see 19.3.5 Setting
the Interconnection Between the U2000 and the Syslog Server. If the value of String filter
on the client is different from the regular expression or the configuration file does not contain
the regular expression, logs are filtered based on the value of String filter, which is used as a
common string. That is, if logs contain the value of String filter, the U2000 forwards the
logs. Otherwise, the U2000 does not forward the logs.
For example, if the regular expression \(s\)(\[[0-9]+\])?: for filtering and forwarding NE
security logs is specified on the server, you can set String filter to \(s\)(\[[0-9]+\])?: on a
client so that the U2000 forwards NE security logs that contain (s): or (s)[n]: (n indicates a
non-negative integer) to the specified server.
----End
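The matching rule in Step 6 has a consequence that is easy to miss: a String filter that is not listed in the configuration file is matched as a plain string, so a regular expression entered on the client without its server-side entry forwards nothing. The following Python model is an added example, not U2000 code; the log lines are constructed, the function names are hypothetical, and it assumes exact string comparison between String filter and the configured items and that Python's re module accepts the same expressions as the product.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the filterRegexList fragment, with the r02 item from the
# NOTE (NE operation logs) added.
SAMPLE_SYSLOGSVC = r"""
<filterRegexList name="filterRegexList">
  <param name="r01">\(s\)(\[[0-9]+\])?:</param>
  <param name="r02">\(l\)(\[[0-9]+\])?:</param>
</filterRegexList>
"""

# Constructed log lines; only the (s): / (s)[n]: / (l): markers follow the page.
SAMPLE_LOGS = [
    "Aug 30 10:00:01 ne01 (s): user admin login failed",
    "Aug 30 10:00:02 ne01 (s)[17]: account locked",
    "Aug 30 10:00:03 ne01 (l): set cell parameter",
    "Aug 30 10:00:04 ne01 link status changed",
]


def load_filter_regexes(xml_text):
    """Return {item number: regex}, rejecting duplicate item numbers."""
    regexes = {}
    for regex_list in ET.fromstring(xml_text).iter("filterRegexList"):
        for param in regex_list.findall("param"):
            name = param.get("name")
            if name in regexes:
                # The configuration item number must be unique in the file.
                raise ValueError("duplicate configuration item number: %s" % name)
            pattern = (param.text or "").strip()
            re.compile(pattern)          # raises re.error on a malformed pattern
            regexes[name] = pattern
    return regexes


def filter_mode(string_filter, regexes):
    """'regex' if the client value is a configured expression, else 'plain'."""
    return "regex" if string_filter in regexes.values() else "plain"


def forwarded(logs, string_filter, regexes):
    """Return the log lines that would be forwarded under the Step 6 rule."""
    if filter_mode(string_filter, regexes) == "regex":
        pattern = re.compile(string_filter)
        return [line for line in logs if pattern.search(line)]
    # Not configured on the server: the value is used as a common string.
    return [line for line in logs if string_filter in line]


if __name__ == "__main__":
    configured = load_filter_regexes(SAMPLE_SYSLOGSVC)
    security = configured["r01"]
    print("configured regex :", forwarded(SAMPLE_LOGS, security, configured))
    # Same client value, but r01 is missing from the server file: no log line
    # contains the expression text literally, so nothing is forwarded.
    print("missing on server:", forwarded(SAMPLE_LOGS, security, {}))
    # A plain string only matches the exact marker and misses "(s)[17]:".
    print("plain '(s):'     :", forwarded(SAMPLE_LOGS, "(s):", configured))
```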
Context
The log forwarding server forwards only security logs, operation logs, and system logs.
Procedure
Step 1 Choose System > Log Management > Log Forwarding Servers (traditional style);
alternatively, double-click Security Management in Application Center and choose
Settings > Log Forwarding Servers (application style) from .
Step 2 You can perform the following operations in the Log Forwarding Servers window.
Refresh: After another user updates the information about the log forwarding server, click
Refresh to obtain the updated information.
----End
Context
When TCP or Transport Layer Security (TLS) mode is configured for Syslog servers, there
are three situations:
1. If the U2000 successfully connects to the primary Syslog server, it forwards logs only to
this Syslog server.
2. If the U2000 fails to connect to the primary Syslog server, it attempts to connect to the
secondary Syslog server. If the connection is successful, the U2000 forwards logs only to
the secondary Syslog server.
3. If the U2000 fails to connect to both the primary and secondary Syslog servers, log
forwarding is unavailable for the Syslog servers.
The log forwarding service reports the following two alarms to the fault module when the
connection is abnormal:
● ALM-121 Alarm of the Switchover to the Standby Syslog Server: This alarm is
reported when the U2000 fails to connect to the primary Syslog server and attempts to
connect to the secondary Syslog server.
● ALM-122 Alarm of the Failure to Connect the Master and Standby Syslog Servers:
This alarm is reported when the U2000 fails to connect to both the primary and
secondary Syslog servers.
To ensure proper communication between the U2000 and Syslog server, you must clear the
alarm in a timely manner.
Procedure
● Clear the ALM-121 Alarm of the Switchover to the Standby Syslog Server alarm by
following the procedure provided in ALM-121 Alarm of the Switchover to the
Standby Syslog Server in the online help.
● Clear the ALM-122 Alarm of the Failure to Connect the Master and Standby Syslog
Servers alarm by following the procedure provided in ALM-122 Alarm of the Failure
to Connect the Master and Standby Syslog Servers in the online help.
----End
Scenario Introduction
If the trust certificates of the third-party Syslog server are changed, you need to update the
trust certificates deployed on the U2000 server. For detailed operations in a specific scenario,
see Table 19-1.
Table 19-1 Managing trust certificates of the Syslog server on the U2000 server
Scenario: The third-party Syslog log forwarding server is used for the first time.
Operation: 19.3.7.1 Deploying Log Forwarding Service Certificates
NOTE
When forwarding logs using the TLS protocol, the U2000 uses the certificate of the U2000 server
by default. The certificate is saved in the /opt/oss/server/etc/ssl directory. To prevent the
certificates from affecting each other in different scenarios, you are advised to deploy the
certificate in the /opt/oss/server/etc/ssl/syslog directory.
Scenario: The CA granting certificates to the third-party Syslog log forwarding server is not
changed, and the trust certificates are updated.
Operation:
● If the CAs granting certificates to the U2000 server and to the third-party Syslog log
forwarding server are the same, or are two sub-CAs in the same CA, perform the following
operations:
19.3.7.2 Updating Log Forwarding Service Certificates
● If the CAs granting certificates to the U2000 server and to the third-party Syslog log
forwarding server are different, and are not two sub-CAs in the same CA, perform the
following operations:
1. Delete old trust certificates of the third-party Syslog log forwarding server by following
the instructions provided in 19.3.7.4 Deleting Trust Certificates of the Third-party Syslog
Server from the U2000 Server.
2. Add new trust certificates of the third-party Syslog log forwarding server by following
the instructions provided in 19.3.7.3 Adding Trust Certificates of the Third-party Syslog
Server to the U2000 Server.
Scenario: The server trusts a new CA granting certificates to the third-party Syslog log
forwarding server.
Operation: 19.3.7.3 Adding Trust Certificates of the Third-party Syslog Server to the U2000
Server
Scenario: The third-party Syslog log forwarding server is no longer used.
Operation: Query the file name and issuer of the trust certificate of the third-party Syslog log
forwarding server by following the instructions provided in ssl_adm -cmd queryCA.
● If the file name and issuer of the trust certificate exist, follow the instructions provided in
19.3.7.4 Deleting Trust Certificates of the Third-party Syslog Server from the U2000 Server.
● If the file name and issuer of the trust certificate do not exist, no further action is required.
Prerequisites
The following certificates have been obtained:
● Identity certificate and key of the U2000 server: server.cer and server_key.pem or
server.p12 and its encrypted password
● Trust certificate of the third-party Syslog server
● Optional: Certificate revocation list (CRL) issued by the CA trusted by the third-party
Syslog server
NOTE
The identity certificate of the U2000 server and the trust certificate of the third-party Syslog server must
be issued by the same CA or two sub-CAs in the same CA. When they are issued by two sub-CAs in the
same CA, the trust certificates of both the CA and the two sub-CAs must be prepared.
Context
● The authentication mode (unidirectional or bidirectional authentication) for the
log forwarding service is configured on the third-party Syslog server. To ensure
security, bidirectional authentication is recommended.
● If the U2000 server and the third-party Syslog server trust the same CA, they can use the
certificate deployed on the U2000 server during the mutual authentication. Certificate
deployment is not required.
● If unidirectional authentication (only the U2000 server authenticates the third-party
Syslog server) is applied and the U2000 server and the third-party Syslog server trust
their respective CAs, deploy the trust certificate of the third-party Syslog server and the CRL
issued by an authorized CA on the U2000 server.
● If bidirectional authentication is applied and the U2000 server and the third-party Syslog
server trust their respective CAs, deploy the trust certificate of the third-party Syslog server
and the CRL issued by an authorized CA on the U2000 server. In addition, deploy the
trust certificate of the U2000 server and the CRL issued by an authorized CA on the
third-party Syslog server.
● This section describes how to deploy a trust certificate and the CRL for the third-party
Syslog server on the U2000 server. In an ATAE cluster system, run this command on the
master server only.
● Re-log in to the client after deploying the certificates on the server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a path for the certificates. In this example,
/opt/oss/server/syslogcertificates is created.
~> cd /opt/oss/server
Step 3 Use FileZilla to upload the trust certificate, identity certificate, and CRL to the U2000 server.
For details about how to use the FileZilla tool, see Transferring Files by Using FileZilla. You
must set the following information when uploading the certificates:
● User name and password: name and password of the ossuser user
● File path on the server: /opt/oss/server/syslogcertificates
Step 4 Stop U2000 services. For details, see Stopping U2000 Services.
Step 5 Run the following command on the server to back up the certificates. If the certificates have
not been deployed, perform Step 6.
~> . /opt/oss/server/svc_profile.sh
NOTE
● The certificate backup path can be an absolute or relative path. The relative path is relative
to /opt/oss/server.
● Assume that certificates are backed up to /opt/oss/server/var/backup/deployssl/ssl/syslog.
Step 6 Run the following command to deploy the log forwarding service certificates.
NOTE
In the command, var/backup/deployssl is the path to the certificate backup, which can be an
absolute or relative path. The relative path is relative to /opt/oss/server.
Perform Step 6 to deploy certificates after they are restored.
If the failure persists, contact Huawei technical support engineers.
----End
Prerequisites
The following certificates have been obtained:
● Identity certificate and key of the U2000 server: server.cer and server_key.pem or
server.p12 and its encrypted password
● Trust certificate of the third-party Syslog server
● Optional: Certificate revocation list (CRL) issued by the CA trusted by the third-party
Syslog server
NOTE
The identity certificate of the U2000 server and the trust certificate of the third-party Syslog server must
be issued by the same CA or two sub-CAs in the same CA. When they are issued by two sub-CAs in the
same CA, the trust certificates of both the CA and the two sub-CAs must be prepared.
Context
● When updating certificates, you must provide identity certificates. If the identity
certificates do not need to be updated, use the original identity certificates.
● In an ATAE cluster system, run this command on the master server only.
● Re-log in to the client after deploying the certificates on the server.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a path for the certificates. In this example,
/opt/oss/server/syslogcertificates is created.
~> cd /opt/oss/server
Step 3 Use FileZilla to upload the trust certificate, identity certificate, and CRL to the U2000 server.
For details about how to use the FileZilla tool, see Transferring Files by Using FileZilla. You
must set the following information when uploading the certificates:
● User name and password: name and password of the ossuser user
NOTE
● The certificate backup path can be an absolute or relative path. The relative path is relative
to /opt/oss/server.
● Assume that certificates are backed up to /opt/oss/server/var/backup/deployssl/ssl/syslog.
Step 6 Run the following command to update the log forwarding service certificates.
~> ssl_adm -cmd update_certs -app syslog -dir /opt/oss/server/syslogcertificates
Enter the identity certificate password of the U2000 server as prompted.
NOTE
In the command, var/backup/deployssl is the path to the certificate backup, which can be an
absolute or relative path. The relative path is relative to /opt/oss/server.
After the certificates are restored, perform Step 6 to deploy the certificate again.
Step 7 Start U2000 services. For details, see Starting U2000 Services.
----End
19.3.7.3 Adding Trust Certificates of the Third-party Syslog Server to the U2000
Server
To allow the U2000 server to properly communicate with the third-party Syslog server using
SSL or TLS, deploy the trust certificates of the third-party Syslog server on the U2000 server.
Add the new trust certificate of the third-party Syslog server to the U2000 server in either of
the following cases:
● The U2000 server trusts a new CA granting certificates to the third-party Syslog server.
● The trust certificate is updated, and the CA granting certificates to the third-party Syslog
server is not changed but is different from that granting certificates to the U2000 server, and
the two CAs are not sub-CAs in the same CA.
Prerequisites
● The new trust certificate granted by the certificate authority (CA) of the peer has been
obtained.
● You have deployed certificates on the U2000 server by running the ssl_adm -cmd
replace_certs command.
Context
● When the U2000 server functions as an SSL client, the peer is authenticated by default.
● The new trust certificate must contain its root certificate. If the root certificate has been
deployed on the U2000 server, delete the root certificate by following the instructions
provided in 19.3.7.4 Deleting Trust Certificates of the Third-party Syslog Server
from the U2000 Server, and then add it again.
● In an ATAE cluster system, run this command on the master server only.
● After a certificate is deployed on the server, you must log in to the client again.
● To update trust certificates of the third-party Syslog server, delete the trust certificate that
is no longer trusted by following the instructions provided in 19.3.7.4 Deleting Trust
Certificates of the Third-party Syslog Server from the U2000 Server, and add a trust
certificate again.
● The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Run the following commands to create a directory for saving certificates. In this example, all
certificates are saved under the /opt/oss/server/certificates directory.
~> cd /opt/oss/server
For details about how to use FileZilla, see How Do I Use FileZilla to Transfer Files?. Set
the following information when uploading the files:
● User name and password: name and password of user ossuser
● File path on the server: /opt/oss/server/certificates
NOTE
One trust certificate file can contain only one trust certificate.
Step 4 Stop U2000 services. For details, see Stopping U2000 Services.
Step 5 Run the following commands to add trust certificates of the third-party Syslog server to the
U2000 server.
NOTE
● In the preceding commands, /opt/oss/server/certificates is the directory for saving new trust
certificates.
● After the command is executed, all certificates in the /opt/oss/server/certificates directory are
deployed to /opt/oss/server/etc/ssl/syslog.
● For details about the certificate directory after certificates are added, see Certificate Save Path and
Naming Conventions.
Execution result:
● If the system displays the Operation succeeded. message, the certificates have
been added successfully. Go to Step 6.
● Otherwise, the trust certificates fail to be added. If this occurs, locate the failure and then
restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
Step 6 Start U2000 services. For details, see Starting U2000 Services.
----End
19.3.7.4 Deleting Trust Certificates of the Third-party Syslog Server from the
U2000 Server
When the U2000 server communicates with the third-party Syslog server using SSL or TLS,
deploy the trust certificate of the third-party Syslog server on the U2000 server. If you no
longer use the third-party Syslog log forwarding server, delete the trust certificates of the
third-party Syslog server from the U2000 server.
Prerequisites
You have run the ssl_adm -cmd addCA command to add trust certificates to the U2000
server. For details, see 19.3.7.3 Adding Trust Certificates of the Third-party Syslog Server
to the U2000 Server.
Context
● The certificate deployed by running the ssl_adm -cmd replace_certs command must be
updated by running the ssl_adm -cmd update_certs command.
● In an ATAE cluster system, run this command on the master server only.
● After a certificate is deployed on the server, you must log in to the client again.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user ossuser in SSH mode.
Step 2 Stop U2000 services. For details, see Stopping U2000 Services.
Step 3 Run the following commands to query file names and issuers of the added trust certificates of
the third-party Syslog server.
~> ssl_adm -cmd queryCA -app syslog
Execution result:
● If the message No trust certificate is incrementally deployed by running the ssl_adm -cmd addCA command.
is displayed, no trust certificate has been added by running the ssl_adm -cmd addCA command.
● If information similar to the following is displayed, the file name and issuer of the
current trust certificate are 600755ba.0 and C=CN, ST=Guangdong, L=ShenZhen,
O=Huawei, OU=CMC, CN=huawei_root, respectively. Go to Step 4.
Deployed trust certificates are as follows:
name: issuer:
600755ba.0 C=CN, ST=Guangdong, L=ShenZhen, O=Huawei,
OU=CMC, CN=huawei_root
Step 4 Run the following commands to delete trust certificates of the third-party Syslog server from
the U2000 server. The trust certificate 600755ba.0 is used as an example.
~> ssl_adm -cmd deleteCA -name 600755ba.0 -app syslog
Execution result:
● If the system displays a message similar to the following, the trust certificates have been
deleted. Go to Step 5.
Operation succeeded.
● Otherwise, the trust certificates fail to be deleted. If this occurs, locate the failure and
then restore the trust certificates by running the following command:
~> ssl_adm -cmd restore -backpath var/backup/ssl_backup/YYYYMMDDhhmmss
NOTE
Perform Step 4 to delete the trust certificates after they are restored.
If the trust certificates still fail to be deleted, contact Huawei technical support engineers.
Step 5 Start U2000 services. For details, see Starting U2000 Services.
----End
If the Trace Server and U2000 are deployed on different ATAE server boards but in the same
ATAE subrack, the Trace Server maintenance and measurement tool and OSS Management
Tool can be used to collect service logs, analyze reported abnormal data, and query the
subscription content and NE distribution, so that the Trace Server system can be maintained
quickly while it is running.
Context
● The Trace Server maintenance and measurement tool is supported in Trace Server
V200R015C10SPC230 and later.
● Only one user can use the Trace Server maintenance and measurement tool at a time. If
the system displays the message This script is being used by another user
when you use this tool, another user is using the tool. Ensure that the tool is not
used by others before using it.
● The Trace Server maintenance and measurement tool must be run on the U2000
server.
20.1 Querying System Information
This section describes how to query the deployment mode, IP address, and software version
of the Trace Server using Trace Server maintenance and measurement tool.
20.2 Subscription and Collection
This section describes how to perform subscription and collection operations on the Trace
Server, such as querying and synchronizing subscription information between the Trace
Server and its upper-layer application.
20.3 Enabling the Trace Server to Process Data of an RNC with Extra-large Specifications
If data generated on an RNC exceeds the processing capability of a single Trace Server board
(the RNC is referred to as an RNC with extra-large specifications), configure the Trace Server
so that RNC data can be offloaded to other Trace Server boards. If the Trace Server does not
need to collect or process the data of such RNCs, skip this section.
20.4 Configuring the Trace Server to Process Data of PS Domain NEs
The reporting mechanism for data of PS domain NEs is different from that for data of RAN
NEs. By default, the Trace Server cannot process data of PS domain NEs and RAN NEs at the
same time. If the Trace Server manages both PS domain NEs and RAN NEs, you need to
configure the Trace Server by following the operations provided in this section. Otherwise,
skip this section.
20.5 Managing Trace Server Load
If the Trace Server load is high, the system may become slow or have no response. If
resource-related alarms, such as high CPU, memory, or disk usage, are generated, you can
collect statistics on and analyze Trace Server load and migrate NEs in a timely manner to
ensure that the Trace Server runs properly.
20.6 Fault Locating and Handling
This section describes how to locate and handle common faults.
20.7 Configuring the LTE Cell Management Capability
This section describes how to use Trace Server maintenance and measurement tool to
configure the LTE cell management capability of the Trace Server.
20.8 Managing the NEs in Trace Server
Prerequisites
The U2000 server services are running properly.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Information Collection > Trace Server Basic Information and query the system
information about the Trace Server.
Trace Server Deploy Type :
Co-deployed with the U2000 in the ATAE cluster system
Slave IP :
10.144.255.38
U2000 Master IP :
10.144.255.28
Parameter Description
U2000 Master IP: The IP address of the U2000 corresponding to the Trace Server. If the
U2000 is not deployed on a single server, this parameter specifies the
IP address of the host U2000.
NOTE
----End
Prerequisites
The U2000 server services are running properly.
Context
The Trace Server maintenance and measurement tool retains only the seven latest query result
files and automatically deletes earlier files in chronological order.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Query Subscribe Information > By NE.
NOTE
This function can only be used to query information about NE distribution and cell subscription on a
specific server or all servers at a time.
When information similar to the following is displayed, a slave server is deployed in the
system. Enter the IP address of one board on which the information needs to be queried as
prompted. Alternatively, press Enter to query the information about all service boards.
All Trace Server IP :
10.144.48.42 10.144.48.45 10.144.48.46
Enter the IP address of a Trace Server. If the IP address is empty, the
information of all Trace Server boards are collected by default:
● When information similar to the following is displayed, there is no NE subscription
information on the Trace Server board.
No subscribe information.
Parameter Description
Step 4 Perform the following operations to query detailed NE distribution information on all boards
by data collection service using the Trace Server maintenance and measurement tool.
1. Run the following commands to run the Trace Server maintenance and measurement
tool.
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
2. Choose Statistics and Migrate > Query NE Information.
IP,TSPARTITION,NEFDN,NETYPE
10.144.48.41,TSCollector0301,NE=256,eNodeBNE
10.144.48.41,TSCollector0302,NE=257,eNodeBNE
10.144.48.41,TSCollector0303,NULL,NULL
10.144.48.41,TSCollector0304,NULL,NULL
The preceding command output is used as an example. The parameters are described as
follows:
----End
Prerequisites
The U2000 server services are running properly.
Context
● The Trace Server maintenance and measurement tool supports synchronization of
subscription information to all NEs or specified NEs.
● The Trace Server maintenance and measurement tool supports synchronization of
subscription information only to LTE NEs.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
NOTE
○ You can input multiple eNodeB IDs and separate them by a semicolon (;). And the
content you input must end with a complete eNodeB ID without ;.
○ If the subscription information needs to be synchronized to eNodeBs whose IDs
are 123, 456, 111, 222, and 555, the content you input is as follows:
123;456;111;222;555
iv. Confirm the number of specified NEs and enter y/Y when information
similar to the following is displayed by the system, then press Enter to start
the synchronization.
The number of specified NEs is X.Are you sure you want to
synchronize LTE subscription information to these NEs(Y/N)? y
NOTE
The X in the information displayed by the system stands for the number of specified
NEs. It varies based on actual situation.
v. If the message Successful is displayed, the synchronization is successful.
Otherwise, handle the synchronization failure according to the displayed
instructions.
○ If the displayed information contains The eNodeB ID is invalid,
it indicates that there are invalid eNodeB IDs. In this case, choose
Synchronize NE subscription information to NEs > Synchronize LTE
NE subscription information to specified NEs > By the command line
in the menu displayed by the system, enter the correct eNodeB IDs, and then
execute the synchronization. If the system still displays The eNodeB ID is invalid,
query whether the configuration data of the
corresponding eNodeB has been synchronized successfully by
referring to the section Viewing NE Configuration Data Synchronization
Information in U2000 Online Help. If the data has been synchronized
successfully, contact Huawei technical support engineers. Otherwise,
ii. Upload the synchronization list file synSubscribe.txt to the path /opt/oss/
server/var/TSService on the master server by using FileZilla as user ossuser.
For details, see Transferring Files to the Trace Server by Using FileZilla.
iii. Run the following command to change the file format.
~> dos2unix /opt/oss/server/var/TSService/synSubscribe.txt
iv. Run the following commands to execute the Trace Server maintenance and
measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
v. Choose the corresponding operation based on the version of Trace Server:
○ If Trace Server is V200R016C10SPC240 or later version, choose
Statistics and Migrate > Synchronize NE subscription information to
NEs > Synchronize LTE NE subscription information to specified
NEs > By uploading file.
○ If Trace Server is other version, choose Statistics and Migrate >
Synchronize NE subscription information to NEs > Synchronize LTE
NE subscription information to specified NEs.
vi. Confirm the number of specified NEs. When information similar to the
following is displayed by the system, enter y/Y and press Enter to start the
synchronization.
The number of specified NEs is X. Are you sure you want to
synchronize LTE subscription information to these NEs(Y/N)? y
X stands for the number of the NEs whose subscription information needs to
be synchronized. If the number of NEs in the displayed information is
inconsistent with that in the synchronization list file, enter n/N, and perform
Step 2.i again to modify the synchronization list file and synchronize
subscription information after uploading the list file to Trace Server.
vii. If the message Successful is displayed, the synchronization is successful.
Otherwise, handle the synchronization failure according to the displayed
instructions.
○ If the displayed information contains The eNodeB ID is invalid,
the synchronization list file contains invalid eNodeB IDs. In this case,
perform Step 2.i to correct the format or eNodeB IDs, and execute the
synchronization after uploading the list file to the Trace Server. If the
system still displays The eNodeB ID is invalid, check whether
the configuration data of the corresponding eNodeB has been
synchronized successfully by referring to the section Viewing NE
Configuration Data Synchronization Information in U2000 Online
Help. If the data has been synchronized successfully, contact Huawei
technical support engineers. Otherwise, synchronize the configuration
data of the corresponding eNodeB by referring to the section Synchronizing
NE Configuration Data in U2000 Online Help, and then synchronize
the subscription by referring to this section.
○ If the displayed information contains TSCollector0X0Y Service
Exception, the data collection service in the subarea to which the
specified NEs belong is abnormal. In this case, contact Huawei technical
support engineers.
○ If the displayed information contains This NE is subscribing, a
subscription task is being executed for this NE. Subscription information
is automatically checked during a subscription task. You can ignore the
information.
viii. Run the following commands to delete the synchronization list file.
~> cd /opt/oss/server/var/TSService
~> rm synSubscribe.txt
----End
Prerequisites
l The U2000 services are running properly.
l You have obtained the FDN of the RNC.
Context
If the Trace Server is not enabled to process data of an RNC with extra-large specifications
and the existing partition is used to manage the RNC, the partition is the Master partition for
the RNC by default.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Perform the following operations to query Master partition information of the RNC:
1. Run the following commands to export a partition information file of all NEs:
~> cd /opt/oss/server/rancn/bin
~> sh getNeToTSRelation.sh
----End
Prerequisites
l The U2000 services are running properly.
l You have obtained the FDN of the RNC.
l You have contacted Huawei technical support engineers to confirm the Master partition
name for an RNC.
Context
l For an RNC, the sum of the load ratios of Master and Overflow partitions processing
services is 100. Use the Trace Server maintenance and measurement tool to modify the
load ratio of an Overflow partition. After the modification, the load ratio of the Master
partition automatically changes.
l Only one Master partition can be allocated to a given RNC.
Procedure
l Add the Master partition.
a. Create or modify the configuration file by using PC:
NOTE
When you initially create the MasterPatitions file during function commissioning, create
and save this file as a CSV file using Notepad. To perform maintenance operations in the file
using Notepad, obtain the file from the /opt/oss/server/var/TSService directory on the
Trace Server master board as user ossuser using FileZilla.
i. Add information about the RNC to the file. The format is as follows:
FDN of the RNC,TSCollectorXXXX
If the FDN of an RNC is NE=256 and the Master partition to be added is
TSCollector0101, add the following information to the file:
NE=256,TSCollector0101
NOTE
l In a given row, the Master partition can be configured for only one RNC.
l In the preceding command, TSCollectorXXXX indicates the data collection
service. Replace it with the actual name.
l FDN of the RNC and TSCollectorXXXX are separated by a comma (,).
ii. Upload the configuration file MasterPatitions.csv to the path /opt/oss/
server/var/TSService on the master server by using FileZilla as user ossuser.
For details, see Transferring Files to the Trace Server by Using FileZilla.
b. Use PuTTY to log in to the master server of Trace Server in SSH mode as ossuser.
For details, see Logging In to a Board Using PuTTY.
c. Run the following command to change the format of the configuration file.
~> dos2unix /opt/oss/server/var/TSService/MasterPatitions.csv
d. Run the following commands to run the Trace Server maintenance and
measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
e. Choose Statistics and Migrate > Add NE Master Partition. Add a Master
partition to the RNC.
Prerequisites
The U2000 services are running properly.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Export Overflow Partition Information. Export the
Overflow partition information file of the RNC.
If information similar to the following is displayed, the Overflow partition information file
has been exported successfully. Otherwise, contact Huawei technical support engineers.
Export overflow partition information successfully! Result file is /opt/oss/
server/var/TSService/OverFlowPartitionInfosYYYYMMDDhhmmss.csv
Step 4 Run the following commands to view the Overflow partition information file of the RNC:
~> cd /opt/oss/server/var/TSService
NE=256,TSCollector0301,40
NE=285,TSCollector0402,40
NE=285,TSCollector0504,20
The preceding command output is for reference only. These parameters are described as
follows:
l If no Overflow partitions are configured for the RNC, the file contains only the parameter name line.
This is a normal phenomenon, and you can ignore it.
l For an RNC, the sum of the load ratios of Master and Overflow partitions is 100. After obtaining the
load ratio of each Overflow partition, subtract the sum of these values from 100 to obtain the load
ratio of the Master partition.
----End
Prerequisites
l The U2000 services are running properly.
l You have obtained the FDN of the RNC.
l You have added the Master partition to the RNC.
Context
For an RNC, the sum of the load ratios of Master and Overflow partitions processing services
is 100. Use the Trace Server maintenance and measurement tool to modify the load ratio of an
Overflow partition. After the modification, the load ratio of the Master partition automatically
changes.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Export Overflow Partition Information. Export the
Overflow partition information file of the RNC.
If information similar to the following is displayed, the Overflow partition information file
has been exported successfully. Otherwise, contact Huawei technical support engineers.
Export overflow partition information successfully! Result file is /opt/oss/
server/var/TSService/OverFlowPartitionInfosYYYYMMDDhhmmss.csv
The name of the Overflow partition information file in the preceding command output is for
reference only. Use the actual file name.
Step 4 Choose Quit > Quit to exit the Trace Server maintenance and measurement tool.
Step 5 Download the partition information file to the PC and change its name to
ModifyOverFlowPartition.csv.
[Table: example Overflow partition settings before and after the modification]
After the modification, the contents of the Overflow partition information file are as
follows:
NEFDN,OVERFLOWPARTITION,OVERFLOWRATIO
NE=256,TSCollector0201,20,UPDATE
NE=257,TSCollector0301,40,DELETE
NE=257,TSCollector0401,20
NE=256,TSCollector0302,40,ADD
NOTE
– All the Overflow partitions of an RNC must be located on different servers from each other.
The Overflow partitions of an RNC must be located on different servers from its Master
partition. Check whether any two partitions are located on the same server based on the
partition names. If the second digits of certain partition names are the same, these partitions
are located on the same server. For example, TSCollector0301 and TSCollector0302 are
located on the same server.
For details about how to query the Master partition an RNC belongs to, see Querying Master
Partition Information.
– OVERFLOWRATIO indicates the load ratio, which is an integer ranging from 1 to 99.
– When modifying the load ratio of a partition for an RNC, ensure that the partition information
is in the same row.
– For an RNC, the maximum total load ratio of Overflow partitions is 99.
– If performing multiple operations on an Overflow partition for an RNC on the same server, for
example, adding, modifying, and deleting an Overflow partition, modify and import the
partition information file one operation at a time.
2. Upload the partition information file to the path /opt/oss/server/var/TSService on the
master server by using FileZilla as user ossuser. For details, see Transferring Files to the
Trace Server by Using FileZilla.
Step 7 Run the command to change the format of the partition information file.
~> dos2unix /opt/oss/server/var/TSService/ModifyOverFlowPartition.csv
Step 8 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 9 Choose Statistics and Migrate > Import Overflow Partition Information. Import the
modified partition information file to make the modification take effect.
...
Total 4 rows imported.
1 rows added. 1 rows updated, 1 rows deleted, 1 rows ignored, 0 rows failed.
Import overflow partition operations success.
In the preceding command output, four rows of configuration information have been
successfully imported: one row added, one row modified, one row deleted, and one row
unchanged.
If any row fails to be imported, check whether the contents of the partition information file
ModifyOverFlowPartition.csv are correct. If they are incorrect, go to Step 6 to correct the
contents, and import the file again. If the import failure persists, contact Huawei technical
support engineers.
----End
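The rules in the Step 6 NOTE can be checked on the file before it is imported in Step 9. The following shell function is an added example, not part of the Trace Server tool set: the function names are hypothetical, the second sample file is constructed, and the rule that Overflow partitions must not share a server with the Master partition is not covered.

```shell
#!/bin/sh
# Added example: pre-import check for ModifyOverFlowPartition.csv.
# Reads the CSV from the named file (or stdin), prints one line per problem,
# and returns 0 when no problem is found, 1 otherwise.
validate_overflow_csv() {
    awk -F',' '
    function err(msg) { print msg; bad = 1 }
    { sub(/\r$/, "") }          # tolerate CRLF when dos2unix has not been run yet
    NR == 1 {
        if ($0 != "NEFDN,OVERFLOWPARTITION,OVERFLOWRATIO")
            err("line 1: unexpected header")
        next
    }
    $0 == "" { next }
    {
        ne = $1; part = $2; ratio = $3; op = $4
        if (NF < 3 || NF > 4 || ne == "") {
            err("line " NR ": expected NEFDN,PARTITION,RATIO[,OPERATION]"); next
        }
        # Assumption: partition names are TSCollector plus four digits, as on the page.
        if (part !~ /^TSCollector[0-9][0-9][0-9][0-9]$/) {
            err("line " NR ": bad partition name"); next
        }
        if (ratio !~ /^[0-9]+$/ || ratio + 0 < 1 || ratio + 0 > 99) {
            err("line " NR ": OVERFLOWRATIO must be an integer from 1 to 99"); next
        }
        if (op != "" && op != "ADD" && op != "UPDATE" && op != "DELETE") {
            err("line " NR ": unknown operation"); next
        }
        if (seen[ne, part]++)
            err("line " NR ": " ne " lists " part " in more than one row")
        srv = substr(part, 13, 1)   # second digit of the partition number (server)
        # Reading of the last NOTE item used here: one operation per RNC and
        # server in a single import.
        if (op != "" && ops[ne, srv]++)
            err("line " NR ": " ne " has several operations on server " srv)
        if (op == "DELETE") next    # deleted rows are not part of the final state
        total[ne] += ratio
        if ((ne, srv) in kept)
            err("line " NR ": " ne " keeps " kept[ne, srv] " and " part " on one server")
        else
            kept[ne, srv] = part
    }
    END {
        for (ne in total)
            if (total[ne] > 99)
                err(ne ": Overflow ratios total " total[ne] ", maximum is 99")
        exit bad + 0
    }' "$@"
}

# File contents shown in this section after the modification.
sample_page_csv() {
    cat <<'EOF'
NEFDN,OVERFLOWPARTITION,OVERFLOWRATIO
NE=256,TSCollector0201,20,UPDATE
NE=257,TSCollector0301,40,DELETE
NE=257,TSCollector0401,20
NE=256,TSCollector0302,40,ADD
EOF
}

# Constructed input that breaks several rules of the NOTE.
sample_bad_csv() {
    cat <<'EOF'
NEFDN,OVERFLOWPARTITION,OVERFLOWRATIO
NE=300,TSCollector0301,60,ADD
NE=300,TSCollector0302,45,ADD
NE=301,TSCollector0401,100,UPDATE
NE=302,TSCollector0501,20,DELETE
NE=302,TSCollector0502,20,ADD
EOF
}

sample_page_csv | validate_overflow_csv && echo "page example: no problems found"
sample_bad_csv | validate_overflow_csv || echo "constructed file: rejected"
```

To check a real file, pass its path as the argument, for example the path used in Step 7.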
Prerequisites
l IP addresses of the Trace Server boards planned to process NE services in the PS domain
have been obtained.
l The U2000 services are running properly.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Set PS Partition > Add.
Input the IP addresses of the boards planned to process NE services in the PS domain when
the system displays the following information. Use spaces to separate multiple IP addresses.
Please input the PS node IP. If there is more than one IP, use blank to separate
them.
NOTE
l If the IP address of the Trace Server is translated using NAT, input the IP address of the
default network port before translation.
l If the service network plane isolation is used, input the IP address of the default network port.
When the system displays the following information, the configuration is successful.
Otherwise, contact the Huawei engineer.
Set successfully.
----End
Follow-up Procedure
After configuring the Trace Server board as a PS board, activate the data reporting function of
NEs in the PS domain. For detailed operations, see Activating Data Reporting of NEs in the
PS Domain.
Prerequisites
You have contacted Huawei technical support to obtain iManager U2000 Network
Management Capacity Specification and Trace Server Management Capability Calculation
used with the Trace Server version. You also have obtained the NE traffic model on the live
network and calculated the number of Trace Server servers with which PS domain NEs need
to be connected.
Context
NOTICE
Unless otherwise specified in calculation and operation procedures of this section, upper-layer
applications, NEs, and Trace Server servers indicate upper-layer applications using PS
services, PS domain NEs, and Trace Server servers managing PS domain NEs, respectively.
Before allocating PS domain NEs to Trace Server servers, you need to know the following
concepts:
l Number of Trace Server servers with which NEs are to be connected: It indicates the
number of Trace Server servers with which PS domain NEs are to be connected for a
specified traffic model.
Contact Huawei technical support to calculate this number based on the traffic model on
the live network by following the instructions provided in iManager U2000 Network
Management Capacity Specification and Trace Server Management Capability
Calculation.
l Bandwidth: It indicates the bandwidth over the network interface on a Trace Server
server.
Use the Trace Server maintenance and measurement tool to calculate the bandwidth over the
network interface by following the instructions provided in Collecting Load Statistics in
U2000 Trace Server User Guide (ATAE Cluster, Standalone).
l Number of data copies to be forwarded: It indicates the number of data copies provided
by the Trace Server for upper-layer applications, including the NMS. This number
increases by 1 each time the Trace Server provides data collection for one upper-layer
application. If the Trace Server uses the northbound feature, this number also increases
by 1.
For example, if the Trace Server provides data collection for the PRS and uses the
northbound feature, this number is 2.
l NE type: It indicates the type of PS domain NEs to be connected with the Trace Server.
USNs include those with the EVU board and those without the EVU board.
l Service type: It indicates the service type for different data processing specifications
when the Trace Server forwards data to the NMS and when the Trace Server does not
forward data to the NMS. The service types include enabled and disabled northbound
features.
l Available load margin: It indicates the available load margin for NE services on a Trace
Server server. The available load margin for the Trace Server server managing no NEs is
1.
The available load margin is calculated based on the bandwidth, service type, and other
parameters. When the Trace Server is commissioned, the available load margin for each
Trace Server server planned for managing PS domain NEs is 1 because no NEs are connected
to the Trace Server.
Comply with the following principle when allocating PS domain NEs to Trace Server servers:
Available load margin > Number of Trace Server servers with which NEs are to be connected.
Only values of the two parameters need to be compared, and parameter units can be ignored.
Procedure
l If the Trace Server is commissioned, perform the following procedure:
NOTICE
All calculations and operations in this procedure apply only to Trace Server servers
managing PS domain NEs.
a. Plan the Trace Server servers for all PS domain NEs based on the principle:
Available load margin > Number of Trace Server servers with which NEs are to be
connected.
If the number of Trace Server servers with which a single PS domain NE is to be
connected is greater than the available load margin, perform the following
operations:
n For the USN with the EVU board, allocate the EVU board to multiple Trace
Server servers.
n For the USN without the EVU board, contact Huawei technical support.
NOTE
l If more PS domain NEs need to be connected with Trace Server servers and Trace
Server servers cannot be planned for these NEs based on the preceding principle, contact
Huawei technical support to expand the capacity of Trace Server servers.
l When the preceding principle is met, preferentially allocate the same PS domain NE to a
single Trace Server server.
Types of PS domain NEs to be connected with Trace Server servers are used as
examples in Table 20-4. IP addresses of Trace Server servers are 10.1.1.1, 10.1.1.2,
and 10.1.1.3, respectively. Table 20-5 lists the NE allocation planning.
AAA 10.1.1.1
b. Contact Huawei technical support to activate data reporting of PS domain NEs and
set the IP addresses of CHR servers of USNs to those of planned Trace Server
servers. For details, see Activating Data Reporting of NEs in the PS Domain in
U2000 Trace Server User Guide (ATAE Cluster, Standalone).
The PS domain NEs in step 1 are used as examples. You can set the IP address of
the CHR server of AAA to 10.1.1.1 and set IP addresses of the CHR server of BBB
to 10.1.1.2 and 10.1.1.3.
l If the Trace Server is in O&M mode, perform the following procedure:
NOTICE
All calculations and operations in this procedure apply only to Trace Server servers
managing PS domain NEs.
a. Perform the following operations to calculate the available load margin of a Trace
Server server.
i. Calculate the bandwidth over the network interface on a Trace Server server
by following the instructions provided in Collecting Load Statistics in U2000
Trace Server User Guide (ATAE Cluster, Standalone).
When service network planes of the Trace Server are isolated, calculate the
bandwidth over the network interface sharing the same planes with PS domain
NEs.
ii. Calculate the throughput rate of NE-reported data for a Trace Server server
based on the following formula:
Throughput rate = Bandwidth/(1 + Number of data copies to be forwarded)
In the preceding formula, 1 indicates the number of NE-reported data copies,
and the number of data copies to be forwarded indicates the number of data
copies provided by the Trace Server for upper-layer applications, including the
NMS.
For example, three Trace Server servers with the IP addresses 10.1.1.1,
10.1.1.2, and 10.1.1.3 provide data forwarding for two applications and use
the northbound feature. Table 20-6 lists the throughput rates based on the
relevant IP addresses and bandwidths.
iii. Calculate the available load margin of a Trace Server server based on the
following formula.
Available load margin = 1 - Bandwidth/Data processing specifications
Data processing specifications of Trace Server servers depend on types of PS
domain NEs to be connected with the Trace Server servers and Trace Server
service features, as listed in Table 20-7.
NOTE
If NEs of multiple types are to be connected with a Trace Server server, the data
processing specifications of the Trace Server server are subject to the smaller data
processing specifications for these NEs.
Table 20-8 lists the available load margins for Trace Server servers based on
the throughput rates obtained in a.ii when NEs to be connected with the Trace
Server servers include USNs with EVU boards and those without EVU boards.
b. Plan the Trace Server servers for all PS domain NEs based on the principle:
Available load margin > Number of Trace Server servers with which NEs are to be
connected.
n For the USN with the EVU board, allocate the EVU board to multiple Trace
Server servers.
n For the USN without the EVU board, contact Huawei technical support.
NOTE
l If more PS domain NEs need to be connected with Trace Server servers and Trace
Server servers cannot be planned for these NEs based on the preceding principle, contact
Huawei technical support to expand the capacity of Trace Server servers.
l When the preceding principle is met, preferentially allocate the same PS domain NE to a
single Trace Server server.
Types of PS domain NEs to be connected with Trace Server servers are used as
examples in Table 20-9. IP addresses of Trace Server servers are 10.1.1.1, 10.1.1.2,
and 10.1.1.3, respectively. Table 20-10 lists the NE allocation planning.
AAA 10.1.1.1
c. Contact Huawei technical support to activate data reporting of PS domain NEs and
set the IP addresses of CHR servers of USNs to those of planned Trace Server
servers. For details, see Activating Data Reporting of NEs in the PS Domain in
U2000 Trace Server User Guide (ATAE Cluster, Standalone).
The PS domain NEs in step 1 are used as examples. You can set the IP address of
the CHR server of AAA to 10.1.1.1 and set IP addresses of the CHR server of BBB
to 10.1.1.2 and 10.1.1.3.
----End
Prerequisites
The U2000 services are running properly.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool.
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Set PS Partition > Query to query the IP address of the
server that processes the data generated by the NEs in the PS domain.
l The system displays the IP address of the corresponding service board. The following is
an example.
10.185.196.141 10.185.196.142
l When the system displays the following information, no service board can manage
NEs in the PS domain.
There is no PS node.
----End
Prerequisites
The U2000 services are running properly.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool.
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Statistics and Migrate > Set PS Partition > Delete to delete the PS partition on the
Trace Server board.
When the system displays the following information, input the IP address of the Trace Server
board whose PS partition needs to be deleted. Use spaces to separate multiple IP addresses.
Please input the PS node IP. If there is more than one IP, use blank to separate
them.
When the system displays the following information, the configuration is successful.
Otherwise, contact the Huawei engineer.
setPSPart success.
----End
Procedure
l Activating the CHR data reporting function of USNs.
For details, see Activating the Call History Record Feature in USN9810 Product
Documentation for a specific USN version.
NOTE
l Set the IP address of the CHR server to that of the PS board described in 20.4.1 Configuring
Boards as PS Boards. If Network Address Translation (NAT) is performed during
communication between the Trace Server and the USN, set the IP address to the translated IP
address of the PS board.
l If the EVU board is configured on the USN, set the port number to 31132. If the EVU board is
not configured on the USN, set the port number to 31131.
----End
When resource-related alarms are generated, you are advised to analyze and handle faults
based on the following procedure:
1. Collect statistics on Trace Server load. Obtain the resource usage of all servers within a
certain period of time.
The recommended statistical period is 7 days. Set it based on site requirements. For
details about how to collect statistics on Trace Server load, see 20.5.1 Collecting Load
Statistics.
2. Preliminarily determine whether the servers are busy or idle:
– Busy: The average CPU usage is greater than or equal to 75%.
– Idle: The average CPU usage is less than 75%.
Perform the corresponding operation:
– If all servers are busy, you are advised to enable the flow control function of the
Trace Server. When this function is enabled, you do not need to perform subsequent
operations.
For details about how to query and set the flow control function, see 20.5.3 Setting
the Trace Server Flow Control Switch.
NOTE
If all servers are still busy after flow control is enabled, contact Huawei technical support.
– If some servers are idle, perform the following operations:
3. Query the distribution of NEs and subscription information on the servers. For details,
see 20.2.1 Querying Information About NE Distribution and LTE Cell
Subscription.
4. Collect data traffic statistical results reported by NEs. For details, see 20.5.2 Collecting
Data Traffic Statistical Results of NEs.
5. Contact Huawei technical support to identify busy subareas based on the statistical
results obtained in 3 and 4.
6. Migrate NEs from busy subareas to idle subareas. For details, see 20.8 Managing the
NEs in Trace Server.
NOTICE
During NE migration, pay attention to the following principles:
l The type of NE to be migrated must be the same as the existing NE type in the target
subarea.
l Generally, the RNC generates a large amount of data. You are advised to migrate the
RNC to an empty subarea.
Prerequisites
The U2000 Server services are running properly.
Context
The Trace Server maintenance and measurement tool collects the CPU usage, memory usage,
and bandwidth usage in real time and obtains the maximum, minimum, and average usage of
these resources in the specified period. The Trace Server maintenance and measurement tool
is able to display real-time resource usage on the client, save the usage data in files, and
analyze the data on the server. You can set the tool to perform only statistics tasks on the
server. The real-time usage and load are saved in different files under the /opt/oss/server/
rancn/bin/tsfOMTools/collectResult/staticResult directory of the Trace Server master server.
You can obtain and view these files as user ossuser. The other files in this directory are
process files, which can be ignored.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Perform the following operations to query and collect load statistics on the Trace Server:
1. Choose Statistics and Migrate > IO Load Statistics.
2. If information similar to the following is displayed, a statistics task is running. Perform
the operations based on the actual requirements. Otherwise, go to Step 3.3.
This function is running in background.
Are you want to stop it(y or n)?
– If you need to stop the running statistics task, enter y, press Enter, and go to Step
3.3 for starting a new task.
– If you do not want to stop the running statistics task, enter n, press Enter, and return
to the upper-level menu. No further operation is needed.
3. When information similar to the following is displayed, enter the duration for load
statistics collection, and press Enter:
Enter an integer of hours from 1-168,representing time IO Load Statistics
execution.If the input is empty,24 is used by default.
NOTE
– The digit to be entered is hour quantity and is an integer ranging from 1 to 168.
– If you do not enter a digit but press Enter, the system will collect load statistics generated
within the latest 24 hours.
4. If the following information is displayed, enter the load measurement period and press
Enter:
If You...                 Then...
Choose A|a) Foreground    The system displays the statistics in command output and
                          refreshes it every 30s. You can wait until the task is complete
                          or press Enter to stop statistics collection and return to the
                          upper-level menu.
boradIP cpuUsage(%) memUsage(%) bond1(Mbps) bond2(Mbps) bond3(Mbps) bond4(Mbps) loadAverage
10.144.48.43 1 7 0.098777 NIL NIL NIL 0.150
10.144.48.43 1 7 0.098777 NIL NIL NIL 0.150
----End
Prerequisites
l The Trace Server services are running properly.
Context
l The Trace Server Maintenance and Measurement Tool is able to collect data traffic
statistical results of RNCs, eNodeBs, NodeBs, and BSCs.
l The Trace Server maintenance and measurement tool saves only the seven most recent
statistical result files and automatically deletes earlier files in chronological order.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Perform the following operations to collect data traffic statistical results of NEs on the Trace
Server:
1. Choose Information Collection > DataCollectionStatistics Collection.
2. When information similar to the following is displayed, enter the start date for statistics
collection, and press Enter:
Please input the start time, such as 20150714:
NOTE
– The end date entered must be later than the start date.
– If you press Enter without entering any digits, the system collects all the data traffic statistical
results generated until the current date.
4. When information similar to the following is displayed, enter the IP address of the Trace
Server whose statistical results need to be collected, and press Enter:
All Trace Server IP :
10.144.48.43 10.144.48.44 10.144.48.45
Please input the IP address of servers you want to collect
DataCollectionStatistics [ Press Enter key to collect all servers ]:
NOTE
If you press Enter without entering the IP address, the system collects the data traffic statistical
results on all Trace Server boards.
5. If the following information is displayed, the statistical results are collected successfully.
Otherwise, contact Huawei technical support engineers.
– During a measurement period, if an NE reports data to the Trace Server, a result file is
generated; otherwise, no result file is generated.
– The result files are named in the following format: Data type_Board IP address_Service
name_Date (YYYYMMDD).csv. A result file whose Data type is unknow supports other data
types besides the NE data types collected.
– Parameters in the title line of a result file are described as follows:
n periodStartTime: indicates the start time of the measurement period.
n neFdn: indicates the NE identifier.
n neName: indicates the name of NE.
n dataType: indicates the data type of collected statistics.
n fileSize(KB): indicates the size (KB) of files collected during the measurement period.
n fileCount: indicates the number of files collected during the measurement period.
– Data in each line of the result file is collected at a 5-minute interval after the start time of the
collection.
----End
Context
l If a large amount of NE data flows into the Trace Server, the CPU usage of the Trace
Server may become excessively high, causing switchovers or making the operating
system unresponsive. The NE data flow control function restricts the amount of NE data
processed by the Trace Server when the CPU usage is high, thereby ensuring the
normal operation of the Trace Server.
NOTE
This function cannot be used to control data amount of NEs in the PS domain.
• The flow control function is implemented as follows:
– When the average CPU usage is lower than 85%:
▪ If the CPU usage is always lower than 85% and the system has not entered the
flow control phase, the flow control function is not implemented on NE data.
▪ If the system has entered the flow control phase and the CPU usage decreases
to below 85%, the flow control function cancels the restriction on NE data
amount and resumes the parsing of NE data files that account for a specified
proportion.
– When the average CPU usage is within the range of 85%–90%:
▪ If the CPU usage increased from a value less than 85% to a value within this
range, the status before the flow control is maintained.
▪ If the CPU usage decreased from a value greater than 90% to a value within
this range, the status after the flow control is maintained.
– When the average CPU usage is greater than 90%, the system automatically sorts
NE data files in the descending order of NE data amount and stops the parsing of
NE data files that account for a specified proportion. In this way, the CPU usage can
gradually decrease to a normal value.
NOTE
• The Trace Server measures the average CPU usage once every 10 minutes.
• For the NEs whose data traffic is filtered out in the flow control phase, the Trace Server stops
reporting required result files to upper-layer applications, such as FARS, Nastar, and NMS.
• After the Trace Server enters the flow control state, a system log is generated on the
U2000 client, and the value of the Basic Information column for the log is Flow
Control. For details about how to query system logs, see section Querying OSS Logs in
U2000 Online Help.
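The thresholds above form a hysteresis band: the state changes only above 90% or below 85% and is held in between. The following Python model is an added example, not Huawei code; the 20% proportion per sample and the lightest-first resume order are assumptions, because the guide only says "a specified proportion".

```python
"""Model of the NE data flow control hysteresis described above.

Added illustration, not Huawei code. The 85% and 90% thresholds come from the
guide; PROPORTION, the resume order and all names are assumptions.
"""

LOW_WATERMARK = 85.0    # average CPU below this: restriction is lifted
HIGH_WATERMARK = 90.0   # average CPU above this: parsing is restricted
PROPORTION = 0.2        # assumed share of NEs affected per 10-minute sample

# Constructed sample: data amount (KB) reported per NE in one period.
NE_DATA_KB = {"NE=256": 900, "NE=257": 300, "NE=258": 50,
              "NE=259": 10, "NE=260": 700}
# Constructed sample: one average CPU value per 10-minute measurement.
CPU_SERIES = [80, 88, 91, 88, 92, 90, 84, 84, 85]


class FlowControl:
    def __init__(self, proportion=PROPORTION):
        self.proportion = proportion
        self.active = False      # True while in the flow control phase
        self.suspended = set()   # NEs whose data files are not parsed
        self.log = []            # stands in for the "Flow Control" system log

    def sample(self, avg_cpu, ne_data_kb):
        """Apply one average-CPU measurement; return the suspended NEs."""
        step = max(1, int(len(ne_data_kb) * self.proportion))
        if avg_cpu > HIGH_WATERMARK:
            # Heaviest NEs first, as in the guide's descending sort.
            ranked = sorted(ne_data_kb, key=lambda ne: (-ne_data_kb[ne], ne))
            victims = [ne for ne in ranked if ne not in self.suspended][:step]
            if victims and not self.active:
                self.log.append("Flow Control")
            self.active = self.active or bool(victims)
            self.suspended.update(victims)
        elif avg_cpu < LOW_WATERMARK and self.active:
            # Assumption: resume the lightest suspended NEs first.
            ranked = sorted(self.suspended,
                            key=lambda ne: (ne_data_kb.get(ne, 0), ne))
            self.suspended.difference_update(ranked[:step])
            self.active = bool(self.suspended)
        # 85% to 90% inclusive: keep whatever state was reached before.
        return sorted(self.suspended)


def simulate(cpu_series, ne_data_kb, proportion=PROPORTION):
    """Return ([(cpu, in_flow_control, suspended NEs)], log entries)."""
    fc = FlowControl(proportion)
    timeline = []
    for cpu in cpu_series:
        suspended = fc.sample(cpu, ne_data_kb)
        timeline.append((cpu, fc.active, suspended))
    return timeline, fc.log


if __name__ == "__main__":
    for cpu, active, suspended in simulate(CPU_SERIES, NE_DATA_KB)[0]:
        print(f"cpu={cpu:>3}%  flow_control={active!s:<5}  suspended={suspended}")
```

The suspended set at each sample is the set of NEs for which upper-layer applications receive no result files, so a gap in their data during such a period is a consequence of flow control and should be correlated with the Flow Control system log.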
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to run the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Set Trace Server Param > Set the switch of flow control to enter the flow control
switch setting interface.
Flow control is enabled
NOTE
Flow control is enabled indicates that flow control has been enabled. Flow control is disabled
indicates that flow control has been disabled. Set the flow control switch based on actual requirements.
• To enable flow control, type A or a. When the following information is displayed, flow
control is enabled. Otherwise, contact Huawei technical support engineers.
Enable flow control successfully.
• To disable flow control, type B or b. When the following information is displayed, flow
control is disabled. Otherwise, contact Huawei technical support engineers.
Disable flow control successfully.
----End
Prerequisites
The U2000 Server services are running properly.
Context
The Trace Server maintenance and measurement tool can collect service logs of all current
service boards in the Trace Server system.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following command to open the configuration file of the Trace Server
maintenance and measurement tool, and then check and set the total size of service logs to be
collected and the available space required in the root directory on the master server:
~> vi /opt/oss/server/rancn/bin/tsfOMTools/inc/tsfOMTools.ini
LOG_SIZE=5120MB
NEEDSPACE=5GB
• LOG_SIZE: Total size of logs collected by the Trace Server maintenance and measurement
tool. It is 5120 MB by default.
• NEEDSPACE: Available space size of the root directory on the master server required
for the log collection function. It is 5 GB by default. For details about how to check the disk
usage of the server, see Querying the Disk Usage of the Trace Server (Cluster, ATAE).
NOTE
• The value of LOG_SIZE is an integer greater than 0 (MB), for example, 123 MB.
• The value of NEEDSPACE is an integer greater than 0 (GB), for example, 123 GB.
Change the two parameters based on actual requirements. After the change, press Esc,
enter :wq! to save the changed parameter, and exit the vi editor. If no modification is needed,
press Esc, enter :q!, and exit the vi editor.
Step 3 Run the following commands to execute the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
3. Enter the start time and end time of log collection as prompted.
NOTE
----End
Prerequisites
The U2000 Server services are running properly.
Context
• The Trace Server maintenance and measurement tool can analyze data abnormality generated
within 12 hours.
• The Trace Server maintenance and measurement tool can analyze data abnormality of
eNodeBs and NodeBs.
• Use the Trace Server maintenance and measurement tool to analyze data abnormality only
after at least one subscription task has been completed. Otherwise, the
analysis result may be incorrect. You are advised to use the analysis function 1 hour after the
subscription task is complete.
• The Trace Server maintenance and measurement tool saves only the seven latest analysis
result files and automatically deletes earlier files in time sequence.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Choose Collection Issue > Missing File Locate to analyze data abnormality.
Step 4 When the following information is displayed, enter the required duration for data analysis. If
you press Enter, this tool analyzes the data generated within 2 hours by default.
NOTE
This function can only be used to analyze data abnormality on a specific server or all servers at a time.
Use this function 1 hour after subscription is delivered. Enter an integer from
1-12, which indicates a time 1 to 12 hours earlier than the current time. The
default value is 2.
When information similar to the following is displayed, enter the IP address of the board
to be analyzed as prompted. Alternatively, press Enter to analyze all the service
boards.
All Trace Server IP :
10.144.48.42 10.144.48.45 10.144.48.46
Enter the IP address of a Trace Server. If the IP address is empty, the
information of all Trace Server boards are collected by default:
The Trace Server maintenance and measurement tool generates the analysis result file
AnaResult_NE type_Board IP address_Random number by NE type and board IP address,
and saves the file in the /opt/oss/server/rancn/bin/tsfOMTools/collectResult/
southdataAnaResult/YYYYMMDDhhmmss directory on the master server.
YYYYMMDDhhmmss is the exact start time of the analysis task. You can obtain the analysis
result file as user ossuser. Table 20-11 describes the parameters in the analysis result
file.
Parameter Description
----End
Prerequisites
The U2000 Server services are running properly.
Context
Four data collection processes TSCollectorXXXX are deployed on the Trace Server service
board. All the four processes have the same LTE cell management capability. If the network
planning is changed, the number of LTE NEs is also changed. When the number exceeds the
current management capability, the Trace Server automatically adjusts the management
capability of each data collection process and ensures that the capability does not exceed the
maximum management capability. Use Trace Server maintenance and measurement tool to
change the management capability of each process and adjust it based on the actual
requirements on the live network when it exceeds the upper threshold.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
Step 2 Run the following commands to execute the Trace Server maintenance and measurement tool:
~> cd /opt/oss/server/rancn/bin/tsfOMTools
~> sh tsfOMtools.sh
Step 3 Perform the following operations to configure the LTE cell management capability of the
Trace Server:
1. Choose Set Trace Server Param > Set the number of cells managed by each
TSCollector.
2. If the following information is displayed, set the LTE cell management capability of a
collection process. The value is an integer ranging from 100 to 3000.
The value of MaxCellCntPerPartition in the current configuration file is 1500.
Enter the value of MaxCellCntPerPartition. Value range:[100,3000](If you
press Enter, MaxCellCntPerPartition is set to 1500 by default.), or enter q/Q
to quit.
NOTE
3. When the following information is displayed, enter the margin for which the system can
automatically increase the management capability after the NE quantity exceeds the LTE
cell management capability. The value is an integer ranging from 0 to 1500.
The value of AllowAddCellCnt in the current configuration file is 1000.
Enter the value of AllowAddCellCnt you want to set:[0,1500](If you press
Enter, AllowAddCellCnt is set to 1000 by default.), or enter q/Q to quit.
NOTE
– If you press Enter, the management capability will be automatically increased by 1000 cells.
– Type Q or q to close the operation interface.
– The command output contains the current management capability increasing margin. The
preceding command output is used as an example in which the LTE cell management
capability increasing margin is 1000 cells.
4. When the following information is displayed, enter y. The system will automatically
restart the TSService service to make the change take effect.
The entered values of configuration items verified successfully.
Are you sure to restart the TSService service, whether to continue (Y/N)
----End
Prerequisites
• You have obtained the permission on Trace Server NE Management and have logged
in to the U2000 client as a user who has permission on Network Management
Application.
For details about how to grant permissions on NE migration to users if required, see .
• The U2000 service is running properly.
• The Trace Server service is running properly.
• Subscription tasks have been issued to the NEs managed by the Trace Server.
Context
Due to management mechanism differences between PS domain NEs and other NEs, you
cannot query subarea information about PS domain NEs that have accessed the Trace Server.
Contact maintenance engineers of the core network to check configurations of these NEs.
Procedure
Step 1 Choose Maintenance > Trace Server Maintenance > NE Partition Management
(traditional style) or double-click Trace and Maintenance in Application Center and choose
Trace Server Maintenance > NE Partition Management (application style).
Step 2 Click Query and select the query type based on the actual requirements.
• Query subarea information by service name.
a. In the Query Criteria area box, select Trace Server service, enter the keyword of
the Trace Server service name to be queried in the text box, or select the Trace
Server service name to be queried from the navigation tree.
b. Click Query. Information about the NEs managed by the specified service is
displayed in the right area.
• Query subarea information by NE name.
a. In the Query Criteria area box, select NE, and enter the keyword of the NE name
to be queried in the text box, or select the NEs to be queried.
b. Click Query. Information about the NEs whose names include the keyword entered
is displayed in the right area.
Application in the query result indicates the names of upper-layer applications that have
issued subscription tasks to the selected NEs. Table 20-12 lists the mapping between
keywords in Application and upper-layer application names.
Table 20-12 Mapping between keywords in Application and upper-layer application names
Keyword in Application    Upper-layer Application Name
FARS                      FARS
Nastar                    Nastar
EBC                       EBC
NIC                       NIC
eCoordinator              SONMaster
SONMaster                 SONMaster
PRS                       PRS
TSP                       TSP
TS_NBI                    Northbound
TS_KCDR                   Northbound
TS_CDR                    Northbound
TS_TDS                    Northbound
OSSii_NBI                 Northbound
TSNBI_MCMR                Northbound
NMS_FLOW_TS               Northbound
TS_NBITC                  Northbound
NMS_FILE                  Northbound
NMS_FLOW                  Northbound
Step 3 Click Save in the lower right corner. Set the file name and save path. Export the query result
and save it to your local PC.
By default, an NE subarea information file is named in the format of User name_NE subarea
information file_YYYYMMDD_HHMMSS. The file can be saved in .xls, .csv, or .xlsx
format.
Step 4 In the displayed dialog box indicating that the file is saved successfully, click OK.
----End
capability of the server to decrease in the Trace Server system. You are not allowed to deliver
NEs or cancel the subscription task while migrating NEs. After the migration is complete, you
can deliver NEs and cancel the subscription task. This section describes how to use the U2000
client to migrate NEs in the Trace Server system.
Prerequisites
• You have obtained the permission on Trace Server NE Management and have logged
in to the U2000 client as a user who has permission on Network Management
Application.
For details about how to grant permissions on NE migration to users if required, see .
• The U2000 service is running properly.
• The Trace Server service is running properly.
• Subscription tasks have been issued to the NEs to be migrated.
Context
NOTICE
• If the function of processing data of RNCs with extra-large specifications has been enabled
for the Trace Server, you can migrate the master subarea of such an RNC only by using the
U2000 client, and you cannot migrate the master subarea to the server where overflow
subareas are located.
• Only one NE migration task can exist in the Trace Server system. If an NE migration task
is running on the U2000 client or Trace Server Maintenance and Measurement Tool, a new
NE migration task cannot be executed.
• The Trace Server supports BSC, RNC, eNodeB, NodeB, BTS3900 or MAG9811
migration.
• If the service network plane solution is used, you are advised to migrate NEs between
servers on the same service network plane. If NEs are migrated between servers on
different service network planes, NEs may be disconnected.
• This section uses the related NE information as an example. You can perform the
operation according to the actual conditions.
• The management mechanism for PS domain NEs is different from that for other NEs. If
PS domain NEs need to be migrated, change the CHR server of the PS domain NEs to the
new CHR server by following the instructions provided in the corresponding NE product
documentation.
Procedure
Step 1 Choose Maintenance > Trace Server Maintenance > NE Partition Management
(traditional style) or double-click Trace and Maintenance in Application Center and choose
Trace Server Maintenance > NE Partition Management (application style).
Step 2 Perform the following operations to migrate NEs based on the actual condition:
NOTE
If the NE Partition Management window has been opened, and if the Trace Server system capacity has
been expanded or the subarea managing PS domain NEs is added or modified, close and re-open the NE
Partition Management window to ensure that all available servers are properly displayed during NE
migration.
• Migrate to multiple batches
Migrate the NEs managed by different subareas to other subareas in batches.
a. Export the NE subarea information file. For details, see 20.8.1 Querying Subarea
Information of NEs Managed by the Trace Server.
b. Open and edit the NE subarea information file.
Change Trace Server IP Address and Trace Server Service Name of the NEs to
be migrated to Trace Server IP Address and Trace Server Service Name of the
destination subarea. Do not change other information in the file. Otherwise, NE
migration will fail.
NOTE
You may not specify Trace Server Service Name when editing the NE subarea information
file. If it is not specified, the system automatically allocates Trace Server services based on
Trace Server service load on the destination server.
c. Click the Migrate tab.
d. Choose Migrate to multiple batches, then click and select the modified file.
e. Click Migrate. In the displayed dialog box, confirm the number of migration
records, and click Yes to start the migration.
You can view the progress and execution result of the NE migration task on the
GUI. If an NE fails to be migrated, modify the NE subarea information file based
on the recorded failure information, and import the file again. If the migration still
fails, contact Huawei technical support.
• Migrate to a board
Migrate NEs between different boards or between different Trace Server services on the
same board.
a. Click the Migrate tab.
b. Choose Migrate to a board.
c. In the Source Subarea area box, select the source server IP address and source
service name of the NEs to be migrated.
d. In the Destination Subarea area box, select the destination server IP address and
destination service name of the NEs to be migrated.
NOTE
When Allocated automatically is selected for Service name, the system automatically
allocates Trace Server services based on Trace Server service load on the destination server.
e. In the navigation tree in the Select NEs area box, select the NEs to be migrated.
f. Click Migrate. In the displayed dialog box, confirm the number of migration
records, and click Yes to start the migration.
You can view the progress and execution result of the NE migration task on the
GUI. If an NE fails to be migrated, contact Huawei technical support.
----End
Prerequisites
• The Trace Server services are running properly. For details about querying the status of Trace
Server services, see Querying the Status of Trace Server Services (OSMU).
• The U2000 services are running properly.
Context
NOTICE
• If the function of processing data of RNCs with extra-large specifications has been enabled
for the Trace Server, you can migrate the master subarea of such an RNC only by using the
U2000 client, and you cannot migrate the master subarea to the server where overflow
subareas are located.
• Only one NE migration task can exist in the Trace Server system. If an NE migration task
is running on the U2000 client or Trace Server Maintenance and Measurement Tool, a new
NE migration task cannot be executed.
• The Trace Server supports BSC, RNC, eNodeB, NodeB, BTS3900 or MAG9811
migration.
• If the service network plane solution is used, you are advised to migrate NEs between
servers on the same service network plane. If NEs are migrated between servers on
different service network planes, NEs may be disconnected.
• This section uses the related NE information as an example. You can perform the
operation according to the actual conditions.
• The management mechanism for PS domain NEs is different from that for other NEs. If
PS domain NEs need to be migrated, change the CHR server of the PS domain NEs to the
new CHR server by following the instructions provided in the corresponding NE product
documentation.
Procedure
Step 1 Use PuTTY to log in to the master server of Trace Server in SSH mode as ossuser. For
details, see Logging In to a Board Using PuTTY.
Step 2 Run the following commands to export a partition information file of all NEs:
~> cd /opt/oss/server/rancn/bin
~> sh getNeToTSRelation.sh
NOTE
Step 3 Check the NE partition information file, and record the information of NEs to be migrated.
Assume that the contents of the NE partition information file are as follows:
IP,TSPARTITION,NEFDN,NETYPE
10.144.48.41,TSCollector0301,NE=256,eNodeBNE
10.144.48.41,TSCollector0302,NE=257,eNodeBNE
10.144.48.41,TSCollector0303,NULL,NULL
10.144.48.41,TSCollector0304,NULL,NULL
10.144.48.40,TSCollector0401,NULL,NULL
10.144.48.40,TSCollector0402,NULL,NULL
10.144.48.40,TSCollector0403,NULL,NULL
10.144.48.40,TSCollector0404,NULL,NULL
......
Record the NEFDN of each NE to be migrated and the TSPARTITION of the target
data collection service.
Step 4 Perform the following operations to migrate NEs by using Trace Server maintenance and
measurement tool.
1. Create the NE migration configuration file MigrateNE.csv by using Notepad on the PC
and upload it:
Add information about NE migration to the file in the following format:
NEFDN of the NE to be migrated,TSPARTITION of the target data collection service
For example, to migrate the NE with FDN number 256 from the data collection service
TSCollector0301 to another data collection service, TSCollector0303, and to migrate the
NE with FDN number 257 from the data collection service TSCollector0302 to the data
collection service TSCollector0401 on the other Trace Server, add the following contents.
NE=256,TSCollector0303
NE=257,TSCollector0401
NOTE
----End
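A MigrateNE.csv can be checked against the exported partition file before it is handed to the tool. The following Python script is an added example, not part of tsfOMTools; the function names and messages are assumptions, and the inputs are the two file formats shown in the procedure above. It also flags migrations that move an NE to a different server, which is the case the NOTICE about service network planes warns about.

```python
"""Pre-check MigrateNE.csv against the exported NE partition file.

Added illustration, not part of tsfOMTools. Function names and the error
wording are assumptions; the two file formats are those shown in the guide.
"""
import csv
import io

# Partition export as printed in the guide (getNeToTSRelation.sh output).
PARTITION_EXPORT = """\
IP,TSPARTITION,NEFDN,NETYPE
10.144.48.41,TSCollector0301,NE=256,eNodeBNE
10.144.48.41,TSCollector0302,NE=257,eNodeBNE
10.144.48.41,TSCollector0303,NULL,NULL
10.144.48.41,TSCollector0304,NULL,NULL
10.144.48.40,TSCollector0401,NULL,NULL
10.144.48.40,TSCollector0402,NULL,NULL
10.144.48.40,TSCollector0403,NULL,NULL
10.144.48.40,TSCollector0404,NULL,NULL
......
"""

# The guide's MigrateNE.csv, constructed here with a byte order mark and CRLF
# line endings such as a Windows editor may write.
GOOD_MIGRATION = "\ufeffNE=256,TSCollector0303\r\nNE=257,TSCollector0401\r\n"

# Constructed file with one mistake per line.
BAD_MIGRATION = (
    "NE=256,TSCollector0301\n"   # already on that service
    "NE=999,TSCollector0303\n"   # NE not in the export
    "NE=257,TSCollector0999\n"   # target service does not exist
    "NE=257\n"                   # missing field
)


def load_partitions(export_text):
    """Return (NEFDN -> (ip, partition), partition -> ip) from the export."""
    ne_location, partition_ip = {}, {}
    reader = csv.DictReader(io.StringIO(export_text.lstrip("\ufeff")))
    for row in reader:
        ip = (row.get("IP") or "").strip()
        part = (row.get("TSPARTITION") or "").strip()
        fdn = (row.get("NEFDN") or "").strip()
        if not ip or not part:
            continue                      # elision or malformed line
        partition_ip[part] = ip
        if fdn and fdn != "NULL":         # NULL marks an empty service
            ne_location[fdn] = (ip, part)
    return ne_location, partition_ip


def check_migration(migrate_text, ne_location, partition_ip):
    """Return (plan, errors); errors are (line number, message) tuples."""
    plan, errors, seen = [], [], set()
    for lineno, raw in enumerate(migrate_text.lstrip("\ufeff").splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 2 or not all(fields):
            errors.append((lineno, "expected NEFDN,TSPARTITION"))
            continue
        fdn, target = fields
        if fdn in seen:
            errors.append((lineno, f"{fdn} is listed more than once"))
            continue
        seen.add(fdn)
        if fdn not in ne_location:
            errors.append((lineno, f"{fdn} is not in the partition export"))
            continue
        if target not in partition_ip:
            errors.append((lineno, f"{target} is not a known TSPARTITION"))
            continue
        src_ip, src_part = ne_location[fdn]
        if src_part == target:
            errors.append((lineno, f"{fdn} is already managed by {target}"))
            continue
        plan.append({"nefdn": fdn, "from": src_part, "to": target,
                     "cross_server": src_ip != partition_ip[target]})
    return plan, errors


if __name__ == "__main__":
    locations, partitions = load_partitions(PARTITION_EXPORT)
    for name, text in (("good", GOOD_MIGRATION), ("bad", BAD_MIGRATION)):
        plan, errors = check_migration(text, locations, partitions)
        print(name, "plan:", plan)
        print(name, "errors:", errors)
```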
NOTICE
You do not need to perform operations related to standby boards if they do not exist, and the
board will not be in the Standby or Switched Over state.
When backing up and restoring the three types of data, note that:
• You can back up any type of data independently.
• Before restoring upper-layer data, ensure that its lower-layer data is restored.
– If you want to restore the three types of data, sequentially restore operating system
data, static data, and dynamic data.
– If you want to restore static data and dynamic data, restore static data first.
NOTE
Figure 21-1 shows only data hierarchy rather than data size.
U2000 | Operating system data | Backing up and restoring data by board using the OSMU.
Static data of the U2000 system | Static data | Backing up and restoring data by U2000 system using the OSMU.
For detailed operations, see 21.2 Backing Up the U2000 (Static Data and Operating System Data, ATAE Cluster System).
For detailed operations, see 21.4 Restoring the U2000 (ATAE Cluster System).
The ATAE cluster system is not deployed with the BSS, and the capacity of the OSMU board hard disk is 600 GB or above. | OSMU hard disk where backup space has been planned | This scenario applies to initially installed OSMUs in V200R001C01 or later versions.
NOTICE
If the operating system malfunctions and no backup of the operating system is available,
contact Huawei technical support.
Item | Content
Backup contents |
• Operating system of the board where the U2000 database is deployed
• Operating system of the board where the U2000 applications are deployed
Backup mode | You can manually create a backup task for full backup as required.
Save path of the backup files | The operating system backup files are saved in /export/home/backup/os of the OSMU board. A maximum of the latest three backups can be saved. A folder named in the fXsY-YYYYMMDDhhmmss format is generated under this directory each time the operating system is backed up.
In fXsY_YYYYMMDDhhmmss, YYYYMMDDhhmmss indicates the start time of the backup task, X indicates the subrack number, and Y indicates the slot number.
For example, f1s2_20130505153020 is the name of the folder created for backing up the operating system data on the board in slot 2 of subrack 1 at 15:30:20 on May 5, 2013.
• You need to back up the U2000 static data and the database static data after the service
board, standby service board, DB board, or standby DB board is replaced.
NOTICE
After you perform the initial backup for static data, no backup is required unless the database
application or the U2000 application is upgraded, the service board or DB board IP address is
changed, or the service board or DB board is replaced.
Item | Content
Backup contents | U2000 static data | All files in the installation path of the U2000 application. For example, the installation path of the U2000 static data is /opt/oss.
Backup mode | You can manually create a backup task for full backup as required.
Storage media |
• BSS
• MSS where the backup space has been planned
• OSMU hard disk where the backup space has been planned
Save path of the backup files | The backup files of the static data are saved on the OSMU board in the folder /export/home/backup/static/<Product name or DB>/YYYYMMDDhhmmss/fXsY_YYYYMMDDhhmmss. A maximum of the latest five backup files can be saved.
In fXsY_YYYYMMDDhhmmss, YYYYMMDDhhmmss indicates the start time of the backup task, X indicates the subrack number, and Y indicates the slot number.
For example, /export/home/backup/static/U2000/20100505153020/f1s2_20100505153020 is the name of the folder generated for backing up the static data on the board in slot 2 of subrack 1 at 15:30:20 on May 5, 2010.
NOTICE
If the password of OS user ftpuser is changed after the backup time of the backup data to be
restored, restore the OS data that is in the same period as the dynamic data. Otherwise, the
passwords of user ftpuser recorded in the OS data and dynamic data are different. As a result,
some U2000 functions become invalid.
Backup modes |
• Periodic backup: You can create a periodic backup task to perform a full backup.
• Manual backup: You can create a backup task as required to perform a full backup.
Save path of the backup files | The directory for saving the backup files of the dynamic data on the OSMU board is as follows:
/export/home/backup/dynamic/<Product name>/YYYYMMDDhhmmss/<Backup folder name>.
The latest 10 backup files can be saved at most. For details, see 21.3.3 Setting Policies for Saving Dynamic Data Backup Packages.
In /export/home/backup/dynamic/<Product name>/YYYYMMDDhhmmss, YYYYMMDDhhmmss indicates the start time of the backup task.
For example, /export/home/backup/dynamic/U2000/20120728170553 indicates the folder that stores the static data backup file generated at 17:05:53 on July 28, 2012.
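The three save-path layouts above can be parsed mechanically, for example to inventory the backups on the OSMU board and to line them up in the restore order the guide requires (operating system data, then static data, then dynamic data). The following Python script is an added example, not OSMU code; the function names are assumptions, and the sample paths are the guide's own examples plus constructed ones.

```python
"""Parse OSMU backup folder paths and order them for restoration.

Added illustration, not OSMU code. Path layouts and the restore order are
taken from the guide; function names and the sample list are assumptions.
"""
import re
from datetime import datetime

ROOT = "/export/home/backup"
RESTORE_ORDER = ("os", "static", "dynamic")   # lower layer first

_TS = r"(?P<start>\d{14})"                    # YYYYMMDDhhmmss
# The guide prints the board folder as both fXsY-... and fXsY_...; accept either.
_BOARD = r"f(?P<subrack>\d+)s(?P<slot>\d+)[_-]" + _TS
_LAYOUTS = {
    "os": re.compile(rf"{ROOT}/os/{_BOARD}"),
    "static": re.compile(
        rf"{ROOT}/static/(?P<product>[^/]+)/(?P<task>\d{{14}})/{_BOARD}"),
    "dynamic": re.compile(
        rf"{ROOT}/dynamic/(?P<product>[^/]+)/{_TS}(?:/(?P<folder>[^/]+))?"),
}

SAMPLE_PATHS = [
    f"{ROOT}/dynamic/U2000/20120728170553",                      # from the guide
    f"{ROOT}/static/U2000/20100505153020/f1s2_20100505153020",   # from the guide
    f"{ROOT}/os/f1s2_20130505153020",                            # from the guide
    f"{ROOT}/os/f1s2-20130506010000",    # constructed, hyphen form
    f"{ROOT}/os/f1s2_20131305153020",    # constructed, month 13 is invalid
    f"{ROOT}/os/tmp",                    # constructed, not a backup folder
]


def parse_backup_path(path):
    """Return a dict describing the backup, or None if the path does not
    follow one of the three layouts or carries an impossible timestamp."""
    path = path.rstrip("/")
    for layer, pattern in _LAYOUTS.items():
        match = pattern.fullmatch(path)
        if not match:
            continue
        info = {k: v for k, v in match.groupdict().items() if v is not None}
        try:
            info["start"] = datetime.strptime(info["start"], "%Y%m%d%H%M%S")
        except ValueError:
            return None
        for key in ("subrack", "slot"):
            if key in info:
                info[key] = int(info[key])
        info["layer"] = layer
        info["path"] = path
        return info
    return None


def restore_plan(paths):
    """Return (backups sorted by restore layer then start time, rejected paths)."""
    parsed, rejected = [], []
    for path in paths:
        info = parse_backup_path(path)
        if info is None:
            rejected.append(path)
        else:
            parsed.append(info)
    parsed.sort(key=lambda i: (RESTORE_ORDER.index(i["layer"]), i["start"]))
    return parsed, rejected


if __name__ == "__main__":
    plan, rejected = restore_plan(SAMPLE_PATHS)
    for item in plan:
        print(item["layer"], item["start"].isoformat(), item["path"])
    print("rejected:", rejected)
```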
Prerequisites
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
Context
NOTE
When the Sybase database is used, U2000 service boards and U2000 DB boards share the same standby
board. You can perform the operation on standby board by referring to the description of standby service
board.
When backing up the static data and operating system of the U2000 through the OSMU, as
listed in Table 21-6.
NOTE
The dynamic data of the U2000 is backed up through the U2000's own backup function. For details, see
21.3 Backing Up the U2000 (Dynamic Data).
U2000 operating system |
• Operating system of the board where the U2000 database is deployed
• Operating system of the board where the U2000 applications are deployed
Procedure
Step 1 In the left pane of the OSMU window, expand the Service System navigation tree and choose
Service Management > Board Services.
Step 2 On the Board Services tab page, check the status of the boards whose data you want to back
up by scenario.
NOTICE
If any board is in a state other than those mentioned in the following steps, contact Huawei
technical support.
Back up the U2000 static data | Ensure that the board where U2000 applications are deployed is in
the Normal, Standby, or Service Stopped state.
If any board is in the Switched Over state, switch the boards based
on the original active/standby relationship by referring to 5.5
Switching Resources Between U2000 Nodes Manually (Oracle) or
5.6 Switching Resources Between U2000 Nodes Manually
(Sybase).
Back up the U2000 database static data | Ensure that the board where the U2000 database is deployed is in the
Normal, Standby, or Service Stopped state.
If any board is in the Switched Over state, switch the boards based
on the original active/standby relationship by referring to 5.5
Switching Resources Between U2000 Nodes Manually (Oracle) or
5.6 Switching Resources Between U2000 Nodes Manually
(Sybase).
Back up the U2000 operating system | Ensure that the board where the U2000 operating system is deployed
is in the Normal, Standby, Switched Over, Service Stopped, or
Service Takeover state.
Step 3 Create backup tasks by scenario and ensure that the backup succeeds.
NOTICE
• You must ensure that the space for storing the backup data is sufficient. Otherwise, the
backup task will fail.
• You must ensure that no other tasks are being performed before you start a backup task.
Otherwise, the backup task will fail.
Back up the U2000 static data
1. In the left pane of the OSMU window, expand the Routine
Maintenance navigation tree and choose Backup and Restore.
2. Click Create in the Backup area box on the right.
3. In Backup Task Wizard, select OSS application data (static
data) and click Next.
4. Select the U2000.
5. Click Finish. In the displayed dialog box, click OK to create a
backup task.
NOTE
It takes about 10 to 240 minutes to back up the static data, depending on
the size of data stored in the disk array partition of the board.
6. In the Centralized Task Management area, verify that the task is
executed successfully.
Back up the U2000 database static data
1. In the left pane of the OSMU window, expand the Routine
Maintenance navigation tree and choose Backup and Restore.
2. Click Create in the Backup area box on the right.
3. In Backup Task Wizard, select DB application data (static
data) and click Next.
4. Select the board where the U2000 database is deployed and
whose data you want to back up.
5. Click Finish. Then click OK to create a backup task.
NOTE
It takes about 10 to 240 minutes to back up the static data, depending on
the size of data stored in the disk array partition of the board.
6. In the Centralized Task Management area, verify that the task is
executed successfully.
Back up the U2000 operating system
1. In the left pane of the OSMU window, expand the Routine
Maintenance navigation tree and choose Backup and Restore.
2. Click Create in the Backup area box on the right.
3. In Backup Task Wizard, select OS data and click Next.
4. Select the board whose U2000 operating system you want to back
up.
NOTICE
The OS backup can be performed for a maximum of 10 boards at a time.
5. Click Finish. Then click OK to create a backup task.
NOTE
– It takes about 10 to 150 minutes to back up the operating system,
depending on the size of data stored in the disk array partition of the
board.
– Do not perform operations on the OSMU operating system during a
backup task, such as switching over boards and changing IP addresses.
6. In the Centralized Task Management area, verify that the task
has been executed.
NOTICE
Do not perform any operation on the board if the backup fails. Try to
back up the data again. If the backup task still fails, contact Huawei technical
support.
----End
Prerequisites
• You have logged in to the U2000 client as a member of Administrators user group.
• A hard disk has sufficient free space if you plan to back up data on the hard disk.
Context
Generally, U2000 dynamic data is backed up periodically. The periodic backup of the
dynamic data is performed in full backup mode.
Dynamic data backup has no restriction on backup time. The backup can be performed during
the system operation. The time required for backing up U2000 dynamic data is related to the
actual environment. Generally, it takes about 2.5 hours to 3 hours to back up the dynamic
data.
NOTE
Procedure
Step 1 In the main window, choose Maintenance > Task Management (traditional style);
alternatively, double-click System Management in Application Center and choose Task
Schedule > Task Management (application style).
The Task Management window is displayed.
Step 2 Choose Task Type > Backup > Server Backup in the navigation tree and double-click the
node. The Attribute dialog box of server periodic backup is displayed, as shown in Figure
21-2.
Step 3 Click Common Parameters, and set Task Name and Start Time.
Step 4 Click the Extended Parameters tab and then set the backup period, as shown in Figure 21-3.
Select a backup period from the Backup Period (days) drop-down list. The backup period
can be set to 1 to 7.
Prerequisites
• You have logged in to the U2000 client.
• You are authorized to perform relevant operations.
• A hard disk has sufficient free space if you plan to back up data on the hard disk.
Context
Manual backup is required in special or emergency situations such as the failure of the U2000
system.
Dynamic data backup has no restriction on backup time. The backup can be performed during
the system operation. The time required for backing up U2000 dynamic data is related to the
actual environment. Generally, it takes about 2.5 hours to 3 hours to back up the dynamic
data.
Procedure
Step 1 In the main window, choose Maintenance > Backup Management > System Backup
(traditional style); alternatively, double-click System Management in Application Center
and choose System > System Backup (application style). The System Backup window is
displayed.
Step 2 In the System Backup window shown in Figure 21-4, click Full Backup.
When the Status displays Succeeded, the full backup is successful. If a backup failure occurs,
you can locate faults and resolve the problem by following instructions provided in 26.1.13
Solving the U2000 Backup or Restore Failure Problem. If the problem persists, contact
Huawei technical support.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the left pane of the OSMU window, expand the Routine Maintenance navigation tree and
choose Backup and Restore.
Step 2 In the Backup Data Management area in the right pane, click Create.
Step 3 In the Backup Data Management dialog box, select Set the policy of saving dynamic data
backup package and click Next.
Step 4 Select U2000 in System Name, and select the number of packages in the Reserved
Backup Packages drop-down list.
If the backup space is still insufficient after the dynamic data backup packages are reduced to the
specified number, the OSMU will continue to delete such packages to ensure sufficient backup space.
----End
Prerequisites
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
• No task is running on the OSMU.
• You have obtained the backup data package used for U2000 restoration.
Context
NOTE
When the Sybase database is used, U2000 service boards and U2000 DB boards share the same standby
board. You can perform the operation on the standby board by referring to the description of the
standby service board.
When restoring U2000 data through the OSMU, strictly follow the sequence in Table 21-7.
3 U2000 service board and standby service board operating system:
• Operating system of the U2000 service board.
• Operating system of the U2000 standby service board.
Procedure
Step 1 In the left pane of the OSMU window, expand the Service System navigation tree and choose
Service Management > Board Services.
Step 2 On the Board Services tab page, check the status of the boards whose data you want to
restore by scenario to ensure that the status meets the restoration requirements.
NOTICE
If any board is in a state other than those mentioned in the following steps, contact Huawei
technical support.
Restore the operating system of the U2000 DB board and standby DB board:
Ensure that the DB board and standby DB board are in any one of the Normal,
Standby, Switched Over, Service Stopped, or Faulty states.
Restore the U2000 database static data:
1. Ensure that the boards where the U2000 database is deployed are in the
Service Stopped state.
– If any board is in the Switched Over state, do as follows:
a. Switch the boards based on their original active/standby
relationship by referring to 5.5 Switching Resources
Between U2000 Nodes Manually (Oracle) or 5.6
Switching Resources Between U2000 Nodes Manually
(Sybase).
b. Stop the service of the board where the U2000 database is
deployed by referring to 4.4 Stopping the Database
Service.
– If the boards where the U2000 database is deployed are in the
Normal state, stop the service by referring to 4.6 Stopping
U2000 Services.
2. Select the board where the U2000 database is deployed and click
View Resource Status to check that the resources whose names
contain mount are in the online state.
If any resource is in the offline state, contact Huawei technical
support.
Restore the operating system of the U2000 service board and standby service board:
Ensure that the service board and standby service board are in any one of the
Normal, Standby, Active, Switched Over, Service Stopped, or Faulty states.
Ensure that the DB board and standby DB board are in the Normal
and Standby state.
Restore the U2000 static data:
1. Ensure that the boards deployed with U2000 applications are in
the Service Stopped state.
– If any board is in the Switched Over state, switch the boards
based on the original active/standby relationship by referring
to 5.5 Switching Resources Between U2000 Nodes
Manually (Oracle) or 5.6 Switching Resources Between
U2000 Nodes Manually (Sybase). Then, stop U2000 system
services by referring to 4.6 Stopping U2000 Services.
– If any board is in the Normal state, stop U2000 system
services by referring to 4.6 Stopping U2000 Services.
2. Select the board where U2000 applications are deployed and click
View Resource Status to check that the resources whose names
contain mount are in the online state.
If any resource is in the offline state, contact Huawei technical
support.
Restore U2000 dynamic data:
1. Ensure that the boards deployed with the U2000 database are in
the Normal, Switched Over, Service Stopped or Standby state.
If the Sybase database is used and any board is in the Service
Stopped state, start the U2000 database service by referring to
4.3 Starting the Database Service.
2. Ensure that the boards deployed with U2000 applications are in
the Service Stopped, Switched Over, or Standby state.
If any board is in the Normal state, stop U2000 system services
by referring to 4.6 Stopping U2000 Services.
Step 3 In the left pane of the OSMU window, expand the Routine Maintenance navigation tree and
choose Backup and Restore.
Step 4 In the Restore area in the right pane, click Restore.
Step 5 Create restoration tasks by scenario and ensure that the restoration succeeds.
Restore the operating system of the U2000 DB board and standby DB board:
1. In Restoration Task Wizard, select OS data, and click Next.
2. Select the DB board and standby DB board whose operating
system data you want to restore from the list.
3. Specify Data Backup Time to restore the operating system of the
board by using the backup file created at this time.
4. Click Finish. In the displayed dialog box, click OK to create a
restoration task.
NOTE
– It takes about 10 to 100 minutes to restore operating system data,
depending on the size of data stored in the disk array partition of the
board.
– A board will restart when you restore the operating system data and
the board will be displayed as Faulty on the OSMU device panel
when the board is restarting. After the board is successfully restarted,
its status becomes normal.
5. Check in the Centralized Task Management area that the task is
executed successfully.
NOTICE
Do not perform any operation on the board if the restoration fails. Try to
restore data again. If the restoration still fails, contact Huawei technical
support.
6. In the left pane of the OSMU window, expand the Service
System navigation tree and choose Service Management >
Board Services.
7. Check on the Board Services tab page that the boards whose data
has been restored are in the Normal or Standby state.
If the DB board is in the Switched Over state, services on the
standby DB board might have started earlier than those on the DB
board. In this case, switch the boards based on the original active/
standby relationship by referring to 5.5 Switching Resources
Between U2000 Nodes Manually (Oracle) or 5.6 Switching
Resources Between U2000 Nodes Manually (Sybase).
Restore the U2000 database static data:
1. In Restoration Task Wizard, select DB application data (static
data), and click Next.
2. Select the board where the U2000 database is deployed and
whose data you want to restore.
3. Specify Data Backup Time to restore the database static data of
the board by using the backup file created at this time.
4. Click Finish to create a restoration task.
NOTE
It takes about 10 to 60 minutes to restore static data, depending on the size
of data stored in the disk array partition of the board.
5. Check in the Centralized Task Management area that the task is
executed successfully.
6. In the left pane of the OSMU window, expand the Service
System navigation tree and choose Service Management >
Board Services.
7. Check on the Board Services tab page that the boards whose data
has been restored are in the Service Stopped or Standby state.
Restore the operating system of the U2000 service board and standby service board:
1. In Restoration Task Wizard, select OS data, and click Next.
2. Select the service board and standby service board whose
operating system data you want to restore from the list.
3. Specify Data Backup Time to restore the operating system of the
board by using the backup file created at this time.
4. Click Finish. In the displayed dialog box, click OK to create a
restoration task.
NOTE
– It takes about 10 to 100 minutes to restore operating system data,
depending on the size of data stored in the disk array partition of the
board.
– A board will restart when you restore the operating system data and
the board will be displayed as Faulty on the OSMU device panel
when the board is restarting. After the board is successfully restarted,
its status becomes normal. If the board is still in the Faulty state after
the restart, contact Huawei technical support.
– If the DB board and standby DB board are in the Service Stopped
state during operating system restoration, the service board and
standby service board are in the Faulty state after the operating
system is restored and boards are restarted. When this occurs, start
services on the DB board and standby DB board by referring to 4.3
Starting the Database Service and then perform a soft reset on the
service board and standby service board. If the service board and
standby service board are still in the Faulty state, contact Huawei
technical support.
5. Check in the Centralized Task Management area that the task is
executed successfully.
NOTICE
Do not perform any operation on the board if the restoration fails. Try to
restore data again. If the restoration still fails, contact Huawei technical
support.
6. In the left pane of the OSMU window, expand the Service
System navigation tree and choose Service Management >
Board Services.
7. Check on the Board Services tab page that the boards whose data
has been restored are in the Normal, Standby or Active state.
If the service board is in the Switched Over state, services on the
standby service board might have started earlier than those on the
service board. In this case, switch the boards based on the original
active/standby relationship by referring to 5.5 Switching
Resources Between U2000 Nodes Manually (Oracle) or 5.6
Switching Resources Between U2000 Nodes Manually
(Sybase).
Restore the U2000 static data:
1. In Restoration Task Wizard, select OSS application data
(static data), and click Next.
2. Select the U2000 whose static data you want to restore.
3. Specify Restore to data backup time to restore the static data of
the selected U2000 by using the backup file created at this time.
4. Click Finish to create a restoration task.
NOTE
It takes about 10 to 60 minutes to restore static data, depending on the size
of data stored in the disk array partition of the board.
5. Check in the Centralized Task Management area that the task is
executed successfully.
6. In the left pane of the OSMU window, expand the Service
System navigation tree and choose Service Management >
Board Services.
7. Check on the Board Services tab page that the boards deployed
with U2000 applications are in the Service Stopped or Standby
state after the restoration.
Restore the U2000 dynamic data:
1. In Restoration Task Wizard, select OSS dynamic data, and
click Next.
2. Select the U2000 whose dynamic data you want to restore.
3. Specify Restore to data backup time to restore the dynamic data
of the selected U2000 by using the backup file created at this
time.
NOTICE
– If the Oracle database is used and the dialog box "The db service is not running.
Are you sure want to continue based on the product configuration?" is displayed,
click YES to continue.
– If you have changed the server's IP address or the database user
password, you need to select a time following the latest modification
for Restore to data backup time. Otherwise, the restoration will fail.
4. Click Finish to create a restoration task.
NOTE
It takes about 30 to 5000 minutes to restore dynamic data, depending on
the size of data stored in the disk array partition of the board.
5. Check in the Centralized Task Management area that the task is
executed successfully.
6. In the left pane of the OSMU window, expand the Service
System navigation tree and choose Service Management >
Board Services.
7. Check on the Board Services tab page that the boards deployed
with U2000 applications are in the Normal or Standby state after
the restoration.
If any board is in the Service Stopped state, start U2000 system
services by referring to 4.5 Starting U2000 Services.
8. Manually synchronize the NE measurement result.
After the dynamic data is restored, manually recollect the NE
performance result data that is lost within the restoration period.
For details, see How Do I Synchronize Performance Results
Forcibly? in U2000 Performance Measurement Management
User Guide.
----End
This section describes how to perform the U2000 routine maintenance and recommends some
maintenance items and procedures.
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Service System > Service Management >
System Services.
Step 2 Select the cluster to be viewed from the list on the right side. Click View Resource Status.
You can view all the resource groups and their status in the cluster in the displayed dialog
box.
NOTE
A  SR5S2                  RUNNING  0
A  SR5S3                  RUNNING  0
A  SR5S4                  RUNNING  0
-- GROUP STATE
-- Group                  System  Probed  AutoDisabled  State
B  U2000ClusterSnmpGroup  SR5S2   Y       N             ONLINE
B  U2000ClusterSnmpGroup  SR5S3   Y       N             OFFLINE
B  U2000ClusterSnmpGroup  SR5S4   Y       N             OFFLINE
B  sr5s2_oss_sg           SR5S2   Y       N             ONLINE
B  sr5s2_oss_sg           SR5S4   Y       N             OFFLINE
B  sr5s3_oss_sg           SR5S3   Y       N             ONLINE
B  sr5s3_oss_sg           SR5S4   Y       N             OFFLINE
The displayed information indicates that the service cluster consists of three resource
groups.
– Resource group U2000ClusterSnmpGroup consists of nodes SR5S2, SR5S3, and
SR5S4.
A  SR5S11              RUNNING  0
A  SR5S14              RUNNING  0
A  SR6S4               RUNNING  0
-- GROUP STATE
-- Group               System  Probed  AutoDisabled  State
B  DBClusterSnmpGroup  SR5S11  Y       N             ONLINE
B  DBClusterSnmpGroup  SR5S14  Y       N             OFFLINE
B  DBClusterSnmpGroup  SR6S4   Y       N             OFFLINE
B  sr5s11_db_sg        SR5S11  Y       N             ONLINE
B  sr5s11_db_sg        SR5S14  Y       N             OFFLINE
B  sr6s4_db_sg         SR5S14  Y       N             OFFLINE
B  sr6s4_db_sg         SR6S4   Y       N             ONLINE
NOTE
The system shows the DB resource groups of all products, because the database boards of all
products constitute one database cluster that shares one standby DB board.
The displayed information indicates that the DB cluster consists of three resource
groups.
– Resource group DBClusterSnmpGroup consists of nodes SR5S11, SR5S14, and
SR6S4.
– Resource group sr5s11_db_sg consists of nodes SR5S11 and SR5S14.
– Resource group sr6s4_db_sg consists of nodes SR6S4 and SR5S14.
Correct status of the resource groups in the DB cluster is described as follows:
– Resource group DBClusterSnmpGroup is in the ONLINE state on only one node.
For example, in the preceding information, resource group DBClusterSnmpGroup
is in the ONLINE state on node SR5S11 only.
– Resource group sr5s11_db_sg is in the ONLINE state on only one node. The same
is true for resource group sr6s4_db_sg.
For example, in the preceding information, resource group sr5s11_db_sg is in the
ONLINE state on node SR5S11 only, and resource group sr6s4_db_sg is in the
ONLINE state on node SR6S4 only. Resource groups sr5s11_db_sg and
sr6s4_db_sg are both in the OFFLINE state on node SR5S14. This indicates that
node SR5S14 is the standby node of nodes SR5S11 and SR6S4. If the master node
in either resource group is faulty, services are switched to node SR5S14.
Step 3 Click OK. Then, the Query Cluster Resource dialog box is closed.
Step 4 Choose Service System > Service Management > Board Services from the navigation tree
in the left pane.
Step 5 Select the board whose cluster system resource status you want to view from the board
list on the right side. Click View Resource Status. The Query Board Resource dialog box is
displayed, showing the cluster system resource status on the board.
Step 6 Click OK. Then the Query Board Resource dialog box is closed.
----End
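The rule described above (each resource group ONLINE on exactly one node, with the standby node holding only OFFLINE entries) can be checked mechanically. The following shell script is an added example, not part of the guide or of the product's tooling; the function names (normalize_rows, check_groups, idle_nodes) and the sample data are constructed here from the DB cluster listing shown earlier, and treating any state other than ONLINE or OFFLINE as a failure is an assumption.

```shell
#!/bin/sh
# Added example: verify a "GROUP STATE" listing against the guide's rule.
# Row layout, as in the guide's output:
#   B <group> <system> <probed> <autodisabled> <state>
# A row whose state wrapped onto the following line is also accepted.

# Constructed sample: the DB cluster listing from the guide, one row per line.
sample_db_cluster() {
cat <<'EOF'
A  SR5S11  RUNNING  0
A  SR5S14  RUNNING  0
A  SR6S4   RUNNING  0
-- GROUP STATE
-- Group               System  Probed  AutoDisabled  State
B  DBClusterSnmpGroup  SR5S11  Y       N             ONLINE
B  DBClusterSnmpGroup  SR5S14  Y       N             OFFLINE
B  DBClusterSnmpGroup  SR6S4   Y       N             OFFLINE
B  sr5s11_db_sg        SR5S11  Y       N             ONLINE
B  sr5s11_db_sg        SR5S14  Y       N             OFFLINE
B  sr6s4_db_sg         SR5S14  Y       N             OFFLINE
B  sr6s4_db_sg         SR6S4   Y       N             ONLINE
EOF
}

# Constructed failure case: sr5s11_db_sg is ONLINE on two nodes at once and
# sr6s4_db_sg is ONLINE nowhere; the last row has its state on the next line.
sample_bad_cluster() {
cat <<'EOF'
-- GROUP STATE
B  sr5s11_db_sg  SR5S11  Y  N  ONLINE
B  sr5s11_db_sg  SR5S14  Y  N  ONLINE
B  sr6s4_db_sg   SR5S14  Y  N  OFFLINE
B  sr6s4_db_sg   SR6S4   Y  N
OFFLINE
EOF
}

# normalize_rows: emit "<group> <system> <state>" for every group row,
# re-joining a state that wrapped onto its own line.
normalize_rows() {
    awk '
        pending != "" && NF == 1 { print pending, $1; pending = ""; next }
        { pending = "" }
        $1 == "B" && NF >= 6 { print $2, $3, $6; next }
        $1 == "B" && NF == 5 { pending = $2 " " $3 }
    '
}

# check_groups: read a listing on stdin, print one verdict per resource group,
# and return 0 only if every group is ONLINE on exactly one node and all of
# its other rows are OFFLINE. An empty listing counts as a failure.
check_groups() {
    normalize_rows | awk '
        {
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
            if ($3 == "ONLINE") { count[$1]++; where[$1] = where[$1] " " $2 }
            else if ($3 != "OFFLINE") { odd[$1] = odd[$1] " " $2 ":" $3 }
        }
        END {
            bad = (n == 0)
            for (i = 1; i <= n; i++) {
                g = order[i]
                if (count[g] == 1 && odd[g] == "") {
                    printf "OK   %s online on%s\n", g, where[g]
                } else {
                    bad = 1
                    printf "FAIL %s online on %d node(s):%s%s\n", g, count[g], where[g], odd[g]
                }
            }
            exit bad
        }'
}

# idle_nodes: list nodes that host no ONLINE group. In a healthy listing this
# is the shared standby node (SR5S14 in the guide's DB cluster).
idle_nodes() {
    normalize_rows | awk '
        { if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 } }
        $3 == "ONLINE" { busy[$2] = 1 }
        END { for (i = 1; i <= n; i++) if (!(order[i] in busy)) print order[i] }
    '
}

# Run on the constructed healthy sample.
sample_db_cluster | check_groups
echo "standby (idle) node(s): $(sample_db_cluster | idle_nodes)"
```

To use it on a live system, paste or pipe the listing copied from the View Resource Status dialog box into check_groups; a non-zero exit status means at least one group violates the rule.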
Prerequisites
• You have logged in to the U2000 client.
• You are authorized to perform performance management.
Procedure
Step 1 Choose Performance > Measurement Management (traditional style); alternatively,
double-click Performance in Application Center and choose Measurement > Measurement
Management (application style). The Measurement Management window is displayed.
Step 2 On the Display By tab page, select Object type or Function subset.
Step 3 In the navigation tree in the upper left pane, select an NE type, object type, or function
subset, and then select an NE from the NE navigation tree in the lower left pane.
Step 4 Click the Status tab page to view measurement status information about the selected NE.
----End
Expected Result
The measurement status information about the selected NE is normal. In addition, no alarm
indicating that the value of a measurement entity has reached the preset threshold is
generated.
Exception Handling
If any fault occurs, contact Huawei technical support.
Prerequisites
• You have logged in to the U2000 client.
• You have permission to perform performance management.
Context
The diagnosis function applies only to performance results that meet the following
requirements:
• The query period is not a summary period.
• The query objects are not neighboring cells.
• The query time segment is continuous.
• The query counters are not busy-hour counters.
• The result loss diagnosis for the process of reporting 5-minute results is not supported.
• The result loss diagnosis for the process of reporting CBSC results is not supported.
Procedure
Step 1 Choose Performance > Query Result (traditional style); alternatively, double-click
Performance in Application Center and choose Result > Query Result (application style).
The Query Result window is displayed.
Step 2 In the lower part of the window, click Diagnose Result Loss.
Step 3 In the displayed Diagnose Condition window, set the relevant parameters.
For details about the parameters, see section Parameters for Setting Result Loss Diagnosis
Criteria in U2000 Performance Measurement Management User Guide.
Step 4 Click Diagnose.
Step 5 In the displayed Diagnose Result Loss window, check the cause of and solution to
performance result loss.
For details about the causes of and solutions to performance result loss, see section
Diagnosing Measurement Result Loss in U2000 Performance Measurement Management
User Guide.
----End
Prerequisites
• You have logged in to the U2000 client.
• You have permission to perform fault management.
Procedure
Step 1 Choose Monitor > Browse Current Alarms (traditional style); alternatively, double-click
Fault Management in Application Center and choose Browse Alarm > Browse Current
Alarms (application style). The Filter window is displayed.
If you have set the default template, or have specified that the Filter dialog box is not
automatically displayed by following the procedure described in Alarm/Event Filtering, you
need to click Filter to open the Filter dialog box.
Step 3 Verify that the U2000 can receive alarms reported by NEs in real time.
----End
Procedure
Step 1 Ensure that the NMS can collect the alarms and performance data reported from the U2000.
----End
Prerequisites
• You have logged in to the U2000.
• You are authorized to perform fault management.
Procedure
Step 1 Choose Monitor > Alarm Settings > Options (traditional style); alternatively, double-click
Fault Management in Application Center and choose Alarm Settings > Options
(application style). The Alarm Option window is displayed.
Step 2 View the settings. Ensure that alarms generated from the NEs, which satisfy the conditions,
can be indicated on the alarm box in real time.
----End
Prerequisites
• You have logged in to the U2000 client.
• You have permission to query alarms and events.
Procedure
Step 1 In the U2000 client, choose Topology > Main Topology (traditional style); alternatively,
double-click Topo View in Application Center and choose Topology > Main Topology
(application style).
Step 2 In the topology view, check whether the OSS icon has an alarm indicator.
When the system is running properly, no alarm is generated. The OSS icon is not colored and
displays no alarm balloon.
Step 3 Right-click the OSS icon and choose Query Alarm/Event > Current Alarm from the
shortcut menu.
• If you see an alarm listed in Table 22-1, handle the alarm immediately.
• If you see an alarm listed in Table 22-2, handle the alarm within one day.
Step 4 Right-click the OSS icon and choose Query Alarm/Event > Event Logs from the shortcut
menu.
If you see an event listed in Table 22-3, handle the event immediately.
----End
Prerequisites
• You have logged in to the U2000 client.
• You have permission to query the connection status of NEs.
Procedure
Step 1 Choose System > NE Monitor (traditional style) or double-click Configuration in
Application Center and choose Browser > NE Monitor (application style). The NE
Monitor dialog box is displayed.
You can query the connection status of NEs. The connection status includes Normal and
Offline.
----End
Expected Result
When NEs are in the Normal state, they are properly connected to the U2000.
Exception Handling
If NEs are in the Offline state, the NEs cannot be pinged on the U2000 because the device is
shut down or deliberately isolated, the network communication is faulty, or NEs are not
allowed to communicate with the U2000. When this occurs, contact Huawei technical
support.
Prerequisites
• You have logged in to the U2000.
• You are authorized to check U2000 logs.
Procedure
Step 1 Choose System > Log Management > Query Operation Logs (traditional style);
alternatively, double-click Security Management in Application Center and choose Log
Management > Query Operation Logs (application style).
The Query Operation Logs window is displayed. By default, the system opens the Filter
window automatically.
Step 2 Set search criteria in the Filter window and click OK.
User logs can be queried based on users, operations, terminals, time ranges, results, or objects.
----End
Expected Result
The U2000 operation logs do not contain the records about abnormal operations, malicious
operations, or unauthorized logins.
Exception Handling
Make sure that the related operations are valid. You can reset the operation rights of a user if
necessary. For details about how to set the user rights, see Viewing Operation Rights of a User
or User Group in U2000 User Management User Guide.
Prerequisites
• You have logged in to the U2000 client.
• You have the relevant operation rights.
Context
• Querying the system logs requires only a few system resources and does not affect the
system operation.
• The contents of the system logs:
– Risk Level: System logs can be categorized into three levels in descending order:
Risk, Minor, Info.
– Source: Sources, such as Fault Management, Integrated Task Management, are
identified by the logos of the subsystems in the U2000 system.
– Operation Time: Identifies the time when a system log is recorded.
– Basic information: Provides the basic information on system operation, such as the
information about service startup.
– Operation Result: Identifies the result of operation.
– Details: Provides the details on system operation.
Procedure
Step 1 Choose System > Log Management > Query System Logs (traditional style); alternatively,
double-click Security Management in Application Center and choose Log Management >
Query System Logs (application style). The Filter dialog box is displayed.
Step 2 Set the filter criteria in the Filter dialog box, and then click OK. The Query System Logs
window is displayed.
In the displayed Log Details dialog box, the system displays details about a successful
operation or a failed operation.
Step 4 Right-click a record and save the specified system logs as a file.
----End
Prerequisites
You have logged in to the U2000 server through the KVM of the OSMU as user root. For
details, see 26.1.2 Logging In to the board by Using the KVM of the OSMU.
Procedure
Step 1 Run the following command:
# df -h
Clean up the disk space if the disk space is insufficient. For details, see 12.3 Clearing the
Disk Space of the U2000 Server.
Step 4 Check whether the disk usage of the server is in the required range.
Generally, the disk usage should be lower than 80%. That is, capacity is lower than 80% in
the command output.
----End
Prerequisites
• You have logged in to the U2000 client.
• You have the relevant operation rights.
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
The System Monitor Browser window is displayed.
----End
Expected Result
The database works properly and the database usage is smaller than 90%.
Exception Handling
Clear the database if the database space is insufficient. For details, see 12.2 Clearing
U2000 Databases. The clearing operation does not affect the system operation.
Prerequisites
• You have logged in to the U2000 client.
• You have the relevant operation rights.
Procedure
Step 1 Choose Monitor > System Monitor > Browser (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Browser (application style).
The System Monitor Browser window is displayed.
Step 2 Click the Service Monitor or Process Monitor tab to monitor the processes running on the
U2000 server.
----End
Expected Result
The Status of all U2000 services is Running.
Exception Handling
If a process is running incorrectly or is terminated unexpectedly, log in to the
U2000 server as user ossuser. Run the kill -9 pid command to forcibly kill the process, where
pid indicates the process ID. The start_svc command is used to start all the U2000 services.
If some services are not started, run the start_svc command again. If a process is still
inactive, contact Huawei technical support for assistance.
Prerequisites
You have logged in to the U2000 server through the KVM of the OSMU as user root. For
details, see 26.1.2 Logging In to the board by Using the KVM of the OSMU.
Procedure
Step 1 Navigate to the /opt/oss/server/var/logs directory.
# cd /opt/oss/server/var/logs
Step 2 Find files whose names begin with core in the /opt/oss/server/var/logs directory.
# ls -ltr core*
The files are listed in order of time from the earliest to the latest.
Step 3 Do as follows to ensure that there is no file whose name begins with core in the /opt/oss/
server/var/logs directory:
• Delete the files whose names begin with core generated one week ago or earlier.
• Contact Huawei technical support to handle the files whose names begin with core
generated within one week.
----End
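Step 3 above can be scripted as a dry-run report with an optional delete mode. This is an added example, not a script shipped with the U2000; the function name triage_cores is hypothetical, and "one week" is taken to mean a file modification time 7 or more days old.

```shell
#!/bin/sh
# Added example: triage core* files by age, following Step 3 of the guide.
# LOG_DIR defaults to the directory named in the guide.
LOG_DIR=${LOG_DIR:-/opt/oss/server/var/logs}

# triage_cores DIR [delete]
#   Prints "OLD <path>" for core* files last modified 7 or more days ago and
#   "RECENT <path>" for newer ones. With "delete" as the second argument the
#   OLD files are removed. RECENT files are never removed, so they remain
#   available for technical support to analyse.
triage_cores() {
    dir=$1
    mode=${2:-report}
    if [ ! -d "$dir" ]; then
        echo "triage_cores: no such directory: $dir" >&2
        return 2
    fi
    # -type f restricts the match to regular files (no directories or
    # symlinks) and -maxdepth 1 keeps the search inside $dir itself.
    # -mtime +6 matches an age of more than 6 whole days, i.e. 7 days or more.
    find "$dir" -maxdepth 1 -type f -name 'core*' -mtime +6 | sort |
    while IFS= read -r f; do
        echo "OLD $f"
        if [ "$mode" = delete ]; then
            rm -f -- "$f"
        fi
    done
    find "$dir" -maxdepth 1 -type f -name 'core*' ! -mtime +6 | sort |
    while IFS= read -r f; do
        echo "RECENT $f"
    done
}

# Report only; nothing is deleted unless "delete" is passed explicitly.
if [ -d "$LOG_DIR" ]; then
    triage_cores "$LOG_DIR"
fi
```

Run it once without arguments to review the report, then call triage_cores "$LOG_DIR" delete to remove only the files listed as OLD.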
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
The disk array information of each board and tape controller is collected by a task for
collecting environment information, and a result file containing environment information is
generated. The collected information includes:
• Subrack information and disk array information
• Operating system information of a board, database information, logical volume manager
information, and cluster system information
• Information of each U2000 service module
For details about the collection items and the check results of environment information, see
Result Files for Environment Information in OSMU Online Help.
NOTE
You are advised to collect environment information of the ATAE cluster system once a week to find
potential system risks in time and prevent system faults.
Procedure
Step 1 From the navigation tree in the OSMU main window, choose Routine Maintenance >
Collect and Check System Info.
Step 2 Click Collect on the Collect and Check System Info tab page in the right pane. The Collect
and Check System Info dialog box is displayed.
Step 3 Set Select information type to collect to Environment information, and click Next.
Step 4 Set Select collect type to Collect exception items info or Collect all items info and click
Next.
Step 5 In the dialog box, select all the devices (by default) or select the devices whose environment
information you want to collect, and click Finish. In the displayed Information dialog box,
click OK.
Step 6 In the Centralized Task Management window, check the operating status of the task for
collecting environment information, and perform operations based on the execution result.
If... Then...
NOTE
If you want to view other files in the Rack1 folder, open these files by using the UltraEdit tool. If
you open these files by using the Notepad of the Windows operating system, the file format
becomes incorrect.
Step 8 Optional: Delete the result files that are not required to save system resources.
1. On the Collect and Check System Info tab page in the right pane, select the files that
you want to delete.
2. Click Delete.
3. In the displayed dialog box, click Yes.
----End
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
You select collection items based on required software and hardware information. The
collection items include:
• Subrack information, disk array information, and logs generated during switching board
operation
• Operating system information of a board, database information, logical volume manager
information, and cluster system information
• Run logs of the OSMU
Procedure
Step 1 In the navigation tree of the main window, choose Routine Maintenance > Collect and
Check System Info.
Step 2 On the Collect and Check System Info tab page in the right pane, click Collect.
Step 3 In the displayed Collect and Check System Info dialog box, select Location information,
and click Next.
Step 4 In this dialog box, select required collection items, and click Next. Then, select all the devices
(by default) or select the devices whose environment information you want to collect, and
click Finish. In the next displayed dialog box, click OK.
NOTICE
If the required collection items include Switch Board Logs, the Switch Board Logs dialog
box is displayed, asking you to enter the password for user osmuuser.
Step 5 In the Centralized Task Management window, check the operating status of the task for
collecting locating information, and perform operations based on the execution result.
If... Then...
If you want to view other files in the Rack1 folder, open these files by using the UltraEdit tool. If
you open these files by using the Notepad of the Windows operating system, the file format
becomes incorrect.
Step 7 Optional: Delete the result files that are not required to save system resources.
1. On the Collect and Check System Info tab page in the right pane, select the files that
you want to delete.
2. Click Delete.
3. In the displayed dialog box, click Yes.
----End
Prerequisites
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
• Kdump information has been generated. For details, see 26.1.11 Generating Kdump
Information of the Board.
Procedure
Step 1 In the left pane of the OSMU window, expand the Routine Maintenance navigation tree and
choose Collect and Check System Info.
Step 2 Click Collect in the Collect and Check System Info tab on the right. The Collect and
Check System Info dialog box is displayed.
Step 3 Set Select information type to collect to Operating system Kdump information. Click
Next.
Step 4 Select the board whose operating system Kdump information you want to collect, and click
Finish. The Information dialog box is displayed.
Step 6 View the running state of the task of collecting Kdump information in the Centralized Task
Management window and perform the relevant operation based on the running result.
If... Then...
Step 8 Optional: Delete the Kdump information file that is not required to save system resources.
1. Select the check box in front of the file that is to be deleted in the Collect and Check
System Info tab on the right.
2. Click Delete.
3. In the displayed dialog box, click Yes.
----End
Prerequisites
• You have logged in to the U2000.
• You are authorized to check the configuration of U2000 integrated task management.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
The Task Management window is displayed.
Step 2 Under the Database Capacity Management node in the Task Type navigation tree in the left
pane, choose the Alarm Data node.
You can also double-click the Alarm/Event Log Dump node to open the Attributes window.
Step 3 Select the task in the right pane and click Attribute.
Step 4 In the Attribute window, check the configuration of automatic alarm data dumping.
Step 5 Ensure that the configuration of automatic alarm data dumping is correct.
----End
Prerequisites
• You have logged in to the U2000 client.
• You are authorized to check the configuration of U2000 integrated task management.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
The Task Management window is displayed.
Step 2 Check the configuration of automatic dump of U2000 operation logs.
1. Under the Database Capacity Management node in the Task Type navigation tree in
the left pane, choose Operation Log Dump.
2. Select the task in the right pane. Click Attribute.
3. Check the configuration of automatic dump of operation logs in the Attribute window.
4. Ensure that the configuration is appropriate.
Step 3 Check the configuration of automatic dump of U2000 system logs.
1. Under the Database Capacity Management node in the Task Type navigation tree in
the left pane, choose System Log Dump.
2. Select the task in the right pane. Click Attribute.
3. Check the configuration of automatic dump of system logs in the Attribute window.
4. Ensure that the configuration is appropriate.
----End
Prerequisites
• You have logged in to the U2000.
• You are authorized to check the configuration of U2000 integrated task management.
Context
Perform this operation only if an NE that supports this function exists.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
Step 2 Under the Synchronization node in the Task Type navigation tree in the left pane, choose
NE Log Synchronization.
Step 3 Select the task in the right pane, and click Attribute.
Step 4 View the configuration of the time for synchronizing NE logs in the Attribute dialog box.
----End
Prerequisites
• You have logged in to the U2000.
• You are authorized to check the configuration of the U2000 file server.
Procedure
Step 1 Choose Software > File Server Settings (traditional style); alternatively, double-click
Configuration in Application Center and choose Settings > File Server Settings
(application style).
The File Server Setting window is displayed.
Step 2 Choose the NE type from the ROOT navigation tree in the left pane.
Step 3 Check the name and IP address of the file server in the right pane.
----End
Prerequisites
• You have logged in to the U2000.
• You are authorized to check the configuration of U2000 integrated task management.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
The Task Management window is displayed.
Step 2 Check whether the periodic backup of the U2000 server is started and whether the start time is
correct.
1. Under the Backup node in the Task Type navigation tree in the left pane, choose the
Server Backup node.
2. View Last Run Time and State in the right pane. Ensure that the task is running in the
execution time.
3. Select the task in the right pane, and click Attribute.
4. View the configuration of periodic backup time for the U2000 server in the Attribute
dialog box.
5. Ensure that the configuration is correct.
Step 3 Check whether the periodic backup of the NE is started and whether the start time is
appropriate.
1. Under the Backup node in the Task Type navigation tree in the left pane, choose the NE
Backup node.
2. View Last Run Time and State in the right pane. Ensure that the task is running in the
execution time.
3. Select the task in the right pane, and click Attribute.
4. View the configuration of periodic backup time for NEs in the Attribute dialog box.
Ensure that the configuration is correct.
----End
Expected Result
The periodic auto-backup tasks of the U2000 server and the NE are started, and the start time
is set properly. The backup files exist in the backup directories of the U2000 server and the
NE.
Exception Handling
If the periodic auto-backup task of the U2000 or an NE is not started, you can reset the
backup task.
Context
The recommended thresholds of the CPU usage, memory usage, and database usage are 80%.
Procedure
Step 1 Choose Monitor > System Monitor > Settings (traditional style); alternatively, double-click
System Management in Application Center and choose System > System Monitor >
Settings from the main menu (application style).
The System Monitor Settings dialog box is displayed.
Step 2 Click the Server Monitor tab to check whether the settings of the CPU usage and memory
usage thresholds are appropriate.
Step 3 Click the Hard Disk Monitor tab to check whether the settings of the disk usage thresholds
are appropriate.
Step 4 Click the Database Monitor tab to check whether the settings of the database usage
thresholds are appropriate.
Step 5 Click the Service Monitor tab to check whether the settings of the service status refresh
interval thresholds are appropriate.
----End
Example
For details about the parameters for monitoring the server, see Server Monitor.
For details about the parameters for monitoring the disks of the server, see Hard Disk
Monitor.
• Show Pop-up Message: If Show Pop-up Message is set to Yes for a disk partition, a pop-up
message is displayed on the U2000 client when the usage of the disk partition reaches Alarm
Generation Threshold. When the usage is smaller than Alarm Clearance Threshold, the pop-up
message disappears.
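The generation/clearance rule described above, as an added example that is not part of the original guide: it replays a series of disk-usage readings and shows when the pop-up is raised and cleared. The 80% generation value is the guide's recommended threshold; the 75% clearance value, the sample readings and the function names are constructed for the demo.

```bash
#!/bin/sh
# Added example, not taken from the U2000 guide.
# Rule modelled: raise when usage reaches the Alarm Generation Threshold,
# clear only when usage falls below the Alarm Clearance Threshold.

# alarm_transitions GEN CLEAR USAGE...
# Prints "<usage> <state> <event>" per reading. state is OK or ALARM;
# event is RAISED, CLEARED, or "-" when the state did not change.
alarm_transitions() {
    local gen=$1 clear=$2 state=OK event usage
    shift 2
    # With clearance above generation the alarm would flap on every reading.
    if [ "$clear" -gt "$gen" ]; then
        echo "clearance threshold $clear exceeds generation threshold $gen" >&2
        return 2
    fi
    for usage in "$@"; do
        event=-
        if [ "$state" = OK ] && [ "$usage" -ge "$gen" ]; then
            state=ALARM
            event=RAISED
        elif [ "$state" = ALARM ] && [ "$usage" -lt "$clear" ]; then
            state=OK
            event=CLEARED
        fi
        printf '%s %s %s\n' "$usage" "$state" "$event"
    done
}

# count_events EVENT GEN CLEAR USAGE...
# Number of RAISED or CLEARED transitions in the series.
count_events() {
    local want=$1
    shift
    alarm_transitions "$@" | awk -v want="$want" '$3 == want { n++ } END { print n + 0 }'
}

# partition_usage MOUNTPOINT
# Current usage of a mounted file system in percent, for feeding live readings.
partition_usage() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Constructed usage readings (percent) that hover around the 80% mark.
SAMPLES="70 78 80 79 76 74 82 77 90 60"

alarm_transitions 80 75 $SAMPLES
echo "pop-ups with clearance at 75%: $(count_events RAISED 80 75 $SAMPLES)"
echo "pop-ups with clearance at 80%: $(count_events RAISED 80 80 $SAMPLES)"
```

Setting the clearance threshold equal to the generation threshold raises the pop-up once more on the same readings, which is why a gap between the two values reduces alarm noise.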
For details about the parameters for monitoring the database of the server, see Database
Monitor.
alarm generation threshold.
Disable the database monitoring.
For details about the parameters for monitoring the server services, see Service Monitor.
Prerequisites
• You have logged in to the U2000.
• You are authorized to check the configuration of the U2000 integrated task management.
Context
Perform this operation only if an NE that supports this function exists.
Procedure
Step 1 Choose Maintenance > Task Management (traditional style); alternatively, double-click
System Management in Application Center and choose Task Schedule > Task
Management (application style).
The Task Management window is displayed.
Step 2 Under the Synchronization node in the Task Type navigation tree in the left pane, select the
NE Configuration Data Synchronization node.
Step 3 Select the task in the right pane. Click Attribute.
Step 4 View the setting of the time for synchronizing NE configuration data in the Attribute dialog
box.
Step 5 Ensure that the configuration is correct.
----End
Procedure
Step 1 Check whether the U2000 management capability exceeds the threshold. Ensure that the
number of equivalent NEs managed by the U2000 is not beyond the capacity.
Contact Huawei technical support.
----End
Prerequisites
• You have logged in to the U2000 client.
• You are authorized to back up the U2000 system.
Procedure
Step 1 Choose Maintenance > Backup Management > System Backup (traditional style);
alternatively, double-click System Management in Application Center and choose System
> System Backup (application style) in the main window.
Step 2 In the displayed System Backup dialog box, click Full Backup.
----End
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Routine Maintenance > Time Management.
Step 2 In Time and Time Zone in the right pane, check whether the system time is correct.
If the time is incorrect, change it by following instructions provided in 3.10 Changing the
Time and Time Zone of the U2000 Server.
----End
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Service System > Service Management >
Board Services.
The basic information of all boards is listed in the right pane.
Step 2 Table 22-4 describes the current status of U2000 services and database services.
U2000DB
• For the Oracle database:
– OSSDB
– OSSPMDB
• For the Sybase database: The one whose name contains DBSVR
Normal | The database services are running properly.
Service Stopped | The database services are stopped.
Switched Over | The database services on this node have been switched to the standby node.
Others | The database services are not installed or are abnormal.
NOTE
When a node is in the Switched Over state, you can perform the following operations to check whether
the switchover is normal:
1. In the navigation tree in the main window, choose Device Management > Device Information >
Details.
2. Select the board that is in the Switched Over state and view the status of the board service in the
Details area.
– If the value of Service software running status is StoppedSwitchOver, the switchover is a
normal one and there are no abnormal resources on the node.
– If the value of Service software running status is AbnormalSwitchOver, the switchover is
caused by a fault and there are abnormal resources on the node.
NOTICE
The Veritas Cluster Software (VCS) in the ATAE cluster system monitors only the daemon
process of each board. Even if the daemon process is normal, U2000 services on some boards
may be abnormal. You can perform the following operations to check the status of all U2000
services.
1. In the navigation tree in the left pane, choose Service System > Service Management >
Board Services.
2. On the Board Services tab page in the right pane, find boards whose System is U2000
and that are in the Normal state, and record SN of these boards.
3. Log in to any of the boards found in Step 3.2 as user root using the keyboard, video, and
mouse (KVM) of the OSMU. For details, see 26.1.2 Logging In to the board by Using
the KVM of the OSMU.
4. Run the following commands to check the U2000 service status:
# cd /opt/oss/server
# . ./svc_profile.sh
– In the system output, if Not Running of all Host is 0, all U2000 services are
started.
– In the system output, if Running of all Host is 0, all U2000 services are stopped.
NOTE
The U2000 system generates processes and services dynamically during its operation.
Accordingly, the number of the processes and services that are found changes dynamically.
----End
Prerequisites
• You have applied for an account at http://support.huawei.com and have permission to
download related documents.
• You have contacted Huawei technical support engineers and asked them to download the
latest iManager OSMU V200R002C50CP2001 Release Notes at http://support.huawei.com.
Huawei technical support engineers can obtain iManager OSMU(3rd-Upgrade_X.0)V200R002C50CP2001
Third-Party Software Upgrade Guide and iManager OSMU V200R002C50CP2001 Release Notes
from iManager OSMU(3rd-Upgrade_X.0)target version ReleaseDoc_ENG and iManager
OSMU(Upgrade_X.0)target version ReleaseDoc_ENG in the following path of
http://support.huawei.com: Software > Wireless Network > SingleOSS-MBB > SingleOSS-MBB >
M2000-Common > iManager OSMU.
• You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
Context
NOTICE
You must check the kernel versions of the SUSE Linux OS, Oracle/Sybase database, and VCS
software. If the kernel version of any of these is earlier than that required in the iManager
OSMU V200R002C50CP2001 Release Notes, you must upgrade that software by referring to
the latest iManager OSMU(3rd-Upgrade_X.0)V200R002C50CP2001 Third-Party Software
Upgrade Guide.
Procedure
Step 1 In the left pane of the OSMU window, expand the Service System navigation tree and choose
Service Management > Board Services.
Step 2 On the Board Services tab page in the right pane, check that the boards running basic
software are in any of the following states: Active, Service Stopped, Normal, Standby, and
Service Takeover.
Step 3 In the left pane of the OSMU window, expand the Software Management navigation tree
and choose OEM Part Version.
Step 4 On the OEM Part Version tab page in the right pane, select the relevant board and click
Query Version.
A dialog box is displayed, showing the versions of the basic software installed on the board.
NOTE
The basic software installed on boards varies from one board to another. If a piece of software has not
been installed on a board, its version information is N/A.
----End
Prerequisites
You have contacted Huawei technical support engineers to obtain the corresponding version
of SUSE Linux SPLX User Guide from http://support.huawei.com.
Procedure
Step 1 Install OS patches in time.
Step 2 Install antivirus software and check that it is successfully installed and
running properly.
For detailed operations, see SUSE Linux SPLX User Guide.
Step 3 Configure scan periods and periodically scan for viruses.
For detailed operations, see SUSE Linux SPLX User Guide.
----End
Procedure
Step 1 Check whether the LED indicator of the front panel of a disk array is yellow. If the LED
indicator is yellow, a configuration or hardware fault occurs on the power supply, controller,
or disk array. In this case, contact Huawei technical support for assistance.
----End
Context
• When the period between the current day and Overflow Time of the license is less than
or equal to 30 days, the system displays a dialog box after a user logs in, prompting the
user to update the license. In addition, the system reminds the user of a license update
every 12 hours.
• If a user does not apply a new license after the license expires, the U2000 reports
ALM-297 The OSS License Expired, indicating that the license has expired. In addition,
the client periodically displays an expiration notification dialog box. Table 22-6
describes the frequency of displaying the expiration notification dialog box on the client.
Table 22-6 Frequency of displaying the license expiration notification dialog box
Duration After Expiration | Frequency of Display
More than 30 days but less than or equal to 60 days | Once every 6 hours
• Assume that the permanent commercial and fixed-period license files of a product are
used simultaneously on the OSS. If the fixed-period license file enters the retention
period, the U2000 reports ALM-294 Expired OSS License File.
• If a user uses the temporary license file of a product on the OSS, the OSS displays a
dialog box indicating that the temporary license file is used after the user logs in to a
client.
Procedure
Step 1 Choose License > OSS License Management > License Information (traditional style).
Alternatively, double-click System Management in Application Center and choose License
Management > License Information (application style).
NOTE
Step 2 In the License Information dialog box, query the license information about resources and
functions on the Resource Control Item and Function Control Item tabs.
----End
Reference Standard
• In normal cases, the temperature in equipment rooms ranges from 10°C to 35°C.
• In normal cases, the relative humidity in equipment rooms ranges from 10% to 80%.
Procedure
1. Observe the thermometers in the equipment room.
2. Observe the hygrometers in the equipment room.
Exception Handling
If the temperature and humidity of an equipment room do not meet requirements, perform the
following operations:
1. Check whether air conditioners are started.
If the air conditioners are not started, start them.
2. Check whether the air conditioners are faulty.
If the air conditioners are faulty, contact air conditioner maintenance engineers for
troubleshooting.
3. Check whether water penetration, leakage, or dew condensation appears in the
equipment room.
Reference Standard
• The RUN indicator is green.
• The ALM indicator is off.
Procedure
1. Access the equipment room where the cabinet is located.
2. Observe the indicator on the PDB on the cabinet.
RUN indicates a run indicator, and ALM indicates an alarm indicator.
Exception Handling
If the PDB indicator is abnormal, perform the following operations:
1. Check whether the telecommunications room is powered on properly.
2. Check whether the cables in the cabinet are connected properly.
3. If the PDB indicator is still faulty, contact Huawei technical support.
Reference Standard
Filler panels are installed in the vacant slots of the shelf.
Procedure
1. Go to the equipment room where the shelf is located.
2. Check whether filler panels are installed in the vacant slots of the shelf.
Exception Handling
If vacant slots in the shelf have no filler panels, install filler panels in them.
Reference Standard
• There is no dust on the surface of the cabinet or around the air intake vents at the
bottom of the cabinet.
• There is no foreign object inside a cabinet or on top of it.
• All the rodent-proof nets are bundled well and are not damaged.
• The power cables and signal cables are laid out from both sides of the cabinet.
• The optical fibers are not bent sharply or stretched forcibly.
Procedure
1. Check whether there is dust on the cabinet.
2. Check cabinet protection status.
a. Check for any foreign object that may have been attached to the top of the cabinet
or may have fallen into the cabinet.
b. Check whether the rodent-proof nets at the exits of signal cables on the top or at the
bottom of each cabinet are wrapped and bundled properly. Make sure that they are
not damaged.
3. Check the layout situation of the power cables and signal cables in the cabinet.
Exception Handling
If there is any dust on the cabinet, use clean and dry cotton gauze to clean the surface of
cabinet, and use a vacuum cleaner to clean the air exhaust vent at the bottom of the cabinet.
Reference Standard
• The spare parts must be stored in a specialized warehouse.
• Boards must be stored in ESD packages.
• At least one spare board is available for each model of board.
• At least one spare fan module, one spare power module, and two spare hard disks are
available.
• All spare parts are intact and complete without being damaged or eroded. The damaged
parts must be sent for repair in time.
Procedure
1. Check the conditions of the warehouses for storing spare parts.
Check the conditions of the warehouses, such as fire resistance, dust-proof, magnetic
resistance, damp-proof, ventilation, and shock-proof conditions.
2. Check the number of the spare parts.
Make sure that the number and types of spare parts can meet the maintenance
requirements.
Exception Handling
• If the spare part library does not meet requirements, optimize the repository.
• If the number of spare parts is insufficient, contact Huawei technical support engineers to
apply for spare parts.
Reference Standard
• The grounding system shows no damage, aging, corrosion, or arc burns.
• The ground terminals and captive screws make good contact.
• The ground resistance of each component in the cabinet is about 1 ohm.
• The ground resistance of the ground network of the equipment room is less than 10 ohm.
Procedure
1. Check the appearance of ground cables.
2. Check connections of ground cables.
Ensure that none of the connection terminals and captive screws in the cabinet is loose or eroded.
3. Use a multimeter to check whether all the components in a cabinet are grounded
properly.
a. Adjust the multimeter to the ohm range. Then connect one probe to a fixed
grounding point in the equipment room.
b. Connect the other probe to the grounding points in the cabinet in turn to measure
the resistance of each grounding point. The measurement resistance for each
grounding point must be about 1 ohm.
4. Use the ground resistance tester to measure the ground resistance of the ground network.
The ground resistance must be less than 10 ohm.
During the measurement, place the voltage pole and current pole of the earth resistance
tester as shown in Figure 23-1.
– The current pole is placed at a distance d1 from the edge of the grounding network,
where d1 is four to five times the maximum diagonal length (D) of the grounding
network.
– The voltage pole is placed at a distance d2 from the edge of the grounding network,
where d2 is 50% to 60% of the distance d1 between the current pole and the grounding
network.
– When measuring the resistance, move the voltage pole three times along the line
between the current pole and the grounding network. The distance moved each time
is 5% of d1. If the three measured resistance values are close, take their average.
This value is the resistance of the grounding network.
– If d1 cannot be four to five times D:
▪ Set d1 to 2D and d2 to D in areas with even earth resistivity.
▪ Set d1 to 3D and d2 to 1.7D in areas with uneven earth resistivity.
Cautions for measuring the grounding resistance:
– Place the current pole and voltage pole vertical to the line or the underground metal
pipe.
– Do not measure the grounding resistance immediately after rainfall.
Exception Handling
NOTICE
Before rectifying cable connection problems, take ESD protection or other measures to protect
personnel and devices.
• If the ground cable appearance does not meet requirements, replace the corresponding
ground cables.
• If ground cables are loose, use a tool to fasten them.
• If the measurement resistance of a grounding point is obviously greater than 1 ohm,
check ground cables, connection terminals, and captive screws of the grounding point
and take proper measures to rectify any problems.
• If the ground resistance of the ground network is obviously greater than 10 ohm, take
proper measures to rectify the problem.
Reference Standard
• No cable is damaged, aged, eroded, or burnt by electricity.
• The characters on the labels are clear. The label information is correct and the labels are
tightly fixed on cables.
• All the connecting points are connected tightly and reliably. No erosion occurs.
Procedure
1. Check the power cables, ground cables, and signal cables in the cabinet.
2. Check whether the power cables of the shelf and related disk arrays are tightly
inserted into the power sockets.
3. Check whether the signal and data cables are firmly inserted to connect the ATAE to the
related disk arrays and switches.
4. Check whether the terminals and captive screws of all ground cables in the cabinet are
connected well. Check whether any erosion occurs.
Exception Handling
NOTICE
• Rectifying cable connection problems may affect services. Estimate the impact before
rectifying cable connection problems.
• Before rectifying cable connection problems, take ESD protection or other measures to
protect personnel and devices.
• If the cables in a cabinet do not meet requirements, replace cable labels or replace the
cables.
• If cable connections are abnormal, rectify the problem based on the site requirements.
When the U2000 server or the U2000 client incurs an emergency or a severe fault (for
example, the power failure of the U2000 server), you need to handle the emergency or severe
fault to minimize the loss.
24.1 Emergency Maintenance of the Server
This section describes the guide to emergency maintenance of the U2000 server. If the U2000
server breaks down, you can use the backup files to restore it. If the system cannot be
restored, install the operating system again.
24.2 Emergency Maintenance of the U2000 Client
This section provides guidance for emergency maintenance of the U2000 client.
25 U2000 Troubleshooting
Collecting Data
When a fault occurs, collect the following data:
• Time and place at which the fault occurred
• Description of the fault
• Measures taken and the results
• Version information
• IP addresses
• Alarm information
• Logs
Logs are categorized into user logs, system logs, and trace files.
• Internal fault locating information
• Database deadlock information
NOTE
You can collect the information for locating faults by using the OSMU. For details, see 22.2.1
Collecting Environment Information.
Locating Faults
This part describes the procedure for locating faults. The collection and analysis of faults help
you know the causes of the faults.
The U2000 system faults are categorized into hardware faults and software faults.
• Hardware faults
Hardware faults are the faults that occur in the U2000 server, client, or other network
devices. The appearance of the hardware and indicators indicate the hardware faults
clearly.
• Software faults
Software faults are the faults that occur in the U2000 software, Linux operating system,
and Oracle or Sybase database.
Handling Faults
This part describes how to handle faults based on different fault causes:
• Hardware faults
Refer to the manuals delivered with the associated hardware.
• Software faults
For details on alarms, see the Help of the U2000 Mobile Element Management System.
For details on faults of software installation, see U2000 Software Installation Guide of
the relevant server type.
For details on the client faults, see the U2000 Online Help.
For details on the server faults, see 26.1 Operations Performed on the Server.
• Linux faults
See the Linux System Administrators Guide.
• Oracle or Sybase database faults
See the Oracle System Administrators Guide or Sybase System Administrators Guide.
The documents can be obtained from the CD-ROM delivered with the server.
• Uncleared faults
For the uncleared faults, collect all the information related to the faults by following
instructions provided in Collecting Data and contact Huawei technical support for
assistance.
Procedure
Step 1 Collect the U2000 site information.
The site information to be collected includes the site name, customer contact details, hardware
model, time when a fault occurs, and fault description.
----End
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
----End
Example
~> date
Thu Jul 28 09:56:39 EDT 2005
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Step 2 Run the ifconfig -a command to obtain the IP address, subnet mask, and MAC address of the
U2000 server.
----End
Example
$ ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.161.94.254 netmask ffffff00 broadcast 10.161.94.255
ether 0:3:ba:12:bb:93
Prerequisites
You have logged in to the U2000 server in SSH mode using PuTTY as user ossuser.
Procedure
Step 1 Run the following command to switch to user root.
~> su - root
Password: Password of root
Step 2 Run the cat /etc/SuSE-release command to collect the version information about the SUSE
Linux operating system.
----End
Example
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (ia64)
VERSION = 11
PATCHLEVEL = 3
Procedure
Step 1 Use PuTTY to log in to the DB board as user oracle in SSH mode.
Step 2 Run the following commands to view the database software and its patch:
oracle@osssvr:~>sqlplus / as SYSDBA
Using the preceding system output as an example, 11.2.0.4.0 indicates the version of the
Oracle database. If the Oracle database version is inconsistent with those described in the
U2000 version mapping table, contact Huawei technical support.
----End
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user dbuser.
1>select @@version
2>go
NOTE
Replace the database server name with the actual name onsite. For details about how to query the actual
database server name, see 26.1.9 Checking the Sybase Database Server Name.
Using the preceding system output as an example, 15.7 indicates the version of the Sybase
database. 23724 indicates the version of the patch that has been installed. If the Sybase
database version and patch are inconsistent with those described in the U2000 version
mapping table, contact Huawei technical support.
----End
Procedure
Step 1 Use PuTTY to log in to the active node in SSH mode as user ossuser.
Step 2 Run the displayVersion -a command to obtain all version information, including the
versions of the U2000, U2000 cold patch, components, and mediation.
----End
Example
~> . /opt/oss/server/svc_profile.sh
~> displayVersion -a
------------------------OSS Version--------------------------
Product Name: iManagerU2000
Version: iManagerU2000V***R***ENGC**SPC***
Release Date: 03/12/12
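The command-line collection steps above (date, ifconfig -a, cat /etc/SuSE-release, displayVersion -a) gathered into one bundle with a SHA-256 manifest, as an added example that is not Huawei tooling or part of the original guide. The function names, output file names and the status.tsv layout are assumptions of this sketch.

```bash
#!/bin/sh
# Added example, not Huawei tooling. File names, the status.tsv layout and the
# function names are assumptions made for this sketch.

# collect_one OUTDIR NAME CMD [ARG...]
# Runs CMD, saves stdout and stderr to OUTDIR/NAME.txt and logs the exit status.
collect_one() {
    local outdir=$1 name=$2 rc=0
    shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        # Record the gap instead of silently producing an incomplete bundle.
        printf '%s\tSKIPPED\t%s\n' "$name" "$*" >> "$outdir/status.tsv"
        return 0
    fi
    "$@" > "$outdir/$name.txt" 2>&1 || rc=$?
    printf '%s\trc=%s\t%s\n' "$name" "$rc" "$*" >> "$outdir/status.tsv"
}

# collect_bundle OUTDIR
# Runs in a subshell so the umask and the sourced profile do not leak into
# the caller's session.
collect_bundle() (
    outdir=$1
    umask 077    # the output holds addresses and version details: owner-only
    mkdir -p "$outdir" || exit 1
    : > "$outdir/status.tsv"
    # displayVersion is on PATH only after the U2000 profile has been loaded.
    if [ -r /opt/oss/server/svc_profile.sh ]; then
        . /opt/oss/server/svc_profile.sh
    fi
    collect_one "$outdir" time        date
    collect_one "$outdir" network     ifconfig -a
    collect_one "$outdir" os_release  cat /etc/SuSE-release
    collect_one "$outdir" oss_version displayVersion -a
    # Hash everything that was written so later changes can be detected.
    cd "$outdir" && sha256sum ./*.txt status.tsv > MANIFEST.sha256
)

# bundle_status OUTDIR NAME
# Prints the recorded result for one item: "rc=<n>" or "SKIPPED".
bundle_status() {
    awk -F '\t' -v name="$2" '$1 == name { print $2 }' "$1/status.tsv"
}

# verify_bundle OUTDIR
# Succeeds only if every file still matches the manifest.
verify_bundle() (
    cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1
)

# Typical use on the server (run as ossuser):
#   collect_bundle "/tmp/u2000_fault_$(date +%Y%m%d%H%M%S)"
```

Run verify_bundle on the receiving side before analysis; a SKIPPED entry in status.tsv means the command was not available on that host and the item still has to be collected by hand.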
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 Choose Service System > U2000 > OSS Management Tool from the navigation tree on the
OSMU. The OSS Management Tool window is displayed.
If the system prompts Security Warning, configure the parameters for the browser by
following instructions provided in 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Step 2 In the OSS Management Tool main window, click Smart Assistant.
Step 3 Choose Trouble Shooting > Trace Collection.
Step 4 Click Help in the upper right corner. Then, perform operations according to the online help on
the Trace Collection tab page.
----End
Prerequisites
You have logged in to the U2000 client.
Procedure
Step 1 Choose System > NE Partition (traditional style); alternatively, double-click Configuration
in Application Center and choose Browser > NE Partition (application style) to navigate to
the NE Partition window.
Step 2 Select a query condition and click Query.
You can query NE partitions by NE partition or NE name.
• Querying NE partitions by NE partition: In the Query Result dialog box, NE
distribution and NE information, such as No, NE Name, NE Version, and Number of
NEs, is displayed. In the Information dialog box, partition information, such as IP
addresses and database instance names, is displayed.
• Querying NE partitions by NE name: In the Query Result dialog box, NE distribution
and NE information, such as No, NE Name, NE Version, and Number of NEs, is
displayed. In the Information dialog box, partition information, such as IP addresses
and database instance names, is displayed.
NOTE
Parameter Description
----End
26 General Operation
Prerequisites
• The operating system has been installed.
• You have contacted Huawei technical support engineers to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Context
For details about how to log in to a board using the KVM of the OSMU, see 26.1.2 Logging
In to the board by Using the KVM of the OSMU.
Procedure
Step 1 Decompress PuTTY.zip. In the decompressed folder, double-click putty.exe. A dialog box is
displayed, as shown in Figure 26-1.
Step 2 In Host Name (or IP address), enter the IP address of the server that you want to log in to.
Step 4 In the Close window on exit: area, select Only on clean exit.
Step 6 When the following information is displayed, enter the user name and press Enter.
login as: osmuuser
NOTICE
• Assume that the user name is osmuuser.
• The operating system is hardened by default during installation. After operating system
hardening is performed, you cannot log in to the server as user root in SSH mode. To
switch to user root, you need to log in to the server as a user other than root and then run
the su - root command. After the system is upgraded to V200R013 or a later version, you
cannot log in to the server as user ftpuser.
Step 7 When the following information is displayed, enter the user password and press Enter.
Password:
----End
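The NOTICE above says that root cannot log in over SSH on a hardened board and that ftpuser cannot log in after the upgrade. The following is an added example, not part of the original guide or Huawei code, that checks both from the defender's side: the sshd setting and the login records. It assumes OpenSSH (`sshd -T` output and the standard "Accepted ... for <user> from <ip>" log message); all sample lines, host names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not Huawei code): confirm that direct SSH logins by restricted
# accounts are disabled in sshd and absent from the login records.

# Constructed sample of `sshd -T` (effective configuration) output.
SAMPLE_SSHD_T='port 22
permitrootlogin no
passwordauthentication yes'

# Constructed sample of syslog lines; host name, PIDs and addresses are made up.
SAMPLE_AUTH_LOG='Aug 30 10:12:01 osmu sshd[4021]: Accepted password for osmuuser from 192.0.2.10 port 51234 ssh2
Aug 30 10:12:09 osmu su: (to root) osmuuser on /dev/pts/0
Aug 30 11:40:37 osmu sshd[4188]: Failed password for root from 192.0.2.77 port 40022 ssh2
Aug 30 11:41:02 osmu sshd[4190]: Accepted publickey for root from 192.0.2.77 port 40031 ssh2
Aug 30 12:03:15 osmu sshd[4302]: Accepted password for ftpuser from 192.0.2.15 port 50110 ssh2'

# Succeeds only when sshd refuses every root login method (PermitRootLogin no).
# Values such as "without-password" still allow key-based root logins.
root_ssh_blocked() {          # stdin: output of `sshd -T`
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) }
         END { exit (v != "no") }'
}

# Print "<user> <source> <month> <day> <time>" for each successful SSH login
# by an account in the space-separated list given as $1.
direct_logins() {             # stdin: syslog lines containing sshd messages
    awk -v users="$1" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) watch[u[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i + 3 <= NF; i++)
                if ($i == "for" && $(i + 2) == "from" && ($(i + 1) in watch)) {
                    print $(i + 1), $(i + 3), $1, $2, $3
                    break
                }
        }'
}

# Run both checks on the samples. On a board, feed `sshd -T` (run as root) and
# the system log that receives sshd messages instead.
if printf '%s\n' "$SAMPLE_SSHD_T" | root_ssh_blocked; then
    echo "sshd: root login over SSH is disabled"
else
    echo "sshd: root login over SSH is still possible"
fi
printf '%s\n' "$SAMPLE_AUTH_LOG" | direct_logins "root ftpuser"
```

Any line printed by `direct_logins` is a login that the hardening should have prevented; the expected pattern is a login as osmuuser followed by `su - root`.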
Prerequisites
• JRE version 1.8.0_45, 1.8.0_51, or 1.8.0_65 has been installed on the PC.
For details about how to check the JRE version, see 26.2.8 Checking the JRE Version
on the PC.
Context
For details about how to log in to a board in SSH mode using PuTTY, see 26.1.1 Logging In
to the Board by Using PuTTY.
After logging in to the boards through the OSMU KVM, you can remotely perform the
following operations:
• Monitor the operating system startup process.
• View the system running information.
• Terminate ongoing applications.
• Restart the operating system.
Procedure
Step 1 Type https://<public IP address of the OSMU server>:30088/osmu in the Address bar of
the browser on the PC and press Enter. Then, log in to the OSMU as user admin.
NOTE
• If the OSMU login window is not displayed after you type the preceding website in the address bar
of the browser and press Enter, perform the following operations:
– If you use Internet Explorer to access the OSMU, perform the operations described in 26.2.1
Setting Internet Explorer. If the problem persists, perform the operations described in
26.1.4 Starting the OSMU Service.
– If the OSMU login window is not displayed after you use Mozilla Firefox to access the
OSMU, perform the operations described in 26.1.4 Starting the OSMU Service.
• If a message indicating that the website is insecure is displayed on the browser after login to the
OSMU, solve the problem by referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Step 2 In the left pane of the OSMU window, expand the Routine Maintenance navigation tree and
select the cabinet and subrack housing the KVM you want to log in to under the KVM node.
Step 3 If a dialog box requiring the user name and password is displayed, enter OS user root of the
SMM board and its password and click OK. Otherwise, skip this step.
NOTE
For SMM board in a version earlier than OSTA2.0 V200R009C00, if the dialog box is not displayed,
you need to close all the opened browser pages and re-log in to the OSMU to select the KVM. You can
view the SMM board version on the device panel. Specifically, right-click the SMM board in the same
subrack as the KVM that you have logged in to and choose SMM Info from the shortcut menu.
Step 4 If a dialog box similar to Security Warning is displayed, configure the dialog box by
referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting Firefox. Otherwise, skip this
step.
Step 5 If a dialog box similar to Application Blocked is displayed, configure the dialog box by
referring to 26.1.35 Setting the KVM. Otherwise, skip this step.
Step 6 Click the board icon to connect to the board that you want to log in to.
NOTE
• Board icons from 0 to 13 correspond to board slots from 1 to 14 in the subrack, respectively. For
example, board icon 0 corresponds to board slot 1.
• The maximum number of boards that can be supported by the KVM depends on the model of the
SMM board. For details about how to query the SMM board model, see Checking the Model of the
Board.
– If the SMM board model is SMMD, you can connect a maximum of 4 boards simultaneously
using the OSMU KVM (including OSMU and OGPU boards).
– If the SMM board model is SMME, you can connect a maximum of 12 boards simultaneously
using the OSMU KVM (including OSMU and OGPU boards).
Step 7 When the boardX tab page is displayed, press Enter. In the command-line interface, log in to
the board using the operating system user and password.
Step 8 To improve system security, you are advised to close the KVM window and browser after the
operation is complete.
----End
Prerequisites
• The PC communicates with the OSMU properly.
• You have obtained the password of the OSMU web user for logging in to the OSMU board.
To learn the initial passwords of users, see Default Users and Initial Passwords.
Procedure
Step 1 Type the following website in the Address bar of the browser on the PC and press Enter.
Then, log in to the OSMU as an OSMU web user.
NOTE
• The OSMU server has a private IP address and a public IP address. When you log in to the OSMU
by using the private IP address of the OSMU server, the PC must be connected to the base network
port on the RTM of the switching board through a network cable. You are advised to log in to the
OSMU by using the private IP address of the OSMU server only in scenarios where the public IP
address of the OSMU server is not set or when a network failure occurs. For details about the IP
address planning of the OSMU server, see 27.3 Default Host Names and IP Addresses of
Boards.
• If the OSMU login window is not displayed after you type the preceding website in the address bar
of the browser and press Enter, perform the following operations:
– If you use Internet Explorer to access the OSMU, perform the operations described in 26.2.1
Setting Internet Explorer. If the problem persists, perform the operations described in
26.1.4 Starting the OSMU Service.
– If the OSMU login window is not displayed after you use Mozilla Firefox to access the
OSMU, perform the operations described in 26.1.4 Starting the OSMU Service.
• If a message indicating that the website is insecure is displayed on the browser after login to the
OSMU, solve the problem by referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting
Firefox.
Step 2 In the left pane of the OSMU, expand the Device Management navigation tree and select a
rack number under the Device Panel node.
Step 3 On the rack tab page in the right, view the device status. Table 26-2 describes the device
states.
Not Configured: The board is inserted into the subrack but the data is not configured.
----End
Prerequisites
You have contacted Huawei technical support to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC. Huawei technical support can quickly
search for the tool package using its name as the keyword after clicking Search by Category
> Tools at http://support.huawei.com.
Procedure
Step 1 Use PuTTY to log in to the OSMU board in SSH mode as osmuuser. For detailed operations,
see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
• When the system displays information similar to the following, the OSMU service has
been started:
Starting OSMU service: done
• When the system displays information similar to the following, the standby OSMU
board is not deployed in the system and the OSMU service is running:
OSMUWatchdog service is running skipped
OSMU service is running skipped
• When the system displays information similar to the following, the standby OSMU
board is deployed in the system and the OSMU service is running on the peer server:
[192.168.128.100](Remote) OSMU service has already running
• When the system displays information similar to the following, the standby OSMU
board is deployed in the system and the OSMU service is running on the current server:
[192.168.128.100](Local) OSMU service has already running
----End
Prerequisites
You have contacted Huawei technical support to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC. Huawei technical support can quickly
search for the tool package using its name as the keyword after clicking Search by Category
> Tools at http://support.huawei.com.
Procedure
Step 1 Use PuTTY to log in to the OSMU board in SSH mode as osmuuser. For detailed operations,
see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root.
~> su - root
• When the following information is displayed, the OSMU service has been stopped:
NOTE
If the standby OSMU board is deployed in the system, the OSMU service has been stopped on the
local server. To stop the OSMU service on the peer server, log in to the peer server to perform this
operation.
OSMUWatchdog service was unused skipped
OSMU service was unused skipped
When the following information is displayed, the OSMU service is stopped successfully.
Stopping OSMU service: done
----End
Prerequisites
• You have obtained the IP address for the OSMU board. For detailed operations, see 27.3
Default Host Names and IP Addresses of Boards.
• You have obtained the passwords for users osmuuser and root of the OSMU. To learn
the initial passwords for users, see 27.1 Default Users and Initial Passwords.
• The communication between the PC and the OSMU board is normal.
Procedure
• Log in to the OSMU server by using a web browser to view the OSMU version.
a. Type the following website in the Address bar of the browser on the PC and press
Enter. Then, log in to the OSMU as an OSMU web user.
https://<public IP address of the OSMU server>:30088/osmu or
https://<private IP address of the OSMU server>:30084/osmu
NOTE
• The OSMU server has a private IP address and a public IP address. When you log in to
the OSMU by using the private IP address of the OSMU server, the PC must be
connected to the base network port on the RTM of the switching board through a
network cable. You are advised to log in to the OSMU by using the private IP address
of the OSMU server only in scenarios where the public IP address of the OSMU server
is not set or when a network failure occurs. For details about the IP address planning of
the OSMU server, see 27.3 Default Host Names and IP Addresses of Boards.
• If the OSMU login window is not displayed after you type the preceding website in the
address bar of the browser and press Enter, perform the following operations:
– If you use Internet Explorer to access the OSMU, perform the operations
described in 26.2.1 Setting Internet Explorer. If the problem persists, perform
the operations described in 26.1.4 Starting the OSMU Service.
– If the OSMU login window is not displayed after you use Mozilla Firefox to
access the OSMU, perform the operations described in 26.1.4 Starting the
OSMU Service.
• If a message indicating that the website is insecure is displayed on the browser after
login to the OSMU, solve the problem by referring to 26.2.1 Setting Internet
Explorer or 26.2.2 Setting Firefox.
b. Click About in the upper right corner of the OSMU GUI, and view the OSMU
version in the displayed dialog box.
• Log in to the OSMU server by using PuTTY to view the OSMU version.
a. Use PuTTY to log in to the OSMU board in SSH mode as user osmuuser.
b. Run the following command to switch to user root.
~> su - root
Password: Password of root
In the system output similar to the preceding information, Version indicates the
OSMU base version, Patch Version indicates the OSMU patch version.
----End
Prerequisites
You have logged in to the OSMU using a web browser. For details, see 26.2.5 Logging In to
the OSMU by Using a Web Browser.
Procedure
• Log in to the OSMU server using a web browser to view the U2000 server version.
a. In the left pane of the OSMU window, expand the Service System navigation tree
and choose Service Management > System Services.
b. Select U2000 system on the right list. Click Query Version. You can view the
version of the system in the displayed dialog box.
c. Click OK. Then the Query Version dialog box is closed.
• Log in to the U2000 server by using PuTTY to view the U2000 version.
For details, see 25.2.7 Obtaining U2000 Version Information.
----End
Prerequisites
• The communication between the PC and the OSMU board or OGPU board is normal.
• The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Procedure
• Log in to the OSMU server by using a web browser to view the OS version of the
OSMU server. For detailed operations, see 22.3.2 Checking Basic Software Versions.
• Use PuTTY to log in to the OSMU or U2000 server in SSH mode.
a. Log in to the board. For details, see 26.1.1 Logging In to the Board by Using PuTTY.
b. Check the version information about the server's OS:
i. Run the following command to view the OS version.
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3
----End
Prerequisites
You have contacted Huawei technical support engineers to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC. Huawei technical support engineers
can quickly search for the tool package using its name as the keyword after clicking Search
by Category > Tools at http://support.huawei.com.
Procedure
Step 1 Use PuTTY to log in to the U2000 DB active node in SSH mode as user dbuser.
Step 2 Run the following command to view the name of the Sybase server:
~> ls /opt/sybase/ASE-15_0 |grep cfg |awk -F'.' '{print $1}' |uniq
In the following command output, the name of the database server is DBSVR1:
DBSVR1
----End
Prerequisites
You have obtained the private IP address for the OSMU board and all OGPU boards of the
ATAE cluster system. For detailed operations, see 27.3 Default Host Names and IP
Addresses of Boards.
Procedure
Step 1 Use PuTTY to log in to the OSMU server in SSH mode as user osmuuser. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root.
~> su - root
Password: Password of root
Step 3 Run the following command to change the OSMU board time to the local standard time.
2013-04-12 16:39:21 is used as an example. Replace it based on actual requirements.
# date -s '2013-04-12 16:39:21'
Step 4 Run the following command to change the OGPU board time to the local standard time.
Log in to all OGPU boards of the ATAE cluster system in SSH mode and change the time in
sequence. In the following example, users log in to No. 2 board whose private IP address is
192.168.128.158 and the time is 2013-04-12 16:39:21. Replace them based on actual
requirements.
# ssh 192.168.128.158
# rcosmu restart
When the system displays the following information, the OSMU service has been started.
Otherwise, contact Huawei technical support.
Starting OSMU service: done
Step 6 Check whether all faulty OGPU boards in the cabinet have been restored. For detailed
operations, see 26.1.3 Viewing Device States by Using the OSMU.
• If the boards have been restored, change the time again to ensure that the time on all boards is the
same. For detailed operations, see 3.10 Changing the Time and Time Zone of the
U2000 Server.
• If the boards have not been restored, contact Huawei technical support.
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
NOTICE
Use this function with caution, because the operating system is forcibly restarted after you click
Generate Kdump Info.
Procedure
Step 1 In the left pane of the OSMU window, expand the Device Management navigation tree and
choose Hardware Device > Board.
Step 2 Select the board that needs to be restarted because the board does not respond or breaks down
from the Board List on the right. Click Generate Kdump Info.
----End
Prerequisites
• You have obtained the IP address of the destination U2000 server.
• The communication between the PC and the destination U2000 server is normal.
• You have obtained the file to be uploaded to the U2000 server and have saved the file to
the PC.
• You have contacted Huawei technical support engineers to obtain FileZilla.zip at
http://support.huawei.com and decompressed it to your PC.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
• You have obtained the user password of the destination U2000 server.
Procedure
Step 1 Double-click filezilla.exe to start the tool.
Step 3 In the lower left area of the Site Manager dialog box, click New Site.
Step 4 On the General tab page, set site parameters by referring to Table 26-3.
Parameter Description
Port: 22
Port 22 is the default port for SFTP transfer.
User, Password: Enter the user name and password of the destination U2000 server. The
user has the permission to access the destination directory.
NOTE
• A user who wants to upload or download files must have the permission to
upload from or download to the destination directory.
• After operating system security hardening is performed, you cannot connect to
the server through SFTP as user root using FileZilla. To connect to the server
through SFTP, you must use a user account other than root, for example, ossuser.
After an upgrade to V200R013 or a later version, you cannot log in to the server as
user ftpuser.
Step 6 In the Remote site area, set the destination directory on the U2000 server.
After you set the directory, the Remote site area displays all files stored in this directory.
Step 7 In the Local site area, set the source directory on the PC.
After you set the directory, the Local site area displays all files stored in this directory.
NOTICE
• The name of the software package consists only of letters, numerals, hyphens,
underscores, and dots. You are not allowed to upload a software package whose name does
not meet the naming convention. Otherwise, the package fails to be identified.
• The available disk space in the partition for saving the uploaded file on the server must be
twice greater than the size of the software package to be uploaded.
Purpose Operation
Upload files: In the Local site area, right-click the file to be uploaded and choose
Upload from the shortcut menu.
Download files: In the Remote site area, right-click the file to be downloaded and choose
Download from the shortcut menu.
NOTE
You can click the Successful transfers or Failed transfers tab to view the upload process. If the upload
or download fails, click the Failed transfers tab in the lower left area of the FileZilla window. Then
right-click the file that fails to be transferred and choose Reset and requeue selected files from the
shortcut menu to resume the file transfer.
Step 9 If the file to be uploaded is a text file in DOS format, perform the following operations to
convert the text file from the DOS format to the ISO format.
NOTE
FileZilla does not convert the text file from the DOS format to the ISO format while uploading.
Therefore, you need to manually convert the text file from the DOS format to the ISO format.
Otherwise, the Solaris or Linux operating system cannot recognize the text file correctly.
1. Use PuTTY to log in to the server as a user who has sufficient rights, for example, user
ossuser.
2. Run the following commands to convert the text file from the DOS format to the ISO
format.
– For the Linux operating system, run the following commands:
cd directory for saving the file
dos2unix -n file name nattemp.txt
cat nattemp.txt > file name
rm nattemp.txt
– For the Solaris operating system, run the following commands:
cd directory for saving the file
dos2unix file name > nattemp.txt
cat nattemp.txt > file name
rm nattemp.txt
----End
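The upload rules in this procedure (package name limited to letters, numerals, hyphens, underscores and dots; free space in the target partition; DOS line endings left in place by FileZilla) can be checked on the server with a short script. This is an added example, not part of the original guide or Huawei code; the function names and the sample package name are hypothetical, and the space rule is read here as "available space greater than twice the package size".

```shell
#!/bin/sh
# Added example (not Huawei code): checks around an SFTP upload to the server.
LC_ALL=C; export LC_ALL      # make the A-Z / a-z ranges below byte-exact

# Name rule from the NOTICE: only letters, numerals, hyphens, underscores, dots.
valid_package_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Space rule from the NOTICE, read as: available > 2 x package size (both in KB).
space_ok() {                 # usage: space_ok <package_kb> <available_kb>
    [ "$2" -gt $(( $1 * 2 )) ]
}

# Available KB in the partition that holds a directory (df -P, column 4).
available_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# True when an uploaded text file still has DOS (CRLF) line endings.
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# Gate to run before the transfer: prints the reason and fails on the first
# rule that is not met.
check_upload() {             # usage: check_upload <name> <size_kb> <target_dir>
    valid_package_name "$1" || { echo "reject: name not allowed: $1"; return 1; }
    avail=$(available_kb "$3")
    case "$avail" in
        ''|*[!0-9]*) echo "reject: cannot read free space of $3"; return 1 ;;
    esac
    space_ok "$2" "$avail" || { echo "reject: less than 2 x ${2} KB free in $3"; return 1; }
    echo "ok: $1 (${2} KB) fits in $3 (${avail} KB free)"
}

# Constructed sample calls; the package names are made up.
check_upload "example_pkg-1.0.tar.gz" 1024 /tmp || true
check_upload "example pkg;v1.zip" 1024 /tmp || true
```

After the upload, `has_crlf <file>` tells you whether the dos2unix conversion in Step 9 is still needed for a text file.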
Context
The reasons for data backup failures are as follows:
• The OSMU server does not have a backup disk array or the available disk space in the
disk array is insufficient. Handle the problem by following instructions provided in Step
1.
• The trust relationship is not configured between the OSMU board and the board for data
backup. Handle the problem by following instructions provided in Step 3.
• The board for data backup is not in the Normal or Standby state. For details about how
to check the board status, see 4.1 Checking the U2000 Service Status.
• The board for data restoration is not in the Normal or Standby state. For details about
how to check the board status, see 4.1 Checking the U2000 Service Status.
Procedure
Step 1 Check the backup disk array of the OSMU server.
1. Use PuTTY to log in to the OSMU board in SSH mode as user osmuuser. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
# df -h
Step 2 Check the disk space of the board for data restoration.
1. Use PuTTY to log in to the board for data restoration in SSH mode as user ossuser. For
detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
# df -h
Check whether any value in the Use% column is 100%. If any value is 100%, remove
the expired or trash files from the corresponding partition to ensure that the space usage
is less than 95%.
Step 3 Check whether the trust relationship is configured between the OSMU board and a service
board.
1. Use PuTTY to log in to the OSMU board in SSH mode as user osmuuser. For detailed
operations, see 26.1.1 Logging In to the Board by Using PuTTY.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
If the login is successful, the trust relationship is configured. Otherwise, the trust
relationship is not configured. When this occurs, contact Huawei technical support.
----End
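The Use% check in Step 2 can be scripted so that it gives the same answer every time. This is an added example, not part of the original guide or Huawei code: it reads `df -P` output (the POSIX one-line-per-filesystem format, easier to parse than `df -h`) and applies the two thresholds named in the step. The device names and sizes in the sample are constructed.

```shell
#!/bin/sh
# Added example (not Huawei code): classify partitions from `df -P` output on stdin.
# 100% is the failure condition named in the procedure; below 95% is its cleanup target.

# Constructed sample of `df -P` output.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda2 20641404 20641404 0 100% /
/dev/sda5 51606140 49541894 2064246 96% /opt
/dev/sdb1 103212320 41284928 61927392 40% /export/home'

# Print "<state> <use>% <mount point>" per partition: FULL, CLEANUP or OK.
classify_df() {
    awk 'NR > 1 {
        use = $5
        sub(/%$/, "", use)
        if (use !~ /^[0-9]+$/) next                      # not a data row
        mount = $6
        for (i = 7; i <= NF; i++) mount = mount " " $i   # mount points may contain spaces
        if (use + 0 >= 100)     state = "FULL"
        else if (use + 0 >= 95) state = "CLEANUP"
        else                    state = "OK"
        print state, use "%", mount
    }'
}

# Succeeds only when every partition is below the 95% cleanup target.
backup_space_ready() {
    ! classify_df | grep -Eq '^(FULL|CLEANUP) '
}

# Run on the sample. On a board, use:  df -P | classify_df
printf '%s\n' "$SAMPLE_DF" | classify_df
if printf '%s\n' "$SAMPLE_DF" | backup_space_ready; then
    echo "disk space is sufficient"
else
    echo "clean up the partitions marked FULL or CLEANUP first"
fi
```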
Context
You can use any of the following methods to check the server disk space:
• View the information output area at the bottom of the U2000 client window. If the disk
partition usage reaches the threshold, you need to clean up the disk space immediately.
• View the disk partition usage in the Hard Disk Monitoring window on the U2000
client.
• Run the df -k command to check the disk partition usage.
Procedure
• If the system notifies you of the high disk space usage of the partition where the /data
directory is saved, do not delete or transfer any files. In this case, contact Huawei
technical support for assistance.
• If the system notifies you of the high disk space usage of the /export/home partition, see
12.3 Clearing the Disk Space of the U2000 Server to troubleshoot.
• If the system notifies you of the high disk space usage of the root partition / or /opt,
perform the following operations:
a. Use PuTTY to log in to the U2000 server in SSH mode as user ossuser. For details,
see 26.1.1 Logging In to the Board by Using PuTTY.
b. Run the following command to switch to user root.
~> su - root
Password: Password of root
For details about how to use the FileZilla tool, see 26.1.12 Transferring Files by
Using FileZilla. The configuration information required for transferring the files is
as follows:
▪ User and password: ossuser user and its password
▪ Directory of files on the server: /tmp
e. Send the collected results to Huawei technical support.
----End
Procedure
Step 1 Stop U2000 services.
For details, see 4.6 Stopping U2000 Services.
Step 2 Restart database services.
1. For details about how to stop database services, see 4.4 Stopping the Database Service.
2. For details about how to start database services, see 4.3 Starting the Database Service.
Step 3 In the navigation tree in the left pane, choose Device Management > Hardware Device >
Board.
Step 4 Query the slot number of the U2000 master server.
View and record the slot number of the board whose System is U2000 and Subsystem
contains BASE on the Board tab page in the right pane. This board serves as the U2000
master server.
Step 5 Log in to the U2000 master server using the KVM of the OSMU as user root. For details, see
26.1.2 Logging In to the board by Using the KVM of the OSMU.
Step 6 In the command line window, run the following commands to uninstall the U2000 server
software.
# . /opt/oss/server/svc_profile.sh
# /opt/oss/server/rancn/CBB/engineering/uninstall/uninstall_OSS_slt.sh -t all
Step 7 When the system displays the following information, enter Y to start uninstalling the U2000
server software.
Do you really want to uninstall U2000 server? [Y/N]:
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
NOTICE
This operation is allowed only when the Veritas Cluster Server (VCS) software has been
installed.
Procedure
• Perform operations by scenario.
Scenario: View the VCS resource status by board
1. Choose Service System > Service Management > Board
Services from the navigation tree on the left.
2. In the board list in the right pane, select the board whose cluster
resource status you want to view, and click View Resource
Status. Then, view the cluster resource status in the displayed
Query Board Resource dialog box.
NOTE
The cluster resource status of boards is updated every 30 seconds.
3. Click OK. The Query Board Resource dialog box is closed.
----End
Procedure
Step 1 Use PuTTY to log in to the master node in SSH mode as user ossuser.
Step 2 Run the following command to check the license of the Veritas:
– In the system output, if the value of License Type corresponding to both VERITAS
Cluster Server and VERITAS Volume Manager is PERMANENT, the license of the
Veritas is permanent and the following operations are not required.
– If the system displays no command output, the commercial license is not installed:
▪ If the commercial license can be obtained and installed within a short time,
perform Step 3 to install the commercial license of the Veritas.
NOTICE
Before the commercial license is installed successfully, do not restart the
server or the VCS service. Otherwise, the VCS service will not run properly.
▪ If the commercial license cannot be obtained and installed within a short time,
run the following command to recover the temporary license.
# vxkeyless set SFHASTD
When the following information is displayed, type y and press Enter.
Continue (y/n)? y
Run the following command to check whether the temporary license has taken effect.
# vxkeyless display
If the system displays SFHASTD, the temporary license is in effect;
otherwise, contact Huawei technical support engineers.
NOTICE
You must apply for and install the Veritas commercial license in a timely manner.
Otherwise, legal disputes with third-party companies may arise.
----End
Prerequisites
• A serial cable or a network cable is available. One end of the serial cable uses the RJ45
connector and the other end uses the DB9 connector.
• A PC is available.
• The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
• The subrack housing the SMM board has been powered on. For details, see 1.1
Powering On the System in U2000 ATAE Cluster System Administrator Guide.
• You have obtained the password for user root of the SMM board. To learn the initial
passwords for users, see Default Users and Initial Passwords.
Procedure
• (Recommended) Connect the PC and the SMM board using a network cable.
a. Connect the ETH0 network interface on the SMM board and the network interface
on the PC using a network cable. Figure 26-4 shows the position of the ETH0
network interface on the SMM board.
b. The private IP address of the ETH0 network interface on the SMM board is
192.168.255.87 or 192.168.255.88 and the subnet mask is 255.255.255.0. Set the IP
address and subnet mask of the PC to 192.168.255.100 and 255.255.255.0 to ensure
that the IP address of the PC and the private IP address of the ETH0 network
interface on the SMM board are on the same network segment.
c. Choose Start > Run on the PC. In the displayed Run window, enter the cmd
command and press Enter.
d. Run the following command to test and record the private IP address of the SMM
board that can be pinged:
ping private IP address of the ETH0 network interface on the SMM board
e. Log in to the SMM board by using PuTTY.
i. Double-click putty.exe to start PuTTY.
ii. Enter the private IP address of the SMM board in Host Name (or IP address).
iii. Select SSH in the Connection type field.
iv. In the Close window on exit: field, select Only on clean exit and click Open.
If the PuTTY Security Alert interface is displayed, click Yes.
v. When login as: is displayed, type the user name root and press Enter.
vi. When the system displays root@<private IP address of the SMM
board>'s password:, type the password for user root and press Enter to
log in to the SMM board.
When the system displays # , the login is successful.
• Connect the PC and the SMM board using a serial cable.
a. Use the serial cable to connect the serial port of the SMM board to that of the PC.
One end of the serial cable is an RJ45 connector that is connected to the serial port
of the SMM board (COM), as shown in Figure 26-4. The other end is a DB9
connector that is connected to the serial port of the PC (COM1 or COM2).
After the PC and the SMM board are connected, the physical connection between
the PC and the SMM board is set up.
b. Connect the SMM board through a serial port by using PuTTY.
i. Double-click putty.exe to start PuTTY.
ii. Choose Connection > Serial from the navigation tree in the left pane on
PuTTY. A dialog box for setting the serial port connection parameters is
displayed.
iii. In the dialog box, set the serial port connection parameters by referring to
Table 26-4.
Serial line to connect to: Specify a serial port, for example, COM1, for the PC
terminal to connect to the SMM board.
NOTE
The PC may contain several serial ports, and you can check
the name and number of the serial port by performing the
following procedures:
On a PC running on Windows 7 operating system, choose
Control Panel and locate Device Manager. In the displayed
Device Manager, choose Port to check the name and number
of the serial port.
Speed: 115200
Data bits: 8
Stop bits: 1
Parity: None
iv. Choose Session from the navigation tree in the left pane. In the right pane,
choose Serial, and click Open.
c. Log in to the SMM board as user root.
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0502020)
Linux/ppc 2.6.10_mvl401-8272ads
SMM login:
Password:
----End
26.1.19 Viewing and Setting the IP Addresses for the SMM Board
This section describes how to view and set the IP addresses for the SMM board by logging in
to the SMM board.
Prerequisites
• The subrack housing the SMM board whose IP addresses need to be changed has been
powered on. For details, see 1.1 Powering On the System in U2000 ATAE Cluster
System Administrator Guide.
• You have obtained the password for user root of the SMM board. To learn the initial
passwords for users, see Default Users and Initial Passwords.
NOTICE
The default IP addresses for SMM board network interfaces in all ATAE subracks are the
same. When you need to install multiple ATAE subracks in one cabinet, you need to power on
the subracks and then immediately change the IP addresses for the SMM board to avoid IP
address conflicts.
Context
For details about the planned default IP addresses of SMM boards, see Table 26-5.
NOTE
• When an EPS is newly added, the IP address of the maintenance plane in the MPS
may have been changed, that is, the first two fields of the IP address may have been changed. If this
occurs, you must change the first two fields 192.168 of the default SMM board IP address for the
EPS to the current values of the first two fields of the IP address for the MPS.
• When an EPS is newly added and the subnet mask of the maintenance plane in the MPS
has been changed, set the subnet mask of the maintenance plane for the SMM boards in
the new EPS to be the same as that in the MPS.
Procedure
Step 1 Connect the PC and the SMM board. For details, see 26.1.18 Connecting the PC and SMM Board.
Step 2 Run the following command to check the active and standby status of the SMM board that
you have logged in to:
# smmget -l smm -d redundancy
The Redundancy States of SMMs:
SMM1: Present(active)*
SMM2: Present(standby)
* = The SMM you are currently logged into.
In system output similar to the preceding information, * indicates the SMM board that you
have logged in to. Present(active) indicates the active SMM board, and Present(standby)
indicates the standby SMM board.
• If the SMM board that you have logged in to is the active SMM board, perform Step 3.
• If the SMM board that you have logged in to is the standby SMM board, perform Step 4.
Step 3 The SMM board that you have logged in to is the active SMM board.
1. Run the following command to check whether vbond0 of the SMM board is configured
successfully and whether its physical IP address is consistent with the plan:
For details about the planned default IP addresses of SMM boards, see Table 26-5.
# ifconfig vbond0
– If the system displays information similar to the following, the vbond0 Ethernet
port has not been configured. Perform Step 3.2.
vbond0: error fetching interface information: Device not found
– If the system displays information similar to the following, the vbond0 Ethernet
port has been configured. If the displayed IP address is consistent with the plan, do
not perform Step 3.2; if the displayed IP address is inconsistent with the plan,
perform Step 3.2.
vbond0 Link encap:Ethernet HWaddr 00:18:82:B0:A7:34
inet addr:192.168.128.23 Bcast:192.168.135.255 Mask:255.255.248.0
UP BROADCAST RUNNING MASTER MTU:1500 Metric:1
RX packets:2458561 errors:0 dropped:0 overruns:0 frame:0
TX packets:2149006 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:227733989 (217.1 MiB) TX bytes:371623257 (354.4 MiB)
2. Run the following command to change the physical IP address, subnet mask, and
gateway of vbond0 on the current SMM board to ensure that they are consistent with the
plan.
NOTE
To view and change the physical IP address for vbond0 on an SMM board, you need to log in to
the SMM board.
# smmset -l smm -t vbond0 -d staticip -v physical IP address for vbond0 on the SMM board subnet mask broadcast address
When the preceding information is displayed, type y to confirm the change. When the
following information is displayed, the physical IP address for vbond0 on the current
SMM board has been changed successfully.
Success
3. Run the following command to view the logical IP address for vbond0 on the two SMM
boards.
NOTE
The network interfaces vbond0 on the two SMM boards in a subrack work in active/standby
mode. You can only log in to the active SMM board to view and change the logical IP address.
# smmget -l smm -t vbond0 -d floatip
– If the system displays information similar to the following, the logical IP address
for vbond0 on the two SMM boards has not been set. Then, perform Step 3.4.
IP address does not exist.
– If the system displays information similar to the following, the logical IP address
for vbond0 on the two SMM boards has been set. If the displayed IP address is
consistent with the plan, do not perform Step 3.4; if the displayed IP address is
inconsistent with the plan, perform Step 3.4.
Ip address : 192.168.128.25
Mask : 255.255.248.0
Broadcast address : 192.168.135.255
4. Run the following command to change the logical IP address, subnet mask, and gateway
for vbond0 on the two SMM boards and ensure that they are consistent with the plan:
# smmset -l smm -t vbond0 -d floatip -v logical IP address for vbond0 on the SMM board subnet mask broadcast address
5. Repeat Step 1 through Step 2 to connect the SMM boards in all ATAE subracks until the
physical IP addresses, logical IP addresses, subnet masks, and gateways for vbond0 on
all SMM boards have been changed by referring to Table 26-5.
Step 4 The SMM board that you have logged in to is the standby SMM board.
1. Run the following command to check whether vbond0 of the SMM board is configured
successfully and whether its physical IP address is consistent with the plan:
For details about the planned default IP addresses of SMM boards, see Table 26-5.
# ifconfig vbond0
– If the system displays information similar to the following, the vbond0 Ethernet
port has not been configured. Perform Step 4.2.
vbond0: error fetching interface information: Device not found
– If the system displays information similar to the following, the vbond0 Ethernet
port has been configured. If the displayed IP address is consistent with the plan, do
not perform Step 4.2; if the displayed IP address is inconsistent with the plan,
perform Step 4.2.
vbond0 Link encap:Ethernet HWaddr 00:18:82:B0:A7:34
inet addr:192.168.128.23 Bcast:192.168.135.255 Mask:255.255.248.0
UP BROADCAST RUNNING MASTER MTU:1500 Metric:1
RX packets:2458561 errors:0 dropped:0 overruns:0 frame:0
TX packets:2149006 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:227733989 (217.1 MiB) TX bytes:371623257 (354.4 MiB)
2. Run the following command to change the physical IP address, subnet mask, and
gateway of vbond0 on the current SMM board to ensure that they are consistent with the
plan.
NOTE
To view and change the physical IP address for vbond0 on an SMM board, you need to log in to
the SMM board.
# smmset -l smm -t vbond0 -d staticip -v physical IP address for vbond0 on the SMM board subnet mask broadcast address
When the preceding information is displayed, type y to confirm the change. When the
following information is displayed, the physical IP address for vbond0 on the current
SMM board has been changed successfully.
Success
3. Repeat Step 1 through Step 2 to connect the SMM boards in all ATAE subracks until the
physical IP addresses, logical IP addresses, subnet masks, and gateways for vbond0 on
all SMM boards have been changed by referring to Table 26-5.
----End
Prerequisites
You have contacted Huawei technical support engineers to obtain PuTTY.zip at
http://support.huawei.com and decompressed it to your PC. Huawei technical support engineers
can quickly search for the tool package using its name as the keyword after clicking Search
by Category > Tools at http://support.huawei.com.
Context
NOTICE
• Using this method, only the NE mediation of a certain version and its patches are
uninstalled. The uninstallation does not affect the use of mediations of other versions or
history traffic statistics.
• Before uninstallation, you must be familiar with the uninstallation procedure and strictly
perform the uninstallation operation in accordance with the procedure described in the
guide.
• During uninstallation, run a command and wait until the system responds with a
message, indicating that the command is successfully executed.
• When a switchover from a slave server to the standby server is triggered, the
uninstallation of the mediation application is not supported.
Procedure
Step 1 Delete the NE instances mapping the NE mediation to be uninstalled from the U2000 client.
Step 2 Use PuTTY to log in to the master node in SSH mode as user ossuser. Run the following
command to set the operating environment of the U2000:
~> . /opt/oss/server/svc_profile.sh
Step 3 Run the following command to check whether the NE mediation is installed:
~> displayVersion -ne NE type
• If the system output contains the previous information, the NE mediation is installed.
Then, proceed to Step 4.
• If the system output does not contain the previous information, the NE mediation is not
installed. You do not need to perform the uninstallation.
Step 4 Stop U2000 services. For detailed operations, see 4.6 Stopping U2000 Services.
Step 5 Run the following commands to uninstall the mediation:
~> cd /opt/oss/server/med/CBTS3601CNE/iManagerOSS_CBTS3601C_MATCH_ENG_V200R007C05SPC001
~> uninstallmed.sh
When the system displays the following information, type y, and press Enter:
the Uninstall NE Type is : CBTS3601C
the Uninstall NE Version is : iManagerOSS_CBTS3601C_MATCH_ENG_V200R007C05SPC001
the OSS environment variable is : /opt/oss/server
Are you sure to continue? [y/n] y
NOTE
Step 6 Start U2000 services. For detailed operations, see 4.5 Starting U2000 Services.
----End
Prerequisites
You have logged in to the OSMU through a web browser. For details, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Procedure
Step 1 In the navigation tree in the left pane, choose Service System > U2000 > OSS Management
Tool.
If the system prompts Security Warning, configure the parameters according to the browser
by referring to 26.2.1 Setting Internet Explorer or 26.2.2 Setting Firefox.
Step 3 Choose Mediation Package Management from the navigation tree in the left pane. The page
for managing mediation software is displayed.
Step 4 Click the Mediation Installation tab in the right pane. The tab page for installing mediation
software is displayed.
Step 5 Click the mediation software to be uninstalled in the Installed Mediation area, and click
Uninstall.
The mediation software can be uninstalled in batches. You can select multiple pieces of
mediation software for batch uninstallation.
Step 6 In the displayed dialog box, the mediation software to be uninstalled is displayed. If the
displayed information is correct, click OK.
NOTICE
• Ensure that you have deleted from the U2000 client the NE instances matching the NE
mediation to be uninstalled.
• When uninstalling a mediation, the OSMU will automatically stop and start the U2000
services. It takes about 15 to 20 minutes to stop and start the U2000 services, depending
on the actual environment.
• It takes about 3 to 10 minutes to uninstall a mediation (excluding the time on starting and
stopping the U2000 services).
During the uninstallation, you can view the uninstallation process in the Mediation
Uninstallation Log area. If error or fail exists in the uninstallation log, contact Huawei
technical support.
Step 8 After the mediation software is uninstalled, the system displays a dialog box, indicating that
the installation is successful. Click OK.
After the uninstallation is complete, click Download to download the log file to check
whether the mediation software has been uninstalled successfully. If error or fail exists in the
uninstallation log, contact Huawei technical support.
NOTE
You can click Clear to clear uninstallation information in the Mediation Uninstallation Log area.
When you perform this operation, the historical records in the uninstallation log are not deleted. To view
historical records in the uninstallation log, navigate to the
/opt/oss/server/var/logs/mediation/med_uninstall.log file.
----End
Prerequisites
You have logged in to the master node in SSH mode using PuTTY as user ossuser.
Context
The services listed in Table 26-6 are disabled by default. You can start the services as
required. Table 26-6 describes the configuration files of each service.
NOTICE
• The NGNNIService is dependent on the NGNFullFillService and the FNLicenseService.
To use the service provisioning function of the TL1 NBI, you need to enable the
NGNNIService, NGNFullFillService, and FNLicenseService manually at the same time.
For details about how to start the NGNNIService, see U2000 TL1 NBI User Guide.
• The NGNNI112Service is dependent on the NGNTestManageService and the
FNLicenseService. To use the 112 NBI test management function of a fixed network
device, you need to enable the NGNNI112Service, NGNTestManageService, and
FNLicenseService manually at the same time. For details about how to start the
NGNNI112Service, see U2000 Line Test NBI User Guide.
• The SyslogCollectorDM service on the U2000 and the syslog service in the SUSE Linux
operating system both collect information through port 514. The two services cannot be used
concurrently. Before enabling the SyslogCollectorDM service, see 26.1.25 Solving the
Problem of the Port for the U2000 SyslogCollectorDM Service and the syslog Service
Conflicts and disable the syslog service in the SUSE Linux operating system.
Procedure
• Run the following command to start the service that is disabled.
~> . /opt/oss/server/svc_profile.sh
For example:
----End
Context
• The NE LMT must be installed on the U2000 client PC.
• ACL rules must be configured on both the NEs and U2000 client. If you configure ACL
rules only on the NEs or U2000 client, connections between the NEs and the U2000
cannot be set up.
– The ACL rule configuration file for NEs is named acl_ne_rule.cfg and is saved in
the /opt/oss/server/etc/porttrunking directory.
– The ACL rule configuration file for the U2000 client must be set on the U2000
client GUI.
• Configure the IP addresses and ports in the ACL rule configuration file to limit the NEs
that a user can access. The configured ACL rules take effect for new proxy connections
but do not take effect for proxy connections that have been set up. To apply the
configured ACL rules for proxy connections that have been set up, close and set up the
connections again.
• If the networking includes gateway devices such as the Network Address Translation
(NAT) device, and NEs are located on the internal NAT network, you must set IP
addresses in ACL rule configuration files to IP addresses that are stored on the NAT
device and can be connected to by the U2000 server. Do not set IP addresses to internal
network IP addresses to which NEs are bound.
NOTICE
Configuring IP addresses on the NAT device may pose security risks. Assess
networking security before the configuration.
• If the BSC6000 LMT requires access to NEs through the U2000, the ports used when
you configure the ACL for the PortTrunking service are described in Table 26-7.
• To start the LMT of the CGPOMU through the U2000 proxy, the ACL must be
configured for PortTrunking service. The ports listed in Table 26-8 are used.
| NE | Port ID | Description |
| CGPOMU | 9101 and 11101 (SSL) | These ports are used to connect the LMT to the OMU. 9101 is the ID of an ordinary port. 11101 is the ID of an encrypted port using SSL. |
| | 2198 and 2199 | The ports are control port and data port used for KVM over IP function on the WEBUI. |
| | 9095 and 9443 (SSL) | The ports are provided for the update of the LMT. 9095 is the ID of an ordinary port. 9443 is the ID of an encrypted port using SSL. |
• To remotely upgrade the LMT of the MSC Server, MSCe, or SOFTX3000 through the
U2000 proxy, the ACL must be configured for PortTrunking service. The ports listed in
Table 26-9 are used.
Table 26-9 MSC Server, MSCe, and SOFTX3000 LMT port description
| Port ID | Description |
| 1024 to 65535 | This is an FTP data port, used to upgrade LMTs remotely. The supported port ID range is too wide. Before configuring the PortTrunking ACL, run the SET FTPSSRV command to set the port ID range as required on the MML command client. |
• To use remote SSH functions of the SBC, SE2600, SVN, CX600, ViewPoint, MAG9811
and Eudemon, the ACL must be configured for PortTrunking service. Port 22 is
used.
• To use remote SSH functions of the VNF, the ACL must be configured for PortTrunking
service. Port 6000 is used.
Procedure
Step 1 Use PuTTY to log in to the master server in SSH mode as user ossuser.
For details, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to write the IP address and port to the rule file:
~> cd /opt/oss/server/etc/porttrunking
NOTE
Step 3 To add other IP addresses or ports to the rule file, repeat Step 2.
Step 4 Perform the following steps to add the information about the PC where the U2000 client is
installed to Proxy Service ACL.
1. Log in to the U2000 client and choose Security > Proxy Service ACL (traditional
style); alternatively, double-click Security Management in Application Center and
choose OSS Security > Settings > Proxy Service ACL (application style).
2. In the Proxy Service ACL dialog box, click Add.
3. In the Add Access Control Item dialog box, configure IP Address or Network
Segment for the PC where the U2000 client is installed, set Operation to Accept, and
click OK.
NOTE
If IP Address or Network Segment is set to 0.0.0.0/0 in the access control list and Operation is
set to Accept, the clients on all network segments can access NEs.
----End
Follow-up Procedure
After you connect to NEs from a client by using the PortTrunking service and perform
required operations, manually delete rules that you have written in the ACL configuration
files to prevent other users from connecting to the NEs based on the rules.
1. Use PuTTY to log in to the master server in SSH mode as user ossuser.
2. Run the following command to delete the IP address and port from the rule file:
~> cd /opt/oss/server/etc/porttrunking
~> sed '/10.146.60.53\/23,22|80|9990-9995,A/d' acl_ne_rule.cfg > acl_ne_rule.cfg.bak
~> cp acl_ne_rule.cfg.bak acl_ne_rule.cfg
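The cleanup described above, as an added example that is not part of the original guide: a helper that removes a rule by exact whole-line match, plus a check that lists over-broad rules (prefix length 0, or a port range as wide as the 1024 to 65535 case mentioned earlier). It assumes one rule per line in the form seen in the sed command (address/prefix,ports,action); the function names, the 100-port threshold and the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not the guide's own tooling. Assumes one rule per line in the
# form used by the sed command above: <address>/<prefix>,<ports>,<action>

# acl_remove_rule FILE RULE
# Delete the line that is exactly RULE. Returns 0 if removed, 1 if RULE is not
# in FILE, 2 on error. The previous content is kept as FILE.bak.
acl_remove_rule() {
    _file=$1
    _rule=$2
    [ -f "$_file" ] || { echo "no such file: $_file" >&2; return 2; }
    # -F fixed string, -x whole line: the dots are not regex wildcards, and a
    # longer rule such as "110.146.60.53/..." is not treated as the same rule
    # (the unanchored sed pattern would delete that line as well).
    if ! grep -qFx -- "$_rule" "$_file"; then
        echo "rule not present: $_rule" >&2
        return 1
    fi
    _tmp=$(mktemp "${_file}.XXXXXX") || return 2
    _rc=0
    # grep -v exits 1 when no line is left to print; only >1 is a real error
    grep -vFx -- "$_rule" "$_file" > "$_tmp" || _rc=$?
    if [ "$_rc" -gt 1 ]; then rm -f "$_tmp"; return 2; fi
    cp -p "$_file" "${_file}.bak" || { rm -f "$_tmp"; return 2; }
    # Writing through the existing file keeps its owner and mode
    cat "$_tmp" > "$_file" || { rm -f "$_tmp"; return 2; }
    rm -f "$_tmp"
}

# acl_wide_rules FILE [MAX_SPAN]
# Print rules whose prefix length is 0 or that contain a port range wider
# than MAX_SPAN ports (default 100, a constructed threshold).
acl_wide_rules() {
    awk -F, -v max="${2:-100}" '
        NF != 3 { next }                      # not a rule line
        {
            wide = ($1 ~ /\/0$/)              # prefix length 0 = every address
            n = split($2, ports, "|")
            for (i = 1; i <= n; i++)
                if (split(ports[i], r, "-") == 2 && r[2] - r[1] + 1 > max)
                    wide = 1
            if (wide) print
        }' "$1"
}

# Demo on a constructed rule file
acl_demo() {
    _d=$(mktemp -d) || return 2
    printf '%s\n' \
        '10.146.60.53/23,22|80|9990-9995,A' \
        '110.146.60.53/23,22|80|9990-9995,A' \
        '10.20.0.0/16,1024-65535,A' \
        '0.0.0.0/0,22,A' > "$_d/acl_ne_rule.cfg"
    echo "over-broad rules:"
    acl_wide_rules "$_d/acl_ne_rule.cfg"
    acl_remove_rule "$_d/acl_ne_rule.cfg" '10.146.60.53/23,22|80|9990-9995,A'
    echo "rules left after cleanup:"
    cat "$_d/acl_ne_rule.cfg"
    rm -rf "$_d"
}
acl_demo
```

On the server the file argument would be /opt/oss/server/etc/porttrunking/acl_ne_rule.cfg, run as user ossuser.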
NOTE
Procedure
Step 1 Use PuTTY to log in to the master server as user ossuser in SSH mode. For details, see 26.1.1
Logging In to the Board by Using PuTTY.
Step 2 Run the following command to set the U2000 environment variables:
~> . /opt/oss/server/svc_profile.sh
Step 3 Run commands according to the following table to switch the LMT login mode.
• When the system displays the following information, the LMT login mode has been
switched:
Success !
• When the system displays information different from the preceding information, contact
Huawei technical support.
----End
Context
To ensure that the NE logs are properly displayed on the U2000 client, disable the function for
receiving remote logs for the syslog service on the operating system, so that the U2000
SyslogCollectorDM service, instead of the OS, receives the remote logs. Perform the following
operations on the nodes where the SyslogCollectorDM service has been deployed to ensure
that UDP port 514 is not used by the OS.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
Step 4 Run the following command to enable the U2000 SyslogCollectorDM service:
# svc_adm -cmd enable -svcname SyslogCollectorDM
• If the SyslogCollectorDM service is started, the problem is not caused by the port
conflict. The procedure ends.
• If the SyslogCollectorDM service is not started, perform Step 5.
Step 5 Run the following command to view the usage of port UDP 514:
# lsof -i:514
If the following information is displayed, port UDP 514 has been occupied by the syslog
service of the OS:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 8786 root 5u IPv4 8511952 UDP *:syslog
Step 6 Disable the syslog service function for receiving remote logs in the operating system.
1. Run the following command to stop the syslog service on the OS:
# service syslog stop
2. Run vi to modify the syslog-ng.conf file in /etc/syslog-ng.
Comment out the udp(ip("0.0.0.0") port(514)); line. Run :wq! to save the
file and exit.
unix-dgram("/dev/log");
#
# uncomment to process log messages from network:
#
# udp(ip("0.0.0.0") port(514));
Step 7 Run the following command to check whether the U2000 SyslogCollectorDM service is
running.
# svc_adm -cmd status
If the service is not running, run the following command to start the SyslogCollectorDM
service:
# svc_adm -cmd startsvc SyslogCollectorDM
Step 8 Run the following command to view the usage of port UDP 514 again:
# lsof -i:514
If the following information is displayed, the U2000 SyslogCollectorDM service has occupied
this port.
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
SyslogCol 11101 root 31u IPv4 8519207 UDP *:syslog
----End
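A check for the state this procedure aims at, as an added example that is not part of the original guide: it tests whether syslog-ng.conf still has an active udp source on port 514 and reads `lsof -i:514` output to see which process holds the port. The function names are hypothetical, and the sample configuration is constructed; the lsof lines are those shown in Step 5 and Step 8.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# syslogng_udp514_active CONF
# Succeeds if CONF has an uncommented udp(... port(514)) source, that is,
# the OS syslog service would bind UDP 514 again on its next start.
syslogng_udp514_active() {
    grep -Eq '^[[:space:]]*udp[[:space:]]*\(.*port[[:space:]]*\([[:space:]]*514[[:space:]]*\)' "$1"
}

# udp514_owner
# Read "lsof -i:514" output on stdin and print the COMMAND column of every
# UDP entry whose NAME column ends in ":syslog" or ":514".
udp514_owner() {
    awk '$NF ~ /:(syslog|514)$/ {
            for (i = 1; i < NF; i++)
                if ($i == "UDP") { print $1; break }
        }'
}

# port514_verdict CONF   (lsof output on stdin)
# lsof shortens command names, so the collector appears as "SyslogCol",
# as in the Step 8 output.
port514_verdict() {
    _owner=$(udp514_owner | sort -u | tr '\n' ' ')
    _owner=${_owner% }
    if syslogng_udp514_active "$1"; then
        echo "conflict: syslog-ng.conf still enables udp port 514 (holder: ${_owner:-none})"
    elif [ "$_owner" = "SyslogCol" ]; then
        echo "ok: SyslogCollectorDM holds UDP 514"
    else
        echo "check: UDP 514 holder is ${_owner:-none}"
    fi
}

# Demo on constructed input: the udp line has not been commented out yet
demo_conf=$(mktemp)
printf '%s\n' 'unix-dgram("/dev/log");' 'udp(ip("0.0.0.0") port(514));' > "$demo_conf"
echo 'syslog-ng 8786 root 5u IPv4 8511952 UDP *:syslog' | port514_verdict "$demo_conf"
rm -f "$demo_conf"
```

On the server, run it as `lsof -i:514 | port514_verdict /etc/syslog-ng/syslog-ng.conf`.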
Prerequisites
You have obtained the private IP address of the board. For detailed operations, see 27.3
Default Host Names and IP Addresses of Boards.
Procedure
Step 1 Log in to the OSMU board as user osmuuser in Secure Shell (SSH) mode using PuTTY. For
detailed operations, see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following command to switch to user root:
~> su - root
Password: Password of root
Step 3 Run the following command to log in to the board in SSH mode:
# ssh private IP address of the board
Step 4 Run the following command to check the users who have logged in to the board:
# who
If tty1 is displayed, a user has logged in to the board by using KVM. The following is
shown as an example:
root tty1 Sep 18 16:05
root pts/0 Sep 16 12:27 (10.10.10.1)
root pts/1 Sep 18 15:10 (10.10.10.2)
----End
Context
NOTE
Using the FTP protocol has security risks. It is recommended that you use the SFTP protocol to perform
related operations.
The symptom, cause, and solution of the problem that users cannot download files using the
FTP or SFTP protocol are as follows:
• User root cannot log in to the server using FTP or SFTP.
Cause: Due to security requirements, user root is prohibited from logging in to the server
using FTP or SFTP.
Solution: When logging in to the server using the FTP protocol, use user ftpuser; and
when logging in to the server using the SFTP protocol, use an account other than user
root (for example, ossuser).
• The login user cannot navigate to the path saving the file to be downloaded on the server.
FileZilla is used as an example. The following information is displayed:
Error: Directory /etc/ntp: permission denied
Error: Failed to retrieve directory listing
Cause: The login user does not have the right to access the file save path.
Solution: Copy the file to be downloaded to the home directory of the login user, add
related permissions, and download it by referring to this section.
• The login user can access the file path on the server but fails to download the file.
Cause: The read permission of the file is insufficient. For example, if the owner of the
file to be downloaded is root and the permission is rwx------, only user root can read the
file.
Solution: Copy the file to be downloaded to the home directory of the login user, add
related permissions, and download it by referring to this section.
NOTE
Users can run the ls command to query the file owner and related permissions. For details about
how to use the ls command, see the chapter ls of U2000 Command Reference.
ftpuser /export/home/sysm
ossuser /export/ossuser
oracle /export/home/oracle
dbuser /export/home/sybase
osmuuser /home/osmu
Procedure
Step 1 Use PuTTY to log in to the server as user ossuser in SSH mode.
NOTE
• In this section, user ossuser is used as an example to explain the operations. When a user other than
ossuser is used to download files, perform operations by referring to this section.
• Assume that the file to be downloaded is abc.txt, the file owner is root, the permission is rwx------,
and the file save path on the server is /etc/ntp.
Step 3 Run the following command to go to the path saving the file to be downloaded:
# cd /etc/ntp
Step 4 Run the following command to copy the file to the home directory of user ossuser:
# cp abc.txt /export/ossuser
NOTE
• The home directory of user ossuser is /export/ossuser. When a user other than ossuser is used to
download files, replace the home directory.
• If there are too many files to download, you can run the tar command to pack the files and copy the
package to the home directory of user ossuser. For details about how to use the tar command, see the
chapter tar of U2000 Command Reference.
Step 5 Run the following commands to grant the read permission to the file to be downloaded:
# cd /export/ossuser
Step 6 Use FileZilla to download the file as user ossuser. For details about how to use the FileZilla,
see section 26.1.12 Transferring Files by Using FileZilla.
Step 7 Run the following commands on the server to delete the copied file in the home directory of
user ossuser:
# cd /export/ossuser
# rm abc.txt
----End
Context
NOTE
• Due to security requirements, user root is prohibited from logging in to the server using FTP or
SFTP. When logging in to the server using the FTP protocol, use user ftpuser; and when logging in
to the server using the SFTP protocol, use an account other than user root (for example, ossuser).
• Using the FTP protocol has security risks. It is recommended that you use the SFTP protocol to
perform related operations.
ftpuser /export/home/sysm
ossuser /export/ossuser
oracle /export/home/oracle
dbuser /export/home/sybase
osmuuser /home/osmu
Procedure
Step 1 Use FileZilla to upload the file as user ossuser to the home directory of user ossuser.
NOTE
• In this section, user ossuser is used as an example to explain the operations. Assume that the file to
be uploaded is abc.txt and the save path after the file is uploaded to the server is /etc/ntp.
• The home directory of user ossuser is /export/ossuser. When a user other than ossuser is used to
upload files, replace the home directory. When user ftpuser is used to log in to the server, the upload
file must be set to /export/home/sysm/ftproot.
• For details about how to use FileZilla, see section 26.1.12 Transferring Files by Using
FileZilla.
• The format of some files needs to be changed after being uploaded to the server. Before uploading
such files, contact Huawei technical support to confirm whether the format needs to be changed.
Step 2 Use PuTTY to log in to the server as user ossuser in SSH mode.
Step 4 Run the following command to go to the path saving the uploaded file:
# cd /export/ossuser
Step 5 Run the following command to copy the file to the save path:
# cp abc.txt /etc/ntp
Step 6 Run the following commands to change the file owner and grant the corresponding
permissions:
# cd /etc/ntp
# chown ossuser abc.txt
# chmod u+rwx abc.txt
# chmod g+rx abc.txt
NOTE
• The chown command is used to change the file owner. For details about how to use the chown
command, see the chapter chown of U2000 Command Reference.
• The chmod command is used to change the read, write, and execute permissions for the file. For
details about how to use the chmod command, see the chapter chmod of U2000 Command
Reference.
----End
Prerequisites
• A network interface is available on the U2000 server for setting the DHCP listening IP
address. If no such network interface is available, add a network adapter which
interconnects with the network on the NE side. In a non-single-server system, you only
need to ensure that a network interface for DHCP listening IP address exists on the
active server.
• The IP address of the idle network interface on the U2000 server has been set to the
DHCP listening IP address.
Context
With the DHCP function, the destination IP address used by NEs to send DHCP messages can
be different from the southbound IP address of the U2000. By default, the DHCP service
listens to the DHCP port for which the southbound IP address of the U2000 is configured. To
listen to other IP addresses of the U2000 server, perform the operations described
in this section.
NOTICE
For ATAE Cluster Remote HA System, after a switchover of the systems in active/standby
mode, you need to set the DHCP listening IP address again on the node taking over services.
Procedure
Step 1 Use PuTTY to log in to U2000 server in SSH mode as user dbuser.
In a non-single-server system, log in to the active (or master) server.
~> vi /opt/oss/server/etc/ADNService/DHCPManager/DHCPIP.xml
Add the listening IP address to IP value, for example, 10.71.15.20. The file contents after the
modification are as follows:
<?xml version="1.0" encoding="utf-8"?>
<root>
<IP value="10.71.15.20" />
</root>
Step 3 After the modification, press Esc and run the :wq command to save the modification and exit.
~> . /opt/oss/server/svc_profile.sh
~> su - root
Password: Password of root
Step 6 Run the following commands to change the port mapping relationship:
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/lbin/
# ./mapDhcpPort.sh
----End
Follow-up Procedure
If you need to restore the settings, delete the listening IP address from the DHCPIP.xml file
and restart the ADNService service. For details, see Step 1 to Step 6.
Procedure
Step 1 Use PuTTY to log in to the U2000 server as user oracle in SSH mode.
NOTE
In an HA system, log in to only the active server. In an ATAE cluster system or an ATAE cluster online
remote HA system, log in to the database board whose database account is locked.
----End
Context
This section describes how to unlock a Sybase database account using an administrator account.
If the administrator account is locked, contact Huawei technical support engineers.
Procedure
Step 1 Use PuTTY to log in to the database board whose database account is locked in SSH mode as
user dbuser.
NOTE
DBSVR is the name of the database server. For details about how to query the actual database server
name, see 26.1.9 Checking the Sybase Database Server Name.
The following uses how to unlock user sybuser as an example. You need to replace sybuser with the
actual account to be unlocked.
2> go
1> exit
----End
Context
• After the audit is performed, all operations performed by operating system users are
recorded in audit logs. The audit logs are in turn recorded to audit.log, audit.log.1,
audit.log.2, and audit.log.3. audit.log is the latest log file, and audit.log.3 is the oldest
log file.
• The path of the audit logs is defined by log_file in the auditd.conf file. The default path
is /var/log/audit/audit.log.
• After the operating system log audit function is enabled, audit logs will record the
commands and parameters used by users. The information may include sensitive user
information, which brings risks. Therefore, use this function with caution. If users have
enabled this function, keep the audit log files properly.
NOTE
• The directory of the audit logs must have sufficient space. The minimum space is 2 GB, and it is
recommended that a file system with 20 GB space be created for the directory.
• The audit logs (the audit.log.N files) must be manually backed up. The backup interval depends on
the number of generated logs. It is recommended that the logs be backed up at least once every
week.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following command to check whether the Audit Framework and related libs files
have been installed in the SUSE Linux operating system:
Step 4 Run the following command to set parameters in the /etc/sysconfig/auditd file:
# vi /etc/sysconfig/auditd
Step 5 Run the following command to set parameters in the /etc/auditd.conf file:
# vi /etc/auditd.conf
NOTE
You can run the man auditd.conf command to query the description of each parameter in the
auditd.conf file.
Step 6 Run the following command to check the login, sshd, crond, and atd files under the
/etc/pam.d directory and verify that each file contains the following contents:
# vi /etc/pam.d/file name
session required pam_loginuid.so
session include common-session
# Set the failure flag to use when the kernel needs to handle critical errors.
# Possible values are 0 (silent), 1 (printk, print a failure message),
# and 2 (panic, halt the system).
-f 1
# Feel free to add below this line. See auditctl man page
# Set watches on the at and cron configuration and the scheduled jobs
# and assign labels to these events.
-w /var/spool/at -k Cron_cfg
-w /etc/at.allow -k Cron_cfg
-w /etc/at.deny -k Cron_cfg
-w /etc/cron.allow -p wa -k Cron_cfg
-w /etc/cron.deny -p wa -k Cron_cfg
-w /etc/cron.d/ -p wa -k Cron_cfg
-w /etc/cron.daily/ -p wa -k Cron_cfg
-w /etc/cron.hourly/ -p wa -k Cron_cfg
-w /etc/cron.monthly/ -p wa -k Cron_cfg
-w /etc/cron.weekly/ -p wa -k Cron_cfg
-w /etc/crontab -p wa -k Cron_cfg
-w /var/spool/cron/root -k Cron_cfg
# Set watches on the user, group, password, and login databases and logs
# and set labels to better identify any login-related events,
# such as failed login attempts.
-w /etc/group -p wa -k LoginFile_access
-w /etc/passwd -p wa -k LoginFile_access
-w /etc/shadow -k LoginFile_access
-w /etc/login.defs -p wa -k LoginFile_access
-w /etc/securetty -k LoginFile_access
-w /var/log/faillog -k LoginFile_access
-w /var/log/lastlog -k LoginFile_access
# Set a watch on the directory where the audit log is located. Trigger an
# event for any type of access attempt to this directory.
-w /var/log/audit/ -k AuditDir_access
-w /var/log/audit/audit.log -k AuditLog_access
# Set a watch on an audit configuration file. Log all write and attribute
# change attempts to this file.
-w /etc/auditd.conf -p wa -k Audit_cfg
-w /etc/audit.rules -p wa -k Audit_cfg
-w /etc/libaudit.conf -p wa -k Audit_cfg
-w /etc/sysconfig/auditd -p wa -k Audit_cfg
# dos2unix /etc/audit.rules
dos2unix: converting file /etc/audit.rules to UNIX format ...
# auditctl -R /etc/audit.rules
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
----End
Context
• After the audit is performed, all operations performed by operating system users are
recorded in audit logs. The audit logs are in turn recorded to audit.log, audit.log.1,
audit.log.2, and audit.log.3. audit.log is the latest log file, and audit.log.3 is the oldest
log file.
• The path of the audit logs is defined by log_file in the auditd.conf file. The default path
is /var/log/audit/audit.log.
• After the operating system log audit function is enabled, audit logs will record the
commands and parameters used by users. The information may include sensitive user
information, which brings risks. Therefore, use this function with caution. If users have
enabled this function, keep the audit log files properly.
NOTE
• The directory of the audit logs must have sufficient space. The minimum space is 2 GB, and it is
recommended that a file system with 20 GB space be created for the directory.
• The audit logs (the audit.log.N files) must be manually backed up. The backup interval depends on
the number of generated logs. It is recommended that the logs be backed up at least once every
week.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following command to check whether the Audit Framework and related libs files
have been installed in the SUSE Linux operating system:
Step 4 Run the following command to set parameters in the /etc/sysconfig/auditd file:
# vi /etc/sysconfig/auditd
Step 5 Run the following command to set parameters in the /etc/audit/auditd.conf file:
# vi /etc/audit/auditd.conf
NOTE
You can run the man auditd.conf command to query the description of each parameter in the
auditd.conf file.
Step 6 Run the following command to check the login, sshd, crond, and atd files under the /etc/
pam.d directory and verify that each file contains the following contents:
# vi /etc/pam.d/file name
session required pam_loginuid.so
session include common-session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/login -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/eject -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /etc/sudoers -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules " > /etc/audit/audit.rules
# dos2unix /etc/audit/audit.rules
dos2unix: converting file /etc/audit/audit.rules to UNIX format ...
# auditctl -R /etc/audit/audit.rules
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
AUDIT_STATUS: enabled=1 flag=1 pid=5749 rate_limit=0 backlog_limit=25600 lost=1049 backlog=0
# rcauditd restart
Shutting down auditd done
Starting auditd done
----End
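A pre-load check for the rule file written in the procedure above, as an added example that is not part of the Huawei guide. It flags the defects a copied rule set tends to carry: CRLF line endings (the reason the procedure runs dos2unix), rules split across two lines, and a syscall rule present for only one of arch=b64 and arch=b32. The function names, finding codes and sample rules are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: lint an audit.rules file before loading it with auditctl -R.
# Finding codes (hypothetical names used only in this example):
#   CRLF       line ends in a carriage return (what dos2unix removes)
#   FRAGMENT   non-comment line that does not start with "-": tail of a wrapped rule
#   TRUNCATED  rule ends in a bare "-", an option with no value, or an operator
#   NOPAIR     syscall rule present for only one of arch=b64 / arch=b32
lint_audit_rules() {
    awk '
    function report(ln, code, msg) { printf "%d:%s:%s\n", ln, code, msg; n++ }
    {
        line = $0
        if (sub(/\r$/, "", line)) report(NR, "CRLF", "carriage return at end of line")
        if (line ~ /^[ \t]*$/ || line ~ /^[ \t]*#/) next
        if (line !~ /^[ \t]*-/) {
            report(NR, "FRAGMENT", "does not start with an option")
            next
        }
        if (line ~ /(^|[ \t])-[FSkpw]?[ \t]*$/ || line ~ /[!<>=]$/) {
            report(NR, "TRUNCATED", "rule stops in the middle of an option")
            next
        }
        # Remember each syscall rule under a key with the arch value masked out,
        # so that the b64 and b32 variants of the same rule share one key.
        if (line ~ /^[ \t]*-a[ \t]/ && line ~ /arch=b(32|64)/) {
            arch = (line ~ /arch=b64/) ? "b64" : "b32"
            key = line
            sub(/arch=b(32|64)/, "arch=*", key)
            seen[key, arch] = NR
            keys[key] = 1
        }
    }
    END {
        for (k in keys) {
            if (!((k, "b32") in seen)) report(seen[k, "b64"], "NOPAIR", "no arch=b32 counterpart")
            if (!((k, "b64") in seen)) report(seen[k, "b32"], "NOPAIR", "no arch=b64 counterpart")
        }
        exit (n > 0)
    }' "$1"
}

# Constructed sample: two rules wrapped the way a copied page breaks them, one
# syscall rule without a 32-bit twin, and one line with a CRLF ending.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a complete rule set
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!
=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -
F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
EOF
    printf '%s\r\n' '-w /sbin/insmod -p x -k modules' >> "$1"
}

sample=$(mktemp)
make_sample_rules "$sample"
lint_audit_rules "$sample" || echo "fix the findings above before running auditctl -R"
rm -f "$sample"
```

The NOPAIR finding mirrors the rule set above, where every syscall rule except the init_module/delete_module one is given for both arch=b64 and arch=b32.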
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following command to disable SUSE Linux operating system audit:
# rcauditd stop
Shutting down auditd done
----End
Prerequisites
You have logged in to the OSMU on the PC. For detailed operations, see 26.2.5 Logging In
to the OSMU by Using a Web Browser.
Context
The KVM page is unavailable when one of the following conditions is met:
• Java security settings stop the execution of signed and unsigned applications on the JRE
of an earlier version.
• The current system JRE is out of date.
Procedure
Step 1 Click Start on the PC and choose Control Panel.
Step 2 In the displayed window, set View by to Large icons or Small icons.
Step 3 Click Java. The Java Control Panel dialog box is displayed.
Step 4 In the displayed dialog box, as shown in Figure 26-5, click the Security tab. Then, click Edit
Site List.
Step 5 In the displayed Exception Site List dialog box, click Add.
Step 6 Enter the URL of the OSMU in Location. Then, click OK.
Step 7 In the left pane of the OSMU page, choose Routine Maintenance > KVM.
Step 8 In the displayed dialog box, select I accept the risk and want to run this application. and
click Run. The KVM page on the OSMU is opened.
----End
Prerequisites
The firewall function of the operating system has been enabled.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board using
either of the following two modes:
• Log in to the OSMU of the standby site, and then log in to the U2000 board through the KVM of
the OSMU.
• Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
Step 4 Set the whitelist to add the IP addresses or network segments that are allowed to access the
server.
1. Run the following command to add the local IP address of the server to the whitelist:
# iptables -A INPUT -s <Local IP address of the server> -j ACCEPT
NOTE
For an ATAE cluster system or ATAE cluster online remote HA system, you need to add the IP
address (including private and public IP addresses) of each board to the whitelist.
2. Run the following command to add an IP address or network segment that is allowed to
remotely access the server to the whitelist:
# iptables -A INPUT -s <IP address or network segment that can remotely access the
server> -j ACCEPT
For example, run the following commands to add 10.229.154.94 and 10.229.39.64/26 to
the whitelist:
# iptables -A INPUT -s 10.229.154.94 -j ACCEPT
NOTE
• After the blacklist is configured, only the IP addresses and network segments on the whitelist can
access the server.
• Ensure that the whitelist is configured before the blacklist. Otherwise, all IP addresses and
network segments are prohibited from accessing the server.
----End
Follow-up Procedure
Run the following commands to cancel the whitelist and blacklist:
# iptables -P INPUT ACCEPT
NOTE
In the preceding command, <IP address or network segment> refers to the IP address or network
segment added in Step 4.
Prerequisites
• You have obtained the IP address for the OSMU board. For detailed operations, see 27.3
Default Host Names and IP Addresses of Boards.
• The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
• You have obtained the passwords for users osmuuser and root of the OSMU board. To
learn the initial passwords for users, see Default Users and Initial Passwords.
• You have obtained the IP address of the PC from which you want to log in to the OSMU
server.
Context
OSMU boards include the active OSMU board and standby OSMU board when the standby
OSMU board is deployed. The active OSMU board is installed in slot 1 of the first subrack
(XY-MPS-1-5-1). The standby OSMU board is installed in a subrack based on the service
deployment. For example, the standby OSMU board can be installed in slot 14 in the first
subrack (XY-MPS-1-5-14) or in the second subrack (XY-EPS-1-6-14).
Procedure
Step 1 Use PuTTY to log in to the OSMU board in SSH mode as osmuuser. For detailed operations,
see 26.1.1 Logging In to the Board by Using PuTTY.
Step 2 Run the following commands to add the IP address of the PC to the whitelist of the OSMU
server:
# cd /opt/osmu/tomcat/webapps/osmu/WEB-INF/
# vi web.xml
Find the following information in the file, and add the IP address of the PC next to the
param-value parameter.
NOTICE
• The value of the param-value parameter is empty by default, indicating that the ACL of
the OSMU web service is not set.
• You are allowed to add multiple IP addresses at a time. The IP addresses must be separated
by single-byte commas (,) and no space character is allowed.
• You are allowed to add an IP address segment. For example, if you want to enable all PCs
whose IP addresses are between 10.67.140.0 and 10.67.150.255 to access the OSMU
server, add 10.67.140-150.0-255 next to the param-value parameter.
• If you want to enable the PC to access the OSMU server through one or more proxy
servers, you need to add the IP addresses of the PC and the proxy servers to the whitelist
of the OSMU server.
10.67.53.52 and the IP addresses between 10.67.140.0 and 10.67.150.255 are used as an
example in the following part. You can replace them based on site requirements.
<filter>
<filter-name>ClientIpFilter</filter-name>
<filter-class>imap.vts.osmu.servlet.ClientIpFilter</filter-class>
<init-param>
<param-name>IPList</param-name>
<param-value>10.67.53.52,10.67.140-150.0-255</param-value>
</init-param>
</filter>
# rcosmu restart
When the following information is displayed, the OSMU service has been started. Otherwise,
contact Huawei technical support.
Starting OSMU service: done
----End
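The IPList syntax from the NOTICE above, as an added example for checking a list before it is written into web.xml; this is not the code of ClientIpFilter. It assumes that each octet of an entry is either one value or an inclusive lo-hi range and that the four octets are matched independently. The function name iplist_check and its verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: evaluate a client address against an IPList value.
# Usage: iplist_check LIST CLIENT_IP
# Prints one of: allow | deny | unrestricted | invalid: <reason or entry>
iplist_check() {
    awk -v list="$1" -v ip="$2" '
    function octet_ok(s) { return (s ~ /^[0-9]+$/ && length(s) <= 3 && s + 0 <= 255) }

    # 1 if entry e covers the address octets ipo[1..4], 0 if not, -1 if e is malformed.
    function entry_match(e, ipo,    eo, r, i, n, hit) {
        if (split(e, eo, "[.]") != 4) return -1
        hit = 1
        for (i = 1; i <= 4; i++) {
            n = split(eo[i], r, "-")
            if (n == 1) r[2] = r[1]              # single value: range of one
            if (n < 1 || n > 2 || !octet_ok(r[1]) || !octet_ok(r[2]) || r[1] + 0 > r[2] + 0)
                return -1
            if (ipo[i] + 0 < r[1] + 0 || ipo[i] + 0 > r[2] + 0) hit = 0
        }
        return hit
    }

    BEGIN {
        # Empty value: the page states that the ACL is then not set.
        if (list == "") { print "unrestricted"; exit }
        # The page allows single-byte commas only, with no space characters.
        if (list ~ /[ \t]/) { print "invalid: whitespace in list"; exit }
        if (split(ip, ipo, "[.]") != 4) { print "invalid: client address"; exit }
        for (i = 1; i <= 4; i++)
            if (!octet_ok(ipo[i])) { print "invalid: client address"; exit }

        verdict = "deny"
        n = split(list, entries, ",")
        for (j = 1; j <= n; j++) {
            m = entry_match(entries[j], ipo)
            if (m < 0) { print "invalid: " entries[j]; exit }   # reject the whole list
            if (m > 0) verdict = "allow"
        }
        print verdict
    }'
}

# The value used in the web.xml fragment above.
OSMU_IPLIST='10.67.53.52,10.67.140-150.0-255'
for addr in 10.67.53.52 10.67.145.7 10.67.151.0; do
    printf '%s -> %s\n' "$addr" "$(iplist_check "$OSMU_IPLIST" "$addr")"
done
```

Under the per-octet assumption, an entry such as 10.67.140-150.10-20 covers hosts 10 to 20 in each of the eleven subnets rather than one contiguous span, so 10.67.145.5 is denied by it.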
Context
• In the non-single-server system, you need to perform related operations only on the
active server or master server.
• For an ATAE cluster online remote HA system, you need to perform related operations at
the active site.
• If the proxy function of the U2000 server is disabled, the following ports are disabled:
6000, 6001, 6002, 6003, 6006, 6007, 6008, 6010, 6021, 7000, 7001, 7007, 7011, and
7021.
After these ports are disabled, LMT functions based on the proxy function of the U2000
server are affected. For details about the impact, see U2000 Communication Matrix.
Procedure
Step 1 Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
~> su - root
Password: Password of root
Step 3 Run the following commands to check whether the proxy function of the U2000 server is
disabled.
# . /opt/oss/server/svc_profile.sh
# cd /opt/oss/server/rancn/tools/ProxyTools
# ./U2000ProxyAdm.sh query
• If the system displays the following information, the proxy function of the U2000 server
is disabled.
The proxy function disabled
• If the system displays the following information, the proxy function of the U2000 server
is enabled.
The proxy function enabled
Step 4 Enable or disable the proxy function of the U2000 server as required.
• To disable the proxy function of the U2000 server, run the following command:
# ./U2000ProxyAdm.sh disable
If the system displays Disabled proxy function successfully..., the
proxy function of the U2000 server is disabled. Otherwise, contact Huawei technical
support.
• To enable the proxy function of the U2000 server, run the following command:
# ./U2000ProxyAdm.sh enable
If the system displays Enabled proxy function successfully..., the
proxy function of the U2000 server is enabled. Otherwise, contact Huawei technical
support.
----End
26.1.39 Updating the ACL for Internal Ports on the U2000 Server
After security hardening is performed on internal ports on the U2000 server, other products or
tools can update the internal port whitelist to set trust relationships with the U2000 server for
accessing the internal ports on the server.
Context
• In the non-single-server system, you need to perform related operations only on the
active server or master server.
• In the ATAE cluster online remote HA system, perform operations in this section only on
the master server at both the active and standby sites.
Procedure
Step 1 Run the following commands to check whether security hardening has been performed for
internal ports of the U2000 server:
1. Use PuTTY to log in to the U2000 server in SSH mode as user ossuser.
NOTE
The public IP address of the U2000 board at the standby site in an ATAE cluster online remote HA
system is unavailable. When performing operations at the standby site, log in to the U2000 board
using either of the following two modes:
– Log in to the OSMU of the standby site, and then log in to the U2000 board through the
KVM of the OSMU.
– Use PuTTY to log in to the OSMU board at the standby site in SSH mode as user osmuuser,
switch to user root, run the ssh command to switch to the U2000 board using the private IP
address of the board at the standby site.
2. Run the following command to switch to user root.
~> su - root
3. Run the following command to check the security hardening for internal ports of the
U2000 server:
# . /opt/oss/server/svc_profile.sh
– If the system displays the following information, security hardening has been
performed for internal ports of the U2000 server. Perform security unhardening for
the service port by referring to 8.8 Performing Security Hardening/Unhardening
for Internal Ports of the U2000 Server and perform Step 2.
The security hardening rules have been set for internal ports on the OSS
server.
– If the system displays the following information, security hardening has not been
performed for internal ports of the U2000 server. Then, proceed with Step 2.
The security hardening rules have not been set for internal ports on the
OSS server.
Step 2 Perform the following operations to update the internal port whitelist of the U2000 server.
After security hardening is performed on the ports, only the IP addresses in the U2000
whitelist can access these ports.
1. Run the following command to exit user root:
# exit
2. Run the vi command to change the IP addresses saved in the internal port whitelist.
~> cd /opt/oss/server/etc/conf
~> vi iplist.cfg
NOTE
In file iplist.cfg, you can enter an IP address in each line or enter multiple IP addresses in one line.
If you enter multiple IP addresses in one line, separate them with a comma (,). The example is as
follows:
10.10.10.1,10.10.10.2
10.10.10.100,10.10.10.101
After editing the file, press Esc, and then run the :wq! command to save the file and exit
the vi editor.
3. Run the following command to update the whitelist:
~> . /opt/oss/server/svc_profile.sh
If the system displays information similar to the preceding, the whitelist is
updated successfully. Otherwise, contact Huawei technical support engineers.
Step 3 Perform security hardening for internal ports of the U2000 server. For detailed operations,
see 8.8 Performing Security Hardening/Unhardening for Internal Ports of the U2000
Server.
----End
Possible Causes
The SIGReportSwitch switch on the eNodeB is turned off.
In eRAN11.1 and later, the SIGReportSwitch switch is provided for eNodeBs and is used to
enable or disable the SIG log reporting function. This switch is turned on by default. When
this switch is turned on, the eNodeB is able to receive subscriptions and report cell trace data.
If the eNodeB becomes faulty, maintenance personnel may turn off this switch to protect
eNodeB services. After this switch is turned off, the eNodeB no longer reports cell trace data
or receives subscriptions.
Fault Diagnosis
On the U2000 client, issue the specified MML command to the eNodeB encountering this
problem to query the status of the SIGReportSwitch switch.
• If this switch is turned off, contact NE maintenance engineers to check whether it can be
turned on. After it is turned on, issue the subscription again, and check whether the
eNodeB reports cell trace data properly. If the problem persists, contact Huawei technical
support.
• If this switch is turned on, the problem is caused by other reasons. In this case, contact
Huawei technical support.
Procedure
1. On the U2000 client, choose Topology > Main Topology (traditional style);
alternatively, double-click Topo View in Application Center and choose Topology >
Main Topology (application style).
2. In the navigation tree, right-click the eNodeB encountering the subscription or data
reporting failure, and choose MML Command from the shortcut menu.
The MML Command window is displayed.
3. In the Command (F5) text box, enter DSP ENODEBCHROUTPUTCTRL. Click
Exec to query the value of SIGReportSwitch.
The value of SIGReportSwitch is displayed in the command output area box.
– If the command output contains SIG Report Switch = Off, this switch is
turned off.
Contact NE maintenance engineers to check whether it can be turned on. To turn on
this switch, enter SET ENODEBCHROUTPUTCTRL in the Command (F5) text
box, set SIGReportSwitch to ON (on), and click Exec.
If the command output contains Operation succeeded., the
SIGReportSwitch switch has been turned on. Issue the subscription again, and
check whether the eNodeB reports cell trace data properly. If the eNodeB reports
cell trace data properly, the problem has been resolved. Otherwise, contact Huawei
technical support.
– If the command output contains SIG Report Switch = On, this switch is
turned on. In this case, the problem is caused by other reasons. Contact Huawei
technical support.
Prerequisites
l You have logged in to the OSMU using a web browser. For details, see 26.2.5 Logging
In to the OSMU by Using a Web Browser.
l U2000 services are running properly.
Context
The device asset information includes:
• Device name
• Version information of all software installed on the ATAE board (including Trace Server,
Linux, VERITAS Volume Manager, VERITAS Cluster Software)
• Usage of licenses for common northbound interfaces
Procedure
Step 1 Check the board status by performing the following operations:
1. In the left pane of the OSMU window, expand the Service System navigation tree and
choose Service Management > Board Services.
2. On the Board Services tab page, check the status of the boards whose asset information
you want to collect.
The status of the boards whose asset information you want to collect must be in the
Standby or Normal state.
Step 2 In the left pane of the OSMU window, expand the Device Management navigation tree and
choose Device Information > Device Asset Information.
Step 3 Click Collect under the main operation area. In the displayed dialog box, click OK. The
Collect device asset information_YYYYMMDDhhmmssXXX task is added in the
centralized task management list. You can view the execution progress of the task in the
Centralized Task Management area.
• If the collection task is successful or part of the device asset information is collected, the
device asset information file name is displayed in the form of hyperlink in the main
operation area. Otherwise, no information is displayed.
• All the collected files are packed into a zip package. The files are named in the format of
CollectAssetInfo_YYYYMMDDhhmmssXXX.zip. YYYY indicates year. MM indicates
month. DD indicates day. hh indicates hour. mm indicates minute. ss indicates second.
XXX indicates millisecond. For example, the device asset information file collected at
15:25:25 on September 1, 2011 is named in the format of
CollectAssetInfo_20110901152525302.zip.
NOTE
Step 4 Click the hyperlink of the device asset information file name. Click Save in the displayed File
Downloading dialog box. After setting a save path, click Save.
NOTE
Select Select all, and click Delete. You can delete all the device asset files in the main operation area.
Step 5 Import the collected information into the Integrated Business Management System (IBMS).
For detailed operations, see Guide to Preparing NMS Archives. Contact Huawei technical
support engineers to obtain this guide.
NOTE
If the Trace Server is co-deployed with the U2000 in the ATAE cluster system, after
CollectAssetInfo_YYYYMMDDhhmmssXXX.zip is decompressed, import the collected
information of the U2000 and the Trace Server into the IBMS together.
----End
Procedure
Step 1 You have to take required actions for issues that arise when you log in to the OSMU through
Internet Explorer.
If...
On the Service System in the navigation tree of the OSMU, choose U2000 management
tool node. The expected operation GUI is not displayed on the opened window.
Then...
1. In the navigation tree of the OSMU, choose Device Management > Device Information >
Details to check and record the public IP address of the U2000 master service board.
2. On the menu bar of Internet Explorer, choose Tools > Internet options.
3. In the dialog box, choose Security > Trusted sites and click Sites.
4. In the displayed dialog box, do not select Require server verification (https:) for all
sites in this zone.
5. Enter the public IP address of the U2000 master service board. Then, click Add.
Check whether the public IP address of the U2000 master service board is listed in the
Websites list box. If the IP address exists, the operation is successful; if the IP address
does not exist, add the IP address again.
6. Click Close.
7. In the Internet Options dialog box, click OK to close the dialog box.
8. On the Service System in the navigation tree of the OSMU, choose U2000 management
tool node to open the operation GUI again.
In most cases, the operation GUI will be displayed on the opened window. If the GUI is
still not displayed, check whether the added IP address is correct. If the problem
persists, contact Huawei technical support.
NOTICE
To run Internet Explorer 9.0 on Windows 7, choose Start > All Programs, right-click
Internet Explorer, and choose Run as administrator from the shortcut menu.
2. On the menu bar of Internet Explorer, choose View > Zoom, and set Zoom to 100%.
3. On the menu bar of Internet Explorer, choose Tools > Compatibility View Settings.
4. In the displayed Compatibility View Settings dialog box, select Display all websites in
Compatibility View, and click Close.
5. On the menu bar of Internet Explorer, choose Tools > Internet options.
6. In the displayed Internet Options dialog box, set parameters on the following tab pages,
and click OK.
a. On the General tab page, click Settings in the Browsing history area. In the
displayed dialog box, set Check for newer versions of stored pages to Every time
I visit the webpage, and click OK.
b. On the Security tab page, click Internet, and then click Custom level, set
Miscellaneous > Display mixed content to Enable, and click OK. In the displayed
dialog box, click Yes.
c. On the Privacy tab page, set the privacy level to Low, and click Apply.
d. On the Connections tab page, click LAN settings. Do not select Use a proxy
server for your LAN, and click OK.
e. On the Advanced tab page, perform the following operations and click Apply.
▪ Deselect Warn about certificate address mismatch, Use SSL 2.0, Use SSL
3.0, and Use TLS 1.0 under Security.
▪ Select Use TLS 1.1 and Use TLS 1.2 under Security.
NOTE
The secure protocol in the configuration file and Internet Explorer must be modified at the same
time. For details, see setting SSL protocols of OSMU web services in ATAE Cluster System
Product Documentation.
The security certificate expired or has not taken effect. Are you sure you want to continue?
Click Continue, input username and password to log in to the OSMU, no further action is
required.
2. Click on the right of the address bar of Internet Explorer.
3. In the displayed dialog box, click View certificates.
4. Perform Step 4 to Step 5.
4. Click Next. After confirming that the certificate has been imported, click Finish.
5. In the displayed Security Warning dialog box, click Yes. When the system displays The
import was successful., click OK.
6. In the Certificate dialog box, click OK to close the dialog box.
Step 5 Close all Internet Explorer web pages, restart Internet Explorer, and log in to the OSMU.
In most cases, the following problems will not arise: A security certificate message or a
security alert message is displayed or the GUI elements are displayed incompletely.
----End
Procedure
Step 1 Log in to the Windows operating system as a member of the Administrators user group and
start Firefox.
NOTICE
To run Firefox on Windows 7, choose Start > All Programs, right-click Mozilla Firefox, and
choose Run as administrator from the shortcut menu.
Step 3 Add the public IP address of the U2000 master service board to the security exception dialog
box of Firefox.
1. On the main menu of Firefox, choose Tools > Options.
2. In the displayed Options dialog box, select Advanced and click the Encryption tab. On
the displayed Encryption tab page, click View Certificates.
3. In the displayed Certificate Manager dialog box, click the Servers tab. On the
displayed Servers tab page, click Add Exception.
4. In the displayed Add Security Exception dialog box, enter https://Public IP address of
the U2000 master service board:31123 and click Get Certificate. Then, click Confirm
Security Exception and click OK twice.
Step 4 Use the following address and log in to the OSMU as OSMU web user with its password
again.
If the web browser displays a message shown in Figure 26-9, click Add Exception. Then, in
the displayed dialog box, click Confirm Security Exception.
----End
Symptom
When the IP address of the client is on the same network segment as that of the U2000 server
and the client is properly connected to the U2000 server, accessing the web-based U2000
services fails. For example, the login web page fails to be displayed or a function fails to be
executed.
For example, when you access the web-based U2000 services by performing the following
operations, the login Web page fails to be displayed:
Possible Causes
This problem may be caused by the proxy server settings of the Web browser. When the
configured proxy server cannot connect to the required Web site through the browser, the
proxy server fails to forward a request. As a result, visiting a Web site using the browser fails.
Fault Diagnosis
If the proxy server is configured as the domain name or IP address of the U2000 server, the
proxy server settings need to be canceled. If the proxy server is not configured as the domain
name or IP address of the U2000 server, add the domain name or IP address of the U2000
server to the proxy server exception list.
Procedure
• To handle the problem in the Internet Explorer, perform the following operations:
a. In the Internet Explorer browser of U2000 client, choose Tools > Internet Options.
The Internet Options dialog box is displayed.
b. Click the Connections tab.
c. Click LAN Settings. The Local Area Network(LAN) Settings dialog box is
displayed.
d. In the Proxy server area, check whether the Use a proxy server for your LAN
(These settings will not apply to dial-up or VPN connections) option is selected.
▪ If the proxy server is configured as the domain name or IP address of the
U2000 server, deselect the Use a proxy server for your LAN (These settings
will not apply to dial-up or VPN connections) option.
▪ If the proxy server is not configured as the domain name or IP address of the
U2000 server, perform e through g.
e. Click Advanced. The Proxy Settings dialog box is displayed.
f. In the Exceptions area, add the domain name or IP address of the U2000 server to
the proxy server exception list.
For example, if the IP address of the U2000 server is 10.144.72.90, type
10.144.72.90 in the Exceptions area, as shown in Figure 26-10.
g. Click OK.
• To handle the problem in the Firefox browser, perform the following operations:
a. In the Firefox browser of U2000 client, choose Tools > Options. The Options
dialog box is displayed.
b. Click Advanced.
c. Click the Network tab.
d. In the Connection area, click Settings. The Connection Settings dialog box is
displayed.
▪ If the proxy server is configured as the domain name or IP address of the
U2000 server, select No proxy.
▪ If the proxy server is not configured as the domain name or IP address of the
U2000 server, select Manual proxy configuration.
Then, select No Proxy for, and add the domain name or IP address of the
U2000 server to the proxy server exception list.
e. Click OK.
----End
26.2.4 Solving the Problem that the U2000 Web Page Cannot be Opened
Symptom
This section provides the solution to a failure in opening the U2000 web page. Generally, if
the U2000 client and server are on the same network segment and they are communicating
with each other properly, the login web page is displayed when you access web-based
U2000 services. After a successful login, however, the U2000 web page may not be
displayed.
For example, when you perform one of the following operations, the U2000 web page may
not be displayed:
• Open the web page for installing the U2000 client.
http://IP address of the U2000 server/cau or https://IP address of the U2000 server/cau
• Log in to the NIC.
https://IP address of the U2000 server:31040/nic
Possible Causes
• The Citrix access solution is used on the live network. In this solution, Windows Server
2003 has been installed on the Citrix server and the default security level for Internet
Explorer is high. As a result, you cannot open the U2000 web page on the Citrix client.
• Windows Server 2003 has been installed on the PC running the U2000 client and the
default security level for Internet Explorer is high. As a result, you cannot open the
U2000 web page on the client.
Procedure
Step 1 Add the logical IP address of the U2000 server to the list of trusted sites on Internet Explorer.
1. On the menu bar of Internet Explorer, choose Tools > Internet Options.
2. In the displayed Internet Options dialog box, click Security.
3. Click Trusted sites and Sites in sequence.
4. In Add this Web site to the zone, type the logical IP address of the U2000 server. Then,
click Add.
----End
Prerequisites
l You have obtained the IP address for the OSMU board. For detailed operations, see 27.3
Default Host Names and IP Addresses of Boards.
l The communication between the PC and the OSMU board is normal.
l You have obtained the user name and password of the OSMU web user for logging in to the
OSMU. To learn the initial passwords for users, see Default Users and Initial Passwords.
Context
l If you have set the access control list (ACL) by referring to 26.1.37 Setting the ACL of
the OSMU Web Service (Optional), you can log in to the OSMU properly only when
the IP address of the PC is included in the ACL. Therefore, you need to ensure that the
IP address of the PC is included in the OSMU web service ACL.
l If you have set the SSL protocol by referring to Setting SSL Protocols of OSMU Web
Services, you can log in to the OSMU properly only when the browser supports the
preset SSL protocol. Therefore, you need to ensure that the browser supports the preset
SSL protocol and related information has been set.
l The PC configuration and web browser version must meet the following requirements:
– The RAM size is 1 GB or above.
– Internet Explorer 8.0, Internet Explorer 9.0, Internet Explorer 10.0, Internet
Explorer 11.0, Firefox ESR 10.x, Firefox ESR 17.x, Firefox ESR 24.x, or Firefox
ESR 31.x has been installed on the PC.
– The operating system version is Microsoft Windows 7 Professional.
NOTICE
l If you enter an incorrect account, password, or verification code eight consecutive
times, the IP address used for logging in to the OSMU is locked for 10 minutes. After
10 minutes, you can use the IP address to log in again.
l If the IP address has been locked, you can ask the administrator to unlock the IP address
by restarting the OSMU service.
l If the dialog box to change the default password of OSMU web user is displayed, modify
the user's password.
To improve security of users' passwords, set passwords based on the following rules:
l A password must contain 8 to 30 characters.
l A password must contain at least one uppercase letter.
l A password must contain at least one lowercase letter.
l A password must contain at least one digit.
l A password must contain at least one special character ~ ! @ # $ % ^ & *
( ) - _ = + | { } [ ] ; : " \ ' , < . > / ?
l A password must not be the same as the user name or the reverse order of the user
name.
l A password cannot contain three or more consecutive characters that are the same
(for example, AAA and 111).
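The seven rules above can be checked mechanically before a password is submitted. The following is an added example, not code from the guide or from the OSMU; it assumes ASCII letters and digits and a case-sensitive comparison with the user name, and the `known_defaults` deny list is an extra check that is not one of the listed rules.

```python
"""Check a candidate OSMU web-user password against the rules listed above."""

# Special characters exactly as enumerated in the rule list.
SPECIALS = set("~!@#$%^&*()-_=+|{}[];:\"\\',<.>/?")


def has_triple_repeat(password):
    """Return True if any character occurs three or more times in a row."""
    return any(
        password[i] == password[i + 1] == password[i + 2]
        for i in range(len(password) - 2)
    )


def check_password(username, password, known_defaults=()):
    """Return the list of violated rules; an empty list means compliant.

    known_defaults is an optional deny list (an addition in this example):
    a documented initial password can satisfy every complexity rule, so
    complexity checks alone do not show that it has been changed.
    """
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append("length")          # 8 to 30 characters
    if not any("A" <= c <= "Z" for c in password):
        problems.append("uppercase")       # at least one uppercase letter
    if not any("a" <= c <= "z" for c in password):
        problems.append("lowercase")       # at least one lowercase letter
    if not any("0" <= c <= "9" for c in password):
        problems.append("digit")           # at least one digit
    if not any(c in SPECIALS for c in password):
        problems.append("special")         # at least one listed special character
    if password in (username, username[::-1]):
        problems.append("username")        # same as user name or its reverse
    if has_triple_repeat(password):
        problems.append("repeat")          # e.g. AAA or 111
    if password in known_defaults:
        problems.append("default")         # still a documented initial password
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    samples = [
        ("osmuadmin", "Tr1ck-y_Pass"),
        ("Admin_2016x", "x6102_nimdA"),
        ("osmuadmin", "Passs#2016"),
        ("osmuadmin", "short1!"),
    ]
    for user, candidate in samples:
        result = check_password(user, candidate)
        print(user, candidate, "OK" if not result else result)
```
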
Procedure
l Type the following website in the Address bar of the browser on the PC and press Enter.
Then, log in to the OSMU as an OSMU web user.
https://<public IP address of the OSMU server>:30088/osmu or https://<private IP
address of the OSMU server>:30084/osmu
NOTE
l The OSMU server has a private IP address and a public IP address. When you log in to the
OSMU by using the private IP address of the OSMU server, the PC must be connected to the
base network port on the RTM of the switching board through a network cable. You are
advised to log in to the OSMU by using the private IP address of the OSMU server only in
scenarios where the public IP address of the OSMU server is not set or when a network
failure occurs. For details about the IP address planning of the OSMU server, see 27.3
Default Host Names and IP Addresses of Boards.
l If the OSMU login window is not displayed after you type the preceding website in the
address bar of the browser and press Enter, perform the following operations:
l If you use Internet Explorer to access the OSMU, perform the operations described in
26.2.1 Setting Internet Explorer. If the problem persists, perform the operations
described in 26.1.4 Starting the OSMU Service.
l If the OSMU login window is not displayed after you use Mozilla Firefox to access the
OSMU, perform the operations described in 26.1.4 Starting the OSMU Service.
l If a message indicating that the website is insecure is displayed on the browser after login to
the OSMU, solve the problem by referring to 26.2.1 Setting Internet Explorer or 26.2.2
Setting Firefox.
----End
Prerequisites
The U2000 client and server are connected properly, and the server works properly.
Context
l The default port number of the server is 31039. Do not change it in normal conditions.
Otherwise, you cannot log in to the U2000 client.
l The U2000 server provides the default user account admin. User admin has all
operation rights, and the password is Changeme_123 by default. After you successfully
log in to the U2000 client for the first time, change the password immediately.
l By default, you log in to the U2000 client in Secure Sockets Layer (SSL) mode. You can
switch to the common mode. If the SSL mode is used, data is encrypted and transmitted
between the client and server. If the common mode is used, data is not encrypted. To
ensure data transmission security, you are advised to use the SSL mode.
l By default, if you do not log in to the U2000 client for more than 60 days, your account
automatically changes to the suspend state unless you are a U2000 user.
l The user with the rights of the security administrator group can click a hibernated
account in the navigation tree in the Security Management window on the U2000, and
then set Disable user account to No on the Details tab to enable this account.
l Running clients of two different versions on the same PC is not recommended.
Procedure
Step 1 Start the U2000 client.
Step 2 In the Login dialog box, perform the following operations to select a server where you want
to log in:
l If the server list does not exist:
Step 3 In the Login dialog box, enter the user name and password.
NOTE
l If the U2000 server is initially installed, the default password of user admin is Changeme_123.
After login, change the default password of user admin to ensure system security.
l The password of user admin is stored on the U2000 server. This password is set to Changeme_123
only when the U2000 server but not the U2000 client is initially installed.
l If the user name and password are correct, the Loading dialog box is displayed, indicating the
loading progress.
l If the user name or password is incorrect, the Information dialog box is displayed with the message
login failed. Please enter the correct user name and password.
l If the password is about to expire, the system prompts you to change the password before expiration.
l If the license is about to expire, the system notifies you of the expiration date.
l If you use a temporary license, you are prompted to apply for a commercial license.
l It takes about 30 seconds to 50 seconds to load software when the client logs in to the server. If the
client still has not logged in to the server after a long time, contact Huawei technical support.
----End
Procedure
Step 1 Exit the U2000 client.
Step 2 Perform the following operations to uninstall the U2000 client software:
Step 3 Use the U2000 uninstallation tool to uninstall the client software.
1. Choose Start > All Programs > iManager U2000 MBB Client > Uninstall Client.
2. In the displayed Confirm dialog box, click Yes.
3. When the uninstallation is complete, click Finished to close the dialog box.
A dialog box is displayed, prompting you to delete the installation directory. Click Close
to close the dialog box.
4. Delete the relevant U2000 installation directory.
----End
Procedure
Step 1 Choose Start > Run, enter the command cmd, and then press Enter.
java -version
l When the system displays information similar to the following example, java version
indicates the JRE version installed on the PC.
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) Client VM (build 24.71-b01, mixed mode, sharing)
NOTE
If 64-bit is shown after Java HotSpot(TM), the JRE version is not 32-bit and
should be reinstalled.
l If the system displays a message indicating that the command is not found, it indicates
that no JRE is installed. You can obtain the required JRE version from the Internet or in
the U2000 client web installation window.
----End
Symptom
When users query performance measurement results on the U2000 client, the following
information is displayed.
Possible Causes
1. The network connection is abnormal. Check whether the network connection is normal.
Then, check whether the network connection between the U2000 client and the master
and slave servers is normal. If the routes between the U2000 client and the master and
slave servers are not configured properly, modify the route settings by referring to 2.2
Setting the Routes of the U2000 Server.
2. Some U2000 services are not running properly. Check whether the U2000 services are
running properly. For details, see 4.1 Checking the U2000 Service Status.
3. If the problem persists after the preceding operations are performed, contact Huawei
technical support.
Prerequisites
l The identity certificate of the PKCS#12 type (with file name extension .p12) and its
password are obtained.
l Trust certificates with the .cer file name extension are obtained. The certificates include
the rootCA.cer certificate issued by the root certification authorities, and the
subCA1.cer and subCA2.cer certificates issued by the intermediate certification
authorities.
Context
The certificate of the U2000 client can be deployed on a browser. After the U2000 client is
installed, the certificate is available in the corresponding path. You can deploy the preset
certificate before a new certificate is applied. Certificate files deployed on a client are saved
in the client installation directory \client\client\style\defaultstyle\conf\ssl. The save paths
for certificate files are the same on the U2000 server. For details, see 9.4 Certificate Save
Path and Naming Conventions. To improve system security, apply for and deploy the new
certificate in a timely manner.
Procedure
Step 1 Perform the following operations according to the browser type.
The following describes how to deploy certificates on Windows Internet Explorer 8.0 and
Firefox 17. There are various browser types and versions. If you encounter a problem during
configuration, view the online help of the browser.
Browser Operation
The Open dialog box is displayed after you click Browse. The .p12 identity certificate is
displayed after you select Personal Information or All Files from the File name drop-down list
in the Open dialog box.
8. Click Next.
9. In the Certificate Import Wizard dialog box, enter the password of the identity
certificate and click Next.
NOTE
If the ID certificate of the U2000 client is selected, enter the password Changeme_123 for the
ID certificate. If another certificate is selected, enter the password based on the actual situation.
10. In the Certificate Import Wizard dialog box, retain the default settings of Certificate
Store, and click Next.
The message Completing the Certificate Import Wizard is displayed in
the Certificate Import Wizard dialog box.
11. Click Finish.
12. When The import was successful is displayed in the Certificate Import Wizard
dialog box, click OK.
The following describes how to deploy a rootCA.cer trust certificate. If you need to deploy the
subCA1.cer and subCA2.cer trust certificates, click the Intermediate Certification Authorities
tab.
5. Click Import.
6. In the Certificate Import Wizard dialog box, click Next.
7. In the Certificate Import Wizard dialog box, click Browse and select a .cer certificate.
8. Click Next.
9. In the Certificate Import Wizard dialog box, retain the default settings of Certificate
Store, and click Next.
The message Completing the Certificate Import Wizard is displayed in
the Certificate Import Wizard dialog box.
10. Click Finish.
11. Read the information in the Security Warning dialog box carefully to have a full
understanding of risks. Then click Yes.
NOTE
The Security Warning dialog box is displayed when you deploy the certificate issued by only the
root certification authorities. If you click the Intermediate Certification Authorities tab and
deploy the certificates issued by the intermediate certification authorities, this dialog box is not
displayed in Step 3.4.
12. When The import was successful is displayed in the Certificate Import Wizard
dialog box, click OK.
6. Click Import.
7. In the Certificate File to Import dialog box, select a .p12 identity certificate.
8. In the Password Entry Dialog dialog box, enter the password of the identity certificate
and click OK.
NOTE
If the ID certificate of the U2000 client is selected, enter the password Changeme_123 for the
ID certificate. If another certificate is selected, enter the password based on the actual situation.
9. In the Alert dialog box, click OK.
10. In the Certificates Manager window, click OK.
Step 5 Deploy trust certificates on Firefox 17.
The methods for deploying the rootCA.cer certificate and the subCA1.cer and subCA2.cer
certificates are the same.
1. On the menu bar of Firefox 17, choose Tools > Options.
2. In the Options window, click Advanced.
3. Click the Encryption tab.
4. In Certificates, click View Certificates.
5. In the Certificates Manager window, click the Authorities tab.
6. Click Import.
7. In the Select File containing CA certificate(s) to import dialog box, select a .cer trust
certificate.
8. In the Downloading Certificate dialog box, select Trust this CA to identify websites
and click OK.
NOTE
You can repeat Step 5.6 through Step 5.8 to import multiple certificate files. The following
information is displayed if you import a certificate that is already imported:
This certificate is already installed as a certificate authority.
9. In the Certificates Manager window, click OK.
----End
Procedure
l Change the advanced settings.
a. Log in to the Windows operating system as a member of the Administrators user
group and start Internet Explorer.
NOTICE
To run Internet Explorer 8.0 on Windows 7, choose Start > All Programs, right-
click Internet Explorer, and choose Run as administrator from the shortcut
menu.
b. On the menu bar of Internet Explorer, choose View > Zoom, and set Zoom to
100%.
c. On the menu bar of Internet Explorer, choose Tools > Internet Options.
d. In the Internet Options dialog box, click the Advanced tab.
e. On the Advanced tab page, select Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2
under the Security node.
f. Click OK.
g. Restart the browser.
l Set Internet Explorer parameters.
a. On the menu bar of Internet Explorer, choose Tools > Compatibility View
Settings.
b. In the displayed Compatibility View Settings dialog box, select Display all
websites in Compatibility View, and click OK.
c. On the menu bar of Internet Explorer, choose Tools > Internet Options.
d. In the displayed Internet Options dialog box, set parameters on the following tab
pages, and click OK.
i. On the General tab page, click Settings in the Browsing history area. In the
displayed dialog box, set Check for newer versions of stored pages to Every
time I visit the webpage, and click OK.
ii. On the Security tab page, click Internet, and then click Custom level, set
Miscellaneous > Display mixed content to Enable, and click OK. In the
displayed dialog box, click Yes.
iii. On the Privacy tab page, set the privacy level to Low, and click Apply.
iv. On the Connections tab page, click LAN settings. Do not select Use a Proxy
server for your LAN, and click OK.
v. On the Advanced tab page, do not select Security > Warn about certificate
address mismatch, and click Apply.
e. Restart the browser.
----End
Prerequisites
l You have obtained the IP address for the S3900 disk array.
l You have connected the PC and the S3900 disk array. For detailed operations, see 26.3.2
Connecting the PC and the S3900 Controller Enclosure.
l The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
l You have obtained the password of user admin for the S3900 disk array. To learn the
initial passwords of users, see Default Users and Initial Passwords.
Procedure
Step 1 Double-click putty.exe on the PC to run PuTTY, as shown in Figure 26-11.
Step 2 Enter the IP address of the connected controller in Host Name (or IP address).
Step 4 In the Close window on exit: field, select Only on clean exit and click Open.
If the PuTTY Security Alert dialog box is displayed, as shown in Figure 26-12, click Yes.
Step 5 When login as: is displayed, type the user name admin and press Enter.
When the information Last login: Wed Oct 31 11:59:36 2012 from <IP
address of the PC> is displayed, the login is successful.
----End
Prerequisites
l A serial cable or a network cable is available. One end of the serial cable uses the RJ45
connector and the other end uses the DB9 connector.
l A PC is available.
l You have powered on the S3900 controller enclosure. For detailed operations, see 1.1
Powering On the System in U2000 ATAE Cluster System Administrator Guide.
l The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Procedure
l (Recommended) Connect the PC and the S3900 controller enclosure using a network
cable.
a. Connect the network ports on the S3900 controller enclosure and PC using a
network cable based on the scenarios described in Table 26-12. Figure 26-13
shows the network ports on the S3900 controller enclosure.
Connect to controller A: Insert one end of the network cable into the network port on
controller A and insert the other end of the network cable into the network port on the PC.
Connect to controller B: Insert one end of the network cable into the network port on
controller B and insert the other end of the network cable into the network port on the PC.
b. Set the IP address and subnet mask of the PC to 192.168.128.48 and 255.255.255.0.
Ensure that the initial IP addresses of the PC and S3900 controller enclosure are on
the same network segment. To learn the initial IP addresses, see 27.6 Default IP
Addresses of the S3900 Storage System.
c. Run the following command on the PC to check whether the PC can communicate
properly with the S3900 controller enclosure:
ping <Initial IP address of the controller>
ping 192.168.128.101
l Connect the PC and the S3900 controller enclosure using a serial cable.
a. Connect the serial ports on the S3900 controller enclosure and PC using a serial
cable based on the scenarios described in Table 26-13. Figure 26-13 shows the
serial ports on the S3900 controller enclosure.
Connect to controller A: Insert the RJ45 connector at one end of the serial cable into the
serial port on controller A and insert the DB9 connector at the other end of the serial
cable into the serial port (COM1 or COM2) on the PC.
Connect to controller B: Insert the RJ45 connector at one end of the serial cable into the
serial port on controller B and insert the DB9 connector at the other end of the serial
cable into the serial port (COM1 or COM2) on the PC.
After the preceding operations are completed, the physical connection between the
PC and the S3900 controller enclosure is established.
b. Connect the S3900 Controller Enclosure through a serial port by using PuTTY.
i. Double-click putty.exe to start PuTTY.
ii. Choose Connection > Serial from the navigation tree in the left pane on
PuTTY. A dialog box for setting the serial port connection parameters is
displayed.
iii. In the dialog box, set the serial port connection parameters by referring to
Table 26-14.
Parameter: Value
Serial line to connect to: Specify a serial port, for example, COM1, for the PC terminal
to connect to the S3900 Controller Enclosure.
NOTE
The PC may contain several serial ports, and you can check the name and number of the
serial port by performing the following procedures:
On a PC running on Windows 7 operating system, choose Control Panel and locate Device
Manager. In the displayed Device Manager, choose Port to check the name and number of
the serial port.
Speed: 115200
Data bits: 8
Stop bits: 1
Parity: None
iv. Choose Session from the navigation tree in the left pane. In the right pane,
choose Serial, and click Open.
The following information is displayed in the window of the PuTTY:
Storage Login:
----End
Prerequisites
l You have obtained the password for user admin of the S3900. To learn the initial
passwords for users, see Default Users and Initial Passwords.
l The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
Procedure
Step 1 Connect the PC and the S3900 disk array. For detailed operations, see 26.3.2 Connecting the
PC and the S3900 Controller Enclosure.
Step 2 Perform the following operations by scenario.
If...
You connect the PC and the S3900 disk array using a network cable
Then...
1. 26.3.1 Using PuTTY to Log In to the S3900 Disk Array.
2. Run the following command to check the disk array version:
admin:/>showupgradepkginfo -t 1
========================================================
              Upgrade Package Information
--------------------------------------------------------
  Controller ID    Package Version      Package Status
--------------------------------------------------------
  A                V100R005C02SPC300    Running
  B                V100R005C02SPC300    Running
========================================================
If...
You connect the PC and the S3900 disk array using a serial cable
Then...
1. Log in to the disk array controller as user admin with its password.
When the following information is displayed, logging in to the disk array controller is
successful.
--------------------- Welcome -----------------------
-----------------System Information------------------
| System Name           | SN_210235G6R8Z0B9000003   |
| Device Type           | OceanStor S3900-M300      |
| Current System Mode   | Double Controllers Normal |
| Mirroring Link Status | Link Up                   |
| Location              |                           |
| Time                  | 2013-03-11 07:51:09       |
| Device Serial Number  | 210235G6R8Z0B9000003      |
| Product Version       | V100R002C00               |
-----------------------------------------------------
----End
Prerequisites
l You have obtained the password for user admin of the S3900. To learn the initial
passwords for users, see Default Users and Initial Passwords.
l The PuTTY.zip file has been downloaded to the PC by Huawei technical support
engineers from http://support.huawei.com and has been decompressed.
Huawei technical support engineers can quickly search for the tool package using its
name as the keyword after clicking Search by Category > Tools at
http://support.huawei.com.
l You have obtained the initial IP address and default planned IP address of the S3900
controller enclosure. For detailed operations, see 27.6 Default IP Addresses of the
S3900 Storage System.
Procedure
Step 1 Connect the PC and the S3900 disk array. For detailed operations, see 26.3.2 Connecting the
PC and the S3900 Controller Enclosure.
Change the initial IP address of controller A: There are two ways of connecting them:
l Connect the PC and controller B on the S3900 disk array using a network cable.
l Connect the PC and any controller on the S3900 disk array using a serial cable.
Change the initial IP address of controller B: There are two ways of connecting them:
l Connect the PC and controller A on the S3900 disk array using a network cable.
l Connect the PC and any controller on the S3900 disk array using a serial cable.
Step 2 Change the initial IP address of the S3900 controller enclosure by scenario.
If...
You connect the PC and the S3900 disk array using a network cable and want to change the
initial IP address of controller A
Then...
1. 26.3.1 Using PuTTY to Log In to the S3900 Disk Array.
2. Run the following command to change the initial IP address of controller A:
admin:/> chgctrlip -c a -ip <default planned IP address of controller A> -mask 255.255.248.0 -gw 192.168.128.1
NOTE
a indicates controller A, 255.255.248.0 indicates the subnet mask, and 192.168.128.1
indicates the IP address of the gateway.
When the following information is displayed, enter y to confirm.
Are you sure to continue?(y/n)
                                       Controller IP
-------------------------------------------------------------------------------------------
  Controller ID    IP Address         Mask             Gateway          MAC Address
-------------------------------------------------------------------------------------------
  A                192.168.128.203    255.255.248.0    192.168.128.1    20:0b:c7:9c:cc:75
  B                192.168.128.204    255.255.248.0    192.168.128.1    20:0b:c7:9c:fd:1e
===========================================================================================
If...
You connect the PC and the S3900 disk array using a serial cable and want to change the
initial IP address of controller A
Then...
1. Log in to the disk array controller as user admin with its password.
When the following information is displayed, logging in to the disk array controller is
successful. The values of Device Type and Product Version differ from one type of disk
array controller to another based on actual disk array configuration.
--------------------- Welcome -----------------------
-----------------System Information------------------
| System Name           | SN_210235G6R8Z0B9000003   |
| Device Type           | OceanStor S3900-M300      |
| Current System Mode   | Double Controllers Normal |
| Mirroring Link Status | Link Up                   |
| Location              |                           |
| Time                  | 2013-03-11 07:51:09       |
| Device Serial Number  | 210235G6R8Z0B9000003      |
| Product Version       | V100R002C00               |
-----------------------------------------------------
NOTE
If the IP address of the controller is not changed to the planned IP address, perform the
preceding step again. If the inconsistency persists, contact Huawei technical support.
===========================================================================================
                                       Controller IP
-------------------------------------------------------------------------------------------
  Controller ID    IP Address         Mask             Gateway          MAC Address
-------------------------------------------------------------------------------------------
  A                192.168.128.203    255.255.248.0    192.168.128.1    20:0b:c7:9c:cc:75
  B                192.168.128.204    255.255.248.0    192.168.128.1    20:0b:c7:9c:fd:1e
===========================================================================================
If...
You connect the PC and the S3900 disk array using a network cable and want to change the
initial IP address of controller B
Then...
1. 26.3.1 Using PuTTY to Log In to the S3900 Disk Array.
2. Run the following command to change the initial IP address of controller B:
admin:/> chgctrlip -c b -ip <default planned IP address of controller B> -mask 255.255.248.0 -gw 192.168.128.1
NOTE
b indicates controller B, 255.255.248.0 indicates the subnet mask, and 192.168.128.1
indicates the IP address of the gateway.
When the following information is displayed, enter y to confirm.
Are you sure to continue?(y/n)
                                       Controller IP
-------------------------------------------------------------------------------------------
  Controller ID    IP Address         Mask             Gateway          MAC Address
-------------------------------------------------------------------------------------------
  A                192.168.128.203    255.255.248.0    192.168.128.1    20:0b:c7:9c:cc:75
  B                192.168.128.204    255.255.248.0    192.168.128.1    20:0b:c7:9c:fd:1e
===========================================================================================
If...
You connect the PC and the S3900 disk array using a serial cable and want to change the
initial IP address of controller B
Then...
1. Log in to the disk array controller as user admin with its password.
When the following information is displayed, logging in to the disk array controller is
successful. The values of Device Type and Product Version differ from one type of disk
array controller to another based on actual disk array configuration.
--------------------- Welcome -----------------------
-----------------System Information------------------
| System Name           | SN_210235G6R8Z0B9000003   |
| Device Type           | OceanStor S3900-M300      |
| Current System Mode   | Double Controllers Normal |
| Mirroring Link Status | Link Up                   |
| Location              |                           |
| Time                  | 2013-03-11 07:51:09       |
| Device Serial Number  | 210235G6R8Z0B9000003      |
| Product Version       | V100R002C00               |
-----------------------------------------------------
NOTE
If the IP address of the controller is not changed to the planned IP address, perform the
preceding step again. If the inconsistency persists, contact Huawei technical support.
===========================================================================================
                                       Controller IP
-------------------------------------------------------------------------------------------
  Controller ID    IP Address         Mask             Gateway          MAC Address
-------------------------------------------------------------------------------------------
  A                192.168.128.203    255.255.248.0    192.168.128.1    20:0b:c7:9c:cc:75
  B                192.168.128.204    255.255.248.0    192.168.128.1    20:0b:c7:9c:fd:1e
===========================================================================================
----End
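The procedure above ends by comparing the displayed Controller IP table with the planned address. The following is an added example, not part of the guide or of the S3900 CLI, that parses such a listing (including one wrapped across lines by a narrow terminal) and reports mismatches; the function names and result codes are assumptions of this example, and the gateway and duplicate-address checks go beyond the comparison the guide asks for.

```python
"""Verify a Controller IP listing against the planned controller address."""
import ipaddress
import re

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Fields are separated by any whitespace, so a row that the terminal wrapped
# over several lines still matches.
ROW = re.compile(rf"\b([AB])\s+({_IP})\s+({_IP})\s+({_IP})\s+({_MAC})\b")

# Sample listing with the values shown in this section, in wrapped form.
SAMPLE_WRAPPED = """\
Controller IP
----------------------------------------------
Controller ID IP Address
Mask Gateway MAC
Address
----------------------------------------------
A 192.168.128.203
255.255.248.0 192.168.128.1
20:0b:c7:9c:cc:75
B 192.168.128.204
255.255.248.0 192.168.128.1
20:0b:c7:9c:fd:1e
==============================================
"""


def parse_controller_ip(text):
    """Return {controller: {"ip", "mask", "gateway", "mac"}} from a listing."""
    rows = {}
    for ctrl, ip, mask, gateway, mac in ROW.findall(text):
        rows[ctrl] = {"ip": ip, "mask": mask, "gateway": gateway, "mac": mac}
    return rows


def check_controller(rows, controller, planned_ip):
    """Return a list of problem codes for one controller; empty means OK."""
    controller = controller.upper()
    row = rows.get(controller)
    if row is None:
        return ["missing"]
    try:
        iface = ipaddress.ip_interface(f"{row['ip']}/{row['mask']}")
        gateway = ipaddress.ip_address(row["gateway"])
        planned = ipaddress.ip_address(planned_ip)
    except ValueError:
        return ["invalid-address"]
    problems = []
    if iface.ip != planned:
        # The guide says to repeat the change step in this case.
        problems.append("ip-mismatch")
    if gateway not in iface.network:
        problems.append("gateway-outside-subnet")
    if any(other["ip"] == row["ip"]
           for name, other in rows.items() if name != controller):
        problems.append("duplicate-ip")
    return problems


if __name__ == "__main__":
    table = parse_controller_ip(SAMPLE_WRAPPED)
    for ctrl, planned in (("A", "192.168.128.203"), ("B", "192.168.128.204")):
        print(ctrl, table[ctrl]["ip"], check_controller(table, ctrl, planned) or "OK")
```
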
27 Appendix
system, the master node starts all the U2000 processes, the slave nodes start some processes,
whereas the standby node does not run any U2000 process.
27.9 Description of Trace Server Co-deployment in a Cluster
If the U2000 is co-deployed with the Trace Server in an ATAE cluster system, the Trace
Server functions as a slave server of the U2000. In this case, you do not need to maintain
the Trace Server board independently. For related operations, see the U2000 maintenance
operations.
27.10 U2000 Database
The U2000 databases consist of the Sybase database, Oracle database and the U2000 server
database. This chapter describes only the U2000 server database. After the installation of the
U2000 server application software, the size of the U2000 server database is fixed.
NOTICE
Keep the passwords of the users mentioned in the U2000 system secure. A lost password cannot
be reset or retrieved. If a password is lost, you need to reinstall the operating
system, database, or U2000 server software, which has a great impact on O&M.
l For details about the users created on U2000-related boards and their passwords, see
Table 27-1. For details about the user groups, shell resolution programs, and directories
of operating system users, see Table 27-2.
l For details about the users created for the OSMU board and their passwords, see Table
27-3.
l For details about the users created for the SMM board, FC module of the switching
board and S3900 disk array and their passwords, see Table 27-4.
l For details about the SNMPv3 protocol users and their private keys, see Table 27-5.
l For details about the VCS user created for the OGPU board and password, see Table
27-6.
l For details about the default password for the grub on the OSMU board and OGPU
board, see Table 27-7.
l OS users are created when the OS is installed. Because the login rights of these users are
restricted by the OS, you cannot use the OS users. To prevent OS exceptions, do not delete
these users. Table 27-8 describes these OS users.
NOTICE
- The passwords of users in the U2000 system must be managed properly. To improve
  system security, change the initial passwords set before product delivery.
- Change the passwords periodically (at an interval of 3 or 6 months) to improve system
  security and avoid security risks, such as brute-force password cracking.
- For details about the policies of changing the initial passwords for operating system
  users, see Policies on Passwords for Operating System Users.
- For details about the policies of changing the initial passwords for database users, see
  Policies on Passwords for Database Users (Sybase) or Policies on Passwords for
  Database Users (Oracle).
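The periodic-change rule above can be checked from the shadow file. The following is an added example, not part of the Huawei guide: it reports which of the OS users named in Table 27-1 have a password older than the rotation interval. The function names, the 90-day and 180-day readings of "3 or 6 months", and the sample shadow lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): report OS accounts whose password age
# exceeds the rotation interval, using the shadow(5) "last change" field.

# OS users named in Table 27-1 of the guide.
U2000_OS_USERS="oracle dbuser ossuser ftpuser iscript webuser"

# today_days: current date as days since 1970-01-01, the unit shadow(5) uses.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# stale_passwords SHADOW_FILE TODAY_DAYS MAX_AGE_DAYS
# Prints "user status age" for every listed user that needs attention:
#   STALE                 password older than MAX_AGE_DAYS
#   MUST_CHANGE_AT_LOGIN  last-change field is 0 (change forced at next login)
#   NO_AGING_DATA         last-change field is empty (aging disabled)
stale_passwords() {
    awk -F: -v today="$2" -v max_age="$3" -v users="$U2000_OS_USERS" '
        BEGIN {
            n = split(users, list, " ")
            for (i = 1; i <= n; i++) wanted[list[i]] = 1
        }
        ($1 in wanted) {
            if ($3 == "") { print $1, "NO_AGING_DATA", "-"; next }
            if ($3 == 0)  { print $1, "MUST_CHANGE_AT_LOGIN", "-"; next }
            age = today - $3
            if (age > max_age) print $1, "STALE", age
        }
    ' "$1"
}

# write_sample_shadow FILE: constructed shadow-format lines (no real hashes).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:CONSTRUCTED:16000:0:99999:7:::
oracle:CONSTRUCTED:17000:0:99999:7:::
dbuser:CONSTRUCTED:16900:0:99999:7:::
ossuser:CONSTRUCTED:16800:0:99999:7:::
ftpuser:CONSTRUCTED:0:0:99999:7:::
iscript:CONSTRUCTED::0:99999:7:::
webuser:CONSTRUCTED:17040:0:99999:7:::
EOF
}

# Demo on the constructed sample; 17043 is 2016-08-30 in days since the epoch.
# On a live board, run as root: stale_passwords /etc/shadow "$(today_days)" 90
sample=$(mktemp)
write_sample_shadow "$sample"
echo "90-day interval:";  stale_passwords "$sample" 17043 90
echo "180-day interval:"; stale_passwords "$sample" 17043 180
rm -f "$sample"
```

Password age says nothing about whether an account still uses its delivery password; an account that has never been changed since installation shows up here only once it passes the interval.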
NOTICE
- The password of - in Table 27-1 indicates that the user is not created.
- A user is created only for the service boards or DB boards if no standby board exists.
- If a new version is deployed through upgrade, you can keep using the previous password.
oracle | oracle | Changeme_123 | User oracle enables the U2000 to install, start, stop, and manage the Oracle database. Creation location: on the DB boards and standby DB boards

dbuser | - | Changeme_123 | User dbuser enables the U2000 to install, start, stop, and manage the Sybase database. Creation location: on the DB boards

ossuser | - | Changeme_123 | Operator of the U2000. User ossuser performs routine operation and maintenance on the U2000 system. For example, it can query system status and back up and restore the system. Creation location: on the service board and standby service board

ftpuser | ftpuser | Changeme_123 | User ftpuser is used by the U2000 applications to perform software management and file transfer. Creation location: on the service board and standby service boards

iscript | - | Changeme_123 | User iscript is created during installation of the U2000 server software. User iscript is the OS user for executing the iSStar script. Creation location: on the master service board and standby service boards

webuser | - | Changeme_123 | User webuser is created during installation of the U2000 server software. User webuser is the OS user for running the tomcat and apache. Creation location: on the master service board and standby service board

SMDB (NOTE: For V200R011 that is newly installed, the user name is OMCSMDB.) | emsems | Changeme_123

LOGDB (NOTE: For V200R011 that is newly installed, the user name is OMCLOGDB.) | emsems | Changeme_123

OMCDB | emsems | Changeme_123

TOPODB | - | Changeme_123

AutoCfg | CfgPwdAc | The default password is Changeme_123 for a newly deployed V200R012 version. This user is automatically created and the password must be configured during database interface installation for a newly deployed V200R013 or later version. | Used by a third-party system to log in to the northbound database.

sa | - | Changeme_123 | This user is created when the Sybase database is installed. This user is the administrator of the Sybase database. Creation location: on the DB boards. NOTE: The database administrator sa is created by default. To prevent the potential security risk of the default database administrator being spread, users can manually disable the database administrator and create a new database administrator.

sybuser | - | Changeme_123 | This user is created when the Sybase database is installed. This user is the operation user of the Sybase database. Creation location: on the DB boards.

Default user of the redis database (the redis database does not open this user name) | - | Changeme_123 | This user is an operation user of the redis database. The redis database is installed with the CME software.
- If the database is Sybase database, the password of the redis database user is the same as that of the user sybuser. If you change the password of user sybuser, the password of the redis database user will be also changed.
- If the database is Oracle database, the password of the redis database user is the same as that of the user SYSTEM. If you change the password of user SYSTEM, the password of the redis database user will be also changed.

probe | Unknown | Unknown | Created during installation of the Sybase database. User probe is an internal user of the Sybase, and Sybase does not disclose the password. This user is mainly used for the two phase commit process of the Remote procedure call (RPC) and transaction.

guest, usedb_user | None | None | guest, usedb_user are internal users of the Sybase database, and therefore cannot be used to log in to the Sybase database system. These two users can be used only for database authority allocation and management and can identify the database administrators and operation users in different databases (such as master and omcdb). | Not involved.

Web proxy | proxyuser | Changeme_123 | Changeme_123 | Created during installation of the U2000 server software. User proxyuser is the web proxy user. To increase system security, you must enter the web proxy user name and the password for authentication when accessing NEs over the web using the U2000 server as a proxy. | For details, see 11.3.4 Changing Web Proxy User Passwords.
NOTE
User usedb_user listed in Table 27-1 exists only in the Sybase 15.7 database. Other users exist in all
Sybase databases.
Table 27-3 Default users of the ATAE cluster system (OSMU board)
System or Device | User Name | Default Password | Description | How to Change the Password
OSMU web user | admin | Admin@123 (NOTE: You are prompted to change the default password upon the first login to the web-based client for the newly installed OSMU in the version of V200R001C01 or later. You are not required to do so if the OSMU is upgraded to V200R001C01 or later.) | This user account is created when the OSMU server software is installed and is used for logging into the OSMU through a web browser but not used for logging to the OSMU board operating system. Use the new name if you changed the name of the default OSMU web user admin. | For details, see section Operation and Maintenance > Routine Maintenance > Security Management > User Management > OSMU Web User Management > Changing the Current User Password in ATAE Cluster System Product Documentation.
Table 27-4 Default users of the ATAE cluster system (SMM board/switching board/S3900 disk array)
System or Device | User Name | Default Password | Description | How to Change the Password

Operating system user of the SMM board | root | hwosta2.0 (NOTICE: If a new version is deployed through upgrade, one can keep using the previous password. The initial password for the user is huaweiosta or hwosta2.0 in OSMU V200R001C00SPC200 and earlier versions.) | This is the administrator of the SMM board operating system. It is used to log in to the operating system of the SMM board and it can run all commands. | For details, see 11.5 Managing ATAE Cluster System Devices Users.

SNMP protocol user of the SMM board | root | hwosta2.0 (NOTICE: see the two items below) | This user is used for authentication when the OSMU board and SMM board communicate with each other according to the SNMP protocol. It can run commands dedicated to the SNMP protocol. |
- If a new version is deployed through upgrade, one can keep using the previous password. The initial password for the user is huaweiosta in OSMU V200R001C00SPC200 and earlier versions.
- To be compatible with the OSMU of earlier versions, passwords of the SNMP users on the OSMU are encrypted using the DES and MD5 algorithms. In OSTA2.0, passwords of the SNMP users on OSMU V200R007C01SPC302B010 and later are encrypted using the HMAC-SHA and AES128 security algorithms.

User of the FC module of the switching board | root, admin, user, factory | hwosta2.0 (NOTICE: If a new version is deployed through upgrade, one can keep using the previous password. The initial password for the user is password in OSMU V100R002C00SPC220 and earlier versions. In V200R001C00 and V200R001C01, the initial password is Changeme_123.) | See the per-user descriptions below. |
- root: This is the administrator of the FC module's operating system. It can run all commands.
- admin: This is the administrator of the FC module's operating system. It can run most query and modification commands.
- user: This is the common user of the FC module's operating system. It can run only some query commands.
- factory: This is a reserved account of the FC module's operating system.

S3900 disk array | admin | Admin@storage | admin is the administrator of the S3900 disk array. |

S3900 disk array | Kaimse | Kaimse@storage (NOTICE: When the S3900 disk array for V100R002C00SPC013 and earlier versions, the initial password for the user is Kaimse.) | This user is used to report fault alarm from the S3900 disk array to the OSMU server using the SNMPv3 protocol. |

S3900 disk array | osmuuser | Changeme_123 (NOTICE: If a new version is deployed through upgrade, one can keep using the previous password. The initial password for the user is osmuuser in OSMU V100R002C00SPC200 and earlier versions.) | This user manages the S3900 disk array using the OSMU. |

S3900 disk array | osmumonitoruser | Changeme_123 (NOTICE: If a new version is deployed through upgrade, one can keep using the previous password. The initial password for the user is osmumonitoruser in OSMU V100R002C00SPC200 and earlier versions.) | This user manages the disk array using the OSMU. |

S3900 disk array | _super_admin | Admin@revive | Resets the password for user admin. | To change the password for this user, apply for the reference material from Huawei.
Table 27-6 ATAE cluster system default users (VCS installed on the OGPU board)
User Type | User Name | Password | Description | Password Change Reference
Table 27-7 ATAE cluster system default users (grub on the OSMU board and OGPU board)
User Type | User Name | Password | Description | Password Change Reference

at | Not involved | at is a user who has minimum permissions and is created automatically by the system. The user is used when tasks are scheduled in batches and has been prohibited. However, the user cannot be deleted. | You are not advised to change the password of the user that has been disabled. If you need to change the password, use the passwd command.
bin | | bin is a user who has minimum permissions and is created automatically by the system. The user is used for managing binary file processes and has been prohibited. However, the user cannot be deleted. |
daemon | | daemon is a user who has minimum permissions and is created automatically by the system. The user is used for background processes and has been prohibited. However, the user cannot be deleted. |
NOTE
Users ldap, named, polkituser, puppet, squid and uuidd listed in Table 27-8 exist only in the SUSE11
OS. Other users exist in both SUSE11 and SUSE10.
It is normal for the partition sizes you have queried to deviate by -2 GB to 2 GB from the
values listed in the following table.
Table 27-9 Partitioning of OSMU board local disks (for initially installing OSMU
V200R002C20 and later versions)
Disk No. | Partition Name | Partition Size | Description
1 | / | 35 GB | Root partition
 | /opt | 40 GB | -
 | /home | 5 GB | -
 | /tmp | 20 GB | -
 | /boot | 1 GB | -
Table 27-10 Partitioning of OSMU board local disks (for initially installing the OSMU whose
version is between V200R001C01 and V200R002C10)
Disk No. | Partition Name | Partition Size | Description
 | /boot | 1 GB | -
Table 27-11 Partitioning of OSMU board local disks (for initially installing OSMU
V200R001C00)
Disk No. | Partition Name | Partition Size | Description
1 | /boot | 1% | -
 | swap | 11% | Swap partition
 | none | 60% | -
- BSS: The BSS has two controllers, and it consists of twelve 2000 GB disks or twenty-four
  600 GB disks. The BSS saves the backup data of the ATAE cluster system,
  including the backup data of the OSMU and U2000 products.
NOTE
You can learn the capacity of a disk in the disk array by viewing the label at the top of the front
view of the hard disk.
Table 27-12 describes the number of MSSs, the number of BSSs, and the number of ESSs
that can be configured and the redundancy mode.
The switching boards are installed in slots 7 and 8 in each subrack. For the default IP addresses of the
switching boards, see 27.4 Default IP Addresses of Switching Boards.
NOTICE
- XY in the labels in the following description is a random number generated at delivery.
  You need to select the cabinet, subrack, board, disk array, and cables with the same random
  number for onsite installation. For example, in a cabinet having the label AB-MPRII-1, the
  label of main processing subrack (MPS) is AB-MPS-1-5 and the label of the board in slot
  1 is AB-MPS-1-5-1.
- OSMU boards include the active OSMU board and standby OSMU board when the
  standby OSMU board is deployed. The active OSMU board is installed in slot 1 of the first
  subrack (XY-MPS-1-5-1). The standby OSMU board is installed in a subrack based on the
  service deployment. For example, the standby OSMU board can be installed in slot 14 in
  the first subrack (XY-MPS-1-5-14) or in the second subrack (XY-EPS-1-6-14). In the latter
  case, the OGPU board of the corresponding slot in Table 27-13 is the standby OSMU board.
- You need to reset the public IP address of the OSMU board only when you commission
  the ATAE cluster system for the first time. You do not need to reset it while deploying a
  new U2000.
OSMU board | XY-MPS-1-5-1 | 5 | 1 | SR5S1 | 192.168.128.100 | 255.255.248.0 | 10.10.10.101 | 255.255.255.0
OGPU board | XY-MPS-1-5-2 | 5 | 2 | SR5S2 | 192.168.128.158 | 255.255.248.0 | 10.10.10.102 | 255.255.255.0
 | XY-MPS-1-5-3 | 5 | 3 | SR5S3 | 192.168.128.159 | 255.255.248.0 | 10.10.10.103 | 255.255.255.0
 | XY-MPS-1-5-4 | 5 | 4 | SR5S4 | 192.168.128.160 | 255.255.248.0 | 10.10.10.104 | 255.255.255.0
 | XY-MPS-1-5-5 | 5 | 5 | SR5S5 | 192.168.128.161 | 255.255.248.0 | 10.10.10.105 | 255.255.255.0
 | XY-MPS-1-5-6 | 5 | 6 | SR5S6 | 192.168.128.162 | 255.255.248.0 | 10.10.10.106 | 255.255.255.0
 | XY-MPS-1-5-9 | 5 | 9 | SR5S9 | 192.168.128.165 | 255.255.248.0 | 10.10.10.109 | 255.255.255.0
 | XY-MPS-1-5-10 | 5 | 10 | SR5S10 | 192.168.128.166 | 255.255.248.0 | 10.10.10.110 | 255.255.255.0
 | XY-MPS-1-5-11 | 5 | 11 | SR5S11 | 192.168.128.167 | 255.255.248.0 | 10.10.10.111 | 255.255.255.0
 | XY-MPS-1-5-12 | 5 | 12 | SR5S12 | 192.168.128.168 | 255.255.248.0 | 10.10.10.112 | 255.255.255.0
 | XY-MPS-1-5-13 | 5 | 13 | SR5S13 | 192.168.128.169 | 255.255.248.0 | 10.10.10.113 | 255.255.255.0
 | XY-MPS-1-5-14 | 5 | 14 | SR5S14 | 192.168.128.170 | 255.255.248.0 | 10.10.10.114 | 255.255.255.0
 | XY-EPS-1-6-1 | 6 | 1 | SR6S1 | 192.168.128.171 | 255.255.248.0 | 10.10.10.115 | 255.255.255.0
 | XY-EPS-1-6-2 | 6 | 2 | SR6S2 | 192.168.128.172 | 255.255.248.0 | 10.10.10.116 | 255.255.255.0
 | XY-EPS-1-6-3 | 6 | 3 | SR6S3 | 192.168.128.173 | 255.255.248.0 | 10.10.10.117 | 255.255.255.0
 | XY-EPS-1-6-4 | 6 | 4 | SR6S4 | 192.168.128.174 | 255.255.248.0 | 10.10.10.118 | 255.255.255.0
 | XY-EPS-1-6-5 | 6 | 5 | SR6S5 | 192.168.128.175 | 255.255.248.0 | 10.10.10.119 | 255.255.255.0
 | XY-EPS-1-6-6 | 6 | 6 | SR6S6 | 192.168.128.176 | 255.255.248.0 | 10.10.10.120 | 255.255.255.0
 | XY-EPS-1-6-9 | 6 | 9 | SR6S9 | 192.168.128.179 | 255.255.248.0 | 10.10.10.123 | 255.255.255.0
 | XY-EPS-1-6-10 | 6 | 10 | SR6S10 | 192.168.128.180 | 255.255.248.0 | 10.10.10.124 | 255.255.255.0
 | XY-EPS-1-6-11 | 6 | 11 | SR6S11 | 192.168.128.181 | 255.255.248.0 | 10.10.10.125 | 255.255.255.0
 | XY-EPS-1-6-12 | 6 | 12 | SR6S12 | 192.168.128.182 | 255.255.248.0 | 10.10.10.126 | 255.255.255.0
 | XY-EPS-1-6-13 | 6 | 13 | SR6S13 | 192.168.128.183 | 255.255.248.0 | 10.10.10.127 | 255.255.255.0
 | XY-EPS-1-6-14 | 6 | 14 | SR6S14 | 192.168.128.184 | 255.255.248.0 | 10.10.10.128 | 255.255.255.0
Table 27-14 Planned default IP addresses of switching boards (Base switching plane)
SN | Subrack Type | Board Label | Private IP Address | Subnet Mask | Broadcast Address
8 XY-MPS-1-5-8 192.168.128.164
Table 27-15 Planned default IP addresses of switching boards (FC switching plane)
SN | Subrack Type | Board Label | Private IP Address | Subnet Mask | Broadcast Address
Table 27-16 Planned default IP addresses of switching boards (Fabric switching plane)
SN | Subrack Type | Board Label | Private IP Address | Subnet Mask | Broadcast Address
NOTICE
If an EPS is added for deploying a new U2000, you need to manually change IP addresses of
SMM boards in the added EPS by referring to Table 27-17. For details, see 26.1.19 Viewing
and Setting the IP Addresses for the SMM Board.
NOTE
eth1 and eth2 of each SMM board should be bound, and the resulting logical network interface is named
vbond0. For newly deployed devices, eth1 and eth2 of the SMM board are bound by default after
preinstallation; for the subracks that are introduced for new OSS product deployment or for capacity
expansion purpose, eth1 and eth2 of the SMM board must be manually bound onsite.
Controller enclosure | Controller A | 192.168.128.101
 | Controller B | 192.168.128.102
http://server IP address:8010/prs, https://server IP address:8449/prs | Is used for logging in to the main window of the PRS management tool.
http://server IP address:8090, https://server IP address:31123 | Is used for logging in to the main window of the OSS Management Tool. NOTE: You can also use https://OSMU IP address:31123 to access the main window of the OSS Management Tool when switchover has not been triggered for the two boards.
http://server IP address:31038/ams, https://server IP address:31040/ams | Is used for logging in to the main window of the antenna management system.
http(s)://Server IP address/jse | Displays the web-based OSS framework. The access uses the reverse proxy rule provided by the Apache. The web address is only invoked by software and does not support user access.
http(s)://Server IP address/api | Provides clients with the server RPC interfaces. The access uses the reverse proxy rule provided by the Apache. The web address is only invoked by software and does not support user access.
NOTE
- You are advised to use the web addresses that do not contain port numbers.
- The default communication mode of OSS server is SSL mode. When the OSS server is in the SSL
  communication mode, you can use only HTTPS-based web addresses, for example, https://Server IP
  address/hedex.
- When the OSS server is in the both or common communication mode, HTTPS-based access is
  recommended.
- The Apache provides some proxy access modes as follows:
  - The Apache provides the reverse proxy function on ports 80 and 443. For details about the
    access paths, see the access paths that use the reverse proxy rule in the table above.
  - The Apache provides the reverse proxy function on port 8080. When the OSS server is in the
    non-SSL communication mode, the access path is http://Server IP address:8080/NE IP
    address. When the OSS server is in the SSL communication mode, the access is unavailable.
  - The Apache provides the forward proxy function on port 8080 to forward HTTP requests from
    OSS clients to NEs.
Table 27-20 shows the names and functions of the tables in the bmsdb database.
Name Function
Table 27-21 lists the names and functions of the tables in the cmedb database.
Table with the t_c_ prefix | Stores NE data in the current data area.
Table with the t_p_ prefix | Stores NE data in the planned data area.
Table with the t_ prefix | Support table of the tool type, which stores NE data.
Table 27-22 lists the names and functions of the tables in the cmedb1 database.
Table with the t_c_ prefix | Stores NE data in the current data area.
Table with the t_p_ prefix | Stores NE data in the planned data area.
Table with the t_ prefix | Support table of the tool type, which stores NE data.
Table 27-23 lists the names and functions of the tables in the cmedb2 database.
Table with the t_c_ prefix | Stores NE data in the current data area.
Table with the t_p_ prefix | Stores NE data in the planned data area.
Table with the t_ prefix | Support table of the tool type, which stores NE data.
Table 27-24 lists the name and function of each table in the eamdb database.
Table 27-24 Name and function of each table in the eamdb database
Table Name Function
Table 27-25 Tables of the farsdb database and the corresponding functions
Table Name Function
Message type name_task ID | Task data table created dynamically, which records the signaling data of the message type corresponding to a task
Table 27-26 Tables of the fmdb database and the corresponding functions
Table Name Function
NOTE
The system automatically divides the tbl_alm_log and tbl_event_log tables according to the size of
alarms and events. For example, the fmdb database may contain multiple alarm log tables such as
tbl_alm_log_1 and tbl_alm_log_2.
The itfndb database is optional. It requires a disk space of at least 200 MB. Table 27-27 lists
the name and function of each table.
Table 27-27 Tables of the itfndb database and the corresponding functions
Table 27-28 lists the names and functions of the tables in the logdb database.
Table 27-28 Names and functions of the tables in the logdb database
In the ATAE cluster system, the omcdb database is deployed along with the CMGroup service
group. The omcdb database is deployed on the database node.
Table 27-29 lists the names and functions of the tables in the omcdb database.
Tables with moi_ as the prefix | Records the information about MO examples.
Tables with nbmmlNe_ as the prefix | Records the information about the format of messages transferred between the NEs.
Tables with sm_ as the prefix | Records the information about service data.
Processes with sm_ as the prefix | Records the processes of service AMG data.
Tables with ums_ as the prefix | Record the information about error codes.
Tables with ne_ as the prefix | Records the information about NE models.
Tables with omc_ as the prefix | Records the data about network management.
Tables with rel_ as the prefix | Records the associations between MOs.
tbl_OmcSslOption | Records the SSL connection policy of the U2000 for NEs.
Counter tables
Compared with the data in other types of tables, the data in these tables is stable. Table 27-30
lists the name and function of each table.
Table 27-30 Counter information tables in the pmcomdb database and the corresponding
functions
Table Name Function
Template Tables
Template tables contain several tables that record measurement information. Table 27-31 lists
the name and function of each table.
Table 27-31 Template information tables in the pmcomdb database and the corresponding
functions
Table Name Function
Table 27-32 Function subsets and period tables in the pmcomdb database and their functions
Table Name Function
Other Table
Table 27-33 Function subsets and period tables in the pmcomdb database and their functions
Table Name Function
database is suspended and it cannot process any performance data from the NEs. Change the
number of saving days when the remaining space of the pmdb database is insufficient.
To calculate the number of days for which the data can be stored, perform the following steps:
1. Observe the usage of the pmdb database when the U2000 has run for half a month.
2. Calculate the space of the pmdb database used per day.
3. Calculate the number of days that the pmdb database lasts.
- Template Tables
- Function Subsets and Period Tables
Template Tables
Template tables record measurement information. Table 27-34 lists the name and function of
the table.
Table 27-34 Template tables in the pmdb database and their functions
Table 27-35 Function subset tables and period tables in the pmdb database and the
corresponding functions
Table 27-36 lists the names and functions of the tables in the smdb database.
Table 27-36 Tables of the smdb database and the corresponding functions
Table Name Function
The size of the sumdb database equals one third of the size of the pmdb database. That is,
at least 4,500 MB database space is required.
Table 27-37 Name and function of each object type information table in the sumdb database
t_PmObjType | Records the relation between the PRS object type and the performance object type.
Table 27-38 Name and function of each system setting information table in the sumdb
database
Table 27-39 Name and function of each report information table in the sumdb database
t_TemplateObjInfo | Records the basic information about the templates and the objects.
In Table 27-40, fssName, ObjLevel, and XXX in the tables whose names begin with d_ can be
configured in the configuration file.
Table 27-40 Name and function of each performance result table in the sumdb database
Table 27-41 Tables of the swmdb database and the corresponding functions
Table Name Function
Table 27-42 Names and functions of the tables in the topodb database
Table Name Function
TSTempLoc | Records the temporary table that stores the longitude and latitude coordinates of the e-map.
TSTempPos | Records the temporary table that stores the x-axis and y-axis coordinates of common physical topology.
Table 27-43 Tables of the topodb database and the corresponding functions
Table Name Function
topo.db | Stores topology view data, including borders, lines, and extension information.
REMOTENOTICEUSERMAP | Relationship table for remote notification users and user groups
Table 27-46 lists the names and functions of tables in the OMSSM database.