eSight V300R009C00 Operation Guide 10

Connecting the Agile Controller-Campus to eSight Through HTTPS in the CloudVPN Scenario

Principles

Before installation and commissioning engineers commission the interconnection between eSight and the Agile Controller-Campus, they must understand the interconnection principles.

The interconnection works as follows:

  1. After the connection between eSight and the Agile Controller-Campus is configured, eSight actively synchronizes vFW device information from the Agile Controller-Campus and creates NEs over SNMP, using the synchronized device IP addresses and the SNMP parameters in the SNMP configuration file on eSight.
  2. After devices are added to or removed from the Agile Controller-Campus, the Agile Controller-Campus automatically synchronizes the device changes to eSight, and the corresponding NEs are created on or deleted from eSight. When SNMP parameters are modified on devices, you need to modify the parameters on eSight manually.

Importing Certificates and Private Keys

When eSight is connected to the Agile Controller-Campus, you need to import the Agile Controller-Campus certificate to eSight and import the eSight certificate to the Agile Controller-Campus, implementing bidirectional authentication.

Prerequisites

You have obtained the IP address, port number, northbound user name, password, and certificate used to log in to the Agile Controller-Campus if eSight needs to connect to the Agile Controller-Campus.

Procedure

  1. Export the trust certificate of the Agile Controller-Campus.

    For details, see the CloudVPN@AC-Campus Product Documentation.

  2. Perform the following operations on the eSight node to import the trust certificate file of the Agile Controller-Campus. (In a two-node system, the certificate needs to be imported on both the active and standby nodes.)

    • In the Linux environment, log in to the eSight server as the root user and perform the following operations:
      NOTE:

      After the operating system security hardening is complete, perform the following operations:

      1. Log in to the eSight server as the ossuser user.
      2. Run the following command to switch to the root user:

        su - root

        When the following information is displayed, enter the password of the root user and press Enter.

        Password:
      1. Copy the certificate file trusted by the Agile Controller-Campus to the /opt/eSight/AppBase/etc/cloudvpn/certificate directory and run the following commands to import the certificate to the eSight certificate store:

        cd /opt/eSight/AppBase/etc/cloudvpn/certificate

        /opt/eSight/AppBase/jre/bin/keytool -keystore trust.jks -import -file server.crt -alias ac

        In the commands, server.crt is the name of the certificate trusted by the Agile Controller-Campus and ac is the alias of the imported certificate in the eSight certificate store.

      2. Enter the certificate store password as prompted, then enter y at the confirmation prompt.
        Enter Password:
        NOTE:

        The default password of the certificate store is Changeme_123.

      3. Change the owner.

        cd /opt/eSight/AppBase/etc/cloudvpn/certificate/

        chown ossuser:ossgroup trust.jks

        chmod 640 trust.jks

    • In the Windows environment, log in to the eSight server as a system administrator.
      1. Copy the certificate file trusted by the Agile Controller-Campus to the eSight installation directory eSight\AppBase\etc\cloudvpn\certificate and run the following command to import the certificate to the eSight certificate store:

        keytool -keystore trust.jks -import -file server.crt -alias ac

        In the command, server.crt is the name of the certificate trusted by the Agile Controller-Campus and ac is the alias of the imported certificate in the certificate store.

      2. Enter the certificate store password as prompted, then enter y at the confirmation prompt.
        Enter Password:
        NOTE:

        The default password of the certificate store is Changeme_123.

  3. Perform the following operations on the eSight node to generate the eSight certificate in the certificate directory. (Perform this operation on both the active and standby nodes.)

    • In the Linux environment, log in to the eSight node as the root user and perform the following operations:
      NOTE:

      After the operating system security hardening is complete, perform the following operations:

      1. Log in to the eSight server as the ossuser user.
      2. Run the following command to switch to the root user:

        su - root

        When the following information is displayed, enter the password of the root user and press Enter.

        Password:
      1. Run the following command to generate a certificate in the CloudVPN certificate directory:

        /opt/eSight/mttools/tools/jks2pfx/openssl pkcs12 -export -clcerts -in /opt/eSight/AppBase/etc/certificate/application/ca/ca.crt -inkey /opt/eSight/AppBase/etc/certificate/application/ca/private/ca.key -out /opt/eSight/AppBase/etc/cloudvpn/certificate/client.p12

        In the command, /opt/eSight/ is the default eSight installation directory. Change it based on the site requirements.

      2. Enter the certificate store password (the pass phrase of ca.key) as prompted, then set and confirm the export password for the generated client.p12 file.
        Enter pass phrase for /opt/eSight/AppBase/etc/certificate/application/ca/private/ca.key:
        Enter Export Password:
        Verifying - Enter Export Password:
        NOTE:

        The default password of the certificate store is Changeme_123.

      3. Change the file owner.

        cd /opt/eSight/AppBase/etc/cloudvpn/certificate/

        chown ossuser:ossgroup client.p12

        chmod 640 client.p12

    • In the Windows environment, log in to the eSight server as a system administrator.
      1. Run the following command to generate a certificate in the CloudVPN certificate directory:

        D:\eSight\mttools\tools\jks2pfx\openssl pkcs12 -export -clcerts -in D:\eSight\AppBase\etc\certificate\application\ca\ca.crt -inkey D:\eSight\AppBase\etc\certificate\application\ca\private\ca.key -out D:\eSight\AppBase\etc\cloudvpn\certificate\client.p12

        In the command, D:\eSight\ is the default eSight installation directory. Change it based on the site requirements.

      2. Enter the certificate store password (the pass phrase of ca.key) as prompted, then set and confirm the export password for the generated client.p12 file.
        Enter pass phrase for D:\eSight\AppBase\etc\certificate\application\ca\private\ca.key:
        Enter Export Password:
        Verifying - Enter Export Password:
        NOTE:

        The default password of the certificate store is Changeme_123.

  4. Import the eSight certificate to the Agile Controller-Campus.

    • Certificate directory in the Linux environment

      /opt/eSight/AppBase/etc/certificate/application/ca/ca.crt

      In the directory, /opt/eSight/ is the default eSight installation directory. Obtain the certificate from the actual directory.

    • Certificate directory in the Windows environment

      D:\eSight\AppBase\etc\certificate\application\ca\ca.crt

      In the directory, D:\eSight\ is the default eSight installation directory. Obtain the certificate from the actual directory.

    For details, see the CloudVPN@AC-Campus Product Documentation.
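A post-check for the files created in the Linux steps above, added here as an example (it is not eSight's or Huawei's code): it verifies that trust.jks and client.p12 carry the owner and mode the procedure sets and that the alias ac is present in trust.jks. It assumes the default /opt/eSight paths, the keytool path and the ossuser:ossgroup owner from the procedure; the TRUST_STORE_PWD environment variable is this example's own assumption.

```python
import grp
import os
import pwd
import stat
import subprocess

INSTALL_DIR = "/opt/eSight"  # default installation directory; change per site
CERT_DIR = f"{INSTALL_DIR}/AppBase/etc/cloudvpn/certificate"
KEYTOOL = f"{INSTALL_DIR}/AppBase/jre/bin/keytool"


def _name(lookup, ident):
    """uid/gid to name; falls back to the number when no passwd/group entry exists."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def check_private_file(path, owner="ossuser", group="ossgroup", mode=0o640):
    """Return findings (empty list = OK) for a key-bearing file.

    client.p12 is exported from ca.key, so it holds the eSight CA private key;
    anything looser than 640 ossuser:ossgroup is reported. Pass None to skip
    the owner or group comparison.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (import/export step not run on this node?)"]
    findings = []
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    uid_name = _name(pwd.getpwuid, st.st_uid)
    if owner is not None and uid_name != owner:
        findings.append(f"{path}: owner {uid_name}, expected {owner}")
    gid_name = _name(grp.getgrgid, st.st_gid)
    if group is not None and gid_name != group:
        findings.append(f"{path}: group {gid_name}, expected {group}")
    return findings


def trust_store_has_alias(keystore, alias, storepass):
    """True when `keytool -list` finds the alias; keytool exits non-zero otherwise."""
    cmd = [KEYTOOL, "-list", "-keystore", keystore, "-storepass", storepass, "-alias", alias]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


if __name__ == "__main__":
    problems = check_private_file(f"{CERT_DIR}/trust.jks")
    problems += check_private_file(f"{CERT_DIR}/client.p12")
    # TRUST_STORE_PWD is assumed by this example; Changeme_123 is the documented default.
    pwd_value = os.environ.get("TRUST_STORE_PWD", "Changeme_123")
    if not trust_store_has_alias(f"{CERT_DIR}/trust.jks", "ac", pwd_value):
        problems.append("alias 'ac' not found in trust.jks")
    print("\n".join(problems) or "certificate files OK on this node")
```

Run it on both the active and standby node, since the procedure requires the import and export on each.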

Setting Parameters for Connecting eSight and the Agile Controller-Campus

By modifying the configuration file when installing eSight or after installing eSight, you can enable or disable the function of connecting eSight to the Agile Controller-Campus.

Prerequisites

You have obtained the IP address, port number, northbound user name, and password used to log in to the Agile Controller-Campus if eSight needs to connect to the Agile Controller-Campus.

Context

If you set the interconnection parameters when installing eSight, eSight can connect to the Agile Controller-Campus.

Procedure

  1. Log in to the eSight server. In the Windows environment, log in as a system administrator. In the Linux environment, log in as the ossuser user.
  2. Modify the settings for connecting eSight to the Agile Controller-Campus. (In a two-node cluster, you need to modify the configuration file on both the active and standby nodes.)

    1. Open the config.properties file.
      • In the Linux environment, run the following command and press i to enter the editing mode:

        vi /opt/eSight/AppBase/etc/cloudvpn/config.properties

      • In the Windows environment, open the config.properties file in eSight/AppBase/etc/cloudvpn/ using the text editor.
    2. Change the values of AC-B_IP, AC-B_Port, AC-B_Username, and AC-B_Password.
      AC-B_IP=Northbound IP address of the Agile Controller-Campus
      AC-B_Port=Northbound port number of the Agile Controller-Campus
      AC-B_Username=Northbound user name used to log in to the Agile Controller-Campus
      AC-B_Password=Encrypted northbound user password used to log in to the Agile Controller-Campus
      NOTE:

      Set the value of AC-B_Password to the encrypted password. For details about how to encrypt the password for logging in to the Agile Controller-Campus, see How Is an Encrypted Password Generated by Using the Encryption Tool?.

      • Set the preceding parameters to enable the connection between eSight and the Agile Controller-Campus.
      • If eSight is not connected to the Agile Controller-Campus, leave the preceding parameters empty.
    3. Change the values of KeyStorePwd and TrustStorePwd if the passwords of the private key file and certificate store are changed.
      KeyStorePwd=private key file password
      TrustStorePwd=certificate store password
      NOTE:

      The KeyStorePwd and TrustStorePwd parameters have been set to the default password Changeme_123.

    4. In Windows, exit and save the file. In Linux, press Esc to exit the editing mode and run the :wq command to save and exit the file.

  3. (Optional) If you do not want to use eSight to manage devices on the Agile Controller-Campus, remove the synchronized devices from eSight according to How Do I Delete Devices Synchronized from the Agile Controller-Campus to eSight.
  4. Restart eSight to make the configuration take effect.

Modifying SNMP Parameters

Before connecting eSight to the Agile Controller-Campus, you need to obtain the device SNMP parameters (only the SNMPv3 version is supported) and write these parameters to the eSight configuration file. After SNMP parameters are modified, you need to restart the two-node cluster system to make the configuration take effect. After the modification, eSight will create NEs based on the new SNMP parameters.

Context

Table 12-8 describes the SNMP parameters. The SNMP parameters listed in Table 12-8 will be automatically synchronized to devices managed by the Agile Controller-Campus after the eSight two-node cluster is restarted.

Table 12-8 SNMP parameter description (all parameters listed can be modified)

Port
    SNMP port number. Port 161 is used by default.

Timeout
    SNMP protocol timeout interval, in milliseconds. The value ranges from 1s to 10s, and the default value is 3000 ms.

Retry
    Number of SNMP retry attempts. The default value is 3.

SecurityName
    Security user name used to add devices managed by the Agile Controller-Campus to eSight.

AuthenticationMode
    Protocol used for message authentication. HMAC_MD5 and HMAC_SHA are supported. The default value is HMAC_SHA. If the parameter is not specified, None is used.
    The SHA protocol is recommended for its higher security than MD5.

AuthenticationPwd
    You need to set the authentication password if the value of AuthenticationMode is set to HMAC_SHA or HMAC_MD5.
    This password is used by eSight to access devices.
    Set it to the encrypted password generated using the encryption tool.

PrivacyMode
    Encryption protocol used for data encapsulation. The following two protocols are supported:
      • CBC_DES: a data encryption standard using an international encryption algorithm and with the key length of 56 characters
      • AES_128: an advanced encryption standard with the key length of 128 characters
    The AES_128 protocol is recommended for its higher security than CBC_DES. The default value is AES_128. If the parameter is not specified, None is used.

PrivacyPwd
    You need to set the data encryption password if the value of PrivacyMode is set to AES_128 or CBC_DES.
    This password is used by eSight to access devices.
    Set it to the encrypted password generated using the encryption tool. It is recommended that the password be different from the authentication password.

NOTE:

To change the authentication and data encryption passwords, see step 2 in Procedure. Otherwise, skip that step. To ensure system security, it is recommended that you change the passwords periodically. The recommended period is 90 days.

Procedure

  1. Log in to the eSight server. In the Windows environment, log in as a system administrator. In the Linux environment, log in as the ossuser user.
  2. Obtain the encrypted password according to How Is an Encrypted Password Generated by Using the Encryption Tool?.
  3. Modify the SNMP parameters on the eSight server. (In a two-node cluster system, you need to modify the configuration file on both the active and standby servers.)

    1. Open the acbsnmpconf.properties file.
      • In the Linux environment, run the following command and press i to enter the editing mode:

        vi /opt/eSight/AppBase/etc/cloudvpn/acbsnmpconf.properties

      • In the Windows environment, open the acbsnmpconf.properties file in eSight/AppBase/etc/cloudvpn/ using the text editor.
    2. Modify the SNMP parameters according to Table 12-8.
    3. In Windows, exit and save the file. In Linux, press Esc to exit the editing mode and run the :wq command to save and exit the file.

  4. Restart eSight to make the configuration take effect.
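A pre-restart sanity check for the two property files edited in this procedure and in Setting Parameters for Connecting eSight and the Agile Controller-Campus, added here as an example (it is not eSight's or Huawei's code). The config.properties key names come from that procedure; it assumes the acbsnmpconf.properties keys are the parameter names in Table 12-8, and the sample file content is constructed.

```python
DEFAULT_STORE_PWD = "Changeme_123"  # documented default for KeyStorePwd and TrustStorePwd
AC_KEYS = ("AC-B_IP", "AC-B_Port", "AC-B_Username", "AC-B_Password")
MODES = {  # Table 12-8: allowed values, recommended value, matching password key
    "AuthenticationMode": (("HMAC_SHA", "HMAC_MD5"), "HMAC_SHA", "AuthenticationPwd"),
    "PrivacyMode": (("AES_128", "CBC_DES"), "AES_128", "PrivacyPwd"),
}
# Constructed sample of acbsnmpconf.properties (not a site file): MD5 is chosen and the
# same ciphertext is reused for both passwords, two things the table advises against.
SAMPLE_SNMP = """Port=161
Timeout=3000
AuthenticationMode=HMAC_MD5
AuthenticationPwd=<encrypted-pwd-1>
PrivacyMode=AES_128
PrivacyPwd=<encrypted-pwd-1>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value), # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_ac_config(props):
    """Findings for config.properties: AC-B_* consistency, port range, store passwords."""
    findings = []
    values = [props.get(k, "") for k in AC_KEYS]
    if any(values) and not all(values):
        findings.append("AC-B_* must be all set (connected) or all empty (not connected)")
    port = props.get("AC-B_Port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("AC-B_Port must be 1-65535")
    for key in ("KeyStorePwd", "TrustStorePwd"):  # absent key means the default is in use
        if props.get(key, DEFAULT_STORE_PWD) == DEFAULT_STORE_PWD:
            findings.append(f"{key} is still the documented default; change it")
    return findings


def check_snmp_config(props):
    """Findings for acbsnmpconf.properties against Table 12-8."""
    findings = []
    timeout = props.get("Timeout", "3000")
    if not (timeout.isdigit() and 1000 <= int(timeout) <= 10000):
        findings.append("Timeout must be 1000-10000 ms")
    for key, (allowed, best, pwd_key) in MODES.items():
        mode = props.get(key, "")
        if mode not in allowed:
            findings.append(f"{key} unset or unknown: None is used, SNMPv3 is weakened")
        elif mode != best:
            findings.append(f"{key}={mode}: {best} is recommended")
        if mode in allowed and not props.get(pwd_key):
            findings.append(f"{pwd_key} is required when {key} is set")
    if props.get("PrivacyPwd") and props["PrivacyPwd"] == props.get("AuthenticationPwd"):
        findings.append("PrivacyPwd should differ from AuthenticationPwd")
    return findings
```

Run both checks on the active and standby node before the restart, since each node keeps its own copy of the files.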

Changing the Supported Device Types

If the device types that are managed by the Agile Controller-Campus and can be added to eSight are changed, change the supported device types on eSight accordingly.

Context

Table 12-9 describes the supported device types.

Table 12-9 Supported device types

Device: AC-B_DeviceType4vFW
Device Type: Eudemon1000E-V1, Eudemon1000E-V2, Eudemon1000E-V4, Eudemon1000E-V8

Procedure

  1. Log in to the eSight server. In the Windows environment, log in as a system administrator. In the Linux environment, log in as the ossuser user.
  2. Modify the supported device types. (In a two-node cluster system, you need to modify the configuration file on both the active and standby servers.)

    1. Open the config.properties file.
      • In the Linux environment, run the following command and press i to enter the editing mode:

        vi /opt/eSight/AppBase/etc/cloudvpn/config.properties

      • In the Windows environment, open the file using the text editor.
    2. Set the value of AC-B_DeviceType4vFW to the supported device types.
      AC-B_DeviceType4vFW=Eudemon1000E-V1,Eudemon1000E-V2,Eudemon1000E-V4,Eudemon1000E-V8
    3. In Windows, exit and save the file. In Linux, press Esc to exit the editing mode and run the :wq command to save and exit the file.

  3. Restart eSight to make the configuration take effect.

Modifying the Period for Synchronizing the vFW Information

This section describes how to modify the period for eSight to proactively synchronize the vFW information from the Agile Controller-Campus.

Context

By manually modifying the configuration file, you can modify the period for eSight to proactively synchronize the vFW information from the Agile Controller-Campus. The default synchronization period is 24 hours.

Procedure

  1. Log in to the eSight server. In the Windows environment, log in as a system administrator. In the Linux environment, log in as the ossuser user.
  2. Modify the synchronization period. (In a two-node cluster system, you need to modify the configuration file on both the active and standby nodes.)

    1. Open the interval.properties file.
      • In the Linux environment, run the following command and press i to enter the editing mode:

        vi /opt/eSight/AppBase/etc/cloudvpn/interval.properties

      • In the Windows environment, open the file using the text editor.
    2. Change the value of sync_interval to the new synchronization period. The unit is minute.
      sync_interval = 30
    3. In Windows, exit and save the file. In Linux, press Esc to exit the editing mode and run the :wq command to save and exit the file.

  3. Verify that the configuration takes effect on eSight five minutes later.

FAQs

This section describes frequently asked questions (FAQs) you may encounter during the commissioning process.

What Can I Do If eSight Fails to Communicate with vFWs on the Agile Controller-Campus?

Symptom

After eSight is connected to the Agile Controller-Campus, the SNMP parameters are modified on devices. Consequently, eSight fails to communicate with devices managed by the Agile Controller-Campus.

Probable Causes

After eSight is connected to the Agile Controller-Campus, SNMP parameters on the device are provided by eSight. After the SNMP parameters of devices are modified, eSight will not automatically check whether the SNMP parameters are correct. Therefore, eSight fails to communicate with devices managed by the Agile Controller-Campus.

Solution

Modify the SNMP parameters according to Modifying SNMP Parameters.

How Is an Encrypted Password Generated by Using the Encryption Tool?

Question

How is an encrypted password generated on the eSight server by using the encryption tool?

Answer

  1. Log in to the eSight server. In the Windows environment, log in as a system administrator. In the Linux environment, log in as the ossuser user.
  2. Obtain the ciphertext of the new password.

    1. Start the encryption tool.
      • In the Linux environment, run the following commands on the eSight server:

        cd /opt/eSight/AppBase/tools/bmetool/encrypt

        ./encrypt.sh 0

      • In the Windows environment, open a CMD window, switch to the disk partition where the eSight installation directory is located (such as drive D), and run the following commands:

        cd eSight\AppBase\tools\bmetool\encrypt

        encrypt.bat 0

    2. When the following prompt is displayed, enter the new password and press Enter:
      New Password:
    3. When the following prompt is displayed, enter the new password again and press Enter:
      Reenter New Password:

      The system displays the encrypted password. Record the password.

How Do I Delete Devices Synchronized from the Agile Controller-Campus to eSight?

Question

After being synchronized from the Agile Controller-Campus to eSight, devices of the Agile Controller-Campus do not need to be managed by eSight. How can I delete these synchronized devices?

Answer

  1. Log in to eSight as the admin user.
  2. Choose Resource > Network > Equipment > Network Device.
  3. On the Network Device page, select the devices managed by the Agile Controller-Campus and choose More > Delete.

Updated: 2019-09-07

Document ID: EDOC1100011877
