eSight V300R010C00SPC200, 300, and 500 Operation Guide 09

Setting Protocol Parameters for Unified Communications Devices

Setting Protocol Parameters for IADs

Set protocol parameters on IADs so that the IADs can properly connect to the eSight.

Context

  • By default, the IADs (IAD101, IAD102, IAD104, IAD132, IAD196, IAD208 and IAD1224) support Telnet. IAD104, IAD132, IAD196 and IAD1224 support SSH.

    Exercise caution when using Telnet because it may bring security risks.

  • By default, the eSight domain name ucems.huawei.com is configured on IADs.
  • If a DNS server exists on the network, configure the mapping between the eSight domain name and the IP address on the DNS server.
  • If no DNS server is available on the network and IADs are added in the automatic discovery mode, configure the IP address of the eSight by referring to Procedure.
  • By default, all IADs support SNMPv2c for reporting alarms.

    Exercise caution when using SNMPv2c because it may bring security risks.

    An SNMPv2c user is configured by default for each IAD before delivery.

  • IAD1224 supports SNMPv3 from V300R001C07SPC200, and IAD104, IAD132 and IAD196 support SNMPv3 from V300R002C01.
    NOTE:

    If an IAD supports SNMPv3, use SNMPv3 because it provides higher security.

    An SNMPv3 user is configured by default for IAD104, IAD132, IAD196 and IAD1224 before delivery. You can add IADs using this SNMPv3 user, or configure the user as described in Procedure before adding IADs. The default parameter settings are:

    • Security Name: SNMPV3
    • Authentication Mode: SHA
    • Encryption Type: CBC_DES

      Exercise caution when using CBC_DES because it may bring security risks.

Procedure

NOTE:
  • You do not need to configure the eSight IP address on the IAD if an IAD is not added in automatic discovery mode.
  • To automatically discover IADs, you need to configure the eSight address in the IADs.
  1. Use the remote tool to log in to the IAD using SSH or Telnet.

    Exercise caution when using Telnet because it may bring security risks. You are advised to use SSH. The SSH protocol with an earlier version has security risks. You are advised to use the SSH protocol of the latest version.

    NOTE:
    • You are advised to use the latest SSH. In the global IAD configuration mode, run the terminal ssh_user command to modify the user name and password of SSH.
    • For more login modes, see the IAD Product Documentation.

  2. Enter the global configuration mode for the IAD.

    ==You need to enter the information in bold.=========================================
    User name:root 
    User password: admin or huawei123
    TERMINAL>  
    TERMINAL>enable 
    TERMINAL#configure terminal 
    TERMINAL(config)# 
    ============================================================

  3. Set the eSight IP address on the IAD.

    If you enable NAT traversal, you should take the translated IP address as the IP address of eSight.

    • eSight is a single-node cluster system or a local two-node cluster system.
      NOTE:

      The eSight local two-node cluster provides only one IP address externally. Therefore, you only need to specify a value for primary.

      For example, if the IP address of the eSight server is 192.168.3.240, run the following command:

      nms primary 192.168.3.240

    • eSight is a two-node cluster system.

      For example, if the IP address of the primary eSight server is 192.168.3.240, and the IP address of the standby eSight server is 192.168.3.241, run the following command:

      nms primary 192.168.3.240 secondary 192.168.3.241

  4. Set communication parameters between IADs and the eSight.

    • If the default SNMPv2c protocol is used for communication:

      nms getcom <Read community> setcom <Write community> trapcom <Trap community> trapport <Listening port number>

      • Read community: Public@123
      • Write community: Private@123
      • Trap community: Public@123
      • Listening port: 10162 for the Linux operating system and 162 (default value) for the Windows operating system.
    • If IAD104, IAD132, IAD196, and IAD1224 use SNMPv3 for communication:
      NOTE:

      If an IAD supports SNMPv3, use SNMPv3 because it provides higher security. To set the SNMPv3 protocol, run the nms snmp v3 command.

      snmpv3-agent group <groupname> privacy

      Here, privacy means authentication and encryption.

      snmpv3-agent usm-user <username> <groupname> authentication-mode sha <Authentication password> privacy-mode des56 <Encryption password>

      • Authentication Mode: SHA
      • Authentication Password: Huawei@123
      • Encryption Type: CBC_DES

        Exercise caution when using CBC_DES because it may bring security risks.

      • Encryption Password: Huawei@123
      • When alarms are reported to eSight installed on the Linux operating system through the SNMP protocol, the trap port of the IAD must be set to 10162.

        nms trapport 10162

      • When eSight is installed on Windows, you are advised to use the default value 162.

  5. Set the handshake parameters.

    nms handshake switch on interval 30

    By default, the IAD sends a handshake message to the eSight at an interval of 30 seconds to ensure that IAD information is the latest on the eSight.

  6. View the state of the IAD registered on the eSight.

    display nms

    the config is IP 
    ---------------------------------------------------------------- 
      type                            IP address      status 
      primary                         192.168.3.240   normal 
      secondary                       <unconfig>      unconfiged 
    ---------------------------------------------------------------- 
     
    get community   : public 
    set community   : private 
    trap community  : public 
    trap port       : 10162 
    nms access value: Enable 
    register nms ip : 192.168.3.240 
    register state  : succeed 
    handshake       : on 
    handshake time  : 30 S 
    register switch : on 
    snmp version    : v3

  7. Configure the FTPS service of IADs.

    By default, the following versions of IADs use the FTPS service:

    • IAD101, IAD102, and IAD208: No version supports the FTPS service
    • IAD104: V300R002C01 or later
    • IAD132: V300R002C01 or later
    • IAD196: V300R002C01 or later
    • IAD1224: V300R001C07SPC200, IAD1224 V300R002C01, or later

    If an IAD does not support the FTPS service, enable the FTP service for the IAD.

    Exercise caution when using FTP because it may bring security risks.

    Ensure that the configured port number does not conflict with any existing port number used in the system; otherwise, the service may malfunction.

    To enable the FTP service, perform the following operations:

    Log in to the eSight server as the administrator user, set the parameter <param name="enable"> of <config name="ftp"> in eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml to true, and set the parameter IAD.FTPSorFTP in eSight installation directory/AppBase/etc/uc/config.properties to FTP. Restart the eSight server.

    Modify the FTP service port.

    • Linux operating system: Modify the FTP service port to 31921.
      NOTE:

      If the eSight is a two-node cluster system, you need to perform the following steps on both nodes.

      1. Query the redirection port.

        iptables -t nat -L PREROUTING

      2. Delete the redirection port.

        iptables -t nat -D PREROUTING {rule number}

        {rule number} is the row number of the rule that redirects to port 14001.

      3. Add the FTP service redirection port.

        iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-port 31921

    • Windows OS: Modify the FTP service port to 21.

      Log in to the eSight server as the Administrator user, set the parameter listenerPort in the <config name="ftp"> area of eSight installation directory\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml to 21, and set the parameter UC.FTPS.PORT in eSight installation directory\AppBase\etc\uc\config.properties to 14001. Restart the eSight server.

    To enable the FTPS service, perform the following operations:

    An IAD uses port 21 for the FTPS service. Before enabling the FTPS service for the IAD, disable the FTP service. The two services use the same port. If they are both enabled, the file server cannot work. If network or IT devices are also deployed, they will behave unexpectedly if the FTP service is disabled. In this case, the FTP service is recommended.

    Log in to the eSight server as the administrator, and set <param name="enable"> of <config name="ftp"> in eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml to false.

    1. Obtain the root certificate esightRootCA.pem from the directory eSight installation directory/AppBase/etc/certificate.
    2. Upload the root certificate manually.

      If the esight.keystore.sftp certificate file on the eSight is modified, you need to generate and upload the esightRootCA.pem certificate again.

      Upload the root certificate to the IAD in TFTP or FTP mode.

      NOTE:

      Place the root certificate on the FTP or TFTP server, ensure that communication between the IAD and the FTP or TFTP server is normal and the FTP or TFTP service is enabled.

      For details, see How to Use FTP/TFTP Tool in IAD Product Documentation.

      Log in to the IAD device as the administrator user.

      If the IAD has an old certificate, run the undo ftps_rootcert command to delete it first, and then upload the new root certificate.

      • Upload the FTPS root certificate through the TFTP server.

        load ftps_rootcert tftp <IP address of the TFTP server> <Name of the FTPS root certificate>

      • Upload the FTPS root certificate through the FTP server.

        load ftps_rootcert ftp <IP address of the FTP server> <User name of the FTP server> <Password> <Name of the FTPS root certificate>

        Example: load ftps_rootcert ftp 192.168.1.152 iad huawei esightRootCA.pem

    3. Set the IAD time so that it is consistent with the eSight time.

      time xx:xx:xx xx-xx-xx

    4. Restart the IAD device.
    5. Configure the FTPS service of eSight.

      Log in to the eSight server as an administrator. In the eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/ent_uc_med_node_svc.xml file, set implicitSsl to false, <param name="enable"> of <config name="ftps"> to true, <param name="keystoreFileName"> of <config name="ftps"> to etc/certificate/esight.keystore.ftps, <param name="ssl.protocol"> of <config name="ftps"> to TLSv1,TLSv1.1,TLSv1.2, and <param name="includeCipherSuites"> of <config name="ftps"> to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA.

      • The IAD requires the TLSv1 protocol, which has security risks. Exercise caution when selecting the TLSv1 protocol.
      • The IAD requires the TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA algorithm suites. These two algorithm suites are insecure and have security risks. Exercise caution when selecting them.
    6. Enable the FTPS service.

      Log in to the eSight server as administrator user, and configure the parameter IAD.FTPSorFTP in eSight installation directory/AppBase/etc/uc/config.properties as FTPS. Change jdk.tls.disabledAlgorithms=SSLv3 in the configuration file eSight installation directory/AppBase/jre/lib/security/java.security to #jdk.tls.disabledAlgorithms=SSLv3. Restart the eSight server.

      Exercise caution when using SSLv3 because it may bring security risks.

    7. Modify the FTPS service port.
      • Linux operating system: Modify the FTPS redirection port to 14001.
        NOTE:

        The default FTPS redirection port is 31921.

        If the eSight is a two-node cluster system, you need to perform the following steps on both nodes.

        1. Query the redirection port.

          iptables -t nat -L PREROUTING

        2. Delete the redirection port.

          iptables -t nat -D PREROUTING {rule number}

          {rule number} is the row number of the rule that redirects to port 31921.

        3. Add the FTPS service redirection port.

          iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-port 14001

      • Windows OS: Modify the FTPS service port to 21.

        Log in to the eSight server as the Administrator user, change the value of listenerPort to 21 in eSight installation directory\AppBase\sysagent\etc\sysconf\svcbase\ent_uc_med_node_svc.xml, and restart the eSight server.

  8. (Optional) Configure Network Address Translation (NAT).

    If you enable NAT traversal, the FTPS service becomes unavailable. The Configuration Backup and Restore, SIP User Info Backup and Restore, and Upgrading IADs functions under Software Management become unavailable for IADs.

    If you need the Configuration Backup and Restore, SIP User Info Backup and Restore, and Upgrading IADs functions under Software Management to work for IADs, you can use the FTP service. Exercise caution when using FTP because it may bring security risks.

    • You do not need to perform the following operations if the IP address of the eSight can directly communicate with devices.
    • Perform the following operations if the IP address of the eSight cannot directly communicate with devices.

    The mappings between IP addresses and ports have been configured on the onsite firewall, switch, or router. Ensure that device IP addresses (or translated IP addresses) can communicate with the translated eSight IP address.

    1. Log in to the eSight server as the ossuser user.
    2. Open the config.properties file.

      cd eSight installation directory/AppBase/etc/uc

      vi config.properties

      Add the following statement to the file:

      NATIP=192.168.3.39:10.135.36.198/192.168.3.111:10.137.96.92
      • In 192.168.3.39:10.135.36.198, 192.168.3.39 indicates the original eSight IP address, and 10.135.36.198 indicates the translated IP address.
      • If the eSight is deployed in two-node cluster mode or has multiple network adapters, a mapping must be configured between each original IP address and translated IP address. Use a slash (/) to separate every two mappings.
      NOTE:

      After editing the configuration file, you do not need to restart the eSight server. The system automatically updates every 1 minute. The configuration file automatically takes effect after the update.

  9. (Optional) Set the large capacity management parameter for IADs.

    When the number of managed IADs is larger than 500, you are advised to set the large capacity management parameter to reduce the load of the eSight server and ensure proper running of eSight.

    1. Log in to the eSight server as the ossuser user.
    2. Open the config.properties file.

      cd eSight installation directory/AppBase/etc/uc

      vi config.properties

      Add the following statement to the file:

      iad.big.capacity=true
      NOTE:

      After editing the configuration file, you do not need to restart the eSight server. The system automatically updates every 1 minute. The configuration file automatically takes effect after the update.
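The NATIP format described in the NAT step above can be checked before it is written to config.properties. The following is an added example, not part of the original guide or of eSight: it parses the original:translated pairs, rejects malformed entries, and reports server addresses that have no mapping. The function names and the address 192.168.3.112 are assumptions made for the illustration.

```python
import ipaddress


def parse_natip(line):
    """Parse a NATIP=... line into {original_ip: translated_ip}.

    Raises ValueError for a malformed pair, an invalid IPv4 address,
    or an original address that is mapped more than once.
    """
    key, sep, value = line.strip().partition("=")
    if not sep or key.strip() != "NATIP":
        raise ValueError("not a NATIP entry")
    mappings = {}
    for pair in value.split("/"):          # a slash separates two mappings
        parts = pair.strip().split(":")    # original:translated
        if len(parts) != 2:
            raise ValueError(f"expected original:translated, got {pair!r}")
        # IPv4Address raises a ValueError subclass for a bad address.
        original, translated = (str(ipaddress.IPv4Address(p.strip())) for p in parts)
        if original in mappings:
            raise ValueError(f"{original} is mapped more than once")
        mappings[original] = translated
    return mappings


def unmapped_addresses(line, server_ips):
    """Return the server addresses that have no NATIP mapping.

    The guide requires one mapping per original address when eSight runs
    as a two-node cluster or has several network adapters.
    """
    mappings = parse_natip(line)
    return [ip for ip in server_ips if ip not in mappings]


# NATIP value taken from the guide.
GUIDE_LINE = "NATIP=192.168.3.39:10.135.36.198/192.168.3.111:10.137.96.92"
# Constructed adapter list; 192.168.3.112 is an invented third address.
SERVER_IPS = ["192.168.3.39", "192.168.3.111", "192.168.3.112"]

if __name__ == "__main__":
    print(parse_natip(GUIDE_LINE))
    print("unmapped:", unmapped_addresses(GUIDE_LINE, SERVER_IPS))
```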

Setting Protocol Parameters for IP PBXs

Set protocol parameters on IP PBXs so that the IP PBXs can properly connect to the eSight.

Prerequisites

The user name and password have been configured for IP PBXs.

Context

The protocols used by IP PBXs to connect to the eSight vary depending on IP PBX models. For details, see Table 13-2.

Table 13-2 Description of protocols used by IP PBXs to connect to the eSight

| Device Model | Versions That Support Telnet | Versions That Support Telnet and SSH (SSH Recommended) |
|---|---|---|
| U1910, U1911, U1930, U1960, U1980 and U1981 | - | V100R001C01 or later |
| SoftCo5500, SoftCo5816, and SoftCo9500 | V100R003C01SPC200 or earlier | V100R003C01SPC200 or later |

  • If Telnet is disabled on an IP PBX, the eSight uses the SSH protocol to connect to the IP PBX.
  • If Telnet is enabled on an IP PBX, the eSight can use SSH or Telnet to connect to the IP PBX.

    Exercise caution when using Telnet because it may bring security risks. You are advised to use SSH.

    The SSH protocol with an earlier version has security risks. You are advised to use the SSH protocol of the latest version.

    If multiple types of IP PBXs are available on the network, Telnet is preferred.

  • The U1911, U1960 and U1981 report alarms using Telnet or SNMPv3. Telnet is used by default. The version of the IP PBXs is V100R001C01SPC200 or a later version.

    If you need to use SNMPv3, log in to eSight server as the root user and change the value of ippbx.alarm.type to SNMP in <eSight installation directory>/AppBase/etc/uc/config.properties.

    Restart the eSight after updating the configurations. The procedure is as follows: Run the ./shutdown.sh command in eSight installation directory/bin to stop the eSight, and run the ./startup.sh command to start the eSight.

Procedure

  1. Use the Telnet tool to log in to the IP PBX using SSH.

    Exercise caution when using Telnet because it may bring security risks. You are advised to use SSH.

    The SSH protocol with an earlier version has security risks. You are advised to use the SSH protocol of the latest version.

    NOTE:

    If a model of IP PBXs does not support SSH, use Telnet to log in.

  2. Access the configuration mode on the IP PBX.

    ==You need to enter the information in bold.=========================================
    [.login    .] Login:>admin 
    [.password .] Password:>huawei123
    [.result   .] succeed 
    [%eSpace U1960]>enable 
    [.password .] Password:>huawei123
    [.result   .] succeed 
    [%eSpace U1960(config)]# 
    ============================================================

  3. Enable or disable the Telnet protocol.

    • If an IP PBX can use only the Telnet protocol to communicate with the eSight, run the [%eSpace U1960(config)]#config telnet switch on command to enable the Telnet protocol.
    • If an IP PBX can use both the Telnet protocol and the SSH protocol to communicate with eSight, you are advised to run the [%eSpace U1960(config)]#config telnet switch off command to disable the Telnet protocol to ensure system security.

  4. Query the whitelist of the IP PBX.

    1. Run the following command to check whether the whitelist is enabled:

      show trust loginip switch

    2. If on is displayed, the whitelist is enabled. Run the following command to check whether the whitelist contains the eSight IP address:

      show trust loginip

    3. If the whitelist does not contain the eSight IP address, run the following command to add the eSight IP address segment to the whitelist:

      config add trust loginip startip <eSight start IP address> endip <eSight end IP address>

  5. Set IP PBX parameters.

    • Set the parameters of Telnet or SSH. For details, see Table 13-3.
      Table 13-3 Key parameter description

      | Parameter | Description | Setting |
      |---|---|---|
      | SSH User | User name for logging in to the device through SSH. | Set this parameter based on the site requirements. You can run the config modify sshuser name username password password command on the IP PBX to modify the user name and password. |
      | SSH Password | Password for logging in to the device through SSH. | |
      | Login Name | User name for entering the view mode of the device. | Set this parameter based on the site requirements. You can run the config add cliuser name username loginpassword loginpassword enablepassword enablepassword command on the IP PBX to add a new user. |
      | Login Password | Password for entering the view mode of the device. | Set this parameter based on the site requirements. You can run the config modify loginpassword command on the IP PBX to change the password. |
      | Enable Password | Password for entering the configuration mode of the device. | Set this parameter based on the site requirements. You can run the config modify enablepassword command on the IP PBX to change the password. |

    • If SNMP is used, perform the following steps:
      1. Add the eSight IP address to the whitelist.

        config add snmp manager ip <eSight IP address>

      2. Add SNMP user groups.

        For example, to add a user group V3 whose security mode is privacy, run the following command:

        config add snmp group name V3 securitymode privacy

        Table 13-4 SNMP user group parameter description

        | Parameter | Description | Setting |
        |---|---|---|
        | group name | User group name. | - |
        | securitymode | Security mode. | The options are as follows: noauth (no authentication and no encryption); authentication (authentication without encryption); privacy (authentication with encryption). NOTICE: Security risks exist if this parameter is set to noauth or authentication. You are advised to set this parameter to privacy. |

      3. Add SNMP users.

        For example, to add an SNMP user and the IP address of the eSight server is 10.10.10.10, run the following command:

        config add snmp user name SNMP notifyname SNMPV3 targetip 10.10.10.10 groupname V3 authmode sha authpassword huawei123 privacymode aes privacypassword huawei123

        Table 13-5 SNMP user parameter description

        | Parameter | Description | Setting |
        |---|---|---|
        | user name | User security name. | When adding IP PBX on the eSight, ensure that the security user name is the same as the value of this parameter. |
        | notifyname | Notify name. | The name can be customized. |
        | targetip | Destination IP address. | Set this parameter to the IP address of the eSight server. |
        | groupname | User group name. | Set this parameter to the value of group name that is specified when the SNMP user group is added. |
        | authmode | Authentication mode. This parameter is required only when the value of securitymode is authentication or privacy. | Set this parameter to md5 or sha. NOTICE: Security risks exist if this parameter is set to md5. You are advised to set this parameter to sha. When adding IP PBX on the eSight, ensure that the authentication mode is the same as the value of this parameter. |
        | authpassword | Authentication password. This parameter is required only when the value of securitymode is authentication or privacy. | When adding IP PBX on the eSight, ensure that the authentication password is the same as the value of this parameter. NOTICE: The value of authpassword must be a string of 1 to 32 characters that contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters. In addition, the password must not be a string of repeated sub-strings, for example, ABABABAB, ABCABCABC, and ABCDABCD. |
        | privacymode | Encryption type. This parameter is required only when the value of securitymode is privacy. | Set this parameter to des or aes. NOTICE: Security risks exist if this parameter is set to des. You are advised to set this parameter to aes. When adding IP PBX on the eSight, ensure that the encryption type is the same as the value of this parameter. |
        | privacypassword | Encryption password. This parameter is required only when the value of securitymode is privacy. | When adding IP PBX on the eSight, ensure that the encryption password is the same as the value of this parameter. NOTICE: The value of privacypassword must be a string of 1 to 32 characters that contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters. In addition, the password must not be a string of repeated sub-strings, for example, ABABABAB, ABCABCABC, and ABCDABCD. |

        Run the [%eSpace U1960(config)]#show snmp user information command to check whether the configured SNMP user information is correct.

      4. Enable SNMP.

        [%eSpace U1960(config)]#config snmp switch enable

      5. Configure the eSight IP address segment that can be trusted by IP PBXs.

        [%eSpace U1960(config)]#config add trust server ip address 192.168.3.0/24

        In the command, 192.168.3.0/24 is the IP address segment of the eSight server. Change the IP address segment based on the site requirements.

        Run the [%eSpace U1960(config)]#show trust server information command to check whether the configured SNMP user information is correct.

  6. Configure the FTPS service of IP PBXs.

    By default, IP PBXs use the FTPS service. At the same time, the TFTP service is also enabled on IP PBXs. The eSight automatically checks whether an IP PBX supports the FTPS service.

    • If an IP PBX supports the FTPS service, the FTPS service is used for communication.
    • If an IP PBX does not support the FTPS service, the TFTP service is used for communication.

    The following versions of IP PBXs support the FTPS service:

    • U1910, U1930 and U1980: V100R001C01SPC100B018 or later
    • U1911 and U1960: V100R001C01B012 or later
    • U1981: All versions support the FTPS service
    • SoftCo 5500 and SoftCo 9500: V100R003C01SPC400 or later
    • SoftCo 5816: No version supports the FTPS service

    If an IP PBX does not support the FTPS service, enable the TFTP service for the IP PBX.

    Exercise caution when using TFTP because it may bring security risks.

    Ensure that the configured port number does not conflict with any existing port number used in the system; otherwise, the service may malfunction.

    To enable the TFTP service, perform the following operations:

    Log in to the eSight server as administrator user, and change the parameter <param name="enable"> of <config name="tftpServer"> in eSight installation directory/AppBase/etc/conffile/tftpconfig.xml to true, change the value of ippbx.ftps.enable in the eSight installation directory/AppBase/etc/uc/config.properties configuration file to false. Restart the eSight server.

    Modify the TFTP service port.

    • Linux operating system:
      NOTE:

      If the eSight is a two-node cluster system, you need to perform the following steps on both nodes.

      iptables -t nat -A PREROUTING -p udp --dport 69 -j REDIRECT --to-port 32182

      In this command, 69 is the port number on the device, and 32182 is the mapped port number on eSight, which is the same as <param name="listenerPort">32182</param> in the tftpconfig.xml file in the eSight installation directory/AppBase/etc/conffile directory.

    • Windows operating system: The default port number is 69 on eSight and the device. You do not need to modify the port number.

    To enable the FTPS service, perform the following operations:

    An IP PBX uses port 21 for the FTPS service. Before enabling the FTPS service for the IP PBX, disable the FTP service. The two services use the same port. If they are both enabled, the file server cannot work. If network or IT devices are also deployed, they will behave unexpectedly if the FTP service is disabled. In this case, the TFTP service is recommended.

    Log in to the eSight server as the administrator, and set <param name="enable"> of <config name="ftp"> in eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml to false.

    1. Obtain the root certificate esightRootCA.pem from the directory eSight installation directory/AppBase/etc/certificate.

      If the esight.keystore.sftp certificate file on the eSight is modified, you need to generate and upload the esightRootCA.pem certificate again.

    2. Upload the FTPS root certificate to the IP PBX device.
      1. Log in to LMT, and add the IP PBX device.
      2. Configure the parameter hostip of the IP PBX as the IP address of LMT.

        config system hostip <IP address of LMT>

      3. Configure the TFTP upload path.

        config tftp_ftps path type other name /read/

      4. Open the TFTP server path.

        The path is LMT installation directory\tftp.

      5. Put the FTPS root certificate in the read directory of the TFTP server, and rename it as webrootcert.pem.
      6. Upload the FTPS root certificate to the IP PBX device.

        config download file webrootcrt mode tftp

      7. Save data.

        save

      8. Restart the device.

        reboot

    3. Configure the FTPS service of eSight.

      Log in to the eSight server as the root user and modify the eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml file to set implicitSsl to false, <param name="enable"> of <config name="ftps"> to true, and <param name="ssl.protocol"> of <config name="ftps"> to TLSv1,TLSv1.1,TLSv1.2.

      Exercise caution when using TLSv1 because it may bring security risks.

      The TLSv1 protocol must be used for IP PBX.

    4. Enable the FTPS service.

      Log in to the eSight server as the administrator user, and change the parameter <param name="enable"> of <config name="tftpServer"> in eSight installation directory/AppBase/etc/conffile/tftpconfig.xml to false, change the value of ippbx.ftps.enable in the eSight installation directory/AppBase/etc/uc/config.properties configuration file to true, change jdk.tls.disabledAlgorithms=SSLv3 in the configuration file eSight installation directory/AppBase/jre/lib/security/java.security to #jdk.tls.disabledAlgorithms=SSLv3, and restart the eSight server.

      Exercise caution when using SSLv3 because it may bring security risks.

    5. Modify the FTPS service port.
      • Linux operating system: Modify the FTPS redirection port to 31923.
        NOTE:

        The default FTPS redirection port is 31921.

        If the eSight is a two-node cluster system, you need to perform the following steps on both nodes.

        1. Query the redirection port.

          iptables -t nat -L PREROUTING

        2. Delete the redirection port.

          iptables -t nat -D PREROUTING {rule number}

          {rule number} is the row number of the rule that redirects to port 31921.

        3. Add the FTPS service redirection port.

          iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-port 31923

      • Windows OS: Modify the FTPS service port to 21.

        Log in to the eSight server as the Administrator user, set listenerPort of <config name="ftps"> area in eSight installation directory\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml to 21, and restart the eSight server.

  7. (Optional) If an old-version IP PBX is used, configure its user name and password so that the eSight management functions can work.

    Old versions are SoftCo5500, SoftCo5816, and SoftCo9500 of V100R001 and V100R002.

    1. Obtain the user name and password for logging in to the IP PBX.
      NOTE:

      Obtain the user name and password from onsite engineers.

    2. Log in to the eSight server as the ossuser user.
    3. Open the config.properties file.

      cd eSight installation directory/AppBase/etc/uc/

      vi config.properties

      The following information is displayed:

      ippbx.oldVersion.loginName=User name

      ippbx.oldVersion.password=Encrypted password

      The encrypted password is the value that is obtained by encrypting the user name and password of the IP PBX using the encryption tool. For details about encryption, see "Security Maintenance > Password Change > Changing the eSight System User Password > Changing the Collaborations Passwords" in the Maintenance Guide.

      If the user name and password of the IP PBX are admin14 and Changeme@123 respectively, the encryption command is as follows:

      cd eSight installation directory/AppBase/tools/bmetool/encrypt

      ./encrypt.sh 0

      When the following information is displayed, type admin14Changeme@123 and press Enter:

      please input the password: 
      Please input the password again: 
      NOTE:

      After editing the configuration file, you do not need to restart the eSight server. The system automatically updates every 1 minute. The configuration file automatically takes effect after the update.

  8. (Optional) Configure Network Address Translation (NAT).

    If you enable NAT traversal, the FTPS service becomes unavailable. The Manual Restoration function under Configuration Backup and Restore and the Load patches function under Patch Management become invalid for IP PBXs.

    If you need the Manual Restoration function under Configuration Backup and Restore and the Load patches function under Patch Management to remain valid for IP PBXs, you can use the TFTP service. Exercise caution when using TFTP because it may bring security risks.

    • You do not need to perform the following operations if the IP address of the eSight can directly communicate with devices.
    • Perform the following operations if the IP address of the eSight cannot directly communicate with devices.

    The mappings between IP addresses and ports have been configured on the onsite firewall, switch, or router. Ensure that device IP addresses (or translated IP addresses) can communicate with the translated eSight IP address.

    1. Log in to the eSight server as the root user.
    2. Open the config.properties file.

      cd eSight installation directory/AppBase/etc/uc

      vi config.properties

      Add the following statement to the file:

      NATIP=192.168.3.39:10.135.36.198/192.168.3.111:10.137.96.92

      • In 192.168.3.39:10.135.36.198, 192.168.3.39 indicates the original eSight IP address, and 10.135.36.198 indicates the translated IP address.
      • If the eSight is deployed in two-node cluster mode or has multiple network adapters, a mapping must be configured between each original IP address and translated IP address. Use a slash (/) to separate every two mappings.
      NOTE:

      After editing the configuration file, you do not need to restart the eSight server. The system automatically updates every 1 minute. The configuration file automatically takes effect after the update.
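
The FTPS steps earlier in this procedure widen the accepted protocol versions in two places: the ssl.protocol value in med_node_1_svc.xml and the commented-out jdk.tls.disabledAlgorithms line in java.security. The script below is an added example, not part of the eSight guide or any Huawei tool, that reports both settings for a host; the function names and sample file contents are constructed, and the ssl.protocol value is passed in by hand rather than parsed from the XML file.

```shell
#!/bin/sh
# Added example (not Huawei code). Reports the legacy-protocol settings that
# the FTPS steps leave on an eSight host. Sample file contents are constructed.

# Print the effective value of jdk.tls.disabledAlgorithms from a java.security
# file: comment lines are skipped, backslash continuations are joined, and the
# last uncommented definition wins (java.util.Properties behaviour).
effective_disabled_algs() {
    awk '
    {
        sub(/\r$/, "")
        if (!cont && $0 ~ /^[ \t]*[#!]/) next   # a comment line never continues
        if (cont) { sub(/^[ \t]+/, ""); line = line $0 } else line = $0
        if (line ~ /\\$/) { sub(/\\$/, "", line); cont = 1; next }
        cont = 0
        if (line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
            sub(/^[^=:]*[=:][ \t]*/, "", line); val = line; found = 1
        }
    }
    END { if (found) print val }' "$1"
}

# Exit 0 while SSLv3 is still listed as disabled; exit 1 once the policy no
# longer blocks it, which is the state step 4 on this page produces.
sslv3_blocked() {
    effective_disabled_algs "$1" | awk -F',' '
    { for (i = 1; i <= NF; i++) { a = $i; gsub(/^[ \t]+|[ \t]+$/, "", a); if (a == "SSLv3") hit = 1 } }
    END { exit (hit ? 0 : 1) }'
}

# Print the deprecated entries of a comma-separated ssl.protocol value:
# SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996).
legacy_protocols() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            p = $i; gsub(/^[ \t]+|[ \t]+$/, "", p)
            if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                out = out (out == "" ? "" : " ") p
        }
        print out
    }'
}

# audit_ftps_tls JAVA_SECURITY SSL_PROTOCOL_VALUE
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
audit_ftps_tls() {
    rc=0
    if ! sslv3_blocked "$1"; then
        echo "FINDING: jdk.tls.disabledAlgorithms no longer blocks SSLv3 ($1)"
        rc=1
    fi
    legacy=$(legacy_protocols "$2")
    if [ -n "$legacy" ]; then
        echo "FINDING: ssl.protocol accepts deprecated versions: $legacy"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: java.security as step 4 leaves it.
sample_after_step4() {
    cat > "$1" <<'EOF'
# constructed excerpt of jre/lib/security/java.security
#jdk.tls.disabledAlgorithms=SSLv3
jdk.certpath.disabledAlgorithms=MD2, MD5, \
    RSA keySize < 1024
EOF
}

# Constructed sample: a policy that still blocks the legacy versions.
sample_restricted() {
    cat > "$1" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, \
    RC4, DES
EOF
}

demo_dir=$(mktemp -d)
sample_after_step4 "$demo_dir/java.security"
audit_ftps_tls "$demo_dir/java.security" "TLSv1,TLSv1.1,TLSv1.2" || true
rm -rf "$demo_dir"
```

Run against the real java.security path and the ssl.protocol value of each eSight node to inventory where the legacy versions were enabled for IP PBX support.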

Setting Protocol Parameters for Agent

The Agent server sends alarms to the eSight through the uniform operation and maintenance agent (UOA) server. Therefore, you need to configure UOA server connection information on the Agent server, and add the Agent server's alarm resource package on the UOA server.

Prerequisite

The UOA server has been installed and is running properly.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the eSpace_Agent_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.

      The Agent server and ICS server share a template file. If the template file has been uploaded for one of them, you do not need to upload it again for the other.

      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Set the IP address of the Agent server in the $UOA_Server/cfg/system/adapter.acl file. The configuration results are displayed in bold as follows:

    10.10.10.116
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  5. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the Agent Server

  1. Log in to the Agent server as the elpis user.
  2. Open the /home/elpis/tomcat7/webapps/agentgateway/WEB-INF/config/uoa.properties file using the vi editor and configure the parameters by referring to Table 13-6. The configuration results are displayed in bold as follows:

    ##################################UOA Config ######################## 
    #UOA Alarm Switch: ON or OFF 
    uoa.switch = on 
    #If the path is an absolute path, the log is initialized to the absolute path.  
    #If the path is a relative path, the log is initialized to the current directory\relative path directory. 
    #If the value is null, the log is initialized to the current directory. 
    uoa.uoaLogPath = ${catalina.home}/logs/agentgateway/agentgateway_UOA_oamlib.log 
    #The alarm file is stored in the $ buffer directory/alarm directory. 
    uoa.uoaAlarmBufferPath = ${catalina.home}/logs/uoa 
    uoa.uoaBufferSize = 1000 
    #UOA Server Ip 
    uoa.uoaServerIP = 10.10.10.10 
    #the port added 6 based on AppOMListenPort  
    uoa.uoaServerPort = 6706 
    #UOA binding Local IP address for application side 
    uoa.moduleIP = 10.10.10.116 
    uoa.modulePort = 0 
     
     
    # Module Version 
    uoa.moduleVersion=V200R001 
     
     
    # Element Type for Agent Gateway 
    uoa.netEleType.agentGateway=30521 
    # Element Name for Agent Gateway 
    uoa.netEleName.agentGateway=eSpace Agent Desktop 
    # Element Id for Agent Gateway 
    uoa.netEleId.agentGateway=3052100 
    # Module Type for Agent Gateway 
    uoa.moduleType.agentGateway=3052102 
    # Module Name for Agent Gateway 
    uoa.moduleName.agentGateway=eSpace Agent Gateway

    Table 13-6 Parameter description

    Parameter | Description
    uoa.switch | Indicates whether to enable the UOA alarm function. The value on indicates yes and off indicates no.
    uoa.uoaServerIP/uoa.uoaServerPort | uoa.uoaServerIP indicates the IP address of the server where the UOA is installed. uoa.uoaServerPort indicates the number of the port connected to applications. The value of uoa.uoaServerPort equals 6 plus the port number of the UOA for listening applications.
    uoa.moduleIP | Indicates the IP address of the Agent server.

  3. Restart the Agent service.

Setting Protocol Parameters for ICS

The ICS server sends alarms to the eSight through the uniform operation and maintenance agent (UOA) server. Therefore, you need to configure UOA server connection information on the ICS server, and add the ICS server's alarm resource package on the UOA server.

Prerequisite

The UOA server has been installed and is running properly.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the eSpace_Agent_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.

      The Agent server and ICS server share a template file. If the template file has been uploaded for one of them, you do not need to upload it again for the other.

      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Set the IP address of the ICS server in the $UOA_Server/cfg/system/adapter.acl file. The configuration results are displayed in bold as follows:

    10.10.10.130
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  5. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the ICS Server

  1. Log in to the ICS server as the prometheus user.
  2. Open the /home/prometheus/tomcat7/webapps/icsgateway/WEB-INF/config/uoa.properties file using the vi editor and configure the parameters by referring to Table 13-7. The configuration results are displayed in bold as follows:

    ##################################UOA Config ######################## 
    #UOA Alarm Switch: on or off
    uoa.switch = on 
    #If the path is an absolute path, the log is initialized to the absolute path.  
    #If the path is a relative path, the log is initialized to the current directory\relative path directory. 
    #If the value is null, the log is initialized to the current directory. 
    uoa.uoaLogPath = ${catalina.home}/logs/icsgateway/icsgateway_UOA_oamlib.log 
    #The alarm file is stored in the $ buffer directory/alarm directory. 
    uoa.uoaAlarmBufferPath = ${catalina.home} 
    uoa.uoaBufferSize = 1000 
    #UOA Server Ip 
    uoa.uoaServerIP = 10.10.10.10 
    #the port added 6 based on AppOMListenPort 
    uoa.uoaServerPort = 6706 
    #UOA binding Local IP address for application side 
    uoa.moduleIP = 10.10.10.130 
    uoa.modulePort = 0 
     
     
    # Module Version 
    uoa.moduleVersion=V200R001 
     
     
    # Element Type for ICS Gateway 
    uoa.netEleType.icsGateway=30521 
    # Element Name for ICS Gateway 
    uoa.netEleName.icsGateway=eSpace Agent Desktop 
    # Element Id for ICS Gateway 
    uoa.netEleId.icsGateway=3052100 
    # Module Type for ICS Gateway 
    uoa.moduleType.icsGateway=3052103 
    # Module Name for ICS Gateway 
    uoa.moduleName.icsGateway=eSpace ICS Gateway     

    Table 13-7 Parameter description

    Parameter | Description
    uoa.switch | Indicates whether to enable the UOA alarm function. The value on indicates yes and off indicates no.
    uoa.uoaServerIP/uoa.uoaServerPort | uoa.uoaServerIP indicates the IP address of the server where the UOA is installed. uoa.uoaServerPort indicates the number of the port connected to applications. The value of uoa.uoaServerPort equals 6 plus the port number of the UOA for listening applications.
    uoa.moduleIP | Indicates the IP address of the ICS server.

  3. Restart the ICS service.

Setting Protocol Parameters for DataStation

The DataStation sends alarms to the eSight through the uniform operation and maintenance agent (UOA) server. Therefore, you need to configure UOA server connection information on the DataStation, and add the DataStation's alarm resource package on the UOA server.

Prerequisite

The UOA server has been installed and is running properly.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the datastation_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.
      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Set the IP address of the DataStation server in the $UOA_Server/cfg/system/adapter.acl file. The configuration results are displayed in bold as follows:

    10.10.10.131
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  5. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the DataStation Server

  1. Log in to the DataStation server as the root user.
  2. Change the encoding format of alarmid_map to unix.

    cd {DataStation_home}/bin

    In the preceding command, {DataStation_home} indicates the DataStation installation directory.

    mac2unix alarmid_map

  3. Open the {DataStation_home}/bin/DSParameters.txt file using the vi editor and configure the parameters. The configuration results are displayed in bold as follows:

    uoa_enable = yes 
    send_alarm = yes 
    uoa_server_ip = 10.10.10.10 
    uoa_server_port = 6700 
    uoa_local_ip = 10.10.10.131 
    uoa_local_port = 32675

    Table 13-8 Parameter description

    Parameter | Description
    uoa_enable | Indicates whether to enable the UOA alarm function. The value on indicates yes and off indicates no.
    send_alarm | Indicates whether to send alarms to the UOA. Two options are available: on (enable) and off (disable).
    uoa_server_ip/uoa_server_port | uoa_server_ip indicates the IP address of the server where the UOA is installed. uoa_server_port indicates the number of the port connected to applications. The value of uoa_server_port is the port number of the UOA for listening applications.
    uoa_local_ip/uoa_local_port | uoa_local_ip indicates the IP address of the DataStation server. uoa_local_port indicates the number of an available port on the DataStation server.

    NOTE:

    After the alarm function is enabled, the following alarms take effect by default:

    • FTP disconnection alarm
    • Database disconnection alarm

    To make other alarms take effect, enable them in the {DataStation_home}/bin/DSParameters.txt file and restart the DataStation service.

  4. Restart the DataStation service.

Setting Protocol Parameters for CMS (TestTool mode)

The CMS server sends alarms to the eSight through the UOA server. Therefore, you need to configure UOA server connection information on the CMS server, and add the CMS server's alarm resource package on the UOA server.

Prerequisite

The UOA server is running properly.

Context

The CMS (TestTool mode) consists of the CMS Client, CMS Gateway, and Agent Gateway components. You need to configure the three components separately.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the eSpace_CMS_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.
      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Obtain the eSpace_Agent_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.
      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  5. Set the IP address of the CMS server in the $UOA_Server/cfg/system/adapter.acl file.

    As the CMS Client, CMS Gateway, and Agent Gateway share an external IP address, only one IP address needs to be configured here. The configuration results are displayed in bold as follows:

    10.10.10.118
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  6. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the CMS Server

  1. Log in to the CMS server as the CMS installation user.
  2. Configure the CMS Client to automatically report alarms.

    1. Go to /home/cms/tomcat7/webapps/cmsclient/WEB-INF/classes, open the bme.properties file, and determine whether to enable UOA connection.
      ... 
      uoa.connected.on-off=on 
      ...

      Table 13-9 Parameter description

      Parameter | Description
      uoa.connected.on-off | Indicates whether to enable UOA connection. The options are as follows: on: enable; off: disable.

    2. Access the /home/cms/tomcat7/webapps/cmsclient/WEB-INF/classes directory and configure parameters, such as UOA Server IP, UOA Port, and CMS localIP in the bme.basic.properties file.
      #the address of UOA,cannot be 127.0.0.1,nonsupport asterisk wildcard 
      om.global.agentIP = 10.10.10.10 
      #the port of UOA,default value is 6706,nonsupport asterisk wildcard 
      om.global.agentPort = 6706 
      #local ip address ,cannot be 127.0.0.1,nonsupport asterisk wildcard 
      om.global.localIP = 10.10.10.118 
      #local binding port ,default value is 0 
      om.global.localPort=0 
      #local binding port ,default value is 0 
      om.global.localPort=0 
      #host name 
      om.global.hostName=X00204706 
      #module configuration, the meaning of name is module name, the meaning of index is module priority 
      om.module.name=CMS 
      om.module.index=1 
      #module is need register default is:true 
      om.module.isNeedRegister=true 
      #module type 
      om.module.moduleType=3051201 
      #module version 
      om.module.moduleVer=V200R001 
      #1-single model 2-double machine hot spare 3-double machine hot spare 4-cluster model 
      om.module.workingMode=1 
      #1-primary  2-backup.while workingMode=2 effect 
      om.module.workStatus=1 
      #net element name 
      om.module.netEleName=CMS 
      #attach net element id 
      om.module.netEleID=30512 
      #while WorkingMode=2,fill in double machine fluctuate ip address.while WorkingMode=1,fill in local ip address. 
      om.module.IP = 172.16.5.128

      Table 13-10 Parameter description

      Parameter | Description
      om.global.agentIP/om.global.agentPort | om.global.agentIP indicates the IP address of the server where the UOA is installed. om.global.agentPort indicates the number of the port connected to applications. The value of om.global.agentPort equals 6 plus the port number of the UOA for listening applications.
      om.global.localIP | Indicates the CMS server IP address.
      om.module.IP | For the CMS single-node system, set om.module.IP to the CMS server IP address. For the CMS two-node cluster, set om.module.IP to the floating IP address.

  3. Configure the CMS Gateway to automatically report alarms.

    1. Open the /home/cms/tomcat7/webapps/cmsgateway/WEB-INF/config/uoa.properties file using the vi editor and configure the parameters by referring to Table 13-11. The configuration results are displayed in bold as follows:
      #UOA Alarm Switch: ON or OFF 
      uoa.switch = ON 
      #If the path is an absolute path, the log is initialized to the absolute path.  
      #If the path is a relative path, the log is initialized to the current directory\relative path directory. 
      #If the value is null, the log is initialized to the current directory. 
      uoa.uoaLogPath = ${catalina.home}/logs/cmsgateway/cmsgateway_UOA_oamlib.log 
      #The alarm file is stored in the $ buffer directory/alarm directory. 
      uoa.uoaAlarmBufferPath = ${catalina.home}/logs/uoa 
      uoa.uoaBufferSize = 1000 
      #UOA Server Ip 
      uoa.uoaServerIP = 10.10.10.10 
      #the port added 6 based on AppOMListenPort  
      uoa.uoaServerPort = 6706 
      #UOA binding Local IP address for application side 
      uoa.moduleIP = 10.10.10.118 
      uoa.modulePort = 0 
       
      # Module Version 
      uoa.moduleVersion=V200R001

      Table 13-11 Parameter description

      Parameter | Description
      uoa.uoaServerIP/uoa.uoaServerPort | om.global.agentIP indicates the IP address of the server where the UOA is installed. om.global.agentPort indicates the number of the port connected to applications. The value of om.global.agentPort equals 6 plus the port number of the UOA for listening applications.
      om.module.IP | For the CMS single-node system, set om.module.IP to the CMS server IP address. For the CMS two-node cluster, set om.module.IP to the floating IP address.

  4. Configure the Agent Gateway to automatically report alarms.

    1. Open the /home/elpis/tomcat7/webapps/agentgateway/WEB-INF/config/uoa.properties file using the vi editor and configure the parameters by referring to Table 13-12. The configuration results are displayed in bold as follows:
      #UOA Alarm Switch: ON or OFF 
      uoa.switch = ON 
      #If the path is an absolute path, the log is initialized to the absolute path.  
      #If the path is a relative path, the log is initialized to the current directory\relative path directory. 
      #If the value is null, the log is initialized to the current directory. 
      uoa.uoaLogPath = ${catalina.home}/logs/agentgateway/agentgateway_UOA_oamlib.log 
      #The alarm file is stored in the $ buffer directory/alarm directory. 
      uoa.uoaAlarmBufferPath = ${catalina.home}/logs/uoa 
      uoa.uoaBufferSize = 1000 
      #UOA Server Ip 
      uoa.uoaServerIP = 10.10.10.10 
      #the port added 6 based on AppOMListenPort  
      uoa.uoaServerPort = 6706 
      #UOA binding Local IP address for application side 
      uoa.moduleIP = 10.10.10.118 
      uoa.modulePort = 0 
       
      # Module Version 
      uoa.moduleVersion=V200R001     

      Table 13-12 Parameter description

      Parameter | Description
      uoa.uoaServerIP/uoa.uoaServerPort | om.global.agentIP indicates the IP address of the server where the UOA is installed. om.global.agentPort indicates the number of the port connected to applications. The value of om.global.agentPort equals 6 plus the port number of the UOA for listening applications.
      om.module.IP | For the CMS single-node system, set om.module.IP to the CMS server IP address. For the CMS two-node cluster, set om.module.IP to the floating IP address.

  5. Restart the CMS service.

Setting Protocol Parameters for CMS (RestWebservice mode)

The CMS server sends alarms to the eSight through the UOA server. Therefore, you need to configure UOA server connection information on the CMS server, and add the CMS server's alarm resource package on the UOA server.

Prerequisite

The UOA server is running properly.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the eSpace_CMS_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.
      NOTE:
      • Ensure that the UOA user has the read, write, and execute permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Set the IP address of the CMS server in the $UOA_Server/cfg/system/adapter.acl file. The configuration results are displayed in bold as follows:

    10.10.10.118
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  5. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the CMS Server

  1. Log in to the CMS server as the CMS installation user.
  2. Open the /home/cms/tomcat7/webapps/cmsgateway/WEB-INF/config/uoa.properties file using the vi editor and configure the parameters by referring to Table 13-13. The configuration results are displayed in bold as follows:

    #UOA Alarm Switch: ON or OFF 
    uoa.switch = on 
    #If the path is an absolute path, the log is initialized to the absolute path.  
    #If the path is a relative path, the log is initialized to the current directory\relative path directory. 
    #If the value is null, the log is initialized to the current directory. 
    uoa.uoaLogPath = ${catalina.home}/logs/cmsgateway/cmsgateway_UOA_oamlib.log 
    #The alarm file is stored in the $ buffer directory/alarm directory. 
    uoa.uoaAlarmBufferPath = ${catalina.home}/logs/uoa 
    uoa.uoaBufferSize = 1000 
    #UOA Server Ip 
    uoa.uoaServerIP = 10.10.10.10 
    #the port added 6 based on AppOMListenPort  
    uoa.uoaServerPort = 6706 
    #UOA binding Local IP address for application side 
    uoa.moduleIP = 10.10.10.118 
    uoa.modulePort = 0 
     
    # Module Version 
    uoa.moduleVersion=V200R001

    Table 13-13 Parameter description

    Parameter | Description
    uoa.uoaServerIP/uoa.uoaServerPort | uoa.uoaServerIP indicates the IP address of the server where the UOA is installed. uoa.uoaServerPort indicates the number of the port connected to applications. The value of uoa.uoaServerPort equals 6 plus the port number of the UOA for listening applications.
    om.module.IP | For the CMS single-node system, set om.module.IP to the CMS server IP address. For the CMS two-node cluster, set om.module.IP to the floating IP address.

  3. Restart the CMS service.

Setting Protocol Parameters for EDS

The EDS server sends alarms to the eSight through the uniform operation and maintenance agent (UOA) server. Therefore, you need to configure UOA server connection information on the EDS server, and add the EDS server's alarm resource package on the UOA server.

Prerequisite

The UOA server has been installed and is running properly.

Configuration on the UOA Server

  1. Log in to the UOA server as the uoa user.
  2. Stop the UOA service.

    cd $UOA_Server/shell

    uoa_stop.sh

  3. Obtain the EDS_UOA.zip file from the IPCCV200R001C60_PUBLIC.zip > UOA.zip directory, decompress the file, and perform the following operations:

    1. Copy the files in alarm/ to the $UOA_Server/alarm/ directory.
    2. Copy the files in templates/ to the $UOA_Server/templates/ directory.
      NOTE:
      • Ensure that the UOA user has the read and write permissions on the copied files.
      • In the preceding directories, $UOA_Server is the installation directory of the UOA server.

  4. Set the IP address of the EDS server in the $UOA_Server/cfg/system/adapter.acl file. The configuration results are displayed in bold as follows:

    10.10.10.182
    NOTE:

    To configure multiple IP addresses, enter each address on a separate line.

  5. Start the UOA service.

    cd $UOA_Server/shell

    uoa_start.sh

Configuration on the EDS Server

  1. Log in to the EDS server as the eds user.
  2. Open the /home/eds/tomcat7/webapps/eds/WEB-INF/conf file using the vi editor and configure the parameters. The configuration results are displayed in bold as follows:

     
    # uoa config 
    uoa.flag            = on 
    uoa.serverIp        = 10.10.10.10 
    uoa.serverPort      = 6706 
    uoa.moduleIp        = 10.10.10.182 
    uoa.modulePort      = 0

    Table 13-14 Parameter description

    Parameter | Description
    uoa.flag | Indicates whether to enable the UOA alarm information. The value on indicates yes and off indicates no.
    uoa.serverIp/uoa.serverPort | A combination of the IP address of the UOA server and the port number that the UOA server uses to connect to the Agent. The port number is 6 plus the port number that the UOA server uses to listen on the EDS.
    uoa.moduleIp | The IP address of the EDS server.

  3. Restart the EDS service.
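
The UOA client sections above (Agent, ICS, DataStation, CMS, and EDS) share two dependencies: the application's local IP address must be entered in adapter.acl on the UOA server, and its server port must equal the UOA listening port plus 6 (plus 0 for DataStation). The script below is an added example, not part of the eSight guide or any Huawei tool, that checks both from copies of the two files; the function names are hypothetical, the sample files are constructed from values on this page, and the listening port 6700 is inferred from the sample values 6706 and 6700.

```shell
#!/bin/sh
# Added example (not vendor code). Cross-checks an application's UOA client
# settings against the adapter.acl on the UOA server. Samples are constructed
# from the values shown on this page.

# Print the value of KEY ($2) from a "key = value" file ($1). Comment lines are
# skipped, whitespace around "=" and at line end is ignored, last match wins.
prop_get() {
    awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
        sub(/\r$/, "")
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { val = v; found = 1 }
    }
    END { if (!found) exit 1; print val }' "$1"
}

# Exit 0 if IP ($2) is a whole line of adapter.acl ($1). Exact comparison, so
# an entry for 10.10.10.116 does not admit 10.10.10.11.
acl_lists_ip() {
    awk -v ip="$2" '
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    ($0 "") == (ip "") { hit = 1 }
    END { exit (hit ? 0 : 1) }' "$1"
}

# check_uoa_client PROPS ACL IP_KEY PORT_KEY LISTEN_PORT OFFSET
# OFFSET is 6 for the uoa.properties-style clients and 0 for DataStation, as
# the parameter tables state. Prints each problem; returns 1 if any was found.
check_uoa_client() {
    props=$1; acl=$2; ip_key=$3; port_key=$4; bad=0
    want=$(( $5 + $6 ))
    ip=$(prop_get "$props" "$ip_key") || { echo "$ip_key is not set"; return 1; }
    port=$(prop_get "$props" "$port_key") || { echo "$port_key is not set"; return 1; }
    if ! acl_lists_ip "$acl" "$ip"; then
        echo "$ip_key=$ip is not listed in adapter.acl"
        bad=1
    fi
    if [ "$port" != "$want" ]; then
        echo "$port_key=$port but UOA listening port $5 + $6 gives $want"
        bad=1
    fi
    return "$bad"
}

# Fill directory $1 with constructed copies of the three files.
write_samples() {
    printf '10.10.10.116\n10.10.10.130\n' > "$1/adapter.acl"
    cat > "$1/agent_uoa.properties" <<'EOF'
#UOA Server Ip
uoa.uoaServerIP = 10.10.10.10
uoa.uoaServerPort = 6706
uoa.moduleIP = 10.10.10.116
EOF
    cat > "$1/DSParameters.txt" <<'EOF'
uoa_server_ip = 10.10.10.10
uoa_server_port = 6700
uoa_local_ip = 10.10.10.131
EOF
}

d=$(mktemp -d)
write_samples "$d"
check_uoa_client "$d/agent_uoa.properties" "$d/adapter.acl" \
    uoa.moduleIP uoa.uoaServerPort 6700 6 && echo "Agent: OK"
check_uoa_client "$d/DSParameters.txt" "$d/adapter.acl" \
    uoa_local_ip uoa_server_port 6700 0 || echo "DataStation: fix the item above"
rm -rf "$d"
```

For EDS pass uoa.moduleIp and uoa.serverPort as the key names, and for the CMS Client pass om.global.localIP and om.global.agentPort.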

Setting Protocol Parameters for U2900s

If a non-admin user is used, you must register a new user on U2900 and assign NE and operation rights to the user.

Adding an LMT User

  1. Log in to the LMT client as the administrator user.
  2. Add a user.

    1. Click System > Security.
    2. In the window that is displayed, right-click User and choose New.
    3. In the dialog box that is displayed, enter the user name and password of the new user, and choose Account valid forever and Password valid forever.
    4. Click Apply.

    For details about the procedure, see Figure 13-1.

    Figure 13-1 Adding a user on the LMT client

    The user is added. The admin1 user is displayed in the window on the right.

  3. Assign the NE right to the user.

    1. Right-click the new user admin1 and choose Authorized ME.
    2. In the dialog box that is displayed, click Add.
    3. In the dialog box that is displayed, choose UAP and click OK.

    For details about the procedure, see Figure 13-2.

    Figure 13-2 Assigning the NE right to the user

  4. Assign the operation right to the user.

    1. Right-click the new user admin1 and choose Authorized Operation.
    2. In the dialog box that is displayed, click Add.
    3. In the drop-down list box, set ME ID, Command Group Name and Managed Object Group to ALL.
    4. Click OK.

    For details about the procedure, see Figure 13-3.

    Figure 13-3 Assigning the operation right to the user

Setting Protocol Parameters for UMSs

Set protocol parameters on UMSs so that the UMSs can properly connect to the eSight.

Procedure

  • For Movius UMSs, perform the following operations:
  1. Log in to the UMS server as the root user.
  2. Configure SNMP user information if the SNMPv3 protocol is used.

    1. Stop the SNMP service.

      stop snmp

    2. Create an SNMPv3 user.

      net-snmp-create-v3-user -a password username

      In the command, username is the SNMP user to be created, and password is the MD5 authentication protocol password for the user.

      Exercise caution when using HMAC_MD5 because it may bring security risks.

      Assume that the user name and authentication password are movius and M0vius@123 respectively.

       
      adding the following line to /var/net-snmp/snmpd.conf: 
         createUser SNMP MD5 "M0vius@123" AES 
      adding the following line to /usr/local/share/snmp/snmpd.conf: 
         rwuser movius
    3. Start the SNMP service.

      start snmp

  3. Configure UMS alarm reporting information.

    1. Switch to the directory where the movius-onms.properties file is stored.

      cd /opt/opennms/etc

      vi movius-onms.properties

      trap_ip=10.137.96.93      <-----------IP address of the eSight server.
      trap_port=162      <-----------Port number.
      version=3      <-----------SNMP protocol version.
      security-name=movius      <-----------Security name.
      auth-passphrase=M0vius@123      <-----------Authentication key.
      auth-protocol=MD5      <-----------Authentication protocol.
      privacy-passphrase=M0vius@123      <-----------Privacy (encryption) key.
      privacy-protocol=AES      <-----------Privacy (encryption) protocol.
      #NOAUTH_NOPRIV = 1;AUTH_NOPRIV = 2;AUTH_PRIV = 3; 
      security-level=1

      Exercise caution when using HMAC_MD5 because it may bring security risks.

    2. Restart the OpenNMS.

      stop opennms

      start opennms

  • For eSpace UMSs, perform the following operations:
  1. Log in to the UMS system through the browser as the user admin.
  2. In the navigation tree, choose System > Nms manage > Nms server config.

  3. Click Add, and set related parameters in the displayed Add group dialog box to create an SNMPv3 user.

    NOTE:

    It is recommended that you set Auth type to SHA and Privacy type to AES.

  4. Click Save, and click ok in the displayed dialog box.
  5. In the navigation tree, choose System > Nms manage > Nms server config.

  6. Set related parameters, click Save, and click ok in the displayed dialog box.

    NOTE:
    • If eSight is a two-node cluster system, you need to set Prepare eSight address.
    • Set Group name list to the SNMPv3 user created in step 3.

  7. Click load config, and click ok in the displayed dialog box.
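
The movius-onms.properties values shown in the SNMPv3 alarm reporting step above can be checked before OpenNMS is restarted. The following audit is an added example, not code from this guide or from the product: the function names and the set of flagged conditions are assumptions, security-level is read by the mapping in the file's own comment, and SHA is preferred as the note for eSpace UMSs recommends.

```python
import re

# Constructed sample: the movius-onms.properties values printed in the guide.
SAMPLE = """\
trap_ip=10.137.96.93      <-----------IP address of the eSight server.
trap_port=162      <-----------Port number.
version=3
security-name=movius
auth-passphrase=M0vius@123
auth-protocol=MD5
privacy-passphrase=M0vius@123
privacy-protocol=AES
#NOAUTH_NOPRIV = 1;AUTH_NOPRIV = 2;AUTH_PRIV = 3;
security-level=1
"""
DOC_EXAMPLE_SECRETS = {"M0vius@123"}  # passphrase published in the guide

def parse_properties(text):
    """Return key/value pairs, skipping comments and '<-----' annotations."""
    props = {}
    for line in text.splitlines():
        line = re.sub(r"\s*<-{3,}.*$", "", line).strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, message) findings for weak SNMPv3 trap settings."""
    findings = []
    if props.get("version") != "3":
        findings.append(("version", "traps are not sent with SNMPv3"))
    if props.get("security-level") != "3":
        findings.append(("security-level", "expected 3 (AUTH_PRIV)"))
    if props.get("auth-protocol", "").upper() == "MD5":
        findings.append(("auth-protocol", "HMAC_MD5; the guide recommends SHA"))
    for key in ("auth-passphrase", "privacy-passphrase"):
        if props.get(key) in DOC_EXAMPLE_SECRETS:
            findings.append((key, "example passphrase from the documentation"))
    auth = props.get("auth-passphrase")
    if auth and auth == props.get("privacy-passphrase"):
        findings.append(("privacy-passphrase", "same value as auth-passphrase"))
    return findings

if __name__ == "__main__":
    for key, message in audit(parse_properties(SAMPLE)):
        print(f"{key}: {message}")
```

With the values printed in this guide, the audit reports security-level=1, the MD5 authentication protocol and the documented example passphrase used for both keys.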

Setting Protocol Parameters for VCLOG

Set protocol parameters on VCLOGs so that the VCLOGs can properly connect to the eSight.

Procedure

  1. Log in to the VCLOG server as the Administrator user.
  2. Start SNMP Service.

    1. Choose Start > Run and enter services.msc. The Service window is displayed.
    2. Right-click the SNMP Service service, and choose Start.

  3. Click the Trap tab and add the public community in the SNMP Service Properties (SIPSERVER0) dialog box.
  4. Click the Security tab and grant the Read only permission to the public community.
  5. Choose Start > Huawei Recording > HWLogDiagnostics > Alarm Server.
  6. Add email addresses in the HWLog Diagnostic-Server Side dialog box, as shown in Figure 13-4.

    Figure 13-4 Configuring email addresses

  7. Click Level.
  8. Click Snmp in the Alarm Level dialog box.
  9. Set parameters in Set Parameter. Table 13-15 describes the parameters.

    Table 13-15 SNMP parameters

    Parameter      Description
    ------------   ------------------------------------------------------------
    Ip Address     IP address of the eSight server.
    Community      Community name. Set this parameter based on the site requirements.
    Send Port      SNMP port for sending mails. Set this parameter based on the site requirements.
    Receive Port   SNMP port for receiving mails. Set this parameter based on the site requirements.

Setting Protocol Parameters for SBCs (SX Series)

To enable the SBC (SX-series) to connect to eSight, you need to set protocol parameters on the SBC (SX-series).

Background

  • The eSight domain name ucems.huawei.com has been configured for the SBC (SX-series) before delivery.
  • If a DNS server exists on the network, configure the mapping between the eSight domain name and the IP address on the DNS server, without performing steps in Procedure.
  • If no DNS server exists on the network, configure the server URL by referring to Procedure.

Procedure

  1. Log in to the web page of the SBC (SX Series).

    1. Type the SBC (SX Series) IP address in the address box, and press Enter.
    2. Log in to the SBC (SX Series).

  2. Configure the server URL.

    1. Choose Advance in the main menu.
    2. In Server, enter the IP address corresponding to the TR-069 service on the eSight.
      • For higher security requirements, HTTPS is recommended. Enter https://IP address of the eSight server:32237/tr069SBC/services/acs.
      • In the case of lower security requirements, enter http://IP address of the eSight server:32236/tr069SBC/services/acs.

        Exercise caution when using HTTP because it may bring security risks.

Follow-up Procedure

To use the HTTP protocol, you must manually modify the related files in the eSight installation directory.

HTTP has security risks. Exercise caution when you use it.

  • In the config.properties file in the AppBase\etc\uc\ directory under the eSight installation directory, change supportSBCHttp=false to supportSBCHttp=true.
  • In the webserver.roa.inst.xml file in the /opt/eSight/AppBase/etc/iemp.framework/ directory, add the eSight IP address and port number.

    In <webserver name="tr069SBC"></webserver>, add the following content:

    <connector name="Tr069HttpPort" type="http">
      <!-- Replace @{ENT_HOSTIP} with the eSight IP address, such as 10.10.134.120. -->
      <property name="ip" value="@{ENT_HOSTIP}" />
      <property name="port" value="32236" />
    </connector>

Restart eSight after the modification.
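
Whether plaintext TR-069 has been enabled on an eSight server can be checked from the two files named above, together with the ACS URL set on the SBC. This is an added example, not code from this guide or from the product: the connector is the one shown in the guide, while the <webservers> root element, the address 192.0.2.10 and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples. The connector is the snippet from the guide; the
# <webservers> root element and the address 192.0.2.10 are assumptions.
CONFIG_PROPERTIES = "supportSBCHttp=true\n"
WEBSERVER_XML = """\
<webservers>
  <webserver name="tr069SBC">
    <connector name="Tr069HttpPort" type="http">
      <property name="ip" value="192.0.2.10" />
      <property name="port" value="32236" />
    </connector>
  </webserver>
</webservers>
"""

def http_flag_enabled(properties_text):
    """True if config.properties carries supportSBCHttp=true."""
    m = re.search(r"^\s*supportSBCHttp\s*=\s*(\S+)", properties_text, re.M)
    return bool(m) and m.group(1).lower() == "true"

def http_connectors(xml_text, server="tr069SBC"):
    """Return (ip, port) for every HTTP connector of the given webserver."""
    found = []
    for ws in ET.fromstring(xml_text).iter("webserver"):
        if ws.get("name") != server:
            continue
        for conn in ws.iter("connector"):
            if conn.get("type", "").lower() == "http":
                props = {p.get("name"): p.get("value") for p in conn.iter("property")}
                found.append((props.get("ip"), props.get("port")))
    return found

def acs_url_is_https(url):
    """True if the ACS URL set on the SBC uses HTTPS on the tr069SBC path."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.path == "/tr069SBC/services/acs"

def plaintext_tr069_enabled(properties_text, xml_text):
    """The guide requires both manual changes before HTTP can be used."""
    return http_flag_enabled(properties_text) and bool(http_connectors(xml_text))

if __name__ == "__main__":
    print("HTTP connectors:", http_connectors(WEBSERVER_XML))
    print("plaintext TR-069 enabled:",
          plaintext_tr069_enabled(CONFIG_PROPERTIES, WEBSERVER_XML))
```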

Setting Device Protocol Parameters for the EC3.0 ECS

Set protocol parameters on devices involved in the EC3.0 ECS so that you can use the eSight to manage EC3.0 ECS devices.

Prerequisites

The EC3.0 ECS devices are running properly.

Configuring the Whitelist

  1. Log in to the UOA server as the uoa user.
  2. Edit the UOA configuration file.

    su - uoa

    cd $UOA_RUN_ROOT/cfg/system

    vi adapter.acl

    Add the eSight IP address to the end of the adapter.acl file.

  3. Restart the UOA server.

Setting Protocol Parameters for the CGP Server

To ensure that eSight can normally manage the CGP server, you need to set protocol parameters on the CGP server.

Prerequisites

The CGP server runs normally.

Procedure

  1. Log in to HUAWEI Operation & Maintenance System as the admin user.
  2. Run the ADD SNMPUSER command to create a user whose protocol version is V3 and whose Authentication protocol and Private protocol are not NULL.

Setting Protocol Parameters for a CSP Device

To ensure that eSight can normally manage a CSP device, you need to set protocol parameters on the CSP device.

Prerequisites

The CSP server is running properly.

Procedure

  1. Log in to the portal of a CSP device.
  2. Choose System > SNMP from the main menu.
  3. Click Change Passwords in the Operation column of an SNMP user and change the user password.

    NOTE:

    By default, both the authentication password and encryption password are r1+@z(9Ho3b.

Updated: 2019-09-12

Document ID: EDOC1100044378
