What Do I Do If eSight Cannot Be Accessed Through NAT Mapping?
Question
What do I do if eSight cannot be accessed through NAT mapping?
Answer
In an HA system, operations in this section need to be performed only on the active node.
- Modify the esightsso.ssoclient.ext.xml file.
File path: eSight installation directory\AppBase\etc\oms.sso\ext\esightsso.ssoclient.ext.xml
Add the following information to the servers section in the file. If the servers section does not exist, create it.
In a local HA system, replace 10.120.50.118 with the floating IP address. In other systems, replace 10.120.50.118 with the system IP address of the eSight server.
<config name="server">
    <param name="entryAddressMapping">Public network IP address</param>
    <param name="name">10.120.50.118:8087</param>
    <param name="public">https://Public network IP address:31942/sso</param>
    <param name="private">http://10.120.50.118:8087/sso</param>
    <param name="logout">https://Public network IP address:31942/sso/logout</param>
</config>
Example:
<?xml version="1.0" encoding="UTF-8"?>
<config name="oms">
    <config name="sso">
        <config name="client">
            <param name="enabled">true</param>
            <param name="isShowWhiteListPage">true</param>
        </config>
        <config name="servers">
            <config name="server">
                <param name="entryAddressMapping">Public network IP address</param>
                <param name="name">10.120.50.118:8087</param>
                <param name="public">https://Public network IP address:31942/sso</param>
                <param name="private">http://10.120.50.118:8087/sso</param>
                <param name="logout">https://Public network IP address:31942/sso/logout</param>
            </config>
        </config>
    </config>
</config>
- Modify the esightsso.sso.ext.xml file to add the public IP address to the client-trusted-ip section.
File path: eSight installation directory\AppBase\etc\oms.sso\ext\esightsso.sso.ext.xml
<param name="client-trusted-ip">10.120.50.118,Public network IP address</param>
- Modify the sso.xml file to add the public IP address to the client-trusted-ip section.
File path: eSight installation directory\AppBase\etc\oms.sso\sso.xml
<param name="client-trusted-ip">10.120.50.118,Public network IP address</param>
- Check eSight installation directory\AppBase\etc\iemp.esight\roa_ext_esight.properties.
- If http.host.white.list exists and the value is * (for example, http.host.white.list=*), no further action is required.
- If http.host.white.list exists but the value is not *, add the public IP address to the end of http.host.white.list.
Example: http.host.white.list=10.120.50.118:31943,10.120.50.118:8080,10.120.50.118:31942,10.120.50.118:32020, Public network IP address:31943, Public network IP address:8080, Public network IP address:31942, Public network IP address:32020
- Check eSight installation directory\mttools\etc\iemp.esight\roa_ext_esight.properties.
- If http.host.white.list exists and the value is * (for example, http.host.white.list=*), no further action is required.
- If http.host.white.list exists but the value is not *, add the public IP address to the end of http.host.white.list, for example, http.host.white.list=10.120.50.118:31945,10.120.50.118:8088,10.120.50.118:31942, Public network IP address:31945, Public network IP address:8088, Public network IP address:31942
- Change the HedEx settings as follows:
- Add the following information to the eSight installation directory\AppBase\etc\iemp.esight\oms_ext_esight.xml file:
Set the param name="lib" field to enterprise_en.
<config name="hedex">
    <param name="url">https://Public IP address:31943/hedex</param>
    <!-- Documentation package ID -->
    <param name="lib">enterprise_en</param>
</config>
- Add the eSight installation directory\mttools\etc\iemp.esight\oms_ext_esight.xml file. The file content is as follows:
Set the param name="lib" field to mttools_en.
<?xml version="1.0" encoding="UTF-8"?>
<config name="oms">
    <config name="hedex">
        <param name="url">https://Public IP address:31945/hedex</param>
        <!-- Documentation package ID -->
        <param name="lib">mttools_en</param>
    </config>
</config>
- Change the owner of the eSight installation directory\mttools\etc\iemp.esight\oms_ext_esight.xml file to ossuser:ossgroup.
# cd /opt/eSight/mttools/etc/iemp.esight/
# chown ossuser:ossgroup oms_ext_esight.xml
- Restart the eSight service.
In the single-node system scenario, run the following commands to restart the eSight service:
- Log in to the eSight server as the ossuser user. For the preset password, see the eSight User List released with the version (Support: https://support.huawei.com/carrier/docview!docview?nid=DOC1100890341; Support-E: https://support.huawei.com/enterprise/en/doc/EDOC1100227876).
- Run the following commands to stop the eSight service:
cd /opt/eSight/bin
./shutdown.sh
Are you sure you want to stop the system? (Please enter y or n):
Enter y and press Enter.
- Run the following commands to start the eSight service:
cd /opt/eSight/bin
./startup.sh
In the two-node cluster scenario, run the following commands to restart the eSight service:
- Log in to the standby eSight server as the ossuser user.
- Run the following commands to stop eSight:
cd /opt/ommha/ha/bin
./stop.sh
- Log in to the active eSight server as the ossuser user.
- Run the following commands to stop eSight:
cd /opt/ommha/ha/bin
./stop.sh
- Log in to the active eSight server as the ossuser user.
- Run the following commands to start eSight:
cd /opt/ommha/ha/bin
./start.sh
- Log in to the standby eSight server as the ossuser user.
- Run the following commands to start eSight:
cd /opt/ommha/ha/bin
./start.sh
- Map ports 8080, 31942, 31943, 8088, and 31945 of the public IP address to ports 8080, 31942, 31943, 8088, and 31945 of the system IP address of eSight, respectively.
Take the USG firewall as an example. Log in to the USG firewall and run the following commands:
For details, see the firewall product documentation of the corresponding version. The commands may vary slightly according to the version.
<device> system-view
[device] nat server for_eSight_1 protocol tcp global Public network IP address 8080 inside 10.120.50.118 8080 no-reverse
[device] nat server for_eSight_1 protocol tcp global Public network IP address 31942 inside 10.120.50.118 31942 no-reverse
[device] nat server for_eSight_1 protocol tcp global Public network IP address 31943 inside 10.120.50.118 31943 no-reverse
[device] nat server for_eSight_1 protocol tcp global Public network IP address 8088 inside 10.120.50.118 8088 no-reverse
[device] nat server for_eSight_1 protocol tcp global Public network IP address 31945 inside 10.120.50.118 31945 no-reverse
If the port number set during eSight installation is not 8080, you need to replace 8080 in the commands with the port number set during eSight installation. In the commands, for_eSight_1 is the server name, and 10.120.50.118 is the eSight system IP address.
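The two http.host.white.list steps above are easy to get partly wrong, since each file needs one entry per port. The following check is an added example, not part of the eSight product or its documentation: it reports which "public IP:port" entries are still missing from a roa_ext_esight.properties file before the service is restarted. The function name missing_whitelist_entries and the address 203.0.113.10 (standing in for the public network IP address) are constructed for illustration, and the check assumes that the last definition of the key applies and that spaces around entries are not significant.

```shell
#!/bin/sh
# Added example (not Huawei tooling): list the "<public_ip>:<port>" entries
# that are missing from http.host.white.list in a roa_ext_esight.properties file.
# Usage:  missing_whitelist_entries FILE PUBLIC_IP PORT...
# Output: one missing entry per line; nothing if the list is complete or "*".
# Status: 0 = nothing missing, 1 = entries missing, 2 = file or key absent.
missing_whitelist_entries() {
    file=$1; ip=$2; shift 2
    [ -r "$file" ] || return 2
    # The page only covers the case where the key exists; report its absence.
    grep -q '^[[:space:]]*http\.host\.white\.list[[:space:]]*=' "$file" || return 2
    # Assumption: the last definition wins; spaces, tabs and CRs are ignored.
    value=$(sed -n 's/^[[:space:]]*http\.host\.white\.list[[:space:]]*=//p' "$file" \
            | tail -n 1 | tr -d ' \t\r')
    # A value of "*" needs no further action, as the steps above state.
    [ "$value" = "*" ] && return 0
    rc=0
    for port in "$@"; do
        # Wrap in commas so that only whole entries match.
        case ",$value," in
            *",$ip:$port,"*) ;;
            *) printf '%s:%s\n' "$ip" "$port"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input: an AppBase-style list in which only two of the
# four public entries from the page's example have been added so far.
demo=$(mktemp)
printf '%s\n' 'http.host.white.list=10.120.50.118:31943,10.120.50.118:8080,10.120.50.118:31942,10.120.50.118:32020, 203.0.113.10:31943, 203.0.113.10:8080' > "$demo"
missing_whitelist_entries "$demo" 203.0.113.10 31943 8080 31942 32020 || true
rm -f "$demo"
```

For the AppBase file, pass the ports from the first example (31943, 8080, 31942, 32020); for the mttools file, pass 31945, 8088, and 31942.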