Installation Guide
This material is copyright. No part of this document may be reproduced in any form, stored in a retrieval system or transmitted without the prior written permission of Fastwire Limited. Commercial in Confidence Issued by Fastwire Pty. Ltd.
Trademarks
DiskSuite and Solaris are trademarks or registered trademarks of Sun Microsystems Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group.
All other company and product names are trademarks or registered trademarks of their respective companies.
openCA 4.3.8
May 2010
Contents
Purpose ... 9
Audience ... 9
Scope ... 9
Document Conventions ... 10
Related Documentation ... 10
Abbreviations and Acronyms ... 11
Software Release ... 11
Chapter 1: Introduction ... 13
    Overview ... 13
    Important Information ... 13
        Installation Knowledge ... 13
        Installation Personnel ... 13
        System Configuration ... 13
        Database Schemas ... 13
        Release Compatibility ... 14
    Package Information ... 14
        Solaris ... 14
        Linux ... 14
    System Requirements ... 15
        Solaris ... 15
        Linux ... 15
    Processes and Scripts ... 15
    Directories ... 16
    Users ... 17
    Redundancy ... 17
Chapter 2: Pre-Installation ... 19
    Introduction ... 19
    Configuring File Descriptors ... 20
        Solaris ... 20
        Linux ... 20
Chapter 3: Installing openCA Application ... 21
    Introduction ... 21
    Before You Start ... 21
    Installation ... 21
        Solaris ... 21
        Linux ... 23
Chapter 4: Post-Installation ... 25
    Introduction ... 25
    Creating Databases ... 25
    Licenses ... 26
    Solaris ... 27
        Configuring rsh/ssh ... 27
    Linux ... 27
        Configuring SSH ... 27
    Configuration Review ... 27
    Startup ... 27
Chapter 5: Uninstalling openCA Application ... 29
    Introduction ... 29
    Notes ... 29
    Uninstallation ... 30
        Solaris ... 30
        Linux ... 32
Chapter 6: Installing openCA Patches ... 35
    Introduction ... 35
    Notes ... 35
    Installation ... 36
        Solaris ... 36
        Linux ... 37
Chapter 7: Uninstalling openCA Patches ... 39
    Introduction ... 39
    Notes ... 39
    Uninstallation ... 40
        Solaris ... 40
        Linux ... 42
Chapter 8: Subscriber Web Access ... 45
    Package Information ... 45
    System Requirements ... 45
        Linux Red Hat Enterprise Linux 5 ... 45
        Solaris 10 ... 46
    Processes and Scripts ... 46
    Directories ... 47
    Users ... 48
        Solaris ... 48
    Installing openCA Subscriber Web Access ... 49
        Installing openCA Subscriber Web Access on Linux ... 49
        Installing openCA Subscriber Web Access on Solaris ... 52
        Additional Steps for Installing openCA Subscriber Web Access on a Different Host ... 55
        Creating the Subscriber Web Database ... 56
Appendix A: Operating System Patches ... 57
    Solaris Patches ... 57
    Linux Patches ... 58
Appendix B: Disk Partitioning and Mirroring ... 59
    Introduction ... 59
    Solaris ... 59
        Partitioning Disk Space ... 59
        Solaris Disk Mirroring ... 60
    Linux ... 66
        Partitioning Disk Space ... 66
Appendix C: IP Network Configuration ... 67
    Solaris IP Network Configuration ... 67
        Redundant Configuration ... 67
        Standalone Configuration ... 68
        Solaris Configuring IP Multipathing and Point to Point Connections ... 68
        Related Commands ... 78
        Solaris Name Service Configuration ... 79
        Solaris Configuration of /etc/hosts ... 79
    Linux IP Network Configuration ... 80
        IBM Blade Center Redundant Configuration ... 80
        Linux Server Redundant Configuration with Ethernet Bonding ... 81
        Standalone Configuration ... 81
        Linux Name Service Configuration ... 82
        Linux Disabling Network Routing ... 83
        Ethernet Bonding on RedHat ES 5 ... 84
Appendix D: Network Time ... 89
    Configuring Network Time ... 89
        Solaris ... 90
        Linux ... 91
Appendix E: Security ... 93
    Introduction ... 93
    Solaris Security ... 93
        Solaris Run level and network services ... 93
        IP FILTER (Solaris) ... 95
    Linux Security ... 96
        IP TABLES (Linux) ... 97
Appendix F: Solaris Configuring rsh ... 99
    Configuring rsh Between Two Hosts ... 99
Appendix G: Configuring Floating Virtual IP ... 101
    Procedure for Configuring FVIP ... 101
        Configuring FVIP for Solaris ... 101
        Configuring FVIP for Linux ... 104
Appendix H: Configuring SNMP Reporting ... 109
    Procedure for Configuring SNMP Alarms and Alerts ... 109
        Solaris and Linux ... 109
Appendix I: Example Linux Installation ... 111
    Procedure for Installing Red Hat Enterprise Server ... 111
Appendix J: IPTABLES Configuration File ... 117
    Overview ... 117
Appendix K: IPFILTER Configuration File ... 119
    Overview ... 119

List of Procedures
Procedure 2-1: Configuring File Descriptors for Solaris ... 20
Procedure 2-2: Configuring File Descriptors for Linux ... 20
Procedure 3-1: Installing openCA on Solaris ... 21
Procedure 3-2: Installing openCA on Linux ... 23
Procedure 4-1: Creating Databases ... 25
Procedure 5-1: Uninstalling an openCA release from a Solaris Platform ... 30
Procedure 5-2: Uninstalling an openCA release from a Linux Platform ... 32
Procedure 6-1: Installing an openCA patch on a Solaris Platform ... 36
Procedure 6-2: Installing an openCA patch on a Linux Platform ... 37
Procedure 7-1: Uninstalling an openCA patch from a Solaris host ... 40
Procedure 7-2: Uninstalling an openCA patch from a Linux host ... 42
Procedure 8-1: Installing openCA Subscriber Web Access for Linux ... 49
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris ... 52
Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host ... 55
Procedure A-1: Configuring Solaris Patches ... 57
Procedure A-2: Configuring Linux Patches ... 58
Procedure B-1: Copying Partitioning Information ... 61
Procedure B-2: Configuring Disk Mirroring ... 64
Procedure C-1: Configuring Router Discovery ... 70
Procedure C-2: Multipath Detection Timeout ... 72
Procedure C-3: Configuring IP Multipathing Targets ... 74
Procedure C-4: Configuring a bonded interface ... 85
Procedure D-1: NTP Configuration for Solaris ... 90
Procedure D-2: NTP Configuration for Linux ... 91
Procedure E-1: Rules to add to the ipf.conf file for IP filtering ... 95
Procedure E-2: Settings required when using IP tables as a firewall ... 97
Procedure F-1: Setting up rsh between two hosts ... 99
Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) ... 101
Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) ... 105
Procedure H-1: Configuring SNMP Alarm and Alert Reporting ... 109
Procedure I-1: Sample RedHat Linux ES5 Installation Procedure ... 111
Purpose
The purpose of this document is to provide an installation guide for the openCallAgent (openCA).
Audience
The audience for this document is Fastwire customers who will be performing the installation. This audience is assumed to have the following experience and knowledge:
- Telecommunications network protocols and equipment
- Data communication networks, protocols and equipment
- UNIX or Linux, vi or text editor skills
Scope
This document includes the following information:
- Pre-installation requirements
- Installation of openCA
Document Conventions
The following formatting is used throughout this document to define certain text as having special meaning.
Convention      Description
Italics         Used to identify:
                - A reference to another part of this manual or to other reference material.
                - The result of performing a step in a procedure table.
                - Text that should be typed with substitutions (for example, an instruction to type YourInitials would mean type your own initials instead of the text).
                - Emphasis.
Bold            Used to identify:
                - Menu names
                - Menu options
                - Field names
                - Button names
Courier         Used to identify commands.
Courier Bold    Used to identify text that should be typed exactly as it appears (for example, an instruction to type YourInitials would mean type the text YourInitials exactly as it appears).
Related Documentation
- openCallAgent 4.3.8 User Guide
- openCallAgent 4.3.8 Release Notes
Note:
Release Notes are specific to a particular release and patch level of openCA. For example, the openCallAgent 4.3.8 Release Notes pertain to release openCA-4.3.8 only.
Software Release
This document applies to release 4.3.8 of openCA.
Chapter 1: Introduction
Overview
This guide contains general information about installing and configuring release 4.3.8 of the openCallAgent platform.
Important Information
This section highlights important details concerning this installation.
Installation Knowledge
Before you start the installation, ensure you understand the information in this section and have carefully studied the installation procedure.
Installation Personnel
Personnel who are familiar with Linux and UNIX operating system administration should perform the installation.
System Configuration
System configuration is carried out as a separate step from installation. See the configuration chapter of the openCallAgent 4.3.8 User Guide.
Database Schemas
All references to the configuration database imply a database created using the configuration database schema specified in the accompanying openCallAgent 4.3.8 Release Notes. For the purposes of this document, the configuration database schema pdmandblackwhite-1-schema is used as an example.
Release Compatibility
The openCallAgent 4.3.8 Release Notes specify any compatibility between openCA 4.3.8 and related products from Fastwire.
Package Information
The openCA-4.3.8 installation requires the OPENca package. Multiple versions of the OPENca package can coexist on the same system. In the installation directory, a current link points to the one that is currently active.
Solaris
When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca.<n>, where <n> is greater than or equal to 2, for example OPENca.2. The pkg family of commands (for example pkgadd, pkgrm and pkginfo) is used for all package operations, such as adding or removing a package or retrieving information about it.
Note:
When using pkg commands, it is important to know the exact version of the package you are working with.
Linux
When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca-<w>.<x>.<y>, where <w> denotes the Release Number and <x.y> the Version. Use the rpm command to perform operations concerning packages on Linux systems.
Note:
When using the rpm command, it is important to know the exact version of the package you are working with.
System Requirements
openCA has the following system requirements:
Solaris
openCA runs on Sun servers that use Solaris 10. See Appendix A: Operating System Patches for more information on the operating system. Installation requires 2.8 GB of disk space in /opt.
Linux
openCA has been tested on IBM Blade machines using RedHat Enterprise Linux ES 5, running in 32-bit kernel mode. See Appendix A: Operating System Patches for more information on the operating system. Installation requires 2.8 GB of disk space in /opt.
Processes and Scripts
The openCA application has the following scripts:
- FVIP
- ca
- ca_configure.pl
- ca_mmi
- ca_ps.rsh
- ca_ps.ssh
Directories
Install openCA in the /opt directory. The directory structure created during installation follows the convention shown below:
    /opt/OPENca
        version x/
        version y/
        version z/
        current -> version z
Note:
Up to 20 versions of the OPENca package can be present on a machine at any one time, if enough disk space is available.
Contents:
- log files
- Call Agent ProcessManager process list files
- FVIP ProcessManager process list files
- configuration database ProcessManager process list files
Users
The OPENca package installs its own user, otcaop, who owns the OPENca software. This user is added when OPENca is first installed, and is removed when the last release of OPENca is removed.
Note:
When you remove the last release of OPENca, the otcaop user must be inactive, i.e. no processes, including logins, can be running as otcaop.
You must set the otcaop password after it is created. The removal of otcaop also results in the removal of its home directory; however, the contents of the home directory are automatically backed up to /tmp before removal.
Note:
/tmp is cleared on reboot. Therefore, if you want to save this backup, move it to a safe area.
Redundancy
The openCA-4.3.8 release can be installed in either a standalone or a redundant configuration. In a redundant configuration, openCA is installed on two machines. In a standalone configuration, openCA is installed on only one machine.
The installation instructions in the following chapters apply to both configurations.
Chapter 2: Pre-Installation
Introduction
This chapter describes pre-installation procedures for openCA.
1. The openCA application must be able to find the addresses of both the local and remote machines in the installation; therefore, ensure that all host names and IP addresses of both hosts in the pair are specified in the /etc/hosts file on each host. For IP Network configuration, see Appendix C: IP Network Configuration.
2. Further, if this installation is required to meet telecoms-standard High Availability / Fault Tolerant requirements, Fastwire recommends that you provide redundancy on all openCA hosts in terms of disk mirroring, partitioning and in the server/network configuration of each host (see Appendix B: Disk Partitioning and Mirroring and Appendix C: IP Network Configuration).
3. A redundant openCA installation uses replicated databases, which require that the clocks on both hosts are synchronised. These clocks should be synchronised using the Network Time Protocol (NTP). For more information on how to configure NTP across openCA hosts, see Appendix D: Network Time.
Solaris
For any Solaris system, make the system configuration change shown in Procedure 2-1 on each openCA host.

Step 1. Log in as user root.
Step 2. Add the following lines to /etc/system:
    set rlim_fd_max = 10240
    set rlim_fd_cur = 256
(rlim_fd_max sets the hard limit on file descriptors; rlim_fd_cur sets the soft limit.)
Step 3. Reboot the system for these changes to become active. Enter the following command:
    reboot

Procedure 2-1: Configuring File Descriptors for Solaris
Linux
For any Linux system, make the system configuration change shown in Procedure 2-2 on each openCA host.

Step 1. Log in as user root.
Step 2. Add the following lines to /etc/sysctl.conf:
    # Increase system-wide file descriptor limit.
    fs.file-max = 10240
    fs.inode-max = 40960
Step 3. Reboot the system for these changes to become active. Enter the following command:
    reboot

Procedure 2-2: Configuring File Descriptors for Linux
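The two requirements of this chapter, the /etc/hosts entries for both hosts of the pair and the file descriptor limits of Procedures 2-1 and 2-2, can be checked from a script before the installation proceeds. The following is an added example and is not part of the Fastwire guide. The function names, the scratch directory and the sample addresses (192.0.2.x) are constructed for the demonstration; the file names, keys and limits are the ones the chapter specifies. The live kernel value is read from a file argument so that on Linux it can be pointed at /proc/sys/fs/file-max; for /etc/system only the configured value is checked, because the rlim_fd_* settings take effect after the reboot.

```shell
#!/bin/sh
# Added example (not Fastwire's code): pre-installation checks for an openCA host.
#   1. every host name of the pair resolves through /etc/hosts
#   2. the file descriptor limits of Procedure 2-1 / 2-2 are configured and active

# hosts_has FILE NAME: succeed if NAME appears as a host name or alias in FILE.
# Comments (# to end of line) are ignored; fields are matched whole, case-insensitively.
hosts_has() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        NF < 2 { next }                         # need an address plus at least one name
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_pair FILE HOST...: report each host name missing from FILE.
# Returns the number of missing names (0 means all are present).
check_pair() {
    file=$1; shift
    missing=0
    for h in "$@"; do
        if hosts_has "$file" "$h"; then
            echo "OK:      $h is listed in $file"
        else
            echo "MISSING: $h is not listed in $file"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# conf_value FILE KEY: print the value assigned to KEY in FILE, or nothing.
# Accepts "key = value" (sysctl.conf) and "set key = value" (/etc/system);
# lines starting with '#' (sysctl) or '*' (/etc/system) are comments; last assignment wins.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#*]/ { next }
        {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            n = split(line, kv, "=")
            if (n < 2) next
            k = kv[1]; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = kv[2]; gsub(/[ \t]/, "", v)
            val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_fd_limit CONF_FILE KEY MINIMUM LIVE_FILE
#   0 = configured at or above MINIMUM and (if LIVE_FILE is readable) active in the kernel
#   1 = configured, but the kernel still reports a lower value (reboot pending)
#   2 = not configured, or configured below MINIMUM
check_fd_limit() {
    configured=$(conf_value "$1" "$2")
    [ -n "$configured" ] || { echo "MISSING: $2 is not set in $1"; return 2; }
    [ "$configured" -ge "$3" ] || { echo "TOO LOW: $2=$configured in $1 (minimum $3)"; return 2; }
    if [ -r "$4" ]; then
        live=$(cat "$4")
        [ "$live" -ge "$3" ] || { echo "PENDING: $2=$configured in $1 but kernel reports $live (reboot required)"; return 1; }
    fi
    echo "OK:      $2=$configured"
    return 0
}

# Demonstration on constructed input in a scratch directory (not the real system files).
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/preinstall.XXXXXX")
    printf '127.0.0.1 localhost\n# openCA pair (constructed addresses)\n192.0.2.11 oca01 oca01.example.net\n' > "$tmp/hosts"
    printf '# Increase system-wide file descriptor limit.\nfs.file-max = 10240\nfs.inode-max = 40960\n' > "$tmp/sysctl.conf"
    printf '4096\n' > "$tmp/file-max"    # stands in for /proc/sys/fs/file-max before the reboot
    check_pair "$tmp/hosts" oca01 oca02 || :          # reports oca02 as MISSING
    check_fd_limit "$tmp/sysctl.conf" fs.file-max 10240 "$tmp/file-max" || :   # reports PENDING
    rm -rf "$tmp"
}
demo
```

On a real host, run check_pair /etc/hosts with both host names of the pair and check_fd_limit /etc/sysctl.conf fs.file-max 10240 /proc/sys/fs/file-max (or /etc/system rlim_fd_max 10240 with a non-existent live file on Solaris). The script only parses the files; it does not validate that every key is known to the running kernel, and on 2.6 kernels such as RHEL 5's, fs.inode-max is no longer a sysctl key, so sysctl -p reports it as unknown while the other settings are still applied.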
Chapter 3: Installing openCA Application
Introduction
This chapter contains instructions for installing the openCA application.
Note:
These instructions use an example openCA release, openCA-4.3.8, to demonstrate the installation.
Installation
Solaris
To install the openCA application, follow the steps in Procedure 3-1 on each host Step 1. 2. Action Log on as user root. Enter the following command to create a temporary directory: mkdir /opt/CA_INSTALL
Procedure 3-1: Installing openCA on Solaris (Sheet 1 of 2)
Step 3. Enter the following commands to extract the release file from the CD:
        cd /opt/CA_INSTALL
        gzip -dc /cdrom/cdrom0/openCA-4.3.8.tar.gz | tar xvf -
Step 4. Enter the following command to install the openCA-4.3.8 release:
        pkgadd -d . OPENca
        Answer 'y' to the questions presented.
Step 5. Enter the following command to set the password for otcaop:
        passwd otcaop
        Enter and confirm the password as prompted.
Step 6. Enter the following command to check that the openCA release is installed:
        /opt/OPENca/openCA-4.3.8/bin/ca_report
        The following is an example of the text that appears:
        oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca
        -------------------------------
Step 7. You may need to install a patch for this release. Refer to the openCallAgent 4.3.8 Release Notes for details of any patches associated with this release. If it is necessary to install a patch, see Chapter 6: Installing openCA Patches for instructions on how to install a patch.
Step 8. After installing openCA and any necessary patches, install the openCA configuration files. The ca_configure.pl script copies the configuration files from their installation area (the skel subdirectory) to their operational area (the etc subdirectory), updating them for your configuration. Enter the following command as user otcaop to perform this task:
        /opt/OPENca/openCA-4.3.8/bin/ca_configure.pl
        Answer the prompts for each question. A default value may be shown within square brackets [] and can be accepted by pressing Enter.
        Note: If the Subscriber Web Service is not installed, the Web Database questions can be skipped by pressing Enter.
Installation Guide
Linux
To install the openCA application, follow the steps in Procedure 3-2 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to create a temporary directory:
        mkdir /opt/CA_INSTALL
Step 3. Enter the following commands to copy the release file from the CD:
        cd /opt/CA_INSTALL
        cp /cdrom/cdrom0/openCA-4.3.8-1.i686.rpm .
Step 4. Enter the following command to install the openCA-4.3.8 release:
        rpm -i openCA-4.3.8-1.i686.rpm
Step 5. Enter the following command to set the password for otcaop:
        passwd otcaop
        Enter and confirm the password as prompted.
Step 6. Enter the following command to check that the openCA release is installed:
        /opt/OPENca/openCA-4.3.8/bin/ca_report
        The following is an example of the text that appears:
        oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca-4.3.8-1
        -------------------------------
Step 7. You may need to install a patch for this release. Refer to the openCallAgent 4.3.8 Release Notes for details of any patches associated with this release. If it is necessary to install a patch, see Chapter 6: Installing openCA Patches for instructions on how to install a patch.
Procedure 3-2: Installing openCA on Linux (Sheet 1 of 2)
Step 8. After installing openCA and any necessary patches, install the openCA configuration files. The ca_configure.pl script copies the configuration files from their installation area (the skel subdirectory) to their operational area (the etc subdirectory), updating them for your configuration. Enter the following command as user otcaop to perform this task:
        /opt/OPENca/openCA-4.3.8/bin/ca_configure.pl
        Answer the prompts for each question. A default value may be shown within square brackets [] and can be accepted by pressing Enter.
        Note: If the Subscriber Web Service is not installed, the Web Database questions can be skipped by pressing Enter.
Chapter 4: Post-Installation
Introduction
This chapter describes post-installation procedures for openCA.
Creating Databases
After the openCA software is installed, you must create a new configuration database. A redundant system has two databases, the main_master and the alternative_master. A standalone system only has a main_master. Follow the steps in Procedure 4-1.
Step 1. Log on to the first server as user otcaop.
Step 2. Confirm that the location of the database is correct by checking the SDF_Replica.database.path entry in the file /opt/OPENca/current/openCallAgent.conf.
Step 3. Enter the following command to create the main master database:
        create_db main_master
        Sample output from the create_db command:
        Creating main master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1schema.Linux.so...
        Established "SDF-pdmandblackwhite.R0"
        setup_tsacdb_replica: OK.
        main master configuration database /opt/OPENca/openCA4.3.8/SDF/SDF-pdmandblackwhite.R0 created.
Step 4. For a standalone system, database creation is complete. Continue this procedure only for a redundant system.
Step 5. For a redundant system, log on to the second server as user otcaop.
Step 6. On the second server, confirm that the location of the database is correct by checking the SDF_Replica.database.path entry in the file /opt/OPENca/current/openCallAgent.conf.
Step 7. On the second server, enter the following command to create the alternative master database:
        create_db alternative_master
        Sample output from the create_db command:
        Creating alternative master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1schema.Linux.so...
        Established "SDF-pdmandblackwhite.R1"
        setup_tsacdb_replica: OK.
        alternative master configuration database /opt/OPENca/openCA4.3.8/SDF/SDF-pdmandblackwhite.R1 created.

For more information on how to perform this task, refer to the "Creating Databases" section in Chapter 2: System Management of the openCallAgent 4.3.8 User Guide.
Licenses
openCA licence files are issued separately. Copy the licence file to /etc/calicense.dat, or to the other location specified in the openCallAgent.conf configuration file. Refer to Chapter 2: System Management of the openCallAgent 4.3.8 User Guide for more details on openCA licences.
Solaris
Configuring rsh/ssh
During installation the ca_ps script is created as a link to ca_ps.rsh. The ca_ps.rsh script uses remote shell (rsh) to open a shell on the other host in an openCA redundant configuration so that it can list the running processes on that host. Another script, ca_ps.ssh, performs exactly the same task as ca_ps.rsh, except that it uses secure shell (ssh) rather than rsh to open a shell on the other host. ca_ps may be linked to either of these scripts, depending on whether rsh or ssh is the preferred option for opening shells on the Call Agent hosts. For the ca_ps.rsh and ca_ps.ssh scripts to operate properly in a redundant configuration, the user otcaop must be able to open either a remote shell (rsh) or a secure shell (ssh), without providing a password, from one openCA host to the other. To configure rsh, see Appendix F: Solaris Configuring rsh. If ssh is the preferred option, it must be installed and configured. A number of ssh configuration options are available and the most suitable option must be decided by the System Administrator. For more information on ca_ps.rsh and ca_ps.ssh, refer to Chapter 3 in the openCallAgent 4.3.8 User Guide.
Linux
Configuring SSH
The system supports ssh in its default configuration only. For information on how to configure ssh, refer to the Linux System Administration guide.
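The ssh variant of ca_ps needs otcaop on one openCA host to reach the other without a password, and the guide leaves the ssh configuration to the System Administrator. The following added example (not part of the Fastwire guide or the openCA scripts) shows one way to set that up while keeping the key's reach small: the peer's otcaop public key is accepted only from the peer's address and without port forwarding, agent forwarding, X11 or a tty, and a BatchMode connection test confirms that key authentication works without any prompt. The host names, key material and home directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Fastwire guide): password-less ssh for ca_ps.ssh
# with the otcaop key restricted in authorized_keys to the peer openCA host.

# restricted_key_entry PEER PUBKEY_FILE: print the authorized_keys line for the
# single public key in PUBKEY_FILE, usable only from PEER. PEER should be the
# peer's IP address; a host name only matches if sshd can resolve it.
restricted_key_entry() {
    peer=$1
    IFS= read -r pub < "$2" || [ -n "$pub" ] || return 1
    case $pub in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $2" >&2; return 1 ;;
    esac
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$peer" "$pub"
}

# install_peer_key PEER PUBKEY_FILE [HOME]: append the restricted entry to
# HOME/.ssh/authorized_keys (default: this user's home) with the permissions
# sshd's StrictModes expects (directory 0700, file 0600), once only.
install_peer_key() {
    home=${3:-$HOME}
    entry=$(restricted_key_entry "$1" "$2") || return 1
    umask 077
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$entry" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$entry" >> "$home/.ssh/authorized_keys"
    fi
}

# check_passwordless PEER: confirm otcaop can run a command on PEER with key
# authentication alone. BatchMode=yes makes ssh fail instead of prompting, so
# this is safe to run from cron or a script; exit status is ssh's.
check_passwordless() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 \
        "otcaop@$1" true
}
```

On each host, run `install_peer_key <peer-ip> <peer-otcaop-key.pub>` as otcaop with the other host's public key, then `check_passwordless <peer-ip>`; a non-zero exit means ca_ps.ssh would hang waiting for a password. The `from=` restriction means a copy of the private key taken off the peer host is useless from anywhere else, and `no-pty` with the forwarding options keeps the key usable for listing processes but not for interactive access or tunnelling.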
Configuration Review
After the openCA software is installed and before the openCA application is started, operators should review the configuration files for correctness. See the openCallAgent 4.3.8 User Guide for configuration information.
Startup
After the configuration files have been verified, the application can be started. See the openCallAgent 4.3.8 User Guide for information about starting and stopping openCA.
Introduction
This chapter contains instructions for removing the openCA software from a host.
Note:
These instructions use example openCA releases to demonstrate how an openCA platform may be uninstalled.
Notes
Before uninstalling an openCA release, all its running processes, including its configuration database, must first be shut down.
Uninstallation
Solaris
To remove an openCA installation, follow the steps in Procedure 5-1 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to list all installed openCA releases and patches:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number
        Package Identifier
        Release Number
        Package Identifier
        Fully Applied Patches
        ---------------------
        Patch Number
        Patch Identifier
        -------------------------------
Step 3. If any patches have been applied to the openCA release that you wish to uninstall, you must uninstall them before removing the openCA release. For information on removing openCA patches, see Chapter 7: Uninstalling openCA Patches.
Step 4. In this example, the openCA-1.3.7 release will be removed. Enter the following command to remove this release:
        pkgrm OPENca.2
        Answer 'y' to the questions presented.
Procedure 5-1: Uninstalling an openCA release from a Solaris Platform (Sheet 1 of 2)
Step 5. Enter the following command to verify that the openCA-1.3.7 release has been removed:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca.4
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.2
        Patch Identifier   : OPENcaP
        -------------------------------
Linux
To remove an openCA installation, follow the steps in Procedure 5-2 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to list all installed openCA releases and patches:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-1.3.7
        Package Identifier : OPENca-1.3.7-1
        Release Number     : openCA-4.3.8.1   <-- current
        Package Identifier : OPENca-4.3.8-1
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.2
        Patch Identifier   : OPENcaP-4.3.8.2-1
        -------------------------------
Step 3. If any patches have been applied to the openCA release that you wish to uninstall, you must uninstall them before removing the openCA release. For information on removing openCA patches, see Chapter 7: Uninstalling openCA Patches.
Step 4. In this example, the openCA-1.3.7 release will be removed. Enter the following command to remove this release:
        rpm -e OPENca-1.3.7-1
        Answer 'y' to the questions presented.
Step 5. Enter the following command to verify that the openCA-1.3.7 release has been removed:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca-4.3.8-1
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.2
        Patch Identifier   : OPENcaP-4.3.8.2-1
        -------------------------------
Chapter 6: Installing openCA Patches
Introduction
This chapter contains instructions for installing openCA patches.
Note:
These instructions use an example openCA patch, openCA-4.3.8.2, to demonstrate how to install an openCA patch.
Notes
Patches are cumulative, e.g. openCA-4.3.8.3 contains fixes from both openCA-4.3.8.1 and openCA-4.3.8.2. It is not possible to install a patch to a release that is running. For instructions on how to stop a release, see Chapter 2 : System Management, in the openCallAgent 4.3.8 User Guide.
Installation
Solaris
To install an openCA patch, follow the steps in Procedure 6-1 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to create a temporary directory:
        mkdir /opt/CA_INSTALL
Step 3. Enter the following commands to extract the openCA-4.3.8.2 patch file from the CD:
        cd /opt/CA_INSTALL
        gzip -dc /cdrom/cdrom0/openCA-4.3.8.2.tar.gz | tar xvf -
Step 4. Enter the following command to install the patch:
        pkgadd -d . OPENcaP
        Answer 'y' to the questions presented.
Step 5. Enter the following command to check that the patch is installed:
        ca_report
        The following is an example of the text that appears. In this example the patch which has been installed is openCA-4.3.8.2.
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number
        Package Identifier
        Release Number
        Package Identifier
        Fully Applied Patches
        ---------------------
        Patch Number
        Patch Identifier
        -------------------------------

Procedure 6-1: Installing an openCA patch on a Solaris Platform
Linux
To install an openCA patch, follow the steps in Procedure 6-2 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to create a temporary directory:
        mkdir /opt/CA_INSTALL
Step 3. Enter the following commands to copy the openCA-4.3.8.2 patch file from the CD:
        cd /opt/CA_INSTALL
        cp /cdrom/cdrom0/OPENcaP-4.3.8.2-1.i686.rpm .
Step 4. Enter the following command to install the patch:
        rpm -i OPENcaP-4.3.8.2-1.i686.rpm
Step 5. Enter the following command to check that the patch is installed:
        ca_report
        The following is an example of the text that appears. In this example the patch which has been installed is openCA-4.3.8.2.
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number
        Package Identifier
        Release Number
        Package Identifier
        Fully Applied Patches
        ---------------------
        Patch Number
        Patch Identifier
        -------------------------------

Procedure 6-2: Installing an openCA patch on a Linux Platform
Chapter 7: Uninstalling openCA Patches
Introduction
This chapter contains instructions for removing openCA patches.
Note:
These instructions use example openCA releases and patches to demonstrate how to remove an openCA patch.
Notes
It is not possible to uninstall a patch for an openCA release that is running. For instructions on how to stop a release, see Chapter 2: System Management in the openCallAgent 4.3.8 User Guide. Patches must be uninstalled in reverse order, e.g. openCA-4.3.8.3 must be removed before openCA-4.3.8.2, which must in turn be removed before openCA-4.3.8.1.
Uninstallation
Solaris
To uninstall an openCA patch, follow the steps in Procedure 7-1 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to list all installed openCA releases and patches:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-1.3.7
        Package Identifier : OPENca.2
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca.4
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.1
        Patch Identifier   : OPENcaP
        Patch Number       : openCA-4.3.8.2
        Patch Identifier   : OPENcaP.2
        -------------------------------
Step 3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the following command to remove this patch:
        pkgrm OPENcaP.2
        Answer 'y' to the questions presented.

Procedure 7-1: Uninstalling an openCA patch from a Solaris host (Sheet 1 of 2)
Step 4. Enter the following command to check that the openCA-4.3.8.2 patch has been removed:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-1.3.7
        Package Identifier : OPENca.2
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca.4
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.1
        Patch Identifier   : OPENcaP
        -------------------------------
Linux
To uninstall an openCA patch, follow the steps in Procedure 7-2 on each host.

Step 1. Log on as user root.
Step 2. Enter the following command to list all installed openCA releases and patches:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-1.3.7
        Package Identifier : OPENca-1.3.7-1
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca-4.3.8-1
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.1
        Patch Identifier   : OPENcaP-4.3.8.1-1
        Patch Number       : openCA-4.3.8.2
        Patch Identifier   : OPENcaP-4.3.8.2-1
        -------------------------------
Step 3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the following command to remove this patch:
        rpm -e OPENcaP-4.3.8.2-1

Procedure 7-2: Uninstalling an openCA patch from a Linux host (Sheet 1 of 2)
Step 4. Enter the following command to check that the openCA-4.3.8.2 patch has been removed:
        ca_report
        The following is an example of the text that appears:
        oca01# ca_report
        -------------------------------
        Fully Installed OPENca Releases
        -------------------------------
        Release Number     : openCA-1.3.7
        Package Identifier : OPENca-1.3.7-1
        Release Number     : openCA-4.3.8   <-- current
        Package Identifier : OPENca-4.3.8-1
        Fully Applied Patches
        ---------------------
        Patch Number       : openCA-4.3.8.1
        Patch Identifier   : OPENcaP-4.3.8.1-1
        -------------------------------
Package Information
The OPENca-SUBWEB package (openCA Subscriber Web Access) provides subscribers with access to openCA through a Web interface. You can install this package on the same server as openCA, but for production environments Fastwire recommend that you install it on a separate server.
System Requirements
The OPENca-SUBWEB installation requires approximately 3.5 MB of disk space in /opt.
If installing with rpm -i commands, after installing the postgresql packages you must run the initdb command. If installing using yum, the initdb command is not required, as yum will have run it.
Solaris 10
The following packages must be installed on the host prior to installing OPENca-SUBWEB. These packages are normally included in the Solaris 10 default installation.

Prerequisite Package    Description
SUNWapch2r              The Apache HTTP server program Version 2 (root components)
SUNWapch2u              The Apache HTTP Server Version 2 (usr components)
SUNWpostgr-83-server    PostgreSQL database server
SUNWopensslr            OpenSSL (Root)
SUNWperl584core         Perl 5.8.4 (core)
SUNWperl584usr          Perl 5.8.4 (non-core)
SUNWpmdbdpg             The DBI PostgreSQL Interface for Perl
SUNWpmdbi               Perl Database Independent Interface
Directories
The directory structure created by the installation of OPENca-SUBWEB follows the convention shown below:

    /opt/OPENca/openCA-4.3.8/apache/

The current link identifies the version that is presently active. The directories and files shown below are created under the above installation directory:

Directory/File    Contents
bin               sub_configure.pl        Subscriber access service configuration script
                  apachectl               Apache web server startup script (Linux only)
                  sub_createdb.pl         PostgreSQL web database creation script
                  dbconfig.sql            PostgreSQL web database initialization script
                  postgres_configure.pl   PostgreSQL web database configuration script
cgi-bin           Source scripts to be run by the Apache web server
conf              httpd.conf              Web server configuration file
                  ssl.conf                SSL configuration file
                  postgresql.conf, pg_hba.conf           PostgreSQL server configuration files
                  server.crt, server.csr, server.key     Self-signed SSL certificate files
htdocs            index.html, CSS tables, images, JavaScript, .htaccess
skel              Original subscriber access, Apache web server, PostgreSQL database and SSL configuration
run               (Solaris only) Apache run directory, used to create the httpd.pid file
Platform-specific locations used by the OPENca-SUBWEB installation:

Linux
    /var/lib/pgsql/data/postgresql.conf
    /var/lib/pgsql/data/pg_hba.conf

Solaris
    /etc/apache2
    /var/postgres/8.3/data/postgresql.conf
    /var/postgres/8.3/data/pg_hba.conf
    /var/apache2/logs
    /usr/apache2/libexec

openCA installation tree
    /opt/OPENca/current/apache/conf/pg_hba.conf
    /opt/OPENca/current/apache/logs
    /opt/OPENca/current/apache/modules
Users
OPENca-SUBWEB installs its own user, otcaop, if that user has not yet been created by the OPENca package. Similarly, removal of the OPENca-SUBWEB package also removes the otcaop user if no OPENca packages remain installed. OPENca-SUBWEB uses the PostgreSQL database to save subscriber service data. This PostgreSQL database is operated by the postgres user, which is created automatically during the installation of the postgresql-server package. You must set the password for the postgres user.
Solaris
Installation of the OPENca-SUBWEB package adds configuration for the otcaop user to /etc/user_attr to allow otcaop to assume the postgres role.
In either case, see Installing openCA Subscriber Web Access on Linux on page 49 or Installing openCA Subscriber Web Access on Solaris on page 52 depending on your operating system. If installing on a non-openCA host, also see Additional Steps for Installing openCA Subscriber Web Access on a Different Host on page 55.
Step 5. Enter the following command to set the password for otcaop:
        passwd otcaop
Step 6. Enter the following command to set the password for postgres:
        passwd postgres
Step 7. Ensure the PostgreSQL service is configured:
        ls -l /var/lib/pgsql/data
        If the directory is empty, run initdb as the postgres user:
        initdb
Procedure 8-1: Installing openCA Subscriber Web Access for Linux. (Sheet 1 of 3)
Step 8. As user otcaop, run the sub_configure.pl script to install the necessary scripts and configuration files. This script performs the following actions:
        a. Copies the scripts and configuration files from the installation area, /opt/OPENca/openCA-4.3.8/apache/skel, to their operational area, /opt/OPENca/openCA-4.3.8/apache/conf.
        b. Edits the files in the operational area according to your installation selections.
        c. Installs links at /etc/init.d and /var/lib/pgsql/data.
        d. (Optionally) Generates temporary self-signed certificates for secure Web access.
        e. (Optionally) Creates and configures the Subscriber Web Database, using the default /opt/OPENca/current/apache/bin/dbconfig.sql schema to initialize the newly-created database.
        Note: Do not create the Subscriber Web Database using this script if you intend to restore the database with imported contents.
        To run sub_configure.pl, enter the following commands:
        cd /opt/OPENca/openCA-4.3.8/apache/bin
        ./sub_configure.pl
        You will be prompted to answer questions. Where available, you may select the default value shown in [] brackets by pressing the Enter key. Example session:
        [root@rhel-a bin]# ./sub_configure.pl
        Enter version to be configured[openCA-4.3.8]:
        Changing to user otcaop
        Enter the name of this host[rhel-a]:
        Enter IP address of peer OpenCA: 10.1.1.95
        Enter WEB Database host name or IP address: 127.0.0.1
        Enter the name of the WEB Database[subdb-rhel-a]:
        PostreSQL and APACHE server configuration has been changed. Make sure to restart the services.
        Would you like to generate self-signed SSL certificates: yes/no?[yes]:
Step 9. (Optional) If you did not create a Subscriber Web Database in Step 8 and you intend to import data from a different database, create one now by running the following script as the postgres user:
        ./sub_createdb.pl -n <database_name> -f <db_dump.sql>
        Note: db_dump.sql is the output of the following command when it is run on the database to be restored:
        pg_dump -Fc --format=p --file=db_dump.sql <database_name>
Procedure 8-1: Installing openCA Subscriber Web Access for Linux. (Sheet 2 of 3)
Step 10. (Optional) If you created the Subscriber Web Database in step 8 or 9, as the postgres user check that the database was created and initialized successfully using the following command:
         psql -l
         The output should show the newly created subscriber database in the List of Databases.
Step 11. Run or re-run the Apache service by performing the following steps:
         a. Stop any running Apache instances:
            service apachectl stop
         b. Ensure that current points to the newly-installed version of OPENca-SUBWEB:
            ls -l /opt/OPENca/
         c. Sometimes the pass phrase prompt can be inconvenient, especially when you want Apache to start automatically on boot without user intervention. To disable the pass phrase, as the otcaop user, decrypt the server.key:
            cd /opt/OPENca/current/apache/conf
            mv server.key server.key.orig
            openssl rsa -in server.key.orig -out server.key
         d. If current points to the previous version, update it:
            rm /opt/OPENca/current
            ln -s /opt/OPENca/<new_version> /opt/OPENca/current
         e. Start the HTTP daemon:
            service apachectl start
Step 12. Re-start the PostgreSQL database service to apply the updated configuration:
         service postgresql restart
Procedure 8-1: Installing openCA Subscriber Web Access for Linux. (Sheet 3 of 3)
Step 3. Enter the following commands to copy the release from the CD:
        cd /opt/CA_INSTALL
        cp /cdrom/cdrom0/openCA-SUBWEB-<version>.tar.gz .
Step 4. Enter the following command to unzip and untar the package:
        gzip -dc openCA-SUBWEB-<version>.tar.gz | tar xvf -
Step 6. Enter the following command to set the password for otcaop:
        passwd otcaop
        Enter and confirm the password as prompted.
Step 7. Enter the following command to set the password for postgres:
        passwd postgres
        Enter and confirm the password as prompted.
Step 8. Enable the PostgreSQL service:
        svcadm enable postgresql_83:default_32bit
        This creates the PostgreSQL default configuration files in /var/postgres/8.3/data.
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 1 of 3)
Step 9.  As user otcaop, run the sub_configure.pl script to install the necessary scripts and configuration files. This script performs the following actions:
         a. Copies the scripts and configuration files from the installation area, /opt/OPENca/openCA-4.3.8/apache/skel, to their operational area, /opt/OPENca/openCA-4.3.8/apache/conf.
         b. Edits these files in the operational area to match your input.
         c. Installs links at /etc/init.d and /var/lib/pgsql/data.
         d. (Optionally) Generates temporary self-signed certificates for secure Web access.
         e. (Optionally) Creates and configures the Subscriber Web Database.
         To run sub_configure.pl, enter the following commands:
         cd /opt/OPENca/openCA-4.3.8/apache/bin
         ./sub_configure.pl
         You will be prompted to answer questions. Where available, you may select the default value shown in [] brackets by pressing the Enter key. When prompted to enter a pass phrase for /opt/OPENca/openCA-4.3.8/apache/conf/server.key, enter any phrase and re-enter the same phrase at each of the following prompts for the server key. Remember the pass phrase, as you may need to provide it later.
Step 10. (Optional) If you did not create a Subscriber Web Database in Step 9 and you intend to import data from a different database, create one now by running the following script as the postgres user:
         ./sub_createdb.pl -n <database_name> -f <db_dump.sql>
         Note: db_dump.sql is the output of the following command when it is run on the database to be restored:
         pg_dump -Fc --format=p --file=db_dump.sql <database_name>
Step 11. (Optional) If you created the Subscriber Web Database in step 9 or 10, as the postgres user check that the database was created and initialized successfully using the following command:
         psql -l
         The output should show the newly created subscriber database in the List of Databases.
Step 12. Re-start the PostgreSQL database service to apply the updated configuration:
         svcadm disable postgresql_83:default_32bit
         svcadm enable postgresql_83:default_32bit
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 2 of 3)
Step 13. Run or re-run the Apache service by performing the following steps:
         a. Stop any running Apache instances:
            svcadm disable apache2
         b. Ensure that current points to the newly-installed version of OPENca-SUBWEB:
            ls -l /opt/OPENca/
         c. If current points to a previous version, update it using the following commands:
            rm /opt/OPENca/current
            ln -s /opt/OPENca/<new_version> /opt/OPENca/current
         d. As the otcaop user, decrypt the server.key, removing the requirement for a pass phrase on each re-start of the Apache service:
            cd /opt/OPENca/current/apache/conf
            mv server.key server.key.orig
            /usr/sfw/bin/openssl rsa -in server.key.orig -out server.key
         e. As the root user, start the HTTP daemon:
            svcadm enable apache2
         f. Check that the Apache service has started successfully:
            svcs | grep apache2
            The output should be similar to the following:
            online 15:33:55 svc:/network/http:apache2
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 3 of 3)
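Step 11c of Procedure 8-1 and step 13d of Procedure 8-2 decrypt server.key so that Apache can start without a pass phrase; from then on the file permissions are the only protection on the private key. The following added example (not part of the Fastwire guide) performs the same decryption while keeping the encrypted copy, creates the plain key with an owner-only umask, and checks that neither file is readable by group or others. The conf directory and the openssl path are parameters; their defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fastwire guide): strip the pass phrase from
# server.key as in steps 11c (Linux) and 13d (Solaris), keeping the encrypted
# original and leaving both files readable only by their owner.

# key_mode FILE: print the nine-character permission string, e.g. rw-------.
key_mode() {
    ls -ld "$1" | cut -c2-10
}

# key_private_ok FILE: succeed only if FILE is a regular file with no group or
# other permission bits set.
key_private_ok() {
    [ -f "$1" ] || return 1
    case $(key_mode "$1") in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# strip_passphrase CONFDIR [OPENSSL]: decrypt CONFDIR/server.key in place,
# keeping the encrypted copy as server.key.orig. OPENSSL defaults to the
# openssl found on PATH (on Solaris pass /usr/sfw/bin/openssl, as the guide
# does). Fails if the key is missing or either file ends up too open.
strip_passphrase() {
    conf=$1; openssl=${2:-openssl}
    [ -f "$conf/server.key" ] || { echo "no $conf/server.key" >&2; return 1; }
    oldmask=$(umask); umask 077                   # files created below: owner-only
    [ -f "$conf/server.key.orig" ] || cp -p "$conf/server.key" "$conf/server.key.orig"
    chmod 600 "$conf/server.key.orig"
    # openssl prompts for the pass phrase; write to a temp name so a failed run
    # never leaves a half-written server.key behind.
    if "$openssl" rsa -in "$conf/server.key.orig" -out "$conf/server.key.tmp"; then
        rc=0
    else
        rc=$?
    fi
    umask "$oldmask"
    [ "$rc" -eq 0 ] || { rm -f "$conf/server.key.tmp"; return 1; }
    mv "$conf/server.key.tmp" "$conf/server.key"
    chmod 600 "$conf/server.key"
    key_private_ok "$conf/server.key" && key_private_ok "$conf/server.key.orig"
}
```

Typical use is `strip_passphrase /opt/OPENca/current/apache/conf` as otcaop on Linux, or with `/usr/sfw/bin/openssl` as the second argument on Solaris. `key_private_ok` can also be run on its own against an existing server.key as a quick post-installation check.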
Additional Steps for Installing openCA Subscriber Web Access on a Different Host
If you are installing openCA Subscriber Web Access on a separate (non-openCA) host, perform the following additional configuration steps after installation.

Step 0. Before you begin, ensure:
        - You have access to the root account on each openCA host.
        - You have installed OPENca-SUBWEB on the current (non-openCA) host for your operating system: Installing openCA Subscriber Web Access on Linux (page 49) or Installing openCA Subscriber Web Access on Solaris (page 52).
Step 1. As the root user, edit the configuration file /opt/OPENca/current/etc/openCallAgent.conf on each openCA host:
        a. Set the ViaTCP.listenhostIP parameter of the Subscriber Database package to the FVIP IP address.
        b. Set the ViaTCP.remotehostIP parameter of the Subscriber Database package to the IP address of the (non-openCA) host running the Subscriber Access Web Service.
Step 2. The PostgreSQL database uses the /opt/OPENca/openCA-4.3.8/apache/conf/pg_hba.conf file installed on the Subscriber Access Web Service host to authenticate clients connecting to the database. The file has the following default settings, which allow connections to the database over UNIX-domain sockets or local loopback TCP/IP connections:
        local   all   all                  trust
        host    all   all   127.0.0.1/32   trust
        Edit the file to provide both openCA servers with access to the database. Substitute:
        #host all all >>OpenCA Peer IP Address<</32 trust
        with the following lines:
        host all all <OpenCA-1 IP Address>/32 trust
        host all all <OpenCA-2 IP Address>/32 trust
Step 3. Edit the /opt/OPENca/openCA-4.3.8/apache/cgi-bin/sub/configMap.pm file on the Subscriber Access Service host. Set the SubDB_HOST parameter to the FVIP IP address of openCA:
        SubDB_HOST => '<OpenCA FVIP IP Address>',
Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host.
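Step 2 of Procedure 8-3 replaces a commented placeholder with trust entries for the two openCA hosts. In pg_hba.conf the trust method accepts any client connecting from the listed address without a password, so the set of trusted addresses is the whole of the database's access control and is worth reviewing after the edit. The following added example (not part of the Fastwire guide) performs the substitution on a copy of the file and then lists every non-loopback address the file trusts, so the operator can confirm that only the two openCA hosts appear. The sample file contents and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Fastwire guide): apply the pg_hba.conf edit from
# Procedure 8-3 step 2 and audit which remote sources the file trusts.

# render_pg_hba IN OUT IP1 IP2: copy IN to OUT, replacing the placeholder line
# shipped in the skeleton file with one "host ... trust" line per openCA host.
render_pg_hba() {
    awk -v ip1="$3" -v ip2="$4" '
        /^#host[ \t]+all[ \t]+all[ \t]+>>OpenCA Peer IP Address<<\/32[ \t]+trust/ {
            printf "host    all    all    %s/32    trust\n", ip1
            printf "host    all    all    %s/32    trust\n", ip2
            next
        }
        { print }' "$1" > "$2"
}

# trusted_remote_sources FILE: print "TYPE DATABASE USER ADDRESS" for every
# active host/hostssl/hostnossl line whose method is trust and whose address
# is not the IPv4 or IPv6 loopback. Exit status 1 when at least one is found,
# so the function doubles as a yes/no check.
trusted_remote_sources() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 ~ /^host(ssl|nossl)?$/ && $NF == "trust" {
            addr = $4
            if (NF == 6) addr = $4 " " $5          # "IP netmask" address form
            if (addr == "127.0.0.1/32" || addr == "::1/128") next
            print $1, $2, $3, addr
            found = 1
        }
        END { exit found ? 1 : 0 }' "$1"
}
```

After `render_pg_hba skel/pg_hba.conf conf/pg_hba.conf <ip1> <ip2>`, running `trusted_remote_sources conf/pg_hba.conf` should print exactly the two openCA addresses and nothing else; any extra line is an address that can reach the subscriber database without a password and should be accounted for before PostgreSQL is restarted in step 12.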
Note: The db_dump.sql file is the output of the following command when it is run on the database to be restored:
    pg_dump -Fc --format=p --file=db_dump.sql <database_name>

For information on how to restore the database using a custom archived format, refer to the openCallAgent 4.3.8 User Guide. Running the sub_createdb.pl script prompts you with the following questions:
    Enter the name of the Subscriber Database to be created[subdb-ibm1]:
    Enter version to be configured[openCA-version]:
Solaris Patches
Solaris patches, as specified in the openCallAgent 4.3.8 Release Notes, should be applied to the system before installation. You can get information on the patches from Sun Microsystems at the SunSolve web site (http://sunsolve.sun.com/). On most systems, follow Procedure A-1.

Step 1. Download the Patch Cluster recommended in the openCallAgent 4.3.8 Release Notes from SunSolve (or the Solaris maintenance CD).
Step 2. Search SunSolve for the patches for each individual Solaris feature required by openCA (for example, IP Multipathing and multicast).
Step 3. Use the showrev command to verify that each patch is present on the system and to check the revision number.
Step 4. If a particular patch is not present on the system, or a newer revision of the patch is required, download the latest revision of the patch from SunSolve.
Step 5. Use the patchadd command to add the patch to the system.
Step 6. When all patches have been added to the system, reboot the system for the new patches to take effect.
Note:
Maintaining patch levels is an important (and ongoing) part of Solaris system administration. It is recommended that operators include patch level management in their system administration policies and procedures.
Linux Patches
Linux patches, as specified in the openCallAgent 4.3.8 Release Notes, should be applied to the system before installation. On most systems, follow Procedure A-2.

1. Download and install the recommended service pack from Red Hat.
2. Use the rpm command to add the patch to the system.
Note:
Maintaining patch levels is an important (and ongoing) part of system administration. It is recommended that operators include patch level management in their system administration policies and procedures.
Introduction
This appendix contains information about how openCA hosts should be configured to meet High Availability / Fault Tolerance (redundancy) requirements in the following areas:

Disk mirroring
Disk partitioning
Disk configuration
Note:
You must perform this configuration before installing the openCA software.
Solaris
Partitioning Disk Space
Note: You must install openCA on a UFS partition. It will not work on a ZFS partition.
The configuration is two mirrored disks (i.e. four disks altogether, two 18 GB disks and two 36 GB disks). The two external disks are mirrored against the two internal disks.

Disk 1 : 18 GB

/                     512 MB
swap                  4 GB
mirroring (meta-db)   10 MB
/var                  2 GB
/usr                  5 GB
/opt                  9.5 GB

Disk 2 : 36 GB

/CDR                  33 GB
/logs                 2 GB
mirroring (meta-db)   10 MB
Note:
Procedure B-1 has fewer partitions than would normally be used in an openCA deployment.
Installation Guide
1. Enter format. The following is an example of the screen that appears:

Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c0t0d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
          /pci@1f,4000/scsi@3/sd@0,0
       1. c0t1d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
          /pci@1f,4000/scsi@3/sd@1,0
Specify disk (enter its number):

2. At the format prompt, enter 1. The following is an example of the screen that appears:

selecting c0t1d0
[disk formatted]

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
3. At the format prompt, enter p. The following is an example of the screen that appears:

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
4. At the partition prompt, enter p. The following is an example of the screen that appears:

Current partition table (original):
Total disk cylinders available: 7506 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       0               0         (0/0/0)           0
  1       swap    wu       0 -  222      513.07MB    (223/0/0)    1050776
  2     backup    wm       0 - 7505       16.86GB    (7506/0/0)  35368272
  3 unassigned    wm       0               0         (0/0/0)           0
  4 unassigned    wm       0               0         (0/0/0)           0
  5 unassigned    wm       0               0         (0/0/0)           0
  6 unassigned    wm       0               0         (0/0/0)           0
  7 unassigned    wm       0               0         (0/0/0)           0

5. At the partition prompt, enter s. The following is an example of the screen that appears:

0. original
1. original
Specify table (enter its number)[1]:

6.
7. At the partition prompt, enter p. The following is an example of the screen that appears:

Current partition table (original):
Total disk cylinders available: 7506 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm    1781 - 2003      513.07MB    (223/0/0)    1050776
  1       swap    wu       0 - 1780        4.00GB    (1781/0/0)   8392072
  2     backup    wm       0 - 7505       16.86GB    (7506/0/0)  35368272
  3 unassigned    wm    2004 - 2008       11.50MB    (5/0/0)        23560
  4        var    wm    2009 - 2899        2.00GB    (891/0/0)    4198392
  5        usr    wm    2900 - 3359        1.03GB    (460/0/0)    2167520
  6 unassigned    wm       0               0         (0/0/0)           0
  7 unassigned    wm    3360 - 7505        9.32GB    (4146/0/0)  19535952

8. At the partition prompt, enter l. The following prompt appears:

Ready to label disk, continue?

9. At the prompt, enter y.

10. At the partition prompt, enter q. The following is an example of the screen that appears:

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit

11.
When the system comes back up, /etc/vfstab will be as follows:

#device             device              mount    FS     fsck   mount     mount
#to mount           to fsck             point    type   pass   at boot   options
#
#/dev/dsk/c1d0s2    /dev/rdsk/c1d0s2    /usr     ufs    1      yes       -
fd                  -                   /dev/fd  fd     -      no        -
/proc               -                   /proc    proc   -      no        -
/dev/dsk/c0t0d0s1   -                   -        swap   -      no        -
/dev/md/dsk/d0      /dev/md/rdsk/d0     /        ufs    1      no        -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr     ufs    1      no        -
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /var     ufs    1      no        -
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /opt     ufs    2      yes       -
/dev/dsk/c0t1d0s6   /dev/rdsk/c0t1d0s6  /logs    ufs    2      yes       -
/dev/dsk/c0t1d0s7   /dev/rdsk/c0t1d0s7  /CDR     ufs    2      yes       -
swap                -                   /tmp     tmpfs  -      yes       -

3. Edit /etc/vfstab as follows.

#device             device              mount    FS     fsck   mount     mount
#to mount           to fsck             point    type   pass   at boot   options
#
fd                  -                   /dev/fd  fd     -      no        -
/proc               -                   /proc    proc   -      no        -
/dev/md/dsk/d1      -                   -        swap   -      no        -
/dev/md/dsk/d0      /dev/md/rdsk/d0     /        ufs    1      no        -
/dev/md/dsk/d3      /dev/md/rdsk/d3     /usr     ufs    1      no        -
/dev/md/dsk/d2      /dev/md/rdsk/d2     /var     ufs    1      no        -
/dev/md/dsk/d4      /dev/md/rdsk/d4     /opt     ufs    2      yes       -
/dev/md/dsk/d5      /dev/md/rdsk/d5     /logs    ufs    2      yes       -
/dev/md/dsk/d6      /dev/md/rdsk/d6     /CDR     ufs    2      yes       -
swap                -                   /tmp     tmpfs  -      yes       -

Procedure B-2: Configuring Disk Mirroring (Sheet 1 of 2)
4. Reboot the system.

5. When the system restarts, enter the following to attach the mirror copies:

# metattach d0 d20
# metattach d1 d21
# metattach d2 d22
# metattach d3 d23
# metattach d4 d24
# metattach d5 d25
# metattach d6 d26

The mirrors update automatically.

6. To check the status or progress of the mirrors, use the metastat command.
References
For more detailed information, refer to the Solstice DiskSuite 4.2.1 User's Guide and Solstice DiskSuite 4.2.1 Reference Guide. Also refer to the following Solaris man pages:

man metadb
man metainit
man metaroot
man lockfs
man md.tab
man metastat
Linux
Fastwire recommends you run the Linux version of openCA with the following minimum hardware and software components:

IBM Blade Server
2 CPU (i686)
2 * 36GB Disks
Red Hat Enterprise Linux ES 5.2
[Figure: Redundant Solaris configuration. CA 1 and CA 2 are joined by two P2P connections forming the Redundancy Network; each CA connects to the Call VLAN through multipathing.]
The Redundancy network consists of two point-to-point (P2P) connections. Crossover cables are required for each connection between the two servers. Multipathing is NOT configured on these network connections. Multipathing is used only for connections to the Call VLAN.
IP Network Configuration
Standalone Configuration
In a standalone configuration on Solaris, there is no redundancy network to configure. The openCA host connects to the call VLAN over a pair of physical interface ports configured for IP multipathing. The openCA servers should be set up as shown below.
[Figure: Standalone Solaris configuration. The CA connects to the Call VLAN through multipathing.]
Note:
You must reboot the server for this command to take effect.
For a redundant configuration, allocate IP addresses (on a different subnet from the multipathing network) for the P2P devices: one IP address for each physical interface (in this case, qfe1 and qfe3).

Update the /etc/hosts file with the IP addresses defined above. Fastwire recommends you use the following naming convention:

hostname: The primary (virtual) IP address of the machine.
hostname-interface: The IP address of each physical interface on the machine.
hostname-backup: The backup (virtual) IP address of the machine.
Note:
Ensure that physical interface cards are cabled correctly and that IP addresses are assigned to the appropriate interfaces.
Note:
You must reboot the server for this command to take effect, unless the IP driver parameter ip_forwarding is set to zero using the ndd /dev/ip command.
1. Create the rdisc file in /etc/init.d. See Contents of /etc/init.d/rdisc on page 71.

2. Enter the following command to allow execute permission on the file:

chmod 755 /etc/init.d/rdisc

3. To test the script, start the router discovery daemon by entering the following command:

/etc/init.d/rdisc start

4. Enter the following command to create a hard link to this file in /etc/rc2.d:

ln /etc/init.d/rdisc /etc/rc2.d/S70rdisc
By default, the router discovery daemon will not start if there are routes defined in the /etc/defaultrouter file. Procedure C-1 ensures that the router discovery daemon will start under all circumstances.
Contents of /etc/init.d/rdisc
#!/bin/sh
#
# If parameter 1 is "start" then check if the router discovery
# daemon, in.rdisc, is running and if not, start it. If parameter 1
# is "stop" then stop in.rdisc
#
case "$1" in
'start')
        if [ -x /usr/bin/pgrep ]
        then
                /usr/bin/pgrep -x -u 0 in.rdisc >/dev/null 2>&1 || \
                        /usr/sbin/in.rdisc -f >/dev/msglog 2>&1
        else
                logger Cannot execute /usr/bin/pgrep, in.rdisc not started.
        fi
        ;;
'stop')
        /usr/bin/pkill -x -u 0 in.rdisc
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0
Contents of /etc/hostname.hme0
oca01-hme0 netmask + broadcast + \
    group call-control deprecated -failover up \
    addif oca01 netmask + broadcast + failover up
Contents of /etc/hostname.qfe0
oca01-qfe0 netmask + broadcast + \
    group call-control deprecated -failover up \
    addif oca01-backup netmask + broadcast + failover up
Contents of /etc/hostname.qfe1
oca01-qfe1 netmask + destination oca02-qfe1
Contents of /etc/hostname.qfe3
oca01-qfe3 netmask + destination oca02-qfe3
This configuration will place interface hme0 and hme1 in an IP Multipathing group known as production and the interfaces qfe1 and qfe3 as P2P connections for the Redundancy network. The addif command creates the virtual interfaces used by the IP Multipathing daemon (in.mpathd). These virtual interfaces have the failover flag indicating that they will fail over in the event of an interface failure. Reboot the server for the multipathing changes to take effect.
4. To check that in.mpathd is running, enter the following command:

ps -ef | grep in.mpathd

5. Monitor the file /var/adm/messages for messages from the IP Multipathing daemon.
If you get a large number of messages as shown below, you may need to increase the FAILURE_DETECTION_TIME:
Jan 18 15:16:55 osg01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6368 ms
If you're still seeing a large number of these messages and the FAILURE_DETECTION_TIME is above 6 seconds, notify Customer Support. Other openCA parameters may have to be adjusted to support this FAILURE_DETECTION_TIME.
1. Configure the IP address of the default router for the local network in the /etc/defaultrouter file (as normal). For example, where CSS devices are used, the IP address of the default router is typically the redundant interface address in the local network that was configured on both CSS devices. In this example, 203.194.24.11.

2. Select a subnet address that is not used in the network or which is not accessible from the local network (for example, 192.168.254.0).

3. Determine the local interface IP addresses of the local redundant gateway devices. For example:

203.194.24.9 is the IP address of interface e2 on CSS01 in the local network
203.194.24.10 is the IP address of interface e2 on CSS02 in the local network

4. Configure a static route to the network selected in Step 2 through the interface IP address on each redundant gateway device. In this example:

# route add 192.168.254.0 203.194.24.9
# route add 192.168.254.0 203.194.24.10

5. To verify the correct operation of IP Multipathing after the change in Step 4, enter the following command:

# snoop -d <interface> icmp

Where <interface> is the interface on the local network (for example, hme0, qfe0 and so forth). Look for periodic ICMP echo requests to three addresses. In this example, 203.194.24.9, 203.194.24.10 and 203.194.24.11.
To verify the P2P connections, ping the far end of the connection (i.e. from oca01):

ping 10.10.10.2

and confirm that you get a response:

10.10.10.2 is alive
Troubleshooting IP Multipathing
In the example below, hme0 fails.
Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
Sep 21 12:10:51 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
The message log shows that the interface failure is detected almost immediately. Then, within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the primary (virtual) IP address to hme1.
The ifconfig command shows how IP Multipathing handles the interface failure. Interface hme0 is labelled FAILED and the primary (virtual) IP address that was virtual interface hme0:1 on hme0 has moved to virtual interface hme1:2 on hme1. The server will not respond to 203.194.24.1 (the IP address assigned to the physical interface hme0) but will respond to the remaining three IP addresses, 203.194.24.2, 203.194.24.3 and 203.194.24.4.
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bd
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
qfe0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00
The messages below are generated when hme0 is repaired. The output of ifconfig will return to that shown in Verifying Operation of IP Multipathing and P2P Connections on page 75.
Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : External Transceiver Selected.
Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
Sep 21 12:12:50 oca03 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0
The message log shows that the interface failure is detected almost immediately. Then, within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the backup (virtual) IP address to hme0. The ifconfig command shows how IP Multipathing handles the interface failure. Interface hme1 is labelled FAILED and the backup (virtual) IP address that was virtual interface hme1:1 on hme1 has moved to virtual interface hme0:2 on hme0. The server will not respond to 203.194.24.2 (the IP address assigned to the physical interface qfe0) but will respond to the remaining three IP addresses, 203.194.24.1, 203.194.24.3 and 203.194.24.4.
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bd
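As an added example that is not from the openCA documentation, this Python script parses ifconfig -a output like the two listings in this section and reports, per IPMP group, which physical interface is FAILED, where each address currently lives, and which addresses the host will not answer on. The sample output is constructed after the failed-hme0 listing above.

```python
import re

# Constructed ifconfig -a output (modelled on the failed-hme0 listing above).
SAMPLE_IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bd
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
qfe0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
"""

HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)")
GROUP_RE = re.compile(r"^\s+groupname (\S+)")


def parse_ifconfig(text):
    """Return {iface: {"flags": set, "inet": address or None, "group": name or None}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")),
                               "inet": None, "group": None}
            continue
        if current is None:
            continue
        m = INET_RE.match(line)
        if m:
            ifaces[current]["inet"] = m.group(1)
            continue
        m = GROUP_RE.match(line)
        if m:
            ifaces[current]["group"] = m.group(1)
    return ifaces


def ipmp_status(text):
    """Summarise each IPMP group in ifconfig -a output.

    Per group: physical interfaces flagged FAILED, healthy physical interfaces,
    the logical/physical interface each address currently sits on (hme0:1
    belongs to the group of its parent hme0), and the addresses the host will
    not answer on because their physical interface has failed.
    """
    ifaces = parse_ifconfig(text)
    groups = {}
    for name, info in ifaces.items():
        phys = name.split(":", 1)[0]
        group = ifaces.get(phys, {}).get("group")
        if group is None:
            continue  # lo0 and the P2P links are not in a multipathing group
        g = groups.setdefault(group, {"failed": [], "healthy": [],
                                      "addresses": {}, "unreachable": []})
        if name == phys:
            (g["failed"] if "FAILED" in info["flags"] else g["healthy"]).append(name)
        if info["inet"]:
            g["addresses"][info["inet"]] = name
            if "FAILED" in ifaces[phys]["flags"]:
                g["unreachable"].append(info["inet"])
    return groups


if __name__ == "__main__":
    for group, state in ipmp_status(SAMPLE_IFCONFIG).items():
        print(group, state)
```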
The following example shows the messages generated when hme1 is repaired. The output of ifconfig will return to that shown in Verifying Operation of IP Multipathing and P2P Connections on page 75.
Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : External Transceiver Selected.
Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on qfe0
Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC qfe0
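An added Python example (not from the openCA documentation) that turns the /var/adm/messages lines shown in this troubleshooting section, together with the FAILURE_DETECTION_TIME warning shown earlier, into a summary: per-NIC failure/repair state, the failover and failback sequence, and whether in.mpathd has reported an achievable detection time above the 6 seconds at which the guide says to notify Customer Support. The log excerpt is constructed from the messages quoted in this appendix.

```python
import re

# Constructed /var/adm/messages excerpt, built from the messages quoted in this
# appendix (one extra FAILURE_DETECTION_TIME warning added for the example).
SAMPLE_MESSAGES = """\
Jan 18 15:16:55 oca01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6368 ms
Jan 18 15:17:20 oca01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6500 ms
Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0
"""

# The guide says to involve Customer Support once FAILURE_DETECTION_TIME is above 6 s.
MAX_FDT_MS = 6000

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) in\.mpathd\[\d+\]: (.*)$")
FDT_RE = re.compile(r"Cannot meet requested failure detection time of (\d+) ms "
                    r"on \(inet (\S+)\) new failure detection time is (\d+) ms")
FAIL_RE = re.compile(r"NIC failure detected on (\S+)")
FAILOVER_RE = re.compile(r"Successfully failed over from NIC (\S+) to NIC (\S+)")
REPAIR_RE = re.compile(r"NIC repair detected on (\S+)")
FAILBACK_RE = re.compile(r"Successfully failed back to NIC (\S+)")


def analyse_mpathd(text):
    """Summarise in.mpathd syslog lines.

    Returns a dict with:
      fdt_warnings:   {nic: [achievable detection times in ms, in log order]}
      fdt_over_limit: [(nic, ms)] for warnings whose new time exceeds MAX_FDT_MS
      nic_state:      {nic: "failed" | "repaired"} (last state seen)
      events:         [(timestamp, kind, detail)] for failure/failover/repair/failback
    Lines from other sources (e.g. the hme driver) are ignored.
    """
    summary = {"fdt_warnings": {}, "fdt_over_limit": [], "nic_state": {}, "events": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, _host, body = m.groups()
        m = FDT_RE.search(body)
        if m:
            nic, new_ms = m.group(2), int(m.group(3))
            summary["fdt_warnings"].setdefault(nic, []).append(new_ms)
            if new_ms > MAX_FDT_MS:
                summary["fdt_over_limit"].append((nic, new_ms))
            continue
        m = FAIL_RE.search(body)
        if m:
            summary["nic_state"][m.group(1)] = "failed"
            summary["events"].append((stamp, "failure", m.group(1)))
            continue
        m = FAILOVER_RE.search(body)
        if m:
            summary["events"].append((stamp, "failover", f"{m.group(1)}->{m.group(2)}"))
            continue
        m = REPAIR_RE.search(body)
        if m:
            summary["nic_state"][m.group(1)] = "repaired"
            summary["events"].append((stamp, "repair", m.group(1)))
            continue
        m = FAILBACK_RE.search(body)
        if m:
            summary["events"].append((stamp, "failback", m.group(1)))
    return summary


def needs_escalation(summary):
    """True when in.mpathd reports it cannot achieve a detection time within MAX_FDT_MS."""
    return bool(summary["fdt_over_limit"])


if __name__ == "__main__":
    result = analyse_mpathd(SAMPLE_MESSAGES)
    print(result)
    print("escalate:", needs_escalation(result))
```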
Related Commands
The two main daemons required for correct operation of IP Multipathing are:

/usr/sbin/in.rdisc (router discovery daemon)
/sbin/in.mpathd (IP Multipathing daemon)

The following commands let you see whether these daemons (for example, in.mpathd) are running:

/usr/bin/pgrep in.mpathd
/bin/ps -ef | grep in.mpathd

The pgrep command returns the process ID of the process, if the process is running (scheduled). If the process is not running, pgrep returns nothing. The grep command performs a text search on the list of running (scheduled) processes. The netstat -rn command shows the current routing table on the server (see below). In this case, the best route to network 192.168.16.0 is through interface hme0:1, which is the primary (virtual) IP address (192.168.16.20).
# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref    Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
203.194.24.0         203.194.24.3         U        1     12  qfe0:1
203.194.24.0         203.194.24.4         U        1      2  hme0:1
203.194.24.0         203.194.24.2         U        1      0  qfe0
203.194.24.0         203.194.24.1         U        1      0  hme0
224.0.0.0            203.194.24.4         U        1      0  hme0:1
10.10.10.2           10.10.10.1           UH       1      0  qfe1
10.10.10.4           10.10.10.3           UH       1      0  qfe3
default              203.194.24.11        UG       1    367
127.0.0.1            127.0.0.1            UH      23 696581  lo0
Each entry in the /etc/hosts file should take the following form:

IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of 203.194.24.19 and a backup IP address of 203.194.24.18, the following entries would need to be inserted in /etc/hosts:

203.194.24.8 oca02 alt-name-4-oca02
203.194.24.7 oca02-backup
Thereafter, if we ping or telnet oca02 (or alt-name-4-oca02), all communications will be with the remote IP address 203.194.24.8, whereas if we ping or telnet oca02-backup, all communications will be with the remote IP address 203.194.24.7.
[Figure: IBM BladeCenter redundant configuration. CA 1 and CA 2 connect to the Call VLAN over the BladeCenter IP Backbone.]
[Figure: Redundant configuration with two switches. CA 1 and CA 2 connect to SW 1 and SW 2, which are joined by an ISL, to reach the Call VLAN.]
Standalone Configuration
In a standalone Linux configuration the openCA host is directly connected to the call VLAN over a single network interface as shown in the diagram below.
[Figure: Standalone Linux configuration. openCA connects directly to the Call VLAN.]
Each entry in the /etc/hosts file should take the following form:

IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of 203.194.24.8, the following entry would need to be inserted in /etc/hosts:

203.194.24.8 oca02

Thereafter, if we ping or telnet oca02, all communications will be with the remote IP address 203.194.24.8.

Finally, process logging, CDR storing, and listening for H323 connections will also usually occur on the same host as openCA is running. Therefore, loghost, myCDR, myASP, and myH323Listener should be added to the entry for the local Call Agent.
Note:
Ensure that physical interface cards are cabled correctly and that IP addresses are assigned to the appropriate interfaces.
[Figure: Redundant Linux configuration with two switches. CA 1 and CA 2 connect to SW 1 and SW 2, which are joined by an ISL, to reach the Call VLAN.]
Note:
Ethernet bonding is not configured if IBM Blade Center Redundant Configuration is used.
bond0 is the name of the virtual bonded interface to be created
eth0 is the first slave interface
eth1 is the second slave interface
203.194.24.118 is to be assigned to the bonded interface

The configuration proceeds as described in Procedure C-4.

1. As user root, change directory to /etc/sysconfig/network-scripts and create the interface configuration file for the bonding interface, ifcfg-bond0. It should contain the following lines:

DEVICE=bond0
BONDING_OPTS="mode=active-backup miimon=100"
BOOTPROTO=static
ONBOOT=YES
NETWORK=203.194.24.0
NETMASK=255.255.255.0
IPADDR=203.194.24.118
USERCTL=no

2. Create (or edit if it already exists) the interface config file ifcfg-eth0 as follows:

DEVICE=eth0
HWADDR=<MAC address>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no

3. Create (or edit if it already exists) the interface config file ifcfg-eth1 as follows:

DEVICE=eth1
HWADDR=<MAC address>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
Procedure C-4: Configuring a bonded interface (Sheet 1 of 2)
4. Enable the loading of the bonding ethernet kernel module with the correct options by editing the file /etc/modprobe.conf and adding the following line:

alias bond0 bonding

5. The server should be rebooted for the changes to take effect:

reboot

6. After reboot there should be a bond0 interface. The bond0 interface should be the MASTER interface, whilst eth0 and eth1 should be SLAVE interfaces. Enter the following command to view the configuration of the network interface cards:

ifconfig -a

bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:10.70.80.60  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:64291620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13654588 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:3083505453 (2.8 GiB)  TX bytes:3472883492 (3.2 GiB)

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29667303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2581088162 (2.4 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:34624320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9211375 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:502417582 (479.1 MiB)  TX bytes:1691932738 (1.5 GiB)
          Interrupt:209 Base address:0xe000
cat /proc/net/bonding/bond0
Network Time
Solaris
Procedure D-1 contains the Solaris NTP configuration procedure. For more information, refer to the XNTPD manual page (man xntpd).

1. Log in as root.

2. Create the NTP configuration file: /etc/inet/ntp.conf.

# @(#)ntp.conf 1.5 99/09/21 SMI
#
# /etc/inet/ntp.conf
#
# An example file that could be copied over to /etc/inet/ntp.conf.
#
server 203.194.28.160
server 203.194.28.161
enable monitor
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
#filegen peerstats file peerstats type day enable
#filegen loopstats file loopstats type day enable
#filegen clockstats file clockstats type day enable
#keys /etc/inet/ntp.keys
#trustedkey 10
#requestkey 0
#controlkey 0

In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

Note: In the example above, statistics are disabled in order to avoid the creation of a large number of files.

3. Use the date command to set the time correctly.

4. Start the ntp service by entering:

svcadm enable ntp
Procedure D-1: NTP Configuration for Solaris (Sheet 1 of 2)
5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts. The following is an example of the response:

% ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
*oca01            .LCL.           1 -   13   64  377     0.40    0.017    1.05
For more information, refer to the XNTPD manual page (man xntpd).
Linux
Procedure D-2 contains the Linux NTP configuration procedure to use if NTP has not already been enabled at installation time (see Procedure D-1 for information on how to configure NTP at install time). For more information, refer to the NTPD manual page (man ntpd).

1. Log in as root.

2. Edit the NTP Servers file: /etc/ntp.conf.

server 203.194.28.160
server 203.194.28.161

In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

3. Use the date command to set the time correctly.

4. Start the xntpd daemon by entering:

/etc/init.d/ntpd start

5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts. The following is an example of the response:

% ntpq -p
     remote           refid      st t when
*oca01            .LCL.           1 -   13
Procedure D-2: NTP Configuration for Linux
Note:
For more information, refer to the NTPD manual page (man ntpd).
Appendix E: Security
Introduction
By default, both Solaris 10 and Linux have services enabled that are not required by openCA. Some of these services may have security implications, so it is good practice to disable any service that is not specifically required. This section identifies the startup scripts and services that have been proven surplus to openCA requirements.
Solaris Security
Solaris Run level and network services
Solaris Disabling unnecessary services
The /etc/rc2.d and /etc/rc3.d directories contain scripts that are executed at boot time or when the run level is changed. Some of these scripts start services not required by openCA. The following tables define scripts that can be disabled on an openCA host.
/etc/rc2.d

Enabled              Disabled
K06mipagent          _K06mipagent.NOTUSED
K07dmi               _K07dmi.NOTUSED
K07snmpdx            _K07snmpdx.NOTUSED
K16apache            _K16apache.NOTUSED
K28nfs.server        _K28nfs.server.NOTUSED
S20sysetup           _S20sysetup.NOTUSED
S47asppp             _S47asppp.NOTUSED
S71ldap.client       _S71ldap.client.NOTUSED
/etc/rc2.d (continued)

Enabled              Disabled
S71rpc               _S71rpc.NOTUSED
S71sysid.sys         _S71sysid.sys.NOTUSED
S72autoinstall       _S72autoinstall.NOTUSED
S72slpd              _S72slpd.NOTUSED
S73cachefs.daemon    _S73cachefs.daemon.NOTUSED
S73nfs.client        _S73nfs.client.NOTUSED
S74autofs            _S74autofs.NOTUSED
S80lp                _S80lp.NOTUSED
S80PRESERVE          _S80PRESERVE.NOTUSED
S80spc               _S80spc.NOTUSED
S85power             _S85power.NOTUSED
S90wbem              _S90wbem.NOTUSED
S99dtlogin           _S99dtlogin.NOTUSED
/etc/rc3.d

Enabled              Disabled
S15nfs.server        _S15nfs.server.NOTUSED
S50apache            _S50apache.NOTUSED
S76snmpdx            _S76snmpdx.NOTUSED
S77dmi               _S77dmi.NOTUSED
S80mipagent          _S80mipagent.NOTUSED
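As an added example (not from the openCA documentation), this Python routine applies the tables above: it renames each listed script to the _<name>.NOTUSED form the guide uses, reports which scripts are already disabled or absent, and refuses to overwrite when both names exist. It takes a root directory and a dry-run flag so it can be exercised against a constructed test tree before it is pointed at /etc.

```python
import os
import tempfile

# Scripts the tables above list as surplus to openCA requirements, per directory.
NOT_REQUIRED = {
    "etc/rc2.d": [
        "K06mipagent", "K07dmi", "K07snmpdx", "K16apache", "K28nfs.server",
        "S20sysetup", "S47asppp", "S71ldap.client", "S71rpc", "S71sysid.sys",
        "S72autoinstall", "S72slpd", "S73cachefs.daemon", "S73nfs.client",
        "S74autofs", "S80lp", "S80PRESERVE", "S80spc", "S85power", "S90wbem",
        "S99dtlogin",
    ],
    "etc/rc3.d": ["S15nfs.server", "S50apache", "S76snmpdx", "S77dmi", "S80mipagent"],
}


def disabled_name(script):
    """The guide's convention: a leading underscore (the rc framework only runs
    files starting with S or K) plus a .NOTUSED suffix."""
    return "_" + script + ".NOTUSED"


def disable_scripts(root="/", dry_run=True):
    """Rename each listed script under root to its disabled name.

    Returns lists of root-relative paths: "renamed" (or would be renamed in a
    dry run), "already_disabled", "missing", and "conflict" when both the
    enabled and the disabled file exist (nothing is touched for those).
    """
    result = {"renamed": [], "already_disabled": [], "missing": [], "conflict": []}
    for rel_dir, scripts in NOT_REQUIRED.items():
        for script in scripts:
            src = os.path.join(root, rel_dir, script)
            dst = os.path.join(root, rel_dir, disabled_name(script))
            rel = os.path.join(rel_dir, script)
            if os.path.exists(src) and os.path.exists(dst):
                result["conflict"].append(rel)
            elif os.path.exists(src):
                if not dry_run:
                    os.rename(src, dst)
                result["renamed"].append(rel)
            elif os.path.exists(dst):
                result["already_disabled"].append(rel)
            else:
                result["missing"].append(rel)
    return result


def build_sample_tree():
    """Constructed rc tree for offline testing (not a real host): every listed
    script present, except K07dmi already disabled and S99dtlogin absent.
    Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="openca-rc-")
    for rel_dir, scripts in NOT_REQUIRED.items():
        os.makedirs(os.path.join(root, rel_dir))
        for script in scripts:
            if script == "S99dtlogin":
                continue
            name = disabled_name(script) if script == "K07dmi" else script
            with open(os.path.join(root, rel_dir, name), "w") as fh:
                fh.write("#!/sbin/sh\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("dry run:", disable_scripts(sample_root, dry_run=True))
    print("applied:", disable_scripts(sample_root, dry_run=False))
```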
IP FILTER (Solaris)
Fastwire recommends that you turn IP filters off and use an external firewall. If your environment requires the use of IP filter, add the rules shown in Procedure E-1 to the /etc/ipf/ipf.conf file.

1. Allow TCP and UDP between the peers:

@1 pass in log quick proto tcp from <peer_address>/32 to <self_address>/32
@3 pass in log quick proto udp from <peer_address>/32 to <self_address>/32
2.
3.
Allow NTP:
@5 pass in log quick from <ntp_server_subnet>/24 port=123 to <self_address>/32 port=123
@6 pass in log quick from <openca_subnet>/24 to 224.0.1.1/32
4.
Allow DNS:
@7 pass in log quick from <openca_subnet>/24 to 224.0.0.251/32
5.
6.
Allow SIP:
@13 pass in log quick proto udp from any to <fvip_address>/32 port=5060 keep state
7.
Allow H323:
@15 pass in log quick from any to 224.0.1.141/32 port = 1718 keep state
@16 pass in log quick proto udp from any to <openca_subnet>/24 port = 1719 keep state
@17 pass in log quick proto tcp from any to <fvip_address>/24 port = 1720 keep state
@19 pass in log quick proto tcp from <h323_gw_address> to <fvip_address>/32 keep state
8.
Procedure E-1: Rules to add to the ipf.conf file for IP filtering. (Sheet 1 of 2)
Step 9.
10.
11.
Reset ipfilter when the above modifications are complete:

ipf -D; ipf -E; ipf -f /etc/ipf/ipf.conf
Procedure E-1: Rules to add to the ipf.conf file for IP filtering. (Sheet 2 of 2)
Linux Security
The following services can be turned off on Linux hosts:

cups
iptables
sendmail
autofs
arptables_jf

For information on how to turn off these services, consult the Linux manual pages for the chkconfig command. For example, to turn off a service, log on as root and enter the following:

chkconfig --level 23456 <service> off
IP TABLES (Linux)
Fastwire recommends you turn IP tables off and instead use an external firewall. If your environment requires IP tables, however, add the rules shown in Procedure E-2 to the /etc/sysconfig/iptables configuration file. These settings are required when using IP tables as a firewall.

1. Allow ICMP:

-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -s <openca_subnet>/24 -d <openca_subnet>/24 -j ACCEPT
2.
3.
4.
5.
6.
7.
8.
Allow H323:
-A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -d <fvip_address>/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -s <h323_gw_address>/32 -d <fvip_address>/32 -p tcp -j ACCEPT
Step 9.
10.
1. On machine A, put all the IP addresses of machine B (both virtual and physical) into /etc/hosts with unique hostnames.

2. On machine A, put the hostnames (as defined in step 1) of machine B into /etc/hosts.equiv.

3. On machine A, add entries for each of the hostnames of machine B plus username, i.e. <machine_B_hostname> <username>, into the .rhosts file of <username>. As a security measure, ensure the permissions for the .rhosts file are as follows:

# ls -al .rhosts
-rw-------   1 otcaop   otcaop   48 Feb  6 13:06 .rhosts
4.
5.
Step 2. The new FVIP interface requires an IP address, so allocate a new IP address on the same subnet as the signalling interface chosen in the previous step. In our example we choose 203.194.24.132 as our FVIP address.
3. As user root, edit /etc/hosts and add an entry for this new FVIP IP address. In our example the following entry is added:
203.194.24.132 ocafvip
Additionally, if the FVIP IP address is to be used for H323 calls, the myH323Listener listener entry should also be added to the FVIP address (and removed from any other address):
203.194.24.132 ocafvip myH323Listener
Note: The myH323Listener must be placed after the ocafvip name in the above example.
4. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and make the following configuration changes in the FVip package:
peer.host = <other_host>
network.ipaddress = <fvip_address>
network.interface = <fvip_interface>
network.interface2 = <alternative_fvip_interface>
In our example, if this procedure was being carried out on host ibmblade1, these entries would be configured as follows:
peer.host = oca02
network.ipaddress = ocafvip
network.interface = hme0
network.interface2 = qfe0
5. For the configuration change made in the previous step to take effect, the machine must either be rebooted or the fvip_control script restarted. As user root, execute one of the following:
reboot
or
/etc/init.d/fvip_control stop
/etc/init.d/fvip_control start
Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 2 of 3)
Step 6. Once the host has rebooted, check that the new FVIP interface has been created by executing the following command as user root:
ifconfig -a
In our example the output is as shown in FVIP interface created sample output (Solaris) on page 104. A new logical interface, hme0:2, has been created using the ocafvip IP address (203.194.24.132).
Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 3 of 3)
In the example above:
hme0, qfe0, qfe1 and qfe3 are all physical interfaces
hme0 and qfe0 are the physical interfaces used for signalling (specifying an IP multipathing group call-control)
qfe1 and qfe3 are the physical interfaces used for redundancy (specifying an IP multipathing group redundancy)
lo0 is the loopback interface
hme0:1, qfe0:1 are logical interfaces
Note: For the purposes of clarity, this procedure includes an example. In this example the openCA pair is made up of hosts oca01 and oca02. Ethernet Bonding is assumed to be configured as described in Linux IP Network Configuration.
Step 1. Identify the physical network interface on which you want to configure the logical FVIP interface.
Note: You must choose one of the signalling (call-control) interfaces, i.e. not an interface which is being used for redundancy.
Enter the following command to view the network interface card configurations:
ifconfig -a
Example output is shown in Procedure G-2. In this example, we choose the bond0 signalling interface on which to put our logical FVIP interface. Once configured, the logical interface will be designated bond0:1 because it is the first logical interface on bond0.
2. The bond0 interface can be used only if Ethernet Bonding is configured. For a description of how to configure Ethernet Bonding, see Linux IP Network Configuration on page 80. We will assume that Ethernet Bonding is configured. Otherwise, you should use the eth0 interface.
3. The new FVIP interface requires an IP address, so allocate a new IP address on the same subnet as the signalling interface chosen in the previous step. In our example, we choose 203.194.24.5 as our FVIP address.
4. As user root, edit /etc/hosts and add an entry for this new FVIP IP address. In our example the following entry is added:
203.194.24.5 ocafvip
Additionally, if the FVIP IP address is to be used for H323 calls, the myH323Listener listener entry should also be added to the FVIP address (and removed from any other address). In our example:
203.194.24.5 ocafvip myH323Listener
Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) (Sheet 1 of 2)
Step 5. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and ensure the following configuration exists in the FVip package:
peer.host = <other_host>
network.ipaddress = <fvip_address>
network.interface = <fvip_logical_interface>
network.broadcast = <fvip_broadcast_address>
network.netmask = <fvip_netmask>
In our example, if this procedure was being carried out on host ibmblade1, these entries would be configured as follows:
peer.host = oca02
network.ipaddress = ocafvip
network.interface = bond0:1
network.broadcast = 203.194.24.255
network.netmask = 255.255.255.0
6. For the configuration change made in the previous step to take effect, the machine must either be rebooted or the fvip_control script restarted. As user root, execute one of the following:
reboot
or
/etc/init.d/fvip_control stop
/etc/init.d/fvip_control start
7. Once the host has rebooted or the script has been restarted, check that the new FVIP interface has been created by executing the following command as user root:
ifconfig -a
Example output is shown in Example network interface card configurations (Linux) on page 107. A new logical interface has been created, bond0:1, using our ocafvip IP address (203.194.24.5). This is the FVIP interface.
8. Check that the FVIP address is disabled until the active call agent takes control of it. Use the following command as user root:
/etc/init.d/fvip_control status
Example output is shown in Example check that the FVIP address has been disabled on page 108. While this node is standby, the status shows DROP rules for the FVIP address in both the IP tables (traffic to and from the address) and the ARP tables (ARP requests for the address), so the standby node neither answers for the address nor sends from it. When the active call agent takes over the FVIP address, these rules are deleted from the (ARP and IP) tables.
Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) (Sheet 2 of 2)
In the example above:
bond0 is the bonding interface
eth0, eth1 are physical interfaces, slaved to bond0
lo is the loopback interface
ignore the sit0 interface
bond0:1   Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.132  Bcast:10.70.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29223621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2551847261 (2.3 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:33834209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8844690 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:366503731 (349.5 MiB)  TX bytes:1482541306 (1.3 GiB)
          Interrupt:209 Base address:0xe000
Chain INPUT (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination
            DROP       all  --  *      *       0.0.0.0/0            203.194.24.5

Chain OUTPUT (policy ACCEPT 24G packets, 1334G bytes)
 pkts bytes target     prot opt in     out     source               destination
 5655 3770K DROP       all  --  *      *       203.194.24.5         0.0.0.0/0

=================== ARP tables ====================
Chain IN (policy ACCEPT 736K packets, 21M bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro
    1    28 DROP    *   *    0.0.0.0/0  203.194.24.5    00/00      00/00           any   0000/0000  0000/0000  0000/0000

Chain OUT (policy ACCEPT 13306 packets, 373K bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro
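What the status output shows is the standby node silencing the FVIP at both layer 3 and layer 2: IP traffic to and from the address is dropped, and ARP requests for it are dropped so that only the active peer ever answers "who-has". The following shell functions are an added example, not Fastwire's fvip_control script, that reproduce that mechanism with iptables and arptables. The function names, the IPT and ARPT variables and the addresses used in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Fastwire's fvip_control script): silence or release a
# floating virtual IP (FVIP) on a standby node, the way the status output shows.
# Three rules are inserted at the head of the chains (-I, so they precede every
# ACCEPT rule): drop IP traffic addressed to the FVIP, drop IP traffic sourced
# from it, and drop inbound ARP for it. Taking over deletes the same rules (-D),
# which is why both directions use identical rule text.
# IPT and ARPT name the tools; set them to "echo" to dry-run.
IPT="${IPT:-iptables}"
ARPT="${ARPT:-arptables}"

# fvip_cmds <-I|-D> <fvip>: print the three commands, one per line.
fvip_cmds() {
    op="$1"; fvip="$2"
    case "$op" in
        -I|-D) ;;
        *) echo "usage: fvip_cmds -I|-D <fvip>" >&2; return 2 ;;
    esac
    printf '%s %s INPUT -d %s -j DROP\n'  "$IPT"  "$op" "$fvip"   # L3: nothing in
    printf '%s %s OUTPUT -s %s -j DROP\n' "$IPT"  "$op" "$fvip"   # L3: nothing out
    printf '%s %s IN -d %s -j DROP\n'     "$ARPT" "$op" "$fvip"   # L2: no ARP reply
}

# fvip_apply <-I|-D> <fvip>: run the commands, stopping at the first failure.
fvip_apply() {
    fvip_cmds "$1" "$2" >/dev/null || return $?
    fvip_cmds "$1" "$2" | while IFS= read -r cmd; do $cmd || exit 1; done
}

# Standby silences the address; the node becoming active releases it.
fvip_silence() { fvip_apply -I "$1"; }
fvip_release() { fvip_apply -D "$1"; }

# Demo: show what would be run for the Linux example FVIP from the guide.
echo "standby would run:"
fvip_cmds -I 203.194.24.5
echo "takeover would run:"
fvip_cmds -D 203.194.24.5
```

The ARP rule is the part that matters for a clean failover: without it both nodes hold the address on an interface and both answer ARP for it, so upstream switches and gateways flap between two MAC addresses. Insert the ARP and IP drops before the address is configured on the interface, and remove them only on the node that has confirmed it is active.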
Step 3. Configure the SNMP destinations. Set the AlarmManager.Destination parameter to a space-separated list of (one or more) destinations to which SNMP traps are to be sent. Specify each destination using any of the following formats:
<hostname>
<hostname>:<port>
<IP address>
<IP address>:<port>
If you do not specify a port, the standard SNMP trap port 162 is used. A destination may be a third-party SNMP management application or an SNMP trap distribution agent, running on the same or a different server. To specify the same server, use localhost as the <hostname>, for example:
AlarmManager.Destination = localhost manager.mydomain:2162 10.70.12.219
4. The SNMP Management Application may require knowledge of the enterprise OID defined for Fastwire. If so, ensure it is configured as 1.3.6.1.4.1.5373. The procedure for configuring the enterprise OID may differ between SNMP Management Applications; refer to your SNMP Management Application documentation.
5. The SNMP Management Application may require access to the Management Information Base (MIB) files that specify the contents of the SNMP Alarm and Alert reports. The MIB files are located in /opt/OPENca/current/skel/:
mib_core.txt
ot_mib.txt
oca_mib.txt
The procedure for configuring the MIB files may differ between SNMP Management Applications; refer to your SNMP Management Application documentation.
4.
Step 8. Select Create custom layout in the dropdown box. Click the Review and modify partitioning layout tick box. Select [NEXT]. The Disk Partitioning Setup screen should appear.
9. Set up the required disk partitions, including any required disk mirroring. For IBM Blade Center installations, hardware disk mirroring should be used. Consult the Blade Center documentation for information on how to set up hardware disk mirroring.
10. Select [NEXT]. If existing partitions are being reformatted, the Format Warnings dialog box appears.
11. Verify that the information is correct, then select [Format]. The next screen is the Boot Loader Configuration screen. The default values for the information on this screen should already be correct.
12.
13. For each network interface (for example eth0, eth1): select [EDIT] to edit the interface, then manually set the IP Address and Network parameters.
14.
15. Select the timezone from the graphical map. Ensure the System Clock uses UTC box is selected, then select [NEXT]. The Root Password screen should appear.
16. Set the root password, then select [NEXT]. The Reading Package Information ... message should appear, then the Package Installation screen.
17. Select the Software Development tick box. Select [NEXT]. The Click next to begin Installation screen is displayed.
18.
Step 19. Select [CONTINUE] to continue with the installation. Insert disks as required.
20. When the Linux installation is complete, select [REBOOT]. After a short time the Welcome screen appears.
21.
22. Select Yes, I agree to the licence agreement. Select [FORWARD]. The Firewall screen should appear.
23. Select Firewall Disabled. Select [FORWARD]. A warning dialog box appears asking whether the firewall really should be disabled. This follows the recommendation in IP TABLES (Linux) to rely on an external firewall; if this host will not sit behind one, keep the firewall enabled and apply the rules from that section instead.
24.
25. Select SELinux Setting "Disabled". Select [FORWARD]. A warning dialog box appears, informing you that a reboot will again be required after setup is completed.
26.
27.
28. Select the Network Time Protocol tab. Enable Network Time Protocol. Add NTP servers as required. Select [FORWARD]. The install process attempts to contact the NTP servers added, then the Set Up Software Updates screen appears.
29. After deciding whether to register, select [FORWARD]. The Finish Updates Setup screen appears.
Step 30.
31. Do not create a user. Select [FORWARD]. A warning dialog box appears, encouraging you to create a user. Do not.
32.
33.
34. Select [FINISH]. A warning dialog box appears, saying that the system must now reboot.
35.
36. Login as root.
37. Place Installation CDROM #3 (or the Installation DVD) in the drive. RHEL 5.2 should automatically mount it.
38. Go into the Server directory and install arptables and the openssl compatibility package using the following commands:
rpm -i arptables_jf-0.0.8-8.i386.rpm
rpm -i openssl097a-0.9.7a-9.el5_2.1.i386.rpm
39. To check what services are running, use the command:
# chkconfig --list
Step 40. Turn off any unnecessary services using the command:
chkconfig --levels 23456 <service> off
for each of the following <service>: iptables, sendmail, autofs, arptables_jf, cups.
Note: Turning off iptables is optional. If you retain it, see IP TABLES (Linux) on page 97 for filtering rule recommendations.
41. If you wish to turn off the loading of the graphical interface, edit the /etc/inittab file. Change:
id:5:initdefault:
to:
id:3:initdefault:
Reboot for this to take effect.
42. Limits (user limits). Check the /etc/profile file to see if cores are allowed for users. Ensure the following line starts with a #, for example:
# ulimit -S -c 0 > /dev/null 2>&1
Ensure hard and soft limits for core files are set in /etc/security/limits.conf:
* hard core 4000000
* soft core 4000000
* hard stack 1024000
* soft stack 10240
* hard memlock 4096000
* soft memlock 102400
* hard rss 4096000
* soft rss 4096000
A core file is a copy of the process memory, including any credentials or keys the process held, so keep the directories cores are written to readable by the owning user only and remove cores once they have been analysed.
Step 43. Check /etc/sysconfig/network to ensure network settings are as expected. There should be entries for:
NETWORKING=yes
HOSTNAME=<hostname>
GATEWAY=<gateway>
44. Check /etc/resolv.conf to ensure settings are as expected. There may be entries for nameserver, but there should not be any for search. For example:
nameserver <nameserver address>
Overview
Below is an example of the /etc/sysconfig/iptables file on an openCA host. In this example openCA runs on IP addresses 10.70.80.108 and 10.70.80.109, with the FVIP on IP address 10.70.80.110; the file shown is for the host at 10.70.80.108, and the SIP and H323 rules accept traffic to both the host address and the FVIP. The subnet mask is 255.255.255.0.
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -s 10.70.80.0/24 -d 10.70.80.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type BROADCAST -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p udp -j ACCEPT
# NTP is UDP/123; note that long options take two dashes (--dport, not -dport)
-A RH-Firewall-1-INPUT -s 10.70.0.0/24 -d 10.70.80.108/32 -p udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.1.1/32 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.0.251/32 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.110/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p udp --sport 2427 --dport 2727 -j ACCEPT
-A RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT
COMMIT
Note that, as listed, the RH-Firewall-1-INPUT chain has no final REJECT or DROP rule while the INPUT policy is ACCEPT, so anything not matched above is still accepted and the ACCEPT rules restrict nothing. The file system-config-securitylevel writes normally ends the chain with -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited; make sure that rule (or a DROP) is the last entry before COMMIT, and confirm the loaded rule set with iptables -L RH-Firewall-1-INPUT -n -v after the service restarts.
Overview
Below is an example of the /etc/ipf/ipf.conf file for an openCA host. In this example, openCA runs on IP addresses 10.70.80.90 and 10.70.80.100, with the FVIP on IP address 10.70.80.95; the file shown is for the host at 10.70.80.90, whose peer is 10.70.80.100. The subnet mask is 255.255.255.0.
@1 block in log all
# TCP between the peers (covers SDF, FVIP, Redundancy)
@2 pass in log quick proto tcp from 10.70.80.100/32 to 10.70.80.90/32
# UDP between the peers
@3 pass in log quick proto udp from 10.70.80.100/32 to 10.70.80.90/32
# Local Loopback
@4 pass in log quick on lo0
# NTP (UDP/123; ipf accepts a port match only together with proto tcp or udp)
@5 pass in log quick proto udp from 10.70.0.0/24 port = 123 to 10.70.80.90/32 port = 123
@6 pass in log quick from 10.70.80.0/24 to 224.0.1.1/32
# DNS
@7 pass in log quick from 10.70.80.0/24 to 224.0.0.251/32
# SSH
@8 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port = 22 keep state
@9 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@10 pass in log quick proto tcp from 10.70.80.10/32 to 10.70.80.90/32 keep state
# Multicast & Broadcast (MMI)
@11 pass in log quick from 10.70.80.0/24 to 239.255.0.133/32
@12 pass in log quick from 10.70.80.0/24 to 10.70.80.255
# SIP
@13 pass in log quick proto udp from any to 10.70.80.90/32 port = 5060 keep state
@14 pass in log quick proto udp from any to 10.70.80.95/32 port = 5060 keep state
# H323 (RAS on UDP 1718/1719, call signalling on TCP 1720, and the H323 gateway)
@15 pass in log quick proto udp from any to 224.0.1.141/32 port = 1718 keep state
@16 pass in log quick proto udp from any to 10.70.80.0/24 port = 1719 keep state
@17 pass in log quick proto tcp from any to 10.70.80.90/32 port = 1720 keep state
@18 pass in log quick proto tcp from any to 10.70.80.95/32 port = 1720 keep state
@19 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.90/32 keep state
@20 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.95/32 keep state
# WebDB
@21 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port = 5432 keep state
@22 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port = 12345 keep state
@23 pass in log quick proto tcp from any to 10.70.80.90/32 port = 443 keep state
# OPENca
@24 pass in log quick proto icmp from any to any icmp-type 0 keep state
@25 pass in log quick proto icmp from any to any icmp-type 11 keep state
@26 pass in log quick proto icmp from 10.70.80.0/24 to 10.70.80.0/24 keep state
# SG-s/ MGW-s
@27 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.90/32 keep state
@28 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.90/32 keep state
@29 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.95/32 keep state
@30 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.95/32 keep state
@31 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.90/32 port = 2727 keep state
@32 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@33 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.95/32 port = 2727 keep state
@34 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.95/32 keep state
Rule @1 blocks everything and every later rule is quick, so the first matching pass rule decides and anything unmatched is logged and dropped; the host-only rules use /32, so a /24 on a host address (e.g. 10.70.80.90/24) would open the port to the whole subnet.