
openCallAgent 4.3.

Installation Guide

4.3.8 Release May 2010 ABN 42 056 010 121

This material is copyright. No part of this document may be reproduced in any form, stored in a retrieval system or transmitted without the prior written permission of Fastwire Limited. Commercial in Confidence Issued by Fastwire Pty. Ltd.

Trademarks

DiskSuite and Solaris are trademarks or registered trademarks of Sun Microsystems Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group.
All other company and product names are trademarks or registered trademarks of their respective companies.

Contents

Purpose
Audience
Scope
Document Conventions
Related Documentation
Abbreviations and Acronyms
Software Release
Chapter 1: Introduction
    Overview
    Important Information
        Installation Knowledge
        Installation Personnel
        System Configuration
        Database Schemas
        Release Compatibility
    Package Information
        Solaris
        Linux
    System Requirements
        Solaris
        Linux
    Processes and Scripts
    Directories
    Users
    Redundancy
Chapter 2: Pre-Installation
    Introduction
    Configuring File Descriptors
        Solaris


        Linux
Chapter 3: Installing openCA Application
    Introduction
    Before You Start
    Installation
        Solaris
        Linux
Chapter 4: Post-Installation
    Introduction
    Creating Databases
    Licenses
    Solaris
        Configuring rsh/ssh
    Linux
        Configuring SSH
    Configuration Review
    Startup
Chapter 5: Uninstalling openCA Application
    Introduction
    Notes
    Uninstallation
        Solaris
        Linux
Chapter 6: Installing openCA Patches
    Introduction
    Notes
    Installation
        Solaris
        Linux
Chapter 7: Uninstalling openCA Patches
    Introduction
    Notes
    Uninstallation
        Solaris
        Linux
Chapter 8: Subscriber Web Access
    Package Information


    System Requirements
        Linux Red Hat Enterprise Linux 5
        Solaris 10
    Processes and Scripts
    Directories
    Users
        Solaris
    Installing openCA Subscriber Web Access
        Installing openCA Subscriber Web Access on Linux
        Installing openCA Subscriber Web Access on Solaris
        Additional Steps for Installing openCA Subscriber Web Access on a Different Host
        Creating the Subscriber Web Database
Appendix A: Operating System Patches
    Solaris Patches
    Linux Patches
Appendix B: Disk Partitioning and Mirroring
    Introduction
    Solaris
        Partitioning Disk Space
        Solaris Disk Mirroring
    Linux
        Partitioning Disk Space
Appendix C: IP Network Configuration
    Solaris IP Network Configuration
        Redundant Configuration
        Standalone Configuration
        Solaris Configuring IP Multipathing and Point to Point Connections
        Related Commands
        Solaris Name Service Configuration
        Solaris Configuration of /etc/hosts
    Linux IP Network Configuration
        IBM Blade Center Redundant Configuration
        Linux Server Redundant Configuration with Ethernet Bonding
        Standalone Configuration
        Linux Name Service Configuration
        Linux Disabling Network Routing
        Ethernet Bonding on RedHat ES 5
Appendix D: Network Time


    Configuring Network Time
        Solaris
        Linux
Appendix E: Security
    Introduction
    Solaris Security
        Solaris Run level and network services
        IP FILTER (Solaris)
    Linux Security
        IP TABLES (Linux)
Appendix F: Solaris Configuring rsh
    Configuring rsh Between Two Hosts
Appendix G: Configuring Floating Virtual IP
    Procedure for Configuring FVIP
        Configuring FVIP for Solaris
        Configuring FVIP for Linux
Appendix H: Configuring SNMP Reporting
    Procedure for Configuring SNMP Alarms and Alerts
        Solaris and Linux
Appendix I: Example Linux Installation
    Procedure for Installing Red Hat Enterprise Server
Appendix J: IPTABLES Configuration File
    Overview
Appendix K: IPFILTER Configuration File
    Overview


List of Procedures

Procedure 2-1: Configuring File Descriptors for Solaris
Procedure 2-2: Configuring File Descriptors for Linux
Procedure 3-1: Installing openCA on Solaris
Procedure 3-2: Installing openCA on Linux
Procedure 4-1: Creating Databases
Procedure 5-1: Uninstalling an openCA release from a Solaris Platform
Procedure 5-2: Uninstalling an openCA release from a Linux Platform
Procedure 6-1: Installing an openCA patch on a Solaris Platform
Procedure 6-2: Installing an openCA patch on a Linux Platform
Procedure 7-1: Uninstalling an openCA patch from a Solaris host
Procedure 7-2: Uninstalling an openCA patch from a Linux host
Procedure 8-1: Installing openCA Subscriber Web Access for Linux.
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris
Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host.
Procedure A-1: Configuring Solaris Patches
Procedure A-2: Configuring Linux Patches
Procedure B-1: Copying Partitioning Information
Procedure B-2: Configuring Disk Mirroring
Procedure C-1: Configuring Router Discovery
Procedure C-2: Multipath Detection Timeout
Procedure C-3: Configuring IP Multipathing Targets
Procedure C-4: Configuring a bonded interface
Procedure D-1: NTP Configuration for Solaris
Procedure D-2: NTP Configuration for Linux
Procedure E-1: Rules to add to the ipf.conf file for IP filtering.
Procedure E-2: Settings required when using IP tables as a firewall.
Procedure F-1: Setting up rsh between two hosts
Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP)
Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP)


Procedure H-1: Configuring SNMP Alarm and Alert Reporting
Procedure I-1: Sample RedHat Linux ES5 Installation Procedure


About this Guide

Purpose
The purpose of this document is to provide an installation guide for the openCallAgent (openCA).

Audience
The audience for this document is Fastwire customers who will be performing the installation. This audience is assumed to have the following experience and knowledge:
- Telecommunications network protocols and equipment
- Data communication networks, protocols and equipment
- UNIX or Linux, vi or text editor skills

Scope
This document includes the following information:
- Pre-installation requirements
- Installation of openCA

This document is not intended to replace training.


Document Conventions
The following formatting is used throughout this document to define certain text as having special meaning.
Convention: Italics
Description: Used to identify:
- A reference to another part of this manual or to other reference material.
- The result of performing a step in a procedure table.
- Text that should be typed with substitutions (for example, an instruction to type YourInitials would mean type your own initials instead of the text).
- Emphasis

Convention: Bold
Description: Used to identify:
- Menu names
- Menu options
- Field names
- Button names

Convention: Courier
Description: Used to identify:
- Package names
- Command response

Convention: Courier Bold
Description: Used to identify:
- Commands
- Text that should be typed exactly as it appears (for example, an instruction to type YourInitials would mean type the text YourInitials exactly as it appears).

Related Documentation
- openCallAgent 4.3.8 User Guide
- openCallAgent 4.3.8 Release Notes

Note:

Release Notes are specific to a particular release and patch level of openCA. For example, the openCallAgent 4.3.8 Release Notes pertain to release openCA-4.3.8 only.


Abbreviations and Acronyms


The table below defines the abbreviations and acronyms used throughout this manual.

Acronym   Definition
AS        Application Server
ASP       Application Server Process
CIC       Circuit Identification Code
DPC       Destination Point Code
FVIP      Floating Virtual IP
ISUP      ISDN User Part
IP        Internet Protocol
NI        Network Indicator
NIF       Nodal Interworking Function
OPC       Originating Point Code
RC        Routing Context
RK        Routing Key
SCCP      Signalling Connection Control Part
SEP       Signalling End Point
SS7       Signalling System No 7 Network
SCTP      Stream Control Transmission Protocol
SG        Signalling Gateway
SGP       Signalling Gateway Process
SIO       Service Indicator Octet
SP        Signalling Point
SSN       SCCP Subsystem Number
STP       Signalling Transfer Point

Software Release
This document applies to release 4.3.8 of openCA.


Chapter 1: Introduction

Overview
This guide contains general information about installing and configuring release 4.3.8 of the openCallAgent platform.

Important Information
This section highlights important details concerning this installation.

Installation Knowledge
Before you start the installation, ensure you understand the information in this section and have carefully studied the installation procedure.

Installation Personnel
Personnel who are familiar with Linux and UNIX operating system administration should perform the installation.

System Configuration
System configuration is carried out as a separate step to installation. See the configuration chapter of the openCallAgent 4.3.8 User Guide.

Database Schemas
All references to the configuration database imply a database created using the configuration database schema specified in the accompanying openCallAgent 4.3.8 Release Notes. For the purposes of this document, the configuration database schema pdmandblackwhite-1-schema is used as an example.


Release Compatibility
The openCallAgent 4.3.8 Release Notes specify any compatibility between openCA-4.3.8 and related products from Fastwire.

Package Information
The openCA-4.3.8 installation requires the OPENca package. Multiple versions of the OPENca package can coexist on the same system. In the installation directory, a current link points to the one that is currently active.

Solaris
When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca.<n>, where <n> is greater than or equal to 2, for example OPENca.2. The pkg family of commands (for example pkgadd, pkgrm and pkginfo) is used to perform all package operations, such as addition, removal and retrieval of information.

Note:

When using pkg commands, it is important to know the exact version of the package you are working with.

Linux
When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca-<w>.<x>.<y>, where <w> denotes the Release Number and <x>.<y> the Version. Use the rpm command to perform operations concerning packages on Linux systems.

Note:

When using the rpm command, it is important to know the exact version of the package you are working with.


System Requirements
openCA has the following system requirements:

Solaris
openCA runs on Sun servers that use Solaris 10. See Appendix A: Operating System Patches for more information on the operating system. Installation requires 2.8 GB of disk space in /opt.

Linux
openCA has been tested on IBM Blade machines using RedHat Enterprise Linux ES 5, running in 32-bit kernel mode. See Appendix A: Operating System Patches for more information on the operating system. Installation requires 2.8 GB of disk space in /opt.

Processes and Scripts


The openCA application has the following processes:
- ApplicationMonitor
- CDR_Distributor
- NameService
- ProcessManager
- TCAPRouter
- fvip
- ocammi
- openCallAgent
- tsacdb_server

The openCA application has the following scripts:
- FVIP
- ca
- ca_configure.pl
- ca_mmi
- ca_ps.rsh
- ca_ps.ssh


- ca_report
- ca_setrelease
- create_db
- run_db
- sdf

Directories
Install openCA in the /opt directory. The directory structure created during installation follows the convention shown below:

/opt/OPENca
    version x/
    version y/
    version z/
    current -> version z

The current link identifies the version that is currently active.

Note:

Up to 20 versions of the OPENca package can be present on a machine at any one time, if enough disk space is available.

The openCA installation creates the directories listed in Table 1-1.


Directory                        Contents
bin                              compiled executables
etc                              operational configuration files (empty on install)
help                             MMI help files
lib                              shared libraries
patch                            used by patching mechanism
schema                           configuration database schema files
skel                             original configuration files
util                             database utilities
/opt/openCallAgent/alarms        alarms
/opt/openCallAgent/statistics    statistics
/opt/openCallAgent/operations    operations log
/opt/openCallAgent/log           log files
/var/run/ca                      Call Agent ProcessManager process list files
/var/run/fvip                    FVIP ProcessManager process list files
/var/run/sdf                     configuration database ProcessManager process list files

Table 1-1: Directories created by installation of the OPENca package

Note:

These directories are created in /opt/OPENca/openCA-4.3.8 unless specified otherwise.

Users
The OPENca package installs its own user, otcaop, who owns the OPENca software. This user is added when OPENca is first installed, and is removed when the last release of OPENca is removed.

Note:

When you remove the last release of OPENca, the otcaop user must be inactive, i.e. no processes, including logins, can be running as otcaop.

You must set the otcaop password after it is created. The removal of otcaop also results in the removal of its home directory; however, the contents of the home directory are automatically backed up to /tmp before removal.

Note:

/tmp is cleared on reboot. Therefore, if you want to save this backup, move it to a safe area.

Redundancy
The openCA-4.3.8 release can be installed in either a standalone or a redundant configuration. In a redundant configuration, openCA is installed on two machines. In a standalone configuration, openCA is installed on only one machine.

The installation instructions in the following chapters apply to both configurations.


Chapter 2: Pre-Installation

Introduction
This chapter describes pre-installation procedures for openCA.

1. The openCA application must be able to find the addresses of both the local and remote machines in the installation; therefore, ensure that all host names and IP addresses of both hosts in the pair are specified in the /etc/hosts file on each host. For IP Network configuration, see Appendix C: IP Network Configuration.

2. Further, if this installation is required to meet telecoms-standard High Availability / Fault Tolerant requirements, Fastwire recommends that you provide redundancy on all openCA hosts in terms of disk mirroring, partitioning and in the server/network configuration of each host (see Appendix B: Disk Partitioning and Mirroring and Appendix C: IP Network Configuration).

3. A redundant openCA installation uses replicated databases, which require that the clocks on both hosts are synchronised. These clocks should be synchronised using the Network Time Protocol (NTP). For more information on how to configure NTP across openCA hosts, see Appendix D: Network Time.


Configuring File Descriptors


If this is the first installation of the openCA software, the default number of file descriptors allocated to users must be reset to provide a greater number of file descriptors.

Solaris
For any Solaris system, make the system configuration change shown in Procedure 2-1 on each openCA host.

1. Log in as user root.
2. Add the following lines to /etc/system:
       set rlim_fd_max = 10240    (sets the hard limit on file descriptors)
       set rlim_fd_cur = 256      (sets the soft limit on file descriptors)
3. Reboot the system for these changes to become active. Enter the following command:
       reboot

Procedure 2-1: Configuring File Descriptors for Solaris

Linux
For any Linux system, make the system configuration change shown in Procedure 2-2 on each openCA host.

1. Log in as user root.
2. Add the following lines to /etc/sysctl.conf:
       # Increase system-wide file descriptor limit.
       fs.file-max = 10240
       fs.inode-max = 40960
3. Reboot the system for these changes to become active. Enter the following command:
       reboot

Procedure 2-2: Configuring File Descriptors for Linux


Chapter 3: Installing openCA Application

Introduction
This chapter contains instructions for installing the openCA application.

Note:

These instructions use an example openCA release, openCA-4.3.8, to demonstrate the installation.

Before You Start


Before you install the openCA software:

- Ensure that the support contact information is available to help you with the installation if needed.
- Ensure your machines conform to the disk mirroring and partitioning as defined in Appendix B: Disk Partitioning and Mirroring.

Installation
Solaris
To install the openCA application, follow the steps in Procedure 3-1 on each host.

1. Log on as user root.
2. Enter the following command to create a temporary directory:
       mkdir /opt/CA_INSTALL
3. Enter the following commands to extract the release file from the CD:
       cd /opt/CA_INSTALL
       gzip -dc /cdrom/cdrom0/openCA-4.1.14.tar.gz | tar xvf -
4. Enter the following command to install the openCA-4.3.8 release:
       pkgadd -d . OPENca
   Answer 'y' to the questions presented.
5. Enter the following command to set the password for otcaop:
       passwd otcaop
   Enter and confirm the password as prompted.
6. Enter the following command to check that the openCA release is installed:
       /opt/OPENca/openCA-4.3.8/bin/ca_report
   The following is an example of the text that appears:
       oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number     : openCA-4.3.8 <-- current
       Package Identifier : OPENca
       ------------------------------
7. You may need to install a patch for this release. Refer to the openCallAgent 4.3.8 Release Notes for details of any patches associated with this release. If it is necessary to install a patch, see Chapter 6: Installing openCA Patches for instructions on how to install a patch.
8. After installing openCA and any necessary patches, install the openCA configuration files. The ca_configure.pl script copies the configuration files from their installation area (the skel subdirectory) to their operational area (the etc subdirectory), updating them for your configuration. Enter the following command as user otcaop to perform this task:
       /opt/OPENca/openCA-4.3.8/bin/ca_configure.pl
   Answer the prompt for each question. A default value may be provided within square brackets [] and can be accepted by pressing Enter.
   Note: If the Subscriber Web Service is not installed, Web Database questions can be skipped by pressing Enter.

Procedure 3-1: Installing openCA on Solaris


Linux
To install the openCA application, follow the steps in Procedure 3-2 on each host.

1. Log on as user root.
2. Enter the following command to create a temporary directory:
       mkdir /opt/CA_INSTALL
3. Enter the following commands to extract the release file from the CD:
       cd /opt/CA_INSTALL
       cp /cdrom/cdrom0/openCA-4.3.8-1.i686.rpm .
4. Enter the following command to install the openCA-3.1 release:
       rpm -i openCA-4.3.8-1.i686.rpm
5. Enter the following command to set the password for otcaop:
       passwd otcaop
   Enter and confirm the password as prompted.
6. Enter the following command to check that the openCA release is installed:
       /opt/OPENca/openCA-4.3.8/bin/ca_report
   The following is an example of the text that appears:
       oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number     : openCA-4.3.8 <-- current
       Package Identifier : OPENca-4.3.8-1
7. You may need to install a patch for this release. Refer to the openCallAgent 4.3.8 Release Notes for details of any patches associated with this release. If it is necessary to install a patch, see Chapter 6: Installing openCA Patches for instructions on how to install a patch.
8. After installing openCA and any necessary patches, install the openCA configuration files. The ca_configure.pl script copies the configuration files from their installation area (the skel subdirectory) to their operational area (the etc subdirectory), updating them for your configuration. Enter the following command as user otcaop to perform this task:
       /opt/OPENca/openCA-4.3.8/bin/ca_configure.pl
   Answer the prompt for each question. A default value may be provided within square brackets [] and can be accepted by pressing Enter.
   Note: If the Subscriber Web Service is not installed, Web Database questions can be skipped by pressing Enter.

Procedure 3-2: Installing openCA on Linux


Chapter 4: Post-Installation

Introduction
This chapter describes post-installation procedures for openCA.

Creating Databases
After the openCA software is installed, you must create a new configuration database. A redundant system has two databases, the main_master and the alternative_master. A standalone system only has a main_master. Follow the steps in Procedure 4-1.
1. Log on to the first server as user otcaop.
2. Confirm the location of the database is correct by checking the SDF_Replica.database.path entry in the file /opt/OPENca/current/openCallAgent.conf.
3. Enter the following command to create the main master database:
       create_db main_master
   Sample output from create_db command:
       Creating main master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1schema.Linux.so...
       Established "SDF-pdmandblackwhite.R0"
       setup_tsacdb_replica: OK.
       main master configuration database /opt/OPENca/openCA4.3.8/SDF/SDF-pdmandblackwhite.R0 created.
4. For a standalone system, database creation is complete. Continue this procedure only for a redundant system.
5. For a redundant system, log on to the second server as user otcaop.
6. On the second server, confirm the location of the database is correct by checking the SDF_Replica.database.path entry in the file /opt/OPENca/current/openCallAgent.conf.
7. On the second server, enter the following command to create the alternative master database:
       create_db alternative_master
   Sample output from create_db command:
       Creating alternative master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1schema.Linux.so...
       Established "SDF-pdmandblackwhite.R1"
       setup_tsacdb_replica: OK.
       alternative master configuration database /opt/OPENca/openCA4.3.8/SDF/SDF-pdmandblackwhite.R1 created.

Procedure 4-1: Creating Databases

For more information on how to perform this task, refer to the "Creating Databases" section in Chapter 2: "System Management" of the openCallAgent 4.3.8 User Guide.

Licenses
openCA license files are issued separately. The license file should be copied to /etc/calicense.dat or to another location specified in the openCallAgent.conf configuration file. Refer to Chapter 2: System Management of the openCallAgent 4.3.8 User Guide for more details on openCA licenses.


Solaris
Configuring rsh/ssh
During installation, the ca_ps script is created as a link to ca_ps.rsh. The ca_ps.rsh script uses remote shell (rsh) to open a shell on the other host in an openCA redundant configuration so that it can list the running processes on that host.

Another script, ca_ps.ssh, is provided to perform exactly the same task as ca_ps.rsh, except that it uses secure shell (ssh) rather than rsh to open a shell on the other host. ca_ps may be linked to either of these scripts, depending on whether rsh or ssh is the preferred option for opening shells on the Call Agent hosts.

For the ca_ps.rsh and ca_ps.ssh scripts to operate properly in a redundant configuration, the user otcaop must be able to open either a remote shell (rsh) or a secure shell (ssh), without providing a password, from one openCA host to another. To configure rsh, see Appendix F: Solaris Configuring rsh.

If ssh is the preferred option, it must be installed and configured. A number of ssh configuration options are available, and the most suitable option must be decided by the System Administrator. For more information on ca_ps.rsh and ca_ps.ssh, refer to Chapter 3 in the openCallAgent 4.3.8 User Guide.

Linux
Configuring SSH
The system supports ssh in its default configuration only. For information on how to configure ssh, refer to the Linux System Administration guide.
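
Passwordless ssh for otcaop is normally done with a public key in that user's authorized_keys file, and a key that is not pinned to the peer host can be used from anywhere if it leaks. The following check is an added example, not part of the original guide: audit_authorized_keys and sample_keys are hypothetical names, the entries are constructed with placeholder key material, OpenSSH authorized_keys syntax is assumed, and 10.1.1.95 is only the peer address from the guide's sample sub_configure.pl session.

```shell
#!/bin/sh
# Added example: audit the keys that allow passwordless ssh logins as otcaop.
# audit_authorized_keys is a hypothetical helper; the entries in sample_keys
# are constructed samples with placeholder key material.

# audit_authorized_keys FILE PEER   (FILE may be "-" for standard input)
# Prints "line N: STATUS" for every key and returns 1 unless all are OK.
#   OK             key is pinned to exactly from="PEER"
#   UNRESTRICTED   no options at all: usable from any source address
#   NO-FROM        options present, but no from= restriction
#   FROM-MISMATCH  from= names another host, several hosts or a wildcard
audit_authorized_keys() {
    awk -v peer="$2" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }               # skip comment lines
        /^[ \t]*$/ { next }               # skip blank lines
        {
            # Options (if any) are everything before the key-type token.
            line = " " $0
            if (!match(line, /[ \t](ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ \t]+)[ \t]/)) {
                printf "line %d: UNPARSED\n", NR; bad = 1; next
            }
            opts = substr(line, 2, RSTART - 2)
            gsub(/^[ \t]+|[ \t]+$/, "", opts)

            if (opts == "") {
                status = "UNRESTRICTED"
            } else if (!match(opts, /from="[^"]*"/)) {
                status = "NO-FROM"
            } else {
                # Strip the leading from=" and the closing quote.
                value = substr(opts, RSTART + 6, RLENGTH - 7)
                status = (value == peer) ? "OK" : "FROM-MISMATCH"
            }
            if (status != "OK") bad = 1
            printf "line %d: %s\n", NR, status
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample of an otcaop authorized_keys file.
sample_keys() {
    cat <<'EOF'
# constructed sample entries; key material is placeholder text
from="10.1.1.95" ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER otcaop@oca02
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER otcaop@old-host
from="*" ssh-ed25519 AAAAC3NzaC1lZDI1-PLACEHOLDER otcaop@anywhere
no-pty ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER otcaop@nopty
EOF
}

# Demonstration run on the constructed sample (non-zero status is expected).
sample_keys | audit_authorized_keys - 10.1.1.95 || true
```

On a real host the first argument would be the authorized_keys file in the otcaop home directory and the second the address of the other openCA host.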

Configuration Review
After the openCA software is installed and before the openCA application is started, operators should review the configuration files for correctness. See the openCallAgent 4.3.8 User Guide for configuration information.

Startup
After the configuration files have been verified, the application can be started. See the openCallAgent 4.3.8 User Guide for information about starting and stopping openCA.


Chapter 5: Uninstalling openCA Application

Introduction
This chapter contains instructions for removing the openCA software from a host.

Note:

These instructions use example openCA releases to demonstrate how an openCA platform may be uninstalled.

Notes
Before uninstalling an openCA release, all its running processes, including its configuration database, must first be shut down.


Uninstallation
Solaris
To remove an openCA installation, follow the steps in Procedure 5-1 on each host.

1. Log on as user root.
2. Enter the following command to list all installed openCA releases and patches:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca.2
       Release Number        : openCA-4.3.8
       Package Identifier    : OPENca.4
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP <-- current
       ------------------------------
3. If any patches have been applied to the openCA release that you wish to uninstall, you must uninstall them before removing the openCA release. For information on removing openCA patches, see Chapter 7: Uninstalling openCA Patches.
4. In this example, the openCA-1.3.7 release will be removed. Enter the following command to remove this release:
       pkgrm OPENca.2
   Answer 'y' to the questions presented.
5. Enter the following command to verify that the openCA-1.3.7 release has been removed:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-4.3.8
       Package Identifier    : OPENca.4
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP <-- current
       ------------------------------

Procedure 5-1: Uninstalling an openCA release from a Solaris Platform


Linux
To remove an openCA installation, follow the steps in Procedure 5-2 on each host.

1. Log on as user root.
2. Enter the following command to list all installed openCA releases and patches:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca-1.3.7-1
       Release Number        : openCA-4.3.8.1 <-- current
       Package Identifier    : OPENca-4.3.8-1
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP-4.3.8.2-1
       ------------------------------
3. If any patches have been applied to the openCA release that you wish to uninstall, you must uninstall them before removing the openCA release. For information on removing openCA patches, see Chapter 7: Uninstalling openCA Patches.
4. In this example, the openCA-1.3.7 release will be removed. Enter the following command to remove this release:
       rpm -e OPENca-1.3.7-1
   Answer 'y' to the questions presented.
5. Enter the following command to verify that the openCA-1.3.7 release has been removed:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-4.3.8 <-- current
       Package Identifier    : OPENca-4.3.8-1
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP-4.3.8.2-1
       ------------------------------

Procedure 5-2: Uninstalling an openCA release from a Linux Platform


Chapter 6: Installing openCA Patches

Introduction
This chapter contains instructions for installing openCA patches.

Note:

These instructions use an example openCA patch, openCA-4.3.8.2, to demonstrate how to install an openCA patch.

Notes
Patches are cumulative, e.g. openCA-4.3.8.3 contains fixes from both openCA-4.3.8.1 and openCA-4.3.8.2. It is not possible to install a patch to a release that is running. For instructions on how to stop a release, see Chapter 2 : System Management, in the openCallAgent 4.3.8 User Guide.


Installation
Solaris
To install an openCA patch, follow the steps in Procedure 6-1 on each host.

1. Log on as user root.
2. Enter the following command to create a temporary directory:
       mkdir /opt/CA_INSTALL
3. Enter the following commands to extract the openCA-4.3.8.2 patch file from the CD:
       cd /opt/CA_INSTALL
       gzip -dc /cdrom/cdrom0/openCA-4.3.8.2.tar.gz | tar xvf -
4. Enter the following command to install the patch:
       pkgadd -d . OPENcaP
   Answer 'y' to the questions presented.
5. Enter the following command to check that the patch is installed:
       ca_report
   The following is an example of the text that appears. In this example the patch which has been installed is openCA-4.3.8.2.
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca.2
       Release Number        : openCA-4.3.8
       Package Identifier    : OPENca.4
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP <-- current
       ------------------------------

Procedure 6-1: Installing an openCA patch on a Solaris Platform


Linux
To install an openCA patch, follow the steps in Procedure 6-2 on each host.

1. Log on as user root.
2. Enter the following command to create a temporary directory:
       mkdir /opt/CA_INSTALL
3. Enter the following commands to extract the openCA-4.1.1.2 patch file from the CD:
       cd /opt/CA_INSTALL
       cp /cdrom/cdrom0/OPENcaP-4.3.8.2-1.i686.rpm .
4. Enter the following command to install the patch:
       rpm -i OPENcaP-4.3.8.2-1.i686.rpm
5. Enter the following command to check that the patch is installed:
       ca_report
   The following is an example of the text that appears. In this example the patch which has been installed is openCA-4.3.8.2.
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca-1.3.7-1
       Release Number        : openCA-4.3.8 <-- current
       Package Identifier    : OPENca-4.3.8-1
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP-4.3.8.2-1
       ------------------------------

Procedure 6-2: Installing an openCA patch on a Linux Platform


Chapter 7: Uninstalling openCA Patches

Introduction
This chapter contains instructions for removing openCA patches.

Note:

These instructions use example openCA releases and patches to demonstrate how to remove an openCA patch.

Notes
It is not possible to uninstall a patch for an openCA release that is running. For instructions on how to stop a release, see Chapter 2: System Management, in the openCallAgent 4.3.8 User Guide. Patches must be uninstalled in reverse order, e.g. openCA-4.3.8.3 must be removed before openCA-4.3.8.2, which must in turn be removed before openCA-4.3.8.1.


Uninstallation
Solaris
To uninstall an openCA patch, follow the steps in Procedure 7-1 on each host.

1. Log on as user root.
2. Enter the following command to list all installed openCA releases and patches:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca.2
       Release Number        : openCA-4.3.8
       Package Identifier    : OPENca.4
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.1
       Patch Identifier      : OPENcaP
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP.2 <-- current
       ------------------------------
3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the following command to remove this patch:
       pkgrm OPENcaP.2
   Answer 'y' to the questions presented.
4. Enter the following command to check that the openCA-4.3.8.2 patch has been removed:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca.2
       Release Number        : openCA-4.3.8
       Package Identifier    : OPENca.4
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.1
       Patch Identifier      : OPENcaP <-- current
       ------------------------------

Procedure 7-1: Uninstalling an openCA patch from a Solaris host


Linux
To uninstall an openCA patch, follow the steps in Procedure 7-2 on each host.

1. Log on as user root.
2. Enter the following command to list all installed openCA releases and patches:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca-1.3.7-1
       Release Number        : openCA-4.3.8 <-- current
       Package Identifier    : OPENca-4.3.8-1
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.1
       Patch Identifier      : OPENcaP-4.3.8.1-1
       Patch Number          : openCA-4.3.8.2
       Patch Identifier      : OPENcaP-4.3.8.2-1
       ------------------------------
3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the following command to remove this patch:
       rpm -e OPENcaP-4.3.8.2-1
4. Enter the following command to check that the openCA-4.3.8.2 patch has been removed:
       ca_report
   The following is an example of the text that appears:
       oca01# ca_report
       ------------------------------
       Fully Installed OPENca Releases
       ------------------------------
       Release Number        : openCA-1.3.7
       Package Identifier    : OPENca-1.3.7-1
       Release Number        : openCA-4.3.8 <-- current
       Package Identifier    : OPENca-4.3.8-1
       Fully Applied Patches :
       --------------------
       Patch Number          : openCA-4.3.8.1
       Patch Identifier      : OPENcaP-4.3.8.1-1
       ------------------------------

Procedure 7-2: Uninstalling an openCA patch from a Linux host
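
Because patches must come off newest first, the removal order can be derived from the ca_report listing instead of being worked out by eye. The following is an added example, not part of the original guide: patch_removal_commands and sample_report are hypothetical names, the sample listing is constructed from the guide's Linux example, and the "label : value" line layout of ca_report output is assumed from that example. It only prints the commands and does not run them.

```shell
#!/bin/sh
# Added example: derive the patch removal order from ca_report output.
# patch_removal_commands is a hypothetical helper. It assumes ca_report
# prints "Patch Number : ..." followed by "Patch Identifier : ..." lines,
# as in the guide's sample listings.

# patch_removal_commands PLATFORM   (PLATFORM as printed by "uname -s")
# Reads ca_report output on standard input and prints one removal command
# per applied patch, highest patch number first. Nothing is executed.
patch_removal_commands() {
    case "$1" in
        Linux) remove='rpm -e' ;;
        SunOS) remove='pkgrm' ;;
        *) echo "unsupported platform: $1" >&2; return 2 ;;
    esac
    awk '
        # Return the text after the colon, without the "<-- current" marker.
        function value(s) {
            sub(/^[^:]*:[ \t]*/, "", s)
            sub(/[ \t]*<--.*$/, "", s)
            sub(/[ \t]+$/, "", s)
            return s
        }
        /^[ \t]*Patch Number/     { number = value($0) }
        /^[ \t]*Patch Identifier/ { print number, value($0) }
    ' |
    sed 's/^openCA-//' |
    # Numeric, descending sort on each dotted component, so that a patch
    # numbered .10 sorts above .2 (a plain text sort would not).
    sort -t. -k1,1nr -k2,2nr -k3,3nr -k4,4nr |
    awk -v remove="$remove" '{ print remove " " $2 }'
}

# Constructed sample, modelled on the Linux listing in Procedure 7-2.
sample_report() {
    cat <<'EOF'
------------------------------
Fully Installed OPENca Releases
------------------------------
Release Number        : openCA-1.3.7
Package Identifier    : OPENca-1.3.7-1
Release Number        : openCA-4.3.8 <-- current
Package Identifier    : OPENca-4.3.8-1
Fully Applied Patches :
--------------------
Patch Number          : openCA-4.3.8.1
Patch Identifier      : OPENcaP-4.3.8.1-1
Patch Number          : openCA-4.3.8.2
Patch Identifier      : OPENcaP-4.3.8.2-1
------------------------------
EOF
}

# Demonstration run on the constructed sample.
sample_report | patch_removal_commands Linux
```

On a live host the input would be the output of ca_report and the argument the output of uname -s.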


Chapter 8: Subscriber Web Access

Package Information
The OPENca-SUBWEB package (openCA Subscriber Web Access) provides subscribers with access to openCA through a Web interface. You can install this package on the same server as openCA, but for production environments Fastwire recommends that you install it on a separate server.

System Requirements
The OPENca-SUBWEB installation requires approximately 3.5 M of disk space in /opt.

Linux Red Hat Enterprise Linux 5


The following packages must be installed on the host prior to installing OPENca-SUBWEB:

- distcache
- apr
- postgresql-libs
- apr-util
- httpd
- mod_ssl
- perl-DBI
- perl-DBD-Pg
- postgresql
- postgresql-server

If installing with rpm -i commands, after installing the postgresql packages you must run the initdb command. If installing using yum, the initdb command is not required, as yum will have run it.


Solaris 10
The following packages must be installed on the host prior to installing OPENca-SUBWEB. These packages are normally included in the default Solaris 10 installation.

Prerequisite Package    Description
SUNWapch2r              The Apache HTTP server program Version 2 (root components)
SUNWapch2u              The Apache HTTP Server Version 2 (usr components)
SUNWpostgr-83-server    PostgreSQL database server
SUNWopensslr            OpenSSL (Root)
SUNWperl584core         Perl 5.8.4 (core)
SUNWperl584usr          Perl 5.8.4 (non-core)
SUNWpmdbdpg             The DBI PostgreSQL Interface for Perl
SUNWpmdbi               Perl Database Independent Interface

Table 8-1: Solaris 10 packages that must be installed for OPENca-SUBWEB.

Processes and Scripts


openCA Subscriber Web Access uses a Web Server (Apache2), a Web Database (PostgreSQL) and the openCA SDF Database to provide subscribers with access to Call Log and Call Forward services. It includes the following scripts to configure the Subscriber Web Access service:

- sub_configure.pl
- sub_createdb.pl


Directories
The directory structure created by the installation of OPENca-SUBWEB follows the convention shown below:

    /opt/OPENca/openCA-4.3.8/apache/

The current link identifies the version that is presently active. The directories and files shown in Table 8-2 are created under the above installation directory:

Directory/File   Contents
bin              sub_configure.pl        Subscriber access service configuration script
                 apachectl               Apache web server startup script (Linux only)
                 sub_createdb.pl         PostgreSQL web database creation script
                 dbconfig.sql            PostgreSQL web database initialization script
                 postgres_configure.pl   PostgreSQL web database configuration script
cgi-bin          Source scripts to be run by the apache web server.
conf             httpd.conf                          Web server configuration file
                 ssl.conf                            SSL configuration file
                 postgresql.conf, pg_hba.conf        PostgreSQL server configuration file
                 server.crt, server.csr, server.key  Self-signed SSL certificate files
htdocs           index.html, CSS tables, images, java script, .htaccess
skel             Original subscriber access, apache web server, postgresql database and ssl configuration.
run              (Solaris Only) Apache run directory to create httpd.pid file.

Table 8-2: OPENca-SUBWEB files and directories

In addition, the following links are installed system-wide.

Platform   Link                                      Source File Location
Linux      /etc/init.d/apachectl                     /opt/OPENca/current/apache/bin/apachectl
           /etc/rc0.d/K06apachectl
           /etc/rc1.d/K06apachectl
           /etc/rc2.d/K06apachectl
           /etc/rc3.d/S30apachectl
Solaris    /etc/apache2                              /opt/OPENca/current/apache/conf/http.conf
                                                     /opt/OPENca/current/apache/conf/ssl.conf
Linux      /var/lib/pgsql/data/postgresql.conf       /opt/OPENca/current/apache/conf/postgresql.conf
Solaris    /var/postgres/8.3/data/postgresql.conf
Linux      /var/lib/pgsql/data/pg_hba.conf           /opt/OPENca/current/apache/conf/pg_hba.conf
Solaris    /var/postgres/8.3/data/pg_hba.conf
Solaris    /opt/OPENca/current/apache/logs           /var/apache2/logs
Solaris    /opt/OPENca/current/apache/modules        /usr/apache2/libexec

Table 8-3: System-wide installed links

Users
OPENca-SUBWEB installs its own user, otcaop, if that user has not yet been created by the OPENca package. Similarly, removal of the OPENca-SUBWEB package also removes the otcaop user if no OPENca packages remain installed. OPENca-SUBWEB uses the PostgreSQL database to save subscriber service data. This PostgreSQL database is operated by the postgres user, which is created automatically during the installation of the postgresql-server package. You must set the password for the postgres user.

Solaris
Installation of the OPENca-SUBWEB package adds configuration for the otcaop user to /etc/user_attr to allow otcaop to assume the postgres role.


Installing openCA Subscriber Web Access


You can install the openCA Subscriber Web Access application on:

- Either of the redundant openCA servers, or
- A separate (non-openCA) connected server.

In either case, see Installing openCA Subscriber Web Access on Linux or Installing openCA Subscriber Web Access on Solaris, depending on your operating system. If installing on a non-openCA host, also see Additional Steps for Installing openCA Subscriber Web Access on a Different Host.

Installing openCA Subscriber Web Access on Linux


1. Before you begin, ensure:
   - You are logged into the server as user root.
   - All pre-installation requirements described in System Requirements are met.
2. Ensure the PostgreSQL service is configured:
       ls -l /var/lib/pgsql/data
   If the directory is empty, run initdb as the postgres user:
       initdb
3. Ensure postgres is not running:
       service postgresql stop
4. Enter the following command to install the package:
       rpm -i OPENca-SUBWEB-version-1.i686.rpm
5. Enter the following command to set the password for otcaop:
       passwd otcaop
6. Enter the following command to set the password for postgres:
       passwd postgres
7. Start the PostgreSQL service:
       service postgresql start
8. As user otcaop, run the sub_configure.pl script to install the necessary scripts and configuration files. This script performs the following actions:
   a. Copies the scripts and configuration files from the installation area, the /opt/OPENca/openCA-4.3.8/apache/skel directory, to their operational area, /opt/OPENca/openCA-4.3.8/apache/conf.
   b. Edits files in the operational area from your installation selections.
   c. Installs links at /etc/init.d and /var/lib/pgsql/data.
   d. (Optionally) Generates temporary Self-Signed Certificates for secure Web access.
   e. (Optionally) Creates and configures the Subscriber Web Database.
   It uses the default /opt/OPENca/current/apache/bin/dbconfig.sql schema to initialize the newly-created database.
   Note: Do not create the Subscriber Web Database using this script if you intend to restore the database with imported contents.
   To run sub_configure.pl, enter the following commands:
       cd /opt/OPENca/openCA-4.3.8/apache/bin
       ./sub_configure.pl
   You will be prompted to answer questions. Where available, you may select the default value shown in [] brackets by pressing the Enter key.
       [root@rhel-a bin]# ./sub_configure.pl
       Enter version to be configured[openCA-4.3.8]:
       Changing to user otcaop
       Enter the name of this host[rhel-a]:
       Enter IP address of peer OpenCA: 10.1.1.95
       Enter WEB Database host name or IP address: 127.0.0.1
       Enter the name of the WEB Database[subdb-rhel-a]:
       PostreSQL and APACHE server configuration has been changed.
       Make sure to restart the services.
       Would you like to generate self-signed SSL certificates: yes/no?[yes]:
9. (Optional) If you did not create a Subscriber Web Database in Step 8 and you intend to import data from a different database, create one now by running the following script as the postgres user:
       ./sub_createdb.pl -n <database_name> -f <db_dump.sql>
   Note: db_dump.sql is the output of the following command, when it is run on the database to be restored:
       pg_dump -Fc --format=p --file=db_dump.sql <database_name>
10. (Optional) If you created the Subscriber Web Database in step 8 or 9, as the postgres user check that the database was created and initialized successfully using the following command:
       psql -l
    The output should show the newly created subscriber database in the List of Databases.
11. Run or re-run the Apache service by performing the following steps:
    a. Stop any running apache instances:
           service apachectl stop
    b. Ensure that current points to the newly-installed version of OPENca-SUBWEB:
           ls -l /opt/OPENca/
    c. Sometimes the pass phrase prompt can be inconvenient, especially when you want Apache to start up automatically on boot without user intervention. To disable the pass phrase, as the otcaop user, decrypt the server.key:
           cd /opt/OPENca/current/apache/conf
           mv server.key server.key.orig
           openssl rsa -in server.key.orig -out server.key
    d. If current points to the previous version, update it:
           rm /opt/OPENca/current
           ln -s /opt/OPENca/<new_version> /opt/OPENca/current
    e. Start the HTTP daemon:
           service apachectl start
12. Re-start the PostgreSQL database service to apply the updated configuration:
       service postgresql restart
13. Test that the subscriber database is accessible using an internet browser:
       https://<web_host_address>

Procedure 8-1: Installing openCA Subscriber Web Access for Linux
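
Step 11c leaves server.key unencrypted on disk, so the file's ownership and mode become the only protection for the web server's private key. The following check is an added example, not part of the original guide: key_is_encrypted, check_server_key and demo are hypothetical names, PEM-format keys as written by openssl rsa are assumed, and the demo files are constructed stubs rather than real keys.

```shell
#!/bin/sh
# Added example: audit server.key after the pass phrase has been removed
# (Procedure 8-1, step 11c). Function names are hypothetical.

# Succeeds if FILE is a pass-phrase-protected PEM key. Traditional RSA PEM
# files carry a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 files use the
# "BEGIN ENCRYPTED PRIVATE KEY" marker.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# check_server_key FILE
# Prints one finding and returns 1 on FAIL:
#   OK    group and other have no access to the key file
#   WARN  key is still encrypted, but group or other can access the file
#   FAIL  key is plaintext and group or other can access it, or file missing
check_server_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "FAIL $key: not found"
        return 1
    fi
    # First field of "ls -l" is the mode string, e.g. -rw-------
    mode=$(ls -ld "$key" | awk '{ print substr($1, 1, 10) }')
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if key_is_encrypted "$key"; then state=encrypted; else state=plaintext; fi

    if [ "$group_other" = "------" ]; then
        echo "OK $key: $state, mode $mode"
    elif [ "$state" = encrypted ]; then
        echo "WARN $key: encrypted, but mode $mode grants group/other access"
    else
        echo "FAIL $key: plaintext private key with mode $mode"
        return 1
    fi
}

# Demonstration on constructed stub files (headers only, no key material).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$dir/server.key.orig"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$dir/server.key"
    chmod 644 "$dir/server.key.orig" "$dir/server.key"
    check_server_key "$dir/server.key.orig"      # WARN
    check_server_key "$dir/server.key" || true   # FAIL
    chmod 600 "$dir/server.key"
    check_server_key "$dir/server.key"           # OK
    rm -rf "$dir"
}
demo
```

On a real host the argument would be /opt/OPENca/current/apache/conf/server.key, checked after step 11c and again after any restore of the conf directory.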


Installing openCA Subscriber Web Access on Solaris


1. Before you begin, ensure:
   - You are logged into the server as user root.
   - All pre-installation requirements described in System Requirements are met.
2. Enter the following command to create a temporary directory:
       mkdir /opt/CA_INSTALL
3. Enter the following commands to extract the release from CD:
       cd /opt/CA_INSTALL
       cp /cdrom/cdrom0/openCA-SUBWEB-<version>.tar.gz .
4. Enter the following command to unzip and untar the package:
       gzip -dc openCA-SUBWEB-<version>.tar.gz | tar xvf -
5. Enter the following command to install the package:
       pkgadd -d . OPENca-SUBWEB
6. Enter the following command to set the password for otcaop:
       passwd otcaop
   Enter and confirm the password as prompted.
7. Enter the following command to set the password for postgres:
       passwd postgres
   Enter and confirm the password as prompted.
8. Enable the PostgreSQL service:
       svcadm enable postgresql_83:default_32bit
   This creates PostgreSQL default configuration files in /var/postgres/8.3/data.

Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 1 of 3)


9.

As user otcaop, run the sub_configure.pl script to install the necessary scripts and configuration files. This script performs the following actions:
a. Copies the scripts and configuration files from the installation area:
    /opt/OPENca/openCA-4.3.8/apache/skel
   directory to their operational area:
    /opt/OPENca/openCA-4.3.8/apache/conf
b. Edits these files in the operational area to match your input
c. Installs links at /etc/init.d and /var/lib/pgsql/data
d. (Optionally) Generates temporary Self-Signed Certificates for secure Web access
e. (Optionally) Creates and configures the Subscriber Web Database

To run sub_configure.pl, enter the following command:
    cd /opt/OPENca/openCA-4.3.8/apache/bin
    ./sub_configure.pl
You will be prompted to answer questions. Where available, you may select the default value shown in [] brackets by pressing the Enter key. When prompted to enter a pass phrase for /opt/OPENca/openCA-4.3.8/apache/conf/server.key, enter any phrase and re-enter the same phrase at each of the following prompts for the server key. Remember the pass phrase, as you may need to provide it later.

10.

(Optional) If you did not create a Subscriber Web Database in Step 8 and you intend to import data from a different database, create one now by running the following script as the postgres user:
    ./sub_createdb.pl -n <database_name> -f <db_dump.sql>
Note: db_dump.sql is an output from the following command, when it is run on a database to be restored:
    pg_dump -Fc --format=p --file=db_dump.sql <database_name>

11.

(Optional) If you created the Subscriber Web Database in step 10 or 11, as the postgres user check that the database was created and initialized successfully using the following command:
    psql -l
The output should show the newly created subscriber database in the List of Databases.

12.

Re-start the PostgreSQL database service to apply the updated configuration:
    svcadm disable postgresql_83:default_32bit
    svcadm enable postgresql_83:default_32bit

Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 2 of 3)


13.

Run or re-run the Apache service by performing the following steps:
a. Stop any running apache instances:
    svcadm disable apache2
b. Ensure that current points to the newly-installed version of OPENca-SUBWEB:
    ls -l /opt/OPENca/
c. If current points to a previous version, update it using the following commands:
    rm /opt/OPENca/current
    ln -s /opt/OPENca/<new_version> /opt/OPENca/current
d. As the otcaop user decrypt the server.key, removing the requirement for a pass phrase on each re-start of the Apache service:
    cd /opt/OPENca/current/apache/conf
    mv server.key server.key.orig
    /usr/sfw/bin/openssl rsa -in server.key.orig -out server.key
e. As the root user, start the HTTP daemon:
    svcadm enable apache2
f. Check that the Apache service has started successfully:
    svcs | grep apache2
   The output should be similar to the following:
    online 15:33:55 svc:/network/http:apache2

14.

Test that the subscriber database is accessible using an internet browser:
    https://<web_host_address>

Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 3 of 3)
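
The pass-phrase removal step in Procedures 8-1 and 8-2 leaves an unencrypted server.key next to the encrypted server.key.orig, so the file mode becomes the key's only protection. The check below is an added example, not part of this guide or of the OPENca-SUBWEB package; the function names and the placeholder key files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Apache key files left by the pass-phrase removal step.
# File names follow the procedure; the file contents are constructed placeholders.

# Exit 0 if FILE is a pass-phrase-protected PEM key. Traditional OpenSSL RSA
# keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an ENCRYPTED banner.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Exit 0 if group and other have no permission bits set on FILE.
key_mode_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Print one verdict for FILE:
# MISSING, ENCRYPTED, PLAINTEXT_PRIVATE or PLAINTEXT_EXPOSED.
audit_key() {
    if [ ! -f "$1" ]; then
        echo MISSING
    elif key_is_encrypted "$1"; then
        echo ENCRYPTED
    elif key_mode_is_private "$1"; then
        echo PLAINTEXT_PRIVATE
    else
        echo PLAINTEXT_EXPOSED
    fi
}

# Build a constructed conf directory: PEM framing only, no real key material.
make_sample_conf() {
    cat > "$1/server.key.orig" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
EOF
    chmod 600 "$1/server.key.orig"
    chmod 644 "$1/server.key"    # models a decrypted key left world-readable
}

# Demo run against the constructed directory.
SAMPLE_DIR=$(mktemp -d)
make_sample_conf "$SAMPLE_DIR"
for k in server.key server.key.orig; do
    printf '%-16s %s\n' "$k" "$(audit_key "$SAMPLE_DIR/$k")"
done
rm -rf "$SAMPLE_DIR"
```

A PLAINTEXT_EXPOSED verdict on the real server.key is cleared by restricting the file to its owner, for example with chmod 600.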


Additional Steps for Installing openCA Subscriber Web Access on a Different Host
If you are installing openCA Subscriber Web Access on a separate (non-openCA) host, perform the following additional configuration steps after installation.
Step Action

0.

Before you begin, ensure:
- You have access to the root account on each openCA host.
- You have installed OPENca-SUBWEB on the current (non-openCA host) for your operating system: Installing openCA Subscriber Web Access on Linux (page 49) or Installing openCA Subscriber Web Access on Solaris (page 52).

1.

As the root user, edit the configuration file /opt/OPENca/current/etc/openCallAgent.conf on each openCA host:
a. Set the ViaTCP.listenhostIP parameter of the Subscriber Database package to the FVIP IP address.
b. Set the ViaTCP.remotehostIP parameter of the Subscriber Database package to the IP address of the (non-openCA) host running the Subscriber Access Web Service.

2.

The PostgreSQL database uses the /opt/OPENca/openCA-4.3.8/apache/conf/pg_hba.conf file installed on the Subscriber Access Web Service host to authenticate clients connecting to the database. The file has the following default settings that connect to the database using UNIX-domain sockets or local loopback TCP/IP connections:
    local all all trust
    host all all 127.0.0.1/32 trust
Edit the file to provide both openCA servers with access to the database. Substitute:
    #host all all >>OpenCA Peer IP Address<</32 trust
with the following lines:
    host all all <OpenCA-1 IP Address>/32 trust
    host all all <OpenCA-2 IP Address>/32 trust

3.

Edit the /opt/OPENca/openCA-4.3.8/apache/cgi-bin/sub/configMap.pm file on the Subscriber Access Service host. Set the SubDB_HOST parameter to the FVIP IP address of openCA:
    SubDB_HOST => '<OpenCA FVIP IP Address>',

Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host.
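
Because the trust method in step 2 admits any connection from a matching address without a password, the set of trust records is worth checking after the edit. The following audit is an added example, not part of this guide or of PostgreSQL; the function names, the allow-list argument and the sample file (which uses documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag pg_hba.conf "trust" records that reach beyond the
# loopback address and the expected openCA peer hosts.

# audit_pg_hba FILE "IP IP ..." -> prints the address of every host* record
# whose method is trust and whose address is neither 127.0.0.1/32 nor one of
# the allowed peer addresses as a /32.
audit_pg_hba() {
    awk -v allowed="$2" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i] "/32"] = 1
        ok["127.0.0.1/32"] = 1
    }
    { sub(/#.*/, "") }                    # drop comments and the commented template line
    $1 !~ /^host(ssl|nossl)?$/ { next }   # local (UNIX-socket) records are out of scope here
    {
        addr = $4; method = $5
        if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {   # "address netmask method" form
            addr = ($5 == "255.255.255.255") ? ($4 "/32") : ($4 "/" $5)
            method = $6
        }
        if (method == "trust" && !(addr in ok)) print addr
    }' "$1"
}

# Constructed sample: the defaults quoted in step 2, two peer records, and
# two records that should be flagged (a whole subnet and an unexpected host).
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
local   all   all                    trust
host    all   all   127.0.0.1/32     trust
#host   all   all   >>OpenCA Peer IP Address<</32 trust
host    all   all   192.0.2.10/32    trust
host    all   all   192.0.2.11/32    trust
host    all   all   192.0.2.0/24     trust
host    all   all   198.51.100.7 255.255.255.255 trust
host    all   all   0.0.0.0/0        md5
EOF
}

# Demo run: the two peers are the only remote hosts expected to be trusted.
SAMPLE_HBA=$(mktemp)
write_sample_pg_hba "$SAMPLE_HBA"
echo "trust records outside the allow-list:"
audit_pg_hba "$SAMPLE_HBA" "192.0.2.10 192.0.2.11"
rm -f "$SAMPLE_HBA"
```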


Creating the Subscriber Web Database


The OPENca-SUBWEB package uses the sub_createdb.pl script to create the Subscriber Web Database. If the sub_configure.pl step in the installation process was skipped or unsuccessful in creating the Web database, you must run the sub_createdb.pl script explicitly. If you are creating a brand new database, run the script below:
    ./sub_createdb.pl
Otherwise, if you are restoring the database with previously created (plain-file) import data, run the script below:
    ./sub_createdb.pl -n <database_name> -f <db_dump.sql>

Note:

The db_dump.sql file is an output of the following command when run on a database to be restored:
    pg_dump -Fc --format=p --file=db_dump.sql <database_name>

For information on how to restore the database using a custom archived format, refer to the openCallAgent 4.3.8 User Guide. Running the sub_createdb.pl script prompts you with the following questions:
    Enter the name of the Subscriber Database to be created[subdb-ibm1]:
    Enter version to be configured[openCA-version]:


Appendix A: Operating System Patches

Solaris Patches
Solaris patches, as specified in the openCallAgent 4.3.8 Release Notes, should be applied to the system before installation. You can get information on the patches from Sun Microsystems at the SunSolve web site (http://sunsolve.sun.com/). On most systems, follow Procedure A-1.
Step Action

1.

Download and install the Patch Cluster recommended in the openCallAgent 4.3.8 Release Notes from SunSolve (or Solaris maintenance CD).

2.

Search SunSolve for the patches for each individual Solaris feature required by openCA (for example, IP Multipathing and multicast).

3.

Use the showrev command to verify that each patch is present on the system and to check the revision number.

4.

If a particular patch is not present on the system, or a newer revision of the patch is required, download the latest revision of the patch from SunSolve.

5.

Use the patchadd command to add the patch to the system.

6.

When all patches have been added to the system, reboot the system for the new patches to take effect.

Procedure A-1: Configuring Solaris Patches

Note:

Maintaining patch levels is an important (and ongoing) part of Solaris system administration. It is recommended that operators include patch level management in their system administration policies and procedures.


Linux Patches
Linux patches, as specified in the openCallAgent 4.3.8 Release Notes, should be applied to the system before installation. On most systems, follow Procedure A-2.
Step Action

1.

Download and install the recommended service pack from Red Hat.

2.

Use the rpm command to add the patch to the system.

Procedure A-2: Configuring Linux Patches

Note:

Maintaining patch levels is an important (and ongoing) part of system administration. It is recommended that operators include patch level management in their system administration policies and procedures.


Appendix B: Disk Partitioning and Mirroring

Introduction
This appendix contains information about how openCA hosts should be configured to meet High Availability / Fault Tolerance (redundancy) requirements in the following areas:
- Disk mirroring
- Disk partitioning
- Disk configuration

Note:

You must perform this configuration before installing the openCA software.

Solaris
Partitioning Disk Space
Note: You must install openCA on a UFS partition. It will not work on a ZFS partition.

The configuration is two mirrored disks (i.e. four disks altogether, two 18 GB disks and two 36 GB disks). The two external disks are mirrored against the two internal disks.

Disk 1 : 18 GB
    /                      512 MB
    swap                   4 GB
    mirroring (meta-db)    10 MB
    /var                   2 GB
    /usr                   5 GB
    /opt                   9.5 GB

Table B-1: 18 GB disk mirroring example

Disk 2 : 36 GB
    /CDR                   33 GB
    /logs                  2 GB
    mirroring (meta-db)    10 MB

Table B-2: 36 GB disk mirroring example

Solaris Disk Mirroring


This section describes how to configure UFS mirrored disks.

Copying Partitioning Information


When mirroring drive 0 to drive 1, the partitioning information must be copied from drive 0 to drive 1 (see Procedure B-1).

Note:

Procedure B-1 has fewer partitions than would normally be used in an openCA deployment.


Step Action

1.

Enter format. The following is an example of the screen that appears:
    Searching for disks...done

    AVAILABLE DISK SELECTIONS:
           0. c0t0d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
              /pci@1f,4000/scsi@3/sd@0,0
           1. c0t1d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
              /pci@1f,4000/scsi@3/sd@1,0
    Specify disk (enter its number):

2.

At the format prompt, enter 1. The following is an example of the screen that appears:
    selecting c0t1d0
    [disk formatted]

    FORMAT MENU:
            disk       - select a disk
            type       - select (define) a disk type
            partition  - select (define) a partition table
            current    - describe the current disk
            format     - format and analyze the disk
            repair     - repair a defective sector
            label      - write label to the disk
            analyze    - surface analysis
            defect     - defect list management
            backup     - search for backup labels
            verify     - read and display labels
            save       - save new disk/partition definitions
            inquiry    - show vendor, product and revision
            volname    - set 8-character volume name
            !<cmd>     - execute <cmd>, then return
            quit

Procedure B-1: Copying Partitioning Information (Sheet 1 of 3)


3.

At the format prompt, enter p. The following is an example of the screen that appears:
    PARTITION MENU:
            0      - change `0' partition
            1      - change `1' partition
            2      - change `2' partition
            3      - change `3' partition
            4      - change `4' partition
            5      - change `5' partition
            6      - change `6' partition
            7      - change `7' partition
            select - select a predefined table
            modify - modify a predefined partition table
            name   - name the current table
            print  - display the current table
            label  - write partition map and label to the disk
            !<cmd> - execute <cmd>, then return
            quit

4.

At the partition prompt, enter p. The following is an example of the screen that appears:
    Current partition table (original):
    Total disk cylinders available: 7506 + 2 (reserved cylinders)

    Part  Tag         Flag  Cylinders  Size      Blocks
    0     unassigned  wm    0          0         (0/0/0)    0
    1     swap        wu    0-222      513.07MB  (223/0/0)  1050776
    2     backup      wm    0-7505     16.86GB   (7506/0/0) 35368272
    3     unassigned  wm    0          0         (0/0/0)    0
    4     unassigned  wm    0          0         (0/0/0)    0
    5     unassigned  wm    0          0         (0/0/0)    0
    6     unassigned  wm    0          0         (0/0/0)    0
    7     unassigned  wm    0          0         (0/0/0)    0

5.

At the partition prompt, enter s. The following is an example of the screen that appears:
    0. original
    1. original
    Specify table (enter its number)[1]:

6.

At the prompt, enter 0.

Procedure B-1: Copying Partitioning Information (Sheet 2 of 3)


7.

At the partition prompt, enter p. The following is an example of the screen that appears:
    Current partition table (original):
    Total disk cylinders available: 7506 + 2 (reserved cylinders)

    Part  Tag         Flag  Cylinders  Size      Blocks
    0     root        wm    1781-2003  513.07MB  (223/0/0)  1050776
    1     swap        wu    0-1780     4.00GB    (1781/0/0) 8392072
    2     backup      wm    0-7505     16.86GB   (7506/0/0) 35368272
    3     unassigned  wm    2004-2008  11.50MB   (5/0/0)    23560
    4     var         wm    2009-2899  2.00GB    (891/0/0)  4198392
    5     usr         wm    2900-3359  1.03GB    (460/0/0)  2167520
    6     unassigned  wm    0          0         (0/0/0)    0
    7     unassigned  wm    3360-7505  9.32GB    (4146/0/0) 19535952

8.

At the partition prompt, enter l. The following prompt appears:
    Ready to label disk, continue?

9.

At the prompt, enter y.

10.

At the partition prompt, enter q. The following is an example of the screen that appears:
    FORMAT MENU:
            disk       - select a disk
            type       - select (define) a disk type
            partition  - select (define) a partition table
            current    - describe the current disk
            format     - format and analyze the disk
            repair     - repair a defective sector
            label      - write label to the disk
            analyze    - surface analysis
            defect     - defect list management
            backup     - search for backup labels
            verify     - read and display labels
            save       - save new disk/partition definitions
            inquiry    - show vendor, product and revision
            volname    - set 8-character volume name
            !<cmd>     - execute <cmd>, then return
            quit

11.

At the format prompt, enter q.

Procedure B-1: Copying Partitioning Information (Sheet 3 of 3)


Configuring Active Disk Mirroring


Procedure B-2 describes the steps to configure active disk mirroring on an openCA host.
Step Action

1.

Edit the md.tab file. See Example Edited md.tab file on page 65. This file resides in /etc/lvm.

2.

Enter the following commands to activate the configuration.
    # metadb -af mddb01
    # metainit -af
    # metaroot d0
    # lockfs -fa
    # reboot

When the system comes back up, /etc/vfstab will be as follows:
    #device             device              mount    FS     fsck   mount    mount
    #to mount           to fsck             point    type   pass   at boot  options
    #
    #/dev/dsk/c1d0s2    /dev/rdsk/c1d0s2    /usr     ufs    1      yes      -
    fd                  -                   /dev/fd  fd     -      no       -
    /proc               -                   /proc    proc   -      no       -
    /dev/dsk/c0t0d0s1   -                   -        swap   -      no       -
    /dev/md/dsk/d0      /dev/md/rdsk/d0     /        ufs    1      no       -
    /dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr     ufs    1      no       -
    /dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /var     ufs    1      no       -
    /dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /opt     ufs    2      yes      -
    /dev/dsk/c0t1d0s6   /dev/rdsk/c0t1d0s6  /logs    ufs    2      yes      -
    /dev/dsk/c0t1d0s7   /dev/rdsk/c0t1d0s7  /CDR     ufs    2      yes      -
    swap                -                   /tmp     tmpfs  -      yes      -

3.

Edit /etc/vfstab as follows.
    #device             device              mount    FS     fsck   mount    mount
    #to mount           to fsck             point    type   pass   at boot  options
    #
    fd                  -                   /dev/fd  fd     -      no       -
    /proc               -                   /proc    proc   -      no       -
    /dev/md/dsk/d1      -                   -        swap   -      no       -
    /dev/md/dsk/d0      /dev/md/rdsk/d0     /        ufs    1      no       -
    /dev/md/dsk/d3      /dev/md/rdsk/d3     /usr     ufs    1      no       -
    /dev/md/dsk/d2      /dev/md/rdsk/d2     /var     ufs    1      no       -
    /dev/md/dsk/d4      /dev/md/rdsk/d4     /opt     ufs    2      yes      -
    /dev/md/dsk/d5      /dev/md/rdsk/d5     /logs    ufs    2      yes      -
    /dev/md/dsk/d6      /dev/md/rdsk/d6     /CDR     ufs    2      yes      -
    swap                -                   /tmp     tmpfs  -      yes      -

Procedure B-2: Configuring Disk Mirroring (Sheet 1 of 2)

4.

Reboot the system.

5.

When the system restarts, enter the following to attach the mirror copies:
    # metattach d0 d20
    # metattach d1 d21
    # metattach d2 d22
    # metattach d3 d23
    # metattach d4 d24
    # metattach d5 d25
    # metattach d6 d26
The mirrors update automatically.

6.

To check the status or progress of mirrors, use the metastat command.

Procedure B-2: Configuring Disk Mirroring (Sheet 2 of 2)

Example Edited md.tab file


    # metainit & metadb utilities input file.
    #
    # Metadevice database entry:-
    #
    mddb01 -c 2 /dev/dsk/c0t0d0s3 /dev/dsk/c0t1d0s3 \
            /dev/dsk/c1t10d0s3 /dev/dsk/c1t11d0s3
    #
    # Mirror configurations
    #
    # Mirror / partition
    d10 1 1 c0t0d0s0
    d20 1 1 c1t10d0s0
    d0 -m d10
    # Mirror swap partition
    d11 1 1 c0t0d0s1
    d21 1 1 c1t10d0s1
    d1 -m d11
    # Mirror /var partition
    d12 1 1 c0t0d0s4
    d22 1 1 c1t10d0s4
    d2 -m d12
    # Mirror /usr partition
    d13 1 1 c0t0d0s5
    d23 1 1 c1t10d0s5
    d3 -m d13
    # Mirror /opt partition
    d14 1 1 c0t0d0s7
    d24 1 1 c1t10d0s7
    d4 -m d14
    # Mirror /logs partition
    d15 1 1 c0t1d0s6
    d25 1 1 c1t11d0s6
    d5 -m d15
    # Mirror /CDR partition
    d16 1 1 c0t1d0s7
    d26 1 1 c1t11d0s7
    d6 -m d16
    # End of configurations.


References
For more detailed information, refer to the Solstice DiskSuite 4.2.1 User's Guide and Solstice DiskSuite 4.2.1 Reference Guide. Also refer to the following Solaris man pages:
    man metadb
    man metainit
    man metaroot
    man lockfs
    man md.tab
    man metastat

Linux
Fastwire recommend you run the Linux version of openCA with the following minimum hardware and software components: IBM Blade Server 2 CPU (i686) 2 * 36GB Disks. Red Hat Enterprise Linux ES 5.2

Partitioning Disk Space


The configuration shown assumes the system has been set up with a single mirrored disk. Some systems, for example the IBM BladeCenter, use hardware disk mirroring. For information on how to configure disk partitioning, consult the documentation supplied with the hardware and operating system distribution.

Disk : 36 GB
    /        512 MB
    swap     2 times available RAM
    /var     2 GB
    /usr     1 GB
    /opt     9.5 GB
    /CDR     10 GB
    /logs    8 GB

Table B-3: 36 GB Disk Partitioning Example


Appendix C: IP Network Configuration

Solaris IP Network Configuration


Redundant Configuration
For a redundant configuration on Solaris, there are two different IP networks associated with openCA hosts. One is the Call VLAN which is the IP connectivity for all external communication, the other network is the Redundancy network. The Redundancy network is used by a pair of servers to communicate with each other, to determine the active Call Agent and to pass synchronisation information. Each network requires its own pair of physical interface ports. The openCA servers should be setup as shown below.

[Figure C-1: Redundant openCA server setup configuration. The diagram shows CA 1 and CA 2 joined by P2P connections on the Redundancy Network, with each server connected to the Call VLAN through multipathing.]

The Redundancy network consists of two point-to-point (P2P) connections. Crossover cables are required for each connection between the two servers. Multipathing is NOT configured on these network connections. Multipathing is used only for connections to the Call VLAN.


Standalone Configuration
In a standalone configuration on Solaris, there is no redundancy network to configure. The openCA host connects to the call VLAN over a pair of physical interface ports configured for IP multipathing. The openCA servers should be setup as shown below.

[Figure C-2: Standalone openCA server setup configuration. The diagram shows a single CA connected to the Call VLAN through multipathing.]

Solaris Configuring IP Multipathing and Point to Point Connections


This section provides step-by-step instructions for the configuration of IP Multipathing and Point-to-Point connections. For more information on IP Multipathing, see:
- IP Network Multipathing Administration Guide at http://docs.sun.com/
- IP Network Multipathing blueprint at http://www.sun.com/blueprints

Solaris Enabling Unique MAC Addresses


Ensure that unique MAC addresses are used for each network interface card. As user root, enter the eeprom command and look at the value of the local-mac-address parameter. If the value is false (the default), all network interface cards in the server use the same MAC address. If this is the case, you will not be able to connect two network interface cards to the same subnet and you will not be able to configure IP Multipathing. To set the correct eeprom value, enter the following command:
    eeprom local-mac-address?=true

Note:

You must reboot the server for this command to take effect.


Solaris Allocating IP Addresses


Allocate IP addresses (in the same subnet) for IP Multipathing. Allocate the following:
- One IP address for each physical interface (in this case, hme0 and hme1)
- One IP address to the primary (virtual) IP address of the machine
- One IP address to the backup (virtual) IP address of the machine

For a redundant configuration, allocate IP addresses (different subnet to the multipathing network) for the P2P devices.
- One IP address for each physical interface (in this case, qfe1 and qfe3)

Update the /etc/hosts file with the IP addresses defined above. Fastwire recommend you use the following naming convention:
- hostname: The primary (virtual) IP address of the machine.
- hostname-interface: The IP address of each physical interface on the machine.
- hostname-backup: The backup (virtual) IP address of the machine.

An example /etc/hosts setup for a openCA host is provided below.


    #
    # Internet host table
    #
    127.0.0.1       localhost
    # openCA host oca01s IP addresses
    203.194.24.1    oca01-hme0
    203.194.24.2    oca01-qfe0
    203.194.24.3    oca01-backup
    203.194.24.4    oca01-kent-syd
    10.10.10.1      oca01-qfe1
    10.10.10.3      oca01-qfe3
    # openCA host oca02s IP addresses
    203.194.24.5    oca02-hme0
    203.194.24.6    oca02-qfe0
    203.194.24.7    oca02-backup
    203.194.24.8    oca02-kent-syd
    10.10.10.2      oca02-qfe1
    10.10.10.4      oca02-qfe3
    # Signalling Gateway host osg01s IP addresses
    203.194.24.12   osg01-hme0
    203.194.24.13   osg01-hme1
    203.194.24.14   osg01-backup
    203.194.24.15   osg01-kent-syd osg01 loghost
    # openSG host osg02s IP addresses
    203.194.24.16   osg02-hme0
    203.194.24.17   osg02-hme1
    203.194.24.18   osg02-backup
    203.194.24.19   osg02-kent-syd osg02

Note:

Ensure that physical interface cards are cabled correctly and that IP addresses are assigned to the appropriate interfaces.

Solaris Disabling Network Routing


If the node will not be performing network routing (recommended), enter the following command:
    touch /etc/notrouter

Note:

You must reboot the server for this command to take effect, unless the IP driver parameter ip_forwarding is set to zero using the ndd /dev/ip command.

Solaris Configuring Router Discovery


To configure the router discovery daemon, follow the steps in Procedure C-1.
Step Action

1.

Create the rdisc file in /etc/init.d. See Contents of /etc/init.d/rdisc on page 71.

2.

Enter the following command to allow execute permission on the file:
    chmod 755 /etc/init.d/rdisc

3.

To test the script, start the router discovery daemon by entering the following command:
    /etc/init.d/rdisc start

4.

Enter the following command to create a hard link to this file in /etc/rc2.d:
    ln /etc/init.d/rdisc /etc/rc2.d/S70rdisc

Procedure C-1: Configuring Router Discovery

By default, the router discovery daemon will not start if there are routes defined in the /etc/defaultrouter file. Procedure C-1 ensures that the router discovery daemon will start under all circumstances.


Contents of /etc/init.d/rdisc
    #!/bin/sh
    #
    # If parameter 1 is "start" then check if the router discovery
    # daemon, in.rdisc, is running and if not, start it. If parameter 1
    # is "stop" then stop in.rdisc
    #
    case "$1" in
    'start')
            if [ -x /usr/bin/pgrep ]
            then
                    /usr/bin/pgrep -x -u 0 in.rdisc >/dev/null 2>&1 || \
                            /usr/sbin/in.rdisc -f >/dev/msglog 2>&1
            else
                    logger Cannot execute /usr/bin/pgrep, in.rdisc not started.
            fi
            ;;
    'stop')
            /usr/bin/pkill -x -u 0 in.rdisc
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            ;;
    esac
    exit 0

Solaris Configuring Network Interfaces


Update the configuration files for each network interface. This ensures that the IP Multipathing configuration survives a server reboot. Fastwire recommend that you keep a copy of the original configuration files and a copy of these configuration files with an IP Multipathing configuration. This allows a system administrator to change the configuration of the server very quickly if required. The following are examples:
    /etc/hostname.hme0            (current configuration for hme0)
    /etc/hostname.hme0.orig       (original configuration of hme0)
    /etc/hostname.hme0.multipath  (IP Multipathing configuration for hme0)
    /etc/hostname.qfe0            (current configuration of qfe0)
    /etc/hostname.qfe0.orig       (original configuration of qfe0)
    /etc/hostname.qfe0.multipath  (IP Multipathing configuration of qfe0)
    /etc/hostname.qfe1.p2p        (P2P configuration of qfe1)
    /etc/hostname.qfe1            (current configuration of qfe1)
    /etc/hostname.qfe3.p2p        (P2P configuration of qfe3)
    /etc/hostname.qfe3            (current configuration of qfe3)


Contents of /etc/hostname.hme0
    oca01-hme0 netmask + broadcast + \
    group call-control deprecated -failover up \
    addif oca01 netmask + broadcast + failover up

Contents of /etc/hostname.qfe0
    oca01-qfe0 netmask + broadcast + \
    group call-control deprecated -failover up \
    addif oca01-backup netmask + broadcast + failover up

Contents of /etc/hostname.qfe1
oca01-qfe1 netmask + destination oca02-qfe1

Contents of /etc/hostname.qfe3
oca01-qfe3 netmask + destination oca02-qfe3

This configuration will place interface hme0 and hme1 in an IP Multipathing group known as production and the interfaces qfe1 and qfe3 as P2P connections for the Redundancy network. The addif command creates the virtual interfaces used by the IP Multipathing daemon (in.mpathd). These virtual interfaces have the failover flag indicating that they will fail over in the event of an interface failure. Reboot the server for the multipathing changes to take effect.

Solaris Setting Failure Detection Times


In the file /etc/default/mpathd, change the parameter FAILURE_DETECTION_TIME from 10000 milliseconds (10 seconds) to 6000 milliseconds (6 seconds). To change the multipath detection timeout, follow the steps in Procedure C-2.
Step Action

1.

Become root user.

2.

Edit /etc/default/mpathd and enter the new value for the FAILURE_DETECTION_TIME parameter, i.e.
    FAILURE_DETECTION_TIME=6000

3.

Restart the daemon for this change to take effect. Either reboot the machine or send a SIGHUP to the IP Multipathing daemon process:
    kill -HUP process-ID-for-in.mpathd
or
    pkill -HUP in.mpathd

Procedure C-2: Multipath Detection Timeout (Sheet 1 of 2)


4.

To check that in.mpathd is running, enter the following command:
    ps -ef | grep in.mpathd

5.

Monitor the file /var/adm/messages for messages from the IP Multipathing daemon.

Procedure C-2: Multipath Detection Timeout (Sheet 2 of 2)

If you get a large number of messages as shown below, you may need to increase the FAILURE_DETECTION_TIME:
Jan 18 15:16:55 osg01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6368 ms

If you're still seeing a large number of these messages and the FAILURE_DETECTION_TIME is above 6 seconds, notify Customer Support. Other openCA parameters may have to be adjusted to support this FAILURE_DETECTION_TIME.

FAILURE_DETECTION_TIME in the mpathd File


    #
    #ident "@(#)mpathd.dfl 1.1 00/01/03 SMI"
    #
    # Time taken by mpathd to detect a NIC failure in ms. The minimum time
    # that can be specified is 100 ms.
    #
    FAILURE_DETECTION_TIME=6000
    #
    # Failback is enabled by default. To disable failback turn off this option
    #
    FAILBACK=yes
    #
    # By default only interfaces configured as part of multipathing groups
    # are tracked. Turn off this option to track all network interfaces
    # on the system
    #
    TRACK_INTERFACES_ONLY_WITH_GROUPS=yes


Configuring Probe Targets


IP Multipathing will dynamically select probe targets in the local network to determine the status of the interfaces in a particular IP Multipathing group. Although this mechanism works fine in simple networks where there is only a single default gateway out of the local area network, it is recommended that probe targets are seeded in situations where redundant gateways are used (for example, where redundant Cisco Content Services Switch (CSS) devices are configured as the default gateway). To determine whether this step is necessary, refer to the network diagram and deployment documentation for your installation.
Step Action

1.

Configure the IP address of the default router for the local network in the /etc/defaultrouter file (as normal). For example, where CSS devices are used, the IP address of the default router is typically the redundant interface address in the local network that was configured on both CSS devices. In this example, 203.194.24.11.

2.

Select a subnet address that is not used in the network or which is not accessible from the local network (for example, 192.168.254.0).

3.

Determine the local interface IP addresses of the local redundant gateway devices. For example:
- 203.194.24.9 is the IP address of interface e2 on CSS01 in the local network
- 203.194.24.10 is the IP address of interface e2 on CSS02 in the local network

4.

Configure a static route to the network selected in Step 2 to the interface IP address on each redundant gateway device. In this example:
    # route add 192.168.254.0 203.194.24.9
    # route add 192.168.254.0 203.194.24.10

5.

To verify the correct operation of IP Multipathing after the change in Step 4, enter the following command:
    # snoop -d <interface> icmp
Where <interface> is the interface on the local network (for example, hme0, qfe0 and so forth). Look for periodic ICMP echo requests for three addresses. In this example, 203.194.24.9, 203.194.24.10 and 203.194.24.11.

Procedure C-3: Configuring IP Multipathing Targets


Verifying Operation of IP Multipathing and P2P Connections


Enter the following command to view the configuration of the network interface cards:
    ifconfig -a
Using the example above, this command will yield the response below:
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
            inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
            ether 8:0:20:f9:f2:bc
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
    qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
            inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
            groupname production
            ether 8:0:20:f9:f2:bd
    qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
            inet 203.194.24.3 netmask ffffff00 broadcast 204.194.24.255
    qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
            inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
    qfe3: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
            inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

To verify the P2P connections, ping the far end of the connection (i.e. from oca01):
    ping 10.10.10.2
and get a response:
    10.10.10.2 is alive

Troubleshooting IP Multipathing
In the example below, hme0 will be failed.
    Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
    Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
    Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
    Sep 21 12:10:51 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?

The message log shows that the interface failure is detected almost immediately. Then, within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the primary (virtual) IP address to hme1.


The ifconfig command shows how IP Multipathing handles the interface failure. Interface hme0 is labelled FAILED and the primary (virtual) IP address that was virtual interface hme0:1 on hme0 has moved to virtual interface hme1:2 on hme1. The server will not respond to 203.194.24.1 (the IP address assigned to the physical interface hme0) but will respond to the remaining three IP addresses, 203.194.24.2, 203.194.24.3 and 203.194.24.4.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 2
            inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
            ether 8:0:20:f9:f2:bc
    qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
            inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
            ether 8:0:20:f9:f2:bd
    qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
            inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
    qfe0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
            inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
    qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
            inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
    qfe3: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
            inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

The messages below are generated when hme0 is repaired. The output of ifconfig will return to that shown in Verifying Operation of IP Multipathing and P2P Connections on page 75.
    Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : External Transceiver Selected.
    Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
    Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
    Sep 21 12:12:50 oca03 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0

In the example below, hme1 will be failed.


    Sep 21 12:07:32 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : No response from Ethernet network : Link down -- cable problem?
    Sep 21 12:07:40 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on qfe0
    Sep 21 12:07:40 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme1 to NIC hme0


The message log shows that the interface failure is detected almost immediately. Then, within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the backup (virtual) IP address to hme0.

The ifconfig command shows how IP Multipathing handles the interface failure. Interface hme1 is labelled FAILED and the backup (virtual) IP address that was virtual interface hme1:1 on hme1 has moved to virtual interface hme0:2 on hme0. The server will not respond to 203.194.24.2 (the IP address assigned to the physical interface qfe0) but will respond to the remaining three IP addresses, 203.194.24.1, 203.194.24.3 and 203.194.24.4.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
            inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
            ether 8:0:20:f9:f2:bc
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
    hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
    qfe0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 3
            inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
            ether 8:0:20:f9:f2:bd

The following example shows the messages generated when hme1 is repaired. The output of ifconfig will return to that shown in Verifying Operation of IP Multipathing and P2P Connections on page 75.
    Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : External Transceiver Selected.
    Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
    Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on qfe0
    Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC qfe0
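The in.mpathd messages shown in this section can be monitored automatically. The following Python script is an added example, not part of the Fastwire guide: it pairs failure and repair messages per NIC, reports how long each outage lasted and lists NICs that are still down. The year argument is an assumption (syslog timestamps carry no year), and the last sample line is constructed.

```python
import re
from datetime import datetime

# The first six lines are the hme0 messages from the guide with wrapped lines
# rejoined. The last line is constructed to show a failure with no repair yet.
SAMPLE_LOG = """\
Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0
Sep 21 13:01:02 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on qfe0
"""

# Only in.mpathd lines are of interest; driver (hme) lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"in\.mpathd\[\d+\]:\s\[ID \d+ \S+\]\s(?P<msg>.*)$"
)
PATTERNS = [
    ("failure", re.compile(r"NIC failure detected on (\S+)")),
    ("failover", re.compile(r"Successfully failed over from NIC (\S+) to NIC (\S+)")),
    ("repair", re.compile(r"NIC repair detected on (\S+)")),
    ("failback", re.compile(r"Successfully failed back to NIC (\S+)")),
]


def parse_events(log_text, year=2010):
    """Return (timestamp, host, kind, args) for every in.mpathd event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        for kind, pattern in PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append((when, m.group("host"), kind, hit.groups()))
                break
    return events


def outages(events):
    """Pair failure and repair events per (host, NIC).

    Returns (closed, still_down): closed is a list of
    (host, nic, standby_nic, seconds_down); still_down lists "host:nic"
    for failures that have no matching repair message.
    """
    down, closed = {}, []
    for when, host, kind, args in events:
        key = (host, args[0])
        if kind == "failure":
            down[key] = {"start": when, "standby": None}
        elif kind == "failover" and key in down:
            down[key]["standby"] = args[1]
        elif kind == "repair" and key in down:
            rec = down.pop(key)
            seconds = int((when - rec["start"]).total_seconds())
            closed.append((host, args[0], rec["standby"], seconds))
    still_down = sorted(f"{host}:{nic}" for host, nic in down)
    return closed, still_down


if __name__ == "__main__":
    closed, still_down = outages(parse_events(SAMPLE_LOG))
    for host, nic, standby, seconds in closed:
        print(f"{host}: {nic} down for {seconds}s, traffic moved to {standby}")
    for item in still_down:
        print(f"ALERT: {item} failed and has not been repaired")
```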


Related Commands
The two main daemons required for correct operation of IP Multipathing are:

    /usr/sbin/in.rdisc (router discovery daemon)
    /sbin/in.mpathd (IP Multipathing daemon)

The following commands let you see whether these daemons (for example, in.mpathd) are running:

    /usr/bin/pgrep in.mpathd
    /bin/ps -ef | grep in.mpathd

The pgrep command returns the process ID of the process if the process is running (scheduled). If the process is not running, pgrep returns nothing. The grep command performs a search operation on the list of running (scheduled) processes.

The netstat -rn command shows the current routing table on the server (see below). In this case, the best route to network 192.168.16.0 is through interface hme0:1, which is the primary (virtual) IP address (192.168.16.20).

    # netstat -rn
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    -------------------- -------------------- ----- ----- ------ ---------
    203.194.24.0         203.194.24.3         U         1     12 qfe0:1
    203.194.24.0         203.194.24.4         U         1      2 hme0:1
    203.194.24.0         203.194.24.2         U         1      0 qfe0
    203.194.24.0         203.194.24.1         U         1      0 hme0
    224.0.0.0            203.194.24.4         U         1      0 hme0:1
    10.10.10.2           10.10.10.1           UH        1      0 qfe1
    10.10.10.4           10.10.10.3           UH        1      0 qfe3
    default              203.194.24.11        UG        1    367
    127.0.0.1            127.0.0.1            UH       23 696581 lo0


Solaris Name Service Configuration


The name service on each openCA host must be configured according to the following guidelines to ensure proper operation of the openCA application.

Name Service Switch Configuration


Solaris uses a number of databases for information about hosts, IP nodes, passwords, groups and so forth. This data can come from a variety of sources, for example, /etc/hosts (files), NIS, NIS+, DNS or LDAP. The name service switch configuration file (/etc/nsswitch.conf) specifies which information sources are used and their lookup order. For each openCA host, edit /etc/nsswitch.conf so that the hosts and services lines are as follows:

    hosts: files
    services: files

For openCA hosts, only files should be used. DNS, NIS, NIS+ and LDAP are not currently supported.

Solaris Configuration of /etc/hosts


The /etc/hosts file for any machine should contain the IP address/hostname pair for each host that users or applications on this machine may wish to refer to or communicate with by hostname. In other words, it effectively provides a lookup service which takes a hostname as an argument and returns the correct IP address for that hostname. Each openCA host should contain an entry for every IP address of:

    openCA hosts
    openSG hosts
    openVI hosts
    openSCP hosts
    media gateways and network access servers
    H.323 gateways

Each entry in the /etc/hosts should take the following form:

    IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of 203.194.24.19 and a backup IP address of 203.194.24.18, the following entries would need to be inserted in /etc/hosts:

    203.194.24.8 oca02 alt-name-4-oca02
    203.194.24.7 oca02-backup


Thereafter, if we ping or telnet oca02 (or alt-name-4-oca02), all communications will be with the remote IP address 203.194.24.8, whereas if we ping or telnet oca02-backup, all communications will be with the remote IP address 203.194.24.7.

Linux IP Network Configuration


IBM Blade Center Redundant Configuration
The IBM Blade Center redundant configuration is two IBM Blade servers running in an IBM BladeCenter that is connected to the call VLAN. The configuration is shown in Figure C-3.

[Diagram labels: CA 1, CA 2, BladeCenter, IP Backbone, Call VLAN]

Figure C-3: IBM Blade Center redundant configuration


Linux Server Redundant Configuration with Ethernet Bonding


This configuration utilises ethernet bonding to provide network redundancy.

[Diagram labels: CA 1, CA 2, SW 1, ISL, SW 2, Call VLAN]

Figure C-4: Linux Server Redundant Configuration with Ethernet Bonding

Standalone Configuration
In a standalone Linux configuration the openCA host is directly connected to the call VLAN over a single network interface as shown in the diagram below.

[Diagram labels: openCA, Call VLAN]

Figure C-5: Standalone Linux configuration


Linux Name Service Configuration


The name service on each openCA host must be configured according to the following guidelines to ensure proper operation of the openCA application.

Name Service Switch Configuration


Linux uses a number of databases for information about hosts, IP nodes, passwords, groups and so forth. This data can come from a variety of sources, for example, /etc/hosts (files), NIS, NIS+, DNS or LDAP. The name service switch configuration file (/etc/nsswitch.conf) specifies which information sources are used and their lookup order. For each openCA host, edit /etc/nsswitch.conf so that the hosts and services lines are as follows:

    hosts: files
    services: files

Linux Configuration of /etc/hosts


For openCA hosts, only files should be used. DNS, NIS, NIS+ and LDAP are not currently supported. Each openCA host should contain an entry for every IP address of:

    openCA hosts
    Signalling Gateway hosts
    openSCP and openSDF hosts (if applicable)
    Media Gateways and Network Access Servers
    openVI hosts (if applicable)
    H.323 gateways (if applicable)

Each entry in the /etc/hosts should take the following form:

    IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of 203.194.24.8, the following entry would need to be inserted in /etc/hosts:

    203.194.24.8 oca02

Thereafter, if we ping or telnet oca02, all communications will be with the remote IP address 203.194.24.8.

Finally, process logging, CDR storing, and listening for H323 connections will also usually occur on the same host as openCA is running. Therefore, loghost, myCDR, myASP, and myH323Listener should be added to the entry for the local Call Agent.


An example of an openCA host's /etc/hosts file is provided below.

    #
    # Internet host table
    #
    127.0.0.1 localhost
    # openCA host oca01's IP address
    203.194.24.118 oca01 loghost myASP myCDR
    # Fvip address.
    203.194.24.5 ocafvip myH323Listener
    # openCA host oca02's IP address
    203.194.24.119 oca02
    # openSG host osg01's IP addresses
    203.194.24.12 osg01

Note:

Ensure that physical interface cards are cabled correctly and that IP addresses are assigned to the appropriate interfaces.
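Because name lookups are served from files only, a missing or ambiguous /etc/hosts entry cannot be papered over by DNS. The following Python check is an added example, not part of the Fastwire guide: it verifies that nsswitch.conf restricts hosts and services to files, and that a hosts table carries the aliases named above with one address per name. The peer list passed to check_hosts and the two "bad" samples are constructed for illustration.

```python
import ipaddress

REQUIRED_ALIASES = ("loghost", "myCDR", "myASP", "myH323Listener")

# The example hosts table from the guide.
GOOD_HOSTS = """\
127.0.0.1 localhost
# openCA host oca01's IP address
203.194.24.118 oca01 loghost myASP myCDR
# Fvip address.
203.194.24.5 ocafvip myH323Listener
203.194.24.119 oca02
203.194.24.12 osg01
"""

# Constructed: myCDR and myH323Listener missing, oca02 listed twice.
BAD_HOSTS = """\
127.0.0.1 localhost
203.194.24.118 oca01 loghost myASP
203.194.24.119 oca02
203.194.24.19 oca02
"""

# Constructed: DNS added as a second source for hosts.
BAD_NSSWITCH = "passwd: files\nhosts: files dns\nservices: files\n"


def check_nsswitch(text):
    """Report hosts/services databases that are not restricted to 'files'."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            database, sources = line.split(":", 1)
            seen[database.strip()] = sources.split()
    problems = []
    for database in ("hosts", "services"):
        sources = seen.get(database)
        if sources != ["files"]:
            found = " ".join(sources) if sources else "no entry"
            problems.append(f"{database}: expected 'files' only, found '{found}'")
    return problems


def parse_hosts(text):
    """Map every hostname and alias to the list of addresses it appears with."""
    table, bad_lines = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(number)
            continue
        for name in fields[1:]:
            table.setdefault(name, []).append(fields[0])
    return table, bad_lines


def check_hosts(text, peers):
    """Report missing names, ambiguous names and unparsable lines."""
    table, bad_lines = parse_hosts(text)
    problems = [f"line {n}: first field is not an IP address" for n in bad_lines]
    for name in list(REQUIRED_ALIASES) + list(peers):
        if name not in table:
            problems.append(f"{name}: no entry, and no other name service is consulted")
    for name, addresses in table.items():
        if len(set(addresses)) > 1:
            problems.append(f"{name}: listed with several addresses {sorted(set(addresses))}")
    return problems


if __name__ == "__main__":
    for problem in check_nsswitch(BAD_NSSWITCH) + check_hosts(BAD_HOSTS, ["oca02"]):
        print(problem)
```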

Linux Disabling Network Routing


If the node will not be performing network routing (recommended), consult the documentation supplied with the operating system distribution for information on how to disable network routing. For RedHat Linux ES4, this can be done at install time.


Ethernet Bonding on RedHat ES 5


Ethernet bonding provides equivalent functionality to the Solaris multipathing, with two ethernet interfaces able to be linked as an active/backup pair. In a redundant configuration, two physical ethernet interfaces are usually installed on each server. One interface on each server is then connected to each of two layer 2 ethernet switches as shown in Figure C-6.

[Diagram labels: CA 1, CA 2, SW 1, ISL, SW 2, Call VLAN]

Figure C-6: Ethernet Bonding on RedHat ES 5

This provides interface redundancy and also facilitates switch redundancy.

Note:

Ethernet bonding is not configured if IBM Blade Center Redundant Configuration is used.

Configuring a Bonded Interface


The Linux bonding interfaces differ from Sun multipathing in that only a single IP interface is required. For the purposes of this discussion assume that:


    bond0 is the name of the virtual bonded interface to be created
    eth0 is the first slave interface
    eth1 is the second slave interface
    203.194.24.118 is to be assigned to the bonded interface

The configuration proceeds as described in Procedure C-4.

1. As user root, change directory to /etc/sysconfig/network-scripts and create the interface configuration file for the bonding interface ifcfg-bond0. It should contain the following lines:

    DEVICE=bond0
    BONDING_OPTS="mode=active-backup miimon=100"
    BOOTPROTO=static
    ONBOOT=YES
    NETWORK=203.194.24.0
    NETMASK=255.255.255.0
    IPADDR=203.194.24.118
    USERCTL=no

2. Create (or edit if it already exists) the interface config file ifcfg-eth0 as follows:

    DEVICE=eth0
    HWADDR=<MAC address>
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes
    USERCTL=no

3. Create (or edit if it already exists) the interface config file ifcfg-eth1 as follows:

    DEVICE=eth1
    HWADDR=<MAC address>
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes
    USERCTL=no

Procedure C-4: Configuring a bonded interface (Sheet 1 of 2)


4. Enable the loading of the bonding ethernet kernel module with the correct options by editing the file /etc/modprobe.conf and adding the following lines:

    alias bond0 bonding

5. The server should be rebooted for the changes to take effect:

    reboot

6. After reboot there should be a bond0 interface. The bond0 interface should be the MASTER interface, while eth0 and eth1 should be SLAVE interfaces. Enter the following command to view the configuration of the network interface cards:

    ifconfig -a

    bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
              inet addr:10.70.80.60  Bcast:10.70.80.255  Mask:255.255.255.0
              inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
              UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
              RX packets:64291620 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13654588 errors:5 dropped:0 overruns:5 carrier:5
              collisions:0 txqueuelen:0
              RX bytes:3083505453 (2.8 GiB)  TX bytes:3472883492 (3.2 GiB)

    eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
              inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
              UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
              RX packets:29667303 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2581088162 (2.4 GiB)  TX bytes:1780952642 (1.6 GiB)

    eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
              inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
              UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
              RX packets:34624320 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9211375 errors:5 dropped:0 overruns:5 carrier:5
              collisions:0 txqueuelen:1000
              RX bytes:502417582 (479.1 MiB)  TX bytes:1691932738 (1.5 GiB)
              Interrupt:209 Base address:0xe000

Procedure C-4: Configuring a bonded interface (Sheet 2 of 2)

Displaying a Bonded Interfaces Status


To display the current status of the bond0 bonded interface, use the following command:


cat /proc/net/bonding/bond0


Appendix D: Network Time

Configuring Network Time


openCA uses databases to store configuration data. In a redundant configuration, a replica of the database exists on each host. When configuration data is added or updated in one of the databases, that database automatically ensures that the new data is propagated to the other database replica. The replication mechanism requires that the clocks on each host are synchronised. Network Time Protocol (NTP) is used for this purpose.

Note:

NTP is not required in a standalone configuration with only a single database.


Solaris
Procedure D-1 contains the Solaris NTP configuration procedure. For more information, refer to the XNTPD manual page (man xntpd).

1. Log in as root.

2. Create the NTP configuration file: /etc/inet/ntp.conf.

    # @(#)ntp.conf 1.5 99/09/21 SMI
    #
    # /etc/inet/ntp.conf
    #
    # An example file that could be copied over to /etc/inet/ntp.conf.
    #
    server 203.194.28.160
    server 203.194.28.161
    enable monitor
    driftfile /var/ntp/ntp.drift
    statsdir /var/ntp/ntpstats/
    #filegen peerstats file peerstats type day enable
    #filegen loopstats file loopstats type day enable
    #filegen clockstats file clockstats type day enable
    #keys /etc/inet/ntp.keys
    #trustedkey 10
    #requestkey 0
    #controlkey 0

   In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

   Note: In the example above, statistics are disabled in order to avoid the creation of a large number of files.

3. Use the date command to set the time correctly.

4. Start the ntp service by entering:

    svcadm enable ntp

Procedure D-1: NTP Configuration for Solaris (Sheet 1 of 2)


5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts. The following is an example of the response:

    % ntpq -p
         remote     refid    st t when poll reach  delay  offset   disp
    *oca01          .LCL.     1 -   13   64  377    0.40   0.017   1.05

Procedure D-1: NTP Configuration for Solaris (Sheet 2 of 2)


Linux
Procedure D-2 contains the Linux NTP configuration procedure to use if NTP has not already been enabled at installation time (see Procedure D-1 for information on how to configure NTP at install time). For more information, refer to the NTPD manual page (man ntpd).

1. Log in as root.

2. Edit the NTP Servers file: /etc/ntp.conf.

    server 203.194.28.160
    server 203.194.28.161

   In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

3. Use the date command to set the time correctly.

4. Start the xntpd daemon by entering:

    /etc/init.d/ntpd start

5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts. The following is an example of the response:

    % ntpq -p
         remote     refid    st t when poll reach  delay  offset jitter
    *oca01          .LCL.     1 -   13   64  377    0.40   0.017   1.05

Procedure D-2: NTP Configuration for Linux


Appendix E: Security

Introduction
By default, both Solaris 10 and Linux have services enabled that are not required by openCA. Some of these services may have security implications, so it is good practice to disable any service that is not specifically required. This section identifies the startup scripts and services that have been proven surplus to openCA requirements.

Solaris Security
Solaris Run level and network services
Solaris Disabling unnecessary services
The /etc/rc2.d and /etc/rc3.d directories contain scripts that are executed at boot time or when the run level is changed. Some of these scripts start services not required by openCA. The following tables define scripts that can be disabled on an openCA host.
    /etc/rc2.d
    Enabled               Disabled
    K06mipagent           _K06mipagent.NOTUSED
    K07dmi                _K07dmi.NOTUSED
    K07snmpdx             _K07snmpdx.NOTUSED
    K16apache             _K16apache.NOTUSED
    K28nfs.server         _K28nfs.server.NOTUSED
    S20sysetup            _S20sysetup.NOTUSED
    S47asppp              _S47asppp.NOTUSED
    S71ldap.client        _S71ldap.client.NOTUSED

Table E-1: Unnecessary services at run level 2 (Sheet 1 of 2)


    /etc/rc2.d
    Enabled               Disabled
    S71rpc                _S71rpc.NOTUSED
    S71sysid.sys          _S71sysid.sys.NOTUSED
    S72autoinstall        _S72autoinstall.NOTUSED
    S72slpd               _S72slpd.NOTUSED
    S73cachefs.daemon     _S73cachefs.daemon.NOTUSED
    S73nfs.client         _S73nfs.client.NOTUSED
    S74autofs             _S74autofs.NOTUSED
    S80lp                 _S80lp.NOTUSED
    S80PRESERVE           _S80PRESERVE.NOTUSED
    S80spc                _S80spc.NOTUSED
    S85power              _S85power.NOTUSED
    S90wbem               _S90wbem.NOTUSED
    S99dtlogin            _S99dtlogin.NOTUSED

Table E-1: Unnecessary services at run level 2 (Sheet 2 of 2)

    /etc/rc3.d
    Enabled               Disabled
    S15nfs.server         _S15nfs.server.NOTUSED
    S50apache             _S50apache.NOTUSED
    S76snmpdx             _S76snmpdx.NOTUSED
    S77dmi                _S77dmi.NOTUSED
    S80mipagent           _S80mipagent.NOTUSED

Table E-2: Unnecessary services at run level 3


IP FILTER (Solaris)
Fastwire recommends that you turn IP filters off and use an external firewall. If your environment requires the use of IP filter, add the rules shown in Procedure E-1 to the /etc/ipf/ipf.conf file.

1. Allow TCP and UDP between the peers:

    @1 pass in log quick proto tcp from <peer_address>/32 to <self_address>/32
    @3 pass in log quick proto udp from <peer_address>/32 to <self_address>/32

2. Allow local loopback:

    @4 pass in log quick on lo0

3. Allow NTP:

    @5 pass in log quick from <ntp_server_subnet>/24 port=123 to <self_address>/32 port=123
    @6 pass in log quick from <openca_subnet>/24 to 224.0.1.1/32

4. Allow DNS:

    @7 pass in log quick from <openca_subnet>/24 to 224.0.0.251/32

5. Allow Multicast & Broadcast (MMI & Alarms):

    @11 pass in log quick from <openca_subnet>/24 to 239.255.0.133/32
    @12 pass in log quick from <openca_subnet>/24 to 10.70.80.255

6. Allow SIP:

    @13 pass in log quick proto udp from any to <fvip_address>/32 port=5060 keep state

7. Allow H323:

    @15 pass in log quick from any to 224.0.1.141/32 port = 1718 keep state
    @16 pass in log quick proto udp from any to <openca_subnet>/24 port = 1719 keep state
    @17 pass in log quick proto tcp from any to <fvip_address>/24 port = 1720 keep state
    @19 pass in log quick proto tcp from <h323_gw_address> to <fvip_address>/32 keep state

8. Allow Subscriber Web Access:

    @21 pass in log quick proto tcp from <openca_subnet_address>/24 to <self_address>/32 port=5432 keep state
    @22 pass in log quick proto tcp from <openca_subnet_address>/24 to <self_address>/32 port=12345 keep state
    @23 pass in log quick proto tcp from any to <self_address>/32 port=443 keep state

Procedure E-1: Rules to add to the ipf.conf file for IP filtering. (Sheet 1 of 2)


9. Allow ICMP:

    @24 pass in log quick proto icmp from any to any icmp-type 0 keep state
    @25 pass in log quick proto icmp from any to any icmp-type 11 keep state
    @26 pass in log quick proto icmp from <openca_subnet_address>/24 to <openca_subnet_address>/24 keep state

10. Allow ISUP and MGCP communication:

    @27 pass in log quick proto 132 from <signaling_gw_address>/32 to <self/fvip_address>/32 keep state
    @31 pass in log quick proto udp from <media_gw_address>/32 port = 2427 to <self/fvip_address>/32 port = 2727 keep state

11. Reset ipfilter when the above modifications are complete:

    ipf -D; ipf -E; ipf -f /etc/ipf/ipf.conf

Procedure E-1: Rules to add to the ipf.conf file for IP filtering. (Sheet 2 of 2)

For an example ipf.conf file, see Appendix K: IPFILTER Configuration File.

Linux Security
The following services can be turned off on Linux hosts:

    cups
    iptables
    sendmail
    autofs
    arptables_jf

For information on how to turn off these services, consult the Linux manual pages for the chkconfig command. For example, to turn off a service, log on as root and enter the following:

    chkconfig --level 23456 <service> off


IP TABLES (Linux)
Fastwire recommends you turn IP tables off and instead use an external firewall. If your environment requires IP tables, however, add the rules shown in Procedure E-2 to the /etc/sysconfig/iptables configuration file. These settings are required when using IP tables as a firewall.

1. Allow ICMP:

    -A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -s <openca_subnet>/24 -d <openca_subnet>/24 -j ACCEPT

2. Allow local loopback:

    -A RH-Firewall-1-INPUT -i lo -j ACCEPT

3. Allow Broadcast and Multicast to support MMI:

    -A RH-Firewall-1-INPUT -m addrtype --dst-type BROADCAST -j ACCEPT
    -A RH-Firewall-1-INPUT -m addrtype --dst-type MULTICAST -j ACCEPT

4. Allow TCP/UDP connections between the redundant peer hosts:

    -A RH-Firewall-1-INPUT -s <peer_address>/32 -d <self_address>/32 -p tcp -j ACCEPT
    -A RH-Firewall-1-INPUT -s <peer_address>/32 -d <self_address>/32 -p udp -j ACCEPT

5. Allow NTP communication:

    -A RH-Firewall-1-INPUT -s <ntp_server_subnet>/24 -d <self_address>/32 -p udp --sport 123 --dport 123 -j ACCEPT
    -A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d 224.0.1.1/32 -j ACCEPT

6. Allow DNS communication:

    -A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d 224.0.0.251/32 -j ACCEPT

7. Accept SIP requests:

    -A RH-Firewall-1-INPUT -d <fvip_address>/32 -p udp --dport 5060 -j ACCEPT

8. Allow H323:

    -A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
    -A RH-Firewall-1-INPUT -d <fvip_address>/32 -p tcp --dport 1720 -j ACCEPT
    -A RH-Firewall-1-INPUT -s <h323_gw_address>/32 -d <fvip_address>/32 -p tcp -j ACCEPT

Procedure E-2: Settings required when using IP tables as a firewall. (Sheet 1 of 2)


9. Allow Subscriber WEB Access:

    -A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d <self_address>/32 -p tcp --dport 5432 -j ACCEPT
    -A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d <self_address>/32 -p tcp --dport 12345 -j ACCEPT
    -A RH-Firewall-1-INPUT -d <self_address>/32 -p tcp --dport 443 -j ACCEPT

10. Allow ISUP and MGCP Signalling:

    -A RH-Firewall-1-INPUT -s <signaling_gw_address>/32 -p 132 -j ACCEPT
    -A RH-Firewall-1-INPUT -s <media_gw_address>/32 -p udp --sport 2427 --dport 2727 -j ACCEPT

Procedure E-2: Settings required when using IP tables as a firewall. (Sheet 2 of 2)

For example IP tables, see Appendix J: IPTABLES Configuration File.
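Once the placeholders in Procedure E-2 are filled in, the resulting rule file is worth reviewing before it is loaded. The following Python audit is an added example, not part of the Fastwire guide: it flags mistyped options, port matches without a usable protocol, UDP services matched as TCP, and ACCEPT rules with no source restriction. The sample rules are constructed in the style of Procedure E-2 with documentation addresses, and the option list and UDP service table are assumptions limited to what that procedure uses.

```python
# Options that take one value, limited to those used in Procedure E-2.
VALUE_OPTS = {"-A", "-s", "-d", "-p", "-i", "-j", "-m",
              "--sport", "--dport", "--icmp-type", "--dst-type"}

# Services in this guide that run over UDP (NTP, MGCP gateway and call agent).
UDP_SERVICES = {"123": "NTP", "2427": "MGCP", "2727": "MGCP"}

# Constructed sample; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.11/32 -d 192.0.2.10/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 198.51.100.0/24 -d 192.0.2.10/32 -p tcp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.0.2.20/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.0.2.10/32 -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.30/32 -p udp --sport 2427 -dport 2727 -j ACCEPT
"""


def parse_rule(line):
    """Split one '-A' line into an options dict and leftover tokens."""
    options, leftover = {}, []
    tokens = line.split()
    i = 0
    while i < len(tokens):
        if tokens[i] in VALUE_OPTS and i + 1 < len(tokens):
            options[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            leftover.append(tokens[i])
            i += 1
    return options, leftover


def audit(rules_text):
    """Return (line_number, severity, message) findings for a rule file."""
    findings = []
    for number, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("-A "):
            continue
        options, leftover = parse_rule(line)
        for token in leftover:
            if token.startswith("-"):
                hint = ""
                if "-" + token in VALUE_OPTS:
                    hint = f" (did you mean '-{token}'?)"
                findings.append((number, "error", f"unrecognised option '{token}'{hint}"))
        protocol = options.get("-p")
        ports = sorted({options[k] for k in ("--sport", "--dport") if k in options})
        if ports and protocol not in ("tcp", "udp", "sctp", "132"):
            findings.append((number, "error", "port match needs -p tcp, udp or sctp"))
        if protocol == "tcp":
            for port in ports:
                if port in UDP_SERVICES:
                    findings.append((number, "warn",
                                     f"{UDP_SERVICES[port]} port {port} matched as tcp; the service uses udp"))
        if options.get("-j") == "ACCEPT" and "-s" not in options and "-i" not in options:
            what = protocol or "any protocol"
            if "--dport" in options:
                what += "/" + options["--dport"]
            findings.append((number, "info", f"{what} accepted from any source"))
    return findings


if __name__ == "__main__":
    for number, severity, message in audit(SAMPLE_RULES):
        print(f"rule {number}: {severity}: {message}")
```

The "info" findings are the exposure list: every service reachable from any source address, which is what an external firewall in front of the host would also need to permit or restrict.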


Appendix F: Solaris Configuring rsh

Configuring rsh Between Two Hosts


Procedure F-1 lists the steps to enable a particular user to remote shell (rsh), without password verification, between two hosts (A and B). Linux installations do not use RSH by default.

Note:

Procedure F-1 lets ca_ps.rsh function correctly in a redundant configuration.

1. On machine A, put all the IP addresses of machine B (both virtual and physical) into /etc/hosts with unique hostnames.

2. On machine A, put the hostnames (as defined in step 1) of machine B into /etc/hosts.equiv.

3. On machine A, add entries for each of the hostnames of machine B plus username, i.e. <machine_B_hostname> <username>, into the .rhosts file of <username>.

4. As a security measure, ensure the permissions for the .rhosts file are as follows:

    # ls -al .rhosts
    -rw------- 1 otcaop otcaop 48 Feb 6 13:06 .rhosts

5. Repeat steps 1 to 4 for machine B.

Procedure F-1: Setting up rsh between two hosts
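Since rsh trust rests entirely on the contents of .rhosts and /etc/hosts.equiv, both files should be checked after Procedure F-1 is complete. The following Python audit is an added example, not part of the Fastwire guide: it verifies the .rhosts mode from step 4, rejects "+" wildcards, and confirms that only the peer's hostnames and the expected user appear. The peer names and file contents in demo() are constructed; otcaop is the user shown in the listing above.

```python
import os
import stat
import tempfile

WILDCARD = "'+' wildcard trusts every host or user"


def audit_rhosts(path, trusted_hosts, user):
    """Return findings for one user's .rhosts file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: remove group/other access (expected -rw-------)")
    with open(path) as handle:
        for number, raw in enumerate(handle, 1):
            fields = raw.split()
            if not fields:
                continue
            if any(field.startswith("+") for field in fields):
                findings.append(f"line {number}: {WILDCARD}")
                continue
            if len(fields) != 2:
                findings.append(f"line {number}: expected '<hostname> <username>'")
                continue
            host, name = fields
            if host not in trusted_hosts:
                findings.append(f"line {number}: host '{host}' is not a known peer name")
            if name != user:
                findings.append(f"line {number}: user '{name}' differs from file owner '{user}'")
    return findings


def audit_hosts_equiv(path, trusted_hosts):
    """Return findings for /etc/hosts.equiv (hostnames only are expected)."""
    findings = []
    with open(path) as handle:
        for number, raw in enumerate(handle, 1):
            fields = raw.split()
            if not fields:
                continue
            if any(field.startswith("+") for field in fields):
                findings.append(f"line {number}: {WILDCARD}")
            elif fields[0] not in trusted_hosts:
                findings.append(f"line {number}: host '{fields[0]}' is not a known peer name")
            elif len(fields) > 1:
                findings.append(f"line {number}: a user name here lets '{fields[1]}' "
                                "log in as any non-root local user")
    return findings


def demo():
    """Audit three constructed files and return their findings."""
    peers = {"oca02", "oca02-backup"}
    samples = (
        ("rhosts.good", "oca02 otcaop\noca02-backup otcaop\n", 0o600),
        ("rhosts.bad", "oca02 otcaop\n+ +\noca99 root\n", 0o644),
        ("hosts.equiv", "oca02\noca02-backup otcaop\n+\n", 0o644),
    )
    with tempfile.TemporaryDirectory() as directory:
        paths = {}
        for name, text, mode in samples:
            paths[name] = os.path.join(directory, name)
            with open(paths[name], "w") as handle:
                handle.write(text)
            os.chmod(paths[name], mode)
        return (
            audit_rhosts(paths["rhosts.good"], peers, "otcaop"),
            audit_rhosts(paths["rhosts.bad"], peers, "otcaop"),
            audit_hosts_equiv(paths["hosts.equiv"], peers),
        )


if __name__ == "__main__":
    for label, findings in zip(("good .rhosts", "bad .rhosts", "hosts.equiv"), demo()):
        print(label, "->", findings or "no findings")
```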


Appendix G: Configuring Floating Virtual IP

Procedure for Configuring FVIP


A redundant openCA call agent pair may be contacted using a single virtual IP address. This virtual IP address is held by the active call agent. If the standby call agent becomes active, the virtual IP address is passed to the newly active call agent. This virtual IP address is said to float between the call agent hosts and is therefore referred to as a floating virtual IP address (FVIP).

Note:

FVIP is not required in a standalone openCA configuration.

Configuring FVIP for Solaris


Procedure G-1 lists the steps used to configure an FVIP on a call agent host. This procedure must be carried out on each call agent host in a redundant pair. For illustrative purposes this procedure includes an example. In this example the call agent pair is made up of hosts oca01 and oca02.

1. Identify the physical network interface on which you want to configure the logical FVIP interface.

   Note: You must choose one of the signalling (call-control) interfaces, i.e. not an interface which is being used for redundancy.

   Enter the following command to view network interface card configurations:

    ifconfig -a

   Example output is shown in Example network interface card configurations (Solaris) on page 103. In this example, we choose the hme0 physical signalling interface for the logical FVIP interface. The other physical interface in the "call-control" group, qfe0, will be used as an alternative interface if hme0 fails.

Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 1 of 3)


2. The new FVIP interface requires an IP address, so allocate a new IP address on the same subnet as the signalling interface chosen in the previous step. In our example we choose 203.194.24.132 as our FVIP address.

3. As user root, edit /etc/hosts and add an entry for this new FVIP IP address. In our example the following entry is added:

    203.194.24.132 ocafvip

   Additionally, if the FVIP IP address is to be used for H323 calls, the myH323Listener listener entry should also be added to the FVIP address (and removed from any other address):

    203.194.24.132 ocafvip myH323Listener

   Note: The myH323Listener must be placed after the ocafvip name in the above example.

4. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and make the following configuration changes in the FVip package:

    peer.host = <other_host>
    network.ipaddress = <fvip_address>
    network.interface = <fvip_interface>
    network.interface2 = <alternative_fvip_interface>

   In our example, if this procedure was being carried out on host ibmblade1, these entries would be configured as follows:

    peer.host = oca02
    network.ipaddress = ocafvip
    network.interface = hme0
    network.interface2 = qfe0

5. For the configuration change made in the previous step to take effect, the machine must be either rebooted or the script started. As user root, execute the following command to reboot the machine:

    reboot

   or

    /etc/init.d/fvip_control stop
    /etc/init.d/fvip_control start

Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 2 of 3)


6. Once the host has rebooted, check that the new FVIP interface has been created by executing the following command as user root:

    ifconfig -a

   In our example the output is as shown in FVIP interface created sample output (Solaris) on page 104. A new logical interface, hme0:2, has been created using the ocafvip IP address (203.194.24.132).

Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 3 of 3)

Example network interface card configurations (Solaris)


    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
            inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
            groupname call-control
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
    qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
            inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.127
            groupname call-control
    qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
            inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.127
    qfe1: flags=9040843<UP,POINTOPOINT,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
            inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
    qfe3: flags=1000843<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
            inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

In the example above:

    hme0, qfe0, qfe1 and qfe3 are all physical interfaces
    hme0 and qfe0 are the physical interfaces used for signalling (specifying an IP multipathing group call-control)
    qfe1 and qfe3 are the physical interfaces used for redundancy (specifying an IP multipathing group redundancy)
    lo0 is the loopback interface
    hme0:1, qfe0:1 are logical interfaces


FVIP interface created sample output (Solaris)


lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
hme0:2: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.132 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.127
        groupname call-control
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.127
qfe1: flags=9040843<UP,POINTOPOINT,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000843<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

Configuring FVIP for Linux


Procedure G-2 lists the steps used to configure an FVIP on a call agent host. This procedure must be carried out on each call agent host in a redundant pair.

Note: FVIP is not required in a standalone call agent configuration.

For the purposes of clarity, this procedure includes an example. In this example the openCA pair is made up of hosts oca01 and oca02. Ethernet Bonding is assumed to be configured as described in Linux IP Network Configuration.


1. Identify the physical network interface on which you want to configure the logical FVIP interface.

Note: You must choose one of the signalling (call-control) interfaces, i.e. not an interface which is being used for redundancy.

Enter the following command to view the network interface card configurations.

    ifconfig -a

Example output is shown in Procedure G-2. In this example, we choose the bond0 signalling interface on which to put our logical FVIP interface. Once configured, the logical interface will be designated bond0:1 because it is the first logical interface on bond0.

2. The bond0 interface can be used only if Ethernet Bonding is configured. For a description of how to configure Ethernet Bonding, see Linux IP Network Configuration on page 80. We will assume that Ethernet Bonding is configured. Otherwise, you should use the eth0 interface.

3. The new FVIP interface requires an IP address, so allocate a new IP address on the same subnet as the signalling interface chosen in the previous step. In our example, we choose 203.194.24.5 as our FVIP address.

4. As user root, edit /etc/hosts and add an entry for this new FVIP IP address. In our example the following entry is added:

    203.194.24.5 ocafvip

Additionally, if the FVIP IP address is to be used for H323 calls then the myH323Listener listener entry should also be added to the FVIP address (and removed from any other address):

    203.194.24.132 ocafvip myH323Listener

Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) (Sheet 1 of 2)


5. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and ensure the following configuration exists in the FVip package:

    peer.host = <other_host>
    network.ipaddress = <fvip_address>
    network.interface = <fvip_logical_interface>
    network.broadcast = <fvip_broadcast_address>
    network.netmask = <fvip_netmask>

In our example, if this procedure was being carried out on host ibmblade1, these entries would be configured as follows:

    peer.host = oca02
    network.ipaddress = ocafvip
    network.interface = bond0:1
    network.broadcast = 203.194.24.255
    network.netmask = 255.255.255.0

6. For the configuration change made in the previous step to take effect, the machine must be either rebooted or the script started. As user root, execute the following command to reboot the machine:

    reboot

or

    /etc/init.d/fvip_control stop
    /etc/init.d/fvip_control start

7. Once the host has rebooted or the script started, check that the new FVIP interface has been created by executing the following command as user root:

    ifconfig -a

Example output is shown in Example network interface card configurations (Linux) on page 107. A new logical interface has been created, bond0:1, using our ocafvip IP address (203.194.24.5). This is the FVIP interface.

8. Check that the FVIP address has been disabled until the active call agent takes control of the FVIP address. Use the following command as user root:

    /etc/init.d/fvip_control status

Example output is shown in Example check that the FVIP address has been disabled on page 108. When the active call agent takes over the FVIP address, the rules mentioned above are deleted from the (ARP and IP) tables.

Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) (Sheet 2 of 2)
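The settings that Procedure G-2 asks to agree with each other (an FVIP on the signalling subnet, a logical interface name, a broadcast address that fits the netmask, myH323Listener on one address only) can be checked before fvip_control is restarted. The following Python check is an added example, not part of the openCA distribution; it assumes fvip.conf holds plain key = value lines as in the excerpt above, and the function names and sample host entries are constructed for illustration.

```python
import ipaddress

REQUIRED = ("peer.host", "network.ipaddress", "network.interface",
            "network.broadcast", "network.netmask")

def parse_conf(text):
    """Collect 'key = value' lines, the form shown in the fvip.conf excerpt."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_hosts(text):
    """Map each name or alias in /etc/hosts text to the set of addresses it is on."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, set()).add(fields[0])
    return names

def check_fvip(conf_text, hosts_text, signalling_addr):
    """Return a list of findings; an empty list means the settings agree."""
    conf, hosts = parse_conf(conf_text), parse_hosts(hosts_text)
    findings = [f"missing {key}" for key in REQUIRED if key not in conf]
    if findings:
        return findings
    target = conf["network.ipaddress"]
    addrs = hosts.get(target, {target})  # a literal address needs no hosts entry
    if len(addrs) != 1:
        return [f"{target} is listed on several addresses: {sorted(addrs)}"]
    try:
        fvip = ipaddress.ip_address(next(iter(addrs)))
        net = ipaddress.ip_network(f"{fvip}/{conf['network.netmask']}", strict=False)
        bcast = ipaddress.ip_address(conf["network.broadcast"])
        sig = ipaddress.ip_address(signalling_addr)
    except ValueError as exc:
        return [f"cannot resolve or parse an address: {exc}"]
    if sig not in net:
        findings.append(f"FVIP {fvip} is not on the subnet of signalling address {sig}")
    if fvip == sig:
        findings.append("FVIP must be a new address, not the interface's own")
    if bcast != net.broadcast_address:
        findings.append(f"network.broadcast {bcast} does not match {net.broadcast_address}")
    if ":" not in conf["network.interface"]:
        findings.append("network.interface is not a logical interface (e.g. bond0:1)")
    listeners = hosts.get("myH323Listener", set())
    if str(fvip) in listeners and len(listeners) > 1:
        findings.append("myH323Listener is still on another address")
    return findings

# Constructed sample input based on the example values in Procedure G-2.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
203.194.24.118 oca01
203.194.24.5   ocafvip myH323Listener
"""
SAMPLE_CONF = """\
peer.host = oca02
network.ipaddress = ocafvip
network.interface = bond0:1
network.broadcast = 203.194.24.255
network.netmask = 255.255.255.0
"""

if __name__ == "__main__":
    for finding in check_fvip(SAMPLE_CONF, SAMPLE_HOSTS, "203.194.24.118") or ["consistent"]:
        print(finding)
```

The third argument is the address already configured on the chosen signalling interface (bond0 in the example), as reported by ifconfig -a.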


Example network interface card configurations (Linux)


bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.118  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:63057826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13287903 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:2918350604 (2.7 GiB)  TX bytes:3263492140 (3.0 GiB)

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29223621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2551847261 (2.3 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:33834209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8844690 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:366503731 (349.5 MiB)  TX bytes:1482541306 (1.3 GiB)
          Interrupt:209 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2922845 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2922845 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1524791007 (1.4 GiB)  TX bytes:1524791007 (1.4 GiB)

In the example above:
    bond0 is the bonding interface
    eth0, eth1 are physical interfaces, slaved to bond0
    lo0 is the loopback interface
    ignore the sit0 interface

FVIP interface created sample output (Linux)


bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.5  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:63057826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13287903 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:2918350604 (2.7 GiB)  TX bytes:3263492140 (3.0 GiB)

bond0:1   Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.132  Bcast:10.70.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29223621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2551847261 (2.3 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:33834209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8844690 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:366503731 (349.5 MiB)  TX bytes:1482541306 (1.3 GiB)
          Interrupt:209 Base address:0xe000

Example check that the FVIP address has been disabled


=================== IP tables ====================
Chain INPUT (policy ACCEPT 29G packets, 1565G bytes)
 pkts bytes target  prot opt in  out  source        destination
    0     0 DROP    all  --  *   *    0.0.0.0/0     203.194.24.5

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source        destination

Chain OUTPUT (policy ACCEPT 24G packets, 1334G bytes)
 pkts bytes target  prot opt in  out  source        destination
 5655 3770K DROP    all  --  *   *    203.194.24.5  0.0.0.0/0

=================== ARP tables ====================
Chain IN (policy ACCEPT 736K packets, 21M bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro
    1    28 DROP    *   *    0.0.0.0/0  203.194.24.5    00/00      00/00           any   0000/0000  0000/0000  0000/0000

Chain OUT (policy ACCEPT 13306 packets, 373K bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  in  out  source-ip  destination-ip  source-hw  destination-hw  hlen  op         hrd        pro


Appendix H: Configuring SNMP Reporting

Procedure for Configuring SNMP Alarms and Alerts


If SNMP Reporting of Alarms and Alerts is required, you must provide a suitable third-party SNMP Management Application. Part of the installation depends on the Management Application chosen.

Solaris and Linux


1. Open the configuration file:

    /opt/OPENca/current/etc/CA_ApplicationMonitor.conf

2. In the CA_ApplicationMonitor.conf file, find the package SNMP.
    If SNMP is required, set the parameter AlarmManager.Required to 1.
    If SNMP is not required, set the parameter AlarmManager.Required to 0 and perform no further steps in this procedure.

Procedure H-1: Configuring SNMP Alarm and Alert Reporting (Sheet 1 of 2)


3. Configure the SNMP destinations. Set the AlarmManager.Destination parameter to a space-separated list of (one or more) destinations to which SNMP traps are to be sent. Specify each destination using any of the following formats:

    <hostname>
    <hostname>:<port>
    <IP address>
    <IP address>:<port>

If you do not specify a port, the standard SNMP trap port 162 is used. A destination may be a third-party SNMP management application or an SNMP trap distribution agent, running on the same or a different server. To specify the same server, use localhost as the <hostname>, for example:

    AlarmManager.Destination = localhost manager.mydomain:2162 10.70.12.219

4. The SNMP Management Application may require knowledge of the enterprise OID defined for Fastwire. If so, ensure it is configured as: 1.3.6.1.4.1.5373. The procedure for configuring the enterprise OID may be different for each SNMP Management Application. Refer to your SNMP Management Application documentation for information on how to configure the enterprise OID.

5. The SNMP Management Application may require access to the Management Information Base ("MIB") files that specify the contents of the SNMP Alarm and Alert reports. The MIB files are located in /opt/OPENca/current/skel/:

    mib_core.txt
    ot_mib.txt
    oca_mib.txt

The procedure for configuring the MIB files may be different for each SNMP Management Application. Refer to your SNMP Management Application documentation for information on how to configure the MIB files.

Procedure H-1: Configuring SNMP Alarm and Alert Reporting (Sheet 2 of 2)


Appendix I: Example Linux Installation

Procedure for Installing Red Hat Enterprise Server


Procedure I-1 is provided for information purposes only. It is not intended to be a replacement for the RedHat product documentation. For information on how to install the Linux Operating system, consult the documentation provided with the Linux installation.

1. Insert Installation Disk 1. Select [ENTER] to install or upgrade in graphical mode.

2. Select [SKIP] CD media testing. The installation program anaconda should start. After a short period of time, the Welcome screen is displayed.

3. Select [NEXT]. The Language selection screen should appear.

4. Select the required language. For example English.

5. Select [NEXT]. The keyboard selection screen should appear. Select the required keyboard. For example US English.

6. Select [NEXT]. The "Installation Number" dialogue box will appear.

7. Enter the installation number, or click the Skip entering Installation Number button, then select [OK]. If you clicked the Skip entering Installation Number button, a new dialog box appears and you will need to select [SKIP] again. The Disk Partitioning Setup screen should appear.

Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 1 of 6)


8. Select Create custom layout in the dropdown box. Click the Review and modify partitioning layout tick box. Select [NEXT]. The Disk Partitioning Setup screen should appear.

9. Set up the required disk partitions, including any required disk mirroring. For IBM Blade Center installations, hardware disk mirroring should be used. Consult the Blade Center documentation for information on how to set up hardware disk mirroring.

10. Select [NEXT]. If existing partitions are being reformatted, the Format Warnings dialog box appears.

11. Verify that the information is correct, then select [Format]. The next screen is the Boot Loader Configuration screen. The default values for the information on this screen should already be correct.

12. Select [NEXT]. The Network Configuration screen should appear.

13. For each network interface (for example eth0, eth1): Select [EDIT] to edit the interface. Manually set IP Address and Network parameters.

14. Select [NEXT]. The Timezone Selection screen should appear.

15. Select the timezone from the graphical map. Ensure the System Clock uses UTC box is selected, then select [NEXT]. The Root Password screen should appear.

16. Set the root password, then select [NEXT]. The Reading Package Information ... message should appear, then the Package Installation screen.

17. Select the Software Development tick box. Select [NEXT]. The Click next to begin Installation screen is displayed.

18. Select [NEXT]. The "Required Install Media" dialog box is displayed.

Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 2 of 6)


19. Select [CONTINUE] to continue with the installation. Insert Disks as required.

20. When the Linux Installation is complete, select [REBOOT]. After a short time the Welcome screen appears.

21. Select [FORWARD]. The Licence Agreement screen should appear.

22. Select Yes, I agree to the licence agreement. Select [FORWARD]. The Firewall screen should appear.

23. Select Firewall Disabled. Select [FORWARD]. A warning dialog box appears asking whether the firewall really should be disabled.

24. Select [YES]. The SELinux screen appears.

25. Select SELinux Setting "Disabled". Select [FORWARD]. A warning dialog box appears, informing you that a reboot will again be required after setup is completed.

26. Select [YES]. The KDump screen will appear.

27. Select [FORWARD]. The Date and Time screen should appear.

28. Select the Network Time Protocol tab. Enable Network Time Protocol. Add NTP Servers as required. Select [FORWARD]. The install process attempts to contact the NTP servers added, then the Set Up Software Updates screen appears.

29. After deciding whether to register, select [FORWARD]. The Finish Updates Setup screen appears.

Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 3 of 6)


30. Select [FORWARD]. The Create User screen appears.

31. Do not create a user. Select [FORWARD]. A warning dialog box appears, encouraging you to create a user. Do not.

32. Select [Continue]. The Sound Card screen should appear.

33. Select [FORWARD]. The Additional CDs screen appears.

34. Select [FINISH]. A warning dialog box appears, saying that the system must now reboot.

35. Select [OK]. After a short time the login screen appears.

36. Log in as root.

37. Place Installation CDROM #3 (or the Installation DVD) in the drive. RHEL 5.2 should automatically mount it.

38. Go into the Server directory and install arptables and openssl using the following commands:

    rpm -i arptables_jf-0.0.8-8.i386.rpm
    rpm -i openssl1097a-0.9.7a-9.el5_2.1.i386.rpm

39. To check what services are running, use the command:

    # chkconfig --list

Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 4 of 6)


40. Turn off any unnecessary services using the command:

    chkconfig --levels 23456 <service> off

for each of the following <service>:

    iptables
    sendmail
    autofs
    arptables_jf
    cups

Note: Turning off iptables is optional. If you retain them, see IP TABLES (Linux) on page 97 for filtering rule recommendations.

41. If you wish to turn off the loading of the graphical interface, edit the /etc/inittab file. Change from:

    id:5:initdefault

to

    id:3:initdefault

REBOOT for this to take effect.

42. Limits (user limits). Check the /etc/profile file to see if cores are allowed for users. Ensure the following line starts with a #, for example:

    # ulimit -S -c 0 > /dev/null 2>&1

Ensure hard and soft limits for core files are set in /etc/security/limits.conf:

    *    hard    core       4000000
    *    soft    core       4000000
    *    hard    stack      1024000
    *    soft    stack      10240
    *    hard    memlock    4096000
    *    soft    memlock    102400
    *    hard    rss        4096000
    *    soft    rss        4096000

REBOOT for this to take effect.


Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 5 of 6)


43. Check /etc/sysconfig/network to ensure network settings are as expected. There should be entries for:

    NETWORKING=yes
    HOSTNAME=<hostname>
    GATEWAY=<gateway>

44. Check /etc/resolv.conf to ensure settings are as expected. There may be entries for nameserver, but there should not be any for search. For example:

    nameserver <nameserver address>

Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 6 of 6)


Appendix J: IPTABLES Configuration File

Overview
Below is an example of the /etc/sysconfig/iptables file on an openCA host. In this example openCA runs on IP addresses 10.70.80.108 and 10.70.80.109, with fvip on IP address 10.70.80.95. The subnet mask is 255.255.255.0.
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -s 10.70.80.0/24 -d 10.70.80.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type BROADCAST -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.0.0/24 -d 10.70.80.108/32 -p tcp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.1.1/32 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.0.251/32 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.110/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p udp --sport 2427 --dport 2727 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
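A rules file of this kind is worth reviewing before it is loaded. The following Python audit is an added example, not part of openCA or iptables. It reports long options typed with a single dash, ACCEPT rules whose /32 destination is not one of the host's own addresses, and ports accepted from any source so they can be compared with the services the host is meant to offer. The function names and the sample rules (modelled on the listing above) are constructed for illustration.

```python
import ipaddress
import shlex

OPTIONS = {"-s": "src", "-d": "dst", "-p": "proto", "-j": "target",
           "--sport": "sport", "--dport": "dport"}

def parse_rule(line):
    """Pick the options this audit needs out of one '-A <chain> ...' line."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "bad_tokens": []}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTIONS and i + 1 < len(tokens):
            rule[OPTIONS[tok]] = tokens[i + 1]
            i += 2
            continue
        # A long option typed with one dash (e.g. "-dport") is not read as that option.
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            rule["bad_tokens"].append(tok)
        i += 1
    return rule

def audit(rules_text, local_addrs):
    """Return (line number, kind, detail) findings for an iptables rules file."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        for tok in rule["bad_tokens"]:
            findings.append((lineno, "malformed-option", tok))
        if rule.get("target") != "ACCEPT":
            continue
        if "dst" in rule:
            try:
                dst = ipaddress.ip_network(rule["dst"], strict=False)
            except ValueError:
                findings.append((lineno, "unparsed-destination", rule["dst"]))
            else:
                host = dst.network_address
                if (dst.prefixlen == dst.max_prefixlen
                        and not host.is_multicast and host not in local):
                    findings.append((lineno, "unknown-destination", rule["dst"]))
        if "dport" in rule and "src" not in rule:
            detail = f"{rule.get('proto', 'any')}/{rule['dport']}"
            findings.append((lineno, "any-source", detail))
    return findings

# Constructed sample, modelled on the listing above; not a complete rules file.
SAMPLE_RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.0.0/24 -d 10.70.80.108/32 -p tcp --sport 123 -dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    # Assumed local addresses: the host address and the FVIP from the overview.
    for finding in audit(SAMPLE_RULES, ["10.70.80.108", "10.70.80.95"]):
        print(*finding)
```

An any-source finding is a prompt for review rather than an error: SIP on port 5060 is expected to be reachable, whereas port 631 belongs to a service that Procedure I-1 turns off.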


Appendix K: IPFILTER Configuration File

Overview
Below is an example of the /etc/ipf/ipf.conf file for an openCA host. In this example, openCA runs on IP addresses 10.70.80.100 and 10.70.80.100, with fvip on IP address 10.70.80.95. The subnet mask is 255.255.255.0.
@1 block in log all
# TCP between the peers (covers SDF, FVIP, Redundancy)
@2 pass in log quick proto tcp from 10.70.80.100/32 to 10.70.80.90/32
# UDP between the peers
@3 pass in log quick proto udp from 10.70.80.100/32 to 10.70.80.90/32
# Local Loopback
@4 pass in log quick on lo0
# NTP
@5 pass in log quick from 10.70.0.0/24 port=123 to 10.70.80.90/32 port=123
@6 pass in log quick from 10.70.80.0/24 to 224.0.1.1/32
# DNS
@7 pass in log quick from 10.70.80.0/24 to 224.0.0.251/32
# SSH
@8 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port = 22 keep state
@9 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@10 pass in log quick proto tcp from 10.70.80.10/32 to 10.70.80.90/32 keep state
# Multicast & Broadcast (MMI)
@11 pass in log quick from 10.70.80.0/24 to 239.255.0.133/32
@12 pass in log quick from 10.70.80.0/24 to 10.70.80.255
# SIP
@13 pass in log quick proto udp from any to 10.70.80.90/32 port=5060 keep state
@14 pass in log quick proto udp from any to 10.70.80.95/32 port=5060 keep state
# H323
@15 pass in log quick from any to 224.0.1.141/32 port = 1718 keep state
@16 pass in log quick proto udp from any to 10.70.80.0/24 port = 1719 keep state
@17 pass in log quick proto tcp from any to 10.70.80.90/24 port = 1720 keep state
@18 pass in log quick proto tcp from any to 10.70.80.95/24 port = 1720 keep state
@19 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.90/32 keep state
@20 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.95/32 keep state
# WebDB
@21 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port=5432 keep state
@22 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port=12345 keep state
@23 pass in log quick proto tcp from any to 10.70.80.90/32 port=443 keep state
# OPENca
@24 pass in log quick proto icmp from any to any icmp-type 0 keep state
@25 pass in log quick proto icmp from any to any icmp-type 11 keep state
@26 pass in log quick proto icmp from 10.70.80.0/24 to 10.70.80.0/24 keep state
# SG-s/ MGW-s
@27 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.90/32 keep state
@28 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.90/32 keep state
@29 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.95/32 keep state
@30 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.95/32 keep state
@31 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.90/32 port = 2727 keep state
@32 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@33 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.95/32 port = 2727 keep state
@34 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.95/32 keep state
