
TNMS

14.1 10
Coriant TNMS
Installation Manual (IMN, Windows)
Issue: 5

Issue date: July 2014

A50023-K2035-X040-05-76D1

Coriant is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the recommendations for power use and proper disposal of our products and their components.


The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Coriant customers only for the purposes of the agreement under which the document is
submitted, and no part of it may be used, reproduced, modified or transmitted in any form or
means without the prior written permission of Coriant. The documentation has been prepared to
be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Coriant welcomes customer comments as part of the process of continuous development and improvement of the documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Coriant and the customer. However, Coriant has made
all reasonable efforts to ensure that the instructions contained in the document are adequate
and free of material errors and omissions. Coriant will, if deemed necessary by Coriant, explain
issues which may not be covered by the document. Coriant will correct errors in this documentation as soon as possible.
IN NO EVENT WILL CORIANT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR
FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO
LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR
DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN
IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Coriant 2014. All rights reserved.

Important Notice on Product Safety


This product may present safety risks due to laser, electricity, heat, and other sources
of danger.
Only trained and qualified personnel may install, operate, maintain or otherwise handle
this product and only after having carefully read the safety information applicable to this
product.
The safety information is provided in the Safety Information section in the "Legal, Safety
and Environmental Information" part of this document or documentation set.

The same text in German (translated):

Important Notice on Product Safety

This product may present hazards due to laser, electricity, heat generation or other sources of danger.
Installation, operation, maintenance and any other handling of the product may only be carried out by trained and qualified personnel, observing the applicable safety requirements.
The safety requirements can be found under Safety Information in the "Legal, Safety and Environmental Information" part of this document or documentation set.

A50023-K2035-X040-05-76D1
Issue: 5 Issue date: July 2014

Table of Contents
This document has 96 pages.

Table of Contents . . . 3
List of Figures . . . 7
List of Tables . . . 9

1 Preface . . . 11
1.1 Intended audience . . . 11
1.2 Structure of this document . . . 11
1.3 Symbols and conventions . . . 12
1.4 Available documentation . . . 12
1.4.1 Online Help system . . . 13
1.4.2 User Manual (UMN) . . . 13
1.4.3 Installation Manual (IMN) . . . 13
1.4.4 Upgrade Manual (UPMN) . . . 13
1.4.5 Other documents . . . 13

2 Preparation . . . 15
2.1 Component delivery . . . 15
2.2 Hardware requirements . . . 15
2.2.1 Virtualization . . . 16
2.3 Supported Operating Systems . . . 17
2.4 Prerequisites by component . . . 17
2.5 BIOS configuration . . . 18

3 Server operating system configuration . . . 19
3.1 Integrated Lights-Out (iLO) management console . . . 19
3.2 Disk configuration . . . 19
3.3 Windows installation . . . 19
3.4 HP service pack installation . . . 20
3.5 Medium configuration . . . 20
3.6 Large configuration . . . 20
3.7 Disk partitioning . . . 21

4 Initial system configuration . . . 23
4.1 Before you begin . . . 23
4.2 Virtual memory configuration . . . 23
4.3 Audit policy . . . 24
4.4 FTP configuration . . . 25
4.4.1 Installing Internet Information Services in Windows Server 2008 . . . 25
4.4.2 Configuring the FTP Service in Windows Server 2008 . . . 26
4.4.3 Installing Internet Information Services in Windows 7 . . . 26
4.4.4 Configuring the FTP Service in Windows 7 . . . 27
4.5 Domain Verification . . . 27
4.6 System Hosts configuration . . . 27
4.7 Dynamic Port range configuration . . . 28

5 Software prerequisites installation . . . 29
5.1 Adobe Reader . . . 29
5.2 User Account Control . . . 29
5.3 MSXML . . . 29
5.4 MS.NET . . . 29
5.5 Oracle . . . 30
5.5.1 Uninstalling Oracle . . . 32
5.6 OSI Stack . . . 33
5.6.1 Installing OSI Stack . . . 33
5.6.2 Configuring OSI stack . . . 33
5.6.3 Uninstalling OSI stack . . . 34
5.7 CopSSH . . . 34
5.7.1 Installing CopSSH . . . 35
5.7.2 Configuring CopSSH . . . 35
5.7.3 CopSSH Troubleshooting . . . 37
5.7.4 CopSSH Hardening . . . 38
5.8 Antivirus . . . 38
5.9 NTI third-party software installation . . . 38

6 TNMS installation . . . 41
6.1 Full installation . . . 41
6.2 Installation of separate components . . . 44
6.3 About the automatic priority updates installation . . . 45

7 Post-installation procedures . . . 47
7.1 Starting services . . . 47
7.2 Starting a Client session . . . 47
7.3 Logging in . . . 47
7.4 Default username and password . . . 48
7.5 Changing the password . . . 48
7.6 Terminating a Client session . . . 48
7.7 Single Sign-on . . . 49
7.8 Standby server . . . 49
7.9 License keys . . . 49
7.10 Internet Explorer configuration . . . 49
7.11 Connection timeout configuration . . . 49
7.12 Importing a public certificate from IOC Online Planning (IOC OP) . . . 50

8 Backup and restore . . . 51
8.1 General description . . . 51
8.2 Overview of the Backup and Restore interfaces . . . 52
8.2.1 Interactive mode . . . 52
8.2.2 Non-interactive mode . . . 52
8.3 Backup procedures through the command line . . . 53
8.3.1 Backing up the Oracle database . . . 53
8.3.2 Backing up the TNMS database . . . 54
8.3.3 Backing up the LDAP (OpenDS) . . . 55
8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously . . . 55
8.3.5 Automating the Backup procedures . . . 56
8.4 Backup procedures through the TNMS client . . . 57
8.5 Recovery & Restore procedures . . . 59
8.5.1 Recovering the Oracle database . . . 59
8.5.2 Restoring the TNMS database . . . 59
8.5.3 Restoring the LDAP (OpenDS) . . . 60
8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously . . . 61

9 Upgrade to TNMS 14.1 10 . . . 63

10 TNMS and TNMS Core working together . . . 65
10.1 Configuring common hardware . . . 65
10.1.1 Configuring a Common Netserver . . . 68
10.1.2 Configuring a Common Client . . . 70
10.1.3 Configuring a Common standby server . . . 70
10.2 Importing data from TNMS Core . . . 70
10.3 Important note . . . 71

11 TNMS uninstallation . . . 73

12 Security hardening . . . 75
12.1 Physical and hardware hardening . . . 75
12.2 Operating System hardening . . . 75
12.2.1 Microsoft Windows security patches . . . 75
12.2.2 Disable and delete unnecessary accounts . . . 75
12.2.3 Uninstall unnecessary applications and roles . . . 76
12.2.4 Configure Auditing . . . 76
12.2.5 Disable unnecessary shares . . . 76
12.2.6 Disable Remote Registry . . . 77
12.2.7 Windows Error Reporting . . . 77
12.2.8 Additional Software . . . 78
12.2.9 Digitally signed communications (Local Security Policy) . . . 78
12.2.10 Minimize system services . . . 78
12.2.11 Remote Access/Remote Desktop . . . 80
12.2.12 Reduce passive FTP port range . . . 81
12.3 Networking and firewall configuration . . . 81
12.3.1 List of ports to open in the firewall . . . 82
12.3.2 How to configure the Windows firewall . . . 89
12.4 OEM Hardening . . . 89
12.4.1 JBoss . . . 89
12.4.2 CopSSH (SFTP) . . . 89
12.4.3 Oracle . . . 90
12.4.4 Internet Explorer . . . 90
12.5 TNMS Maintenance Packages and Workaround Updates . . . 90
12.6 User Management . . . 90
12.6.1 Restricting the specified files permissions . . . 92

Index . . . 93
Abbreviations . . . 97
Glossary . . . 101

List of Figures
Figure 1 "Local Security Settings - Audit Policy" window . . . 24
Figure 2 How to set the TNMS installer to run with administrator rights in Windows 7 and Windows Server 2008 . . . 41
Figure 3 Backup & Restore console . . . 52
Figure 4 Changing the Oracle database backup schedule settings . . . 54
Figure 5 Backup submenu . . . 54
Figure 6 Backup submenu . . . 55
Figure 7 Backup submenu . . . 56
Figure 8 Backup window . . . 57
Figure 9 Restore submenu . . . 60
Figure 10 Restore submenu . . . 60
Figure 11 Restore submenu . . . 61
Figure 12 Distributed TNMS applications (large system) . . . 65
Figure 13 Distributed TNMS applications (medium system) . . . 66
Figure 14 Common Netserver . . . 67
Figure 15 Common Standby Server . . . 68

List of Tables
Table 1 Structure of the manual . . . 11
Table 2 Hardware requirements for new installations of TNMS 14.1 10 . . . 15
Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware . . . 16
Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server . . . 17
Table 5 TNMS software prerequisites and their installation sequence . . . 17
Table 6 Paging file size. Note that automatic management is recommended. . . . 23
Table 7 RAM requirements and Oracle template files . . . 30
Table 8 List of the available arguments in non-interactive mode . . . 52
Table 9 Windows default shares . . . 77
Table 10 Firewall rules . . . 82
Table 11 Database-related configurations and security hardenings . . . 90
Table 12 Default TNMS user accounts and security hardenings . . . 90


1 Preface
This Installation Manual contains a complete description of the installation and initial
configuration processes of TNMS.

1.1 Intended audience
This document is intended for commissioners of TNMS.

1.2 Structure of this document

The IMN is a single .pdf file viewable and printable with Adobe Reader.
This document is structured as follows:

Chapter 1, Preface: Provides an introduction to this document.
Chapter 2, Preparation: Provides a guide to the hardware and software required for the installation.
Chapter 3, Server operating system configuration: Describes the creation and configuration of the logical drives in the machine where the server will be installed.
Chapter 4, Initial system configuration: Describes the configurations of the operating system required for the correct functioning of TNMS.
Chapter 5, Software prerequisites installation: Describes how to install and configure all software prerequisites of TNMS.
Chapter 6, TNMS installation: Describes how to install TNMS in your operating system.
Chapter 7, Post-installation procedures: Describes all post-installation configurations and actions.
Chapter 8, Backup and restore: Guides the TNMS administrator through the B&R procedures.
Chapter 9, Upgrade to TNMS 14.1 10: Describes the migration to version 14.1 10 from a previous TNMS release.
Chapter 10, TNMS and TNMS Core working together: Describes how to configure TNMS to share resources and data with TNMS Core.
Chapter 11, TNMS uninstallation: Describes how to uninstall TNMS.
Chapter 12, Security hardening: Describes the existing TNMS security hardenings.
Abbreviations: Contains a list of all acronyms used in TNMS and their long forms.

Table 1 Structure of the manual

Some features described in this documentation may not be available. To identify the
features released for the product, see the Customer Release Notes delivered together
with the product.


1.3 Symbols and conventions

The following sections describe the symbols and conventions used in the IMN.

Graphical user interface text
Window titles are placed inside quotation marks. Button names, keys, main or context menu entries and keystrokes are printed in bold.
Example:
Click the View menu, and then click Log List....

Commands
Commands and screen output are printed in a monospaced font.
Example:
Issue
powercfg.exe /hibernate off

Variables
Placeholders are printed in <angle brackets>, and filenames and paths are printed in italics.
Example:
Save the log file <NEname>.txt to ../<product installation directory>/bin

Warnings
A safety message indicates a dangerous situation where personal injury is possible.
Example:
Important Notice on Product Safety:
This product may present safety risks due to laser, electricity, heat, and other sources of danger.

Notices
A notice is mandatory. Follow notices to avoid damage, loss or interruption.
Example:
Do not reboot while mirroring.

Notes
A note is an alert. Follow notes to learn about exceptions, side effects or something obscure or not yet clear.
Example:
Read the Customer Release Notes before installing.

Tips
A tip is a suggestion. Follow tips for convenience or efficiency.
Example:
Before mirroring, limit the size of the root filesystem.

1.4 Available documentation
The following documents are delivered with TNMS:

1.4.1 Online Help system

A context-sensitive online help system is provided with TNMS which includes information on window contents, menus and the meaning of the icons shown, and comprehensive instructions on the functions offered by the user interface. You can find the tasks and procedures necessary to operate and administer TNMS in the system's table of contents. That is, the Online Help system follows a two-pronged approach:

- Descriptive. This is for when you want to know what any window element is, in any window. Particular aspects of TNMS or deeper knowledge of it are routinely provided, together with topical best practices.
- Operational. This is for when you want to know how to perform a task.

Help can be invoked in any of the following ways:

- After invoking help from the menu bar, you can search for topics via the table of contents, the index or a word search.
- Clicking the Help button in the current window, which displays information about the window contents.
- Pressing F1, which displays information about the contents of the active window.

For most windows, F1 help is further available through the main help menu (Help > On <window name>).

1.4.2 User Manual (UMN)


The UMN is available from Main > Help and displayed in its own Adobe Reader window.
It overviews TNMS architecture, describes its features and functions, takes you through
all major operation topics and helps you troubleshoot common issues. This document is
intended for all users of TNMS.

1.4.3 Installation Manual (IMN)


The Installation Manual contains a complete description of the installation procedures of
the TNMS Server, and the uninstallation procedures of the TNMS Server and TNMS
Client.

1.4.4 Upgrade Manual (UPMN)


The Upgrade Manual describes in detail all the upgrade procedures of the TNMS components from a previous TNMS release to the current release.

1.4.5 Other documents

TNMS Core and Network Elements
This manual concerns TNMS only. For more detailed information on TNMS Core or the
managed network elements (NEs), see the corresponding documentation.

Release notes
Where applicable, the release notes contain installation hints, patch descriptions, the list of supported NEs, the list of supported cards and any relevant last-minute information.

2 Preparation

2.1 Component delivery
Before installation, be sure that:

- The delivery is complete and in accordance with the delivery units specified in the delivery note (hardware, software and documentation).
- The components are not damaged in any way.

Make sure you use the installation packages in the target machine, since TNMS installation from a network drive is not supported.

2.2 Hardware requirements
The tables below give a rough overview of the hardware recommendations for installing
TNMS; running TNMS may require different specifications depending on parameters
such as network architecture (number of Clients) or operation policies (backup, logs).
The final hardware specifications and configuration must be planned specifically for
each customer. Ask Coriant Technical Sales for more information.
Two hardware configurations (Medium and Large) designed for new installations are
provided (Table 2).

New TNMS installations are not recommended in a distributed environment.

Configuration: TNMS Server + Netserver (1 optional client only for local troubleshooting)
- Base reference model: Medium: DL360p G8 or BL460c G8 (blade server); Large: DL580 G7 or BL660c G8 (blade server)
- Minimum CPU: Medium: (2x) Intel Xeon E5-2680/90; Large: (4x) Intel Xeon E7-4870 or (4x) Intel Xeon E5-4650
- Minimum RAM: Medium: 32 GB; Large: 128 GB
- Minimum HDD: Medium: (4x) 300 GB HD, or (4x) 146 GB + (2x) 300 GB for hardware reuse; Large: (2x) 300 GB internal SSDs, (6x) 300 GB internal HDs

Configuration: TNMS Client (Medium and Large)
- Base reference model: ESPRIMO E710 E90+ or PY RX100S7
- Minimum CPU: Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
- Minimum RAM: 8 GB DDR3 1600 GHz
- Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Table 2 Hardware requirements for new installations of TNMS 14.1 10

In addition, a Legacy hardware configuration is provided (Table 3). This configuration is designed for the reuse of hardware compatible with TNMS 13.2 1x but not with later releases.


A new installation using the Legacy hardware configuration does not support Optical
Management.

Configuration: TNMS Server + Netserver (1 optional client only for local troubleshooting)
- Base reference model: PY TX/RX200S7
- Minimum CPU: Intel Xeon E5-2420 6C/12T 1.90 GHz 15 MB
- Minimum RAM: 12 GB
- Minimum HDD: 2x HD SATA 6GB 500GB 7.2K HOT PL 3.5" BC

Configuration: TNMS Client
- Base reference model: ESPRIMO E710 E90+ or PY RX100S7
- Minimum CPU: Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
- Minimum RAM: 8 GB DDR3 1600 GHz
- Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Configuration: TNMS Server (1 optional client only for local troubleshooting)
- Base reference model: PY RX/TX300S7
- Minimum CPU: Intel Xeon E5-2609 4C/4T 2.40 GHz 10 MB
- Minimum RAM: 24 GB DDR3 1333 GHz
- Minimum HDD: 2x HD SAS 6GB 300GB 15K HOT PL 2.5" EP

Configuration: TNMS Netserver / Common Client
- Base reference model: ESPRIMO E710 E90+ or PY RX100S7
- Minimum CPU: Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
- Minimum RAM: 8 GB DDR3 1600 GHz
- Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Configuration: Common Netserver (TNMS + TNMS Core)
- Base reference model: ESPRIMO E710 E90+ or PY RX100S7
- Minimum CPU: Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
- Minimum RAM: 16 GB DDR3 1600 GHz
- Minimum HDD: HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC

Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware

2.2.1 Virtualization
TNMS supports virtualization using VMware ESXi 4.1. However, Coriant does not provide guarantees for, and is not responsible for, stability limits or performance in these circumstances.

The requirements for the virtual machines are similar to those presented in Table 2 and Table 3, except for the CPU, which only needs comparable CPU resources.

2.3 Supported Operating Systems

The following table provides the supported operating systems.

Full Installation: Microsoft Windows Server 2008 R2 SP1 (x64) 1); NTFS mandatory
Server, Server + Netserver: Microsoft Windows Server 2008 R2 SP1 (x64) 1); NTFS mandatory
Netserver: Microsoft Windows Server 2008 R2 SP1 (x64) 1), or Microsoft Windows 7 Professional SP1 (x64)
Client: Microsoft Windows Server 2008 R2 SP1 (x64) 1), or Microsoft Windows 7 Professional SP1 (x32/x64)
Citrix Server: Microsoft Windows Server 2008 R2 SP1 (x64) 1)

Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server

1) Both the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition and the Standard Edition are supported. However, if the machine has more than 32 GB of RAM you must install the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition, as the Standard Edition cannot allocate more than 32 GB of RAM.

Throughout this and the following chapters the designation of the several operating
systems is often abbreviated to allow for better readability. Always refer to the table
above for the exact versions supported for TNMS.

2.4 Prerequisites by component

The following table describes which software is required for each component. Note that the table also shows the order in which the components should be installed. After installing the operating system, the system should be commissioned as follows:

Software (columns, left to right: Full Installation, Server + Netserver, Server, Netserver, Client)
Adobe Reader: Mandatory, Optional, Optional, Optional, Mandatory
MSXML: Mandatory, Mandatory, Mandatory, Mandatory, Mandatory
MS.NET: Mandatory, Mandatory, Mandatory, Mandatory, Mandatory
Oracle 11.2.0.3: Mandatory, Mandatory, Mandatory
OSI Stack: Mandatory, Mandatory, Mandatory
CopSSH: Mandatory, Mandatory, Mandatory
Citrix XenApp: Optional

Table 5 TNMS software prerequisites and their installation sequence

A dedicated Java JRE installation is not mandatory, given that the installer already includes the JRE versions required by TNMS. However, you can manually install Java j2re-1.6.0_43 (32 or 64 bit) if required by other software.


To install the Java j2re-1.6.0_43 (32 or 64 bit), use the packages available in the TNMS prerequisites and follow the default installation procedure. For additional information refer to the Oracle Java documentation.
Disable all Java automatic updates on the machines where Java is installed. If Java automatic updates are enabled, the system may not work properly.

2.5 BIOS configuration

The following chapter describes the recommended configurations for the system BIOS. These refer to HP machines and may differ for other hardware configurations.
To access the BIOS, boot the machine and press F9 in the startup screen.

Disable the network:
Go to System Options > Embedded NICs > NIC # Boot Options and set to Disabled, where # represents the network interface card number.

Processor options:
Go to System Options > Processor Options > Intel Virtualization Technology and set to Disabled.
Go to System Options > Processor Options > Intel VT-d and set to Disabled.

Power management options:
Go to System Options > Power management options > HP Power Profile and set to Maximum performance.
Go to System Options > Power management options > HP Power Regulator and set to HP Static High Performance Mode.


3 Server operating system configuration


Before installing the server operating system, you must create and configure the logical drive where Windows will be installed.
The following chapter applies to the recommended medium and large configuration hardware only; these steps may differ for other hardware configurations.

3.1 Integrated Lights-Out (iLO) management console

This chapter describes how to operate the Integrated Lights-Out (iLO) management console. This console is used to access the server machine and for administration purposes. Refer to the iLO specific documentation for further information.

Accessing the Integrated Remote Console
Use the following information to access the console:
1. Address: https://<machine IP>
2. Username: <user>
3. Password: <password>
4. In the left panel tree, expand Information > Overview, and in Integrated Remote Console, click the .NET link.

3.2 Disk configuration
It is recommended that you configure a RAID 1 for the disks where the operating system will be installed.
While booting the machine, proceed as follows:
1. When the message Press any key to view Option ROM messages appears, press ENTER.
2. When the internal controller displays the message Press <F8> to run the option ROM Configuration For Arrays Utility, press F8.
3. At the Main Menu, select Create Logical Drive.
4. Using the default settings, create the RAID 1 configuration with the two available hard drives.

3.3 Windows installation

The steps below refer to the Windows operating system installation using the Integrated Lights-Out (iLO) management console.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the Mount Image File dialog box, select the Windows 2008 R2 ISO file and press Open.
4. Restart the machine and boot from CD-ROM (typically by pressing F11 to access the boot menu).
The Windows installation is standard, with no special configuration or input. You only need to create one NTFS partition on the previously created RAID 1 volume using ~50% of the available space. The remaining 50% is used for a new partition created afterwards.

3.4 HP service pack installation

It is highly recommended to update to the latest HP Service Pack for the corresponding machine model. This service pack updates drivers, software and firmware to the latest version. Download the service pack ISO from the HP support website.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the Mount Image File dialog box, select the ISO file and press Open.
A new CD-ROM drive is mapped in Windows, providing the content of the service pack.
4. Log in to Windows and run the CD-ROM setup located at <drive>:\hp\swpackages\setup.exe.
5. In the HP Smart Update Manager window, tab Welcome, click Next.
6. In tab Source Selection, choose the Default Repository and click Next.
7. In tab Select Targets, click the machine list item, click Edit Target, insert the Windows Administrator username and its password, and click Next.
8. In tab Review/Install Updates, click Install.
The machine may reboot automatically; if not, click Reboot Now, choose the appropriate delay and click OK.

3.5 Medium configuration

In order to configure a Windows medium configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in the Select an available device... combo box, select your device (make sure it is not the Embedded slot).
4. In the System and Devices panel, expand the Smart Array tree, select the first branch and click Create Array.
5. Select the two available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 1 and keep the default settings. Click Save to finish the operation.

3.6 Large configuration

In order to configure a Windows large configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in the Select an available device... combo box, select your device (make sure it is not the Embedded slot).
4. In the System and Devices panel, expand the Smart Array tree, select the first branch and click Create Array.
5. Select all available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 5 and keep the default settings. Click Save to finish the operation.

3.7 Disk partitioning

Three new partitions are needed:
One on the internal disks (D), using the remaining ~50% of available space - NTFS
Two on the disk array - NTFS

In order to configure the disk partitioning for medium and large configurations, proceed as follows:
1. Go to Start > Search Programs and Files > type Server Manager and press Enter.
2. In Server Manager, expand the server tree Server Manager > Storage > Disk Management.
In case the window Initialize Disk is displayed, click OK keeping the default settings.
3. Identify the disk that contains the C: drive and select the grey partition that displays an Unallocated area.
3.1 Right-click the unallocated area, select New Simple Volume and click Next.
3.2 Choose the recommended partition size (typically 50% of the disk size) and click Next.
3.3 Assign the drive letter D to the new partition and click Next.
3.4 In the Format Partition window, format this volume with the following settings:
File system = NTFS
Allocation unit size = Default
Choose a volume label for the new partition
Enable the Perform quick format option
3.5 Click Next and Finish to complete the partition creation step.
4. Identify the disk that does not contain any partition (C, D) and select the grey partition that displays an Unallocated area.
4.1 Right-click the unallocated area, select New Simple Volume and click Next.
4.2 Choose the recommended partition size (typically 65% of the disk size) and click Next.
4.3 Assign the drive letter E to the new partition and click Next.
4.4 In the Format Partition window, format this volume with the following settings:
File system = NTFS
Allocation unit size = Default
Choose a volume label for the new partition
Enable the Perform quick format option
4.5 Click Next and Finish to complete the partition creation step.
5. Identify the disk that contains the E: drive and select the grey partition that displays an Unallocated area.
5.1 Right-click the unallocated area, select New Simple Volume and click Next.
5.2 Choose the recommended partition size (typically 35% of the disk size) and click Next.
5.3 Assign the drive letter F to the new partition and click Next.
5.4 In the Format Partition window, format this volume with the following settings:
File system = NTFS
Allocation unit size = Default
Choose a volume label for the new partition
Enable the Perform quick format option
5.5 Click Next and Finish to complete the partition creation step.
6. Close the Disk Management window.


4 Initial system configuration


4.1 Before you begin

Before installing, complete the following steps:
Check the system requirements.
Determine the file system to be used, the partition to be used by the installation and the components to install.
The machine where the TNMS Server is installed should use NTFS, as it provides extra security for the Oracle database files.
Oracle must be installed in the same machine as TNMS Server.
Determine how the network, IP addresses and TCP/IP name management will be handled.
Ensure that the host IP addresses are static, that is, do not use DHCP dynamic addresses.
In the machines where the TNMS Server and/or Netserver are installed, disable Hibernate by running the following command as administrator:
powercfg.exe /hibernate off

4.2 Virtual memory configuration

Coriant recommends that you configure your system to automatically manage the paging file size:
1. Go to Start > Control Panel > System.
2. Click Advanced system settings.
3. In the System Properties window, go to the Advanced tab and, in the Performance area, click Settings.
4. In the Performance Options window, go to the Advanced tab and click Change.
5. In the Virtual Memory window, check Automatically manage paging file size for all drives.
However, if you prefer to set a limit on the paging file size for Server and Netserver, do as follows:
1. Follow steps 1 to 4 above.
2. In the Virtual Memory window, uncheck Automatically manage paging file size for all drives.
3. Select the system drive, select Custom size and enter the paging file size (refer to Table 6).
4. Click Set to save the settings and then OK to close the window.

TNMS Component (columns, left to right: Legacy Medium, Legacy Large, Medium, Large)
Server: 12 GB, 24 GB, 16 GB, 64 GB
Netserver: 4 GB, 4 GB

Table 6 Paging file size. Note that automatic management is recommended.


4.3 Audit policy

Proceed to configuring the Audit policy only if your network has legacy, NEC-interfaced NEs, that is, other than hiT 7300 or hiT 7100.
To enable auditing locally in the installed OS:
1. Open the Local Security Policy settings via Start menu/button > Control Panel (Windows 7 only) > Administrative tools > Local Security Policy icon.
2. In the tree pane, select Audit Policy under Local Policies.

Figure 1 "Local Security Settings - Audit Policy" window

3. In the details pane, double-click the following policy settings to open the properties window:
Audit Account Logon Events, to track user logon and logoff - select the check boxes Success and Failure.
Audit Account Management, to report changes to user accounts - select the check boxes Success and Failure.
Audit Directory Service Access, to report access and changes to the directory service - No auditing (no check box selected).
Audit Logon Events, to report success/failure of any local or remote access-based logon - select the check boxes Success and Failure.
Audit Object Access, to report file and folder access - select the check boxes Success and Failure.
The auditing configuration for the individual object (file or folder) must be set within its properties.
Audit Policy Change, to report group policy changes - select the check boxes Success and Failure.
Audit Privilege Use, to report when permissions (read, write...) are used - select only the check box Failure.
Audit Process Tracking, to report when processes and programs fail (not security related) - No auditing (no check box selected).
Audit System Events, to report standard system events (not security related) - select the check boxes Success and Failure.
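As an added example (not part of the Coriant manual), the same audit settings can be applied and verified from an elevated PowerShell prompt with the built-in auditpol.exe; the category names are the English auditpol categories that correspond to the Local Security Policy entries above, and the function names are this example's own.

```powershell
# Added example, not from the TNMS manual: apply the audit settings listed in 4.3 with
# auditpol.exe and read them back, so the policy on Server/Netserver machines can be
# verified without clicking through Local Security Policy. Run as Administrator.
# Category names and setting strings are the English ones printed by auditpol; the
# function names (Set-/Get-/Test-TnmsAuditPolicy) are this example's own.

# Desired state per category, copied from the list above.
$desired = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  },  # Audit Account Logon Events
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  },
    @{ Category = 'DS Access';          Success = $false; Failure = $false },  # Audit Directory Service Access
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  },  # Audit Logon Events
    @{ Category = 'Object Access';      Success = $true;  Failure = $true  },
    @{ Category = 'Policy Change';      Success = $true;  Failure = $true  },
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  },
    @{ Category = 'Detailed Tracking';  Success = $false; Failure = $false },  # Audit Process Tracking
    @{ Category = 'System';             Success = $true;  Failure = $true  }   # Audit System Events
)

function Get-ExpectedSetting($Entry) {
    # Map the two flags to the wording auditpol prints in its "Setting" column.
    if ($Entry.Success -and $Entry.Failure) { return 'Success and Failure' }
    if ($Entry.Success) { return 'Success' }
    if ($Entry.Failure) { return 'Failure' }
    return 'No Auditing'
}

function Set-TnmsAuditPolicy {
    # auditpol writes the per-subcategory (advanced) policy; once set, it takes
    # precedence over the legacy view shown in Local Security Policy.
    foreach ($d in $desired) {
        $s = 'disable'; if ($d.Success) { $s = 'enable' }
        $f = 'disable'; if ($d.Failure) { $f = 'enable' }
        & auditpol.exe /set "/category:$($d.Category)" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for category '$($d.Category)'" }
    }
}

function Get-AuditPolicyByCategory {
    # Parse "auditpol /get /category:*": category names start in column 0, each
    # subcategory is indented by two spaces and ends with its setting.
    $byCategory = @{}
    $current = $null
    foreach ($line in (& auditpol.exe /get /category:*)) {
        if ($line -match '^  (\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$') {
            if ($current) { $byCategory[$current] += @($matches[2]) }
        } elseif ($line -match '^\S' -and $line -notmatch 'Category/Subcategory' -and $line -notmatch 'audit policy') {
            $current = $line.Trim()
            $byCategory[$current] = @()
        }
    }
    return $byCategory
}

function Test-TnmsAuditPolicy {
    # Returns one line per deviation from $desired; an empty result means compliant.
    $actual = Get-AuditPolicyByCategory
    $problems = @()
    foreach ($d in $desired) {
        $expected = Get-ExpectedSetting $d
        if (-not $actual.ContainsKey($d.Category)) {
            $problems += "category '$($d.Category)' not found in auditpol output"
            continue
        }
        foreach ($setting in $actual[$d.Category]) {
            if ($setting -ne $expected) {
                $problems += "category '$($d.Category)': found '$setting', expected '$expected'"
            }
        }
    }
    return $problems
}

Set-TnmsAuditPolicy
$deviations = @(Test-TnmsAuditPolicy)
if ($deviations.Count -eq 0) { 'Audit policy matches section 4.3' } else { $deviations }
```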

4.4 FTP configuration

The following chapter guides you through the required component services configuration.

4.4.1 Installing Internet Information Services in Windows Server 2008

To install the FTP server proceed as follows:
1. Open Start > Administrative tools > Server Manager > Roles.
2. Click Add Roles to open the Add Roles Wizard and click Next.
3. In Server Roles, select Web Server (IIS) and click Next.
4. In Web Server (IIS) click Next.
5. In Role Services, select the following services from the tree (top-level entries first):
   Web Server
      Common HTTP Features
         Static Content
         Default Document
         Directory Browsing
         HTTP Errors
      Health and Diagnostics
         HTTP Logging
         Request Monitor
      Security
         Request Filtering
      Performance
         Static Content Compression
   Management Tools
      IIS Management Console
      IIS Management Scripts and Tools
      Management Service
      IIS Management Compatibility - when you select this option a warning pops up informing you that two other components must also be installed. Accept their installation.
         IIS 6 Scripting Tools
   FTP Server
      FTP Service
      FTP Extensibility
6. Click Next.
7. In Confirmation, click Install.
8. In Results, select Close.
9. Reboot your computer.


Enabling ASP.NET and IIS

The following description details the configuration steps necessary in IIS Manager:
1. Open Start > Administrative tools > Internet Information Services (IIS) Manager.
The Internet Information Services Manager enables you to configure, control and troubleshoot IIS and ASP.NET.
2. In the Connections panel on the left, expand the server name and click Application Pools.
3. In the Actions panel on the right, click Set Application Pool Defaults.... This opens the Application Pool Defaults window.
4. In the General section, set the Enable 32-Bit Applications option to True and click OK.

4.4.2 Configuring the FTP Service in Windows Server 2008

To configure the FTP Service/Server, follow these steps:
1. Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left pane tree, expand the Default Computer > Sites.
3. In the right pane tree, select Add FTP Site. This opens the Add FTP Site window.
4. Enter the FTP site name.
5. In Physical Path, change the folder to C:\inetpub\ftproot, click OK and Next.
6. In the Binding and SSL Settings step, configure the IP Address or leave as default.
7. In SSL, select Allow SSL. Click Next.
8. In the Authentication and Authorization Information step, select Authentication as Basic.
9. In Authorization, Allow access to All users, permissions Read and Write.
10. Click Finish.

4.4.3 Installing Internet Information Services in Windows 7

To install the FTP server proceed as follows:
1. Open Start > Control Panel > Programs and features > Turn Windows features on or off.
2. Select the following services from the tree (top-level entries first):
   Internet Information Services
      FTP Server
         FTP Service
         FTP Extensibility
      Web Management Tools
         IIS 6 Management Compatibility
            IIS 6 Management Console
         IIS Management Scripts and Tools
         Management Service
3. Click OK and confirm.
4. After the installation go to Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
5. Reboot your computer.

4.4.4 Configuring the FTP Service in Windows 7


To configure the FTP Service/Server, follow these steps:
1. Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the right pane tree, select "Add FTP Site". This opens the Add FTP Site window.
3. Enter the FTP site name (default).
4. In Physical Path, change the folder to "C:\inetpub\ftproot", click OK and Next.
5. In the "Binding and SSL Settings" step, configure the IP Address or leave as default.
6. In SSL, select "Allow SSL". Click Next.
7. In the Authentication and Authorization Information step, select Authentication as Basic.
8. In Authorization, Allow access to "All users", permissions "Read" and "Write".
9. Click Finish.
10. Then expand the tree in the left pane until the default FTP site. In the default FTP Home area, click FTP Authentication. Then, in the window, right-click Basic Authentication and click Enable.
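As an added example (not part of the Coriant manual), the following PowerShell function reports what the wizard in 4.4.2 and 4.4.4 actually wrote for each FTP site by reading IIS's applicationHost.config; the config path is the IIS default and the function name is this example's own.

```powershell
# Added example, not from the TNMS manual: report the FTP site settings configured in
# 4.4.2 / 4.4.4 by reading IIS's applicationHost.config directly. Per FTP site it shows
# the binding, physical path, SSL policy ("Allow SSL" in the wizard is stored as
# SslAllow), the enabled authentication methods and the authorization rules.
# Read-only; run as Administrator. The config path is the IIS default, not something
# the manual specifies, and the function name is this example's own.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

function Get-FtpSiteReport {
    param([string]$Path = $configPath)
    [xml]$cfg = Get-Content -Path $Path
    $report = @()
    foreach ($site in $cfg.configuration.'system.applicationHost'.sites.site) {
        $ftpBinding = @($site.bindings.binding | Where-Object { $_.protocol -eq 'ftp' })
        if ($ftpBinding.Count -eq 0) { continue }   # HTTP-only site, skip it
        $sec = $site.ftpServer.security
        $ssl = $sec.ssl.controlChannelPolicy
        if (-not $ssl) { $ssl = '(not set, IIS default applies)' }
        # Authorization rules are stored under <location path="SiteName">.
        $rules = @()
        $loc = $cfg.configuration.location | Where-Object { $_.path -eq $site.name }
        if ($loc) {
            foreach ($r in @($loc.'system.ftpServer'.security.authorization.add)) {
                if ($r) { $rules += ('{0} users="{1}" roles="{2}" permissions="{3}"' -f $r.accessType, $r.users, $r.roles, $r.permissions) }
            }
        }
        $root = @($site.application | Where-Object { $_.path -eq '/' })[0]
        $report += New-Object PSObject -Property @{
            Site              = $site.name
            Binding           = $ftpBinding[0].bindingInformation
            PhysicalPath      = @($root.virtualDirectory)[0].physicalPath
            ControlChannelSsl = $ssl
            BasicAuth         = $sec.authentication.basicAuthentication.enabled
            AnonymousAuth     = $sec.authentication.anonymousAuthentication.enabled
            Authorization     = ($rules -join '; ')
        }
    }
    return $report
}

Get-FtpSiteReport | Format-List Site, Binding, PhysicalPath, ControlChannelSsl, BasicAuth, AnonymousAuth, Authorization
```

For the site created by the steps above the report should show BasicAuth true, ControlChannelSsl SslAllow and an Allow rule for users="*" with Read, Write permissions.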

4.5 Domain Verification

Check if a network domain exists. Use the following Windows steps:
1. Go to System Properties via Start > Control Panel > System.
2. In Computer name, domain, and workgroup settings, check the Domain information.
If a network domain exists and both TNMS Core and TNMS belong to it, then log on to that domain and proceed with the installation as you normally would.
If a network domain does not exist, then:
You may skip this configuration, but then you will not have Single Sign On capabilities in TNMS.
Contact your network administrator for details on how to configure the domain, since domain details are specific to your network.

4.6 System Hosts configuration

Since TNMS uses a static IP address configuration, it is mandatory that the system's "hosts" file is properly configured with at least "<Server IP> <FQDN>" and "127.0.0.1 localhost".
Edit the Windows hosts file (typically C:\Windows\System32\drivers\etc\hosts) and for each server insert a line like
xx.xx.xx.xx <full computer name>
where xx.xx.xx.xx is the static IP of the server in question, and the full computer name follows name.domain.com as found in Control Panel > System Properties > Computer Name > Full computer name of the server in question.
If all is properly configured, the full computer name (as found in ... > Computer Name > Full computer name) will appear automatically in the OpenDS Directory Server Configuration window during the installation procedure.
The TNMS installer will check if the hosts file is correctly configured. In case the server belongs to a domain, make sure the FQDN matches the domain.
If no domain exists and the hosts file is not configured, the installation will not proceed.
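As an added example (not part of the Coriant manual), this PowerShell check runs the same validation before the installer does: it parses the hosts file, derives the full computer name the way Control Panel shows it, and reports what is missing. The hosts path is the Windows default, the server IP is a constructed placeholder, and the function names are this example's own.

```powershell
# Added example, not from the TNMS manual: check the local hosts file for the two
# entries section 4.6 requires ("127.0.0.1 localhost" and "<Server IP> <FQDN>") before
# the TNMS installer runs its own check. The FQDN is derived the same way as
# "Full computer name" (host name + primary DNS suffix). Read-only; the hosts path is
# the Windows default, and -ServerIp must be the machine's static address.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $hostsPath)
    # One object per active line: Address plus the list of names mapped to it.
    $entries = @()
    foreach ($line in (Get-Content -Path $Path)) {
        $text = ($line -split '#')[0].Trim()          # strip comments
        if ($text -eq '') { continue }                # blank/comment-only line
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }         # address without a name
        $entries += New-Object PSObject -Property @{
            Address = $fields[0]
            Names   = @($fields[1..($fields.Count - 1)])
        }
    }
    return $entries
}

function Get-LocalFqdn {
    # Same value as Control Panel > System > Full computer name.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($props.DomainName) { return ('{0}.{1}' -f $props.HostName, $props.DomainName) }
    return $props.HostName
}

function Test-TnmsHostsFile {
    param(
        [Parameter(Mandatory = $true)][string]$ServerIp,
        [string]$Fqdn = (Get-LocalFqdn),
        [string]$Path = $hostsPath
    )
    $entries = @(Get-HostsEntries -Path $Path)
    $problems = @()

    $lo = @($entries | Where-Object { $_.Address -eq '127.0.0.1' -and $_.Names -contains 'localhost' })
    if ($lo.Count -eq 0) { $problems += 'missing "127.0.0.1 localhost"' }

    $srv = @($entries | Where-Object { $_.Address -eq $ServerIp -and $_.Names -contains $Fqdn })
    if ($srv.Count -eq 0) { $problems += ('missing "{0} {1}"' -f $ServerIp, $Fqdn) }

    # A second address for the same FQDN would make name resolution ambiguous.
    foreach ($e in $entries) {
        if ($e.Names -contains $Fqdn -and $e.Address -ne $ServerIp) {
            $problems += ('"{0}" also maps to {1}' -f $Fqdn, $e.Address)
        }
    }

    # Domain-joined machines: the FQDN suffix must match the domain (see 4.6).
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain -and -not $Fqdn.ToLower().EndsWith('.' + $cs.Domain.ToLower())) {
        $problems += ('FQDN "{0}" does not match domain "{1}"' -f $Fqdn, $cs.Domain)
    }
    return $problems
}

# Usage (192.0.2.10 is a constructed placeholder for the server's static IP):
$issues = @(Test-TnmsHostsFile -ServerIp '192.0.2.10')
if ($issues.Count -eq 0) { 'hosts file OK' } else { $issues }
```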

4.7 Dynamic Port range configuration

The default dynamic port range configuration for Windows Server 2008 and Windows 7 starts at port 49152 and ends at port 65535. This complies with the Internet Assigned Numbers Authority (IANA) recommendation. Proper installation of TNMS requires the default port range to be used.

TNMS enforces this setting during its installation. However, to avoid warnings while installing TNMS, configure the dynamic port range before the installation (required for Server and Netserver machines), as described below.
Execute the following procedure to ensure the correct configuration of the Server and Netserver machines:
1. Open the command line (cmd) as Administrator.
2. Execute the command:
netsh int ipv4 show dynamicport tcp
3. If the reported start port is not 49152, then execute the command:
netsh int ipv4 set dynamicport tcp start=49152 num=16384 persistent
Windows is now prepared concerning the dynamic port range configuration.


5 Software prerequisites installation


This chapter describes the installation and configuration of all prerequisites in the
recommended installation sequence.
Refer to Table 5 TNMS software prerequisites and their installation sequence to know
which prerequisites are required for each TNMS component.

5.1 Adobe Reader

You can either download the latest Adobe Reader from the Adobe website (recommended) or use the version included in the Prerequisites folder.
Coriant is not responsible for issues or vulnerabilities introduced by Adobe Reader, in particular when you download it yourself.
To install Adobe Reader, just follow the standard options shown in its installer. For any specific information, see the Adobe Reader documentation.

5.2 User Account Control

When applicable, Windows User Account Control must be disabled in order to continue with the installation. Depending on your Windows version, the procedure may vary. Typically, it can be disabled under Control Panel > User Accounts > Change User Account Control Settings > Never Notify.
Restart the machine after performing this change.

5.3 MSXML

MSXML 4.0 is an XML parser. It must be installed on the system so that network configuration data can be imported and exported in XML format.
To install MSXML 4.0 SP2 on all supported operating systems, proceed as follows:
1. Double-click the msxml4sp2.msi file in the MSXML directory on the software DVD.
2. A welcome window is now displayed. Press Next to continue.
3. In the End-User License Agreement window, accept the terms of the license agreement, and press Next to continue.
4. In the Customer Information window, enter a user name and the name of your company in the appropriate fields. Press Next to continue.
5. In the Choose Setup Type window, press Install Now.
6. The Installing Microsoft XML Parser and SDK window is now displayed. The progress of the installation is indicated by the progress bar.
7. Once the installation is complete, the Completing the Microsoft XML Parser and SDK Setup Wizard window is displayed. Press Finish to complete the installation.

5.4 MS.NET

Windows Server 2008
MS.NET 3.5 is installed with Windows Server 2008, but requires activation. To activate .NET 3.5, proceed as follows:
1. Go to Administrative Tools > Server Manager > Features.
2. Click Add Features.
3. Select .NET Framework 3.5.1 features.

5.5 Oracle

This section describes the installation of Oracle Database 11g Release 2 (64-bit) for Microsoft Windows x64. The supported version is 11.2.0.3.
The Oracle Database must be installed in the TNMS Server machine.
Before installing
To successfully install and run TNMS, at least 40GB of free disk space must be available in the destination machine before installing the Oracle database. RAM requirements are indicated in Table 7 RAM requirements and Oracle template files.

TNMS Configuration   RAM (GB minimal)   Oracle template file   Managers
Large                128                TNMS_LW.dbt            All
Medium               32                 TNMS_MW.dbt            All
Legacy                                  TNMS_SW.dbt            Ethernet and ASON only

Table 7 RAM requirements and Oracle template files

For the remaining hardware, follow the recommendations described in 2.2 Hardware requirements. Note that the values in this table are recommended and may vary according to the network dimension and the hardware used.
Before installing
By default, the TNMS Database Installer assumes the following directory locations:
Oracle installation disks: c:\oramedia
TNMS INSTALLER DIRECTORY: c:\inst
However, it is possible to install from different locations. If you choose to use the default directory locations above, you have to create them manually before you start the installation. During the installation you will be requested to confirm the directory paths. If you use different locations you must enter them manually whenever applicable.
1. Create both default directory locations indicated above. If you want to use other locations, make sure they are accessible from the installer (in a local or mapped drive).
2. Unzip the Oracle installation disks 1 and 2 to c:\oramedia (in case of the recommended default location). Only the extracted database folder is required. The directory structure should be as follows:
c:\oramedia\database
3. Copy the folders from the delivered TNMS media to the <TNMS INSTALLER DIRECTORY> (recommended default location: c:\inst). The directory structure should be as follows:
c:\inst\TNMS_Installer
c:\inst\TNMS_Prerequisites
Installation
The following steps guide you through the Oracle Database installation.
1. Go to <TNMS_INSTALLER_DIRECTORY>\TNMS_Prerequisites\Oracle\installation, right-click the Exec_TNMS_oracle_install.bat file and select Run as administrator.
A new terminal window opens. The installation log location is c:\temp and the full path is displayed on the screen.
2. Enter your configuration: Legacy, Medium or Large, by typing Y, M or L, respectively.
3. Enter the drives for the ORADATA, ORALOG and ORATRACE directories, or accept the default by pressing [ENTER]. Make sure you specify a valid drive letter followed by the colon sign (for example: c:).
4. Enter the TNMS database name, or accept the default by pressing [ENTER]. The database name must be between 1 and 12 characters long and the first character must be alphabetic.
The main menu is presented as follows:
0 - Check requirements
1 - Oracle Software Installation
2 - TNMS database creation
3 - TNMS database configuration
4 - Exit
Enter the desired option.
5. Choose option 0 - Check requirements by pressing 0.
The requirements check is executed, showing the available disk space and free memory. In case the requirements are met, the following message is displayed: You can now proceed with Oracle Database installation!
If the requirements are not met, the message Error: The Oracle installation cannot be done, because some requirements failed is displayed. Make sure you have enough disk space and memory before continuing.
6. Choose option 1 - Oracle Software Installation.
Press [ENTER] to confirm the default path or enter the Oracle Installer setup.exe path (if different).
Press [ENTER] to confirm the default path or enter the TNMS.rsp file path (if different).
This action opens a new window. Wait until the Oracle Software installation finishes. The message Successfully Setup Software. Please press Enter to exit... is displayed. Press [ENTER] to close the window.
7. Choose option 2 - TNMS database creation.
Press [ENTER] to confirm the default path or enter the template file path for your configuration:
TNMS_LW.dbt - large configuration.
TNMS_MW.dbt - medium configuration.
TNMS_SW.dbt - legacy configuration.
8. Type the SYS password and then retype it. Next, type the SYSTEM password and type it again.
Both SYS and SYSTEM passwords must be at least 5 characters long.
The TNMS database is created and the message Database created successfully is displayed.
If any failure occurs during the TNMS database creation, the message Error creating database. Check installation requirements is displayed. Look for errors in the log file indicated on the screen.
9. Choose option 3 - TNMS database configuration.
Press [ENTER] to confirm the default path or enter the TNMSnetca.rsp file path.
Press [ENTER] to confirm the default path or enter the listener.ora file path.
The database is configured and the message TNMS Database Configuration Successful. Oracle Installation finished is displayed.
10. Choose option 4 - Exit.
The Oracle installation and configuration is completed. Restart the machine.
Post-installation verifications
In order to verify the installation, check the Oracle Services and the TNMS database:
1. Go to Start > Run and run the command services.msc.
2. The following services should be started:
OracleOraDb11g_home1TNSListener
OracleServiceTNMS (if the default database name was TNMS)
3. Run the application:
<Oracle Home>\BIN\LSNRCTL
and run the command status.
<Oracle Home> is, by default, C:\oracle\product\11.2.0\dbhome_1\
4. Check if your SID exists and if its status is READY:
Instance "tnms", status READY... (if the default database name was TNMS)
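As an added example (not part of the Coriant manual), the post-installation checks above can be scripted in PowerShell: the function below verifies both services and parses lsnrctl status for the READY line. The Oracle home and database name default to the manual's values; the function name and the English lsnrctl output format are this example's assumptions.

```powershell
# Added example, not from the TNMS manual: the post-installation checks above as one
# function. It verifies that both Oracle services are running and that "lsnrctl status"
# reports the TNMS instance with status READY. Oracle home and database name default to
# the manual's values; the function name and the English lsnrctl output format parsed
# here are this example's assumptions.
function Test-TnmsOracleInstall {
    param(
        [string]$OracleHome = 'C:\oracle\product\11.2.0\dbhome_1',
        [string]$DbName     = 'TNMS'
    )
    $problems = @()

    # 1) Services: the listener and the instance service for the chosen database name.
    foreach ($name in @('OracleOraDb11g_home1TNSListener', "OracleService$DbName")) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $problems += "service $name not found" }
        elseif ($svc.Status -ne 'Running') { $problems += "service $name is $($svc.Status), expected Running" }
    }

    # 2) Listener registration: run <Oracle Home>\BIN\lsnrctl status and look for the
    #    line  Instance "tnms", status READY, ...  (instance names print in lower case).
    $lsnrctl = Join-Path $OracleHome 'BIN\lsnrctl.exe'
    if (-not (Test-Path -Path $lsnrctl)) {
        $problems += "lsnrctl not found at $lsnrctl"
        return $problems
    }
    $output = (& $lsnrctl status 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { $problems += "lsnrctl status exited with code $LASTEXITCODE" }
    $pattern = 'Instance "{0}", status (\w+)' -f [regex]::Escape($DbName)
    $m = [regex]::Match($output, $pattern, 'IgnoreCase')
    if (-not $m.Success) {
        $problems += "instance `"$DbName`" is not registered with the listener"
    } elseif ($m.Groups[1].Value -ne 'READY') {
        $problems += "instance `"$DbName`" has status $($m.Groups[1].Value), expected READY"
    }
    return $problems
}

$issues = @(Test-TnmsOracleInstall)
if ($issues.Count -eq 0) { 'Oracle post-installation checks passed' } else { $issues }
```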

5.5.1 Uninstalling Oracle
To uninstall the TNMS database and the Oracle software you must use the uninstallation tool provided by Oracle. Proceed as follows:
1. Go to Start > All Programs > Accessories > Command Prompt, right-click, select Run as administrator and then enter the following command:
<Oracle Home>\deinstall\deinstall.bat
<Oracle Home> is, by default, C:\oracle\product\11.2.0\dbhome_1\
The following steps describe a typical uninstallation procedure. In case the uninstallation tool requests additional information, refer to the uninstallation tool documentation at: http://docs.oracle.com/cd/E11882_01/install.112/e16774/deinstall.htm.
2. When prompted for the Listener Name, enter LISTENER and press Enter.
3. When prompted for the Oracle SID, enter TNMS and press Enter.
4. When prompted for TNMS database modification, enter "n" and press Enter.
(The details of database(s) TNMS have been discovered automatically. Do you still want to modify the details of TNMS database(s)? [n]: n)
5. When prompted for continuation, enter "y" and press Enter.
(Do you want to continue (y - yes, n - no)? [n]: y)
6. Wait until the uninstallation finishes and then restart the machine.
7. Go to the C:\ folder and delete the remaining folders and files:
C:\oracle
<PATH>\oradata (path chosen during installation)

5.6 OSI Stack

If QB3 is to be used, an OSI stack must be installed on the NetServer PCs before the NetServer software.

5.6.1 Installing OSI Stack

To install an OSI stack, proceed as follows:
1. In the software DVD, go to the OSI_Stack directory, right-click setup.exe and click Run as administrator.
2. A welcome window is now displayed. Press Next to continue.
3. In the Choose Destination Location window which is now displayed, a default installation directory is offered for the OSI stack. Press Next to continue.
4. In the Please select: window, select the NSAP address option best suited to your company's network and press Next.
5. In the Getting NSAP window, enter the NSAP address. For example, if you selected the option NSAP should be derived from MAC address of my ethernet card in step 4, enter the MAC address of the network card and press Next.
6. In the Start Copying Files window, ensure that the settings displayed are correct, and if so, press Next to continue.
7. A setup status window is now displayed, showing the progress of the OSI stack installation.
8. In the InstallShield Wizard Complete window, select the option for restarting the computer and press Finish to complete the OSI stack installation.

5.6.2 Configuring OSI stack


Once the OSI stack installation has finished and the computer has rebooted, carry out
the following configuration:


1. Open the OSI Stack as administrator: go to Start > Control Panel > OSI Stack, right-click OSI Stack and select Run as administrator.
You may need to switch to the classic view, click View as small icons, or use the
search field for OSI Stack.
2. Activate the following options:
- In Bind to Network Interface Card, activate all network interfaces.
- In OpWin Configuration, activate "Open Stack, when Operator starts".
- Activate "Start stack as service".
- Click ES-IS Stack parameter to enter the ES-IS configuration and disable
"Enable emission of ES hello". Click Ok.
3. Exit the OSI Stack Configuration and reboot the machine in order to reset the variables properly; otherwise you may experience unexpected delays in the service
readiness.
In case you have to check the environment variable OSIPIPE:
1. Click Start > Control panel > System and Security > System.
2. Open the Advanced system settings > Advanced tab.
3. Click the button "Environment variables".
4. In the lower list (user variables), search for the OSIPIPE variable.
5. The OSI stack configuration is finished.

5.6.3 Uninstalling OSI stack


To uninstall the OSI stack, follow the next steps:
1. Open Start > Control Panel > Administrative Tools > Services.
2. Select the OSI stack service and press Stop.
3. Open Start > Control Panel > Add/Remove Programs.
4. Select the OSI stack from the software list.
5. Click Uninstall.

6. Confirm the uninstall process with Finish and restart your computer.

5.7 CopSSH
CopSSH is a Secure Shell (SSH) File Transfer Protocol (SFTP) and Secure Copy (SCP)
server used for transferring data to and from some types of NEs.
CopSSH installation is required for netservers only if there are hiT 7100, hiT 7300
or ADVA NEs in your network.
SFTP / SCP use is recommended since it is more secure than FTP.

In order to support SFTP or SCP transactions via the LCT, you must install and configure CopSSH in TNMS.

5.7.1 Installing CopSSH
To install CopSSH 4.7.1 proceed as follows (same procedure for all supported operating
systems):
1. In the software DVD, go to the CopSSH directory, right-click the
Copssh_4.7.1_x86_Installer.exe file and run it as administrator.
2. The setup wizard's Welcome window is shown. Click Next.
3. In the License Agreement window click I Agree.
4. Enter an Installation folder or accept the default by clicking Next.
5. Enter the service account credentials.
6. You must select the user that will be used for the CopSSH account service management, by choosing one of the following options:
- Keep the default CopSSH user, SvcCOPSSH (the installer generates a random
password). If you choose this option, keep that password for future reference (recommended).
- Or select a new user (must be different from existing local machine users). In this
case you must provide a username and a password that match the following
requirements:
  - The username must be at least four characters in length.
  - Passwords cannot contain the user's account name or parts of the user's
complete name exceeding two consecutive characters.
  - Passwords must be at least six characters in length.
  - Passwords must contain characters from three of the following four categories:
English uppercase characters (A through Z).
English lowercase characters (a through z).
Base 10 digits (0 through 9).
Non-alphabetical characters (for example: !, $, #, %).
Click Install.
7. Click Close to finish the installation.

5.7.2 Configuring CopSSH
As a security measure, CopSSH's default user cannot be used to access the machine.
Therefore, new users must be created.
Configuring users in CopSSH:
1. Create a user with limited privileges in the operating system. This user will be used
to perform the SFTP / SCP.
2. Grant the user write privileges on the C:\Program Files (X86)\ICW folder. Go to
Properties, add the user created and give the user modify permissions.
3. Go to Start > Programs > CopSSH, opposite-click on CopSSH Control Panel and
click Run as administrator.
4. In the Status tab, check if the service is running (green button). If not, click on the
red button to start it.
5. Go to Users tab and click Add.
6. Click Forward to begin the CopSSH User Activation wizard.


7. Choose the current machine for domain and the user you created earlier. Click
Forward.
8. Select Shell access type:
- For ADVA NEs, select Linux shell and Sftp.
- For hiT 7100 and/or hiT 7300 NEs, select Sftp.
- For ADVA and/or hiT 7300 NEs and/or hiT 7100 NEs, select Linux Shell and
Sftp.
Of the three options available, only Password authentication must remain
checked. Uncheck the other two options, Public key authentication and Allow
TCP forwarding.
Click Forward.
9. Click Apply to activate the user.
Changing the default number of simultaneous sessions
The following mandatory procedure is required in order to support multiple NE requests.

Note that, if you run the CopSSH's Control Panel after the procedure below, all the
changes to the passwd file will be reset.
1. Edit the file C:\Program Files (x86)\ICW\etc\sshd_config
Below is a sample sshd_config file (after the CopSSH Control Panel has been run
for the first time):
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 10
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 10
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
2. Change both MaxSessions values (lines 8 and 13) to 100.
3. Add the line MaxStartups 10:30:100 after line 8 to control the number of open
unauthenticated sessions. This avoids an overload of the SSH daemon.
4. Below is the sample above after the changes:


Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 100
MaxStartups 10:30:100
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 100
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
5. Save the sshd_config file and restart the CopSSH service using Windows Control
Panel.
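The edit above is easy to get subtly wrong by hand (raising the catch-all MaxSessions 0, or adding MaxStartups inside a Match block where sshd does not accept it). The following added example, which is not code from the Coriant manual or the CopSSH project, parses an sshd_config into its global section and Match blocks, applies the two changes from the procedure, and then checks the result against the settings the procedure expects: MaxSessions 100 globally and for the SFTP user, MaxStartups present, password-only authentication and no TCP forwarding for the SFTP user, and a catch-all block that allows nothing. The user name copuser comes from the page's sample; the function names are this example's own, and the sample file is constructed inline.

```python
"""Parse a CopSSH sshd_config, apply the session-limit edit, and verify the result.

Added example, not Coriant or CopSSH code. Expected values come from the procedure
above; "copuser" is the SFTP user name used in the page's sample file.
"""
from typing import Dict, List, Tuple

# Constructed sample: sshd_config as the CopSSH Control Panel writes it, before the edit.
SSHD_CONFIG_BEFORE = """\
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 10
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 10
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
"""

Section = Tuple[str, Dict[str, str]]


def parse_sshd_config(text: str) -> List[Section]:
    """Split the file into ("global", {...}) followed by one entry per Match block.
    Keywords are lower-cased because sshd matches them case-insensitively, and for a
    repeated keyword sshd uses the first occurrence, so the first value is kept."""
    sections: List[Section] = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            sections.append(("Match " + value.strip(), {}))
            continue
        sections[-1][1].setdefault(key.lower(), value.strip())
    return sections


def apply_session_limits(text: str, max_sessions: int = 100,
                         max_startups: str = "10:30:100") -> str:
    """Steps 2 and 3 of the procedure: raise every MaxSessions except the catch-all 0,
    and add MaxStartups right after the global MaxSessions (only once, so the
    function is safe to run again on an already edited file)."""
    out: List[str] = []
    in_match = False
    has_startups = any(l.strip().lower().startswith("maxstartups") for l in text.splitlines())
    for raw in text.splitlines():
        words = raw.strip().split()
        key = words[0].lower() if words else ""
        if key == "match":
            in_match = True
        if key == "maxsessions" and words[1] != "0":
            out.append(f"MaxSessions {max_sessions}")
            if not in_match and not has_startups:
                out.append(f"MaxStartups {max_startups}")  # global section only
                has_startups = True
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


def _expect(section: Dict[str, str], label: str, wanted: Dict[str, str], findings: List[str]) -> None:
    for key, want in wanted.items():
        if section.get(key) != want:
            findings.append(f"{label}: {key} is {section.get(key, 'unset')}, expected {want}")


def check_sshd_config(text: str, sftp_user: str = "copuser") -> List[str]:
    """Return findings where the file deviates from the procedure; empty means it matches."""
    findings: List[str] = []
    sections = dict(parse_sshd_config(text))
    _expect(sections["global"], "global", {"maxsessions": "100"}, findings)
    if "maxstartups" not in sections["global"]:
        findings.append("global: MaxStartups is unset, unauthenticated connections are not throttled")
    user = sections.get(f"Match User {sftp_user}")
    if user is None:
        findings.append(f"no 'Match User {sftp_user}' block, the SFTP user is not activated")
    else:
        _expect(user, sftp_user, {"passwordauthentication": "yes", "pubkeyauthentication": "no",
                                  "allowtcpforwarding": "no", "maxsessions": "100"}, findings)
    catch_all = sections.get("Match User *")
    if catch_all is None:
        findings.append("no 'Match User *' catch-all block")
    else:
        _expect(catch_all, "catch-all", {"maxsessions": "0", "passwordauthentication": "no",
                                         "pubkeyauthentication": "no", "allowtcpforwarding": "no"}, findings)
    return findings
```

Running check_sshd_config on the file as written by the Control Panel reports three findings (both MaxSessions values still 10 and no MaxStartups); after apply_session_limits it reports none. Because the Control Panel rewrites its files, re-running the check after any later Control Panel use is the quickest way to confirm the limits are still in place.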

5.7.3 CopSSH Troubleshooting
Go to Start > Programs > CopSSH > CopSSH Control Panel and in the Status
tab, check that the CopSSH service is running (green color). If not:
1. Go to (Windows) Control panel > Administrative tools > Services.
2. Opposite-click the service "Openssh SSHD" and select Properties.
3. In the Log On tab, select Local System account.
4. Click OK.
5. Start the Openssh service.

Check if the SFTP user is added to the password file:


1. Edit the file C:\Program Files (x86)\ICW\etc\passwd.
It must contain the details of the SFTP user that was created and activated. For
example, if the user name is FTPUser, the file will be:


Administrator:unused:10500:10513:U-AUMELRD-TD-03\Administrator,S-1-5-21-3507081192-3007060136-515313314500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-AUMELRD-TD-03\FTPUser,S-1-5-21-3507081192-3007060136-5153133141021:/home/FTPUser:/bin/bash
Guest:unused:10501:10513:U-AUMELRD-TD-03\Guest,S-1-5-21-3507081192-3007060136-515313314501:/home/Guest:/bin/bash
sshd:unused:11025:10513:U-AUMELRD-TD-03\sshd,S-1-5-21-3507081192-3007060136-5153133141025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-AUMELRD-TD-03\SvcCOPSSH,S-1-5-21-3507081192-3007060136-5153133141026:/var/:/bin/bash
2. If the password file does not contain the details of the SFTP user, grant write
access to the ICW folder to the Windows user that is used to install COPSSH.

5.7.4 CopSSH Hardening
If you wish to further restrict the CopSSH's user privileges by making connections via
interactive shell impossible, do as follows:

Note that, if you run the CopSSH's Control Panel after the procedure below, all the
changes to the passwd file will be reset.
1. Go to <CopSSH installation path>\etc\ and edit the passwd file.
2. Edit the line (example) from
reguser:unused:11010:10513:reguser,U-TSVM41\TestPL,S-1-5-21-2769772405-123357289-3683661142-1010:/home/reguser:/bin/bash
to
(...):/bin/false
3. Save the file.
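Both the troubleshooting check in 5.7.3 (is the SFTP user present in the passwd file?) and the hardening step in 5.7.4 (set the user's shell to /bin/false) operate on the same colon-separated file. The following added example, which is not from the Coriant manual or the CopSSH project, parses that format, answers the 5.7.3 question, lists which users still have an interactive shell, and rewrites one user's shell field while leaving every other field untouched. The user names, host name, SIDs and paths in the embedded sample are constructed placeholders.

```python
"""Inspect and harden a CopSSH passwd file (name:passwd:uid:gid:gecos:home:shell).

Added example, not Coriant or CopSSH code. The sample below is constructed; its
host name and SIDs are placeholders, not values from a real machine.
"""
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample: a passwd file after the SFTP user FTPUser has been activated.
SAMPLE_PASSWD = """\
Administrator:unused:10500:10513:U-EXAMPLE-HOST\\Administrator,S-1-5-21-1000000000-2000000000-3000000000-500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-EXAMPLE-HOST\\FTPUser,S-1-5-21-1000000000-2000000000-3000000000-1021:/home/FTPUser:/bin/bash
sshd:unused:11025:10513:U-EXAMPLE-HOST\\sshd,S-1-5-21-1000000000-2000000000-3000000000-1025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-EXAMPLE-HOST\\SvcCOPSSH,S-1-5-21-1000000000-2000000000-3000000000-1026:/var/:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd lines into entries keyed by user name. The GECOS field contains
    commas and backslashes but never colons, so a plain split on ':' is exact; lines
    without exactly seven fields are skipped rather than guessed at."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def sftp_user_activated(text: str, user: str) -> bool:
    """5.7.3 check: the activated SFTP user must have a line in the passwd file."""
    return user in parse_passwd(text)


def interactive_shell_users(text: str) -> List[str]:
    """Users whose shell is anything other than /bin/false."""
    return [e.name for e in parse_passwd(text).values() if e.shell != "/bin/false"]


def disable_shell(text: str, user: str) -> str:
    """5.7.4 hardening: rewrite the user's shell field to /bin/false and return the new
    file text. Every other line and field is kept byte-for-byte; a missing user
    raises KeyError instead of silently producing an unchanged file."""
    out: List[str] = []
    found = False
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[6] = "/bin/false"
            line = ":".join(fields)
            found = True
        out.append(line)
    if not found:
        raise KeyError(user)
    return "\n".join(out) + "\n"
```

Note that the Control Panel resets the passwd file, as the section above states, so interactive_shell_users is worth re-running after any later use of the Control Panel to confirm the hardened shell is still in place.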

5.8 Antivirus
To protect TNMS against viruses, you should install F-Secure Client on all machines.
Refer to the software release notes to see the released versions.

5.9 NTI third-party software installation


The NTI DS is third-party software that is part of the TNMS prerequisites. You can find the
installer in the installation folder TNMS_Prerequisites > NTI_DS; it launches and
controls the setup of this third-party software. The main setup also configures the
software after the installation to work with TNMS.
This procedure is mandatory only if you want to have NTI operational. Otherwise, skip
this procedure.


Installing the NTI third-party software:
1. Run the NTI_DS_Installer.exe file. Check the file in the folder TNMS_Prerequisites.
2. Proceed as described in the setup windows. In the Welcome window, click Next.
3. In the License Agreement window, choose I accept the terms of License Agreement and click Next.
4. In the Choose Install Set window, click Next.
Choose Full Installation as the installation type.
5. In the Directory Name (Default: C:/NTI_DS) window, enter the installation directory
or select it from the Choose dialog and click Next.
6. In the Notification Service Configuration window, set the following options:
- Contact with IMR on every server start-up: off (default option).
- Choose level of verbosity: fatal errors only (default option).
- Choose details for compact Typecodes: off (default option).
- Disable indirection encoding: on (default option).
- Please enter port number for Notification Service: 17289 (default option).
- Please choose maximum Java heap size for Notification Service: choose one
of the three available values. The default value is 256 MB.
Click Next.
7. In the Pre-Installation Summary window check if the installation options are correct
and confirm by clicking Install.
8. In the Install Complete window, you see the message Your computer must be
restarted to complete the installation. Click Finish.

After rebooting, proceed as follows:
- Go to <Installation Folder>\NoSe\bin and run the Object Viewer by double-clicking the manager.bat file.
- Locate the localhost of the OpenFusion object, right-click and then click Start
in the context menu. If already started, skip this step.
This changes the state to Started.
- Ensure the services are started through Start > Control Panel > Administrative Tools
> Services.
The following services must exist and be in state Started:
- JacORB IMR
- OpenFusion.NotificationService 4.2.3

6 TNMS installation
This chapter describes the TNMS installation. If you have a previous TNMS version
installed in your system, jump to 9 Upgrade to TNMS 14.1 10.
Before you install TNMS be sure to read and follow the directions below. Failing to
comply will result in a failed installation.

6.1 Full installation
To install TNMS Server, NetServer and Client in the same machine (full installation):
1. Copy all relevant priority updates into ...\TNMS Installer\PUs.
2. Login on the operating system with a user that has administrative rights.
3. Opposite-click the installation file in the TNMS SW CD and select Run as administrator (Figure 2).

Figure 2 How to set the TNMS installer to run with administrator rights in Windows 7 and Windows Server 2008.

The Introduction window opens and the complete list of installation steps is displayed on the left pane.
Click Next to continue.
4. Read the License Agreement and then select I accept the terms of the License
Agreement.
Click Next to continue.
5. In the Choose Install Set step, click Full to install all components in the machine.
The available buttons describe the installation variants offered.
Click Next to continue.
6. Select your type of hardware configuration: Medium, Large (see 2.2 Hardware
requirements) or Legacy Hardware.
Select Legacy Hardware to install TNMS Server in machines that meet the
hardware requirements for TNMS 13.2 1x but not for TNMS 14.x xx.

Optical Management is not supported in the Legacy Hardware configuration.


7. A usage warning pops up to let you know that the database should not be in use by
any application.
8. Select Build and click Next to continue.
The Build option, if there is a previous TNMS version installed, will delete all the
data in the database. To upgrade your installation, refer instead to the Upgrade
Manual.
9. The Oracle database connection step asks you to enter a set of database connection parameters:
- Database IP Address: the Oracle host IP address.
- Database port: the Oracle server port number. The default value is 1521.
- Database username: the user schema of the database to be created (example:
TNMS).
Using the same user / password in all installations is recommended since it
ensures that the database is restorable in any machine. However, another user
/ password can be used for security reasons, as long as you keep these data for
future reference and use the same user / password in the system where you
perform the backup and the system where you restore it.
- User password: the password for the DB user (example: fk12!igp).
The password must meet the following requirements:
  - Is at least four characters long.
  - Differs from the user name.
  - Has at least one alphabetic, one numeric and one punctuation character.
  - Is not simple or obvious, such as welcome, account, database, or user.
- Re-enter user password: re-enter the password.
- Database name (SID): the name of the Oracle database (DB instance), which,
by default, is TNMS.
- User sys password: fill in with the password defined in 5.5 Oracle.
Click Next to continue.
10. In the Choose Components step:
10.1 Select the Managers to be installed.

On Legacy hardware installations the Optical Manager will not be installed. To


install and use the Optical Manager you must select the Medium or the Large
configuration.
Mind that all managers can be installed but each requires a specific license to
be used.
Click Next to continue.
10.2 Select the North Bound Interface to install, if any.

If you select TMF/Corba, you must have previously installed the NTI as
described in 5.9 NTI third-party software installation.
Click Next.
10.3 Select the LCTs to be installed.
Click Next to continue.
10.4 Select the NEs to be installed and all their versions, for example:
[X] hiT 7300 5.10.0x
[X] hiT 7300 5.10.10
[X] hiT 7300 5.10.2x
[X] hiT 7300 5.30.50
[X] hiT 7300 5.30.60
Click Next to continue.
11. In the Choose Install Folder step:
11.1 Enter the path for the TNMS installation folder, the TNMS Data folder (see
note), the LCT installation folder and the EML Mediation installation folder.


Default paths are provided.


Click Next to continue.

Make sure that the TNMS Data folder is empty. If not, backup and remove the
data or select a different folder.
12. If CopSSH is not installed in the machine, a warning pops up to let you know that the
NetServer requires you to install it (see 5.7.1 Installing CopSSH).
If CopSSH is already installed, you must provide a valid SFTP User, that is, a
Windows user that was added to CopSSH (see 5.7.2 Configuring CopSSH).

The user is not created again. The user mentioned in this step serves as a cross
check with the user added in the CopSSH configuration (see 5.7.2 Configuring
CopSSH).
13. In case you have more than one Network Interface Card (NIC) installed, the Choose
host IP address panel is displayed providing a list of the IPs associated with each
NIC.
Click the pulldown menu and choose the IP that corresponds to the host name of the
machine.
In case you only have one NIC, this panel is not displayed and you must proceed to
the next step.
14. Select the TNMS server's IP address (blank by default).
Enter the TNMS server's IP address if you are installing the netserver on a machine
other than the server (blank by default).
Click Next to continue.

This step is skipped in some cases, such as if the server has only one IP address.
15. In the OpenDS Directory Server Configuration step set the following OpenDS
database server information:
All fields except the Admin password are automatically filled in. If not, cancel the
installation wizard, complete the 4.6 System Hosts configuration and start the installation once more.
- Computer name: <Computer Name>.<Domain>
- Install directory: folder wherein the OpenDS server will be installed.
- Server port, Admin port: ports used respectively to communicate with the OpenDS
Server and for administrative actions.
The server and admin port numbers shown are defaults, not mandatory. You can
use any port number from 1024 to 49151.
- Admin ID: default is admin.
- Admin password: select a password (minimum 8 characters).
- Re-enter Admin password: re-enter the selected password.
Click Next to continue.
16. In the Choose Shortcut Folder step configure the options of the icons and shortcuts
to be created during installation.
Click Next to continue.
17. Decide whether to use Coriant's wallpaper as your default desktop wallpaper.
Click Next to continue.


18. If one or more of the priority updates you copied into ..\TNMS Installer\PUs does not
comply with a set of preconditions a warning message is displayed (for additional
information check 6.3 About the automatic priority updates installation).

The PUs that generate warnings will not be installed.


Click Next to continue or click Cancel to go back to the previous step.
19. A summary of the installation settings is given in the Pre-Installation Summary step.
If the settings are correct, click Install to start the installation.
20. If an error, such as a corrupted PU file, is detected during the installation an error
message is displayed (for additional information check 6.3 About the automatic
priority updates installation).
21. The results of the installation are presented in the Installation Results step.
Click Done to close the installation wizard.
22. Reboot the machine to complete the installation.
After the TNMS Server has been installed and started, the system can be immediately
operated by selecting the server name and using the default user name and password
(see 7.3 Logging in and 7.4 Default username and password).

A warning message may be displayed during the installation configuration stating that
the firewall is enabled. However, if you use the Windows Firewall, in some cases the
firewall window displays the disabled status. This contradiction arises because the TNMS
Installer uses the netsh adv commands to check the firewall status, which can return
a status different from the one presented in the GUI.
To configure the firewall refer to 12.3 Networking and firewall configuration.

The TNMS installation creates the following services on the target machine after the full
installation is completed:
- TNMS (automatically started). In the server machine.
- RCTSrv (automatically triggered off by TNMS and thus listed as Manual). In the
server machine.
- Open DS (automatically started). In the server machine.
- TNMS EmlMediator (automatically started). In the netserver machine.
- TNMS Generic Mediator (automatically started). In the netserver machine.
- TNMS TrapHandler (automatically started). In the netserver machine.
- TNMS Multivendor Mediator (automatically started). In the netserver machine.
- TNMS platform (automatically started). In the server machine.

6.2 Installation of separate components


To install only one of the components or a specific combination of components you must
follow the procedure described in the previous section until step 5. In this step choose
Client, Server, NetServer, Server and NetServer or Server and Client. The subsequent
steps are a subset of those described in 6.1 Full installation. However, note that:
- If you install the TNMS Client and/or the Netserver on Windows 7, go to Start >
Control Panel > System > Advanced System Settings > Advanced tab > Performance pane > Settings button > Visual Effects tab and select the option adjust
for best performance.
- If you install the TNMS Netserver in a machine other than the Server, the TNMS
Server's IP address is requested during the installation.
- If you install the TNMS Netserver in the same machine as the Server, the TNMS
Server's IP address is requested only if the server has more than one IP address.

6.3 About the automatic priority updates installation


You can install priority updates (PU) either manually, anytime after installing TNMS, or
automatically, while installing TNMS. The automatic procedure includes several verifications that are useful and timesaving.
During the configuration of the installation the TNMS installer checks if:
- The PUs are valid.
A PU is considered valid if its file has the characteristics of a PU and if the PU is
being installed on the supported TNMS version.
- All dependencies between PUs are met.
- There are no duplicated PUs.

If one or more PUs fail to meet one or more of these conditions, warnings are displayed
to let you know which PUs fail to comply with which condition. Also, in the Pre-installation summary you can find the following two sections:
- Installation Check Warnings
In this section are listed all warnings displayed during the configuration steps. If any
warnings regarding PUs were displayed, you can find their content here. The PUs
listed in this section will not be installed.
- Priority Updates to Install
In this section are listed all PUs that comply with the conditions above and that will
be installed.

Refer to the preinstall_warnings.log, if you need this information later on.


The correct installation of the PUs is also verified during the TNMS installation. If any
PU was not correctly installed, an error message is displayed.
Any error or warning messages during the installation are also reported in the final installation step. For details on these errors and warnings refer to the
PU_InstallLog.log, where you can find the logs of the execution of all installed PUs.


7 Post-installation procedures

If you decide to harden the system, you must do it before starting TNMS in a production
environment. See 12 Security hardening for instructions.

7.1 Starting services
Services, such as TNMS Server, TNMS EmlMediator and TNMS Generic Mediator start
automatically with the machine.

7.2 Starting a Client session


A Client session is started by clicking either the shortcut icon on the desktop (if one was
created during installation) or the client icon in the installation folder.
Functions authorized by the current user's access rights can now be accessed. The user
defined below has full access rights:
- Default available user - Administrator
- Default user group - Administrators
- Default policy - Global
- Default domain - Global

7.3 Logging in
Once started, TNMS can be logged in to. Press the spacebar or click the icon to get the
login window. You must fill in the fields:

- Server name.
You can select a previously used value set from the menu. Alternatively, input server
data either in the <server IP address>:<port number> or <server name>:<port
number> formats. The default values are localhost:1100.
- User name.
Input a valid user name.
- Password.
Input the user's password.

If the Server is unavailable the following error message is displayed:
Server not reachable. Please check your network connectivity or if server is
running
In this situation check for one of the following scenarios:
- The server is not reachable.
- Network connectivity.
- The server may not be running.
- You are trying to connect to a standby server instead of the active server.

If you are logging in after an update rather than an installation from scratch, the users
and passwords remain unchanged from the previous version.

7.4 Default username and password


After the TNMS Server has been installed and started, the system can be immediately
operated using the default user and password. Both fields are case-sensitive.

User name: administrator

Password: e2e!Net4u#

For security reasons, the administrator is requested to change the password.

7.5 Changing the password


The first password change is performed in a popup window after the first login. Subsequent changes are performed in the Administration > User Management > User Modification window. You are asked to enter the new password twice for confirmation, to check
whether that user can't change the password or otherwise whether the user has to
change the password at next logon, and/or to define the password expiration deadline
between 3 and 90 days.
TNMS stores the password history in the OpenDS database.

If Single Sign-on is enabled later on, this menu item will no longer be displayed as no
password within TNMS will be required.
Password complexity rules
New passwords are validated by the system according to the rules below.
The new password must:
- Be at least 8 characters long
- Contain at least 2 alphabetic characters
- Contain at least 1 numeric character
- Contain at least 1 special character other than #, $, *, / and @
- Contain at most 3 consecutive digits or letters from the alphabet
- Differ from the old one by at least 3 characters. This is enforced only if the password
is changed through the Change Password window.

The new password must not:
- Be the same as the user id
- Contain the user id
- Contain a rotated version of the user id
- Match any of the previous.
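The rules above are what TNMS enforces; the following added example, which is not Coriant's own validator (that code is not published in the manual), implements the same list so an administrator can pre-check a candidate password or a bulk of provisioned passwords offline. Where the manual leaves a rule undefined, the interpretation used here is an assumption and is marked in the code: "consecutive digits or letters" is read as a sequential run such as abcd or 4321, "differ by 3 characters" as position-wise differences plus any length difference, and user-id comparisons are case-insensitive. The function returns every violated rule rather than only the first, which is what a user needs to fix a rejected password in one attempt.

```python
"""Validate a candidate TNMS password against the complexity rules of section 7.5.

Added example, not Coriant code. Interpretations of underspecified rules are
marked "assumption" in the comments.
"""
from typing import List, Optional, Sequence

EXCLUDED_SPECIALS = set("#$*/@")  # special characters that do not count for rule 4


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """Assumption: "at most 3 consecutive digits or letters" means no run of four
    characters that are all letters or all digits and step by exactly +1 or -1
    (abcd, DCBA, 1234, 4321); case is ignored for letters."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _char_difference(a: str, b: str) -> int:
    """Assumption: positions that differ, plus the length difference, count as changes."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def _rotations(s: str) -> List[str]:
    """All cyclic rotations of s, e.g. admin -> admin, dmina, minad, inadm, nadmi."""
    return [s[i:] + s[:i] for i in range(len(s))]


def validate_password(new: str, user_id: str, old: Optional[str] = None,
                      history: Sequence[str] = ()) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.
    `old` is only checked when given, mirroring the manual's note that the
    3-character difference is enforced only in the Change Password window."""
    problems: List[str] = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isalpha() for c in new) < 2:
        problems.append("fewer than 2 alphabetic characters")
    if not any(c.isdigit() for c in new):
        problems.append("no numeric character")
    if not any((not c.isalnum()) and c not in EXCLUDED_SPECIALS for c in new):
        problems.append("no special character other than # $ * / @")
    if _has_sequential_run(new):
        problems.append("more than 3 consecutive digits or letters")
    if old is not None and _char_difference(new, old) < 3:
        problems.append("differs from the old password by fewer than 3 characters")
    uid = user_id.lower()  # assumption: user-id rules are case-insensitive
    if new.lower() == uid:
        problems.append("same as the user id")
    elif uid in new.lower():
        problems.append("contains the user id")
    elif any(rot in new.lower() for rot in _rotations(uid)):
        problems.append("contains a rotated version of the user id")
    if new in history:
        problems.append("matches a previous password")
    return problems
```

The exclusion set deserves attention when scripting password provisioning: a password whose only special characters are #, $, *, / or @ (for instance one built from a "$" separator) fails rule 4 even though most other password policies would accept it.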

7.6 Terminating a Client session


A Client session terminates when you log off. All windows are closed and only the login
function is accessible.

7.7 Single Sign-on
By enabling Single Sign-on (SSO) the users can log in to TNMS using the operating
system credentials, without having to enter another username and password.
This configuration can be done at any point in time and is therefore described in the
TNMS User Manual.

7.8 Standby server
This configuration can be done at any point in time and is therefore described in TNMS
User Manual.

7.9 License keys
Logging in allows you to access elementary TNMS features such as viewing the network
map or activating NEs. However, full access to the whole TNMS, including the Managers
ASON, Ethernet and Optical, is granted through the acquisition and installation of proper
license keys.

Optical Manager licenses require a TNMS service restart after importing.
Refer to the User Manual for more information on how to manage licenses.

7.10 Internet Explorer configuration


To ensure the correct behavior of the context sensitive online help, configure Internet
Explorer as follows:
1. Within Internet Explorer go to Tools > Internet Options > Security.
2. Select the desired security level and then click Custom.
2.1 In the Scripting section, enable Active Scripting.
2.2 In the ActiveX controls and plug-ins section, enable Initialize and script ActiveX
controls not marked as safe for scripting.

7.11 Connection timeout configuration


In order to avoid possible timeouts in communications between the TNMS Client and
Server, such as in case of APS uploads, proceed as follows:
1. Edit the file
<TNMS installation folder>\jboss\server\bicnet\deploy\jboss-web.deployer\
server.xml
2. Search for the section that configures the connector of port 8080 and adjust the
timeout to a value adequate to your network conditions. The value is given in milliseconds: for example, to set the
timeout to 60 seconds you must enter the value 60000, as in the connectionTimeout attribute below:
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="60000" disableUploadTimeout="true" />
3. Restart the TNMS Server.
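The step above is a small edit but one with two easy mistakes: writing the value in seconds instead of milliseconds, and changing the wrong Connector when server.xml carries more than one (the file shown also references redirectPort 8443). The following added example, which is not Coriant tooling, selects the connector by its port attribute, converts seconds to milliseconds, and refuses to proceed if the port matches zero or several connectors. The embedded server.xml is a constructed minimum around the Connector element shown on the page; the real file is the one named in step 1.

```python
"""Set connectionTimeout on the JBoss HTTP connector of a given port in server.xml.

Added example, not Coriant tooling. SAMPLE_SERVER_XML is constructed around the
<Connector> element from the manual; the outer <Server>/<Service> elements and
the 8443 connector are placeholders, and the starting value of 20000 ms is
arbitrary.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}"
      maxThreads="250" maxHttpHeaderSize="8192"
      emptySessionPath="true" protocol="HTTP/1.1"
      enableLookups="false" redirectPort="8443" acceptCount="100"
      connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
"""


def get_connection_timeout_ms(xml_text: str, port: str = "8080") -> Optional[int]:
    """Current connectionTimeout (milliseconds) of the connector on `port`, or None
    if that connector has no such attribute or does not exist."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("port") == port:
            value = connector.get("connectionTimeout")
            return int(value) if value is not None else None
    return None


def set_connection_timeout(xml_text: str, seconds: int, port: str = "8080") -> str:
    """Return server.xml with connectionTimeout of the connector on `port` set to
    `seconds`, converted to the milliseconds the attribute expects. Exactly one
    connector must match the port; other connectors are left unchanged."""
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    root = ET.fromstring(xml_text)
    matches = [c for c in root.iter("Connector") if c.get("port") == port]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one Connector with port={port}, found {len(matches)}")
    matches[0].set("connectionTimeout", str(seconds * 1000))
    return ET.tostring(root, encoding="unicode")
```

ElementTree re-serialises the document, so comments and the original indentation of server.xml are not preserved; if that matters, diff the result against the original before writing it back, then restart the TNMS Server as step 3 says.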

7.12 Importing a public certificate from IOC Online Planning (IOC OP)
The communication between IOC OP and TNMS is SSL-encrypted. Such encryption is
in turn based on certificates.
If on IOC OP a keystore or certificate changes for any reason, a new key must be generated and then imported to avoid disabling communication.
The certificates shipped with Coriant products and solutions exist to allow a correct
installation and to leave the products ready to work.
Comply with all your organization's security rules and established practices before final
deployment.
To import a public certificate, proceed as follows:
1. Log in to IOC OP.
2. Get the IOC OP Server public certificate file tcserver.cer and copy it to the TNMS
   Server.
   For information on how to generate this file refer to the IOC OP Installation Manual
   for Solaris, section on generating IOC OP server keystore and public key pair.
3. Open a Windows Command Prompt window (through cmd.exe).
4. Change to the directory with the keytool command:
   cd <TNMS_InstallationDirectory>\jre\bin
5. Import tcserver.cer into the TNMS truststore. Issue:
   keytool -import -file tcserver.cer -alias tcserver -keystore <Coriant_TNMS_InstallationDirectory>/jboss/server/bicnet/conf/sslmq.keystore -storepass changeit
6. TNMS Server returns the certificate details and asks you to allow the import:
   Owner: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
   L=Lisboa, ST=Alfragide, C=PT
   Issuer: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
   L=Lisboa, ST=Alfragide, C=PT
   Serial number: 4ffd7431
   ...
   Trust this certificate? [no]: yes
7. A successful import returns:
   Certificate was added to keystore
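Step 6 above asks you to trust the certificate on sight. The following script, added here as an example and not part of the Coriant manual, checks the SHA-256 fingerprint of tcserver.cer against a value obtained out of band from the IOC OP administrator before running the keytool import non-interactively; the expected fingerprint, the installation directory and the use of keytool's -noprompt option are assumptions of this example.

```python
"""Verify the IOC OP public certificate before importing it into the TNMS truststore.

Added example, not part of the Coriant manual. It reuses the file, keystore and
alias names from the procedure above (tcserver.cer, sslmq.keystore, tcserver).
The expected fingerprint must come from the IOC OP administrator out of band;
the value in __main__ is a constructed placeholder.
"""
import base64
import hashlib
import subprocess
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def load_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding of a certificate given as DER or PEM bytes."""
    text = cert_bytes.decode("ascii", errors="ignore")
    if PEM_BEGIN in text:
        body = text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode("".join(body.split()))
    return cert_bytes


def sha256_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint in keytool's colon-separated upper-case format."""
    digest = hashlib.sha256(load_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(cert_bytes: bytes, expected: str) -> bool:
    """Compare fingerprints ignoring separators and case, so a value pasted from
    keytool, openssl or an e-mail compares equal."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(sha256_fingerprint(cert_bytes)) == norm(expected)


def build_import_command(cert_path, keystore_path, alias="tcserver",
                         storepass="changeit", keytool="keytool"):
    """The keytool call from step 5, with -noprompt because the trust decision
    has already been made by the fingerprint check."""
    return [keytool, "-import", "-noprompt", "-file", str(cert_path),
            "-alias", alias, "-keystore", str(keystore_path),
            "-storepass", storepass]


def import_if_verified(cert_path: Path, keystore_path: Path, expected: str,
                       keytool: str = "keytool") -> bool:
    """Import the certificate only if its fingerprint matches the expected one.
    Returns True when the import ran and keytool reported success."""
    data = cert_path.read_bytes()
    if not fingerprint_matches(data, expected):
        print("fingerprint mismatch, refusing to trust", cert_path)
        return False
    cmd = build_import_command(cert_path, keystore_path, keytool=keytool)
    result = subprocess.run(cmd, capture_output=True, text=True)
    print(result.stdout.strip() or result.stderr.strip())
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed placeholders: replace with the real installation directory and
    # the fingerprint received from the IOC OP administrator.
    install_dir = Path(r"C:\Program Files (x86)\Coriant\TNMS")
    expected_fingerprint = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" \
                           "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    import_if_verified(
        Path("tcserver.cer"),
        install_dir / "jboss" / "server" / "bicnet" / "conf" / "sslmq.keystore",
        expected_fingerprint,
        keytool=str(install_dir / "jre" / "bin" / "keytool.exe"),
    )
```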

8 Backup and restore


This chapter guides a TNMS administrator through the backup and restore procedures.
Backup and restore is a safeguard mechanism to back up the system and recover it in
case a problem occurs.

8.1 General description
You must back up information contained in the following two data repositories:
- Oracle server - DCN management and services information. This server includes
  the TNMS database.
- OpenDS server - User and security information.

The required information is backed up into three sets:
- Oracle database backups are used to recover the database from corruption events
  or unexpected integrity issues and bring it back to its last consistent state.
  These backups contain TNMS specific data plus other Oracle files required for
  database recovery.
  The Oracle database backups are stored in Oracle's Fast Recovery Area under the
  BACKUPSET directory.
  You must not use the BACKUPSET directory for any operations other than Oracle
  database backups.
  Full backups of the Oracle database are stored with a retention policy that allows for
  a redundancy of 2 backups. Therefore the BACKUPSET directory contains the last
  3 backups and older ones are automatically removed.
- TNMS database backup files are used to restore TNMS to a previous state in order
  to, for example, undo undesired user configurations or restore TNMS to a
  clean installation.
  TNMS database backup files cannot be used to directly recover from an Oracle
  database corruption event.
  TNMS database backup files are stored under a target directory (local or remote) of
  your creation or choice. Inside this directory, each backup operation creates a
  subdirectory named after the backup timestamp <yyyy_MM_dd_HH_mm_ss>, where
  the backup files are saved.
  When performing a database backup, ensure you have write permissions on the
  target directory.
- OpenDS database backup files are also stored under a target directory (local or
  remote) of your creation or choice. Inside this directory, each backup operation
  creates a subdirectory named after the backup timestamp
  <yyyy_MM_dd_HH_mm_ss>, where the backup files are saved.

You may choose to back up the TNMS and OpenDS databases simultaneously. In such
case, the timestamped subdirectory will contain both databases' backup files.

8.2 Overview of the Backup and Restore interfaces
The TNMS DB backup can be performed via console, in interactive (CLI) or non-interactive mode (friendly script), or via the TNMS Client (GUI). TNMS DB restore can only be performed via console (interactive or non-interactive mode).

8.2.1 Interactive mode
To access the interactive mode console, run backuprestore.bat with no arguments
from C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location), to open the
interactive menu as displayed in Figure 3.

Figure 3 Backup & Restore console

8.2.2 Non-interactive mode
The non-interactive mode allows you to embed the B&R feature into a scriptable
language in order to automate common and repetitive tasks.
To use the non-interactive mode, run the backuprestore.bat application from
C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location) using arguments
to specify the operation you intend to perform (Table 8).
You can enter backuprestore -h in the command line to see this list.
Table 8 List of the available arguments in non-interactive mode

Options            Description
-b, --backup       Performs a TNMS and/or an OpenDS database backup.
-r, --restore      Performs a TNMS and/or an OpenDS database restore.
-s, --schema       Performs the operation on the TNMS database.
-l, --ldap         Performs the operation on the LDAP (OpenDS) database.
-d, --directory    When saving or loading a backup, this option must be followed
                   by the path to the directory where the backup files will be
                   stored in or loaded from.
-u, --username     This option must be followed by the TNMS username.
-p, --password     This option must be followed by the password matching the
                   TNMS username.
-R, --recovery     Use this option to recover the Oracle database. Note that it
                   does not refer to the TNMS database.
-h, --help         This option displays the list of the available arguments.

8.3 Backup procedures through the command line


This chapter describes how to back up the system data using the command line. Before
proceeding, some general considerations and advice apply:
- Oracle and OpenDS servers must be running.
- You are advised to back up the files onto a safe repository.
- You are responsible for guaranteeing that the TNMS server backup data files are not
  corrupted or changed in any way, including the file name. Otherwise restoring the
  backup will not be possible.

8.3.1 Backing up the Oracle database


The backup of the Oracle database runs automatically and is scheduled inside Oracle
Scheduler to run daily at a predefined hour, which, by default, is 03:00 AM.
The logs of these operations are stored in the B&R application folder, in
C:\Program Files (x86)\Coriant\TNMS\backuprestore\RMAN_TNMS.log.
You can change the scheduled time using the B&R console schedule settings option.
No other parameter is changeable.

In case you reschedule the daily backup, set it to run outside high-load periods, so that
the application performance is not affected.
This operation performs a full backup of the entire Oracle database, including the
TNMS database backup files.
You should also consider scheduling an independent backup of the TNMS database
backup files, since Oracle backup files are kept for 3 days at most. Refer to chapter
8.3.5 Automating the Backup procedures for more information.
To change the scheduled backup time:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Run backuprestore.
4. Select option 4> Schedule settings on the console.
5. Provide the TNMS credentials (Figure 4).

Figure 4 Changing the Oracle database backup schedule settings

6. Provide the new time for the scheduled backup to run, in a 24-hour format (Figure 4).
7. Press Enter.

8.3.2 Backing up the TNMS database


To back up the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the TNMS database using either the interactive mode console (go to step
4.) or the non-interactive mode (go to step 5.).
4. Either back up the TNMS database using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option 1> Perform backup.
   4.3 Provide the TNMS credentials upon request (Figure 5).

   Figure 5 Backup submenu

   4.4 Select option 1> TNMS database from the submenu in Figure 5.
   4.5 Enter the directory of your choice (local or remote) where the backup files will be
       stored and press Enter.
5. Or run:
   backuprestore -b -s -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the TNMS database is saved within. The backup file is saved as <name of the
TNMS database>.DMP.

8.3.3 Backing up the LDAP (OpenDS)


To back up the LDAP (OpenDS):
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R installation folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the LDAP using either the interactive mode console (go to step 4.) or the
non-interactive mode (step 5.)
4. Either back up the LDAP using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option 1> Perform backup.
   4.3 Provide the TNMS credentials upon request (Figure 6).

   Figure 6 Backup submenu

   4.4 Select option 2> LDAP database from the submenu in Figure 6.
   4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run:
   backuprestore -b -l -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the LDAP database is saved within. The backup file is saved as userRoot.ldif.

8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously


To back up the TNMS database and the LDAP (OpenDS) simultaneously:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the TNMS and the LDAP databases using either the interactive mode
console (go to step 4.) or the non-interactive mode (step 5.).
4. Either back up the TNMS database and the LDAP using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option 1> Perform backup.
   4.3 Provide the TNMS credentials upon request (Figure 7).

   Figure 7 Backup submenu

   4.4 Select option 3> Both TNMS and LDAP databases from the submenu in Figure 7.
   4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run:
   backuprestore -b -a -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
files of the TNMS and LDAP databases are saved within. The backup files are saved
respectively as <name of the TNMS database>.DMP and userRoot.ldif.

8.3.5 Automating the Backup procedures


It is recommended to back up the TNMS database at least weekly. You can create
command scripts for the backup and restore procedures and configure the operating
system scheduler to run them at scheduled times.

It is recommended to automate the backup using TNMS instead of a command script
(see 8.4 Backup procedures through the TNMS client). The script contains sensitive
data, such as usernames or passwords, that require access control. By using TNMS you
overcome such security issues.
Ensure the correct access rights, according to your security policy, to any command
script containing sensitive data, such as usernames or passwords.
For example, you can create a weekly schedule with the following command:
SCHTASKS.EXE /CREATE /SC WEEKLY /TN "<SCHEDULE_NAME>" /ST <SCHEDULE_TIME> /TR "<COMMAND>" /RU "SYSTEM"
Where:
- <SCHEDULE_NAME> is the name of the schedule.
- <SCHEDULE_TIME> is the time at which the command will be run (for example,
  02:50:00).
- <COMMAND> is the command to be run.

You can also use SCHTASKS.EXE to inspect the schedule details or delete schedules.
To list schedule details run:
SCHTASKS.EXE /TN "<SCHEDULE_NAME>"
And to delete a schedule run:
SCHTASKS.EXE /DELETE /TN "<SCHEDULE_NAME>"

You must create a user in TNMS dedicated to scheduled backups and do not allow it to
expire. Create the user via User Administration and select the option User cannot
change password. When setting the backup commands to be run by the schedules, use
this user.
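The <COMMAND> a scheduled task would run, added here as an example and not part of the Coriant manual: it calls backuprestore.bat non-interactively as in 8.3.4, reads the dedicated backup user's password from a file instead of embedding it in the schedule's command line (the file path and its restricted ACL are assumptions of this example), checks that the new timestamped subdirectory holds both backup files, and prunes older timestamped backups beyond a retention count.

```python
"""Scheduled TNMS and OpenDS backup wrapper with retention of timestamped backups.

Added example, not Coriant code. It relies on the non-interactive arguments and
the <yyyy_MM_dd_HH_mm_ss> subdirectory naming described in this manual. The
password file is an assumption of this example: it must be readable only by
the account the scheduled task runs under.
"""
import re
import shutil
import subprocess
from datetime import datetime
from pathlib import Path

BACKUP_DIR_RE = re.compile(r"^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}$")
LDAP_BACKUP_FILE = "userRoot.ldif"
BR_DIR = Path(r"C:\Program Files (x86)\Coriant\TNMS\backuprestore")


def parse_backup_timestamp(name: str):
    """Return the datetime encoded in a backup subdirectory name, or None."""
    if not BACKUP_DIR_RE.match(name):
        return None
    try:
        return datetime.strptime(name, "%Y_%m_%d_%H_%M_%S")
    except ValueError:  # e.g. month 13: not a backup directory
        return None


def select_dirs_to_prune(names, keep: int):
    """Timestamped backup subdirectories to delete so that only the `keep`
    most recent remain. Names that are not backup timestamps are never chosen."""
    dated = sorted((ts, n) for n in names
                   if (ts := parse_backup_timestamp(n)) is not None)
    return [n for _, n in dated[:max(0, len(dated) - keep)]]


def backup_is_complete(filenames, want_tnms=True, want_ldap=True) -> bool:
    """A combined backup must contain <TNMS database>.DMP and userRoot.ldif."""
    names = set(filenames)
    has_dmp = any(n.upper().endswith(".DMP") for n in names)
    has_ldif = LDAP_BACKUP_FILE in names
    return (has_dmp or not want_tnms) and (has_ldif or not want_ldap)


def build_backup_command(target, username: str, password: str):
    """Non-interactive call from section 8.3.4 (both databases)."""
    return [str(BR_DIR / "backuprestore.bat"), "-b", "-a", "-d", str(target),
            "-u", username, "-p", password]


def read_secret(path: Path) -> str:
    """Password of the dedicated backup user, from a file with a restricted ACL."""
    return path.read_text(encoding="utf-8").strip()


def run_scheduled_backup(target: Path, username: str, secret_file: Path,
                         keep: int = 4) -> bool:
    """Run the backup, verify the new timestamped subdirectory, prune old ones."""
    if not target.is_dir():
        raise RuntimeError(f"backup directory {target} does not exist")
    before = {p.name for p in target.iterdir() if p.is_dir()}
    cmd = build_backup_command(target, username, read_secret(secret_file))
    result = subprocess.run(cmd, capture_output=True, text=True)
    new_dirs = [p for p in target.iterdir() if p.is_dir()
                and p.name not in before and parse_backup_timestamp(p.name)]
    ok = (result.returncode == 0 and len(new_dirs) == 1
          and backup_is_complete(q.name for q in new_dirs[0].iterdir()))
    if not ok:
        print("backup failed:", result.stdout, result.stderr)
        return False
    current = [p.name for p in target.iterdir() if p.is_dir()]
    for name in select_dirs_to_prune(current, keep):
        shutil.rmtree(target / name)
    return True


if __name__ == "__main__":
    # Constructed values; register this script with SCHTASKS.EXE as in the
    # manual, running under the dedicated backup user.
    ok = run_scheduled_backup(Path(r"\\backup-host\tnms_backups"),
                              "tnmsbackup", Path(r"C:\tnms_secret\backup.pwd"))
    raise SystemExit(0 if ok else 1)
```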

8.4 Backup procedures through the TNMS client


The Backup feature is also embedded in the TNMS client. It allows you to run a manual
backup of the TNMS database (TNMS data) and/or LDAP (TNMS users), or to schedule
a backup.
The Backup window (Figure 8) allows you to see information about the backup status,
and choose to run a manual backup or schedule a backup. This window is for information purposes only.

Figure 8 Backup window

To run a manual backup of the TNMS database:
1. In the TNMS main window, click the Administration > System > Backup menu
   item.
   The Backup window opens.
2. Click the Manual button.
   This opens the Manual Backup window.
3. Select the Path to save the backup file.
   About the upload folder:
   - The backup path must already exist beforehand on the server side, otherwise the
     task fails and you receive the following error message in a notification popup, in
     the bottom right corner: Backup operation failed.
   - The TNMS server machine must have read and write permissions on the shared
     folder, for everyone within the domain, so that no credentials are requested to
     read it. However, for accesses from outside the domain, the credentials will still
     be requested.
   - If you use a remote drive, you have to specify the full network drive path, since
     TNMS is not able to reach the mapped drive through the letter assigned by
     Windows.
   Example:
   Local drive - C:\<BackupFolder>
   Remote drive - \\<IP address>\<BackupFolder>
4. Select whether to export the TNMS Data, the TNMS Users, or both.
5. Click Start to run the backup.
   The backup task starts.

When there is a backup running through the command line, it is not possible to run a
manual backup through the TNMS Client. The opposite is also not possible.

To schedule a backup of the TNMS database:
1. In the TNMS main window, click the Administration > System > Backup... menu
   item.
   The Backup window opens.
2. Click the Schedule button.
   This opens the Schedule Backup window.
3. Check the Activate checkbox.
4. Under Backup Options, select the Start date.
5. Under Recurrence pattern, select the recurrence of the scheduling:
   - Periodic: allows you to define the recurring time and the backup period in days and
     hours. It also allows you to define the end date.
   - Weekly: allows you to define the recurring time and the week days.
   - Monthly: allows you to define the recurring time and the days of the month.
   At least one of these fields needs to be selected.
6. Select the Path where to save the backup file.
   The TNMS server machine must have read and write permissions on the shared folder.
   If you use a remote drive, you have to specify the full network drive path, since
   TNMS is not able to reach the mapped drive through the letter assigned by Windows
   only.
   Example:
   Local drive - C:\backup
   Remote drive - \\<IP address>\backup
7. Click OK.
   This schedules the backup.

When a scheduled backup is run, both the TNMS database and LDAP are backed up.

8.5 Recovery & Restore procedures


This chapter describes how to recover or restore the previously backed up system data.
The restore application is run only through the command line.

8.5.1 Recovering the Oracle database


A database recovery is not the same as a TNMS database restore and should only
be performed in case of Oracle database corruption. Recovering the Oracle
database will restore the TNMS database. However, restoring the TNMS database
alone will not recover the Oracle database.
The database recovery automatically stops and restarts the "TNMS Server" service.
To recover the Oracle database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Use either the non-interactive mode or the interactive console:
   - Non-interactive mode: run backuprestore -R (or backuprestore --recovery).
   - Interactive console: run backuprestore and select option 3> Perform database
     recovery.
An Oracle database recovery is made using the last consistent backup found in the Fast
Recovery Area of Oracle.

After the Oracle database recovery, a TNMS database restore is not necessary since
the Oracle database backups also contain the TNMS specific data.

8.5.2 Restoring the TNMS database


During this procedure the "TNMS Server" service is automatically stopped and
restarted.
To restore the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Restore the TNMS database using either the interactive mode console (go to step
4.) or the non-interactive mode (step 5.)
4. Either restore the TNMS database using the interactive mode console:
   4.1 Run backuprestore.
   4.2 Select option 2> Perform restore.
   4.3 Provide the TNMS credentials upon request.
   4.4 Select option 1> TNMS database from the submenu (Figure 9).

   Figure 9 Restore submenu

   4.5 Enter the directory where to load the backup file <name of the TNMS database>.DMP
       from and press Enter.
5. Or run:
   backuprestore -r -s -d <directory>
The "TNMS Server" service is automatically restarted when the restore procedure is
complete.

8.5.3 Restoring the LDAP (OpenDS)


To restore the LDAP:
1. Make sure the "OpenDS" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
4. Restore the LDAP database using either the interactive mode console (go to step
5.) or the non-interactive mode (step 6.)
5. Either restore the LDAP database using the interactive mode console:
   5.1 Run backuprestore.
   5.2 Select option 2> Perform restore.
   5.3 Provide the TNMS credentials upon request.
   5.4 Select option 2> LDAP database from the submenu (Figure 10).

   Figure 10 Restore submenu

   5.5 Enter the directory where to load the backup file (userRoot.ldif) from and press
       Enter.
6. Or run:
   backuprestore -r -l -d <directory>
Both the "TNMS Server" and the OpenDS services are automatically restarted after the
restore procedure is complete.

8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously


To restore the TNMS database and the LDAP:
1. Make sure the "TNMS Server" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
4. Restore the TNMS and the LDAP databases using either the interactive mode
console (go to step 5.) or the non-interactive mode (step 6.)
5. Either restore the TNMS and the LDAP databases using the interactive mode console:
   5.1 Run backuprestore.
   5.2 Select option 2> Perform restore.
   5.3 Provide the TNMS credentials upon request.
   5.4 Select option 3> Both TNMS and LDAP databases from the submenu (Figure 11).

   Figure 11 Restore submenu

   5.5 Enter the directory where to load the backup files (<name of the TNMS
       database>.DMP and userRoot.ldif) from and press Enter.
6. Or run:
   backuprestore -r -a -d <directory>
The TNMS Server service will be stopped before the restore procedure and both the
TNMS Server and the OpenDS services will be restarted after the restore procedure.

9 Upgrade to TNMS 14.1 10


To transfer your data to TNMS 14.1 10 refer to the TNMS Upgrade Manual (Windows),
where you can find the full description of the upgrade procedure.

10 TNMS and TNMS Core working together


TNMS and TNMS Core can be used in the same environment, with a common set of
hardware resources.

10.1 Configuring common hardware


TNMS and TNMS Core can be used in the same environment while sharing a common
set of hardware resources. However, there are constraints on how to set up such an
environment:
- It is possible to install TNMS Client and TNMS Core Client / System Administration
  either on the same machine or on separate machines. However, they must share a
  machine if you want both client applications integrated with a GUI cut-through.
- It is possible to install TNMS Netserver and TNMS Core Netserver on the same
  machine, but, if you use the UDP protocol to connect the DCN to any NE, you must
  follow the procedure described under 10.1.1 Configuring a Common Netserver.
- It is possible to install TNMS Standby Server and TNMS Core Standby Server on the
  same machine. In this scenario, you must follow the procedure described under
  10.1.3 Configuring a Common standby server.

Below are examples of possible setups:

Example 1: Large system
The applications are mostly distributed on different machines.

Figure 12 Distributed TNMS applications (large system)

Example 2: Medium system
To reduce the number of machines in medium networks, components can run in parallel
on the same machine. The example in Figure 13 shows that the netservers run on the
same machines as the corresponding servers.

Figure 13 Distributed TNMS applications (medium system)

Example 3: Common Netserver
TNMS and TNMS Core share a common Netserver machine.

Figure 14 Common Netserver

Example 4: Common Standby server
TNMS and TNMS Core share a common Standby server machine.

Figure 15 Common Standby Server

10.1.1 Configuring a Common Netserver


A common Netserver is a machine where both the TNMS Core Netserver and the TNMS
Netserver are installed.
The hardware requirements for a Common Netserver are described in
Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy
hardware.
There is no specific configuration in a common Netserver, except if you use the
UDP protocol to connect the DCN to a (supported) NE. In such hybrid scenarios a
special configuration of the Netserver machine is required in order to allow multiple
connections without traffic interference. You should also consider a specific configuration
of the DCN while using TNMS and TNMS Core clients. So, in this particular case, you must
perform configurations in:
- The operating system
- TNMS
- TNMS Core
You must complete all of the following three sets of instructions for the configuration to
be complete.

This configuration can be done any time after installation. However, the configuration
must be done prior to connecting TNMS Core and TNMS to the same network element via
UDP, otherwise you will get an inconsistent network state representation.

Using both UDP and TCP protocols to connect to the same NE is not allowed and will
result in an inconsistent network state representation.
To configure the operating system in the Netserver machine, proceed as follows:
1. Go to Start > Control Panel.
2. Select Network and Sharing Center.
3. Change Adapter Settings.
4. In Network Connection select the Use connection.
5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
   Make sure the IP is statically defined and not assigned by a DHCP server. Note down
   the defined Primary IP, as it will be necessary at a later stage.
6. Choose the Advanced tab.
7. In the IP Settings tab add the Secondary IP to be used in the common server.
   Note down the Secondary IP address, as it will be necessary later on.
8. Restart the Netserver.

TNMS Core and TNMS must use different IPs to communicate with each NE via
UDP protocol. If you configure the Primary IP in TNMS you must configure the Secondary IP in TNMS Core and vice versa. Those IPs are configured in the Bind IP Address
field.
In TNMS proceed as follows:
1. Go to the DCN Management window.
2. Create a new SNMP channel.
3. In the General tab:
   3.1 If you want to use the Primary IP leave the Automatic IP Address checked. In
       the field IP Address enter the Primary IP.
   3.2 If you wish to use the Secondary IP:
       - Uncheck the Automatic IP Address.
       - In the field IP Address enter the Primary IP.
       - In the field Bind IP Address enter the Secondary IP.
       The connection to the NetServer is performed using the Primary IP and the
       connection to the NEs will be established using the Secondary IP.

   Remember you must use different IPs in TNMS and in TNMS Core. If you use the
   Primary IP in TNMS you must use the Secondary IP in TNMS Core and vice versa.
4. Click OK and activate the channel.
In TNMS Core proceed as follows:
1. In System Administration go to DCN.
2. In DCN Connections add a Netserver.
3. Choose the Netserver you created and add a new SNMP channel.
4. In the Channel Properties tab, in the UDP Connection Settings group:
   4.1 If you want to use the Primary IP leave the Automatic IP Address checked. In
       the field IP Address enter the Primary IP.
   4.2 If you wish to use the Secondary IP:
       - Uncheck the Automatic IP Address.
       - In the field IP Address enter the Primary IP.
       - In the field Bind IP Address enter the Secondary IP.
       The connection to the NetServer is performed using the Primary IP and the
       connection to the NEs will be established using the Secondary IP.
   Remember you must use different IPs in TNMS and in TNMS Core. If you used the
   Primary IP in TNMS you must use the Secondary IP in TNMS Core and vice versa.
5. Click OK and activate the channel.

10.1.2 Configuring a Common Client


A common Client is a machine where both the TNMS Core Client / System Administration and the TNMS Client are installed.
The supported configurations for this scenario are all configurations of TNMS Core and
all the Legacy configurations of TNMS.
The hardware requirements for a Common Client are similar to those of a regular Client
(Table 3).

10.1.3 Configuring a Common standby server


The Common standby server allows you to have both TNMS and TNMS Core Standby
Servers running in the same machine.
In case of failure of one of the TNMS or TNMS Core active servers (connection loss due
to network failure or hardware failure of the server), it is possible to activate and use
the corresponding TNMS or TNMS Core standby server until the problem is fixed.
No special installation procedures are necessary for the Common Standby servers. The
setup of this machine is done by installing first the TNMS Core, followed by TNMS
according to the corresponding Installation Manuals.
Later, a special configuration of the Netserver machine may be performed in order to
allow multiple connections. This configuration is similar to the Common Netserver.
For the standby server configuration procedures, refer to the TNMS Core Installation
manual (IMN) or the TNMS User Manual.

10.2 Importing data from TNMS Core


It is possible to import several types of data from TNMS Core. This feature can, for
example, speed up the setup of your TNMS. You can import DCN configurations,
physical trails, paths, subscribers and services involving hiT 7300 and FSP3000 R7
NEs.

You can also synchronize the DCN between TNMS Core and TNMS, in shared network
management scenarios. You can schedule a periodical import from TNMS Core that
updates the DCN configuration in TNMS, avoiding the repetition of manual changes.
Check the TNMS User Manual for detailed instructions on how to configure and use the
import from TNMS Core feature.

10.3 Important note
When an NE is simultaneously managed by TNMS and TNMS Core, the configuration
of the respective properties in the DCN Management window must be the same.

11 TNMS uninstallation
Before uninstalling TNMS, in case you have a standby server assigned, you must
first unassign it by proceeding as follows on the active server:
1. Select Administration > System > Standby Server Configuration and fill in the
available fields. The address of the current standby server is filled in automatically.
2. Verify your input and click Unassign to start the procedure.
The progress and result can be followed in the configuration steps, along with the
elapsed time.
3. When the unassignment finishes, a notification pops up in the lower right corner with
the status of the operation, either success or error.
Alternatively, it is possible to check in System Event Log that the procedure has
ended successfully.
If any error occurs, the logs can be checked in
/tmp_home/[timestamp]/result.log.
In the standby server, perform the following steps:
1. Go to the installation folder and, in \bin\scripts, run as Administrator
standby-server.bat.
2. In the interactive menu select 3. Unconfigure StandBy.
To uninstall TNMS, do as follows:
1. Go to Start > Control Panel > Programs and Features.
2. In the list, right-click TNMS and select Uninstall.
3. Restart the machine once the uninstallation finishes.

When the application is uninstalled, the users and groups are kept on the system; they
are not deleted.

12 Security hardening
This chapter describes the existing TNMS security hardening measures.
Note that TNMS already applies security hardening during installation. This means that,
for example, security settings are defined so that no unnecessary permissions are
granted. The remaining items are, in a default installation, hardened to an acceptable
level. However, it is possible to improve on that level, as described in the following
sections.

12.1 Physical and hardware hardening


Any effort in securing a system is useless if possible attackers can have physical access
to a TNMS machine. It is very easy to disable security mechanisms or compromise the
system if there is easy physical access to a machine. For these reasons the following
measures should be taken:
- The TNMS server machine should be located in a room where only the system
  administrators have access.
- A physical access control should be put in place, including, for example, electronic
  door locks.
- Any non-required I/O interfaces, such as USB interfaces or DVD drives, should be
  removed or, at least, disabled.
- Any type of communication interfaces not required for the operation of TNMS should
  be removed or, at least, disabled. This is especially important for wireless interfaces
  such as Bluetooth or WLAN adapters.
- All hardware should be securely installed so that it cannot easily be moved.
- The facilities where the hardware is located should have sufficient heat dissipation
  and, if needed, the server room should be air-conditioned.
- Additional security measures like video surveillance of server rooms are recommended.
- The BIOS of the machines used for TNMS should be protected by password, to
  prevent unauthorized modification of the machine's BIOS configuration.

12.2 Operating System hardening

12.2.1 Microsoft Windows security patches
Coriant recommends that you install the Microsoft Windows security patches listed in
the Customer Release Notes on all the machines running TNMS.

12.2.2 Disable and delete unnecessary accounts

Unnecessary accounts should not exist, as the machine should be used exclusively by the TNMS server. Nevertheless, it should be verified before TNMS is installed that no additional unnecessary users exist.
TNMS only requires the existence of the following users:
• Administrator
• sshd
• SvcCOPSSH


All other users should be disabled. For example, during the Windows Server 2008 installation, the Administrator, Guest and Help Assistant accounts are created by default.
Both Guest and Help Assistant accounts should be disabled at all times.
To disable an account, do as follows:
1. Go to Start > All Programs > Administrative Tools > Server Manager > Configuration > Local Users and Groups > Users.
2. Right-click on the user name (for example Guest or Help Assistant) and select Properties.
3. Click on Disable Account.
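The check above can be scripted so that it is repeatable after each maintenance window. The following PowerShell script is an added example and is not part of the Coriant manual: it lists every enabled local account that is not one of the three users named in this section and, only when -Enforce is given, disables it. The required-account list is taken from this section; extend it if your site keeps an additional break-glass administrator.

```powershell
# Added example (not from the Coriant manual): report local accounts that are enabled
# but not required by TNMS (section 12.2.2) and optionally disable them. WMI is used
# so the script also runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Accounts that TNMS needs (section 12.2.2). Add a site-specific break-glass
# administrator here if one exists; every other enabled local account is flagged.
$RequiredAccounts = @('Administrator', 'sshd', 'SvcCOPSSH')

function Get-UnexpectedLocalAccounts {
    param([string[]]$Required = $RequiredAccounts)
    # LocalAccount=True leaves out domain accounts cached on a domain-joined host.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
        Where-Object { $Required -notcontains $_.Name } |
        Select-Object Name, Disabled, Lockout, PasswordRequired
}

$unexpected = @(Get-UnexpectedLocalAccounts)
if ($unexpected.Count -eq 0) {
    Write-Host "No local accounts beyond those required by TNMS were found."
    return
}

foreach ($acct in $unexpected) {
    if ($acct.Disabled) {
        Write-Host ("OK       {0} is already disabled" -f $acct.Name)
        continue
    }
    if ($Enforce) {
        # "net user <name> /active:no" is the command-line equivalent of
        # "Disable Account" in the Local Users and Groups console.
        & net user $acct.Name /active:no | Out-Null
        Write-Host ("DISABLED {0}" -f $acct.Name)
    } else {
        Write-Host ("REVIEW   {0} is enabled but not required by TNMS" -f $acct.Name)
    }
}
```

Run it without -Enforce first and compare the REVIEW lines against the list of users you expect; the Guest and Help Assistant accounts mentioned above show up here if they are still enabled.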

12.2.3 Uninstall unnecessary applications and roles

TNMS only requires the following roles:
• Web Server (IIS), with the role services:
  – Security
  – FTP Server (optional: only if legacy NEs, which only support FTP, are to be managed by TNMS)
  – Application Development
  – .NET Extensibility
All other roles should be uninstalled.

To uninstall an unnecessary role:
Go to Start > All Programs > Administrative Tools > Server Manager > Roles and click Remove Roles.

To uninstall an unnecessary application:
Go to Start > Control Panel > Programs and Features, select the application and click Uninstall.

12.2.4 Configure Auditing

To automatically configure the audit policies, run the following command, located in the TNMS software:
TNMS_Prerequisites\Audit Policies\AuditPolicies.bat

You can check the configured audit policies by running in the command line:
auditpol /get /category:*

12.2.5 Disable unnecessary shares

System and security administrators should disable all unnecessary shares, configure the necessary ones and harden all NTFS and share permissions.
To disable shares, do as follows:
1. Get a list of all the shares on the server by running the following command:
#> net share
2. Disable all shares that are not in use. See Table 9 Windows default shares for guidance on which default shares you should disable.


Via the command line:
#> net share <sharename> /delete
Via the graphical user interface:
1. Go to Start > Control Panel > Administrative Tools > Computer Management > System Tools > Shared Folders > Shares.
2. Select the share and choose "Stop sharing".

Share        | Description                                                   | Recommended hardening measure
DriveLetter$ | -                                                             | Disable.
ADMIN$       | Only needed in case of remote administration of the machine.  | Should not be disabled.
IPC$         | Needed by Windows.                                            | Must not be disabled.
NETLOGON     | Used by domain controller.                                    | Should not be disabled.
SYSVOL       | Used by domain controller.                                    | Should not be disabled.
Print$       | Only needed in case of remote administration of printers.     | Disable manually, if it exists.
FAX$         | Only needed in case of remote administration of fax clients.  | Disable manually, if it exists.
Table 9 Windows default shares
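Table 9 can be applied mechanically to the shares that are actually present on a host. The PowerShell script below is an added example, not part of the Coriant manual: it classifies each share reported by WMI according to the table (anything not in the table is marked for review), and with -Enforce removes the ones classified "Disable" with the same net share command as above.

```powershell
# Added example (not from the Coriant manual): apply the Table 9 guidance to the
# shares that exist on this host. Without -Enforce the script only reports; with
# -Enforce it removes the shares classified "Disable", as "net share <sharename>
# /delete" in section 12.2.5 does.
param([switch]$Enforce)

function Get-ShareRecommendation {
    # Maps a share name to the Table 9 measure. A name not listed in Table 9 is not a
    # Windows default, so it is returned as "Review" and needs an explicit justification.
    param([string]$Name)
    switch -Regex ($Name) {
        '^[A-Za-z]\$$'        { return 'Disable' }   # DriveLetter$ (C$, D$, ...)
        '^(ADMIN\$|IPC\$)$'   { return 'Keep' }      # remote administration / needed by Windows
        '^(NETLOGON|SYSVOL)$' { return 'Keep' }      # used by a domain controller
        '^(PRINT\$|FAX\$)$'   { return 'Disable' }   # disable manually if present
        default               { return 'Review' }
    }
}

function Get-ShareReport {
    # Win32_Share lists the same entries as "net share"; Path is empty for IPC$.
    Get-WmiObject -Class Win32_Share | ForEach-Object {
        New-Object PSObject -Property @{
            Name   = $_.Name
            Path   = $_.Path
            Action = Get-ShareRecommendation -Name $_.Name
        }
    }
}

$report = @(Get-ShareReport)
$report | Format-Table Name, Path, Action -AutoSize

if ($Enforce) {
    foreach ($share in ($report | Where-Object { $_.Action -eq 'Disable' })) {
        & net share $share.Name /delete | Out-Null
        Write-Host ("removed share {0}" -f $share.Name)
    }
    # Windows recreates the administrative drive shares (C$, D$, ...) the next time
    # the Server service starts unless the REG_DWORD value AutoShareServer under
    # HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0.
}
```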

12.2.6 Disable Remote Registry


The Remote Registry service allows registry access to authenticated remote users. Even though this service is blocked by the firewall and ACLs, if you have no reason to allow remote registry access, Remote Registry should be disabled.
To disable the remote registry:
1. Go to Start > All Programs > Accessories > Run, enter regedit and press Enter.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
3. Right-click winreg and select Permissions.
4. Select the appropriate users/groups and the appropriate permissions.
5. Click OK and close the window.

12.2.7 Windows Error Reporting

Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. WER should be enabled.
In Windows 7 the Windows Error Reporting is enabled by default. However, in Windows Server 2008 you should enable WER.
To enable WER:
1. Go to Start > All Programs > Administrative Tools > Server Manager and expand Resources and Support.
2. Click on Configure Windows Error Reporting.
3. On the Windows Error Reporting Configuration dialog box, select one of the following options:
   • Yes, automatically send detailed reports - personal data may be sent to Microsoft.
   • Yes, automatically send summary reports - only non-personal data is sent to Microsoft.
4. Click OK.

12.2.8 Additional Software

The TNMS server machine should be dedicated to running the TNMS Server only. No additional software should be installed beyond the TNMS application and its prerequisites listed below:
• Acrobat Reader
• CopSSH
• ICW Base
• ICW COPSSHCP
• ICW OpenSSHServer
• J2SE Runtime Environment
• Java (TM)
• Microsoft Visual C++ Redistributable (several packages)
• OSI Stack
• TNMS
• Virus Scanner (for example, TrendMicro OfficeScan Client)

12.2.9 Digitally signed communications (Local Security Policy)


It is possible to digitally sign all Microsoft network server communications. By default this
security feature is not switched on. To enable this feature, do as follows:
1. Go to Start > Control Panel > Administrative Tools and double-click Local
Security Policy.
2. Click to expand Local Policies and select Security Options.
3. From the list, right-click Microsoft network server: Digitally sign communications (always) and select Properties.
4. Select Enable and click OK to apply the changes.
5. Repeat step 3. and step 4. for the policy Microsoft network server: Digitally sign
communications (if client agrees).
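Both policies are backed by registry values of the Server (LanmanServer) service, which makes them easy to verify on many machines without opening the console. The following PowerShell script is an added example, not part of the Coriant manual: it reads the two values, reports whether each policy is enabled, and with -Apply sets the ones that are not.

```powershell
# Added example (not from the Coriant manual): verify, and with -Apply enable, the two
# "Microsoft network server: Digitally sign communications" policies of section 12.2.9
# through the registry values behind them instead of the Local Security Policy console.
param([switch]$Apply)

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Policy name as shown in the console  ->  backing registry value (REG_DWORD, 1 = Enabled)
$SigningPolicies = @{
    'Digitally sign communications (always)'           = 'RequireSecuritySignature'
    'Digitally sign communications (if client agrees)' = 'EnableSecuritySignature'
}

function Get-SmbServerSigningState {
    # One object per policy with the current data and whether it equals 1.
    $props = Get-ItemProperty -Path $LanmanServer
    foreach ($policy in $SigningPolicies.Keys) {
        $valueName = $SigningPolicies[$policy]
        $current = $props.$valueName        # $null when the value has never been written
        New-Object PSObject -Property @{
            Policy  = "Microsoft network server: $policy"
            Value   = $valueName
            Current = $current
            Enabled = ($current -eq 1)
        }
    }
}

$state = @(Get-SmbServerSigningState)
$state | Format-Table Policy, Value, Current, Enabled -AutoSize

if ($Apply) {
    foreach ($s in ($state | Where-Object { -not $_.Enabled })) {
        # Writes the same REG_DWORD 1 that the console writes for "Enabled".
        Set-ItemProperty -Path $LanmanServer -Name $s.Value -Value 1 -Type DWord
        Write-Host "enabled: $($s.Policy)"
    }
    # The Server service reads these values when it starts: restart it (or reboot)
    # for the change to take effect on new SMB sessions.
}
```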

12.2.10 Minimize system services

TNMS enables all services it requires for its proper operation, so any other active default service should be disabled. If required, Remote Access can be kept open for remote configuration of the system, such as in the case of a headless server (see 12.2.11 Remote Access/Remote Desktop).
The following services must be disabled as they are not needed by TNMS. Some of them must be considered inherently insecure:

FTP shall only be explicitly enabled when legacy NEs are used which only support FTP and not SFTP/SCP or FTPS.

• ActiveX Installer (AxInstSV)
• Application Layer Gateway
• Application Management
• ASP.NET State
• BitLocker Drive Encryption Service
• Block Level Backup Engine Service
• DHCP Server/Client
• Bluetooth
• Bluetooth Support Service
• BranchCache
• Certificate Propagation
• Credential Manager
• Disk Defragmenter
• Distributed Link Tracking Client
• Encrypting File System
• Enterprise Connect WebDAV
• Fax
• Function Discovery Provider Host
• Function Discovery Resource Publication
• Health Key and Certificate Management
• HomeGroup Listener
• HomeGroup Provider
• IKE and AuthIP IPsec Keying Modules
• Any type of wireless LAN adapters
• Any type of Bluetooth adapter
• Interactive Services Detection
• Internet Connection Sharing
• KtmRm for Distributed Transaction Coordinator
• Link-Layer Topology Discovery Manager
• Microsoft Office Diagnostics
• Microsoft FTP Service (*)
• Microsoft Software Shadow Copy Provider
• Net.Msmq Listener Adapter
• Net.Pipe Listener Adapter
• Net.TCP Listener Adapter
• Network Location Awareness
• Office Source Engine
• Parental Controls
• Peer Name Resolution Protocol
• Peer Networking Grouping/Identity Manager
• Performance Counter DLL Host / Logs / Alerts
• Problem Report and Solution Support
• Program Compatibility Assistant
• Remote Access (**)
• Remote Desktop (**)
• Routing and Remote Access
• Secondary Logon
• Secure Socket Tunneling Protocol Service
• Smart Card
• SNMP Trap
• Software Protection
• SPP Notification Service
• SSDP Discovery
• Storage Service
• Tablet PC Input Service
• Telephony
• Thread Ordering Server
• TPM Base Services
• UPnP Device Host
• Virtual Disk
• Volume Shadow Copy
• WebClient
• Windows Backup
• Windows Biometric Service
• Windows CardSpace
• Windows Connect Now - Config Registrar
• Windows Media Player Network Sharing Service
• Windows Remote Management (**)
• Windows Search
• WinHTTP Web Proxy Auto-Discovery Service
• Wired AutoConfig
• WLAN AutoConfig
• WWAN AutoConfig

* FTP is only needed if TNMS manages legacy NEs which support FTP but do not support any secure protocol.
** Disable only if no remote server administration is to be permitted.
Windows services can be disabled via Start > Administrative Tools > Services.
If a service is changed to "Disabled" via the context menu, it is no longer running and will no longer be started automatically during OS startup.
TNMS Server uses the following services:


• Application Host Helper Service
• Certificate Propagation
• COM+ Event System
• COM+ System Application
• Cryptographic Services
• DCOM Server Process Launcher
• Desktop Window Manager Session Manager
• Diagnostic Policy Service
• Distributed Transaction Coordinator
• DNS Client
• IIS Admin Service
• IP Helper
• IPsec Policy Agent
• Microsoft FTP Service
• Net.Pipe Listener Adapter
• Net.Tcp Listener Adapter
• Net.Tcp Port Sharing Service
• Netlogon
• Network Connections
• Network List Service
• Network Location Awareness
• Network Store Interface Service
• Optional: Virus Scanner, e.g. OfficeScan NT RealTime Scan
• OpenDS
• Openssh SSHD
• OracleOraDb11g_home1TNSListener
• OracleServiceTNMS
• Plug and Play
• Portable Device Enumerator Service
• Power
• Print Spooler
• RCTSrv
• Remote Desktop Configuration*
• Remote Desktop Services*
• Remote Desktop Services UserMode Port Redirector*
• Remote Procedure Call (RPC)
• RPC Endpoint Mapper
• Security Accounts Manager
• Server
• Shell Hardware Detection
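The two lists of this section can be turned into a compliance check that is run after installation and after every patch cycle. The PowerShell script below is an added example, not part of the Coriant manual: it only carries an excerpt of each list (display names as shown in the Services console; extend the arrays with the rest of the section), reports the startup type and state of every listed service, and with -Enforce disables and stops the services on the "must be disabled" side. A required service that is not running is reported but deliberately not started, because that needs investigation rather than a blind start.

```powershell
# Added example (not from the Coriant manual): compare the services of this host
# with the two lists of section 12.2.10. Only an excerpt of each list is filled in;
# extend the arrays with the remaining display names from the section. WMI is used
# because Get-Service on PowerShell 2.0 (Windows Server 2008 R2) has no startup type.
param([switch]$Enforce)   # without -Enforce the script only reports

# Excerpt of "must be disabled" (display names as shown in services.msc).
$MustBeDisabled = @(
    'ActiveX Installer (AxInstSV)', 'Application Layer Gateway Service', 'Bluetooth Support Service',
    'BranchCache', 'Fax', 'HomeGroup Listener', 'Internet Connection Sharing (ICS)',
    'Parental Controls', 'Peer Name Resolution Protocol', 'Routing and Remote Access',
    'SNMP Trap', 'SSDP Discovery', 'UPnP Device Host', 'WebClient', 'Windows Search',
    'WLAN AutoConfig', 'WWAN AutoConfig'
)
# Excerpt of "TNMS Server uses the following services".
$MustRun = @(
    'Cryptographic Services', 'DCOM Server Process Launcher', 'Distributed Transaction Coordinator',
    'DNS Client', 'IIS Admin Service', 'Net.Tcp Port Sharing Service', 'OpenDS', 'Openssh SSHD',
    'OracleOraDb11g_home1TNSListener', 'OracleServiceTNMS', 'Remote Procedure Call (RPC)',
    'RPC Endpoint Mapper', 'Security Accounts Manager', 'Server'
)

function Get-TnmsServiceCompliance {
    param([string[]]$Disable = $MustBeDisabled, [string[]]$Required = $MustRun)
    $all = Get-WmiObject -Class Win32_Service
    foreach ($name in ($Disable + $Required)) {
        $expected = if ($Disable -contains $name) { 'Disabled' } else { 'Running' }
        $svc = @($all | Where-Object { $_.DisplayName -eq $name })
        if ($svc.Count -eq 0) {
            # Not installed: acceptable on the disable side, a finding on the required side.
            $svc = @(New-Object PSObject -Property @{
                DisplayName = $name; Name = '-'; StartMode = 'not installed'; State = 'not installed' })
        }
        foreach ($s in $svc) {
            $ok = if ($expected -eq 'Disabled') {
                ($s.State -eq 'not installed') -or
                ($s.StartMode -eq 'Disabled' -and $s.State -ne 'Running')
            } else {
                $s.State -eq 'Running'
            }
            New-Object PSObject -Property @{
                Service = $s.DisplayName; Name = $s.Name; Expected = $expected
                StartMode = $s.StartMode; State = $s.State; Compliant = $ok
            }
        }
    }
}

$report = @(Get-TnmsServiceCompliance)
$report | Sort-Object Compliant, Service |
    Format-Table Service, Name, Expected, StartMode, State, Compliant -AutoSize

if ($Enforce) {
    foreach ($r in ($report | Where-Object { $_.Expected -eq 'Disabled' -and -not $_.Compliant })) {
        # Same effect as setting "Disabled" in the Services console, plus an explicit stop:
        # changing the startup type alone does not end a running instance.
        Set-Service -Name $r.Name -StartupType Disabled
        Stop-Service -Name $r.Name -Force -ErrorAction SilentlyContinue
        Write-Host "disabled and stopped: $($r.Service)"
    }
}
```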

12.2.11 Remote Access/Remote Desktop

TNMS does not rely on the remote access/remote desktop feature provided by the Windows operating system. However, it is possible to remotely administer TNMS machines. It is therefore recommended that you configure Network Level Authentication for the allowed connections as described below.


To configure Network Level Authentication for a connection:
1. On the Remote Desktop Session Host server, go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow connections only from computers running Remote Desktop with Network Level Authentication.
If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is already selected and cannot be changed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and applied to the Remote Desktop Session Host server.
4. Click OK.

12.2.12 Reduce passive FTP port range

By default FTP uses any port of the dynamic port range 49152-65535, which is quite wide. To limit this range do as follows:
The range should contain 50 or more ports.
1. Go to the IIS 7 Manager. In the Connections pane, click the server-level node in the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Click Apply in the Actions pane to save your settings.

12.3 Networking and firewall configuration


You should configure the network in a way that makes the TNMS machines accessible only from machines with which TNMS needs to communicate. This can be done by network segmentation and by firewall deployment. The hardening description below is general, as the measures highly depend on the network infrastructure and topology.
You should consider disabling any default gateways and using static routes between the TNMS machines and the other machines with which TNMS needs to communicate. Access to the general internet should also be disabled.
It is recommended that you install a network firewall. However, you can also use local firewalls, such as Windows Firewall (see 12.3.2 How to configure the Windows firewall).

Coriant does not recommend the deployment of a firewall between the NetServer and the NE network. This scenario is not tested and therefore is not officially supported. In case the customer needs to deploy one for topology/security reasons, the ports listed for NetServer <> NE communication in this manual can be used as a starting point to configure the firewall for the Coriant hiT7300 and hiT7100 NEs. Other supported NEs may need different/additional ports/protocols. Please refer to the specific NE's manual to gather the information required to configure your firewall.

12.3.1 List of ports to open in the firewall


Below is the list of ports to be opened in the firewall, together with their description.

Coriant does not recommend the use of a proxy to access the Citrix Server through the web interface, but if you decide to use one you must open a port in the firewall for the proxy.

Each block below names the host addresses (Source -> Destination) and then lists one row per rule with the columns:
Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory
(a cell that is empty in the table is shown as "-")

Firewall between a Planning Tool (PT) and TNMS Server
PT -> TNMS Server
  8093 | TCP | MTOSI / JMS | Yes (TLS) / No | TMF-854 interface between TNMS and PT. Used in the IOC deployment. | Optional. Only for IOC.
TNMS Server -> PT
  4189 | TCP | PCEP | Yes (TLS) | PCEP interface used by TNMS to request routes from PT. Used in the IOC deployment. | Optional. Only for IOC.

Firewall between an NBI and TNMS Server
CORBA Northbound Interface -> TNMS Server
  17289 (default; CORBA NS), 3528 (CORBA IIOP) | TCP | MTMN CORBA | - | TMF-814 interface for integration into an umbrella NMS. | Only if the CORBA NBI is used.
TNMS Server -> CORBA Northbound Interface
  configurable | TCP | CORBA | - | External CORBA Naming Service. | Only if the CORBA NBI is used.
  configurable | TCP | CORBA | - | External CORBA Notification Service. | Only if the CORBA NBI is used.

Firewall between a remote Administrator machine and TNMS Server or TNMS NetServer (northbound) machines
TNMS remote Administrator machine -> TNMS Server machine / TNMS NetServer (northbound) machine
  3389 | TCP | RDP (Windows Remote Access) | Yes (if TNMS security hardening is followed) | Windows Remote Desktop for remote administration. | Optional. Only required if TNMS machines need to be administered remotely.

Firewall between CITRIX Client and CITRIX Server
Citrix server and client are only deployed if a central user interface server is used (for example a central Windows server for TNMS clients). If not used, packets arriving at those ports can be rejected or dropped.
TNMS user workstation (CITRIX client) -> TNMS Client (CITRIX server)
  1494 | TCP | ICA | No | For Citrix. | Optional. Only required when Citrix is used.
  2598 | TCP | ICA | Yes | For Citrix SecureICA. | Optional. Only required when Citrix is used.
  80 | TCP | http | No | Only if you use the Citrix web client. If you have a Citrix client installed locally you do not need to open these ports. | Optional. Only required when Citrix is used.
  443 | TCP | https | Yes | Only if you use the Citrix web client. If you have a Citrix client installed locally you do not need to open these ports. | Optional. Only required when Citrix is used.

Firewall between TNMS clients and TNMS Server
TNMS Client -> TNMS Server
  1098 | TCP | RMI | Yes (TLS) | Naming service port for RMI requests from client proxies | Mandatory
  1100 | TCP | JBoss NS | Yes (TLS) | JBoss Naming Service | Mandatory
  3873 | TCP | EJB3 | Yes (TLS) | EJB3 Remoting Connector | Mandatory
  4444 | TCP | RMI | Yes (TLS) | Port for the RMI/JRMP invoker | Mandatory
  4445 | TCP | RMI | Yes (TLS) | Port for the Pooled invoker | Mandatory
  5445 | TCP | RMI | Yes (TLS) | RMI (JMX HornetQ) | Mandatory
  8080 | TCP | WEBDAV | Yes (TLS) | WEBDAV service | Mandatory
  8083 | TCP | RMI | Yes (TLS) | RMI Web Service port for dynamic class and resource loading | Mandatory
  8093 | TCP | JMS | Yes (TLS) | JMS Service | Mandatory

Firewall between TNMS clients and TNMS Netserver(s)
Embedded EM -> Netserver
  22 | - | - | - | The TNMS client can open the craft terminal as it is embedded in the TNMS client. To be able to communicate with the central SFTP server running on the TNMS Netserver machine, a tunnel is created. | Optional. Only used for NEs that use SFTP, for example hiT 7300 and hiT 7100.

Firewall between TNMS Server and TNMS Netserver
TNMS Server -> TNMS NetServer (northbound)
  22 | TCP | SSH/SCP | No (local only) | Secure Copy (secure copy over SSH) | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  1198 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  1199 | TCP | JBossNS | No (local only) | JBoss Naming Service | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  3973 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  4445 | TCP | RMI | No (local only) | Port for the Pooled invoker | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  8093 | TCP | RMI | No (local only) | RMI | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
  19980 | TCP | CORBA | No (local only) | CORBA omniORB listening port | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server -> TNMS NetServer (northbound)
  22 | TCP | SFTP | No (local only) | Secure FTP | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  1298 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  1299 | TCP | JBossNS | No (local only) | JBoss Naming Service | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  4073 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  8093 | TCP | RMI | No (local only) | RMI | Optional. Only if TNMS manages Juniper MX / PTX NEs.
  21 | TCP | FTP | No (local only) | File Transfer Protocol | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
  49152-65535 | TCP | FTP | No (local only) | File Transfer Protocol. Limit the dynamic range used by the FTP server (see below). | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
  To limit the dynamic range used by the FTP server:
  1. Go to IIS Manager > Connections column (Server) > FTP Firewall Support > Data Channel Port Range and insert the desired range.
  2. Restart IIS.
  3. Insert the same range in the firewall.
TNMS Netserver (northbound) -> TNMS Server
  1098 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies | Mandatory
  1100 | TCP | JBoss | No (local only) | JBoss Naming Service | Mandatory
  3528 | TCP | CORBA / IIOP | No (local only) | CORBA Object Adapter (used by TNMS NBI/SBI) | Mandatory
  4444 | TCP | RMI | No (local only) | Port for the RMI/JRMP invoker | Mandatory
  8083 | TCP | RMI | No (local only) | RMI Web Service port for dynamic class and resource loading | Mandatory
  8093 | TCP | JMS | No (local only) | JMS Service | Mandatory

Firewall between TNMS active server and TNMS standby server
TNMS active server -> TNMS standby server
  1521 | TCP | Oracle stream | No | Oracle database replication | Optional. Only if there is a standby TNMS Server installed.
TNMS standby server -> TNMS active server
  1521 | TCP | Oracle | No | Oracle database replication | Optional. Only if there is a standby TNMS Server installed.
TNMS active server and TNMS standby server
  - | - | DNS | No | - | Optional. Only required if a TNMS standby server is used.

Firewall between TNMS Server and Customer Network
TNMS Server -> DNS server
  53 | TCP | DNS | - | - | Only if a DNS service is used.
TNMS Server -> NTP server
  123 | TCP / UDP | NTP | No | NTP. Use TCP or UDP depending on the configuration of the NTP server. | Mandatory
TNMS Server -> Server where TNMS logs are transferred to
  21 | TCP | FTP | No | External server to store logs | Optional. Only needed if logs are to be transferred to an external log file server.
  22 | TCP | SFTP | Yes | External server to store logs | Optional. Only needed if logs are to be transferred to an external log file server.
TNMS Server -> Domain controller
  88 | UDP | Kerberos | No | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
  135 | TCP / UDP | DCE / RPC | - | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
  389 | TCP / UDP | LDAP | - | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
  445 | TCP / UDP | AD / SMB | - | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.
  464 | TCP / UDP | Kerberos | - | Communication with the domain controller for single sign-on (SSO). | Optional. Only required if SSO is used.

Traffic between TNMS and NE Network (firewall not recommended) - example for hiT7300 / hiT7100
TNMS Netserver (southbound) -> NE/GNE management interface
  10000-13999 | TCP | SNMPv3 over TCP (RFC 3420) | Yes (SNMPv3) | SNMP multiplexing ports (NAPT) for embedded CT; target NE | Mandatory
  161 | TCP | SNMPv3 over TCP (RFC 3420) | Yes (SNMPv3) | SNMP managers | Mandatory
  22 | TCP | SSH / SCP | Yes | Secure Copy (secure copy over SSH) | Mandatory
NE/GNE management interface -> TNMS Client (LCT)
  990-993 | TCP | FTPS | Yes (SSL) | FTP over SSL. For LCT communication. The number of ports within this range in use at a given time equals the number of LCTs communicating with the NE, up to a maximum of 4 ports. Additional ports may be opened if more simultaneous LCTs are required. | Optional and not recommended. For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE. To avoid direct connectivity you should configure the TNMS SFTP settings for tunneling communications between LCT and NEs.
  49152-65535 | TCP | FTPS | Yes (SSL) | FTP over SSL. For LCT communication. | Optional and not recommended. For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE. To avoid direct connectivity you should configure the TNMS SFTP settings for tunneling communications between LCT and NEs.

Traffic between TNMS and NE Network (firewall not recommended) - example for Juniper NEs
TNMS Netserver (southbound) -> NE/GNE management interface
  22 | TCP | NetConf | Yes (SSH) | NETCONF management interface for Juniper. | Optional (only if there are Juniper NEs in your network)
NE/GNE management interface -> TNMS Netserver (southbound)
  32666 | UDP | SNMPv3 | Yes (SNMPv3) | Trap notifications from Juniper | Optional (only if there are Juniper NEs in your network)

Traffic between TNMS and NE Network (firewall not recommended) - example for hiT 7020, 7025, 7030, 7035, 7060, 7060HC, 7065, 7080 NEs
NE/GNE management interface -> TNMS Netserver (southbound)
  8002 | TCP | SNMPv3 | Yes (SNMPv3) | Traphandler | Optional (only if there are any of these NEs in your network)

Table 10 Firewall rules

A50023-K2035-X040-05-76D1
Issue: 5 Issue date: July 2014

Installation Manual (IMN, Windows)

12.3.2 How to configure the Windows firewall


To configure the Windows 7 / Windows Server 2008 firewall, proceed as follows:
1. Go to Start > Control Panel > Windows Firewall.
2. Click on Advanced settings.
3. In the left pane click on Inbound Rules or Outbound Rules, depending on the direction of the connection you are configuring.
4. In the right pane, click on New Rule to open a port for the traffic of a service. The New Inbound/Outbound Rule Wizard starts.
5. In the Rule Type step select Port. Click Next.
6. In the Protocols and Ports step:
   • select TCP;
   • select Specific local ports and enter the port number to which the rule applies (see Table 10).
   Click Next.
7. In the Action step check Allow the connection. Click Next.
8. In the Profile step check Domain (uncheck all others). Click Next.
9. In the Name step type a name for the rule. Click Finish to create the rule and close the wizard.
10. Repeat the procedure for each of the remaining ports.
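Repeating the wizard for every port of Table 10 is tedious and easy to get wrong, so the same inbound rules can be created from a list with netsh, which is available on Windows 7 / Server 2008 R2 (the New-NetFirewallRule cmdlets are not). The PowerShell script below is an added example, not part of the Coriant manual: it carries the TCP ports that a TNMS Server accepts from TNMS clients and from the northbound NetServer (taken from Table 10), prints the netsh commands it would run, and with -Apply creates the rules in the Domain profile as in step 8. The -ClientSubnet and -NetServerAddress parameters are assumptions: they narrow each rule to the peer network, which the wizard steps leave at "any".

```powershell
# Added example (not from the Coriant manual): create the inbound Windows Firewall
# rules of section 12.3.2 on a TNMS Server from the Table 10 port list with
# "netsh advfirewall", instead of running the wizard once per port.
param(
    [switch]$Apply,                     # without -Apply the netsh commands are only printed
    [string]$ClientSubnet = 'any',      # assumed value, e.g. '10.10.20.0/24' for the TNMS client LAN
    [string]$NetServerAddress = 'any'   # assumed value: address of the TNMS NetServer (northbound)
)

# Table 10, "Firewall between TNMS clients and TNMS Server" (all TCP, mandatory).
$ClientToServer = @{
    1098 = 'RMI naming service'; 1100 = 'JBoss naming service'; 3873 = 'EJB3 remoting connector'
    4444 = 'RMI/JRMP invoker';   4445 = 'Pooled invoker';       5445 = 'RMI (JMX HornetQ)'
    8080 = 'WebDAV service';     8083 = 'RMI class loading';    8093 = 'JMS service'
}
# Table 10, "TNMS Netserver (northbound) -> TNMS Server" (all TCP, mandatory).
$NetServerToServer = @{
    1098 = 'RMI naming service'; 1100 = 'JBoss naming service'; 3528 = 'CORBA object adapter (IIOP)'
    4444 = 'RMI/JRMP invoker';   8083 = 'RMI class loading';    8093 = 'JMS service'
}

function Get-TnmsInboundRules {
    # One object per rule. The peer name goes into the rule name so that the rules
    # created here can be listed and removed again as a group.
    param([hashtable]$Ports, [string]$Peer, [string]$RemoteIp)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Name     = "TNMS Server - from $Peer - TCP $port ($($Ports[$port]))"
            Port     = $port
            RemoteIp = $RemoteIp
        }
    }
}

function Set-TnmsInboundRule {
    param($Rule, [switch]$Apply)
    # profile=domain mirrors step 8 of the wizard; remoteip restricts the rule to the
    # peer network instead of accepting the port from any address.
    $netshArgs = @("name=$($Rule.Name)", 'dir=in', 'action=allow', 'protocol=TCP',
                   "localport=$($Rule.Port)", 'profile=domain', "remoteip=$($Rule.RemoteIp)")
    if (-not $Apply) {
        return ('netsh advfirewall firewall add rule name="' + $Rule.Name + '" dir=in action=allow ' +
                'protocol=TCP localport=' + $Rule.Port + ' profile=domain remoteip=' + $Rule.RemoteIp)
    }
    # Delete an earlier rule of the same name first so that re-running the script does
    # not stack duplicates (netsh answers "No rules match" when there is none; harmless).
    & netsh advfirewall firewall delete rule "name=$($Rule.Name)" | Out-Null
    & netsh advfirewall firewall add rule $netshArgs | Out-Null
    return "added: $($Rule.Name)"
}

$rules  = @(Get-TnmsInboundRules -Ports $ClientToServer    -Peer 'clients'   -RemoteIp $ClientSubnet)
$rules += @(Get-TnmsInboundRules -Ports $NetServerToServer -Peer 'netserver' -RemoteIp $NetServerAddress)
foreach ($r in $rules) { Set-TnmsInboundRule -Rule $r -Apply:$Apply }
```

The UDP rows of Table 10 (NTP, Kerberos, SNMP traps) and the outbound rules are not covered by this list; add them the same way with protocol=UDP or dir=out as required.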

12.4 OEM Hardening

In this section you can find instructions on how OEM and third-party software that works with TNMS can be hardened to decrease the attack surface for attacks against TNMS.

12.4.1 JBoss

JMX should be disabled. To disable the JMX console remove the folder:
\TNMS\jboss\server\bicnet\deploy\jmx-console.war

12.4.2 CopSSH (SFTP)

You should limit user access to the CopSSH home folder. To do so you must manually configure the NTFS file system permissions as described below:
1. Create a local group by running the following command in the command line:
#> net localgroup CopsshUsers /ADD
2. Deny access to this group for each available local drive, by running:
#> cacls <drive letter>:\ /c /e /t /d CopsshUsers
3. Open access to the home directory, by running:
#> cacls <CopSSH installation directory>\home /c /e /t /r CopsshUsers
4. Add the CopSSH user to the group created above and make sure that the user is not a member of any other group. Run:
#> net localgroup CopsshUsers <user> /add


5. Go to the CopSSH control panel and activate user for 'Linux shell and Sftp' or 'Sftp
only'.
Shell access will not work due to limitations on system directories.
6. Repeat steps 4. and 5. for each user.

12.4.3 Oracle

File name  | Location                                       | Explanation/Goal                                                                                        | Hardening
config.dat | <USER_INSTALL_DIR>\jboss\server\bicnet\conf    | Binary file which allows USM to connect to the LDAP server.                                             | Restrict the file permissions according to 12.6.1.
db-ds.xml  | <USER_INSTALL_DIR>\jboss\server\bicnet\deploy  | Text file which connects JBoss components to the database. Identified in the file by: username/password. | Restrict the file permissions according to 12.6.1.
Table 11 Database-related configurations and security hardenings.

12.4.4 Internet Explorer

Internet Explorer should not be used for browsing the public internet, as this increases the risk of the system being compromised. You should disable access to the public internet.

12.5 TNMS Maintenance Packages and Workaround Updates

Coriant recommends that you install, when available, the TNMS Maintenance Packages and Workaround Updates, since they may contain relevant security improvements.

12.6 User Management

Components | Username/Password | Location | Explanation/Goal | Hardening
TNMS Server (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/bicnet/conf/props/jmx-console-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Generic Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/gm/conf/props/jmx-console-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Multi Vendor Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/mvm/conf/props/jmx-console-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated.
Generic Mediator | User: RemoteLoginFunction. Password: <no password> | Hardcoded. Authentication from TNMS (GM) to the NE is possible when checking the option in the NE Properties window: "Use RADIUS server for authentication". Then the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is checked automatically. | The Generic Mediator uses this user only in the first message of the authentication process between the Generic Mediator and the RADIUS server. | N/A because this user is only needed to fulfill RADIUS protocol requirements.
LCT | User: <Username_RU> (concatenation of the username from tab SNMP Settings in the NE Properties window and the string "_RU"). Password: <Password from tab SNMP Settings in the NE Properties window> | Hardcoded. Authentication sent from GM to EM/NE to open the LCT window is possible when the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is checked. | The EM/NE uses this authentication to allow the opening of the LCT window corresponding to that NE. | N/A because it is not possible to change this password (solution underway). This user cannot be used for login purposes.
Connection Manager, BCB Mediator | User: jleal. Password (hardcoded): jleal | Hardcoded in those components so that their authentication matches each other. | Security context for communication from server to netserver components. | N/A because it is not possible to change this password (solution underway).
Multiple NE functions | User: tomcat. Password: tomcat | <data path>\TNMS\nedata\webdav\webdav.war\WEB-INF\classes\users.properties | Security context for communication from client to server components. | Restrict the file permissions according to 12.6.1.
User and Security Management | User: Administrator. Password (default): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usminstall-data_opends.ldif | Password for user Administrator has to be changed at first login. | N/A because it has to be changed at the first login.
User and Security Management | User: ptc. Password (hardcoded): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usminstall-data_opends.ldif | ptc user is an internal account. | Remove the file after installing and/or protect the installation directory against unauthorized users.
Table 12 Default TNMS user accounts and security hardenings.

12.6.1 Restricting the specified files' permissions

To restrict the specified files' permissions:
1. Navigate to the file using Windows Explorer.
2. Right-click the file and select Properties.
3. In the Security tab click on Advanced.
4. In the Advanced Security Settings window, Permissions tab, click on Change Permissions.
5. Select all users except SYSTEM and the Administrators group and click on Remove.
Only the user SYSTEM and the Administrators group should remain, both with full access.
6. Click OK to accept the changes and close the window.
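The same result can be produced with Get-Acl/Set-Acl, which is useful because the procedure has to be applied to every file named in Table 11 and Table 12. The PowerShell script below is an added example, not part of the Coriant manual: it removes inheritance from the parent folder (the step that the dialog needs before inherited entries can be removed), drops every remaining entry and leaves only SYSTEM and Administrators with full control. The default paths are placeholders for the <USER_INSTALL_DIR> locations of Table 11; pass the real paths of your installation.

```powershell
# Added example (not from the Coriant manual): the permission change of section 12.6.1
# performed with Get-Acl/Set-Acl so that it is applied identically to every file named
# in Table 11 and Table 12. The default paths are placeholders only.
param(
    [string[]]$Path = @(
        'C:\TNMS\jboss\server\bicnet\conf\config.dat',    # placeholder for <USER_INSTALL_DIR>\... (Table 11)
        'C:\TNMS\jboss\server\bicnet\deploy\db-ds.xml'    # placeholder for <USER_INSTALL_DIR>\... (Table 11)
    ),
    [switch]$Apply   # without -Apply the script only shows the ACL it would write
)

function Protect-TnmsConfigFile {
    param([string]$File, [switch]$Apply)
    if (-not (Test-Path -Path $File)) { Write-Warning "not found: $File"; return }
    $acl = Get-Acl -Path $File
    # Stop inheriting from the parent folder (first argument) and do not keep copies of
    # the inherited entries (second argument). Without this, entries inherited from the
    # folder cannot be removed, which is also why the dialog in 12.6.1 may refuse step 5.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry, then add back only the two principals the procedure keeps.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $fullControl = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($fullControl)
    }
    if ($Apply) {
        Set-Acl -Path $File -AclObject $acl
        Write-Host "restricted: $File"
    } else {
        Write-Host "would write to $File :"
        $acl.Access | Where-Object { -not $_.IsInherited } |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    }
}

foreach ($f in $Path) { Protect-TnmsConfigFile -File $f -Apply:$Apply }
```

Run it as a member of Administrators; afterwards "icacls <file>" should list only NT AUTHORITY\SYSTEM and BUILTIN\Administrators with (F).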


Index
A
Adobe Reader 29
Antivirus 38
Audit policies 76
Audit policy 24

B
Backup 51
automating 56
client 57
command line 53
console 52
interactive mode 52
LDAP 55
non-interactive mode 52
OpenDS 55
Oracle database 53
TNMS database 54
BIOS 18

C
Client
terminating session 48
Common
standby server 70
Common Netserver 68
Common Standby Server 70
Common standby server 70
Component delivery 15
Component Services 25
Console 52
CopSSH
configure 35
hardening 38
install 35
security hardening 89
troubleshooting 37

D
Disk configuration 19
Disk partitioning 21
Documentation
online help 13
Domain Verification 27
Dynamic Port range 28

F
Firewall
configuration 81
Windows firewall 89

H
Hardware 15
client 15
large configuration 15
medium configuration 15
netserver 15
requirements 15
security hardening 75
server 15
HP service pack 20

I
Installation
CopSSH 34
full 41
Hardware 15
OSI stack 33
separate components 44
TNMS 41
XML parser 29
Integrated Lights-Out 19
Interactive mode 52
Internet Explorer 49
Internet Information Services 26
Interworking 65
TNMS 65

J
Java
JRE 17
JBoss 89
JRE 17

L
Large configuration 20
LDAP 55
License 49
Local security policy 78
Login 47

M
Medium configuration 20
Microsoft Windows
security hardening 75
security patches 75
MS.NET 29
MSXML 29

N
Netserver 68
Non-interactive mode 52
NTI 38

O
OpenDS 55
Operating system
security hardening 75
shares 76
Operating Systems 17
Oracle 30
security hardening 90
template files 30
Uninstalling 32
Oracle backup files 53
OSI Stack 33
configure 33
install 33
OSI stack
Installation 33
uninstalling 34

P
Password 48
change 48
complexity rules 48
Policies 76
Prerequisites 17, 29

Q
Quick format 22

R
Recovering
Oracle 59
Recovery 59
Remote
access 80
desktop 80
Remote registry 77
Restore 51, 59
LDAP 60
OpenDS 60
simultaneous 61
TNMS database 59
Roles 76

S
Security 75

Security hardening 75
audit policies 76
CopSSH 89
digitally signed communications 78
firewall 81
Internet Explorer 90
jboss 89
local security policy 78
Microsoft Windows security patches 75
networking 81
OEM 89
operating system 75
Oracle 90
physical and hardware 75
remote access 80
remote registry 77
SFTP 89
system services 78
unnecessary accounts 75
unnecessary applications and roles 76
user management 90
Windows Error Reporting 77
Server 19
standby 49
Services 47
SFTP
security hardening 89
Single Sign-on 49
Standby server 49, 70
Structure
online help 13
System Hosts configuration 27
System services 78

T
Template files 30
Third-party software
OSI stack 33
XML parser 29
TNMS 65
uninstallation 73
TNMS Core 65

U
Uninstallation 73
Upgrade 63
User Account Control 29
User interface
username and password 48
Username 48

V
Virtual memory 23

Virtualization 16

W
Web Server 25
Windows 19
Windows 7 26, 27
FTP 27
Windows Error Reporting 77
Windows Server 2008 25, 26, 29
FTP 26

X
XML parser
Installation 29

Abbreviations

ACS       Actual Creation State
ALS       Automatic Laser Shutdown
ASON      Automatically-Switched Optical Network
BCB       Broadcast Band
CAM       Common Array Manager
CBS       Committed Burst Size
CC        Cross Connection
CDM       Cross-domain Manager
CIR       Committed Information Rate
CFM       Connectivity Fault Management
CLI       Console Interactive
CORBA     Common Object Request Broker Architecture
CSPF      Constrained Shortest Path First
CST       Central Standard Time
CSV       Comma-Separated Values
DA        (Oracle's Sun Storage) Disk Array
DCN       Data Communications Network
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Naming Service
DSR       Dynamic Source Routing
DWDM      Dense Wavelength Division Multiplexing
ELP       Ethernet Linear Protection
EM        Element Manager
EM/NE     Element Manager/Network Element object management
FA-LSP    Forwarding Adjacency LSP
FEC       Forward Error Correction
FTP       File Transfer Protocol
GBE       Gigabit Ethernet
GCT       GUI Cut-Through
GFPG      Generic Framing Procedure Group
GM        Generic Mediator
GMPLS     Generalized Multi-Protocol Label Switching
GMT       Greenwich Mean Time
GNE       Gateway Network Element
GPS       Global Positioning System
GUI       Graphical User Interface
IMN       Installation Manual
IOC       Intelligent Optical Control
IOC OP    Intelligent Optical Control Online Planning
IP        Internet Protocol
LACP      Link Aggregation Control Protocol
LAG       Link Aggregation
LAN       Local Area Network
LCT       Local Craft Terminal
LDAP      Lightweight Directory Access Protocol
LSP       Label Switched Path
LSR       Label Switch Router
MDI       Multiple Document Interface
MIB       Management Information Base
MSDE      Microsoft SQL Server Desktop Engine
MTOSI     Multi Technology Operations System Interface
MVM       Multi-Vendor Mediator
NE        Network Element
NEC       NE Controller
NIC       Network Interface Card
NNI       Network to Network Interface
NTFS      (Microsoft's) New Technology File System
NTP       Network Time Protocol
NW        Network
OAM       Operation, Administration and Maintenance
OCH       Optical Channel
ODU       Optical Data Unit - transport technology
OM        Optical Manager or Optical Management
OMS       Optical Multiplex Section
OPU       Optical Payload Unit - transport technology
OTS       Optical Transport Section - transport technology
OTU       Optical Transport Unit - transport technology
PBS       Peak Burst Size
PC        Personal Computer
PCEP      Path Computation Engine Protocol
PDF       Portable Document Format
PIR       Peak Information Rate
PT        Physical Trail
PTC       Planning Tool Connector
PTP       Physical Termination Point
RAID      Redundant Array of Independent Disks
RNE       Remote Network Element
SCP       Secure Copy
SCSI      Small Computer System Interface
SDH       Synchronous Digital Hierarchy
SFTP      Secure File Transfer Protocol, or Secure Shell File Transfer Protocol
SLA       Service-Level Agreement
SNC       SubNetwork Connection
SNCP      SubNetwork Connection Protection
SNMP      Simple Network Management Protocol
SONET     Synchronous Optical Networking
SPC       Soft Permanent Connection
SQL       Structured Query Language
SRLG      Shared Risk Link Group
SSH       Secure Shell
STP       Spanning Tree Protocol
SVID      Service Virtual Local Area Network Identifier
TC        Topological Container or TransConnect
TCP/IP    Transport Control Protocol/Internet Protocol
TL1       Transaction Language 1
TE-Link   Traffic Engineering-Link
TMN       Telecommunications Management Network
TN        TransNet
TNMS      Telecommunications Network Management System
TP        Terminal Point
USB       Universal Serial Bus
UMN       User Manual
UNI       User-to-Network Interface
UNI-S     User-to-Network Interface-Service
UPS       Uninterruptible Power Supply
VC        Virtual Container
VLAN      Virtual LAN
WAN       Wide Area Network
WLAN      Wireless LAN
XC        Cross Connection
X-NE      Cross-NE
XML       eXtended Markup Language

Glossary
@CT

@CT is a web-based craft terminal (that is, element manager) software which provides
web access to hiT 7300 network elements (NEs) in the customer network without the
use of a management system. It communicates via SNMP with the NEs and uses the
FTPS for upload/download of software or other data configuration (for example, log
files).

3DES

Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or
Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard
(DES) cipher algorithm three times to each data block.

Actual Creation State (ACS)

Is the current state of the path, which results from the accumulation of the actual
creation states of the path's route elements.

Advanced Encryption Standard (AES)

Is a specification for the encryption of electronic data. AES is based on a design principle
known as a substitution-permutation network, and is fast in both software and hardware.

Alarm

An alarm is a management mechanism intended to inform the user that there is a
standing fault condition in the system.

Alarm log

An alarm log provides a list of the alarms associated with a managed object, and
provides the following information about each of the alarms:
- the identification of the affected object
- the identification of the failed NE or the NE in which the failed unit resides
- the alarm severity
- the time the event occurred
- the indication whether the alarmed event is service affecting or not
- the location and the affected traffic

Alarm severity

Each failure is assigned a severity. The following values are used:
- indeterminate
- critical
- major
- minor
- warning
- cleared alarms
- not Existent
- not Alarmed
Element Manager (EM) can configure the severity which is assigned to each fault cause
by an alarm severity assignment profile. In addition, EM can specify that a fault cause
shall not be alarmed. These fault causes will be blocked, hence do not lead to any LED
alarm indications, log entries or alarm reporting.

Alien wavelength

A wavelength that does not originate from a transponder or muxponder card, but is still
allowed to be multiplexed into the aggregate line signal for transport as an optical
channel by the system.

Automatic Laser Shutdown (ALS)

Is a technique used to automatically shut down the output power of the transmitter in
case of fiber break. This is a safety feature that prevents dangerous levels of laser light
from leaking out of a broken fiber, provided ALS is provisioned on both ends of the fiber
pair.

Automatically-Switched Optical Networks (ASON)

ASON domains are built on the VC4 layer of hiT 7065, 7070 or 7080, and on OCh layer
of hiT 7300 and on ODU2 layer of hiT 7100, which have a Control Plane. The Control
Plane uses network-generated signaling and routing protocols to set up or release a
connection, and can restore one when it fails. ASON domains can be built up as part of
the transport network. They provide the benefit of easy end-to-end provisioning, and
fault and protection management. Soft permanent connections (SPCs) connect both
endpoints (NE1 and NE2) within an ASON domain. If a path fails, an alternative path is
automatically used.

Bidirectional Self-healing Ring (BSHR)

Is a telecommunications term for a loop network topology, a common configuration in
telecommunications transmission systems; the loop or ring is used to provide redundancy.
The system consists of a ring of bidirectional links between a set of stations. In normal
use, traffic is dispatched in the direction of the shortest path towards its destination. In
the event of the loss of a link, or of an entire station, the two nearest surviving stations
"loop back" their ends of the ring. In this way, traffic can still travel to all surviving parts
of the ring, even if it has to travel "the long way round".

Card

A card is a plug-in unit that occupies one (or multiple) shelf slots. Cards perform specific
electrical and/or optical functions within an NE.
Each card has a faceplate with information LEDs and, in most cases, several ports for
interconnection of optical fibers and/or optical interfaces.

Card slot

A card slot is the insertion facility for a card in a shelf. Each card slot is designed for one
or several particular card types.
Mechanical coding elements make sure that each card can be fully inserted only into a
card slot that is suitable for the given card type. Therefore, fundamental shelf equipping
errors (which might cause hardware damage or fatal malfunctions) are impossible.

Ethernet Connectivity Fault Management (CFM)

Is an end-to-end per-service Ethernet layer OA&M protocol. IEEE 802.1ag CFM is a
service level OA&M protocol that provides tools for detecting and isolating connectivity
failures in the network. This includes proactive connectivity monitoring, fault verification
and fault isolation for large Ethernet Metropolitan Area Networks (MANs) and WANs.

Committed Information Rate (CIR)

Is the guaranteed average rate (in Mbit/s) at which the information units are transferred
through the port over a measurement interval.

Commissioning

Commissioning a network element (NE) is the process of taking an installed NE and
bringing it into an operational state. The NE commissioning phase is performed after
the NE is installed and powered up.

Controller card

NE controller cards provide the central monitoring and controlling functions of the
system, as well as the MCF to operate the Q and QF Ethernet interfaces.
The controller card performs the following main functions: Fault Management, Performance
Management, Configuration Management, Security Management, Equipment
Management, Communication Management, Software Management (performing all
software downloads, uploads, and software integrity functions) and controlling the NE
alarm LEDs.

Data Communication Network (DCN)

Data Communications Network is a management network for telecommunication transport
systems. A DCN domain interconnects several NEs for the purpose of network management.
The communication is established via the Optical Supervisory Channel (OSC) of the optical
links and an Ethernet/L2 switching network implemented by the NEs.

Dense Wavelength Division Multiplexing (DWDM)

In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology
which multiplexes a number of optical carrier signals onto a single optical fiber by using
different wavelengths (colors) of laser light, that is, simultaneously places a large
number of optical signals (in the 1550 nm band) on a single optical fiber. This technique
enables bidirectional communications over one strand of fiber, as well as multiplication
of capacity.

Data Encryption Standard (DES)

Is a widely-used method of data encryption using a private key. DES applies a 56-bit key
to each 64-bit block of data. The process can run in several modes and involves 16
rounds or operations.

Dynamic Host Configuration Protocol (DHCP)

Is a standardized networking protocol used on IP networks that dynamically configures
IP addresses and other information that is needed for Internet communication. DHCP
allows computers and other devices to receive an IP address automatically from a
central DHCP server, reducing the need for a network administrator or a user to
configure these settings manually.

Domain

TNMS allows you to restrict user groups to operate only a set of NEs or DCN subnets
instead of the entire network. This partitioning is called a Domain and limits the operation on nodes outside of their partitions by assigning user groups to domains. Further,
you can also assign policies to domains for further control and security, limiting the user
groups to specific menu entries and actions. This arrangement is required, for example,
in network centers that are responsible for maintaining only a subset of the nodes. The
main purpose is security: it avoids that a login to the system grants access to the entire
network. TNMS now supports the creation, modification or deletion of multiple domains,
granting or restricting their accesses. By default, all NEs belong to the GLOBAL domain
which cannot be modified or deleted.

Ethernet Linear Protection (ELP)

Is a protection scheme defined in the ITU-T G.8031 standard, designed to protect
point-to-point Ethernet paths such as VLAN-based Ethernet networks. To achieve protection,
ELP uses two disjoint paths, a working path and a protection path: traffic is carried
first on the active path (working path) and, in case of failure, is switched to the
protection path. Both paths can be monitored using OAM protocols like CFM. ELP
provides 1:1 bi-directional protection switching with revertive mode capabilities. ELP
must first be configured at the NE side via the LCT; only then is it visible in TNMS
so that you can use it in the E-LAN and E-Line service creation via the New Ethernet
Service wizard. ELP is supported in specific network elements and cards only. Refer to
the NE dedicated documentation for more information.

Element Manager (EM)

Network elements enable the user to perform operation, administration and maintenance
tasks with the NE system in a GUI environment.

Ethernet

Ethernet is a family of frame-based computer networking technologies for LANs. It
defines a number of wiring and signaling standards for the physical layer, through
means of network access at the MAC/Data Link Layer, and a common addressing
format.

Fault management

Fault management reports all hardware and software malfunctions within an NE, and
monitors the integrity of all incoming and outgoing digital signals.

File Transfer Protocol (FTP)

FTP is a network protocol used to transfer files from one computer to an NE and vice
versa through the network.

Frequency

Frequency is a physical attribute of a wave (for example, an optical wave), defined as
the number of wave cycles per time unit. The frequency is directly related to the
wavelength.

Generalized Multi-Protocol Label Switching (GMPLS)

Is a protocol suite extending MPLS to manage further classes of interfaces and switching
technologies other than packet interfaces and switching, such as time division multiplex,
layer-2 switch, wavelength switch and fiber-switch.

Intelligent Optical Control (IOC)

Is the Coriant software platform integrating the software defined networking (SDN)
framework with intelligent control for multi-layer optical transport networks. IOC
addresses the complete operational workflow and network lifecycle from service
planning to optimization up to maintenance, by combining the capabilities of the Coriant
TransNet optical planning tool, the IOC OP provisioning system and the TNMS network
management system.

Internet Protocol (IP)

Is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and
essentially establishes the Internet.

Internet Protocol version 4 (IPv4)

Is a connectionless protocol for use on packet-switched networks. It operates on a best
effort delivery model, in that it does not guarantee delivery, nor does it assure proper
sequencing or avoidance of duplicate delivery. These aspects, including data integrity,
are addressed by an upper layer transport protocol, such as the Transmission Control
Protocol (TCP).

Link Aggregation Control Protocol (LACP)

Within the IEEE specification the Link Aggregation Control Protocol (LACP) provides a
method to control the bundling of several physical ports together to form a single logical
channel. LACP allows a network device to negotiate an automatic bundling of links by
sending LACP packets to the peer (directly connected device that also implements
LACP).

Link Aggregation (LAG)

Allows a bridge to treat multiple physical links between two end-points as a single logical
link, referred to also as a port-channel. The feature can be used to directly connect two
switches when the traffic between them requires high bandwidth and/or reliability, or to
provide a higher bandwidth connection to a public network. For this purpose, all the
physical links in a given port-channel must operate in full-duplex mode and at the same
speed. If a physical port or the related link of a LAG fails, the traffic previously carried
over the failed link is automatically switched to the remaining link(s) of the LAG (rapid
reconfiguration). Bandwidth degradation is an obvious impact if the summed throughput of
the aggregated links is higher than the throughput of the remaining link(s).
Be aware that certain link failures are not always visible to both ends of a link. Enabling
Link Aggregation Control Protocol (LACP) and Automatic Laser Shutdown (ALS)
guarantees that both ends of a link properly detect all failures and perform the correct
response. LAG groups must first be created at the NE side via the LCT; only then are they
visible in TNMS so that you can use them in the E-LAN and E-Line service creation via
the New Ethernet Service wizard. LAG is supported in specific network elements and
cards only. Refer to the NE dedicated documentation for more information.

Laser

A laser is a device that generates an intense narrow beam of light by stimulating the
emission of photons from excited atoms or molecules.

Laser safety

Laser safety rules are a group of mechanisms and actions necessary to protect all users
from harmful laser light emissions.

Local Craft Terminal (LCT)

LCT is a client-based craft terminal (that is, element manager) software which provides
access to network elements (NEs) in the customer network without the use of a management system.

Lightweight Directory Access Protocol (LDAP)

Is an application protocol for accessing and maintaining distributed directory information
services over an Internet Protocol network.

Line interface

A line interface is a transponder interface that faces the line side of the link. Contrast
with client interface which faces the client equipment side of the link.

Long Haul (LH)

hiT 7300 LH segment is a DWDM application characterized by a reach of more than 500
km and up to 1200 km.

Label Switched Path (LSP)

Is a path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE,
BGP or CR-LDP. The path is set up based on criteria in the forwarding equivalence
class (FEC).

Label switch router (LSR)

Sometimes called a transit router, is a type of router located in the middle of a
Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels
used to
route packets. When an LSR receives a packet, it uses the label included in the packet
header as an index to determine the next hop on the Label Switched Path (LSP) and a
corresponding label for the packet from a look-up table. The old label is then removed
from the header and replaced with the new label before the packet is routed forward.

MD5

Message-digest algorithm is a widely used cryptographic hash function producing a
128-bit (16-byte) hash value, typically expressed as a 32-digit hexadecimal number.

Maintenance Association End Points (MEP)

Are points at the edge of the domain that define the boundaries and send and receive
CFM frames through the wire side (physical port) or relay function side.

Management Information Base (MIB)

Is used for backup purposes where you can plan automatic upload jobs.

MX

Juniper MX Series Universal Edge Routers are Ethernet-centric services routers that
are purpose-built for demanding carrier and enterprise applications (source: Juniper
website).

NetConf

Network Configuration Protocol (NETCONF) is an IETF network management protocol.
NETCONF provides mechanisms to install, manipulate, and delete the configuration of
network devices. Its operations are realized on top of a simple Remote Procedure Call
(RPC) layer. The NETCONF protocol uses an Extensible Markup Language (XML)
based data encoding for the configuration data as well as the protocol messages. This
in turn is realized on top of the transport protocol.

Network Craft
Terminal (NCT)

NCT is a network management craft terminal (that is, element manager) software which
is used for either local or remote network management.

Network Element
(NE)

A network element (NE) is a self-contained logical unit within the network. The NE can
be uniquely addressed and individually managed via software.
Each NE consists of hardware and software components to perform given electrical and
optical functions within the network.

Network Management

The network management layer includes all the required functions to manage the optical
network in an effective and user-friendly way, such as the visualization of the network
topology, creation of services, and correlation of alarms to network resources.

Network topologies

A topology of a network is defined by the list of NEs included in the network and the list
of links that connect those NEs (for example, point-to-point, chain, ring, and so on).

Network to Network Interface (NNI)

Is an interface which specifies signaling and management functions between two
networks. An NNI circuit can be used for interconnection of IP (e.g. MPLS) networks.

Coriant TransNet

Planning of a hiT 7300 network is done by the Coriant TransNet tool. Coriant TransNet
is a sophisticated software simulation tool developed specifically for designing and/or
upgrading optical DWDM networks with hiT 7300. It runs on PCs using Microsoft
Windows operating systems.

Optical Channel

A predefined wavelength that can be used to transmit a bit stream by means of a modulated light signal.

Optical Network Node (ONN)

An ONN is an NE where the incoming channels are either dropped or routed to a line in
a different direction; outgoing channels can also be added locally. Apart from multiplexing
and demultiplexing, an ONN NE implements optical or 3R signal regeneration and
dispersion compensation.

Optical path

The path followed by an optical channel from the first multiplexer to the last demultiplexer.

Path Computation Engine Protocol (PCEP)

Implements, sets up and manages PCEP, while also notifying OM when PCEP is available or unavailable to send/receive PCEP Route messages.

Performance management

Performance monitoring and signal quality analysis provide information for detecting,
and alerting on, a cause that could lead to degraded performance before a failure is
declared.

Peak Information Rate (PIR)

Is a burstable rate set on routers and/or switches that allows throughput overhead.
Related to the Committed Information Rate, which is a committed rate speed that is
guaranteed/capped. For example, a CIR of 10 Mbit/s and a PIR of 12 Mbit/s allow you
access to 10 Mbit/s minimum speed with burst/spike control that allows a throttle of an
additional 2 Mbit/s.

Pseudo-Random Binary Sequence (PRBS)

Is a known sequence of bits that can be used as a test signal to measure transmission
delay and bit error rate of a channel. In this test, one port inserts the PRBS signal in the
channel (source port) and another detects if the sequence was received correctly (sink
port). This kind of test is traffic affecting since the test sequence is inserted into the
OPUk until the test is stopped.

Physical Trails (PT)

Trails are represented as Physical Trails (PTs). They connect two Physical Termination
Points (PTP) on a physical layer rate, but can also contain non-physical layers.

Planning Tool Connector (PTC)

Interfaces with the Coriant TransNet/Intelligent Optical Control DWDM network planning tool.

PTX

Juniper Packet Transport Routers are Converged Supercore platforms that deliver
powerful capabilities based on the Junos Express chipset and forwarding architectures
optimized for MPLS and Ethernet, with integrated, coherent 100GbE technology (source:
Juniper website).

Required Creation State (RCS)

Is the desired state of the path, which is set by the user upon creation.

Optical Signal to Noise Ratio (OSNR)

OSNR is the ratio of an optical signal power to the noise power in the signal.

Ring network

A ring network is a network topology in which each NE connects to exactly two other
NEs, forming a circular optical path for signals (that is, a ring).

Synchronous Digital Hierarchy (SDH)

Is a standardized protocol that transfers multiple digital bit streams over optical fiber
using lasers or highly coherent light from light-emitting diodes. At low transmission rates
data can also be transferred via an electrical interface. The method was developed to
replace the Plesiochronous Digital Hierarchy system for transporting large amounts of
telephone calls and data traffic over the same fiber without synchronization problems.

Security management

Security Management controls the individual access to particular NE functions via the
network management system and/or via a craft terminal, using a hierarchical security
management user ID and password concept.

State Event Machine (SEM)

In computation, a finite-state machine is event driven if the transition from one state to
another is triggered by an event or a message.

Service Provisioning via NMS

Provisioning mode in hiT 7300. The core equipment is provisioned by downloading and
swapping NCFs, while services are manually provisioned via the NMS.
When adding new services or expanding an existing network, the relevant line cards,
cross connections and internal port connections between line cards and
multiplexers/demultiplexers are provisioned via the NMS.

Secure Hash Algorithm (SHA)

Is a family of cryptographic hash functions that takes an arbitrary block of data and
returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or
intentional) change to the data will (with very high probability) change the hash value.
The data to be encoded are often called the message, and the hash value is sometimes
called the message digest or simply digest.

Simple Network Management Protocol (SNMP)

SNMP is used in network management systems to monitor network-attached devices for
conditions that warrant administrative control. It consists of a set of standards for
network management, including an application layer protocol, a database schema, and
a set of data objects.

Software management

Software management performs all software downloads, uploads, and software integrity
functions.

Secure Shell (SSH)

Is a cryptographic network protocol for secure data communication, remote command-line
login, remote command execution, and other secure network services between two
networked computers; it connects, via a secure channel over an insecure network, a
server and a client (running SSH server and SSH client programs, respectively).

Subsystem

A subsystem is a set of shelves and cards in a multicontroller NE that is controlled by a
subagent. All subagents within a multicontroller NE are controlled by the master agent.

Topological Container (TC)

Defines a containment relationship between other topological containers and/or NEs.
This means they can contain NE symbols and other TCs. The network map is always
associated with one TC, which corresponds to a network view.

Tandem Connection Monitoring (TCM)

TCMs are configurable parameters (via Element Manager) of the transponders. They
provide a Performance Management of all the Optical Transport Network (that is,
end-to-end connection) or specific sections only and implement an Optical channel Data
Unit (ODU) termination provisioned to support up to six TCM levels.

Transmission Control Protocol (TCP)

Is one of the core protocols of the Internet protocol suite (IP), and is so common that the
entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked
delivery of a stream of octets between programs running on computers connected to a
local area network, intranet or the public Internet. It resides at the transport layer.

TL1

Transaction Language 1 (TL1) is a widely used management protocol in telecommunications. It is a cross-vendor, cross-technology man-machine language, and is widely
used to manage optical (SONET) and broadband access infrastructure in North
America. TL1 is used in the input and output messages that pass between Operations
Systems (OSs) and Network Elements (NEs). Operations domains such as surveillance,
memory administration, and access and testing define and use TL1 messages to
accomplish specific functions between the OS and the NE.

TNMS

Telecommunications Network Management System is a standalone application that
provides a full range of network-management functions, from the transport network's
physical structure and its NEs to those required for Automatically-Switched Optical
Networks (ASON), SW management (also referred to as X-NE or Cross-NE), Optical
Management and Ethernet Management.

TNMS Core

TNMS Core is an integrated solution designed for large, medium and small size
networks. It supports NEs with DWDM, OTH, SDH, PDH, Ethernet in line, star, ring and
mesh network configurations. TNMS Core can be used to manage networks in the
access, edge, metro, core and backbone levels.

TNMS CT

TNMS CT is a transparent software platform for SDH and DWDM NEs using QD2, QST,
QST V2, Q3 or SNMP telegram protocols. It supports line, star, ring and mesh networks
and provides access to NEs via Ethernet interface or via a serial line interface (RS232).

TNMS DX

TNMS DX is a telecommunications network management system to operate, administer
and maintain hiT 7300 NEs. It allows remote operation and control of these network
elements.

Trail Trace Identifier (TTI)

TTI is a transponder card parameter (configurable via Element Manager) which is
used to verify correct cabling or correct Tandem Connection Monitoring (TCM) configuration. The basic principle is that specific overhead bytes are reserved for Trace
Messages of the user's choosing. By specifying the Actually Sent (transmitted) and the
Expected (received) trace messages, the system can automatically verify that fiber connections have been made as intended. This is accomplished by comparing the expected
Trace Message to that actually received. If they differ, an alarm is raised, alerting personnel to the incorrect connections.

Transponder card

A transponder card receives an optical input signal and converts it to an optical output
signal suitable for DWDM multiplexing and transmission.

Transponder loopback

Loopbacks are diagnostic tests that can be activated via Element Manager. Loopbacks
return the transmitted signal back to the sending device after the signal has passed
across a particular link. The returned signal can then be compared to the transmitted
one. Any discrepancy between the transmitted and the returned signal helps to trace
faults.


User Datagram Protocol (UDP)

Is one of the core members of the Internet protocol suite (the set of network protocols
used for the Internet). With UDP, computer applications can send messages, in this
case referred to as datagrams, to other hosts on an Internet Protocol (IP) network
without prior communications to set up special transmission channels or data paths.
UDP uses a simple transmission model with a minimum of protocol mechanism. It has
no handshaking dialogues, and thus exposes any unreliability of the underlying network
protocol to the user's program. As this is normally IP over unreliable media, there is no
guarantee of delivery, ordering or duplicate protection. UDP provides checksums for
data integrity, and port numbers for addressing different functions at the source and destination of the datagram.

Ultra Long Haul (ULH)

hiT 7300 ULH segment is a DWDM application characterized by long path lengths of up
to 1600 km.

User-to-Network Interface (UNI)

Is a demarcation point between the responsibility of the service provider and the responsibility of the subscriber. This is distinct from a Network to Network Interface (NNI) that
defines a similar interface between provider networks.

Virtual Local Area Networks (VLAN)

In computer networking, a single layer-2 network may be partitioned to create multiple
distinct broadcast domains, which are mutually isolated so that packets can only pass
between them via one or more routers; such a domain is referred to as a Virtual Local
Area Network, Virtual LAN or VLAN.

Wavelength

Wavelength is a physical attribute of a wave (for example, an optical wave), defined as
the distance between corresponding points of two consecutive wave cycles.
The wavelength is directly related to the frequency of the wave.

Wait to restore time (WTR)

The time in minutes that TNMS waits until it tries to switch to the working path again,
assuming the Revertive option is selected.

eXtensible Markup Language (XML)

Is a markup language that defines a set of rules for encoding documents in a format that
is both human-readable and machine-readable. The design goals of XML emphasize
simplicity, generality, and usability over the Internet. It is a textual data format with strong
support via Unicode for the languages of the world. Although the design of XML focuses
on documents, it is widely used for the representation of arbitrary data structures, for
example in web services.
