Coriant TNMS 14.1
Installation Manual (IMN, Windows)
Issue: 5
A50023-K2035-X040-05-76D1
The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Coriant customers only for the purposes of the agreement under which the document is
submitted, and no part of it may be used, reproduced, modified or transmitted in any form or
means without the prior written permission of Coriant. The documentation has been prepared to
be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Coriant welcomes customer comments as part of the process of continuous development and improvement of the documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Coriant and the customer. However, Coriant has made
all reasonable efforts to ensure that the instructions contained in the document are adequate
and free of material errors and omissions. Coriant will, if deemed necessary by Coriant, explain
issues which may not be covered by the document. Coriant will correct errors in this documentation as soon as possible.
IN NO EVENT WILL CORIANT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR
FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO
LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR
DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Coriant 2014. All rights reserved.
A50023-K2035-X040-05-76D1
Issue: 5 Issue date: July 2014
Table of Contents
This document has 96 pages.
Table of Contents . . . 3
List of Figures . . . 7
List of Tables . . . 9
1 Preface . . . 11
1.1 Intended audience . . . 11
1.2 Structure of this document . . . 11
1.3 Symbols and conventions . . . 12
1.4 Available documentation . . . 12
1.4.1 Online Help system . . . 13
1.4.2 User Manual (UMN) . . . 13
1.4.3 Installation Manual (IMN) . . . 13
1.4.4 Upgrade Manual (UPMN) . . . 13
1.4.5 Other documents . . . 13
2 Preparation . . . 15
2.1 Component delivery . . . 15
2.2 Hardware requirements . . . 15
2.2.1 Virtualization . . . 16
2.3 Supported Operating Systems . . . 17
2.4 Prerequisites by component . . . 17
2.5 BIOS configuration . . . 18
3 . . . 19
3.1 . . . 19
3.2 Disk configuration . . . 19
3.3 Windows installation . . . 19
3.4 . . . 20
3.5 Medium configuration . . . 20
3.6 Large configuration . . . 20
3.7 Disk partitioning . . . 21
4 . . . 23
4.1 . . . 23
4.2 . . . 23
4.3 Audit policy . . . 24
4.4 FTP configuration . . . 25
4.4.1 . . . 25
4.4.2 . . . 26
4.4.3 . . . 26
4.4.4 . . . 27
4.5 Domain Verification . . . 27
4.6 . . . 27
4.7 . . . 28
5 Software prerequisites installation
5.1 Adobe Reader . . . 29
5.2 User Account Control . . . 29
5.3 MSXML . . . 29
5.4 MS.NET . . . 29
5.5 Oracle . . . 30
5.5.1 Uninstalling Oracle . . . 32
5.6 OSI Stack . . . 33
5.6.1 Installing OSI Stack . . . 33
5.6.2 Configuring OSI stack . . . 33
5.6.3 Uninstalling OSI stack . . . 34
5.7 CopSSH . . . 34
5.7.1 Installing CopSSH . . . 35
5.7.2 Configuring CopSSH . . . 35
5.7.3 CopSSH Troubleshooting . . . 37
5.7.4 CopSSH Hardening . . . 38
5.8 Antivirus . . . 38
5.9 NTI third-party software installation . . . 38
6 TNMS installation . . . 41
6.1 Full installation . . . 41
6.2 Installation of separate components . . . 44
6.3 About the automatic priority updates installation . . . 45
7 Post-installation procedures . . . 47
7.1 Starting services . . . 47
7.2 Starting a Client session . . . 47
7.3 Logging in . . . 47
7.4 Default username and password . . . 48
7.5 Changing the password . . . 48
7.6 Terminating a Client session . . . 48
7.7 Single Sign-on . . . 49
7.8 Standby server . . . 49
7.9 License keys . . . 49
7.10 Internet Explorer configuration . . . 49
7.11 Connection timeout configuration . . . 49
7.12 Importing a public certificate from IOC Online Planning (IOC OP) . . . 50
8, 8.1, 8.2, 8.2.1, 8.2.2, 8.3, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.4, 8.5, 8.5.1, 8.5.2, 8.5.3, 8.5.4
10 . . . 65
10.1 . . . 65
10.1.1 . . . 68
10.1.2 . . . 70
10.1.3 . . . 70
10.2 . . . 70
10.3 . . . 71
11 TNMS uninstallation . . . 73
12 Security hardening . . . 75
12.1 Physical and hardware hardening . . . 75
12.2 Operating System hardening . . . 75
12.2.1 Microsoft Windows security patches . . . 75
12.2.2 Disable and delete unnecessary accounts . . . 75
12.2.3 Uninstall unnecessary applications and roles . . . 76
12.2.4 Configure Auditing . . . 76
12.2.5 Disable unnecessary shares . . . 76
12.2.6 Disable Remote Registry . . . 77
12.2.7 Windows Error Reporting . . . 77
12.2.8 Additional Software . . . 78
12.2.9 Digitally signed communications (Local Security Policy) . . . 78
12.2.10 Minimize system services . . . 78
12.2.11 Remote Access/Remote Desktop . . . 80
12.2.12 Reduce passive FTP port range . . . 81
12.3 Networking and firewall configuration . . . 81
12.3.1 List of ports to open in the firewall . . . 82
12.3.2 How to configure the Windows firewall . . . 89
12.4 OEM Hardening . . . 89
12.4.1 JBoss . . . 89
12.4.2 CopSSH (SFTP) . . . 89
12.4.3 Oracle . . . 90
12.4.4 Internet Explorer . . . 90
12.5 TNMS Maintenance Packages and Workaround Updates . . . 90
12.6 User Management . . . 90
12.6.1 Restricting the specified files permissions . . . 92
Index . . . 93
Abbreviations . . . 97
Glossary . . . 101
List of Figures: Figure 1 to Figure 15
List of Tables: Table 1 to Table 12
1 Preface
This Installation Manual contains a complete description of the installation and initial
configuration processes of TNMS.
1.1 Intended audience
This document is intended for commissioners of TNMS.
1.2 Structure of this document
Chapter | Title | Subject
Chapter 1 | Preface |
Chapter 2 | Preparation | Provides a guide to the hardware and software required for the installation.
Chapter 3 | |
Chapter 4 | |
Chapter 5 | Software prerequisites installation |
Chapter 6 | TNMS installation |
Chapter 7 | Post-installation procedures |
Chapter 8 | |
Chapter 9 | Abbreviations | Contains a list of all acronyms and their long form used in TNMS.
Table 1 Structure of the manual
Some features described in this documentation may not be available. To identify the
features released for the product, see the Customer Release Notes delivered together
with the product.
1.3 Symbols and conventions
Commands
Commands and screen output are printed in a monospaced font.
Example:
Issue
powercfg.exe /hibernate off
Variables
Placeholders are printed in <angle brackets>, and filenames and paths are printed in italics.
Example:
Warnings
A safety message indicates a dangerous situation where personal injury is possible.
Example:
1.4 Available documentation
The following documents are delivered with TNMS:
1.4.1 Online Help system
Descriptive. This is for when you want to know what any window element is, in any window. Particular aspects of TNMS, or deeper knowledge of it, are routinely provided together with topical best practices.
Operational. This is for when you want to know how to perform a task.
After invoking help from the menu bar, you can search for topics via the table of contents, the index or a word search.
Help can also be invoked by:
Clicking the Help button in the current window, which displays information about the window contents.
Pressing F1, which displays information about the contents of the active window.
For most windows, F1 help is further available through the main help menu (Help > On <window name>).
1.4.2 User Manual (UMN)
1.4.3 Installation Manual (IMN)
1.4.4 Upgrade Manual (UPMN)
1.4.5 Other documents
TNMS Core and Network Elements
This manual concerns TNMS only. For more detailed information on TNMS Core or the
managed network elements (NEs), see the corresponding documentation.
Release notes
Where applicable, contains installation hints, patch descriptions, list of supported NEs,
list of supported cards and any relevant last-minute information.
2 Preparation
2.1 Component delivery
Before installation, be sure that:
The delivery is complete and in accordance with the delivery units specified in the delivery note (hardware, software and documentation).
The components are not damaged in any way.
Make sure you use the installation packages on the target machine, since TNMS installation from a network drive is not supported.
2.2 Hardware requirements
The tables below give a rough overview of the hardware recommendations for installing
TNMS; running TNMS may require different specifications depending on parameters
such as network architecture (number of Clients) or operation policies (backup, logs).
The final hardware specifications and configuration must be planned specifically for
each customer. Ask Coriant Technical Sales for more information.
Two hardware configurations (Medium and Large) designed for new installations are
provided (Table 2).
Configuration | Characteristics | Medium | Large
TNMS Server + Netserver (1 optional Client only for local troubleshooting) | Hardware | DL580 G7 or BL660c G8 (blade server) |
| Minimum CPU | |
| Minimum RAM | 32 GB | 128 GB
| Minimum HDD | (4 x) 300 GB HD | (4 x) 146 GB + (2 x) 300 GB for hardware reuse
TNMS Client | Minimum RAM | |
| Minimum HDD | |
Table 2
A new installation using the Legacy hardware configuration does not support Optical Management.
Configuration | Characteristics | Legacy hardware
Legacy hardware | Hardware | PY TX/RX200S7
| Minimum CPU |
| Minimum RAM | 12 GB
| Minimum HDD |
TNMS Client | Minimum CPU |
| Minimum RAM |
| Minimum HDD |
TNMS Server | Hardware | PY RX/TX300S7
| Minimum CPU |
| Minimum RAM |
| Minimum HDD |
Common Netserver | Minimum CPU | Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
| Minimum RAM |
| Minimum HDD |
Common Client | Minimum CPU | Intel i5-3470 or Intel Xeon E3-1220v2 4C/4T 3.10 GHz 8 MB
| Minimum RAM |
| Minimum HDD |
TNMS Netserver | |
Table 3
2.2.1 Virtualization
TNMS supports virtualization using VMware ESXi 4.1. However, Coriant neither guarantees nor is responsible for stability limits or performance under these circumstances.
The requirements for the virtual machines are similar to those presented in Table 2 and Table 3, except for the CPU, where only comparable CPU resources are required.
2.3 Supported Operating Systems
Component | Operating system | File system
Full Installation | Microsoft Windows Server 2008 R2 SP1 (x64) 1) | NTFS mandatory
Server, Server + Netserver | Microsoft Windows Server 2008 R2 SP1 (x64) 1) | NTFS mandatory
Netserver | Microsoft Windows 7 Professional SP1 (x64) |
Client | Microsoft Windows 7 Professional SP1 (x32/x64) |
Citrix Server | |
Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server
1) Both the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition and the Standard Edition are supported. However, if the machine has more than 32 GB of RAM you must install the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition, as the Standard Edition cannot allocate more than 32 GB of RAM.
Throughout this and the following chapters the designation of the several operating systems is often abbreviated to allow for better readability. Always refer to the table above for the exact versions supported for TNMS.
2.4 Prerequisites by component
The following table describes which software is required for each component. Note that the table also shows the order in which the components should be installed. After installing the operating system, the system should be commissioned as follows:
Software | Full Installation | Server + Netserver | Server | Netserver | Client
Adobe Reader | Mandatory | Optional | Optional | Optional | Mandatory
MSXML | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory
MS.NET | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory
Oracle 11.2.0.3 | Mandatory | Mandatory | Mandatory | |
OSI Stack | Mandatory | Mandatory | Mandatory | |
CopSSH | Mandatory | Mandatory | Mandatory | |
Citrix XenApp | Optional | | | |
Table 5
A dedicated Java JRE installation is not mandatory, given that the installer already includes the JRE versions required by TNMS. However, you can manually install Java j2re-1.6.0_43 (32 or 64 bit) if required by other software.
To install the Java j2re-1.6.0_43 (32 or 64 bit) use the packages available in the TNMS
prerequisites and follow the default installation procedure. For additional information
refer to the Oracle Java documentation.
Disable all Java automatic updates on the machines where Java is installed. If Java
automatic updates are enabled the system may not work properly.
2.5 BIOS configuration
This section describes the recommended configurations for the system BIOS. These refer to HP machines and may differ for other hardware configurations.
To access the BIOS, boot the machine and press F9 in the startup screen.
Processor options:
Go to System Options > Processor Options > Intel Virtualization Technology, and set it to Disabled.
Go to System Options > Processor Options > Intel VT-d, and set it to Disabled.
3.2 Disk configuration
It is recommended that you configure a RAID 1 for the disks where the operating
systems will be installed.
While booting the machine, proceed as follows:
1. When the message Press any key to view Option ROM messages appears, press ENTER.
2. When the internal controller displays the message Press <F8> to run the option ROM Configuration For Arrays Utility, press F8.
3. At the Main Menu, select Create Logical Drive.
4. Using the default settings, create the RAID 1 configuration with the two available
hard drives.
3.3 Windows installation
The steps below refer to the Windows operating system installation using the Integrated
Lights-Out (iLO) management console.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the Mount Image File file dialog box, select the Windows 2008 R2 ISO file and
press Open.
4. Restart the machine and boot from CD-ROM (typically by pressing F11 to access to
the boot menu).
The Windows installation is standard, with no special configurations or inputs. You only need to create one NTFS partition on the previously created volume (RAID 1) with ~50% of the available space. The other 50% will be used for a new partition to be created afterwards.
3.5 Medium configuration
In order to configure a Windows medium configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64-bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in Select an available device... combo box, select your device
(make sure it is not the Embedded slot).
4. In System and Devices panel, expand the Smart Array tree and select the first
branch and click Create Array.
5. Select the two available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 1 and keep the default settings. Click Save to finish the operation.
3.6 Large configuration
In order to configure a Windows large configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility (64-bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in Select an available device... combo box, select your device
(make sure it is not the Embedded slot).
4. In System and Devices panel, expand the Smart Array tree and select the first
branch and click Create Array.
5. Select all available disks and click OK.
3.7 Disk partitioning
Three new partitions are needed:
One from the internal disks (D) with the other ~50% available - NTFS
Two from the disk array - NTFS
In order to configure the disk partitioning for medium and large configurations, proceed
as follows:
1. Go to Start > Search Programs and Files, type Server Manager and press Enter.
2. In Server Manager, expand the server tree Server Manager > Storage > Disk Management. If the Initialize Disk window is displayed, click OK, keeping the default settings.
3. Identify the disk that contains the C: drive and select the grey partition that displays an Unallocated area.
   3.1 Right-click the unallocated area, select New Simple Volume and click Next.
   3.2 Choose the recommended partition size (typically 50% of the disk size) and click Next.
   3.3 Choose the drive letter D for the new partition and click Next.
   3.4 In the Format Partition window, format this volume with the following settings:
       File system = NTFS
       Allocation unit size = Default
       Choose a volume label for the new partition
       Enable the Perform quick format option
   3.5 Click Next and Finish to complete the partition creation step.
4. Identify the disk that does not contain any partition (C, D) and select the grey partition that displays an Unallocated area.
   4.1 Right-click the unallocated area, select New Simple Volume and click Next.
   4.2 Choose the recommended partition size (typically 65% of the disk size) and click Next.
   4.3 Choose the drive letter E for the new partition and click Next.
   4.4 In the Format Partition window, format this volume with the following settings:
       File system = NTFS
       Allocation unit size = Default
       Choose a volume label for the new partition
       Enable the Perform quick format option
   4.5 Click Next and Finish to complete the partition creation step.
5. Identify the disk that contains the E: drive and select the grey partition that displays an Unallocated area.
   5.1 Right-click the unallocated area, select New Simple Volume and click Next.
   5.2 Choose the recommended partition size (typically 35% of the disk size) and click Next.
   5.3 Choose the drive letter F for the new partition and click Next.
   5.4 In the Format Partition window, format this volume with the following settings:
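As an added example, not code from the Coriant manual, the following PowerShell script produces the same D:, E: and F: layout as steps 3 to 5 with diskpart instead of the Disk Management window. The disk numbers (0 for the internal RAID 1 that holds C:, 1 for the disk array), the volume labels and the temporary script path are assumptions; the drive letters, NTFS, quick format and the 50/65/35 percent splits are the values the procedure specifies.

```powershell
# Added example, not part of the Coriant manual: create the D:, E: and F:
# partitions of section 3.7 with diskpart. Assumptions: disk 0 is the internal
# RAID 1 volume that already holds C: (its remaining ~50 % becomes D:), disk 1
# is the new disk array (~65 % becomes E:, the rest F:). Written for
# PowerShell 2.0 on Windows Server 2008 R2. Run from an elevated prompt on a
# freshly installed machine only: diskpart writes the partition table without
# asking for confirmation.
$internalDisk = 0
$arrayDisk    = 1

# Win32_DiskDrive.Index is the same number diskpart uses; Size is in bytes.
$array = Get-WmiObject Win32_DiskDrive -Filter "Index = $arrayDisk"
if (-not $array) { throw "Disk $arrayDisk not found" }
$arrayMB = [int][math]::Floor([uint64]$array.Size / 1MB)
$eSizeMB = [int][math]::Floor($arrayMB * 0.65)     # step 4.2: ~65 % of the array for E:

# diskpart script. 'create partition primary' without size= takes all remaining
# unallocated space, which gives D: the other ~50 % of disk 0 (step 3.2) and F:
# the remaining ~35 % of disk 1 (step 5.2). 'quick' is the Perform quick format
# option; the allocation unit size is left at its default, as in steps 3.4-5.4.
$diskpartScript = @"
select disk $internalDisk
create partition primary
format fs=ntfs label="TNMS_D" quick
assign letter=D
select disk $arrayDisk
online disk noerr
attributes disk clear readonly noerr
create partition primary size=$eSizeMB
format fs=ntfs label="TNMS_E" quick
assign letter=E
create partition primary
format fs=ntfs label="TNMS_F" quick
assign letter=F
exit
"@

$scriptPath = Join-Path $env:TEMP 'tnms-partitions.txt'   # assumed location
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Read the result back: drive letter, file system, label and size of the new volumes.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
    Where-Object { 'D:', 'E:', 'F:' -contains $_.DeviceID } |
    Select-Object DeviceID, FileSystem, VolumeName,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
```

Check the disk numbers in Disk Management (or with `Get-WmiObject Win32_DiskDrive | Select Index, Model, Size`) before running it: selecting the wrong disk destroys its contents.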
Determine the file system to be used, the partition to be used by the installation and
the components to install.
The machine where the TNMS Server is installed should use NTFS, as it provides
extra security for the Oracle database files.
How the network, IP addresses and TCP/IP name management will be handled.
Ensure that the host IP addresses are static, that is, do not use DHCP dynamic
addresses.
In the machines where the TNMS Server and/or Netserver are installed, disable
Hibernate by running the following command as administrator:
powercfg.exe /hibernate off
4.2
TNMS Component | Legacy Medium | Legacy Large | Medium | Large
Server | 12 GB | 24 GB | 16 GB | 64 GB
Netserver | 4 GB | 4 GB | |
Table 6
4.3 Audit policy
Configure the audit policy only if your network has legacy, NEC-interfaced NEs, that is, NEs other than hiT 7300 or hiT 7100.
To enable auditing locally in the installed OS:
1. Open the Local Security Policy settings via Start menu/button > Control Panel (Windows 7 only) > Administrative tools > Local Security Policy icon.
2. In the tree pane, select Audit Policy under Local Policies.
Figure 1
3. In the details pane, double-click the following policy settings to open the properties window:
   Audit Account Logon Events, to track user logon and logoff - select the check boxes Success and Failure.
   Audit Account Management, to report changes to user accounts - select the check boxes Success and Failure.
   Audit Directory Service Access, to report access and changes to the directory service - No auditing (no check box selected).
   Audit Logon Events, to report success/failure of any local or remote access-based logon - select the check boxes Success and Failure.
   Audit Object Access, to report file and folder access - select the check boxes Success and Failure. The auditing configuration for the individual object (file or folder) must be set within its properties.
   Audit Policy Change, to report group policy changes - select the check boxes Success and Failure.
   Audit Privilege Use, to report when permissions (read, write...) are used - select only the check box Failure.
   Audit Process Tracking, to report when processes and programs fail (not security related) - No auditing (no check box selected).
   Audit System Events, to report standard system events (not security related) - select the check boxes Success and Failure.
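The same nine settings can be applied and verified from the command line, which is easier to repeat and to record than the Local Security Policy window. The script below is an added example, not code from the Coriant manual; it uses the legacy audit category names of auditpol.exe and assumes an elevated prompt on the machine being commissioned.

```powershell
# Added example, not part of the Coriant manual: apply the audit policy of
# section 4.3 with auditpol.exe and read the effective settings back.
# Written for PowerShell 2.0 on Windows 7 / Server 2008 R2; run elevated.
$auditSettings = @(
    # category,             success,   failure     (setting in section 4.3)
    @('Account Logon',      'enable',  'enable'),  # Audit Account Logon Events
    @('Account Management', 'enable',  'enable'),  # Audit Account Management
    @('DS Access',          'disable', 'disable'), # Audit Directory Service Access: no auditing
    @('Logon/Logoff',       'enable',  'enable'),  # Audit Logon Events
    @('Object Access',      'enable',  'enable'),  # Audit Object Access
    @('Policy Change',      'enable',  'enable'),  # Audit Policy Change
    @('Privilege Use',      'disable', 'enable'),  # Audit Privilege Use: failure only
    @('Detailed Tracking',  'disable', 'disable'), # Audit Process Tracking: no auditing
    @('System',             'enable',  'enable')   # Audit System Events
)

foreach ($setting in $auditSettings) {
    $category, $success, $failure = $setting
    # Passing an array to a native command expands it into separate arguments;
    # PowerShell quotes the category argument because it contains a space.
    $auditpolArgs = @('/set', "/category:$category", "/success:$success", "/failure:$failure")
    & auditpol.exe $auditpolArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for category '$category' (exit code $LASTEXITCODE)"
    }
}

# Verification: /r prints the effective policy as CSV, one row per subcategory.
# 'Inclusion Setting' reads 'Success and Failure', 'Success', 'Failure' or
# 'No Auditing'; every subcategory of a category gets the category's value.
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

Two points to keep in mind when checking the result: auditpol writes subcategory-level settings, so verify with `auditpol /get` rather than the category view in Local Security Policy, and Audit Object Access only produces events for files and folders that carry an auditing entry (SACL) in their own properties, as the section notes.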
4.4 FTP configuration
This section guides you through the required configuration of the component services.
4.4.1
1. Open Start > Administrative tools > Server Manager > Roles.
2. Click Add Roles to open the Add Roles Wizard and click Next.
3. In Server Roles, select Web Server (IIS) and click Next.
4. In Web Server (IIS), click Next.
5. In Role Services, select the following services from the tree:
   Web Server
      Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors
      Health and Diagnostics: HTTP Logging, Request Monitor
      Security: Request Filtering
      Performance: Static Content Compression
   Management Tools: IIS Management Console, IIS Management Scripts and Tools, Management Service
      IIS Management Compatibility - when you select this option a warning pops up informing you that two other components must also be installed. Accept their installation.
         IIS 6 Scripting Tools
   FTP Server: FTP Service, FTP Extensibility
6. Click Next.
7. In Confirmation, click Install.
8. In Results, select Close.
9. Reboot your computer.
4.4.2
1. Open Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left pane tree, expand the Default Computer > Sites.
3. In the right pane, select Add FTP Site. This opens the Add FTP Site window.
4. Enter the FTP site name.
5. In Physical Path, change the folder to C:\inetpub\ftproot, click OK and Next.
6. In the Binding and SSL Settings step, configure the IP Address or leave it as default.
7. In SSL, select Allow SSL. Click Next.
8. In the Authentication and Authorization Information step, select Authentication as Basic.
9. In Authorization, allow access to All users, with permissions Read and Write.
10. Click Finish.
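Both parts of this procedure, the role services of 4.4.1 and the FTP site of 4.4.2, can be scripted on Windows Server 2008 R2 with the ServerManager and WebAdministration modules, which gives a repeatable commissioning step and a read-back of the security settings. The script is an added example, not code from the Coriant manual; the site name, port 21 and the listening address are assumptions, while C:\inetpub\ftproot, Allow SSL, Basic authentication and Read/Write for all users are the values the procedure specifies.

```powershell
# Added example, not part of the Coriant manual: install the IIS role services of
# section 4.4.1 and create the FTP site of section 4.4.2 on Windows Server 2008 R2.
# Written for PowerShell 2.0; run from an elevated prompt.
Import-Module ServerManager
Import-Module WebAdministration

# Feature names mirror the Role Services tree of step 5 in 4.4.1. The extra
# components that IIS Management Compatibility asks for in the wizard are
# resolved as dependencies by Add-WindowsFeature.
$features = @(
    'Web-Server',
    'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors',
    'Web-Health', 'Web-Http-Logging', 'Web-Request-Monitor',
    'Web-Security', 'Web-Filtering',
    'Web-Performance', 'Web-Stat-Compression',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Mgmt-Service',
    'Web-Mgmt-Compat', 'Web-Lgcy-Scripting',
    'Web-Ftp-Server', 'Web-Ftp-Service', 'Web-Ftp-Ext'
)
$result = Add-WindowsFeature -Name $features
if (-not $result.Success) { throw "IIS role installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Reboot required (step 9 of 4.4.1) before the FTP site is configured.'
}

$siteName = 'TNMS FTP'              # assumption
$ftpRoot  = 'C:\inetpub\ftproot'    # physical path from step 5 of 4.4.2
if (-not (Test-Path $ftpRoot)) { New-Item -ItemType Directory -Path $ftpRoot | Out-Null }

# Steps 3-6: create the site; the binding keeps the default (all unassigned) address.
New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $ftpRoot -Force | Out-Null
$sitePath = "IIS:\Sites\$siteName"

# Step 7: SSL policy 'Allow' on the control and the data channel.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# Step 8: Basic authentication only; anonymous access stays disabled.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# Step 9: authorization rule - all users, Read and Write.
$ruleParams = @{
    Filter   = '/system.ftpServer/security/authorization'
    PSPath   = 'IIS:\'
    Location = $siteName
    Value    = @{ accessType = 'Allow'; users = '*'; permissions = 'Read,Write' }
}
Add-WebConfiguration @ruleParams

# Read the security-relevant settings back for the commissioning record.
Get-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy
Get-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled
(Get-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName).Collection |
    Select-Object accessType, users, permissions
```

Allow SSL accepts both cleartext and TLS sessions, so Basic credentials may cross the network unencrypted when a client does not negotiate TLS; where every peer that uses this site supports FTPS, setting both policies to `SslRequire` removes that case. Check the peers' capabilities before tightening it, and see chapter 12 (Reduce passive FTP port range, firewall ports) for the remaining FTP hardening steps.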
4.5 Domain Verification
Check whether a network domain exists, using the following Windows steps:
1. Go to System Properties via Start > Control Panel > System.
2. In Computer name, domain, and workgroup settings, check the Domain information.
If a network domain exists and both TNMS Core and TNMS belong to it, log on to that domain and proceed with the installation as you normally would.
If a network domain does not exist, then:
You may skip this configuration, but then you will not have Single Sign On capabilities in TNMS.
Contact your network administrator for details on how to configure the domain, since domain details are specific to your network.
4.6
The TNMS installer will check if the hosts file is correctly configured. In case the server
belongs to a domain, make sure FQDN matches the domain.
If no domain exists and the hosts file is not configured, the installation will not proceed.
4.7
TNMS enforces this setting during its installation. However, to avoid warnings while installing TNMS, configure the dynamic port range before the installation (required for Server and Netserver machines), as described below.
Execute the following procedure to ensure the correct configuration of the Server and Netserver machines:
1. Open the command line (cmd) as Administrator.
2. Execute the command:
netsh int ipv4 show dynamicport tcp
3. If the reported start port is not 49152, then execute the command:
netsh int ipv4 set dynamicport tcp start=49152 num=16384 persistent
Windows is now prepared concerning dynamic port range configuration.
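Sections 4.5 to 4.7 are all conditions the installer later checks or warns about, so they lend themselves to one pre-installation script: domain membership, a hosts file entry that maps the machine's FQDN to a static local IPv4 address, and the dynamic port range. The script below is an added example, not code from the Coriant manual, and it does not reproduce the installer's own hosts check, which is not published; it tests the conditions the manual states. The function names are assumptions, and the netsh commands are the ones from section 4.7.

```powershell
# Added example, not part of the Coriant manual: pre-installation checks for
# sections 4.5 (domain), 4.6 (hosts file / FQDN) and 4.7 (dynamic port range).
# Written for PowerShell 2.0 on Windows Server 2008 R2; run elevated.
function Get-DomainStatus {
    $cs = Get-WmiObject Win32_ComputerSystem
    $fqdn = if ($cs.PartOfDomain) { "$($cs.Name).$($cs.Domain)" } else { $cs.Name }
    New-Object PSObject -Property @{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain     # holds the workgroup name when PartOfDomain is $false
        Fqdn         = $fqdn
    }
}

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($line in Get-Content $Path) {
        $text = ($line -split '#')[0].Trim()        # drop comments and blank lines
        if (-not $text) { continue }
        $fields = $text -split '\s+'                # address, then one or more names
        if ($fields.Count -lt 2) { continue }
        New-Object PSObject -Property @{ Address = $fields[0]; Names = $fields[1..($fields.Count - 1)] }
    }
}

function Test-TnmsHostsFile {
    $status = Get-DomainStatus
    $nics   = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $dhcp   = $nics | Where-Object { $_.DHCPEnabled }
    if ($dhcp) {
        $names = ($dhcp | ForEach-Object { $_.Description }) -join ', '
        Write-Warning "DHCP-assigned address on: $names. TNMS requires static addresses (section 4.1)."
    }
    $localIPv4 = $nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
    $entry = Get-HostsEntries | Where-Object { $_.Names -contains $status.Fqdn -and $localIPv4 -contains $_.Address }
    if ($entry) {
        "OK: hosts maps $($status.Fqdn) to $($entry.Address)"
    } else {
        Write-Warning "hosts has no entry mapping $($status.Fqdn) to a local IPv4 address (section 4.6)."
    }
    if ($status.PartOfDomain) {
        "Member of domain $($status.Domain); Single Sign On is possible if TNMS Core is in the same domain."
    } else {
        "Not a domain member (workgroup $($status.Domain)); Single Sign On will not be available (section 4.5)."
    }
}

function Get-DynamicPortRange {
    $output = (& netsh.exe int ipv4 show dynamicport tcp) -join "`n"
    $start  = [regex]::Match($output, 'Start Port\s*:\s*(\d+)')
    $count  = [regex]::Match($output, 'Number of Ports\s*:\s*(\d+)')
    if (-not $start.Success -or -not $count.Success) { throw 'Could not parse netsh output (non-English Windows?)' }
    New-Object PSObject -Property @{
        StartPort     = [int]$start.Groups[1].Value
        NumberOfPorts = [int]$count.Groups[1].Value
    }
}

function Set-TnmsDynamicPortRange {
    $range = Get-DynamicPortRange
    if ($range.StartPort -eq 49152 -and $range.NumberOfPorts -eq 16384) {
        return "Dynamic port range already correct: start $($range.StartPort), $($range.NumberOfPorts) ports"
    }
    # Same command as step 3 of section 4.7.
    & netsh.exe int ipv4 set dynamicport tcp start=49152 num=16384 persistent | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    $range = Get-DynamicPortRange
    "Dynamic port range set: start $($range.StartPort), $($range.NumberOfPorts) ports"
}

Test-TnmsHostsFile
Set-TnmsDynamicPortRange
```

The netsh parsing relies on the English output labels; on a localized Windows installation adjust the two regular expressions. The port range 49152 to 65535 is also the range chapter 12 expects when the firewall rules are written, so keeping the two consistent avoids blocked ephemeral connections later.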
5.1 Adobe Reader
You can either download the latest Adobe Reader from the Adobe website (recommended) or use the version included in the Prerequisites folder.
Coriant is not responsible for issues or vulnerabilities introduced by Adobe Reader, in particular when you download it yourself.
To install Adobe Reader, just follow the standard options shown in its installer. For any specific information on this, see the Adobe Reader documentation.
5.2 User Account Control
5.3 MSXML
MSXML 4.0 is an XML parser. It must be installed on the system so that network
configuration data can be imported and exported in XML format.
To install MSXML 4.0 SP2 on all supported operating systems, proceed as follows:
1. Double-click the msxml4sp2.msi file in the MSXML directory on the software DVD.
2. A welcome window is now displayed. Press Next to continue.
3. In the End-User License Agreement window, accept the terms of the license
agreement, and press Next to continue.
4. In the Customer Information window, enter a user name and the name of your
company in the appropriate fields. Press Next to continue.
5. In the Choose Setup Type window, press Install Now.
6. The window Installing Microsoft XML Parser and SDK window is now displayed.
The progress of the installation is indicated by the progress bar.
7. Once the installation is complete, the window Completing the Microsoft XML
Parser and SDK Setup Wizard is displayed. Press Finish to complete the installation.
5.4 MS.NET
Windows Server 2008
MS.NET 3.5 is installed with Windows Server 2008, but requires activation. To activate
.NET 3.5, proceed as follows:
5.5 Oracle
This section describes the installation of Oracle Database 11g Release 2 (64-bit) for
Microsoft Windows x64. The supported version is 11.2.0.3.
The Oracle Database must be installed in the TNMS Server machine.
Before installing
To successfully install and run TNMS, at least 40GB of free disk space must be available in the destination machine before installing the Oracle database. RAM
requirements are indicated in Table 7 RAM requirements and Oracle template files.
TNMS Configuration   RAM (GB)   Oracle template file   Managers
Large                128        TNMS_LW.dbt            All
Medium               32         TNMS_MW.dbt            All
Legacy                          TMNS_SW.dbt
Table 7  RAM requirements and Oracle template files
For the remaining hardware, follow the recommendations described in 2.2 Hardware
requirements. Note that the values in this table are recommended and may vary according to the network dimension and the used hardware.
Before installing
By default, the TNMS Database Installer assumes the following directory locations:
However, it is possible to install from different locations. If you use the default
directory locations, you have to create them manually before you start the installation.
During the installation you will be requested to confirm the directory paths. If you use
different locations, you must enter them manually whenever applicable.
1
Create both default directory locations indicated above. If you want to use other
locations, make sure they are accessible from the installer (in a local or mapped
drive).
Unzip the Oracle installation disks 1 and 2 to c:\oramedia (in case of the recommended
default location). Only the extracted database folder is required. The directory structure should be as follows:
c:\oramedia\database
Copy the folders from the delivered TNMS media to the <TNMS INSTALLER
DIRECTORY> (recommended default location: c:\inst). The directory structure
should be as follows:
c:\inst\TNMS_Installer
c:\inst\TNMS_Prerequisites
Installation
The following steps guide you through the Oracle Database installation.
1
Go to <TNMS_INSTALLER_DIRECTORY>\TNMS_Prerequisites\Oracle\
installation, right-click the Exec_TNMS_oracle_install.bat file and
select Run as administrator.
A new terminal window opens. The installation log location is c:\temp and the full
path is displayed on the screen.
Enter the drives for the ORADATA, ORALOG and ORATRACE directories, or
accept the default by pressing [ENTER]. Make sure you specify a valid drive letter
followed by the colon sign (for example: c:).
Enter the TNMS database name, or accept the default by pressing [ENTER]. The
database name must be between 1 and 12 characters long and the first character
must be alphabetic.
The main menu is presented as follows:
0 - Check requirements
1 - Oracle Software Installation
2 - TNMS database creation
3 - TNMS database configuration
4 - Exit
Enter the desired option.
Press [ENTER] to confirm the default path or enter the template file path for your
configuration:
5.5.1 Uninstalling Oracle
To uninstall the TNMS database and the Oracle software you must use the uninstallation
tool provided by Oracle. Proceed as follows:
1. Go to Start > All Programs > Accessories > Command Prompt, right-click it,
select Run as administrator and then enter the following command:
<Oracle Home>\deinstall\deinstall.bat
5.6 OSI Stack
If QB3 is to be used, an OSI stack must be installed on the NetServer PCs before the
NetServer software.
5.6.1
5.6.2
5.6.3
Click Start > Control panel > System and Security > System.
Open the Advanced system settings > Advanced tab.
Click the button "Environment variables"
In the lower list (user variables), search for OSIPIPE variable.
The OSI stack configuration is finished.
Open Start > Control Panel > Administrative Tools > Services.
Select the OSI stack service and press Stop.
Open Start > Control Panel > Add/Remove Programs.
Select the OSI stack from the software list.
Click Uninstall.
6. Confirm the uninstall process with Finish and restart your computer.
5.7 CopSSH
CopSSH is a Secure Shell (SSH) server providing SSH File Transfer Protocol (SFTP) and
Secure Copy (SCP) services, used for transferring data to and from some types of NEs.
CopSSH installation is required for netservers only if there are hiT 7100, hiT 7300
or ADVA NEs in your network.
In order to support SFTP or SCP transactions via the LCT, you must install and configure CopSSH in TNMS.
5.7.1 Installing CopSSH
To install CopSSH 4.7.1, proceed as follows (the procedure is the same for all supported
operating systems):
1. In the software DVD, go to the CopSSH directory, right-click the
Copssh_4.7.1_x86_Installer.exe file and select Run as administrator.
2. The setup wizards Welcome window is shown. Click Next.
3. In the License Agreement window click I Agree.
4. Enter an Installation folder or accept the default by clicking Next.
5. Enter the service account credentials.
6. You must select the user that will be used for the CopSSH account service management, by choosing one of the following options:
Keep the default CopSSH user: SvcCOPSSH (the installer generates a random
password). If you choose this option, keep that password for the future (recommended).
Or
Select a new user (must be different from existing local machine users). In this
case you must provide a username and a password that matches the following
requirements:
- The username must be at least four characters in length.
- Passwords cannot contain the user's account name or parts of the user's full
name exceeding two consecutive characters.
- Passwords must be at least six characters in length.
- Passwords must contain characters from three of the following four categories:
English uppercase characters (A through Z).
English lowercase characters (a through z).
Base 10 digits (0 through 9).
Non-alphabetical characters (for example: !, $, #, %).
Click Install.
7. Click Close to finish the installation.
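The following script is an added example, not part of the Coriant documentation or of CopSSH; it encodes the user name and password rules listed in step 6 so that a candidate service-account password can be checked before it is typed into the installer. The rule about "parts of the user's full name" is implemented the way the Windows password policy tokenises a full name (splitting on commas, periods, dashes, underscores, spaces, hashes and tabs), which is an assumption; all sample names and passwords are constructed.

```python
import re
from typing import List

# Delimiters used to split a full name into parts for the "must not contain parts of
# the user's full name" rule (assumption: same tokenisation as the Windows policy).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def check_username(username: str) -> List[str]:
    """Return the list of rule violations for a CopSSH service account name."""
    return ["username shorter than 4 characters"] if len(username) < 4 else []


def check_password(password: str, username: str, full_name: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < 6:
        problems.append("password shorter than 6 characters")

    # The account name, and every part of the full name longer than two characters,
    # must not appear anywhere in the password (compared case-insensitively).
    lowered = password.lower()
    parts = [username] + [p for p in NAME_DELIMITERS.split(full_name) if p]
    for part in parts:
        if len(part) > 2 and part.lower() in lowered:
            problems.append(f"password contains name part '{part}'")

    categories = [
        any("A" <= c <= "Z" for c in password),   # English uppercase characters
        any("a" <= c <= "z" for c in password),   # English lowercase characters
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not ("A" <= c <= "Z" or "a" <= c <= "z" or "0" <= c <= "9")
            for c in password),                   # non-alphabetical, e.g. ! $ # %
    ]
    used = sum(categories)
    if used < 3:
        problems.append(f"only {used} of 4 character categories used (3 required)")
    return problems


def is_acceptable(username: str, password: str, full_name: str = "") -> bool:
    return not check_username(username) and not check_password(password, username, full_name)


if __name__ == "__main__":
    # Constructed candidates: one acceptable, one that repeats the account name.
    for user, pwd, name in (("SvcCOPSSH", "Sv!cop1", ""),
                            ("sftpuser", "sftpuser1", "SFTP Transfer")):
        print(user, repr(pwd), check_username(user) + check_password(pwd, user, name))
```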
5.7.2 Configuring CopSSH
As a security measure, CopSSH's default user cannot be used to access the machine.
Therefore, new users must be created.
Configuring users in CopSSH:
1. Create a user with limited privileges in the operating system. This user will be used
to perform the SFTP / SCP.
2. Grant the user write privileges on the C:\Program Files (x86)\ICW folder. Go to
Properties, add the user created and give the user Modify permissions.
3. Go to Start > Programs > CopSSH, right-click CopSSH Control Panel and
click Run as administrator.
4. In the Status tab, check if the service is running (green button). If not, click on the
red button to start it.
5. Go to Users tab and click Add.
6. Click Forward to begin the CopSSH User Activation wizard.
7. Choose the current machine for domain and the user you created earlier. Click
Forward.
8. Select the shell access type:
For ADVA NEs, select Linux shell and Sftp.
For hiT 7100 and/or hiT 7300 NEs, select Sftp.
For ADVA NEs together with hiT 7300 and/or hiT 7100 NEs, select Linux Shell and
Sftp.
Of the three options available, only Password authentication must remain
checked. Uncheck the other two options, Public key authentication and Allow
TCP forwarding; leaving TCP forwarding enabled would let the SFTP account tunnel
arbitrary connections through the NetServer.
Click Forward.
9. Click Apply to activate the user.
Changing the default number of simultaneous sessions
The following procedure is mandatory in order to support multiple NE requests.
Note that if you run the CopSSH Control Panel after performing the procedure below, the
changes made to the sshd_config file are reset and must be reapplied.
1. Edit the file C:\Program Files (x86)\ICW\etc\sshd_config
Below is a sample sshd_config file (after the CopSSH Control Panel has been run
for the first time):
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 10
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 10
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
2. Change both MaxSessions values (the global value on line 8 and the one inside the
Match User copuser block on line 14) to 100. Leave MaxSessions 0 in the Match User *
block: it keeps every account without an explicit Match block from opening sessions.
3. Add the line MaxStartups 10:30:100 after line 8 to limit the number of open
unauthenticated sessions and so avoid an overload of the SSH daemon. MaxStartups is
a global setting and must appear before the first Match line. With 10:30:100, sshd
refuses new unauthenticated connections with 30% probability once 10 are pending and
refuses all of them once 100 are pending.
4. Below is the sample above after the changes:
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 100
MaxStartups 10:30:100
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 100
# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
5. Save the sshd_config file and restart the CopSSH service using Windows Control
Panel.
5.7.3 CopSSH Troubleshooting
Go to Start > Programs > CopSSH > CopSSH Control Panel and in the Status
tab, check that the CopSSH service is running (green color). If not:
1.
2.
3.
4.
5.
Administrator:unused:10500:10513:U-AUMELRD-TD-03\Administrator,S-1-5-21-3507081192-3007060136-515313314-500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-AUMELRD-TD-03\FTPUser,S-1-5-21-3507081192-3007060136-515313314-1021:/home/FTPUser:/bin/bash
Guest:unused:10501:10513:U-AUMELRD-TD-03\Guest,S-1-5-21-3507081192-3007060136-515313314-501:/home/Guest:/bin/bash
sshd:unused:11025:10513:U-AUMELRD-TD-03\sshd,S-1-5-21-3507081192-3007060136-515313314-1025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-AUMELRD-TD-03\SvcCOPSSH,S-1-5-21-3507081192-3007060136-515313314-1026:/var/:/bin/bash
2. If the password file does not contain the details of the SFTP user, grant write
access to the ICW folder to the Windows user that is used to install CopSSH.
5.7.4 CopSSH Hardening
If you wish to further restrict the CopSSH user's privileges by making connections via
an interactive shell impossible, proceed as follows.
Note that if you run the CopSSH Control Panel after performing the procedure below, all
the changes to the passwd file are reset.
1. Go to <CopSSH installation path>\etc\ and edit the passwd file.
2. Edit the line (example) from
reguser:unused:11010:10513:reguser,U-TSVM41\TestPL,S-1-5-21-2769772405-123357289-3683661142-1010:/home/reguser:/bin/bash
to
(...):/bin/false
3. Save the file.
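The following script is an added example, not part of the Coriant documentation or of CopSSH. It serves the check in 5.7.3 (is the SFTP user present in the passwd file at all?) and the edit in 5.7.4 (replace that user's shell with /bin/false without touching any other record). The passwd content is constructed after the listing in 5.7.3; host name and SIDs are invented. Remember from 5.7.2 that ADVA NEs need Linux shell access, so only apply set_shell to accounts that serve SFTP-only NEs.

```python
from typing import List, Optional, Tuple

# Constructed CopSSH passwd content modelled on the listing in 5.7.3 (host name and SIDs
# invented). Fields are name:password:uid:gid:gecos:home:shell; the gecos field carries
# the Windows account and SID and contains commas and a backslash but never a colon.
SAMPLE_PASSWD = (
    "sshd:unused:11025:10513:U-HOST01\\sshd,S-1-5-21-1111-2222-3333-1025:/var/empty:/bin/bash\n"
    "SvcCOPSSH:unused:11026:10513:U-HOST01\\SvcCOPSSH,S-1-5-21-1111-2222-3333-1026:/var/:/bin/bash\n"
    "reguser:unused:11010:10513:reguser,U-HOST01\\reguser,S-1-5-21-1111-2222-3333-1010:/home/reguser:/bin/bash\n"
)

NO_SHELL = "/bin/false"


def parse_passwd(text: str) -> List[List[str]]:
    """Split each non-empty line into exactly 7 fields; anything else is a corrupt record."""
    records: List[List[str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":", 6)   # a 7th colon would be part of the shell field
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        records.append(fields)
    return records


def find_user(text: str, user: str) -> Optional[List[str]]:
    """Windows account names are case-insensitive, so compare them that way."""
    for rec in parse_passwd(text):
        if rec[0].lower() == user.lower():
            return rec
    return None


def shell_of(text: str, user: str) -> Optional[str]:
    rec = find_user(text, user)
    return rec[6] if rec else None


def set_shell(text: str, user: str, shell: str = NO_SHELL) -> Tuple[str, bool]:
    """Rewrite only the target user's shell field; every other line is kept byte for byte.
    Returns (new text, whether the user was found)."""
    out: List[str] = []
    found = False
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":", 6)
            if len(fields) == 7 and fields[0].lower() == user.lower():
                fields[6] = shell
                line = ":".join(fields)
                found = True
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), found


def audit(text: str, sftp_user: str) -> List[str]:
    """5.7.3: the SFTP user must be listed; 5.7.4: once hardened it must have no shell."""
    problems: List[str] = []
    rec = find_user(text, sftp_user)
    if rec is None:
        problems.append(f"{sftp_user} missing from passwd: activate the user again (see 5.7.3)")
    elif rec[6] != NO_SHELL:
        problems.append(f"{sftp_user} still has shell {rec[6]}; set it to {NO_SHELL} (see 5.7.4)")
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, "reguser"))
    hardened, ok = set_shell(SAMPLE_PASSWD, "reguser")
    print(ok, audit(hardened, "reguser"))
    print(hardened)
```

On a real machine, read <CopSSH installation path>\etc\passwd, call set_shell for the SFTP user, write the result back and keep a copy: the Control Panel regenerates the file and audit() will tell you when the change has been lost.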
5.8 Antivirus
To protect TNMS against viruses, you should install F-Secure Client on all machines.
Refer to the software release notes to see the released versions.
5.9 NTI third-party software installation
Run the NTI_DS_Installer.exe file, located in the TNMS_Prerequisites folder.
Proceed as described in the setup windows. In the Welcome window, click Next.
In the License Agreement window, choose I accept the terms of License Agreement and click Next.
In the Directory Name (Default: C:/NTI_DS) window, enter the installation directory
or select it from the Choose dialog and click Next.
Click Next.
In the Pre-Installation Summary window check if the installation options are correct
and confirm by clicking Install.
In the Install Complete window, you see the message Your computer must be
restarted to complete the installation. Click Finish.
Ensure the services are started through Start > Control Panel > Administrative Tools
> Services.
The following services must exist and be in state Started.
JacORB IMR
OpenFusion.NotificationService 4.2.3
6 TNMS installation
This chapter describes the TNMS installation. If you have a previous TNMS version
installed in your system, jump to 9 Upgrade to TNMS 14.1 10.
Before you install TNMS be sure to read and follow the directions below. Failing to
comply will result in a failed installation.
6.1 Full installation
To install TNMS Server, NetServer and Client in the same machine (full installation):
1. Copy all relevant priority updates into ...\TNMS Installer\PUs.
2. Login on the operating system with a user that has administrative rights.
3. Right-click the installation file on the TNMS SW CD and select Run as administrator (Figure 2).
Figure 2
The Introduction window opens and the complete list of installation steps is displayed on the left pane.
Click Next to continue.
4. Read the License Agreement and then select I accept the terms of the License
Agreement.
Click Next to continue.
5. In the Choose Install Set step, click Full to install all components in the machine.
The available buttons describe the installation variants offered.
Click Next to continue.
6. Select your type of hardware configuration: Medium, Large (see 2.2 Hardware
requirements) or Legacy Hardware.
Select Legacy Hardware to install TNMS Server in machines that meet the
hardware requirements for TNMS 13.2 1x but not for TNMS 14.x xx.
Database port: the Oracle server port number. The default value is 1521.
Database username: the user schema of the database to be created (example:
TNMS).
Using the same user and password in all installations is recommended because it
ensures that the database can be restored on any machine. A different user and
password can be used for security reasons (a shared password means that one
compromised installation exposes the others), as long as you keep these data for
future reference and use the same user and password on the system where you
perform the backup and on the system where you restore it.
If you select TMF/Corba, you must have previously installed the NTI as
described in 5.9 NTI third-party software installation.
Click Next.
10.3 Select the LCTs to be installed.
Click Next to continue.
10.4 Select the NEs to be installed and all their versions, for example:
[X] hiT 7300 5.10.0x
[X] hiT 7300 5.10.10
[X] hiT 7300 5.10.2x
[X] hiT 7300 5.30.50
[X] hiT 7300 5.30.60
Click Next to continue.
11. In the Choose Install Folder step:
11.1 Enter the path for the TNMS installation folder, the TNMS Data folder (see
note), the LCT installation folder and the EML Mediation installation folder.
Make sure that the TNMS Data folder is empty. If not, backup and remove the
data or select a different folder.
12. If CopSSH is not installed in the machine, a warning pops up to let you know that the
NetServer requires you to install it (see 5.7.1 Installing CopSSH)
If CopSSH is already installed, you must provide a valid SFTP User, that is, a
Windows user that was added to CopSSH (see 5.7.2).
The user is not created again. The user mentioned in this step serves as a cross
check with the user added in the CopSSH configuration (see 5.7.2 Configuring
CopSSH).
13. In case you have more than one Network Interface Card (NIC) installed, the Choose
host IP address panel is displayed providing a list of the IPs associated with each
NIC.
Click the pulldown menu and choose the IP that corresponds to the host name of the
machine.
In case you only have one NIC, this panel is not displayed and you must proceed to
the next step.
14. Enter the TNMS server's IP address (blank by default) if you are installing the
NetServer on a machine other than the server.
Click Next to continue.
This step is skipped in some cases, such as if the server has only one IP address.
15. In the OpenDS Directory Server Configuration step set the following OpenDS
database server information:
All fields except the Admin password are automatically filled in. If not, cancel the
installation wizard, complete the 4.6 System Hosts configuration and start the installation once more.
18. If one or more of the priority updates you copied into ..\TNMS Installer\PUs does not
comply with a set of preconditions a warning message is displayed (for additional
information check 6.3 About the automatic priority updates installation).
A warning message stating that the firewall is enabled may be displayed during the
installation configuration even though the Windows Firewall window shows the firewall
as disabled. This contradiction arises because the TNMS Installer uses netsh advfirewall
(netsh adv) commands to check the firewall status, and these can return a status
different from the one presented in the GUI.
To configure the firewall refer to 12.3 Networking and firewall configuration.
The TNMS installation creates the following services on the target machine after the full
installation is completed:
6.2
If you install the TNMS Client and/or the Netserver on Windows 7, go to Start >
Control Panel > System > Advanced System Settings > Advanced tab > Performance pane > Settings button > Visual Effects tab and select the option adjust
for best performance.
6.3
If you install the TNMS Netserver in a machine other than the Server, the TNMS
Servers IP address is requested during the installation.
If you install the TNMS Netserver in the same machine as the Server, the TNMS
Servers IP address is requested only if the server has more than one IP address.
If one or more PUs fail to meet one or more of these conditions, warnings are displayed
to let you know which PUs fail to comply with which condition. Also, in the Pre-installation summary you can find the following two sections:
7 Post-installation procedures
If you decide to harden the system, you must do it before starting TNMS in a production
environment. See 12 Security hardening for instructions.
7.1 Starting services
Services, such as TNMS Server, TNMS EmlMediator and TNMS Generic Mediator start
automatically with the machine.
7.2
7.3 Logging in
Once started, you can log in to TNMS. Press the spacebar or click the icon to get the
login window. You must fill in the following fields:
Server name.
You can select a previously used value set from the menu. Alternatively, input the
server data in either the <server IP address>:<port number> or the <server name>:<port
number> format. The default value is localhost:1100.
User name.
Input a valid user name.
Password.
Input the user's password.
If you are logging in after an update rather than an installation from scratch, the users
and passwords remain unchanged from the previous version.
7.4
Password: e2e!Net4u#
7.5
If Single Sign-on is enabled later on, this menu item will no longer be displayed as no
password within TNMS will be required.
Password complexity rules
New passwords are validated by the system according to the rules below.
The new password must:
Differ from the old one by at least 3 characters. This is enforced only if the password
is changed through the Change Password window.
7.6
7.7 Single Sign-on
By enabling Single Sign-on (SSO) the users can log in to TNMS using the operating
system credentials, without having to enter another username and password.
This configuration can be done at any point in time and is therefore described in the
TNMS User Manual.
7.8 Standby server
This configuration can be done at any point in time and is therefore described in TNMS
User Manual.
7.9 License keys
Logging in allows you to access elementary TNMS features such as viewing the network
map or activating NEs. However, full access to the whole TNMS, including the Managers
ASON, Ethernet and Optical, is granted through the acquisition and installation of proper
license keys.
7.10
7.11
7.12
Get the IOC OP Server public certificate file tcserver.cer and copy it to the TNMS
Server.
For information on how to generate this file, refer to the IOC OP Installation Manual
for Solaris, section on generating the IOC OP server keystore and public key pair.
TNMS Server returns the certificate details and asks you to allow the import. Before
answering yes, compare the serial number and the other details shown with the values
reported on the IOC OP server itself: the certificate is self-signed (Owner and Issuer
are identical), so this prompt is the only point at which a substituted file can be
detected.
Owner: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
L=Lisboa, ST=Alfragide, C=PT
Issuer: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
L=Lisboa, ST=Alfragide, C=PT
Serial number: 4ffd7431
...
Trust this certificate? [no]: yes
8.1 General description
You must back up information contained in the following two data repositories:
Oracle server - DCN management and services information. This server includes
the TNMS database.
OpenDS server - User and security information.
Oracle database backups are used to recover the database after corruption events
or unexpected integrity issues, restoring it to its last consistent state.
These backups contain TNMS specific data plus other Oracle files required for
database recovery.
The Oracle database backups are stored in Oracle's Fast Recovery Area under the
BACKUPSET directory.
You must not use the BACKUPSET directory for any operations other than Oracle
database backups.
Full backups of the Oracle database are stored with a retention policy that allows for
a redundancy of 2 backups. Therefore the BACKUPSET directory contains the last
3 backups and older ones are automatically removed.
TNMS database backup files are used to restore TNMS to a previous state in order
to, for example, undo undesired user configurations or restore TNMS state to a
clean installation.
TNMS database backup files cannot be used to directly recover from an Oracle
database corruption event.
TNMS database backup files are stored under a target directory (local or remote) of
your creation or choice. Inside this directory, each backup operation creates a subdirectory named after the backup timestamp <yyyy_MM_dd_HH_mm_ss>, where
the backup files are saved.
When performing a database backup, ensure there are writing permissions to the
target directory.
OpenDS database backup files are also stored under a target directory (local or
remote) of your creation or choice. Inside this directory, each backup operation
creates a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss>, where the backup files are saved.
You may choose to back up simultaneously the TNMS and OpenDS databases. In such
case, the timestamped subdirectory will contain both databases backup files.
8.2
8.2.1 Interactive mode
To access the interactive mode console, run backuprestore.bat with no arguments
from
C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location), to open the
interactive menu as displayed in Figure 3.
Figure 3
8.2.2 Non-interactive mode
The non-interactive mode allows you to embed the B&R feature into a scriptable
language in order to automate common and repetitive tasks.
To use the non-interactive mode, run the backuprestore.bat application from
C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location) using arguments
to specify the operation you intend to perform (Table 8).
You can enter backuprestore -h in the command line to see this list.
Option            Description
-b, --backup
-r, --restore
-s, --schema
-l, --ldap
-d, --directory
-u
-p, --password
-R, --recovery    Use this option to recover the Oracle database. Note that it does
                  not refer to the TNMS database.
-h, --help        This option displays the list of the available arguments.
Table 8  Options of the backuprestore application
8.3
8.3.1
In case you reschedule the daily backup, set it to run off high load periods, so that the
application performance is not affected.
This operation will perform the full backup of the entire Oracle database, including the
TNMS database backup files.
You should also consider scheduling an independent backup of the TNMS database
backup files, since Oracle backup files are kept for 3 days at most. Refer to
8.3.5 Automating the Backup procedures for more information.
To change the scheduled backup time:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Run backuprestore.
4. Select option 4> Schedule settings on the console.
5. Provide the TNMS credentials (Figure 4).
Figure 4
6. Provide the new time for the scheduled backup to run, in a 24-hour format (Figure 4).
7. Press Enter.
8.3.2
Figure 5
Backup submenu
4.4 Select option 1> TNMS database from the submenu in Figure 5.
4.5 Enter the directory of your choice (local or remote) where the backup files will be
stored and press Enter.
5. Or run
backuprestore -b -s -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the TNMS database is saved within. The backup file is saved as <name of the
TNMS database>.DMP.
8.3.3
Figure 6
Backup submenu
4.4 Select option 2> LDAP database from the submenu in Figure 6.
4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
backuprestore -b -l -d <directory> -u <username> -p <password>.
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the LDAP database is saved within. The backup file is saved as userRoot.ldif.
8.3.4
Figure 7
Backup submenu
4.4 Select option 3> Both TNMS and LDAP databases from the submenu in Figure
7.
4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
backuprestore -b -a -d <directory> -u <username> -p <password>.
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
files of the TNMS and LDAP databases are saved within. The backup files are saved
respectively as <name of the TNMS database>.DMP and userRoot.ldif.
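The following script is an added example, not part of the Coriant documentation or of the B&R tool. It builds the non-interactive command lines from 8.3.2 to 8.3.4 and, more usefully, verifies what a run left behind: it locates the newest <yyyy_MM_dd_HH_mm_ss> subdirectory, checks that the files the manual names (<TNMS database>.DMP, userRoot.ldif) exist and are non-empty, and optionally that the newest backup is not older than a given age. Such a check belongs at the end of any scheduled job, because a backup that silently stops producing files is only discovered at restore time. The demo tree is constructed with placeholder bytes; "TNMS" as database name and the share path are assumptions. Note that -p puts the password on the command line, where other local users can read it from the process list, so run scheduled jobs under the dedicated backup user of 8.3.5 and not with an administrator's TNMS credentials.

```python
import os
import re
import tempfile
from datetime import datetime
from typing import List, Optional

# Subdirectory name format used by the B&R tool: <yyyy_MM_dd_HH_mm_ss>
STAMP_FORMAT = "%Y_%m_%d_%H_%M_%S"
STAMP_RE = re.compile(r"^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}$")
BACKUP_FLAGS = {"schema": "-s", "ldap": "-l", "all": "-a"}


def backup_argv(kind: str, directory: str, user: str, password: str) -> List[str]:
    """Argument vector for the non-interactive backup of 8.3.2 to 8.3.4."""
    return ["backuprestore.bat", "-b", BACKUP_FLAGS[kind], "-d", directory,
            "-u", user, "-p", password]


def expected_files(kind: str, db_name: str) -> List[str]:
    """Files the manual says a backup of the given kind produces."""
    files: List[str] = []
    if kind in ("schema", "all"):
        files.append(f"{db_name}.DMP")
    if kind in ("ldap", "all"):
        files.append("userRoot.ldif")
    return files


def latest_backup_name(root: str) -> Optional[str]:
    """Newest timestamped subdirectory; the fixed-width stamp sorts chronologically as text."""
    stamps = [d for d in os.listdir(root)
              if STAMP_RE.match(d) and os.path.isdir(os.path.join(root, d))]
    return max(stamps) if stamps else None


def verify_backup(root: str, kind: str, db_name: str,
                  max_age_hours: Optional[float] = None) -> List[str]:
    """Return problems found with the newest backup under root; empty list means it is usable."""
    problems: List[str] = []
    name = latest_backup_name(root)
    if name is None:
        return [f"no timestamped backup directory under {root}"]
    if max_age_hours is not None:
        age = datetime.now() - datetime.strptime(name, STAMP_FORMAT)
        if age.total_seconds() > max_age_hours * 3600:
            problems.append(f"latest backup {name} is older than {max_age_hours} hours")
    for fname in expected_files(kind, db_name):
        path = os.path.join(root, name, fname)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing {fname}")
        elif os.path.getsize(path) == 0:
            problems.append(f"{name}: {fname} is empty")
    return problems


def make_demo_tree() -> str:
    """Constructed tree for a dry run: an older complete backup and a newer one holding
    only the TNMS dump (what an -s run leaves behind). File contents are placeholders."""
    root = tempfile.mkdtemp(prefix="tnms_bkp_")
    for stamp, files in (("2014_07_01_02_00_00", ("TNMS.DMP", "userRoot.ldif")),
                         ("2014_07_02_02_00_00", ("TNMS.DMP",))):
        sub = os.path.join(root, stamp)
        os.makedirs(sub)
        for fname in files:
            with open(os.path.join(sub, fname), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print(backup_argv("all", r"\\10.0.0.5\tnms_backup", "backupuser", "<password>"))
    print(latest_backup_name(demo), verify_backup(demo, "all", "TNMS"))
```

Point verify_backup at the directory you passed with -d (the same UNC path the manual requires for remote drives), with kind matching the flag used and db_name equal to the TNMS database name chosen in 5.5.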
8.3.5 Automating the Backup procedures
You can also use SCHTASKS.EXE to inspect the schedule details or delete schedules.
To list schedule details run:
SCHTASKS.EXE /TN "<SCHEDULE_NAME>"
And to delete a schedule run:
SCHTASKS.EXE /DELETE /TN "<SCHEDULE_NAME>"
You must create a user in TNMS dedicated to scheduled backups and not allow it to
expire. Create the user via User Administration and select the option User cannot
change password. When setting the backup commands to be run by the schedules, use
this user.
8.4
Figure 8
Backup window
In the TNMS main window, click the Administration > System > Backup menu
item.
The Backup window opens.
The backup path must already exist beforehand in the server side, otherwise the
task fails and you receive the following error message in a notification popup, in
the bottom right corner: Backup operation failed.
The TNMS server machine must have read and write permissions on the shared
folder, granted to everyone within the domain, so that no credentials are requested to
read it. For accesses from outside the domain, credentials will still be requested.
If you use a remote drive, you have to specify the full network drive path, since
TNMS is not able to reach the mapped drive through the letter assigned by
Windows.
Example:
Local drive - C:\<BackupFolder>
Remote drive - \\<IP address>\<BackupFolder>
Select whether to export the TNMS Data, the TNMS Users, or both.
When there is a backup running through the command line, it is not possible to run a
manual backup through the TNMS Client. The opposite is also not possible.
In the TNMS main window, click the Administration > System > Backup... menu
item.
The Backup window opens.
Click OK.
When a scheduled backup is run, both the TNMS database and LDAP are backed up.
8.5
8.5.1
8.5.2
After the Oracle database recovery, a TNMS database restore is not necessary since
the Oracle database backups also contain the TNMS specific data.
Figure 9
Restore submenu
4.5 Enter the directory where to load the backup file <name of the TNMS database>.DMP from and press Enter.
5. Or run
backuprestore -r -s -d <directory>
The "TNMS Server" service is automatically restarted when the restore procedure is
complete.
8.5.3
Figure 10
Restore submenu
5.5 Enter the directory where to load the backup file (userRoot.ldif) from and press
Enter.
6. Or run
backuprestore -r -l -d <directory>
Both the "TNMS Server" and the OpenDS services are automatically restarted after the
restore procedure is complete.
8.5.4
Figure 11
Restore submenu
5.5 Enter the directory where to load the backup files (<name of the TNMS database>.DMP and userRoot.ldif) from and press Enter.
6. Or Run
backuprestore -r -a -d <directory>
The TNMS Server service will be stopped before the restore procedure and both the
TNMS Server and the OpenDS services will be restarted after the restore procedure.
10.1
It is possible to install TNMS Client and TNMS Core Client / System Administration
either in a same machine or in separate machines. However, they must share a
machine if you want both client applications integrated with a GUI cut-through.
It is possible to install TNMS Netserver and TNMS Core Netserver in a same
machine, but, if you use the UDP protocol to connect the DCN to any NE, you must
follow the procedure described under 10.1.1 Configuring a Common Netserver.
It is possible to install TNMS Standby Server and TNMS Core Standby Server in a
same machine. In this scenario, you must follow the procedure described under
10.1.3 Configuring a Common standby server.
Figure 12
Figure 13
Figure 14
Common Netserver
Figure 15
10.1.1 Configuring a Common Netserver
TNMS Core
You must complete all of the following three sets of instructions for the configuration to
be complete.
This configuration can be done any time after installation. However the configuration
must be done prior to connecting TNMS Core and TNMS to same network element via
UDP, otherwise you will get an inconsistent network state representation.
Using both UDP and TCP protocols to connect to the same NE is not allowed and will
result in an inconsistent network state representation.
To configure the operating system in the Netserver machine, proceed as follows:
1.
2.
3.
4.
5.
TNMS Core and TNMS must use different IPs to communicate with each NE via
UDP protocol. If you configure the Primary IP in TNMS you must configure the Secondary IP in TNMS Core and vice versa. Those IPs are configured in the Bind IP Address
field.
In TNMS proceed as follows:
1. Go to the DCN Management window.
2. Create a new SNMP channel.
3. In the General tab:
3.1 If you want to use the Primary IP leave the Automatic IP Address checked. In
the field IP Address enter the Primary IP.
3.2 If you wish to use the Secondary IP:
Uncheck the Automatic IP Address.
In the field IP Address enter the Primary IP.
In the field Bind IP Address enter the Secondary IP.
The connection to the NetServer is performed using the Primary IP and the connection to the NEs will be established using the Secondary IP.
Remember you must use different IPs in TNMS and in TNMS Core. If you use the
Primary IP in TNMS you must use the Secondary IP in TNMS Core and vice versa.
4. Click OK and activate the channel.
In TNMS Core proceed as follows:
1.
2.
3.
4.
10.1.2
10.1.3 Configuring a Common standby server
10.2
You can also synchronize the DCN between TNMS Core and TNMS, in shared network
management scenarios. You can schedule a periodical import from TNMS Core that
updates the DCN configuration in TNMS, avoiding the repetition of manual changes.
Check TNMS User Manual for detailed instructions on how to configure and use the
import from TNMS Core feature.
10.3
Important note
When an NE is simultaneously managed by TNMS and TNMS Core, the configuration
of the respective properties in the DCN Management window must be the same.
11 TNMS uninstallation
Before uninstalling TNMS and in case you have a standby server assigned, you must
first unassign it by doing as follows in the active server:
1. Select Administration > System > Standby Server Configuration and fill in the
available fields. The address of the current standby server is filled in automatically.
2. Verify your input and click Unassign to start the procedure.
The progress and result can be followed in the configuration steps, along with the
elapsed time.
3. When the unassignment finishes, a notification pops up in the lower right corner with
the status of the operation, either success or error.
Alternatively, it is possible to check in System Event Log that the procedure has
ended successfully.
If any error occurs, the logs can be checked in
/tmp_home/[timestamp]/result.log.
In the standby server, perform the following steps:
1. Go to the installation folder and, in \bin\scripts, run as Administrator
standby-server.bat.
2. In the interactive menu select 3. Unconfigure StandBy.
To uninstall TNMS, do as follows:
1. Go to Start > Control Panel > Programs and Features.
2. In the list, right-click TNMS and select Uninstall.
3. Restart the machine once the uninstallation finishes.
When the application is uninstalled, the users and groups are kept on the system and
they are not deleted.
12 Security hardening
This chapter describes the existing TNMS security hardenings.
Note that TNMS already applies security hardening during installation. This means that,
for example, security settings are defined so that no unnecessary permissions are
granted. The remaining items are, in a default installation, hardened to an acceptable
level. However it is possible to improve from that level as is described in the following
sections.
12.1
12.2
12.2.1
The TNMS server machine should be located in a room where only the system
administrators have access.
A physical access control should be put in place, including, for example, electronic
door locks.
Any non-required I/O interfaces, such as USB interfaces or DVD drives, should be
removed or, at least, disabled.
Any type of communication interfaces not required for the operation of TNMS should
be removed or, at least, disabled. This is especially important for wireless interfaces
such as Bluetooth or WLAN adapters.
All hardware should be securely installed so that it cannot easily be moved.
The facilities where the hardware is located should have sufficient heat dissipation
and, if needed, the server room should be air-conditioned.
Additional security measures like video surveillance of server rooms is recommended.
The BIOS of the machines used for TNMS should be protected by password, to
prevent unauthorized modification of the machines BIOS configuration.
12.2.2
Administrator
sshd
SvcCOPSSH
All other users should be disabled. For example, during the Windows Server 2008 installation, the Administrator, Guest and Help Assistant accounts are created by default.
Both Guest and Help Assistant accounts should be disabled at all times.
To disable an account, do as follows:
1. Go to Start > All Programs > Administrative Tools > Server Manager > Configuration > Local Users and Groups > Users.
2. Right-click on the user name (for example Guest or Help Assistant) and select Properties.
3. Click on Disable Account.
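The GUI procedure above disables one account at a time and does not tell you whether anything else is still enabled. The following PowerShell script is an added example, not part of the Coriant manual: it disables Guest and HelpAssistant with net user (Disable-LocalUser does not exist on Windows Server 2008) and then lists every enabled local account that is not Administrator, sshd or SvcCOPSSH, the three accounts this section leaves enabled. The account name HelpAssistant for the "Help Assistant" account and the allow-list are assumptions of this example.

```powershell
# Added example, not from the Coriant manual. Run elevated on the TNMS server.
# Assumptions: "Help Assistant" is the account named HelpAssistant; the allow-list
# is the set of accounts section 12.2.2 leaves enabled.
$allowed     = @('Administrator', 'sshd', 'SvcCOPSSH')
$mustDisable = @('Guest', 'HelpAssistant')

function Disable-TnmsUnneededAccounts {
    foreach ($name in $mustDisable) {
        # net user exists on every Windows version TNMS runs on;
        # Disable-LocalUser only exists from Windows Server 2016 / PowerShell 5.1.
        $null = & net user $name /active:no 2>&1
        if ($LASTEXITCODE -eq 0) { Write-Host "disabled: $name" }
        else { Write-Host "not present, nothing to do: $name" }
    }
}

function Get-UnexpectedLocalAccounts {
    # LocalAccount=True keeps domain accounts out of the result; Disabled=False
    # leaves only accounts that can still log on.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True AND Disabled=False' |
        Where-Object { $allowed -notcontains $_.Name }
}

Disable-TnmsUnneededAccounts
$unexpected = @(Get-UnexpectedLocalAccounts)
if ($unexpected.Count -gt 0) {
    Write-Warning 'Enabled local accounts outside the allow-list (disable or justify each one):'
    $unexpected | Select-Object Name, Status, PasswordRequired, PasswordExpires | Format-Table -AutoSize
} else {
    Write-Host 'OK: only Administrator, sshd and SvcCOPSSH are enabled locally.'
}
```

Run the script again after every Windows role or application change; roles and third-party installers (print, fax, backup agents) create service accounts that do not appear in the original list.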
12.2.3
Go to Start > All Programs > Administrative tools > Server manager > Roles
and click to remove roles.
12.2.4
Go to Start > Control Panel > Programs and Features, select the application and
click to remove.
12.2.5 Configure Auditing
To automatically configure the audit policies, run the following command, located in the
TNMS software:
TNMS_Prerequisites\Audit Policies\AuditPolicies.bat
You can check the configured audit policies by running in the command line:
auditpol /get /category:*
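Reading the auditpol output by eye is error-prone on a server with some fifty subcategories. The following PowerShell script is an added example, not part of the Coriant manual or of AuditPolicies.bat: it parses the CSV form of the same command (auditpol /get /category:* /r) and reports every subcategory still at "No Auditing", plus any of a small set of logon and policy-change subcategories that is not at "Success and Failure". That minimum set is this example's choice, not a list from the manual.

```powershell
# Added example, not from the Coriant manual. Verifies the result of AuditPolicies.bat.
# Assumption: $mustAudit is this example's minimum for a management server, not a list
# taken from the manual; extend it to your own policy.
$mustAudit = @('Logon', 'Logoff', 'Account Lockout', 'Special Logon',
               'Audit Policy Change', 'User Account Management',
               'Security Group Management', 'Security State Change')

function Get-AuditPolicyState {
    # /r makes auditpol print CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        New-Object PSObject -Property @{
            Subcategory = $_.Subcategory.Trim()
            # one of: No Auditing | Success | Failure | Success and Failure
            Setting     = $_.'Inclusion Setting'.Trim()
        }
    }
}

function Test-TnmsAuditPolicy {
    $state    = @(Get-AuditPolicyState)
    $findings = @()
    foreach ($row in $state) {
        if ($row.Setting -eq 'No Auditing') {
            $findings += "not audited: $($row.Subcategory)"
        }
        if (($mustAudit -contains $row.Subcategory) -and ($row.Setting -ne 'Success and Failure')) {
            $findings += "must be 'Success and Failure': $($row.Subcategory) is '$($row.Setting)'"
        }
    }
    foreach ($name in $mustAudit) {
        # a subcategory that auditpol does not report at all is a finding too
        if (-not ($state | Where-Object { $_.Subcategory -eq $name })) {
            $findings += "subcategory not reported by auditpol: $name"
        }
    }
    return $findings
}

$findings = @(Test-TnmsAuditPolicy)
if ($findings.Count -eq 0) {
    Write-Host 'audit policy OK'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

auditpol prints subcategory names in the language of the installed Windows, so on a non-English server match on the Subcategory GUID column instead of the name. A non-zero exit code lets the check run from a scheduled task and raise an alarm when a Group Policy refresh silently reverts the settings.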
12.2.6
Table 9 Shares
Share | Description | Disable
DriveLetter$ | Administrative share of the root of each local drive (C$, D$, ...) |
ADMIN$ | Administrative share of the Windows system directory |
IPC$ | Named-pipe share used for inter-process communication (SMB session setup, RPC) |
NETLOGON | Logon script share; exists only on domain controllers |
SYSVOL | Group Policy and replicated domain data share; exists only on domain controllers |
Print$ | Printer driver share |
FAX$ | Fax service share |
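Removing a share with net share is not enough by itself: the Server service recreates ADMIN$ and the drive shares at the next boot. The following PowerShell script is an added example, not part of the Coriant manual: it sets the LanmanServer AutoShareServer/AutoShareWks values that stop the automatic shares from coming back, removes the ones that exist now, and prints whatever is still shared so that each remaining share can be justified. The interpretation of what NETLOGON, SYSVOL, Print$ and FAX$ indicate is this example's, not the manual's.

```powershell
# Added example, not from the Coriant manual. Run elevated on the TNMS server.
# "net share X /delete" alone is undone at the next boot: the Server service
# recreates ADMIN$ and <drive>$ unless AutoShareServer/AutoShareWks are 0.
# IPC$ cannot be removed; it is reachable only if TCP 445 is open in the firewall.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-AdminShares {
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
    # remove the ones that exist now, so the change takes effect without a reboot
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -eq 'ADMIN$' -or $_.Name -match '^[A-Za-z]\$$' } |
        ForEach-Object {
            $rc = $_.Delete().ReturnValue      # 0 = success
            $result = if ($rc -eq 0) { 'removed' } else { "error $rc" }
            Write-Host ("{0}: {1}" -f $_.Name, $result)
        }
}

function Get-RemainingShares {
    # Everything still shared except IPC$ was created by someone and needs a reason.
    # NETLOGON/SYSVOL exist only on a domain controller; Print$/FAX$ mean a print or
    # fax role is installed, which section 12.2.3 says to remove.
    Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -ne 'IPC$' } |
        Select-Object Name, Path, Type, Description
}

Disable-AdminShares
Get-RemainingShares | Format-Table -AutoSize
```

Keep in mind that with the administrative shares gone, remote tools that copy files over ADMIN$ (PsExec-style deployment, some backup agents) stop working; that is the intended effect on a dedicated TNMS server, but check the maintenance procedures that rely on them before applying this on a shared host.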
12.2.7
12.2.8 Additional Software
The TNMS server machine should be dedicated to run the TNMS Server only. No additional software should be installed beyond the TNMS application and its prerequisites
listed below:
Acrobat Reader
CopSSH
ICW Base
ICW COPSSHCP
ICW OpenSSHServer
J2SE Runtime Environment
Java (TM)
Microsoft Visual C++ Redistributable (several packages)
OSI Stack
TNMS
Virus Scanner (for example, TrendMicro OfficeScan Client)
12.2.9
12.2.10
configuration of the system, such as in case of headless server (see 12.2.11 Remote
Access/Remote Desktop).
The following services must be disabled because TNMS does not need them. Some of
them must be considered inherently insecure.
FTP (*) shall only be enabled explicitly when legacy NEs are used that support only FTP
and not SFTP/SCP or FTPS.
Smart card
SNMP Trap
Software Protection
SPP Notification Service
SSDP Discovery
Storage Service
Tablet PC Input Service
Telephony
Thread Ordering Server
TPM Base Services
UPnP Device Host
Virtual Disk
Volume Shadow Copy
WebClient
Windows Backup
Windows Biometric Service
Windows CardSpace
Windows Connect Now - Config Registrar
Windows Media Player Network Sharing Service
Windows Remote Management (**)
Windows Search
WinHTTP Web Proxy Auto-Discovery Service
Wired AutoConfig
WLAN AutoConfig
WWAN AutoConfig
* FTP is only needed if TNMS manages legacy NEs, which support FTP but do not
support any secure protocol.
** Disable only if no remote server administration shall be permitted
Windows services can be disabled via Start > Administrative Tools > Services.
If a service is changed to "disabled" via context menu it is no longer running and will no
longer be automatically started during OS startup.
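Disabling two dozen services through the Services console is slow and easy to get wrong, and nothing in the console tells you afterwards whether a Windows update re-enabled one of them. The following PowerShell script is an added example, not part of the Coriant manual: it stops and disables the services from the list above, skips any that are not installed, keeps FTP and WinRM switchable as footnotes * and ** allow, and ends with a verification pass over the same list. The display names "Microsoft FTP Service" and "Windows Remote Management (WS-Management)" for the two footnoted services are this example's assumption for Windows Server 2008.

```powershell
# Added example, not from the Coriant manual. Run elevated on the TNMS server.
# Assumptions: the names below are the manual's list, used as Windows display names;
# 'Microsoft FTP Service' and 'Windows Remote Management (WS-Management)' are the
# display names behind footnotes * and ** on Windows Server 2008.
$unneeded = @(
    'Smart Card', 'SNMP Trap', 'Software Protection', 'SPP Notification Service',
    'SSDP Discovery', 'Storage Service', 'Tablet PC Input Service', 'Telephony',
    'Thread Ordering Server', 'TPM Base Services', 'UPnP Device Host', 'Virtual Disk',
    'Volume Shadow Copy', 'WebClient', 'Windows Backup', 'Windows Biometric Service',
    'Windows CardSpace', 'Windows Connect Now - Config Registrar',
    'Windows Media Player Network Sharing Service', 'Windows Search',
    'WinHTTP Web Proxy Auto-Discovery Service', 'Wired AutoConfig',
    'WLAN AutoConfig', 'WWAN AutoConfig'
)

function Disable-TnmsUnneededServices {
    param([switch]$KeepFtp, [switch]$KeepWinRM)   # footnotes * and **
    $targets = $unneeded
    if (-not $KeepFtp)   { $targets += 'Microsoft FTP Service' }
    if (-not $KeepWinRM) { $targets += 'Windows Remote Management (WS-Management)' }
    foreach ($display in $targets) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "not installed: $display"; continue }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        }
        # Disabled = will not start at boot and cannot be started by a dependent service
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host ("disabled: {0} [{1}]" -f $display, $svc.Name)
    }
}

function Get-StillEnabledServices {
    # Verification: anything from the list whose start mode is not Disabled.
    param([string[]]$Names = $unneeded)
    foreach ($display in $Names) {
        $filter = "DisplayName='{0}'" -f $display.Replace("'", "''")
        Get-WmiObject -Class Win32_Service -Filter $filter |
            Where-Object { $_.StartMode -ne 'Disabled' } |
            Select-Object DisplayName, Name, StartMode, State
    }
}

Disable-TnmsUnneededServices            # add -KeepFtp / -KeepWinRM where footnotes * and ** apply
Get-StillEnabledServices | Format-Table -AutoSize
```

Run the verification function after each patch cycle. Note that the manual's list disables Volume Shadow Copy together with Windows Backup; if a site backup agent outside the TNMS backup scripts depends on VSS, that agent will break, so decide that before applying the list rather than after.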
TNMS Server uses the following services:
12.2.11
If the Allow connections only from computers running Remote Desktop with
Network Level Authentication check box is selected but greyed out, the Require
user authentication for remote connections by using Network Level Authentication Group Policy setting has already been enabled and applied to the Remote Desktop
Session Host server.
4. Click OK.
12.2.12
12.3
Coriant does not recommend deploying a firewall between the NetServer and the NE
network. This scenario is not tested and therefore is not officially supported. If the
customer needs to deploy one for topology or security reasons, the ports listed for
NetServer <> NE communication in this manual can be used as a starting point to
configure the firewall for the Coriant hiT7300 and hiT7100 NEs. Other supported NEs
may need different or additional ports and protocols. Refer to the specific NE's manual
to gather the information required to configure your firewall.
12.3.1
Coriant does not recommend the use of a proxy to access the Citrix Server through the
web interface, but if you decide to use one you must open a port in the firewall for the
proxy.
Table 10 Firewall rules
Source | Destination | Destination Port | Protocol | Application | Encrypted | Description | Optional / Mandatory
 | TNMS Server | 8093 | TCP | MTOSI / JMS | No | | Optional
 | TNMS Server | 4189 | TCP | PCEP | | | Optional
 | TNMS Server | 17289 (Default) | TCP | MTMN CORBA (CORBA NS) | | TMF-814 interface for integration into umbrella NMS. | Only if CORBA NBI is used
 | TNMS Server | 3528 (CORBA IIOP) | TCP | CORBA Northbound Interface | | |
TNMS Server | | configurable | TCP | CORBA | | External CORBA Naming Service. |
TNMS Server | | configurable | TCP | CORBA | | External CORBA Notification Service. |
Firewall between a remote Administrator machine and TNMS Server or TNMS NetServer (northbound) machines
TNMS remote Administrator machine | TNMS Server machine / TNMS NetServer (northbound) machine | 3389 | TCP | RDP (Windows Remote Access) | Yes (if TNMS security hardening is followed) | Windows Remote Desktop for remote administration. | Optional. Only required if TNMS machines need to be administered remotely.
TNMS Client (Citrix client) | Citrix server | 1494 | TCP | ICA | No | For Citrix. | Optional. Only required when Citrix is used.
TNMS Client (Citrix client) | Citrix server | 2598 | TCP | ICA | Yes | For Citrix. | Optional. Only required when Citrix is used.
TNMS Client (Citrix client) | Citrix server | 80 | TCP | http | No | For Citrix. | Optional. Only required when Citrix is used.
TNMS Client (Citrix client) | Citrix server | 443 | TCP | https | Yes | For Citrix. | Optional. Only required when Citrix is used.
TNMS Client | TNMS Server | 1098 | TCP | RMI | | | Mandatory
TNMS Client | TNMS Server | 1100 | TCP | JBoss NS | | JBoss Naming Service | Mandatory
TNMS Client | TNMS Server | 3873 | TCP | EJB3 | | EJB3 Remoting Connector | Mandatory
TNMS Client | TNMS Server | 4444 | TCP | RMI | | | Mandatory
TNMS Client | TNMS Server | 4445 | TCP | RMI | | | Mandatory
TNMS Client | TNMS Server | 5445 | TCP | RMI | | | Mandatory
TNMS Client | TNMS Server | 8080 | TCP | WEBDAV | | WEBDAV service | Mandatory
TNMS Client | TNMS Server | 8083 | TCP | RMI | | | Mandatory
TNMS Client | TNMS Server | 8093 | TCP | JMS | | JMS Service | Mandatory
TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SSH/SCP | No (local only) | Secure Copy (secure copy over SSH) | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs.
TNMS Server | TNMS NetServer (northbound) | 1198 | TCP | RMI | No (local only) | |
TNMS Server | TNMS NetServer (northbound) | 1199 | TCP | JBossNS | No (local only) | JBoss Naming Service |
TNMS Server | TNMS NetServer (northbound) | 3973 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector |
TNMS Server | TNMS NetServer (northbound) | 4445 | TCP | RMI | No (local only) | |
TNMS Server | TNMS NetServer (northbound) | 8083 | TCP | RMI | No (local only) | |
TNMS Server | TNMS NetServer (northbound) | 8093 | TCP | RMI | No (local only) | RMI |
TNMS Server | TNMS NetServer (northbound) | 19980 | TCP | CORBA | No (local only) | CORBA omniORB listening port |
TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SFTP | No (local only) | Secure FTP | Optional. Only if TNMS manages Juniper MX / PTX NEs.
TNMS Server | TNMS NetServer (northbound) | 1298 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies |
TNMS Server | TNMS NetServer (northbound) | 1299 | TCP | JBossNS | No (local only) | JBoss Naming Service |
TNMS Server | TNMS NetServer (northbound) | 4073 | TCP | EJB3Conn | No (local only) | JBoss default EJB3 connector |
TNMS Server | TNMS NetServer (northbound) | 8083 | TCP | RMI | No (local only) | |
TNMS Server | TNMS NetServer (northbound) | 8093 | TCP | RMI | No (local only) | RMI |
TNMS Server | TNMS NetServer (northbound) | 21 | TCP | FTP | No (local only) | File Transfer Protocol | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
TNMS Server | TNMS NetServer (northbound) | 49152-65535 | TCP | FTP | No (local only) | File Transfer Protocol. Limit the dynamic range used by the FTP server: 1. Go to IIS connection manager > Connections column (Server) > FTP Firewall Support > Set Data Channel Port Range and insert the desired range. 2. Restart IIS. 3. Insert the same range in the firewall. | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs.
TNMS Netserver (northbound) | TNMS Server | 1098 | TCP | RMI | No (local only) | | Mandatory
TNMS Netserver (northbound) | TNMS Server | 1100 | TCP | JBoss | No (local only) | JBoss Naming Service | Mandatory
TNMS Netserver (northbound) | TNMS Server | 3528 | TCP | CORBA / IIOP | No (local only) | CORBA Object Adapter (used by TNMS NBI/SBI) | Mandatory
TNMS Netserver (northbound) | TNMS Server | 4444 | TCP | RMI | No (local only) | | Mandatory
TNMS Netserver (northbound) | TNMS Server | 8083 | TCP | RMI | No (local only) | | Mandatory
TNMS Netserver (northbound) | TNMS Server | 8093 | TCP | JMS | No (local only) | JMS Service | Mandatory
TNMS active server | TNMS standby server | 1521 | TCP | Oracle stream | No | Oracle database replication | Optional. Only if there is a standby TNMS Server installed.
TNMS standby server | TNMS active server | 1521 | TCP | Oracle | No | Oracle database replication | Optional. Only if there is a standby TNMS Server installed.
TNMS Server | DNS server | 53 | TCP | DNS | No | Only if a DNS service is used. | Optional. Only required if TNMS standby server is used.
TNMS Server | NTP server | 123 | TCP / UDP | NTP | No | Use TCP or UDP depending on the configuration of the NTP server. | Mandatory
TNMS Server | Server where TNMS logs are transferred to | 21 | TCP | FTP | No | External server to store logs | Optional. Only needed if logs are to be transferred to an external log file server.
TNMS Server | Server where TNMS logs are transferred to | 22 | TCP | SFTP | Yes | External server to store logs | Optional. Only needed if logs are to be transferred to an external log file server.
TNMS Server | Domain controller | 88 | UDP | Kerberos | No | |
TNMS Server | Domain controller | 135 | TCP / UDP | DCE / RPC | | |
TNMS Server | Domain controller | 389 | TCP / UDP | LDAP | | |
TNMS Server | Domain controller | 445 | TCP / UDP | AD / SMB | | |
TNMS Server | Domain controller | 464 | TCP / UDP | Kerberos | | |
 | TNMS Netserver (southbound) | 10000-13999 | TCP | SNMPv3 over TCP (RFC3420) | Yes (SNMPv3) | SNMP multiplexing ports (NAPT) for embedded CT; target NE | Mandatory
SNMP managers | NE | 161 | TCP | SNMPv3 over TCP (RFC3420) | Yes (SNMPv3) | | Mandatory
TNMS Netserver (southbound) | NE | 22 | TCP | SSH / SCP | Yes | Secure Copy (secure copy over SSH) | Mandatory
TNMS Client (LCT) | NE/GNE management interface | 990-993 | TCP | FTPS (LCT) | | For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE. The number of [...] and not recommended. To avoid direct connectivity you should configure the TNMS SFTP settings for tunneling communications between LCT and NEs. | Optional
TNMS Client (LCT) | NE/GNE management interface | 49152-65535 | TCP | FTPS | | For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE. | Optional
TNMS Netserver | Juniper NE | 22 | TCP | NetConf | Yes (SSH) | | Optional (only if there are Juniper NEs in your network)
Juniper NE | TNMS Netserver | 32666 | UDP | SNMPv3 | Yes (SNMPv3) | Trap notifications from Juniper (southbound) | Optional (only if there are Juniper NEs in your network)
NE | TNMS Netserver (southbound) | 8002 | TCP | SNMPv3 | Yes (SNMPv3) | Traphandler | Optional (only if there are any of these NEs in your network)
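Table 10 lists what has to pass; the host firewall on the TNMS Server is where most of it is enforced. The following PowerShell script is an added example, not part of the Coriant manual: it creates Windows Firewall rules for the mandatory TNMS Client to TNMS Server ports of Table 10, restricts them to the client subnet, limits RDP (3389) to the administration host, and switches the inbound default to block so that only explicit rules pass. The subnet and administrator address are placeholders, and netsh advfirewall is used instead of the New-NetFirewallRule cmdlets because those need Windows Server 2012 or later.

```powershell
# Added example, not from the Coriant manual. Run elevated on the TNMS Server.
# Assumptions: $clientNet is where the TNMS Clients are, $adminHost is the remote
# administrator machine; both are placeholders for this example.
$clientNet = '10.10.20.0/24'
$adminHost = '10.10.99.5'
# Mandatory TNMS Client -> TNMS Server ports from Table 10
$serverPorts = @{
    1098 = 'RMI'; 1100 = 'JBoss Naming Service'; 3873 = 'EJB3 Remoting Connector'
    4444 = 'RMI'; 4445 = 'RMI'; 5445 = 'RMI'; 8080 = 'WebDAV'; 8083 = 'RMI'; 8093 = 'JMS'
}

function Set-TnmsInboundRule {
    param([string]$Name, [int]$Port, [string]$RemoteIp)
    # delete first so the script can be re-run without piling up duplicate rules
    $null = netsh advfirewall firewall delete rule name="$Name"
    $null = netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=TCP localport=$Port remoteip=$RemoteIp profile=any
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$Name'" }
}

$ruleNames = @()
foreach ($port in $serverPorts.Keys) {
    $name = "TNMS Server {0} {1}" -f $serverPorts[$port], $port
    Set-TnmsInboundRule -Name $name -Port $port -RemoteIp $clientNet
    $ruleNames += $name
}
$rdpRule = 'TNMS RDP remote administration (Table 10)'
Set-TnmsInboundRule -Name $rdpRule -Port 3389 -RemoteIp $adminHost
$ruleNames += $rdpRule

# Everything not allowed explicitly is dropped; this is what makes the rule set a whitelist.
$null = netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Verification: port and remote-address scope of every rule created above
foreach ($name in $ruleNames) {
    netsh advfirewall firewall show rule name="$name" |
        Select-String -Pattern '^(Rule Name|LocalPort|RemoteIP|Action):' |
        ForEach-Object { $_.Line }
}
```

The rows of Table 10 for the NetServer, the northbound CORBA/MTOSI interfaces, Oracle replication and the external log server are added the same way, each with the narrowest remoteip the topology allows. Windows Firewall only governs this host: the NetServer <> NE side, which Coriant advises not to firewall at all, is a separate decision.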
12.3.2
12.4 OEM Hardening
In this section you can find instructions on how OEM and 3rd party software that works
with TNMS can be hardened to decrease the attack surface for attacks against TNMS.
12.4.1 JBoss
JMX should be disabled.
To disable the JMX console remove the folder:
\TNMS\jboss\server\bicnet\deploy\jmx-console.war
12.4.2 CopSSH (SFTP)
You should limit user access to CopSSH home folder. To do so you must manually configure the NTFS file system properties as described below:
1. Create a local group by running the following command in the command line:
#> net localgroup CopsshUsers /ADD
2. Deny access to this group for each available local drive, by running:
#> cacls <drive letter>:\ /c /e /t /d CopsshUsers
3. Open access to the home directory, by running:
#> cacls copssh-inst-<path>\home /c /e /t /r CopsshUsers
4. Add the Copssh user to the user group above and make sure that the user is not
member of any other groups. Run
#> net localgroup CopsshUsers <user> /add
5. Go to the CopSSH control panel and activate user for 'Linux shell and Sftp' or 'Sftp
only'.
Shell access will not work due to limitations on system directories.
6. Repeat steps 4. and 5. for each user.
12.4.3 Oracle
Table 11
File name | Location | Explanation/Goal | Hardening
config.dat | | |
db-ds.xml | | |
12.4.4 Internet Explorer
The Internet Explorer should not be used for browsing the public internet, as this raises
the threat to compromise the system. You should disable the access to public internet.
12.5
12.6 User Management
Table 12 User management
Components | Username/Password | Location | Explanation/Goal | Hardening
TNMS Server (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/bicnet/conf/props/jmx-console-users.properties | |
Generic Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/gm/conf/props/jmx-console-users.properties | |
Multi Vendor Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/mvm/conf/props/jmx-console-users.properties | |
Generic Mediator | User: RemoteLoginFunction. Password: <no password> | | The Generic Mediator uses this user only in the first message of the authentication process between the Generic Mediator and the RADIUS server. |
LCT | User: <Username_RU> (concatenation of the username from tab SNMP Settings in NE Properties window and the string "_RU"). Password: <Password from tab SNMP Settings in NE Properties window> | | |
Connection Manager, BCB Mediator | User: jleal | | Hardcoded in those components so that their authentication matches each other. |
Multiple NE functions | User: tomcat. Password: tomcat | <data path>\TNMS\nedata\webdav\webdav.war\WEB-INF\classes\users.properties | Security context for communication from server to netserver components. |
User and Security Management | User: Administrator | | Security context for communication from client to server components. |
User and Security Management | User: ptc. Password (default): e2e!Net4u# | | ptc user is an internal account. |
12.6.1
Index
A
Adobe Reader 29
Antivirus 38
Audit policies 76
Audit policy 24
B
Backup 51
automating 56
client 57
command line 53
console 52
interactive mode 52
LDAP 55
non-interactive mode 52
OpenDS 55
Oracle database 53
TNMS database 54
BIOS 18
C
Client
terminating session 48
Common
standby server 70
Common Netserver 68
Component delivery 15
Component Services 25
Console 52
CopSSH
configure 35
hardening 38
install 35
security hardening 89
troubleshooting 37
D
Disk configuration 19
Disk partitioning 21
Documentation
online help 13
Domain Verification 27
Dynamic Port range 28
F
Firewall
configuration 81
Windows firewall 89
H
Hardware 15
client 15
large configuration 15
medium configuration 15
netserver 15
requirements 15
security hardening 75
server 15
HP service pack 20
I
Installation
CopSSH 34
full 41
Hardware 15
OSI stack 33
separate components 44
TNMS 41
XML parser 29
Integrated Lights-Out 19
Interactive mode 52
Internet Explorer 49
Internet Information Services 26
Interworking 65
TNMS 65
J
Java
JRE 17
JBoss 89
JRE 17
L
Large configuration 20
LDAP 55
License 49
Local security policy 78
Login 47
M
Medium configuration 20
Microsoft Windows
security hardening 75
security patches 75
MS.NET 29
MSXML 29
N
Netserver 68
Non-interactive mode 52
NTI 38
O
OpenDS 55
Operating system
security hardening 75
shares 76
Operating Systems 17
Oracle 30
security hardening 90
template files 30
Uninstalling 32
Oracle backup files 53
OSI Stack 33
configure 33
install 33
OSI stack
Installation 33
uninstalling 34
P
Password 48
change 48
complexity rules 48
Policies 76
Prerequisites 17, 29
Q
Quick format 22
R
Recovering
Oracle 59
Recovery 59
Remote
access 80
desktop 80
Remote registry 77
Restore 51, 59
LDAP 60
OpenDS 60
simultaneous 61
TNMS database 59
Roles 76
S
Security 75
Security hardening 75
audit policies 76
CopSSH 89
digitally signed communications 78
firewall 81
Internet Explorer 90
jboss 89
local security policy 78
Microsoft Windows security patches 75
networking 81
OEM 89
operating system 75
Oracle 90
physical and hardware 75
remote access 80
remote registry 77
SFTP 89
system services 78
unnecessary accounts 75
unnecessary applications and roles 76
user management 90
Windows Error Reporting 77
Server 19
standby 49
Services 47
SFTP
security hardening 89
Single Sign-on 49
Standby server 49, 70
Structure
online help 13
System Hosts configuration 27
System services 78
T
Template files 30
Third-party software
OSI stack 33
XML parser 29
TNMS 65
uninstallation 73
TNMS Core 65
U
Uninstallation 73
Upgrade 63
User Account Control 29
User interface
username and password 48
Username 48
V
Virtual memory 23
Virtualization 16
W
Web Server 25
Windows 19
Windows 7 26, 27
FTP 27
Windows Error Reporting 77
Windows Server 2008 25, 26, 29
FTP 26
X
XML parser
Installation 29
Abbreviations
ACS | Actual Creation State
ALS | Automatic Laser Shutdown
ASON | Automatically Switched Optical Networks
BCB | Broadcast Band
CAM |
CBS |
CC | Cross Connection
CDM | Cross-domain Manager
CIR | Committed Information Rate
CFM | Connectivity Fault Management
CLI | Console Interactive
CORBA | Common Object Request Broker Architecture
CSPF | Constrained Shortest Path First
CST |
CSV | Comma-Separated Values
DA |
DCN | Data Communication Network
DHCP | Dynamic Host Configuration Protocol
DNS | Domain Name System
DSR |
DWDM | Dense Wavelength Division Multiplexing
ELP | Ethernet Linear Protection
EM | Element Manager
EM/NE |
FA-LSP | Forwarding Adjacency LSP
FEC | Forwarding Equivalence Class
FTP | File Transfer Protocol
GBE | Gigabit Ethernet
GCT | GUI Cut-Through
GFPG |
GM | Generic Mediator
GMPLS | Generalized Multi-Protocol Label Switching
GMT | Greenwich Mean Time
GNE | Gateway Network Element
GPS | Global Positioning System
GUI | Graphical User Interface
IMN | Installation Manual
IOC | Intelligent Optical Control
IOC OP |
IP | Internet Protocol
LACP | Link Aggregation Control Protocol
LAG | Link Aggregation
LAN | Local Area Network
LCT | Local Craft Terminal
LDAP | Lightweight Directory Access Protocol
LSP | Label Switched Path
LSR | Label Switching Router
MDI |
MIB | Management Information Base
MSDE | Microsoft SQL Server Desktop Engine
MTOSI | Multi-Technology Operations System Interface
MVM | Multi-Vendor Mediator
NE | Network Element
NEC | NE Controller
NIC | Network Interface Card
NNI | Network-to-Network Interface
NTFS | NT File System
NTP | Network Time Protocol
NW |
OAM | Operations, Administration and Maintenance
OCH | Optical Channel
ODU | Optical Data Unit
OM |
OMS | Optical Multiplex Section
OPU | Optical Payload Unit
OTS | Optical Transmission Section
OTU | Optical Transport Unit
PBS |
PC | Personal Computer
PCEP | Path Computation Engine Protocol
PDF | Portable Document Format
PIR | Peak Information Rate
PT | Physical Trail
PTC |
PTP |
RAID | Redundant Array of Independent Disks
RNE |
SCP | Secure Copy
SCSI | Small Computer System Interface
SDH | Synchronous Digital Hierarchy
SFTP | SSH File Transfer Protocol
SLA | Service-Level Agreement
SNC | SubNetwork Connection
SNCP | SubNetwork Connection Protection
SNMP | Simple Network Management Protocol
SONET | Synchronous Optical Network
SPC | Soft Permanent Connection
SQL | Structured Query Language
SRLG | Shared Risk Link Group
SSH | Secure Shell
STP |
SVID |
TC |
TCP/IP | Transmission Control Protocol / Internet Protocol
TL1 | Transaction Language 1
TE-Link | Traffic Engineering-Link
TMN | Telecommunications Management Network
TN |
TNMS |
TP |
USB | Universal Serial Bus
UMN | User Manual
UNI | User-to-Network Interface
UNI-S | User-to-Network Interface-Service
UPS | Uninterruptible Power Supply
VC | Virtual Container
VLAN | Virtual LAN
WAN | Wide Area Network
WLAN | Wireless LAN
XC | Cross Connection
X-NE | Cross-NE
XML | Extensible Markup Language
Glossary
@CT
@CT is a web-based craft terminal (that is, element manager) software which provides
web access to hiT 7300 network elements (NEs) in the customer network without the
use of a management system. It communicates via SNMP with the NEs and uses the
FTPS for upload/download of software or other data configuration (for example, log
files).
3DES
Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or
Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard
(DES) cipher algorithm three times to each data block.
Actual Creation
State (ACS)
Is the current state of the path which results from the accumulation of the actual creation
states of the paths route elements.
Advanced Encryption Standard (AES)
Is a specification for the encryption of electronic data. AES is based on a design principle
known as a substitution-permutation network, and is fast in both software and hardware.
Alarm
Alarm log
An alarm log provides a list of the alarms associated with a managed object, and
provides the following information about each of the alarms:
the identification of the affected object
the identification of the failed NE or the NE in which the failed unit resides
the alarm severity
the time the event occurred
the indication whether the alarmed event is service affecting or not
the location and the affected traffic
Alarm severity
Alien wavelength
A wavelength that does not originate from a transponder or muxponder card, but is still
allowed to be multiplexed into the aggregate line signal for transport as an optical
channel by the system.
Automatic Laser Shutdown (ALS)
Is a technique used to automatically shut down the output power of the transmitter in
case of fiber break. This is a safety feature that prevents dangerous levels of laser light
from leaking out of a broken fiber, provided ALS is provisioned on both ends of the fiber
pair.
Automatically Switched Optical Networks (ASON)
ASON domains are built on the VC4 layer of hiT 7065, 7070 or 7080, and on OCh layer
of hiT 7300 and on ODU2 layer of hiT 7100, which have a Control Plane. The Control
Plane uses network-generated signaling and routing protocols to set up or release a
connection, and can restore one when it fails. ASON domains can be built up as part of
the transport network. They provide the benefit of easy end-to-end provisioning, and
fault and protection management. Soft permanent connections (SPCs) connect both
endpoints (NE1 and NE2) within an ASON domain. If a path fails, an alternative path is
automatically used.
Is a telecommunications term for loop network topology, a common configuration in telecommunications transmission systems, this loop or ring is used to provide redundancy.
The system consists of a ring of bidirectional links between a set of stations. In normal
use, traffic is dispatched in the direction of the shortest path towards its destination. In
the event of the loss of a link, or of an entire station, the two nearest surviving stations
"loop back" their ends of the ring. In this way, traffic can still travel to all surviving parts
of the ring, even if it has to travel "the long way round".
Card
A card is a plug-in unit that occupies one (or multiple) shelf slots. Cards perform specific
electrical and/or optical functions within an NE.
Each card has a faceplate with information LEDs and, in most cases, several ports for
interconnection of optical fibers and/or optical interfaces.
Card slot
A card slot is the insertion facility for a card in a shelf. Each card slot is designed for one
or several particular card types.
Mechanical coding elements make sure that each card can be fully inserted only into a
card slot that is suitable for the given card type. Therefore, fundamental shelf equipping
errors (which might cause hardware damage or fatal malfunctions) are impossible.
Committed Information Rate (CIR)
Is the guaranteed average rate (in Mbit/s) at which the information units are transferred
through the port over a measurement interval.
Commissioning
Controller card
Dense Wavelength
Division Multiplexing (DWDM)
Data Encryption
Standard (DES)
Is a widely-used method of data encryption using a private key. DES applies a 56-bit key
to each 64-bit block of data. The process can run in several modes and involves 16
rounds or operations.
Domain
TNMS allows you to restrict user groups to operate only a set of NEs or DCN subnets
instead of the entire network. This partitioning is called a Domain and limits the operation on nodes outside of their partitions by assigning user groups to domains. Further,
you can also assign policies to domains for further control and security, limiting the user
groups to specific menu entries and actions. This arrangement is required, for example,
in network centers that are responsible for maintaining only a subset of the nodes. The
main purpose is security: it avoids that a login to the system grants access to the entire
network. TNMS now supports the creation, modification or deletion of multiple domains,
granting or restricting their accesses. By default, all NEs belong to the GLOBAL domain
which cannot be modified or deleted.
Ethernet Linear Protection (ELP)
Is a protection scheme defined in the ITU-T G.8031 standard designed to protect point-to-point Ethernet paths such as VLAN based Ethernet networks. To achieve protection
ELP uses two disjoint paths, a working path and a protection path. Traffic is carried
first on the active path (working path) and in case of failure, traffic is switched to the
protection path. Both paths can be monitored using OAM protocols like CFM. ELP
provides 1:1 bi-directional protection switching with revertive mode capabilities. ELP
must first be configured at the NE side via the LCT; only then is it visible in TNMS
so that you can use it in the E-LAN and E-Line service creation via the New Ethernet
Service wizard. ELP is supported in specific network elements and cards only. Refer to
the NE dedicated documentation for more information.
Element Manager (EM)
Network elements enable the user to perform operation, administration and maintenance tasks with the NE system in a GUI environment.
Ethernet
Ethernet is a family of frame-based computer networking technologies for LANs. It
defines a number of wiring and signaling standards for the physical layer, through
means of network access at the MAC/Data Link Layer, and a common addressing
format.
Fault management
Fault management reports all hardware and software malfunctions within an NE, and
monitors the integrity of all incoming and outgoing digital signals.
File Transfer Protocol (FTP)
FTP is a network protocol used to transfer files from one computer to an NE and vice versa through the network.
Frequency
Generalized Multi-Protocol Label Switching (GMPLS)
Is a protocol suite extending MPLS to manage further classes of interfaces and switching technologies other than packet interfaces and switching, such as time division multiplex, layer-2 switch, wavelength switch and fiber-switch.
Intelligent Optical
Control (IOC)
Is the Coriant software platform integrating the software defined networking (SDN)
framework with intelligent control for multi-layer optical transport networks. IOC
addresses the complete operational workflow and network lifecycle from service
planning to optimization up to maintenance, by combining the capabilities of the Coriant
TransNet optical planning tool, the IOC OP provisioning system and the TNMS network
management system.
Internet Protocol version 4 (IPV4)
Is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and
essentially establishes the Internet.
Link Aggregation
Control Protocol
(LACP)
Within the IEEE specification the Link Aggregation Control Protocol (LACP) provides a
method to control the bundling of several physical ports together to form a single logical
channel. LACP allows a network device to negotiate an automatic bundling of links by
sending LACP packets to the peer (directly connected device that also implements
LACP).
Link Aggregation
(LAG)
Allows a bridge to treat multiple physical links between two end-points as a single logical
link, referred to also as a port-channel. The feature can be used to directly connect two
switches when the traffic between them requires high bandwidth and/or reliability, or to
provide a higher bandwidth connection to a public network. For this purpose, all the
physical links in a given port-channel must operate in full-duplex mode and at the same
speed. If a physical port or the related link of a LAG fails, the traffic previously carried
over the failed link is automatically switched to the remaining link(s) of the LAG (rapid
reconfiguration). Bandwidth degradation is an obvious impact if the sum of the throughput of
the two/multiple aggregated links is higher than the throughput of the remaining link(s).
Be aware that certain link failures are not always visible to both ends of a link. Link
Aggregation Control Protocol (LACP) and Automatic Laser Shutdown (ALS), when enabled,
guarantee that both ends of a link properly detect all failures and perform the correct
response. LAG groups must first be created at the NE side via the LCT; only then are they
visible in TNMS so that you can use them in the E-LAN and E-Line service creation via
the New Ethernet Service wizard. LAG is supported in specific network elements and
cards only. Refer to the NE dedicated documentation for more information.
Laser
A laser is a device that generates an intense narrow beam of light by stimulating the emission of photons from excited atoms or molecules.
Laser safety
Laser safety rules are a group of mechanisms and actions necessary to protect all users from harmful laser light emissions.
Glossary
LCT is a client-based craft terminal (that is, element manager) software which provides
access to network elements (NEs) in the customer network without the use of a management system.
Line interface
A line interface is a transponder interface that faces the line side of the link. Contrast
with client interface which faces the client equipment side of the link.
hiT 7300 LH segment is a DWDM application characterized by a reach of more than 500
km and up to 1200 km.
Is a path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the forwarding equivalence class (FEC).
Sometimes called a transit router, is a type of router located in the middle of a Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels used to route packets. When an LSR receives a packet, it uses the label included in the packet header as an index to determine the next hop on the Label Switched Path (LSP) and a corresponding label for the packet from a look-up table. The old label is then removed from the header and replaced with the new label before the packet is routed forward.
MD5
Maintenance Association End Points (MEP)
Management Information Base (MIB)
MX
Juniper MX Series Universal Edge Routers are Ethernet-centric services routers that are purpose-built for demanding carrier and enterprise applications (source: Juniper website).
NetConf
Network Craft Terminal (NCT)
NCT is a network management craft terminal (that is, element manager) software which
is used for either local or remote network management.
Network Element (NE)
A network element (NE) is a self-contained logical unit within the network. The NE can
be uniquely addressed and individually managed via software.
Each NE consists of hardware and software components to perform given electrical and
optical functions within the network.
Network Management
The network management layer includes all the required functions to manage the optical
network in an effective and user-friendly way, such as the visualization of the network
topology, creation of services, and correlation of alarms to network resources.
Network topologies
A topology of a network is defined by the list of NEs included in the network and the list
of links that connect those NEs (for example, point-to-point, chain, ring, and so on).
Network to Network Interface (NNI)
Is an interface which specifies signaling and management functions between two networks. An NNI circuit can be used for the interconnection of IP (for example, MPLS) networks.
Coriant TransNet
Planning of a hiT 7300 network is done by the Coriant TransNet tool. Coriant TransNet
is a sophisticated software simulation tool developed specifically for designing and/or
upgrading optical DWDM networks with hiT 7300. It runs on PCs using Microsoft
Windows operating systems.
Optical Channel
A predefined wavelength that can be used to transmit a bit stream by means of a modulated light signal.
Optical Network Node (ONN)
An ONN is an NE where the incoming channels are either dropped or routed to a line in a different direction; outgoing channels can also be added locally. Apart from multiplexing and demultiplexing, an ONN NE implements optical or 3R signal regeneration and dispersion compensation.
Optical path
The path followed by an optical channel from the first multiplexer to the last demultiplexer.
Path Computation Engine Protocol (PCEP)
Implements, sets up and manages PCEP, while also notifying OM when PCEP is available or unavailable to send/receive PCEP Route messages.
Performance management
Performance monitoring and signal quality analysis provide information for detecting and alerting on a cause that could lead to degraded performance before a failure is declared.
Peak Information Rate (PIR)
Is a burstable rate set on routers and/or switches that allows throughput overhead. It is related to the Committed Information Rate (CIR), which is the guaranteed (and capped) committed rate. For example, a CIR of 10 Mbit/s and a PIR of 12 Mbit/s give you access to a minimum speed of 10 Mbit/s, with burst/spike control that allows an additional 2 Mbit/s.
Pseudo-Random Binary Sequence (PRBS)
Is a known sequence of bits that can be used as a test signal to measure transmission
delay and bit error rate of a channel. In this test, one port inserts the PRBS signal in the
channel (source port) and another detects if the sequence was received correctly (sink
port). This kind of test is traffic affecting since the test sequence is inserted into the
OPUk until the test is stopped.
Trails are represented as Physical Trails (PTs). They connect two Physical Termination
Points (PTP) on a physical layer rate, but can also contain non-physical layers.
PTX
Juniper Packet Transport Routers are Converged Supercore platforms that deliver powerful capabilities based on the Junos Express chipset and forwarding architectures optimized for MPLS and Ethernet, with integrated, coherent 100GbE technology (source: Juniper website).
Required Creation State (RCS)
Is the desired state of the path, which is set by the user upon creation.
Optical Signal to Noise Ratio (OSNR)
OSNR is the ratio of an optical signal power to the noise power in the signal.
Ring network
A ring network is a network topology in which each NE connects to exactly two other NEs, forming a circular optical path for signals (that is, a ring).
Synchronous Digital Hierarchy (SDH)
Is a standardized protocol that transfers multiple digital bit streams over optical fiber using lasers or highly coherent light from light-emitting diodes. At low transmission rates data can also be transferred via an electrical interface. The method was developed to replace the Plesiochronous Digital Hierarchy system for transporting large amounts of telephone calls and data traffic over the same fiber without synchronization problems.
Security management
Security Management controls the individual access to particular NE functions via the
network management system and/or via a craft terminal, using a hierarchical security
management user ID, and password concept.
In computation, a finite-state machine is event driven if the transition from one state to
another is triggered by an event or a message.
Service Provisioning via NMS
Is a family of cryptographic hash functions that takes an arbitrary block of data and
returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or
intentional) change to the data will (with very high probability) change the hash value.
The data to be encoded are often called the message, and the hash value is sometimes
called the message digest or simply digest.
Simple Network Management Protocol (SNMP)
Software management
Software management performs all software downloads, uploads, and software integrity
functions.
Is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).
Subsystem
Tandem Connection Monitoring (TCM)
TCMs are configurable parameters (via Element Manager) of the transponders. They provide performance management of the whole Optical Transport Network (that is, the end-to-end connection) or of specific sections only, and implement an Optical channel Data Unit (ODU) termination provisioned to support up to six TCM levels.
Transmission Control Protocol (TCP)
Is one of the core protocols of the Internet protocol suite (IP), and is so common that the
entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked
delivery of a stream of octets between programs running on computers connected to a
local area network, intranet or the public Internet. It resides at the transport layer.
TL1
Transaction Language 1 (TL1) is a widely used management protocol in telecommunications. It is a cross-vendor, cross-technology man-machine language, and is widely
used to manage optical (SONET) and broadband access infrastructure in North
America. TL1 is used in the input and output messages that pass between Operations
Systems (OSs) and Network Elements (NEs). Operations domains such as surveillance,
memory administration, and access and testing define and use TL1 messages to
accomplish specific functions between the OS and the NE.
TNMS
TNMS Core
TNMS CT
TNMS CT is a transparent software platform for SDH and DWDM NEs using QD2, QST,
QST V2, Q3 or SNMP telegram protocols. It supports line, star, ring and mesh networks
and provides access to NEs via Ethernet interface or via a serial line interface (RS232).
TNMS DX
Transponder card
A transponder card receives an optical input signal and converts it to an optical output
signal suitable for DWDM multiplexing and transmission.
Transponder loopback
Loopbacks are diagnostic tests that can be activated via Element Manager. Loopbacks
return the transmitted signal back to the sending device after the signal has passed
across a particular link. The returned signal can then be compared to the transmitted
one. Any discrepancy between the transmitted and the returned signal helps to trace
faults.
User Datagram Protocol (UDP)
Is one of the core members of the Internet protocol suite (the set of network protocols
used for the Internet). With UDP, computer applications can send messages, in this
case referred to as datagrams, to other hosts on an Internet Protocol (IP) network
without prior communications to set up special transmission channels or data paths.
UDP uses a simple transmission model with a minimum of protocol mechanism. It has
no handshaking dialogues, and thus exposes any unreliability of the underlying network
protocol to the user's program. As this is normally IP over unreliable media, there is no
guarantee of delivery, ordering or duplicate protection. UDP provides checksums for
data integrity, and port numbers for addressing different functions at the source and destination of the datagram.
hiT 7300 ULH segment is a DWDM application characterized by long path lengths of up
to 1600 km.
User-to-Network Interface (UNI)
Is a demarcation point between the responsibility of the service provider and the responsibility of the subscriber. This is distinct from a Network to Network Interface (NNI) that
defines a similar interface between provider networks.
Wavelength
The time in minutes that TNMS waits until it tries to switch to the working path again,
assuming the Revertive option is selected.
eXtensible Markup Language (XML)
Is a markup language that defines a set of rules for encoding documents in a format that
is both human-readable and machine-readable. The design goals of XML emphasize
simplicity, generality, and usability over the Internet. It is a textual data format with strong
support via Unicode for the languages of the world. Although the design of XML focuses
on documents, it is widely used for the representation of arbitrary data structures, for
example in web services.