
Interconnecting the CSM with the U2000 (Wireless/Core)
Contents
4.4.3.6.1 Interconnecting the CSM with the U2000 (Wireless/Core)
4.4.3.6.1.1 Setting the U2000 Trust Domain
4.4.3.6.1.2 Installing the IaaS Deployment Package
4.4.3.6.1.3 Checking Whether Two-Way SSL Authentication Is Enabled
4.4.3.6.1.4 Changing the CSM Authentication Mode
4.4.3.6.1.5 Setting the U2000 Information for Interconnection with the CSM
4.4.3.6.1.6 Performing Security Hardening for Internal Ports of the CSM
4.4.3.6.1.7 Checking the Interconnection of the CSM with the U2000
4.4.3.6.1.8 Creating Users (U2000)
4.4.3.6.1.9 Creating a nerestuser User

4.4.3.6.1 Interconnecting the CSM with the U2000 (Wireless/Core)
After the CSM software is installed, you must interconnect the CSM with the U2000 so that the
U2000 can be used to centrally manage infrastructure as a service (IaaS) equipment.

NOTICE:
 Before interconnecting the CSM with the U2000, ensure that the U2000 has been installed
and commissioned and the services are running properly. If the U2000 is not installed, install
it. The reference document can be obtained at http://support.huawei.com/.
 For virtual U2000, see iManager U2000 MBB Network Management System Virtual
Product Documentation (SUSE).
 For non-virtual U2000, see iManager U2000 MBB Network Management System Product
Documentation (SUSE).
 Before interconnecting the CSM with the U2000, ensure that the U2000 version matches the
CSM version. For details about version mapping, see CSM release notes. You can contact
Huawei technical support to obtain the required document. Huawei technical support can
access http://support.huawei.com/, click the Support tab, choose Product Support > Cloud Core
Network > NFVI&MANO > MANO > MANO > CloudOpera CSM, click the Product
Documentation tab, select V200R017 in Version Selection, select Huawei CloudOpera
CSM V200R017C00SPCXXX Release Documents-EN in the lower part, and download it.
XXX indicates the software version number. The actual software version number prevails.

 Setting the U2000 Trust Domain


Before interconnecting the CSM with the U2000, you must set the southbound and northbound integration
network IP addresses (eth1) of the active and standby CSM VMs and the floating IP address (eth1:1) of
the active CSM VM on the U2000 and add these IP addresses to the U2000 trust domain in HA
southbound and northbound integration networking. In this way, the CSM can communicate
properly with the U2000 bus.

 Installing the IaaS Deployment Package


After you set the U2000 trust domain, you must install the IaaS deployment package on the
U2000 so that the static information, security information, and alarm information can be added to
the U2000.

 Checking Whether Two-Way SSL Authentication Is Enabled


When two-way Secure Sockets Layer (SSL) authentication is enabled on the U2000, you must
use client certificates matching the U2000 to update the existing certificates for normal
interconnection. U2000 V200R016 or later version supports this feature.

 Changing the CSM Authentication Mode


This section describes how to use commands to change the authentication mode from not
interconnecting the CSM to the U2000 to interconnecting the CSM to the U2000.

 Setting the U2000 Information for Interconnection with the CSM


You must perform deployment operations on the CSM to add the service IP address and U2000
type of the U2000 server to ensure that the CSM is interconnected to the U2000.

 Performing Security Hardening for Internal Ports of the CSM


After the CSM software is installed, you need to deploy a hardware firewall to reduce risks of
attacks on the CSM, improving security. If there is no hardware firewall, it is recommended that
you configure the OS firewall to perform security hardening on the internal ports of the CSM.
After security hardening is performed for internal ports of the CSM, only the U2000 is allowed
to access port 31013.

 Checking the Interconnection of the CSM with the U2000


After the CSM is interconnected with the U2000, the IaaS equipment is automatically added to
the U2000, and you can check whether the CSM is interconnected with the U2000 on the U2000
client.

 Creating Users (U2000)


After the CSM operation rights are set for U2000 users on the U2000 client, U2000 users can log
in to and operate the CSM and deploy VNFs.

 Creating a nerestuser User


Create a nerestuser user on the U2000 client. The NE can use this account to log in to CSM for
the lifecycle management.
Parent topic: Interconnecting the CSM with the U2000 (Integration Mode)

4.4.3.6.1.1 Setting the U2000 Trust Domain


Before interconnecting the CSM with the U2000, you must set the southbound and northbound integration
network IP addresses (eth1) of the active and standby CSM VMs and the floating IP address (eth1:1) of
the active CSM VM on the U2000 and add these IP addresses to the U2000 trust domain in HA
southbound and northbound integration networking. In this way, the CSM can communicate
properly with the U2000 bus.

Prerequisites

NOTICE:
 Before interconnection, if the CSM is in southbound and northbound integration networking,
the CSM interconnects with the U2000 in southbound and northbound integration
networking; if the CSM is in southbound and northbound isolation networking, the CSM
interconnects with the U2000 in southbound and northbound isolation networking. However,
the current CSM version does not support this function.
 Before interconnection, if the CSM is in southbound and northbound integration networking,
ensure that the CSM southbound and northbound integration network is connected to the
U2000 service network.

The U2000 software has been installed and the U2000 services are running properly.

Procedure
1. Log in to the U2000 server as user ossuser with the service IP address in SSH mode using
PuTTY.
2. Run the following commands to check the IP address list of the U2000 trust domain:
~> . /opt/oss/server/svc_profile.sh
~> cd /opt/oss/server/rancn/bin
~> ./mod_iplist.sh
The list of IP addresses added to the U2000 trust domain is displayed in the command
output.
10.146.24.234
10.146.67.102
10.146.77.111
10.146.80.70
NOTICE:
Network port names can be viewed in IP address planning in Learning System Planning and Basic
Operations.

 If the IP address list includes the southbound and northbound integration network IP addresses
(eth1) of the active and standby CSM VMs and the southbound and northbound integration network
floating IP address (eth1:1) of the active CSM VM, do not add the CSM service IP addresses again.
The operation is now complete.
 If the IP address list is empty or does not include these IP addresses, go to 3.
3. Run the following commands to add the southbound and northbound integration network IP addresses
(eth1) of the active and standby CSM VMs and the southbound and northbound integration network
floating IP address (eth1:1) of the active CSM VM to the U2000 trust domain:

NOTE:
When the CSM is deployed in a remote disaster recovery system, you need to add the IP addresses of eth1 for
the active and standby VMs and the IP addresses of eth1:1 for the active VM at the active and standby sites to
the U2000 trust domain.

The following table lists IP addresses in HA southbound and northbound integration networking.

eth1 of the active CSM VM       10.146.32.67
eth1:1 of the active CSM VM     10.146.32.100
eth1 of the standby CSM VM      10.146.32.69

~> ./mod_iplist.sh add 10.146.32.67
~> ./mod_iplist.sh add 10.146.32.100
~> ./mod_iplist.sh add 10.146.32.69
When the following information is displayed, the southbound and northbound integration network IP
addresses (eth1) of the active and standby CSM VMs and the floating IP address (eth1:1) of the active
CSM VM have been successfully added to the U2000 trust domain.
Revise and synchronize the iplist.cfg successfully.

NOTE:
 If the southbound and northbound integration network IP address (eth1) of the active or standby CSM VM
or the floating IP address (eth1:1) of the active CSM VM changes, you need to perform the preceding
operations on the U2000 again.
 To delete the southbound and northbound integration network IP addresses (eth1) of the active and
standby CSM VMs and the floating IP address (eth1:1) of the active CSM VM from the U2000 trust
domain, run the ./mod_iplist.sh del command. The operation procedure is similar to the
preceding procedure.

You can run the following command to query the IP address list of the U2000 trust domain
and then check whether the IP address is added successfully based on the command output:
~> ./mod_iplist.sh
The list of IP addresses added to the U2000 trust domain is displayed in the command
output.
10.146.24.234
10.146.67.102
10.146.77.111
10.146.80.70
10.146.32.67
10.146.32.100
10.146.32.69

4. Run the following command to switch to user root:


~> su - root
Password: password of user root

5. Run the following commands to check whether security hardening has been performed on
the internal ports of the U2000 server:
# . /opt/oss/server/svc_profile.sh
# sec_adm -cmd queryIPTables
 If the following information is displayed, security hardening has been performed. Go to 6.

The security hardening rules have been set for internal ports on the OSS
server.

 If the following information is displayed, security hardening has not been performed. The
operation is now complete.
The security hardening rules have not been set for internal ports on the
OSS server.

6. (Optional) Check whether to perform this operation based on the command outputs in step 5.
Run the following command to make the setting of the U2000 trust domain take effect:
# sec_adm -cmd setIPTables
If the system displays Operation succeeded, the setting of the U2000 trust domain
takes effect. Otherwise, contact Huawei technical support engineers.
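
An added example, not part of the original document or of Huawei's tooling: a read-only audit of the trust domain listing checked in steps 2 and 3. It assumes ./mod_iplist.sh prints one IPv4 address per line, as in the sample output above; the function names and the stale address 10.146.32.68 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Huawei code): audit the U2000 trust domain listing.
# Assumption: ./mod_iplist.sh prints one IPv4 address per line, as in the
# sample output on this page. All function names below are hypothetical.

# Sample listing before step 3, taken from the output shown on this page.
LISTING_BEFORE='10.146.24.234
10.146.67.102
10.146.77.111
10.146.80.70'

# Addresses the procedure requires: eth1 (active), eth1:1 (floating), eth1 (standby).
REQUIRED='10.146.32.67 10.146.32.100 10.146.32.69'

# Approved inventory: what the trust domain is supposed to contain.
APPROVED="$LISTING_BEFORE
$(printf '%s\n' $REQUIRED)"

# Constructed sample: listing after step 3 plus one stale address
# (10.146.32.68, invented here) that was never deleted.
LISTING_STALE="$APPROVED
10.146.32.68"

# clean_listing TEXT: strip carriage returns, surrounding blanks and empty lines.
clean_listing() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NF { print $1 }'
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# missing_ips LISTING ADDR...: print each required address absent from LISTING.
# grep -x -F matches whole lines literally, so 10.146.32.6 never matches 10.146.32.67.
missing_ips() {
    listing=$(clean_listing "$1"); shift
    for ip in "$@"; do
        is_ipv4 "$ip" || { printf 'invalid:%s\n' "$ip"; continue; }
        printf '%s\n' "$listing" | grep -qxF -e "$ip" || printf '%s\n' "$ip"
    done
}

# unexpected_ips LISTING APPROVED: print listed addresses that are not in the
# approved inventory (candidates for ./mod_iplist.sh del after review).
unexpected_ips() {
    approved=$(clean_listing "$2")
    clean_listing "$1" | while IFS= read -r ip; do
        printf '%s\n' "$approved" | grep -qxF -e "$ip" || printf '%s\n' "$ip"
    done
}

# plan_adds LISTING ADDR...: print (never run) the add commands still needed.
plan_adds() {
    missing_ips "$@" | grep -v '^invalid:' | sed 's|^|./mod_iplist.sh add |'
}

echo "Missing before step 3:"; missing_ips "$LISTING_BEFORE" $REQUIRED
echo "Commands still to run:"; plan_adds "$LISTING_BEFORE" $REQUIRED
echo "Not in the inventory:";  unexpected_ips "$LISTING_STALE" "$APPROVED"
```

On the U2000 server, pass the live listing instead of the samples, for example missing_ips "$(./mod_iplist.sh)" followed by the planned CSM addresses.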

4.4.3.6.1.2 Installing the IaaS Deployment Package
After you set the U2000 trust domain, you must install the IaaS deployment package on the
U2000 so that the static information, security information, and alarm information can be added to
the U2000.

Prerequisites
 You have obtained the IaaS deployment package.
 The U2000 software has been installed and the U2000 services are running properly.
 You have obtained the corresponding operating system PGPVerify tools. For details, see
Obtaining Software Packages.

 You have obtained the public key file. For details, see Obtaining the Public Key File.

Procedure
1. Log in to the U2000 server as user ossuser with the service IP address in SSH mode using
PuTTY.
2. Upload CloudOpera_CSMV200R017C00SPC500_IAAS_deploy_pkg.tar, PGPVerify,
and KEYS in binary mode to the /export/home/mediation directory on the U2000 server as
user ossuser by using FileZilla. For details, see Transferring Files Using FileZilla.

NOTE:
If user ossuser does not have the required permissions on this directory, run the following commands
using PuTTY:
a. Run the following command to switch to user root:
~> su - root
Password: password of user root
b. Run the following command to change the owner of the /export/home/mediation directory to user
ossuser:
# chown ossuser:ossgroup /export/home/mediation
c. Run the following command to switch to user ossuser:
# su - ossuser

3. Run the following commands to check the integrity of the software package:
~> cd /export/home/mediation
~> tar -xvf CloudOpera_CSMV200R017C00SPC500_IAAS_deploy_pkg.tar
~> chmod 500 ./PGPVerify
~> ./PGPVerify -k KEYS -f CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar.gz.asc
 If the command output contains PASS, the software package passes the check.
 If the command output contains FAIL or ERROR, the software package fails the check. Use the
PGP verify tool to check the software package on the local PC. For
details, see Check the Integrity of IaaS Deployment Package.
4. Run the following command to decompress the IaaS deployment package:
~> tar -zxvf CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar.gz

NOTE:
If the system does not support the -z option, run the following commands to decompress the IaaS deployment
package:
~> gzip -d CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar.gz
~> tar -xvf CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar

5. Run the following commands to set the execute permission of the IaaS deployment scripts:
~> chmod -R 750 CloudOpera_CSMV200R017C00SPC500_IAAS_deploy
~> cd CloudOpera_CSMV200R017C00SPC500_IAAS_deploy
6. Run the following command to load the environment variables:
~> . /opt/oss/server/svc_profile.sh
7. Run the following command to run the IaaS deployment scripts:
~> ./IAAS_deploy.sh

 When the following information is displayed, enter the database user name sybuser and the
password of the database user sybuser. The default database port is 4100; you do not need to
enter the database port, press Enter directly.
The database user name sybuser, the password Changeme_123, and the database port
4100 are used as examples.
Enter the user name for logging in to the U2000 database:[sybuser]
Enter the user password for logging in to the U2000 database:
Enter the database port[4100]:

NOTE:
When the following information is displayed, the CSM interconnects with the Oracle database of
the U2000.
a. Enter the password of the database user fmdb. The default database port is 1521; you do not
need to enter the database port, press Enter directly.
b. Enter the password of the database user pmcomdb.
Begin to run the VNFM deployment script...
Init the Oracle DatabaseInfo.
Enter the user password for logging in to the fmdb database:
Enter the database port[1521]:
...
Succeeded in connecting to the database.
Enter the user password for logging in to the pmcomdb database:
...

 When the following information is displayed, the scripts have been executed. Perform 8 and 9.
Otherwise, the scripts fail to be executed. Rectify the fault by following the displayed
instructions.
[info]:Succeeded in running the VNFM deployment script. Restart the
U2000 manually.
 When the following information is displayed, the scripts have been executed. Perform 8 and
10. Otherwise, the scripts fail to be executed. Rectify the fault by following the
displayed instructions.
[info]:Succeeded in running the VNFM deployment script. Restart the
PMService and PMEngine0201 manually, and then log in to the U2000
client again.

 When the following information is displayed, another user is installing the NE mediation
package, installing the IaaS deployment package, or uninstalling the NE mediation.
Please wait and try again later.
Another mediation package or IaaS package is being installed, or another
mediation package is being uninstalled, please wait and try again later.

8. Run the following commands to delete the installation directory and the software package:
~> cd /export/home/mediation
~> rm -r CloudOpera_CSMV200R017C00SPC500_IAAS_deploy_pkg.tar
~> rm -rf CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar.gz
~> rm -r CloudOpera_CSMV200R017C00SPC500_IAAS_deploy

NOTE:
If the IaaS deployment package is decompressed using the gzip and tar commands, run the following
commands to delete the installation directory and the software package:
~> cd /export/home/mediation
~> rm -r CloudOpera_CSMV200R017C00SPC500_IAAS_deploy_pkg.tar
~> rm -r CloudOpera_CSMV200R017C00SPC500_IAAS_deploy.tar
~> rm -r CloudOpera_CSMV200R017C00SPC500_IAAS_deploy
9. (Optional) Check whether to perform this operation based on the command outputs in step 7.
Restart the U2000 to make the settings take effect.

NOTICE:
During the restart of the U2000 services, the performance data and alarm data of the
managed NEs cannot be processed. Determine the impact of the restart before restarting the
U2000 services.

NOTE:
The time required for restarting the U2000 system services is related to the actual environment. In normal
cases, restarting the U2000 services takes about 30 minutes.

a. Log in to the OSMU. For detailed operations, see Logging In to the OSMU in the CSM
Administrator Guide.

b. Choose General > Service Management.

c. On the Service Management tab page in the right pane, click Query to query the service
status of the U2000.

d. Click Stop All.

In the displayed confirmation dialog box, click Yes to stop all services.

e. Click Start All.

In the displayed confirmation dialog box, click Yes to start all services.
10. (Optional) Check whether to perform this operation based on the command outputs in step 7.
Restart the services of the PMService and PMEngine, and then log in to the U2000 client.

a. Run the following commands to restart the PMService and PMEngine:

~> svc_adm -cmd restartsvc PMService
~> svc_adm -cmd restartsvc PMEngine0X0X

NOTE:
Replace PMEngine0X0X with the PMEngine name shown in the displayed message [info]:Succeeded in
running the VNFM deployment script. Restart the PMService and PMEngine0201
manually, and then log in to the U2000 client again.

b. Re-log in to the U2000 client.



4.4.3.6.1.3 Checking Whether Two-Way SSL Authentication Is Enabled
When two-way Secure Sockets Layer (SSL) authentication is enabled on the U2000, you must
use client certificates matching the U2000 to update the existing certificates for normal
interconnection. U2000 V200R016 or later version supports this feature.

Procedure
1. Log in to the U2000 server as user ossuser with the service IP address in SSH mode using
PuTTY.
2. Run the following command to switch to user root:
~> su - root
Password: password of user root

3. Run the following commands to check whether two-way SSL authentication is enabled on
the U2000:
# cat /opt/oss/server/etc/ssl/option.xml | grep enableAuthPeer
# cat /opt/oss/server/etc/conf/svc_ssl.conf | grep SSLAuthenticate
If the value of enableAuthPeer is true or the value of SSLAuthenticate is SERVER or
SERVER_AND_CLIENT, go to 4. Otherwise, the operation is now complete.
4. (Optional) When two-way SSL authentication is enabled on the U2000, use client certificates
matching the U2000 to update the existing certificates for normal interconnection. For
details, see Updating Certificates of the CSM VM for Communicating with the U2000 (Wireless/Core) VM.


4.4.3.6.1.4 Changing the CSM Authentication Mode
This section describes how to use commands to change the authentication mode from not
interconnecting the CSM to the U2000 to interconnecting the CSM to the U2000.

Prerequisites
NOTICE:
 After the authentication mode is changed to interconnecting the CSM to the U2000, only user
admin can be used, and you need to create users on the U2000 again.
 After the authentication mode is changed to interconnecting the CSM to the U2000, the logs
that the system saved before the modification cannot be reported to the U2000.

You have obtained the passwords of users csmuser and ossadm in the CSM. The initial password
of user csmuser is Changeme_123, and the initial password of user ossadm is Changeme_123.

Procedure
1. Log in to the active CSM VM as user csmuser with the IP address in the table in SSH mode
using PuTTY. For details about how to use PuTTY, see section Logging In to the Server Using
PuTTY.

Table 1 IP address mapping

Version: SPC100 CP version and earlier (including SPC100)
IP Address: Remote maintenance IP address
Remarks: If you cannot log in to the VM using the remote maintenance IP address, add a static route.
For details, see Adding a Static Route in the initial installation guide.

Version: SPC300 version and versions later than SPC300
IP Address:
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the southbound and northbound integration network port
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the northbound network port
Remarks:
 Southbound and northbound integration networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the southbound and
northbound integration network port or add a static route by following the instructions provided in
Adding a Static Route under the initial installation guide.
 Southbound and northbound isolation networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the northbound network
port or add a static route by following the instructions provided in Adding a Static Route under the
initial installation guide.

2. Run the following command to switch to user ossadm:


~> su - ossadm
Password: password of user ossadm

3. Run the following command to stop the application process.


~> cd /opt/oss/manager/bin
~> . engr_profile.sh
~> ipmc_adm -cmd stopapp
4. Run the following commands to change the authentication mode:
~> cd /opt/oss/CSM/apps/VNFM/lbin
~> ./modify_deploy.sh
Information similar to the following is displayed:
start Excute modify_depoly.sh
...
The Deployment Mode Modify Successful.

NOTE:
 If the command output contains The Deployment Mode Modify Successful., the authentication mode is
changed successfully. Otherwise, contact Huawei technical support engineers.
 If the command output contains The Deployment Mode Is Integrated Deployment., the authentication
mode has already been changed and you do not need to run this command.

5. Run the following command to start the application process.


~> ipmc_adm -cmd startapp
6. Change the authentication mode of the standby CSM. For details, see 1 through 5.


4.4.3.6.1.5 Setting the U2000 Information for Interconnection with the CSM
You must perform deployment operations on the CSM to add the service IP address and U2000
type of the U2000 server to ensure that the CSM is interconnected to the U2000.

Prerequisites
The U2000 trust domain has been set.

Procedure
1. Log in to the active CSM VM as user csmuser with the IP address in the table in SSH mode
using PuTTY. For details about how to use PuTTY, see section Logging In to the Server Using
PuTTY.
Table 1 IP address mapping

Version: SPC100 CP version and earlier (including SPC100)
IP Address: Remote maintenance IP address
Remarks: If you cannot log in to the VM using the remote maintenance IP address, add a static route.
For details, see Adding a Static Route in the initial installation guide.

Version: SPC300 version and versions later than SPC300
IP Address:
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the southbound and northbound integration network port
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the northbound network port
Remarks:
 Southbound and northbound integration networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the southbound and
northbound integration network port or add a static route by following the instructions provided in
Adding a Static Route under the initial installation guide.
 Southbound and northbound isolation networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the northbound network
port or add a static route by following the instructions provided in Adding a Static Route under the
initial installation guide.

2. Run the following command to switch to user ossuser:


~> su - ossuser
Password: password of user ossuser

3. Run the following commands to add the service IP address and U2000 type of U2000 server:
~> cd /opt/oss/CSM/apps/VNFM/lbin
~> ./modify_oss_ip.sh
a. When the following information is displayed, type the U2000 name and press Enter:
Please input the Name of U2000:

NOTE:
Enter a user-defined U2000 name.
 The name is a string of 6 to 23 characters.
 The name contains letters, digits, or _.

b. When the following information is displayed, enter the service IP address of the U2000
and press Enter:
Please input the service IP address of U2000:
c. When the following information is displayed, perform operations based on the
connected U2000 version.
Confirm whether is SSLMode[y/n]:

NOTE:
 U2000 V200R016 or later Version: type y and press Enter.
 U2000 V200R015 Version: type n and press Enter.

d. When the following information is displayed, type 0 and press Enter:
Please enter the type of U2000:[0:U2000-M,1:U2000-U]

NOTE:
 0 indicates the U2000 for the core or wireless network, and 1 indicates the U2000 for the fixed
network.
 If the CSM services are not started, the message in 3.e is not displayed. In such a case, skip 3.e.

e. When the following information is displayed, type y and press Enter:
The service is running, you need to stop the service [y/n]:
...
Stopping process vnfm-0-0 ... success
Starting process vnfm-0-0 ... success
Modify the OSS IP successfully.

NOTE:
 After the U2000 service IP address is added, the CSM services automatically restart. The process
takes about 2 minutes. Wait patiently.
 When the Modify the OSS IP successfully. message is displayed, the U2000 service IP
address is added.

4. Set the service IP address of the U2000 interconnected with the standby CSM VM. For
details, see 1 through 3.

NOTE:
The service IP address of the U2000 interconnected with the standby CSM VM is the same as that of the
U2000 interconnected with the active CSM VM.


4.4.3.6.1.6 Performing Security Hardening for Internal Ports of the CSM
After the CSM software is installed, you need to deploy a hardware firewall to reduce risks of
attacks on the CSM, improving security. If there is no hardware firewall, it is recommended that
you configure the OS firewall to perform security hardening on the internal ports of the CSM.
After security hardening is performed for internal ports of the CSM, only the U2000 is allowed
to access port 31013.

Prerequisites
The iptables service is available before operations are performed on SUSE Linux.

Procedure
1. Log in to the active CSM VM as user csmuser with the IP address in the table in SSH mode
using PuTTY. For details about how to use PuTTY, see section Logging In to the Server Using
PuTTY.

Table 1 IP address mapping

Version: SPC100 CP version and earlier (including SPC100)
IP Address: Remote maintenance IP address
Remarks: If you cannot log in to the VM using the remote maintenance IP address, add a static route.
For details, see Adding a Static Route in the initial installation guide.

Version: SPC300 version and versions later than SPC300
IP Address:
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the southbound and northbound integration network port
 Southbound and northbound integration networking: remote maintenance IP address or IP address
of the northbound network port
Remarks:
 Southbound and northbound integration networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the southbound and
northbound integration network port or add a static route by following the instructions provided in
Adding a Static Route under the initial installation guide.
 Southbound and northbound isolation networking: If you cannot log in to the CSM VM using the
remote maintenance IP address, log in to the CSM VM using the IP address of the northbound network
port or add a static route by following the instructions provided in Adding a Static Route under the
initial installation guide.

2. Run the following command to switch to user root:


~> su - root
Password: password of user root

3. Run the following commands to perform security hardening for internal ports of the CSM.
# cd /opt/tools/script/common
# ./vnfm_iptables.sh -config
a. If the following information is displayed, enter the product install path, and press Enter.
Enter the install path[/opt/oss]:
b. If the following information is displayed, enter the product name, and press Enter.
Enter the install name[CSM]:

NOTE:
The product name is user-defined. In this document, CSM is used as an example.

2016-07-20 16:38:07 || main
2016-07-20 16:38:07 || main ====================================================
2016-07-20 16:38:07 || main ==== Executing vnfm_iptables.sh ========
2016-07-20 16:38:07 || main ====================================================
2016-07-20 16:38:07 || main
2016-07-20 16:38:07 || ****************************************************************
2016-07-20 16:38:07 || Start task at: Wed Jul 20 16:38:07 CST 2016
2016-07-20 16:38:07 || ****************************************************************
Enter the install path[/opt/oss]:/opt/oss
Enter the install name[CSM]:CSM
2016-07-20 16:38:13 || Finish deleting all iptables rules
2016-07-20 16:38:16 || Finish configuring iptables rules
2016-07-20 16:38:16 || Finish task at : Wed Jul 20 16:38:07 CST 2016

4. Harden the internal port of the standby CSM VM. For details, see 1 through 3.

Follow-up Procedure
After security hardening is performed on internal ports of the CSM, other products or tools
cannot access the internal ports of the CSM. To remove the security hardening for internal ports
of the CSM, run the command ./vnfm_iptables.sh -restore.
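
An added example, not part of the original document or of vnfm_iptables.sh: a check that, after hardening, TCP port 31013 accepts new connections only from the U2000. It assumes the rules are visible through iptables -S INPUT in the usual -s, -p, --dport, -j form; the U2000 address 192.0.2.10, both rule sets and the function name are constructed.

```sh
#!/bin/sh
# Added example (not Huawei code): verify that only the U2000 reaches port 31013.
# Assumptions: the hardening appears as INPUT-chain rules in "iptables -S INPUT"
# format; 192.0.2.10 is a constructed U2000 service address.
# Port ranges and multiport matches are not modelled in this simplified check.

# Constructed sample: the intended end state.
RULES_HARDENED='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 31013 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 31013 -j DROP'

# Constructed sample: a whole subnet is also accepted and nothing closes the port.
RULES_WEAK='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 31013 -j ACCEPT
-A INPUT -s 10.146.0.0/16 -p tcp -m tcp --dport 31013 -j ACCEPT'

# audit_port RULES PORT ALLOWED_IP
# Walks the rules in order (iptables stops at the first match) and prints one
# line per finding. Returns 0 when only ALLOWED_IP can open a connection to PORT.
audit_port() {
    printf '%s\n' "$1" | awk -v port="$2" -v allowed="$3" '
        # Value that follows option "name" on the current rule, or "" if absent.
        function opt(name,   i) {
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        closed { next }                      # already behind a catch-all DROP
        {
            proto = opt("-p"); dport = opt("--dport")
            src = opt("-s");   target = opt("-j")
            state = opt("--state") opt("--ctstate")
            if (proto != "" && proto != "tcp") next    # other protocol
            if (dport != "" && dport != port)  next    # other port
            if (opt("-i") == "lo")             next    # loopback traffic only
            if (state != "" && state !~ /NEW/) next    # cannot open a new connection
            sub(/\/32$/, "", src)                      # /32 is a single host
            if (target == "ACCEPT" && src != allowed) {
                print "exposed by rule: " $0; bad = 1
            } else if ((target == "DROP" || target == "REJECT") && src == "") {
                closed = 1                             # all other sources refused
            }
        }
        END {
            if (!closed && policy != "DROP") {
                print "no catch-all DROP/REJECT for port " port "; policy is " policy
                bad = 1
            }
            exit bad + 0
        }'
}

audit_port "$RULES_HARDENED" 31013 192.0.2.10 && echo "hardened sample: only the U2000 reaches 31013"
audit_port "$RULES_WEAK" 31013 192.0.2.10 || echo "weak sample: findings listed above"
```

On a CSM VM, run it as root against the live rules with audit_port "$(iptables -S INPUT)" 31013 followed by the U2000 service IP address, on both the active and the standby VM.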


4.4.3.6.1.7 Checking the Interconnection of the CSM with the U2000
After the CSM is interconnected with the U2000, the IaaS equipment is automatically added to
the U2000, and you can check whether the CSM is interconnected with the U2000 on the U2000
client.

Prerequisites
 The CSM has been interconnected to the U2000.
 You have logged in to the U2000 client. The user that logged in to the U2000 client has the
domain operation rights of the IaaS.

Procedure
1. Open the Main Topology page.
 Choose Topology > Main Topology (traditional style).
 Double-click Topo View in Application Center and choose Topology > Main
Topology (application style) to open the Main Topology window.

2. In the topology view in the right pane, check whether the IaaS icon is displayed.
 If yes, right-click the IaaS icon and choose Management from the shortcut menu. If the
system switches to the CSM, the CSM is interconnected with the U2000. If the system
does not switch to the CSM, resolve the problem as prompted.
 If no, the CSM is not interconnected to the U2000. When this occurs, contact Huawei
technical support engineers.

NOTE:
About 3 to 5 minutes later, if the IaaS icon is not displayed in the topology view, contact Huawei technical
support engineers.


4.4.3.6.1.8 Creating Users (U2000)


After the CSM operation rights are set for U2000 users on the U2000 client, U2000 users can log
in to and operate the CSM and deploy VNFs.

Prerequisites
 The CSM has been interconnected to the U2000.
 The CSM service is running properly.
 You have logged in to the U2000 client as a user in the SMManagers group.

Context

NOTE:
After VNFs have been deployed on the CSM and the CSM is interconnected with the U2000, old users created on
the CSM for VNF deployment become invalid. Create accounts with the same user names and passwords again on
the U2000.

Procedure
1. Open the Security Management page.
 Choose Security > Security Management (traditional style).
 Double-click Security Management in Application Center (application style).
2. Create a user group and set operation rights.

a. In the Security Management navigation tree, right-click the User Group node and
choose New User Group to create a user group, such as VNFM User Group.

b. On the Details tab, set the attributes of the user group.

• U2000 V200R016 or later version:

i. Set the user group name, description, and maximum number of sessions.
For example, set Name to VNFM User Group, enter Monitoring operations
for VNF equipment in Description, and set Maximum sessions to the default
value Unlimited.
ii. Click Next.

• U2000 V200R015 version:

i. Set the user group name, description, type, and maximum number of sessions.
For example, set Name to VNFM User Group, enter Monitoring operations
for VNF equipment in Description, set User group type to Common User
Group, and set Maximum sessions to the default value Unlimited.
ii. Click Next.

c. On the Domain tab page, set the domain for the user group to specify the object scope
that the user group manages.

i. Click Select.
ii. In the Authorization Mode area, select the Device mode.

iii. In the device list, select IaaS node, click .


iv. Click OK.
v. Click Next.

d. On the Operation Rights tab page, click Next.

If the NE mediation package is not deployed on the U2000, go to 2.i.

e. On the Secondary Authorization tab page, click Next.

f. On the Bound Subnet tab page, click Next.

g. On the Bound NE tab page, click Next.

h. On the Rules tab page, click Next.

i. Set the CSM operation rights for user groups.

On the VNFM Rights tab page, set the CSM operation rights granted to VNFM
User Group.
Figure 1 Select VNFM rights

NOTE:
If the operation items are still not displayed after about 3 to 5 minutes, contact Huawei technical
support engineers.

j. Click Finish.

3. Create a user.

a. In the Security Management navigation tree, right-click User, and select New User.

b. In the New User dialog box, set the common attributes of the OM user and add the OM
user to the user group. For detailed operations, see Table 1.

Table 1 Common attributes of OM users

| Parameter | Parameter Description | Mandatory (Yes/No) |
|---|---|---|
| User name | Refers to the name of a new OM user, for example, VNFM_User. NOTE: The user name must be 6 to 32 characters long and cannot contain spaces or the following special characters: "#%&'+/;<=>?\ | Yes |
| Description | Provides a brief description of a user, for example, VNF equipment management user. | No |
| Password/Confirm Password | Refers to the initial password of an OM user. When setting the password, ensure that the password meets the requirements of the system user password policy. After an OM user is created, the OM user needs to use the initial password for the first login. NOTE: (1) The password settings must comply with the password policies. For details about how to set password policies, click Password Policy in the New User dialog box. (2) Do not include %% (double percents), double spaces, +++ (three pluses), --- (three minuses), or END in your password. | Yes |
| Require user to change password on next login | Deselect the Require user to change password on next login check box. NOTE: If this check box has been selected, you can change the password of the user on the U2000 client. For details, see U2000 User Management User Guide. | No |

c. Click Add. In the displayed Add User Group dialog box, select the new user group, for
example, VNFM User Group, and click OK.

d. In the New User dialog box, click OK to complete the creation of a new OM user.

Parent topic: Interconnecting the CSM with the U2000 (Wireless/Core)


4.4.3.6.1.9 Creating a nerestuser User
Create a nerestuser user on the U2000 client. The NE can use this account to log in to the CSM for
lifecycle management.

Prerequisites
• The CSM has been interconnected to the U2000.
• You have logged in to the U2000 client as a user in the SMManagers group.
• You have created a user group for the nerestuser user and granted the VNF Management >
VNF Operation Management and VNFD Management operation rights to the CSM. For
details, see section Creating Users (U2000).

NOTE:
When the CSM is upgraded from vCMM V100R001C10 to CSM V200R016C10 or a later version, if the vCMM
was interconnected with the U2000 before the upgrade, you need to assign the VNF Management > VNF Operation
Management and VNFD Management permissions to the CSM after the upgrade.

Context

NOTICE:
After VNFs have been deployed on the CSM and the CSM is interconnected with the U2000,
you need to create user nerestuser again on the U2000.

Procedure
1. Open the Security Management page.
• Choose Security > Security Management (traditional style).
• Double-click Security Management in Application Center (application style).
2. In the Security Management navigation tree, right-click User, and select New User.
3. In the New User dialog box, set the common attributes of the nerestuser user. For detailed
operations, see Table 1.

Table 1 Common attributes of the nerestuser user

| Parameter | Parameter Description | Mandatory (Yes/No) |
|---|---|---|
| User name | Set to nerestuser. | Yes |
| Description | Provides a brief description of a user. For example, this user is used by the NE to connect to the CSM. | No |
| Password/Confirm Password | Set to Hk%w-!d@8Ve)qH6p. | Yes |
| Require user to change password on next login | Deselect the Require user to change password on next login check box. NOTE: If this check box has been selected: (1) You can change the password of user nerestuser on the U2000 client. For details, see U2000 User Management User Guide. (2) You also need to run the SET VNFMINFO command on the LMT of the VOMU (including deployed VOMUs and VOMUs to be deployed) to change the password of user nerestuser. (3) Do not include %% (double percents), double spaces, +++ (three pluses), --- (three minuses), or END in your password. | No |

NOTE:
If Password validity period is set to 0, the password is valid permanently.

4. Click Add. In the displayed Add User Group dialog box, select the user group for the
nerestuser user and click OK.
5. In the New User dialog box, click OK to complete the creation of the nerestuser user.
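
The user name and password character rules given in the two parameter tables above can be checked before accounts are entered in the New User dialog box. The following Python script is an added example, not part of the product documentation: the function names are hypothetical, the forbidden characters and sequences are copied as they appear on this page, END is assumed to be matched exactly as written, and the site's own password policy (length, complexity, validity period) is not checked.

```python
"""Pre-check planned U2000 account names and passwords (added example)."""

# Characters the page lists as not allowed in a user name (space is checked separately).
FORBIDDEN_NAME_CHARS = set("\"#%&'+/;<=>?\\")

# Sequences the page says must not appear in a password.
# Assumption: END is matched exactly as written (upper case).
FORBIDDEN_PW_SEQUENCES = {
    "%%": "double percents",
    "  ": "double spaces",
    "+++": "three pluses",
    "---": "three minuses",
    "END": "END",
}


def check_user_name(name):
    """Return a list of rule violations for a user name (empty list = OK)."""
    problems = []
    if not 6 <= len(name) <= 32:
        problems.append(f"length {len(name)} is outside 6-32")
    if " " in name:
        problems.append("contains a space")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def check_password_sequences(password):
    """Return the labels of forbidden sequences found in a password."""
    return [label for seq, label in FORBIDDEN_PW_SEQUENCES.items() if seq in password]


def check_accounts(accounts):
    """Map each failing user name to its violations; accounts is {name: password}."""
    report = {}
    for name, password in accounts.items():
        issues = check_user_name(name) + [
            f"password contains {label}" for label in check_password_sequences(password)
        ]
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    # Constructed sample accounts; none of these values come from a real system.
    planned = {"nerestuser": "Constructed-Pass%1", "ops user#1": "a%%b+++END", "vnf": "two  spaces"}
    for user, issues in check_accounts(planned).items():
        print(user, "->", "; ".join(issues))
```
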
