CloudOpera Orchestrator SDN V200R002C10 Backup and Restoration Guide 01
V200R002C10
Issue 01
Date 2018-01-10
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: [email protected]
Preface
Purpose
This document provides guidance for backing up and restoring the CloudOpera Orchestrator
SDN service instances.
Intended Audience
This document is intended for system maintenance engineers who are familiar with:
l Live network
l Service maintenance
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Change History
Issue Date Description
Contents
Preface
1 Overview
1.1 Backup and Restoration Scenarios
1.2 Backup and Restoration Policies
1.2.1 Concepts
1.2.2 Backup Policies
1.2.3 Restoration Policies
1.3 Backup Server Requirements
2 Data Backup
2.1 Setting Global Backup Parameters
2.2 Backing Up Dynamic Data
2.2.1 Logical Backup
2.2.1.1 Backing Up Dynamic Data on a Scheduled Basis
2.2.1.2 Backing Up Dynamic Data in Real Time
2.2.2 Physical Backup
2.3 Backing Up Product Application Software
2.4 Backing Up Database Software
2.5 Backing Up OS Data
2.6 Backing Up Management Plane
5.1.2 Benefits
5.1.3 Solution Overview
5.2 Establishing a Remote DR System
5.2.1 Node Introduction
5.2.2 Environment Requirements
5.2.3 Process Overview
5.2.4 Installing the Primary and Secondary Site
5.2.5 Configuring Services of the Primary Site
5.2.6 Security Hardening
5.2.6.1 Overview
5.2.6.2 Uploading Node Data Files and Tools
5.2.6.3 MySQL Database Hardening
5.2.6.4 Remote SSH Security Hardening
5.2.6.5 OS Port Hardening
5.2.6.6 Security Hardening Requirements
5.2.7 Configuring the DR System
5.2.7.1 Updating Certificates for the Management Plane and Service Plane
5.2.7.2 Backing up the Primary and Secondary Sites
5.2.7.3 Associating the Primary and Secondary Sites
5.2.8 Migrating the DR System
5.2.9 Configuring Services of the Secondary Site
5.3 Remote DR System Common Operations
5.3.1 Disaster Recovery Scenarios
5.3.2 Disaster Recovery System Drill
5.3.3 Taking Over Services from the Faulty Site
5.3.4 Forcibly Synchronizing Data Between Sites
5.3.5 Deleting the Data Synchronization Relationship Between the Active and Standby Sites
5.3.6 Separating the Primary and Secondary Sites
5.3.7 Updating Certificates for the Disaster Recovery System
5.3.8 Changing the Encryption Key of DR Certificates
5.3.9 Manually Synchronizing DR Certificates
5.4 Remote DR System Alarms
5.4.1 ALM-100000 Certificate of the Remote DR System About to Expire
5.4.2 ALM-101200 Abnormal Replication
5.4.3 ALM-101201 Abnormal Heartbeat
5.4.4 ALM-101203 Migration Failure
5.4.5 ALM-101204 Abnormal Deployment of the Primary and Secondary Sites
6 Common Operations
6.1 Configuring SFTP Fingerprint Authentication
6.2 How Do I Start a Service?
6.3 How Do I Stop a Service?
6.4 Starting a DB Instance
7 FAQ
7.1 Failed to Create Dynamic Data Backup Tasks
7.2 Failed to Create Service Restoration Tasks
7.3 OS Security Hardening Items
7.4 MySQL Database Security Hardening Items
7.5 How to Upload Files to a Specified Directory After OS Security Hardening Is Performed
7.6 Updating Certificates of Active and Standby Sites Manually
7.6.1 Updating CA Certificates of Management Nodes
7.6.2 Updating CA Certificates of Non-Management Nodes
7.6.3 Updating the Certificate Password
7.7 Changing Passwords for Backup Server User
1 Overview
Back up product data in a timely manner so that, when the product malfunctions, the backup files can be used to quickly restore it.
Before performing backup and restoration operations, understand backup and restoration
scenarios and policies.
Backup Scenarios
To enable fast data restoration, back up data in the following scenarios. Table 1-1 lists common backup scenarios. Before backing up data, ensure that no time-consuming system or service provisioning operation is in progress.
Restoration Scenarios
To restore a service instance whose database instances are running properly but the service
instance is unavailable because of data errors, select the corresponding backup files and
restore data. Table 1-2 lists common restoration scenarios.
Scenario: Generally, if the service instance cannot be used because the database instance is running properly but the service instance data is abnormal, you can restore the service instance data to the state at a certain time point.
Required backup data: Periodically backed-up dynamic data.
Scenario:
l If the database upgrade or patch installation fails, the database files are damaged, but the OS still runs properly, you can use the backup data to restore the database to the state before the upgrade or patch installation.
l If the database upgrade or patch installation succeeds, CloudOpera Orchestrator SDN is abnormal, the database files are damaged, but the OS still runs properly, you can use the backup data to restore the database to the state after the upgrade or patch installation.
Required backup data:
1. Database software backup files
2. Dynamic data backup files
A restoration policy specifies the data restoration sequence to ensure that users can restore data successfully.
1.2.1 Concepts
Understanding common concepts of the backup and restore operations will help you
understand the backup and restoration scenarios and policies.
Product
A product contains multiple services.
Service
A service is a set of on-demand, dynamic, and scalable software that is provided for
applications (and third-party applications).
Database Instance
A database instance consists of a database process and the database files that it controls. One database instance can contain multiple databases.
Service Instance
A service instance contains multiple microservice instances. One database corresponds to one
or more microservice instances.
Figure 1-1 illustrates the relationship between service instances and database instances.
Associated Service
When multiple service instances share the same database, these service instances are associated services. If one of the associated service instances is selected, all the associated service instances are also selected, and they are backed up or restored as a whole.
In Figure 1-2, service 1 and service 2 are associated services (sharing database A). If you select service instance 1 or service instance 2, the other service instance will also be selected; both service instances are then backed up or restored together.
Data Description
Static data: Data that does not change in real time when the system runs, that is, the data backed up as product application software and database software.
Dynamic data: Data that changes in real time when the system runs, that is, the service instance data.
Full Backup
All the selected data and files at a specific time point are completely backed up. The backup mode
provided in this document supports only full backup.
Incremental Backup
Compared with the last backup, data and files that have changed will be backed up. The
backup mode provided in this document does not support incremental backup.
Management Node
The management node is the node used to log in to the management plane of CloudOpera Orchestrator SDN, that is, the node whose name ends with Deploy in the node plan.
Backup Parameters
Table 1-3 describes backup parameters.
Item Description
Backup file storage threshold: The maximum number of latest backup files that CloudOpera Orchestrator SDN can store is limited. If the number of backup files exceeds the threshold, the earliest backup files are deleted automatically.
The default number of latest backup files that can be
stored is as follows:
l Dynamic data: 15.
l Product application software: 1.
l Database software: 5.
l OS: 3.
l Management plane: 3.
The threshold for storing backup files of dynamic data
can be modified by referring to 2.1 Setting Global
Backup Parameters. The threshold for storing backup
files of the management plane can be modified by
referring to 3.5 Restoring Management Plane. The
product application software, database software, and OS
are not often backed up and restored. The default backup
file storage threshold for these three types of data is
already the recommended value in CloudOpera
Orchestrator SDN. You do not need to manually change
the threshold.
Backup Mode
l Scheduled backup: Data is automatically backed up to a backup server at scheduled time.
There are three types of scheduled backup: one-time backup, periodic scheduled backup,
and default scheduled backup.
For periodic scheduled backup, you are advised to set the backup interval to one day.
Although the interval can be user-defined, a long interval is not recommended because data
backup at long intervals may result in data loss during data restoration.
– Default scheduled backup: After CloudOpera Orchestrator SDN is successfully
installed and the backup server parameters are set, the system automatically creates
a default scheduled backup task which will be executed at 01:00:00 every day.
l Manual backup: Data of a service instance is manually backed up to a backup server.
Figure 1-3 shows the backup modes supported by various types of data.
Scenario: During the normal running of the product, the dynamic data changes in real time. Therefore, you need to obtain the latest dynamic data to restore the product when the product is faulty.
Backup policy: Periodically back up dynamic data. It is recommended that the backup period be set to 1 day.
l If you need to restore all the three types of data, restore operating system data, static
data, and dynamic data in sequence.
l If you need to restore static data and dynamic data, restore static data first.
Requirement Description
2 Data Backup
To ensure the safety and stability of CloudOpera Orchestrator SDN, back up its data after the global backup parameters are set successfully. When CloudOpera Orchestrator SDN is abnormal, you can use the backup data to restore it.
NOTICE
The backup data may contain some personal information (such as names, mobile numbers,
and email addresses) as well as the names and passwords of all users configured on
CloudOpera Orchestrator SDN. You must follow the applicable laws in your country or the
privacy policies of your company and take effective measures to fully protect customer
privacy.
You can manually back up the management-plane applications and service instance data
through CloudOpera Orchestrator SDN.
Prerequisites
You have obtained the IP address of the backup server, the SFTP user name and password, and the storage path for the backup files.
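Before configuring the parameters, you can optionally verify from a node that the backup server is reachable over SFTP. The following is a hedged sketch; the IP address 10.10.10.2, the backupuser account, and the bin path are placeholders that must be replaced with your planned values:
sftp [email protected]
sftp> cd bin
sftp> pwd
sftp> bye
If the connection is established and the planned backup path can be opened, the server information can be entered in the global backup parameters.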
Context
If multiple backup servers are configured in the same region, the same backup data is stored
on all backup servers in the region. Backup servers in this region work in redundancy mode.
When a backup server is faulty, other backup servers can provide backup data.
Step 2 Choose Backup and Restore > Configurations > Configure Global Backup Parameters
from the main menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 3 In the Configure Backup Server Parameters area, click Add Backup Servers and set
backup server parameters. For details about how to set the server parameters, see Table 2-1.
Parameter Description
Transmission Mode: The transmission mode between the local server and the backup server. Only the SFTP mode is supported.
Parameters: User name and corresponding password for the SFTP protocol.
Enter the user name and password according to the actual
situation.
If the primary and secondary management node serves as a
backup server, the corresponding user account is backupuser.
The default password of backupuser is Changeme_123.
NOTE
l In security hardening scenarios, the root user does not support SFTP.
Therefore, you are advised to use the backupuser user, not the root
user, as the backup server user.
l If you change the password of the backup server user, you also need to
change the password for the backup server in the global backup
parameters. If you do not change the password, CloudOpera
Orchestrator SDN cannot access the backup server. As a result, the
backup and restore function cannot be used.
Server Connectivity: Click Validate to verify that fingerprint authentication is added for all nodes and that connectivity to the backup server is tested.
l If the Warning dialog box is displayed, click OK to add
fingerprint authentication. Otherwise, fingerprint
authentication is not added to the node. The node cannot
connect to the backup server, which will result in data
backup failure.
l If the Warning dialog box is not displayed, fingerprint
authentication has been added for all nodes.
NOTE
The execution duration of verification varies depending on the number
of nodes in the system and the machine performance. The execution
duration is about 30 seconds.
Backup Path: Click Browse to set the backup path for the backup server.
l If the planned backup server is used, select a path based on
the site requirements.
NOTE
l The system has automatically associated with this backup path. You
can choose a desired one based on site requirements.
l The backup path must be subfolders under the SFTP shared
directory, such as bin.
l A backup task can be successfully executed only when the backup
directory has sufficient space. You are advised to run the df -h
command to check whether the backup directory has sufficient
space.
l If the management node is used as the backup server, select
the dev directory.
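As a supplementary check (a hedged example; /home/backupuser/bin is a placeholder for your actual SFTP shared directory and backup subfolder), you can confirm the free space of the backup directory on the backup server before creating backup tasks:
df -h /home/backupuser/bin
If the Avail column shows less free space than the expected size of the backup files, clean up the directory or choose another backup path.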
Step 4 Click the icon in the row of the newly added backup server to save information about it.
----End
If the target service is associated with other services, when the target service is selected, the
associated services are also selected. If the storage threshold of the target service is
modified, the modification also applies to the associated services. For details about the
association relationship between services, see section 1.2.1 Concepts.
c. In the displayed dialog box, click OK.
l Set the storage threshold for backup files of products or service instances in batches.
a. In the Configure Storage Strategy of the Dynamic Data Backup File area, select
the product to be backed up and click the icon in the Details column.
b. Select the target product or the service instance under the product.
c. Enter the number of backup files in Batch Modifying Selected Threshold and
click Apply.
d. In the Warning dialog box, click OK.
e. At the bottom of the page, click OK.
f. In the dialog box that is displayed, click OK.
Context
Logical backup and physical backup have different definitions and application scenarios. For
details, see Table 2-2.
Logical backup: Run structured query language (SQL) statements to export data from the database and save the exported data in a file. If the status of a task is not Succeeded during logical backup of a database instance in the service deployment system, data of that task cannot be restored during logical restoration of the database instance. Application scenario: see 1.1 Backup and Restoration Scenarios.
Physical backup: Copy the operating system files included in the database from one directory to another. Application scenario: if the master and slave database instances are abnormal, you are advised to use this mode to back up database configuration files.
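To make the distinction concrete, the following generic MySQL commands illustrate the two modes; they are not the product's own backup tooling, and the user name, database name, and paths are placeholders:
# Logical backup: export data with SQL statements into a file
mysqldump -u backupuser -p servicedb > /backup/servicedb.sql
# Physical backup: copy the database files from one directory to another
cp -a /var/lib/mysql /backup/mysql-files
The product performs these operations through the backup policies described in this section; the commands only show what "logical" and "physical" mean in practice.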
Prerequisites
l Global backup parameters have been set. For details, see 2.1 Setting Global Backup
Parameters.
l The database instances of the service instances to be backed up are running properly.
Context
l Before creating a backup task, ensure that no system or service provisioning operation
that takes much time is performed, preventing the backup task from affecting other
operations.
l 24 hours after CloudOpera Orchestrator SDN is successfully installed, the system
automatically enables scheduled backup and backs up all the current service data at 01:00:00 every day (excluding newly added or deleted service
instances). If you want to create another scheduled backup task, see the following
procedure.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Configurations > Schedule Backup Data from the main
menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 5 On the Select backup object page, set the backup object.
1. Set the scheduled task type. The options are One-Time Task and Periodic Task.
2. Select the product to be backed up and click the icon in the Detail Information column.
3. Select service instances of the product that need to be backed up and deselect SMS/
WAN.
NOTE
If the service instance to be backed up is associated with other service instances, when the service
instance is selected, the associated service instances will also be selected. For details about the
association relationship between service instances, see 1.2.1 Concepts.
4. Click Next.
Step 6 On the Set schedule parameters page, set the relevant parameters and click Next.
Step 7 (Optional) On the Set the backup reason page, enter descriptions of the current backup task
in the Backup reason text box to differentiate the current task from other backup tasks.
Step 8 Click Next. In the displayed Warning dialog box, click OK.
l The task is created successfully. After the task starts, click Task Information List to
view the task execution results.
l If the task fails, contact Huawei technical support.
----End
Related Tasks
After a scheduled backup task is created, you can click Modify to modify the created
scheduled backup task.
Prerequisites
l You have set global backup parameters. For details, see 2.1 Setting Global Backup
Parameters.
l The database instances of the service instances to be backed up are running properly.
Context
Ensure that no system or service provisioning operation that takes much time is performed.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Backup data > Backup Dynamic Data from the main menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 4 On the Select backup object page, select the product to be backed up and click the icon in the
Detail Information column. Select services of the product that need to be backed up, deselect
SMS/WAN, and click Next.
NOTE
If the service instance to be backed up is associated with other service instances, when the service
instance is selected, the associated service instances will also be selected. For details about the
association relationship between service instances, see section 1.2.1 Concepts.
Step 5 (Optional) On the Set the backup reason page, enter the name of the current backup task in
the Backup reason text box to differentiate the current task from other backup tasks.
Step 6 Click Next. In the displayed Warning dialog box, click OK.
l The task is created successfully. To view the task execution results, click Task
Information List.
l If the task fails, contact Huawei technical support.
----End
Prerequisites
Ensure that fingerprint authentication is added to the master and slave database nodes and
primary and secondary management nodes. For details, see 6.1 Configuring SFTP
Fingerprint Authentication.
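If you want to check from the command line whether a node already trusts the backup server before running the procedure in 6.1 Configuring SFTP Fingerprint Authentication, the following hedged check can be used (the IP address is a placeholder, and the product's own procedure takes precedence):
ssh-keygen -F 10.10.10.2
If the command prints no matching entry, the backup server's host key fingerprint has not yet been added to the known_hosts file on that node.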
Procedure
Step 1 Log in to the service deployment system at https://IP address:31943, where IP address is the floating IP address of the primary and secondary management nodes.
2. Select the backup policy whose Policy Name is default, click the icon in the Operation
column, and modify the backup policy.
NOTE
The backup policy whose Policy Name is default is the default backup policy. Directly modify it
to facilitate physical backup.
Set Backup mode to Physical backup, and set other backup policy parameters with
reference to Table 2-3.
NOTE
– If Scheduled Backup is enabled, the system completes physical backup when the specified
time arrives.
– If Scheduled Backup is disabled, manually perform physical backup with reference to Step 3.
When you select all database instances, only the database instances on the current page can be
selected by default. If the database instances occupy more than one page, select all database
instances on each page in sequence.
2. On the Manual Backup page, select the backup policy whose Backup mode is set to
Physical backup and whose Policy Name is the one selected in Step 2.2.
3. Click OK. Manual backup is successfully issued. When the manual physical backup
policy is successfully issued, the Deployment > Microservices Deployment > Tasks
page is displayed.
4. On the displayed Task List page, view Progress and Status information of each task of
database instance physical backup.
When the progress of each database instance physical backup task reaches 100% and
Status is successful, physical backup is successful.
----End
Prerequisites
You have set global backup parameters. For details, see 2.1 Setting Global Backup
Parameters.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Backup data > Backup Product Application Software
from the main menu.
Step 4 On the Select backup object page, select the object product and click Next.
Step 5 (Optional) On the Set the backup reason page, enter the backup task name for Backup
reason to distinguish it from other backup tasks.
Step 6 Click Next. In the displayed Warning dialog box, click OK.
l The system has created a task successfully. Click Task Information List to view the
task execution status.
l If the task execution fails, rectify the failure based on detailed information about the task.
----End
Prerequisites
You have set global backup parameters. For details, see 2.1 Setting Global Backup
Parameters.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Backup data > Backup Database Software from the main
menu.
Step 4 On the Select backup object page, select the object product and click Next.
Step 5 (Optional) On the Set the backup reason page, enter the backup task name for Backup
reason to distinguish it from other backup tasks.
Step 6 Click Next. In the displayed Warning dialog box, click OK.
l The system has created a task successfully. Click Task Information List to view the
task execution status.
l If the task execution fails, rectify the failure based on detailed information about the task.
----End
Prerequisites
You have set global backup parameters. For details, see 2.1 Setting Global Backup
Parameters.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Backup data > Backup Operating System from
the main menu.
Step 4 On the Select backup object page, select the object node and click Next.
Step 5 (Optional) On the Set the backup reason page, enter the backup task name for Backup
reason to distinguish it from other backup tasks.
Step 6 Click Next. In the displayed Warning dialog box, click OK.
l The system has created a task successfully. Click Task Information List to view the
task execution status.
l If the task execution fails, rectify the failure based on detailed information about the task.
----End
Prerequisites
You have set global backup parameters. For details, see 2.1 Setting Global Backup
Parameters.
Procedure
Step 1 Choose Backup and Restore > Backup data > Backup Management from the main menu.
Step 2 (Optional) Enter the number of backup files in the Backup File Storage Threshold row.
Step 3 Create corresponding backup tasks as required, including the manual task and the timed task.
Timed Task Create a task. 1. On the Timed Task tab, click Create.
2. Set parameters according to the plan, and then
click Save.
3. In the Warning dialog box, click OK.
After the timed task is created successfully,
choose System > Task Manager > Task
Information List to view the task status.
– If the task is successfully executed, no further
operation is required.
– If the task failed to be executed, choose
System > Task Manager > Task Information
List to view the task status and rectify the
failure based on detailed information about the
task.
Refresh tasks. On the Timed Task tab, click Refresh to refresh the
timed task list.
----End
When CloudOpera Orchestrator SDN is abnormal, you can use the backup data to restore
CloudOpera Orchestrator SDN.
Prerequisites
l Data of the service instances to be restored has been backed up. For details, see 2.2.1.1 Backing Up Dynamic Data on a Scheduled Basis or 2.2.1.2 Backing Up Dynamic Data in
Real Time.
l Service instances to be restored are in the stopped state, and database instances are
running properly. For details, see 6.3 How Do I Stop a Service?.
Context
The system automatically checks the file integrity. If the files are complete, the system starts
restoration.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Restore Data > Restore Dynamic Data from the main
menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 4 On the Restore Dynamic Data page, select the backup server.
Step 5 Select the product to be restored and click the icon in the Detail Information column.
Step 6 Select service instances of the product that need to be restored and deselect SMS/WAN.
Select corresponding backup files in the Backup File column based on the restoration
scenario and click Restore at the bottom of the page.
NOTE
If the service instance to be restored is associated with other service instances, when the service instance
is selected, the associated service instances will also be selected. For details about the association
relationship between service instances, see section 1.2.1 Concepts.
NOTICE
If the SMS/WAN service instance is restored, no data are displayed for each host IP address
after you choose Service Monitor > Service Monitoring > Hosts. For details about service
monitoring, see "Viewing Monitoring Data" in Maintenance Guide.
----End
Follow-up Procedure
Start the restored service instances. For details, see section 6.2 How Do I Start a Service?.
Prerequisites
l Data of the service instances to be restored has been backed up. For details, see 2.2.1.1 Backing Up Dynamic Data on a Scheduled Basis or 2.2.1.2 Backing Up Dynamic Data in
Real Time.
l Service instances are in the stopped state. For details, see 6.3 How Do I Stop a Service?.
Procedure
Step 1 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 2 Input the user name admin and password on the login page, and click Log In.
Step 3 Choose Backup and Restore > Restore Data > Restore Product Application Software
from the main menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 4 Restore product application software on the Restore Product Application Software page.
1. Select the backup server.
2. Select the object product and click the icon in the Node Information column.
3. Select the node whose product application software is to be restored.
4. Click Restore.
5. In the displayed Warning dialog box, click OK.
The system has created a task successfully. Click Task Information List to view the
task execution status. If the task execution fails, rectify the failure based on detailed
information about the task.
6. Start the restored product application software. For details, see section 6.2 How Do I
Start a Service?.
----End
Follow-up Procedure
1. Restore a service instance data. For details, see 3.1 Restoring Dynamic Data.
2. Start the service. For details, see section 6.2 How Do I Start a Service?.
Prerequisites
l Database software, product application software, and service instance data have been
backed up.
l Service instances are in the stopped state. For details, see 6.3 How Do I Stop a Service?.
l Database services are in the stopped state. For details, see section 6.5 Stopping a DB Instance.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://IP address:31943 in the address box and press Enter.
– In a two-node cluster, replace IP address with the floating IP address of the primary
and secondary management nodes.
– In a single node system, replace IP address with the IP address of the management
node.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Open a web browser, input https://IP address:31943 in the address box (replace IP address with the floating IP address of the primary and secondary management nodes), and press Enter.
Step 3 Input the user name admin and password on the login page, and click Log In.
Step 4 Choose Backup and Restore > Restore Data > Restore Database Software from the main
menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 5 On the Restore Database Software page, select the backup server.
Step 6 Select the product to be restored and click the icon in the Detail Information column.
----End
Follow-up Procedure
1. Start the database service. For details, see section 6.4 Starting a DB Instance.
2. Start the restored service instances. For details, see section 6.2 How Do I Start a Service?.
3. Restore the service instance data. For details, see 3.1 Restoring Dynamic Data.
Prerequisites
The OS data, database software, product application software, and service instances data have
been backed up.
Procedure
Step 1 Choose Backup and Restore > Restore Data > Restore Operating System from the main
menu.
NOTE
Due to data cache, it takes about 20 seconds to open the page for the first time. The waiting time
depends on the number of services in the system and the server performance.
Step 2 On the Restore Operating System page, select the backup server. For details about how to
select nodes or service instances, see 6.6 Selecting One or Multiple Backup Objects.
Step 3 Select the object node and select the backup file in the Backup File column. Then click
Restore.
Step 4 In the Select restore mode and continue dialog box, select a restoration mode based on the virtualization scenario and click OK.
l If the VM on which the service node is deployed is created in the FusionSphere
OpenStack+KVM scenario, select ISO.
l If the VM on which the service node is deployed is created in the VMWare,
FusionCompute, or OpenStack+FusionCompute scenario, select PXE.
Step 5 In the displayed Warning box, select Are you sure you have finished configuring and
starting VMs? and click OK.
The system has created a task successfully. In the displayed Prompt dialog box, click Task
Information List to view the task execution result.
NOTICE
After the task is created, wait about 10 minutes. The system will report the task execution
progress in Task Information List. When the task execution progress is displayed as 1% in
Task Information List, you can proceed with the next step.
Restoration Mode: You have selected ISO in Step 4.
Procedure:
NOTE
If there are primary and secondary management nodes, the ISO image file of the OS exists only on one of the management nodes. Log in to either management node to check whether the ISO file exists. If the file does not exist, log in to the other management node. In the following part, operations on management nodes need to be performed only on the management node that contains the ISO file.
1. Use FileZilla to log in to the management node as the ossadm user.
2. Obtain the generated ISO image file of the OS, for example, restoreos_20171201162234.iso, from the /opt/oss/manager/agent/BackupService/tools/q_deployer/tftpboot/pxelinux.cfg/ directory.
3. Contact the lab O&M personnel to upload the ISO file to the server on which the node with the OS to be restored is deployed.
4. Contact the lab O&M personnel to set the VM to boot from a CD-ROM drive in the virtualization management software in use (for example, vCenter or FusionManager).
5. Log in to the management node through the VNC console in the virtualization management software, and choose Restore OS. The OS restoration task will then continue. Otherwise, the restoration task will be canceled two hours later.
6. After the OS is restored, go to Step 7.
Restoration Mode: You have selected PXE in Step 4.
Procedure:
NOTICE
The DHCP service is started on the maintenance network of the CloudOpera Orchestrator SDN when you restore OS data. Ensure that there is no MAC-restricted DHCP server in the maintenance network plane. Otherwise, the boot process of the OS restoration will be affected, causing the OS restoration to fail.
1. Contact the lab O&M personnel to set the VM to boot from the network. The OS restoration task will then continue. Otherwise, the restoration task will be canceled two hours later.
2. After the OS is restored, go to Step 7.
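Related to the ISO mode in the table above, you can quickly check whether the generated ISO file exists on a management node before contacting the lab O&M personnel (a hedged example; the file name is illustrative):
ls /opt/oss/manager/agent/BackupService/tools/q_deployer/tftpboot/pxelinux.cfg/*.iso
If no .iso file is listed on the current management node, log in to the other management node and repeat the check.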
Step 7 Use PuTTY to log in to the node with the OS restored as the ossadm user.
l If you can successfully log in to the node, the node is normal. In this case, go to Step 8.
l If the login fails or no response is returned, the node is abnormal. In this case, go to Step
8 and contact Huawei technical support.
Step 8 Contact the lab O&M personnel to set the VM to boot from a boot disk.
----End
Follow-up Procedure
1. Restore database software. For details, see 3.3 Restoring Database Software.
2. Restore product application software. For details, see 3.2 Restoring Product
Application Software.
3. Restore service instances data. For details, see 3.1 Restoring Dynamic Data.
Prerequisites
The DHCP service is started on the maintenance network of the CloudOpera Orchestrator
SDN when you restore OS data.
NOTE
When restoring the OS data, ensure that there is no MAC-restricted DHCP server in the maintenance
network plane. Otherwise, the boot process of the OS restoration will be affected, causing the OS
restoration failure.
Procedure
Step 1 Use PuTTY to log in to the faulty node as the sopuser user.
l If you can successfully log in to the faulty node, go to Step 2.
l If you cannot log in to the faulty node, go to Step 4.
Step 2 Run the following command to check whether the network connection is normal.
su - sopuser
ping Management plane IP address
Ensure that the network connection is normal. If it is abnormal, contact the network
administrator.
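For example, assuming the management plane IP address is 10.10.10.1 (a placeholder), the connectivity check could look as follows:
ping -c 4 10.10.10.1
If echo replies are received, the network connection is normal; if all packets are lost, contact the network administrator.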
Step 3 Contact the IT administrator to check whether the VM of the management node is normally
running. Ensure that the VM of the management node is not powered off or is not deleted.
If the VM is running normally, go to Step 4.
Step 4 Log in to any non-management node in the same area as the management plane as the
sopuser user.
Step 5 Run the following commands to restore the OS of the management plane:
su - ossadm
cd /opt/oss/manager/agent/BackupService/tools/backuprestore/restoreOS
./restoreManagerOS.sh
Step 6 Enter the following in sequence: the IP address of the faulty management node, the IP address
of the node you have logged in to, the IP address of the remote SFTP backup server, backup
path, and the user name and password of the backup server. Then press Enter.
Please enter manager ip:10.10.10.1
Please enter local machine ip:10.10.10.3
Please enter backup server ip:10.10.10.2
Please enter backup file path:bin/management/static/
20170713174525181/10.10.10.1/OS/20170713174525181.tar.gz
Please enter backup server username:sopuser
Please enter backup server passwd:
Parameter Description
Please enter local machine ip: IP address of the node that you have logged in to.
Please enter backup server ip: IP address of the remote SFTP backup server.
NOTE
The value of this parameter must be the same as the value set in Setting Global Backup Parameters for backup and restoration.
Please enter backup file path: Backup path of the OS files of the management plane. The format of the backup path is as follows: Path configured during global parameter setting/management/static/Timestamp/IP address of the management node to be restored/OS/Backup file to be restored
For example, if the path is set to bin during global parameter setting, the backup path is bin/management/static/20170713174525181/10.10.10.1/OS/20170713174525181.tar.gz. In this path, management/static/20170713174525181/10.10.10.1/OS/20170713174525181.tar.gz is the specific file backup path, and the actual path prevails.
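If you are unsure which backup file to enter, you can list the available backup timestamps under the configured path on the backup server first (a hedged example; shell or SFTP access to the backup server is assumed, /home/sopuser is a placeholder for the SFTP root directory, and bin is the configured global backup path):
ls /home/sopuser/bin/management/static/
Each subdirectory is a backup timestamp. Append the IP address of the management node to be restored, OS, and the corresponding .tar.gz file to the chosen timestamp directory to form the value of Please enter backup file path.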
Step 7 When the following information is displayed, enter the mode for restoring the OS of the
management node:
Which restoration mode do you want? [ISO/PXE]:
l If the VM is created in the OpenStack+KVM scenario, enter ISO and press Enter.
l If the VM is created in the VMWare, FusionCompute, or OpenStack+FusionCompute
scenario, enter PXE and press Enter.
The following information is displayed:
Are you sure you have finished configuring and starting VMs? [y/n]:
Configured Restoration Mode: You have entered ISO in Step 7.
Procedure:
1. Use FileZilla to log in to the non-management node in Step 4 as the ossadm user.
2. Obtain the generated ISO image file of the OS, for example, restoreos_20171201162234.iso, from the /opt/oss/manager/agent/BackupService/tools/q_deployer/tftpboot/pxelinux.cfg/ directory.
3. Contact the lab O&M personnel to upload the ISO file to the server on which the management node with the OS to be restored is deployed.
4. Contact the lab O&M personnel to set the VM to boot from a CD-ROM drive in the virtualization management software in use (for example, vCenter or FusionManager).
5. Log in to the management node through the VNC console in the virtualization management software, and choose Restore OS.
6. Go to Step 9.
Configured Restoration Mode: You have entered PXE in Step 7.
Procedure:
NOTICE
When you restore OS data, the DHCP service is started on the non-management node that is in the same area as the management plane. Ensure that there is no MAC-restricted DHCP server in the maintenance network plane. Otherwise, the boot process of the OS restoration will be affected, causing the OS restoration to fail.
1. Contact the lab O&M personnel to set the VM to boot from the network.
2. Go to Step 9.
Step 10 Use PuTTY to log in to the node with the OS restored as the ossadm user.
l If you can successfully log in to the node, the node is normal. In this case, go to Step 11.
l If the login fails or no response is returned, the node is abnormal. In this case, go to Step
11 and contact Huawei technical support.
Step 11 Contact the lab O&M personnel to set the VM to boot from a boot disk.
----End
Prerequisites
l The management plane has been backed up.
l You have contacted Huawei technical support to obtain the third-party integrity check
tool package BKSigntool_1.0.1_SLES_x86_64.tar.gz.
l You can log in to the management plane of CloudOpera Orchestrator SDN, and the OS of the management node is running properly. If the OS of the management node is faulty, refer
to 3.4.2 Restoring Management Node OS Data to rectify the fault.
l You have obtained the passwords of user ossadm and user root.
Procedure
NOTICE
You need to perform Step 1 to Step 3 on both the primary and secondary management nodes.
Step 1 Synchronize the backup data packages of the backup server to the management node to be
restored.
1. Use FileZilla to log in to the backup server.
NOTE
For the user name and password, see 2.1 Setting Global Backup Parameters.
2. Obtain the management-plane backup data packages management.tar.gz and
management.tar.gz.sign from the backup file directory of the backup server.
NOTE
The backup file path is Root directory of the backup server/Global parameter configuration path/management/management/Timestamp/IP address of the management node to be restored.
3. Use PuTTY to log in to the primary management node as the sopuser user and run the
following command to change to the root user.
su - root
Password:
If OS security hardening is performed, upload the backup data packages and files with reference to
7.5 How to Upload Files to a Specified Directory After OS Security Hardening Is Performed.
7. Use PuTTY to log in to the primary management node on site B as the sopuser user, and run
the following command to change to the root user.
su - root
Password:
8. Run the following command to copy the backup data packages and files obtained in
Step 1.2 and the third-party integrity check tool package
l If the following information is displayed, the check fails. In this case, contact Huawei
technical support.
The backup data package verification failed. The backup data package may have
been tampered with. You are not advised to use the data package for
restoration.
----End
Follow-up Procedure
After the management plane is successfully restored, you must clear backup data packages in
the directory to reduce disk space occupation.
1. Use PuTTY to log in to the primary management node on site B as the ossadm user, and run
the following command to change to the root user.
su - root
Password:
The management-plane dynamic backup data of site A can be restored on site B through
CloudOpera Orchestrator SDN. In this manner, site B becomes the mirror site of site A.
NOTE
The following takes sites A and B as an example to describe how to remotely restore the management
plane.
Site A: Service data on site A is damaged due to incidents such as fire or power failure. The site is
running improperly.
Site B: The running status of site B is normal. After backup data on site A is restored on site B, site B
becomes a backup site of site A.
Prerequisites
l Products, regions, planes, and services on sites A and B are the same.
l The site that provides backup data is running properly.
l A trust relationship has been established between sites A and B.
l Data has been synchronized between sites A and B.
l The dynamic backup data and management plane of site A have been backed up, and the
management plane backup is later than the dynamic data backup.
Context
After product installation is completed on sites A and B, the two sites have established a trust
relationship and synchronized data between them.
Procedure
Step 1 Synchronize the backup files and dynamic data of site A to site B.
1. Use FileZilla to log in to the backup server on site A as the backup server user.
NOTE
For the user name and password, see Setting Backup Server Parameters.
2. Obtain the management-plane backup data packages management.tar.gz and
management.tar.gz.sign from the backup path of the backup server on site A.
All files in the Root directory of the backup server/Global parameter configuration path/Product name/dynamic/ directory need to be copied. The backup file path is Root directory of the backup server/Global parameter configuration path/Product name/dynamic/. For example, if the login user of the backup server is ossadm, the directory is /home/ossadm/bin/product/dynamic.
3. Use FileZilla to log in to the backup server of site B as the backup server user. Copy all
files in the Root directory of the backup server/Global parameter configuration path/
Product name/dynamic/ directory on site A to the same directory on site B.
NOTE
– For the user name and password, see Setting Backup Server Parameters.
– Ensure that the user who logs in to the backup server of site B has permission to access the
copied files.
4. Use PuTTY to log in to the primary management node on site B as the sopuser user, and run
the following command to change to the root user.
su - root
Password:
If OS security hardening is performed, upload files with reference to 7.5 How to Upload Files to
a Specified Directory After OS Security Hardening Is Performed. Then run the following
commands to change the directory owner and permission:
chown ossadm:ossgroup /opt/remoteRecovery/management.tar.gz*
"old_ip": "10.167.210.235",
"new_ip": "10.176.192.162"
},
{
"old_ip": "10.167.210.236",
"new_ip": "10.176.192.163"
}
]
}
]
After the modification, press Esc, and enter :wq! to save the configuration file and exit
the vi editor.
4. Run the following commands to modify the permission of the input.json file:
chmod 600 /opt/remoteRecovery/input.json
chown ossadm:ossgroup /opt/remoteRecovery/input.json
5. Run the following command to perform remote restoration as the ossadm user:
bash /opt/remoteRecovery/restoreData.sh input.json
6. When the following information is displayed, determine whether to configure the SFTP
fingerprint authentication between the primary management node of site B and the
backup server of site A.
Are you sure to continue [Default:n]? [y/n]:
– If you want to configure the SFTP fingerprint authentication, input y and press
Enter.
If the following information is displayed, the command is successfully executed.
Otherwise, contact Huawei technical support engineers.
Execution successful.
– If you do not want to configure the SFTP fingerprint authentication, input n and
press Enter. The command execution fails, and the restoration is aborted.
In a two-node cluster, replace IP address with the floating IP address of the primary and secondary
management nodes.
2. Choose Backup and Restore > Manual Restoration > Restore Dynamic Data from
the main menu.
3. On the Restore Dynamic Data page, check whether the backup file on site B is the same
as that on site A in the Backup File column.
– If the file is the same, perform Step 3.4.
– If the file is not the same, contact Huawei technical support engineers.
4. Perform the restoration task and check whether the restoration task is executed
successfully. For details, see 3.1 Restoring Dynamic Data.
– If the task is successful, remote restoration is successful.
– If the task fails, contact Huawei technical support engineers.
----End
Follow-up Procedure
After the remote restoration is successful, you must clear backup data packages in the
directory to reduce disk space consumption.
1. Use PuTTY to log in to the primary management node on site B as the ossadm user, Run
the following command to switch to the root user:
su - root
Password:
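For example, assuming the management-plane packages were copied to /opt/remoteRecovery as in the preceding remote restoration steps (adjust the path if your environment differs), the following commands remove the packages and confirm that the directory is clean:
rm -f /opt/remoteRecovery/management.tar.gz*
ls /opt/remoteRecovery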
5.1.1 Positioning
The remote DR solution can effectively reduce losses caused by disastrous incidents and
further improves the DR capability of the system to defend against various security risks.
In a remote DR system, two CloudOpera Orchestrator SDN systems with the same functions
are established in two remote areas. One site is specified to provide services for external
systems, and the other site protects it. When a natural disaster such as a fire, flood, or
earthquake occurs, or a hardware power failure, network exception, software or hardware
error, or manual operation error occurs on the site that provides services for external systems,
the other site can quickly take over its services. This effectively prevents data loss, data
damage, and service interruption and ensures normal system running.
5.1.2 Benefits
This section describes the advantages of the remote DR solution.
l Virtualization DR. DR for FusionSphere and VMware virtual machines (VMs) makes up
for the deficiency of virtualization platform DR in traditional DR solutions.
l Stability and reliability. The multi-instance service design is used. Each instance works
independently, and the instances back up each other.
l Diversified data replication. Data replication can be configured for different types of
data. For example, you can customize data replication for the following types of data:
Massively Parallel Processing Database (MPPDB), Hadoop Distributed File System
(HDFS), MySQL, Catalog, ElasticSearch (ES), and Reliable High Message (RHM).
l Rapid service takeover. When the site that provides services for external systems is
faulty, the other site takes over services from the faulty site to continue providing
services, ensuring service continuity.
l Visualized operation interfaces. You can manage and maintain the remote DR system on
the web user interfaces. Compared with the command-line operation mode, ease of use is
improved.
The remote DR solution can effectively reduce losses caused by disastrous incidents such as
earthquakes, fires, and power failures, and further improves the DR capability of the system to
defend against various security risks.
CloudOpera Orchestrator SDN remote DR solution provides 1:1 DR capability. The solution
comprises two CloudOpera Orchestrator SDN systems: one serves as the primary site and the
other serves as the secondary site. The two sites are redundant for each other. When the
primary site is faulty, the secondary site takes over services from the primary site.
Some common terms are described as follows to facilitate the installation of the CloudOpera
Orchestrator SDN remote DR system.
Parameter Description
Primary Site: Indicates the physical primary site. The primary site is determined during the
installation and will not change with the active/standby switchover. The primary site is active
most of the time.
Secondary Site: Indicates the physical secondary site. The secondary site is determined during
the installation and will not change with the active/standby switchover. The secondary site is
standby most of the time and provides protection for the primary site.
Standby Site: Indicates the site that provides protection for the active site.
l The primary site and secondary site deployment schemes must be the same, that is, the
certificates, number of nodes, and CloudOpera Orchestrator SDN version must be the
same.
l Internal communication and synchronous data replication between the OM planes of the
primary and secondary sites are performed through the physical link between the layer-3
switches at the primary and secondary sites, as marked by the yellow bidirectional lines
in the networking diagram.
l If the primary site is faulty, you can manually switch the service data from the primary
site to the secondary site. After the primary site is recovered, manually switch the service
data from the secondary site to the primary site.
l The remote DR system uses remote replication as the data replication mode. Remote
replication requires SSL security communication such as VPN. The requirements for the
network bandwidth are as follows:
– The network between the two sites must meet the following requirements:
n Bandwidth >= Gigabit Ethernet (GE)
n Delay < 50 ms
n Packet loss rate < 0.1%
– Network redundancy switchover < 50 ms
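As a quick, hedged spot check of the delay and packet loss requirements (bandwidth must be verified with a dedicated tool; the placeholder below is illustrative), you can send a batch of pings to the heartbeat IP address of the peer site:
ping -c 100 Heartbeat IP address of the peer site
In the ping statistics, the packet loss should be below 0.1% and the average round-trip time below 50 ms.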
Figure 5-2 shows the node deployment plan of CloudOpera Orchestrator SDN.
NOTE
For information about the specifications of resources (vCPU, memory, and data disk) on CloudOpera
Orchestrator SDN nodes, see "VM Resources" section in the CloudOpera Orchestrator SDN Planning
Guide.
Table 5-1 provides the function descriptions of CloudOpera Orchestrator SDN VM nodes.
VM Configuration
Table 5-2 lists the software configuration requirements for the CloudOpera Orchestrator SDN
server.
Client
Table 5-3 lists the software configuration requirements for the CloudOpera Orchestrator SDN
DR system clients.
Table 5-3 Configuration requirements for the CloudOpera Orchestrator SDN remote DR
system clients
Software Type Requirements
Table 5-4 lists the minimum hardware configuration requirements for CloudOpera
Orchestrator SDN clients.
Table 5-4 Minimum hardware configuration requirements for CloudOpera Orchestrator SDN
clients
Configuration Item Requirements
RAM 4 GB
Network Bandwidth
Table 5-5 lists the requirements for the network status based on various data replication
modes.
Table 5-6 describes tasks in each phase during installation and commissioning of CloudOpera
Orchestrator SDN remote DR system.
Task: Install the primary site; install the secondary site.
Description: Install CloudOpera Orchestrator SDN on the primary and secondary sites
separately.
NOTE
If CloudOpera Orchestrator SDN installed on the primary and secondary sites is not the latest
version, it needs to be upgraded. For details, see the upgrade guide of the corresponding version.
Task: Back up data at the primary site.
Description: Back up data at the primary site so that data can be restored in case of a fault.
Precautions
When installing the active site and standby site, you must specify Region Name in the
planning tool. The values of Region Name at the active and standby sites must be
different.
NOTE
The naming rule of Region Name is as follows: Country name abbreviation-Region-No.-Letter, for
example, cn-global1-1-a.
Procedure
Step 1 Check whether the time of the deploy nodes on the active site and standby site is correct and
consistent.
You are advised to run the date command to check the correctness and consistency. If the time
is inconsistent or incorrect, run the following command as the root user and change the OS
time of these VM nodes as prompted:
bash /usr/local/tools/maintain_tools/maintain_tools.sh
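For example, a hedged way to compare the OS time of the deploy nodes on the two sites (assuming SSH access as the sopuser user; the placeholder is illustrative) is:
date
ssh sopuser@IP address of the deploy node at the peer site date
The two outputs should show the same, or nearly the same, time.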
Step 2 Understand the planning and networking of active and standby site nodes. For details, see
section Networking Solution in CloudOpera Orchestrator SDN Installation and
Commissioning Guide.
Step 3 Install the active site and standby site. Perform operations in Table 5-7.
Table 5-7 Description of operations about installing the active site and standby site
Step 4 Verify the installation at the active and standby sites separately. For details, see section
Verifying the Installation in CloudOpera Orchestrator SDN V200R002C10 Installation and
Commissioning Guide.
Step 5 Apply for and load the applied license at the active and standby sites separately. For details,
see section Follow-up Operations in CloudOpera Orchestrator SDN V200R002C10
Installation and Commissioning Guide.
----End
Follow-up Procedure
After the active site and standby site are installed, perform the following procedure to copy
the CA certificate to the secondary management node:
NOTE
Perform the following steps at the active and standby sites separately:
Step 1 Use PuTTY to log in to the secondary management node as the sopuser user and switch to
the root user.
su - root
Step 2 Run the following commands to copy the CA certificate from the primary management node
to the secondary management node:
cd /opt/oss/manager/var/
Step 3 Run the following command to set the owner of the CA certificate of the secondary
management node:
Step 4 Run the following commands to check whether the ca.cer and ca_key.pem files exist:
cd /opt/oss/manager/var/ca/
ll
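You can also check for both files directly with a single command; if either file is missing, an error is reported for it:
ls -l /opt/oss/manager/var/ca/ca.cer /opt/oss/manager/var/ca/ca_key.pem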
----End
Procedure
Step 1 Open a web browser, input https://Floating IP address of the management node of the
primary site:31943 in the address box, input the user name admin and password, and press
Enter.
Step 2 Commission services at the active site. For details, see section Interconnecting with
External Systems (TSDN) and Interconnecting with External Systems (IP WAN) in
CloudOpera Orchestrator SDN V200R002C10 Installation and Commissioning Guide.
----End
5.2.6.1 Overview
This section describes the purpose, impact, and precautions of performing security hardening
on CloudOpera Orchestrator SDN.
Purpose
Security hardening aims to defend the OS and database from hacker and virus attacks,
improving the system and network security.
l The default configurations of the SUSE Linux OS usually do not meet security
requirements of the telecommunications management system.
The default configurations include but are not limited to the following items:
– Redundant services are installed and running.
– Weak passwords and anonymous access are configured.
– Unnecessary external communication ports are opened.
– Vulnerable Transmission Control Protocol/Internet Protocol (TCP/IP) parameters
are set.
Therefore, OSs are a weakness in daily operation and management. To ensure secure and
stable OS operation, you are advised to perform security hardening for the OS on
servers.
l Databases have security risks.
For example, the database provides default accounts and shared accounts and uses
simple login passwords, increasing the probabilities of being attacked. Therefore, you
need to harden the database to enhance its resistance to threats.
l Antivirus software must be deployed to defend against virus attacks.
Antivirus software protects the system and network by defending them against malware
and network risks.
Impact
l For OS: Some OS parameters and user rights will be adjusted after the security
hardening.
l For database: If the MySQL database is used, database services may be unavailable
during security hardening. Perform security hardening at a proper time.
Precautions
l Precautions before security hardening include:
– Ensure that the power supply is uninterrupted during security hardening.
– If any operation fails or any error occurs during security hardening, contact Huawei
technical support engineers.
l To securely use the Redis database, comply with the following requirements:
– Redis databases must be deployed on independent nodes.
– After the installation and deployment are complete on the live network, you must
change the password for the database administrator.
– Do not use redis-cli to connect to the database on the live network.
– When you connect to the database using redis-cli, do not enter the password in the
command. The interactive method is recommended.
l You are advised to use the certificates applied from a CA to replace the default ER
certificates. To reduce the risk of being cracked, replace certificates periodically. For
details, see CloudOpera Orchestrator SDN Maintenance Guide of the corresponding
version.
Prerequisites
l Node data files have been generated by the planning tool in the data planning tool
package. For details, see section Generating the Plan Data in CloudOpera Orchestrator
SDN V200R002C10 Installation and Commissioning Guide.
l 7-Zip has been installed on the PC.
Procedure
Step 1 Decompress the remote batch processing tool package
CloudOpera_Orchestrator_RemoteTool_x.x.x_SLES_Linux.7z to the PC using the 7-Zip
software.
Step 2 Use FileZilla to upload the following files to the /usr/local/tools directory on the primary
management node as the root user:
l Batch processing tool package: CloudOpera_DeploySystem_SLES_Linux.zip
l Digital certificate file: CloudOpera_DeploySystem_SLES_Linux.zip.asc
Step 3 Use PuTTY to log in to the primary management node as the root user.
Step 4 Run the following commands to verify the integrity of the batch processing tool package:
cd /usr/local/tools
The tool package is intact if the following information is displayed. Otherwise, contact
Huawei technical support engineers.
gpg: Good signature from "OpenPGP signature key for Huawei software (created on
30th Dec,2013) <[email protected]>"[ultimate]
Step 5 Run the following command to decompress the batch processing tool package to the
CloudOpera_DeploySystem_SLES_Linux directory:
unzip CloudOpera_DeploySystem_SLES_Linux.zip -d
CloudOpera_DeploySystem_SLES_Linux
Step 6 Run the following command to create the directory for storing node data files. The directory
name is the value of Region Name that is set when CloudOpera Orchestrator SDN is
installed.
mkdir -p /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux/cn-global-1-a
Step 7 Use FileZilla to upload the node data files in .csv format to the /usr/local/tools/
CloudOpera_DeploySystem_SLES_Linux/cn-global-1-a directory on the primary
management node as the root user:
NOTE
Node data files in .csv format are the ones generated in Generating the Plan Data in CloudOpera
Orchestrator SDN V200R002C10 Installation and Commissioning Guide.
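Optionally, confirm that the node data files were uploaded to the region directory created in Step 6, for example:
ls /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux/cn-global-1-a/*.csv
The command should list the .csv files generated by the planning tool; if it reports that no such file exists, upload the files again.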
Step 8 On the primary management node, run the following commands to specify the regions to be
initialized as the root user.
cd /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux
bash designateRegion.sh
Step 9 Input the region name, that is, the value of Region Name that is set when CloudOpera
Orchestrator SDN is installed, for example, cn-global-1-a, and press Enter.
NOTE
If the input information is incorrect, press Ctrl+Backspace to delete the incorrect information. This
method can also be used to delete incorrect input information when .sh scripts are executed.
----End
Prerequisites
l The passwords for the sopuser and root users are the same on all nodes respectively, the
passwords are available, and the sopuser, root, and ossadm users can use the passwords to
remotely log in to all the nodes.
l Ensure that the allNodes.csv file exists in the /usr/local/tools/
CloudOpera_DeploySystem_SLES_Linux/cn-global-1-a directory on the primary
management node of the active and standby sites and the file contents are consistent with
the actual network plan.
Context
To ensure the security of CloudOpera Orchestrator SDN, security hardening must be
performed on the database. Some database items are automatically hardened during the
installation of the database on VMs. For details, see section 7.4 MySQL Database Security
Hardening Items.
Procedure
Step 1 Check the database status.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
3. Choose Deployment > Database > RDBMS from the main menu.
4. Check whether the status of all database instances is normal.
– The database status is normal if the Instance Type and Status relationship is as
follows. Perform Step 2.
– If the database status is abnormal, restore the database. For details, see "Database Fault" in
CloudOpera Orchestrator SDN Troubleshooting, and then perform Step 2.
Step 2 Obtain the .json configuration file of the active and standby sites.
1. Use PuTTY to log in to the primary management node of the active site as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following command to run the database hardening scripts:
cd /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux
bash hardenDBDRBase.sh
The following information is displayed:
Are you sure you want to continue(y/n):
NOTE
1. Use PuTTY to log in to the primary management node of the standby site as the sopuser.
2. Run the following command to switch to the root user.
su - root
3. Run the following command to execute the database hardening scripts:
cd /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux
bash hardenDBDRBase.sh
The following information is displayed:
Are you sure you want to continue(y/n):
NOTE
----End
Prerequisites
l The password for the root user is the same on all nodes, the password is available, and
the root user can use the password to log in to all the nodes.
l The .csv node data files and remote batch processing tool have been uploaded to the
primary management node. For details, see 5.2.6.2 Uploading Node Data Files and
Tools.
Context
To ensure the security of CloudOpera Orchestrator SDN, security hardening must be
performed for the OS. For details about all the OS items to be hardened, see section 5.2.6.5
OS Port Hardening.
You can perform this task using the remote batch processing tool package, which can be used
to verify the environment of multiple VMs simultaneously. The file used in this task has been
generated during the installation of CloudOpera Orchestrator SDN.
NOTICE
l After remote SSH security hardening is enforced, you cannot log in to the server as the
root user. Therefore, log in as the sopuser user and switch to the root user to perform
operations.
l After remote SSH security hardening is enforced, you cannot use the root user to upload
files to a specified directory on the server using FileZilla. Instead, you must use the
ftpuser user to upload the files to the /opt/pub/upload/ftproot directory using FileZilla,
and use the root user to copy files from the /opt/pub/upload/ftproot directory to the
specified directory.
Procedure
Step 1 Set the ftpuser user password based on the password complexity requirements in Step 5. Log
in to the primary management node as the root user and run the following command to check
whether the password meets the OS requirements:
echo "ftpuser user password" | cracklib-check
l If OK is displayed, the password meets the OS requirements.
ftpuser user password: OK
l If other information is displayed, the password does not meet the OS requirements. Set
and check the password again.
ftpuser user password: it is based on a dictionary word
Step 2 Log in to the primary management node as the root user, and run the following commands to
perform remote SSH security hardening:
cd /usr/local/tools/CloudOpera_DeploySystem_SLES_Linux
bash hardenSSH.sh
Step 3 Enter y and press Enter when prompted as follows:
Are you sure you want to continue(y/n):
Step 4 Enter the password for the root user and press Enter when prompted as follows:
Input the default password for all hosts:
Step 5 Enter the password for the ftpuser by following the password complexity requirements, and
press Enter when prompted as follows:
To improve security of users' passwords, set passwords based on the following rules:
l Cannot contain the user name or the user name in reverse order.
l Contain 8 to 32 characters.
l Cannot contain over 2 consecutive occurrences of a character or string.
l Contain at least one uppercase letter (A to Z), one lowercase letter (a to z), and one digit
(0 to 9).
l Contain at least one special character such as ~@#^*-_+[{}]:./?%=
l Cannot be the same as the recent twelve passwords.
l Cannot be changed at an interval less than 7 days.
Step 6 Enter the password for the ftpuser again and press Enter when prompted as follows:
Comfirm the password for ftpuser:
l The Successful Hosts row displays the IP addresses of nodes on which operations
succeeded.
l The Failed Hosts row displays the IP addresses of nodes on which operations failed.
Contact Huawei technical support engineers to troubleshoot the problem.
----End
Prerequisites
l The SSH client version requirements are met: Xshell 5 or later and PuTTY 0.68 or later.
l You have obtained OS security hardening package
CloudOpera_OSHardening_SLES_x86_64.zip and its signature file. For details, see
Obtaining and Verifying Software Packages in CloudOpera Orchestrator SDN
V200R002C10 Installation and Commissioning Guide.
Context
Perform the following steps on all CloudOpera Orchestrator SDN nodes.
Procedure
Step 1 Upload the OS security hardening package and its signature file to all nodes of active site
separately.
1. Upload the security hardening package and its signature file to the /opt/pub/upload/
ftproot directory on the primary management node and secondary management node of
active site by using FileZilla as the ftpuser. Use the password of the ftpuser user that was
configured when performing 5.2.6.4 Remote SSH Security Hardening.
NOTE
– The primary management node and the secondary management node refer to <regionAlias>-
OM-Global-Deploy01 and <regionAlias>-OM-Global-Deploy02 respectively.
– To ensure system security, the root directory is automatically changed when the ftpuser user
uses the FileZilla to log in to the VM node. On the FileZilla, /opt/pub/upload/ftproot is
displayed as /ftproot.
Therefore, upload the software package to /ftproot.
2. Log in to the primary management node and secondary management node in active site
as the sopuser user, and copy the security hardening package and its signature file from
the /opt/pub/upload/ftproot directory to the /usr/local directory.
NOTE
To ease the operation, you can use the sopuser users to log in to all other nodes except the primary
and secondary management nodes using FileZilla, and upload the files to the /var/tmp directory of
each node.
su - root
cd /opt/pub/upload/ftproot
scp CloudOpera_OSHardening_SLES_x86_64.zip* sopuser@<IP address of another
to-be-hardened node>:/var/tmp
Information similar to the following is displayed for initial file transferring. Input yes:
The authenticity of host '10.167.211.86 (10.167.211.86)' can't be established.
ECDSA key fingerprint is SHA256:k4jIHWEbMXGPC+eyZhIrbCxR73cS6Dt1twXoSkfsg7w.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Enter the password of the sopuser user for the node to which the files are to be uploaded.
[email protected]'s password:
4. Log in to all nodes except the primary and secondary management nodes as the sopuser
user and copy the security hardening package and its signature file from the /var/tmp
directory to the /usr/local directory.
su - root
cp /var/tmp/CloudOpera_OSHardening_SLES_x86_64.zip* /usr/local
Step 2 Verify the integrity of the security hardening package.
For details about how to verify the software package, see Verifying Software Packages in
CloudOpera Orchestrator SDN V200R002C10 Installation and Commissioning Guide.
Step 3 Set the IP address whitelist of secondary site on all nodes of active site.
1. Log in to the OS requiring security hardening as the sopuser user and then switch to the
root user. Decompress the package.
su - root
cd /usr/local
unzip -q CloudOpera_OSHardening_SLES_x86_64.zip -d harden
Run the following command to check whether the decompression is successful:
ls /usr/local/harden
The package is decompressed successfully if information similar to the following is
displayed.
master:~ # ls /usr/local/harden/
bootstrap.sh iptables scriptISO scriptOS
CloudSOP log.txt scriptIT version
2. Add the physical IP addresses of all nodes at the standby site and the floating IP
addresses of the standby site to the IP address whitelist of the active site.
bash /usr/local/harden/iptables/custom/add_backup_cluster_ip.sh <IP address of the
Deploy01 node of standby site> <IP address of the Deploy02 node of standby site> <IP
address of the Service01 node of standby site> <IP address of the Service02 node of
standby site> <IP address of the DB01 node of standby site> <IP address of the DB02
node of standby site> <IP address of the OM01 node of standby site> <IP address of the
OM02 node of standby site> <floating IP address of the Deploy node of standby site>
<floating IP address of the Service node of standby site>
For example: bash /usr/local/harden/iptables/custom/add_backup_cluster_ip.sh
10.19.3.31 10.19.3.32 10.19.3.33 10.19.3.34 10.19.3.35 10.19.3.36 10.19.3.37 10.19.3.38
10.19.3.39 10.19.3.30
The commands are successfully run if the following message is displayed:
[2017-10-15 17:51:08] [10359] [INFO] successful to add the backup cluster IPs.
NOTE
If the secondary site includes a capacity expansion node, you also need to add the physical IP
address of this capacity expansion node to the whitelist of the active site.
4. Retain the session used for setting the IP address whitelist and create a new session. In
the new session, log in to the server as the sopuser user and check whether the IP address
whitelist is set successfully, as shown in the example below.
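A hedged example of this check, using the first standby-site IP address from the example above (replace it with an address from your own plan):
su - root
iptables -nL | grep -w "10.19.3.31"
If the whitelist was added successfully, the grep output contains rules that reference the standby-site address.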
Step 4 Refer to Step 1 to Step 3 to perform the security hardening operations on all nodes of standby
site, and set the IP address whitelist of active site on all nodes of standby site.
For details about how to verify the software package, see Verifying Software Packages in
CloudOpera Orchestrator SDN V200R002C10 Installation and Commissioning Guide.
Step 6 Use the sopuser user to log in to the hardened server and check whether iptables whitelist
hardening is successful.
su - root
iptables -nL
Step 7 (Optional) After OS hardening, the audit service is disabled and the related audit rules have
been configured, because enabling the audit service affects performance. If higher security is
required, you can run the following commands to enable the audit service.
su root
chkconfig auditd on
/etc/init.d/auditd restart
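To confirm the change, a hedged check using the same SLES service commands as above is:
chkconfig --list auditd
/etc/init.d/auditd status
The auditd service should be marked as on for the standard runlevels and reported as running.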
----End
If the network segment of the NTP service changes, modify the iptables settings accordingly.
Antivirus Requirements
Antivirus software is not preinstalled on CloudOpera Orchestrator SDN. To ensure system
security, you are advised to deploy the antivirus software provided by Trend Micro on VMs
running the Linux OS. You need to purchase, install, and deploy the antivirus software, and
upgrade it or install patches on a scheduled basis.
Do not install or run non-standard software, such as the firewall, antivirus, game, or pirated
software, on the key servers. Otherwise, unpredictable consequences may be produced.
Huawei will not be liable for any loss caused thereby.
When a remote DR system is created, the following checks and operations will be performed:
l Check whether the heartbeat IP addresses of the primary and secondary sites can
communicate with each other.
l Check whether the number of nodes deployed on the primary and secondary sites is
consistent.
l Check whether services and service versions deployed on the primary and secondary
sites are consistent respectively.
l Check whether a backup policy can be created successfully.
Prerequisites
Security hardening has been performed on the primary and secondary sites. For details, see
5.2.6 Security Hardening.
5.2.7.1 Updating Certificates for the Management Plane and Service Plane
Before creating a remote DR system, you can use the same CA certificate to update the
certificates of both the active and standby sites. This operation ensures that the active and
standby sites use the same CA certificate for normal communication between the sites. The
following describes how to update the CA certificates of the management plane and service
plane of the sites.
Prerequisites
You have obtained the following CA certificates from the certificate authority, stored the
certificates to the PC, and obtained certificate passwords:
l ca.cer: the identity certificate of the root certificate
l ca_key.pem: the private key for the identity certificate of the root certificate
Context
NOTICE
l During CA certificate update, services on all nodes need to be restarted so that the
certificate becomes valid. Therefore, perform the following operations at a time when the
service volume is small.
l Before rolling back, ensure that the CA certificate has been backed up to the /tmp/cert directory.
Procedure
Step 1 Disable database failover.
1. Log in to the primary management node as the sopuser user, and run the following
command to switch to the ossadm user:
su - ossadm
2. Run the following command to disable the failover function:
cd /opt/oss/manager/apps/DBHASwitchService/bin
./switchtool.sh -cmd set-ignore-nodes -nodes all
If the following command output is displayed, the failover function is successfully
disabled:
Successful
Step 2 Check whether the PC has CA certificates that are applied from the certificate authority.
If the CA certificates exist:
1. Use FileZilla to upload the ca.cer and ca_key.pem certificates to the /ftproot
directory of the primary management node of the active site as the ftpuser.
NOTE
The absolute directory of /ftproot is /opt/pub/upload/ftproot/.
2. On the primary management node of the active site, perform Step 3 to Step 9.
Step 3 Use PuTTY to log in to the primary management node on the active site as the sopuser, and run
the following command to switch to the root user:
su - root
Step 4 Run the following command to create a directory for storing the new certificates:
mkdir -p /tmp/CA
Step 5 Run the following commands to copy the uploaded CA certificate to the certificate save path
and modify the owner and permission of the certificate:
cp /ftproot/ca.cer /tmp/CA/
cp /ftproot/ca_key.pem /tmp/CA/
chown -R ossadm:ossgroup /tmp/CA
chmod 640 /tmp/CA/*
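You can optionally verify the result, for example:
ls -l /tmp/CA/
Both certificate files should be owned by ossadm:ossgroup with permission 640 (-rw-r-----).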
Step 6 Run the following commands to update the CA certificate.
The original CA certificate is automatically backed up to the /tmp/cert directory of the
management node.
su - ossadm
cd /opt/oss/management/apps/EngrCommonService/tools/common
bash replaceCaCert.sh -capath /tmp/CA
The following information is displayed:
Password:
Step 7 Enter the password of the uploaded certificate, and press Enter.
When the system displays the following information, the CA certificate password is correct.
Otherwise, the password may be incorrect.
Successed to check input password.
l If information similar to the following is displayed and the IP address of the node on
which the certificate fails to be updated is a service node, locate and rectify the fault.
And then, manually update the CA certificate on the service node where the certificate
fails to be updated. For details, see section 7.6 Updating Certificates of Active and
Standby Sites Manually.
ca certificate of service plane replace failed, ip list:
10.10.10.10,10.10.10.11
iii. Enter the password of the original certificate and press Enter.
When the system displays the following information, the CA certificate
password is correct.
Successed to check input password.
iv. When the system displays information indicating that CA certificates of all
nodes are successfully updated, perform Step 8 to check the certificate
rollback result.
Step 9 Update the CA certificate of the standby site with reference to steps Step 2 to Step 8.
----End
Procedure
Step 1 Set global backup parameters at the primary and secondary sites separately. For details, see
section 2.1 Setting Global Backup Parameters.
NOTICE
When you configure the backup server, ensure that the active and standby sites use the same
backup policy (The address, backup path, user name, and password of the backup server at the
primary site are the same as those at the secondary site).
Step 2 Back up data on the primary and secondary sites so that when a fault occurs, data can be
recovered in time. For details, see section 2.2 Backing Up Dynamic Data.
----End
Prerequisites
l You have configured the backup parameters on the active and standby sites and back up
data on the active site. For details, see CloudOpera Orchestrator SDN Backup and
Restoration.
NOTE
When you configure the backup server, ensure that the active and standby sites use the same
backup policy. That is, the backup path, user name, and password of backup servers of the active
site are the same as those of the standby site, so that the backup data can be transmitted between
the active and standby sites.
l You have obtained the following information for both the active and standby sites:
– Heartbeat IP address (IP addresses of the active management node and standby
management node)
– Site region
Context
If you need to modify the heartbeat IP address of the active and standby sites, you must delete
the existing disaster recovery system and create another one. For details, see section 5.3.6
Separating the Primary and Secondary Sites and this section.
Procedure
Step 1 Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator SDN
management node of the primary site:31943 in the address box, input the user name admin
and password, and press Enter.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 4 On the displayed page, set parameters according to the plan and click Precheck.
l If the check succeeds, click OK in the displayed dialog box, and then click OK on the page.
l If the check fails, resolve the problem as prompted and re-create the DR system.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The system has created a task successfully. Click Task Information List to view the task
execution status. If the task execution fails, rectify the failure based on detailed information
about the task.
Step 7 On the Disaster Recovery Management page, check the statuses in the Heartbeat Status
and Data Synchronization Status columns.
l If both statuses are normal, the remote DR system status is normal. Go to Step 8.
l If either status is abnormal, contact Huawei technical support.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed and no abnormal
alarm information is displayed about DR on the O&M plane.
----End
Follow-up Procedure
If two sites form a remote DR system for the first time, you need to update the certificates of
the DR system to improve system security. For details, see 5.3.7 Updating Certificates for
the Disaster Recovery System.
Context
If services are successfully migrated from the active site to the standby site, the active site
becomes the standby site and the standby site becomes the active site. The data replication
direction between the sites changes accordingly.
If service migration fails, the active site still functions as the active site and the standby site
functions as the standby site.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 3 On the Disaster Recovery Management page, check the statuses in the Heartbeat Status
and Data Synchronization Status columns.
If the heartbeat status and the data synchronization status are both normal, perform Step 4.
Otherwise, contact Huawei technical support engineers.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The system has created a task successfully. Click Task Information List to view the task
execution status. If the task execution fails, rectify the failure based on detailed information
about the task.
Step 7 On the Disaster Recovery Management page, check the Primary and Secondary columns.
The migration is complete if the active/standby status of the original primary and secondary
sites has changed.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed and no abnormal
alarm information is displayed about DR on the O&M plane.
----End
Procedure
Step 1 Open a web browser, input https://Floating IP address of the management node of the
primary site:31943 in the address box, input the user name admin and password, and press
Enter.
Step 2 Commission services at the active site. For details, see section Interconnecting with
External Systems (TSDN) and Interconnecting with External Systems (IP WAN) in
CloudOpera Orchestrator SDN V200R002C10 Installation and Commissioning Guide.
Step 3 Check whether the current active site is the primary site.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
3. Choose System > Remote DR System > Manage Remote DR System from the main
menu.
4. On the Disaster Recovery Management page, check whether the IP address of the
active site is that of the primary site.
– If the active site is the primary site, no further operation is required.
– If the active site is not the primary site, migrate the DR system on the secondary
site so that the active and standby sites are the same as planned. For details, see
5.2.8 Migrating the DR System.
----End
Scenario: During DR reconstruction, the newly created secondary site and the currently
running primary site are set up as a DR system.
Scheme: Associating the Active and Standby Sites
Scenario: During routine maintenance, check whether the secondary site can take over
services from the primary site.
Scheme: Disaster Recovery System Drill
NOTE
After the migration is complete at the secondary site, perform a migration at the primary site to
migrate services back to the primary site.
Context
If services are successfully migrated from the active site to the standby site, the active site
becomes the standby site and the standby site becomes the active site. The data replication
direction between the sites changes accordingly.
If service migration fails, the active site still functions as the active site and the standby site
functions as the standby site.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 3 On the Disaster Recovery Management page, check the statuses in the Heartbeat Status
and Data Synchronization Status columns.
If the heartbeat status and the data synchronization status are both normal, perform Step 4.
Otherwise, contact Huawei technical support engineers.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The system has created a task successfully. Click System > Task Manager > Task Information
List to view the task execution status. If the task execution fails, rectify the failure based on
detailed information about the task.
Step 7 On the Disaster Recovery Management page, check the Primary and Secondary columns.
The migration is complete if the active/standby status of the original primary and secondary
sites has changed.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed and no abnormal
alarm information is displayed about DR on the O&M plane.
----End
Context
You can perform service takeover only on a secondary site that is running properly. After
the takeover is successful, the secondary site takes over services from the faulty primary site,
becomes the active site, and provides services for external systems.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the management node of the
standby site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Context
NOTICE
If you forcibly synchronize data when data is inconsistent on the active and standby sites, the
full data will be synchronized from the specified site to the peer site after the synchronization
is successful. Data on the peer site will be overwritten.
Forcible data synchronization is required in the following scenarios:
l The network for data replication between sites is interrupted for a long time and needs to
be restored.
l The data synchronization relationship between sites has been deleted.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 3 On the Disaster Recovery Management page, check the statuses in the Heartbeat Status
and Data Synchronization Status columns.
If the heartbeat status is normal but the data synchronization status is abnormal, go to Step 4.
Step 4 In the row of the remote DR system with data to be synchronized, click . Select the data
synchronization direction between the active and standby sites.
NOTE
You are advised to synchronize data from the currently active site to the standby site to reduce system
data loss. In a dual-active scenario, determine the synchronization direction based on actual conditions.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The task is created successfully. Click System > Task Manager > Task Information List to view
the task execution status. If the task execution fails, rectify the failure based on detailed
information about the task.
Step 7 On the Disaster Recovery Management page, check the status in the Data Synchronization
Status column.
If the status is normal, the synchronization is successful. Otherwise, check whether the
network status is normal. If data synchronization still fails after the fault is rectified, contact
Huawei technical support.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed.
----End
Prerequisites
Ensure that no service is being processed. If a service is being processed, wait until the
service processing is complete and perform the operations described in this section.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 3 On the Disaster Recovery Management page, check the status in the Data Synchronization
Status column.
Step 4 In the row of the remote DR system with data synchronization relationship to be deleted, click
.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The system has created a task successfully. Click Task Information List to view the task
execution status. If the task fails to be executed, wait for about five minutes and perform Step
4 again. If the task still fails, rectify the failure based on detailed information about the task.
Step 7 On the Disaster Recovery Management page, check the status in the Data Synchronization
Status column.
Click on the left to display details. If all data synchronization statuses that are displayed
are , the data synchronization relationship is successfully deleted. Otherwise, contact
Huawei technical support.
NOTE
For details about how to restore the data synchronization relationship between sites, see 5.3.4 Forcibly
Synchronizing Data Between Sites.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed.
----End
Context
After the inter-site disaster recovery relationship is successfully deleted, the inter-site data
replication relationship is also deleted. Services on each site are not affected. You can connect
the active and standby sites to compose a DR system. For details, see section 3.3.4
Associating the Primary and Secondary Sites for Disaster Recovery.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose System > Remote DR System > Manage Remote DR System from the main menu.
Step 3 On the Disaster Recovery Management page, check the status in the Data Synchronization
Status column.
Step 5 In the Warning dialog box, click OK, and then in the displayed dialog box, click OK.
The task is created successfully. Click System > Task Manager > Task Information List to view
the task execution status. If the task execution fails, rectify the failure based on detailed
information about the task.
Step 7 On the Disaster Recovery Management page, if the deleted DR system is no longer
displayed, it has been successfully deleted.
Step 8 Check whether the basic functions of the system are normal. For example, check whether the
menu options on the web page of the O&M plane are completely displayed and no abnormal
alarm information is displayed about DR on the O&M plane.
----End
Prerequisites
You have obtained the new SSL certificate and password from the certificate authority:
Ensure that the identity certificate and the trust certificate are in the ASCII format. Other formats
are not supported.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose Disaster Recovery > Remote Disaster Recovery > Manage Remote DR System
from the main menu.
Check the heartbeat status between the active and standby sites.
l If the Heartbeat Status column shows that the heartbeat is normal, perform the following
operations to update the certificates.
l If the Heartbeat Status column shows that the heartbeat is abnormal, diagnose and rectify
the fault, and then perform the following operations to update the certificates.
Step 3 Use FileZilla as the ftpuser to upload the identity certificate, private key file of the identity
certificate, and trust certificate to the /ftproot directory on the primary management node.
NOTE
Step 4 Use PuTTY to log in to the primary management node of the active site as the sopuser.
su - root
Step 6 Run the following command to create a backup directory for the certificates and press Enter:
mkdir -p /tmp/cert/DR
Step 7 Run the following command to back up the DR system certificates and press Enter:
cp -p /opt/oss/manager/etc/ssl/dr/* /tmp/cert/DR/
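Optionally confirm that the backup directory now contains the DR certificate files, for example:
ls -l /tmp/cert/DR/
The listing should include the copied certificate files (for example, manifest.json, server.csr, and server.jks).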
Step 8 Run the following command to create a directory to store the updated certificates:
mkdir -p /opt/updatecert
Step 9 Run the following commands to copy all the uploaded new certificates to the corresponding
directory:
Step 10 Run the following commands on PuTTY to set the certificate group and permission:
su - ossadm -c '/opt/oss/manager/apps/DRMgrService/bin/cert_tool'
Step 12 Enter the password for a new certificate and press Enter.
Step 13 Enter the directory for storing the new certificates /opt/updatecert and press Enter.
If the following information is displayed, the certificates for the DR system are successfully
updated. Otherwise, contact Huawei technical support engineers.
Update the certificate task create successful.
Step 15 Choose System > Task Manager > Task Information List from the main menu to view the
execution status of the DR certificate update task.
l If the task is successfully executed, the certificates are updated successfully. Perform the
following operations:
Choose Disaster Recovery > Remote Disaster Recovery > Manage Remote DR
System from the main menu. Check the heartbeat status between the active and standby
sites.
– If the Heartbeat Status column shows that the heartbeat is normal, the certificate is
successfully updated.
– If the Heartbeat Status column shows that the heartbeat is abnormal, the certificate
fails to be updated. Contact Huawei technical support engineers.
l If the task execution fails, the certificate update fails. If you want to roll back to the
certificates before the update, perform the following operations:
a. Run the following command to copy the backup initial DR certificates to the
directory for storing the updated certificates:
cp -p /tmp/cert/DR/* /opt/updatecert/
b. Perform Step 10 to Step 15 to roll back the DR certificates.
----End
Procedure
Step 1 Use PuTTY to log in to the IP address of the primary management node as the sopuser.
su - ossadm
. /opt/oss/manager/bin/engr_profile.sh
cd /opt/oss/manager/agent/bin
Enter the new password and record the ciphertext of the new password when prompted as
follows:
New Password:
Reenter New Password:
cd /opt/oss/manager/etc/ssl/dr
vi manifest.json
Change the values of storePass, keyStorePass, and trustStorePass to the ciphertext of the
new password in Step 3.
{
"server.jks": {
"storeType": "JKS",
"storePass": "ciphertext of the new password"
},
"port" : 31949,
"arbitrationPort" : 27321,
"keyStorePass": "ciphertext of the new password",
"trustStorePass": "ciphertext of the new password",
"trustStoreType": "SunX509"
}
Press Esc, enter :wq! to save the configuration and exit the vi editor.
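To confirm that the three password fields now hold the same ciphertext, a hedged spot check is:
grep -E "storePass|keyStorePass|trustStorePass" /opt/oss/manager/etc/ssl/dr/manifest.json
All matched lines should show the ciphertext recorded earlier.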
Step 5 Perform the following operations to restart the DRMgrService service on the active and
standby sites.
1. Use PuTTY to log in to the primary management node of the active site as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following commands to restart the DRMgrService service:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd restartapp -app DRMgrService
4. Use PuTTY to log in to the primary management node of the standby site as the sopuser.
5. Run the following command to switch to the root user:
su - root
6. Run the following commands to restart the DRMgrService service:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd restartapp -app DRMgrService
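After the restart on each site, you can optionally confirm that the DRMgrService process is running, for example:
ps -ef | grep DRMgrService | grep -v grep
If the process is running, the command prints at least one DRMgrService process line.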
----End
Prerequisites
You have obtained the IP address of the node on which the active site DRMgrService service
is deployed.
Procedure
Step 1 Use FileZilla to log in to the IP address of the primary management node as the ftpuser.
Step 2 Use FileZilla to download the certificate in the /opt/oss/manager/etc/ssl/dr directory to any
directory on the local PC.
Certificate name:
l manifest.json
l server.csr
l server.jks
Step 3 Perform the following operations to query and record the IP addresses of the nodes on the
active and standby sites on which the DRMgrService database is deployed.
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator
SDN management node of the active site:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
3. Choose Deployment > Database > RDBMS from the main menu.
4. On the RDBMS page, select All from the drop-down list in the upper right corner, input
DRMgr in the search box, and press Enter. The IP Address column displays the IP
addresses of the nodes on the active and standby sites on which the DRMgrService
database is deployed.
Step 4 Perform the following operations to delete certificates in the DRMgrService database on the
active site.
1. Use PuTTY to log in to the primary management node of the active site as the sopuser.
2. Run the following command to switch to the ossadm user:
su - ossadm
3. Run the following command to query and record the IP address and port number of the
DRMgrService database instance.
NOTE
The following is one command. Copy the command to a Notepad and delete unnecessary line
breaks.
cd /opt/oss/manager/apps/DataMgmtService/bin;./dbsvc_adm -cmd query-db-instance -
tenant manager -type mysql|grep deploydbsvr |grep Master|awk '{print $7,$8}'
If information similar to the following is displayed, "10.22.90.209" is the IP address of
the DRMgrService database instance, "32081" is the port number.
10.22.90.209 32081
The above is one command. Copy the command to a Notepad, replace the variables, and delete
unnecessary line breaks.
delete from tbl_certificate;commit;
exit
Step 5 Delete certificates in the DRMgrService database on the standby site by referring to Step 4.
Step 7 Perform the following operations to restart the DRMgrService service on the active and
standby sites.
1. Use PuTTY to log in to the primary management node of the active site as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following commands to restart the DRMgrService service:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd restartapp -app DRMgrService
4. Use PuTTY to log in to the primary management node of the standby site as the sopuser.
5. Run the following command to switch to the root user:
su - root
6. Run the following commands to restart the DRMgrService service:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd restartapp -app DRMgrService
----End
Alarm Description
If the remaining days before the communication certificates of the DR system are less than
30, the DR system reports a certificate about to expire alarm daily. After the communication
certificates are updated, the alarm will be automatically cleared.
Alarm Attribute
Alarm ID Alarm Severity Alarm Type
Alarm Parameters
Name Description
Possible Causes
The communication certificates of the DR system will expire in less than 30 days.
Procedure
Update the communication certificates of the DR system. For details, see 5.3.7 Updating
Certificates for the Disaster Recovery System.
Related Information
None
Description
The DR system periodically queries the data replication status between the active and standby
sites. If the replication status is abnormal, a replication error alarm is reported. If the DR
system confirms that the replication status is normal, the alarm is automatically cleared.
Attribute
Alarm ID Alarm Severity Alarm Type
Parameters
Name Description
Possible Causes
l The network for data replication between the active and standby sites is abnormal.
l The data replication service is abnormal.
Procedure
Locate and clear the alarms according to the following scenarios.
Scenario: Check the network connection of the DR system.
Operation: The following describes how to check the heartbeat connectivity between the
active and standby sites.
1. Use PuTTY to log in to the active site management node as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following command to check the connectivity between the active site
management node and the standby site management node:
ping IP address of the standby site management node
l If the IP address can be pinged, the network connection is normal.
l If a request timeout or unreachable target host message is returned, the network
connection is abnormal. Check and restore the network connection.
Scenario: Check the abnormal MySQL database scenarios and rectify the database faults.
Operation: For details, see section Database Fault in CloudOpera Orchestrator SDN
Troubleshooting.
If the alarm still exists after resolving the preceding possible causes, collect information
generated during alarm handling and contact Huawei technical support engineers.
Related Information
None
Description
The DR system reports a heartbeat abnormal alarm if the active and standby sites do not
receive the heartbeat information from the peer end within the preset duration. The heartbeat
abnormal alarm is automatically cleared after the heartbeat information between the active
site and the standby site is normal.
Attribute
Alarm ID Alarm Severity Alarm Type
Parameters
Name Description
Possible Causes
l The heartbeat network between the active and standby sites is abnormal.
l The disaster recovery service of the active or standby site is abnormal.
l The heartbeat communication certificates of the active site management node and the
standby site management node do not match or are invalid.
Procedure
Step 1 Check the heartbeat network connectivity between the active and standby sites.
1. Use PuTTY to log in to the active site management node as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following command to check the connectivity between the active site
management node and the standby site management node:
ping IP address of the standby site management node
– If the IP address can be pinged, the network connection is normal. Perform Step 2.
– If a request timeout or unreachable target host message is returned, the network
connection is abnormal. Check and restore the network connection, and perform
Step 2.
Step 2 Check the disaster recovery process on the active site management node and standby site
management node.
1. Check the disaster recovery process on the active site management node.
a. Use PuTTY to log in to the active site management node as the sopuser.
b. Run the following command to switch to the root user:
su - root
c. Run the following command to check the disaster recovery process:
ps -ef|grep DRMgrService
If information similar to the following is displayed (only the grep command itself), the
disaster recovery process does not exist on the management node. Contact Huawei technical
support. Otherwise, the disaster recovery process exists on the management node; perform
Step 2.2.
ossadm 63211 1660 0 16:15 pts/1 00:00:00 grep DRMgrService
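To make the check easier to read, the grep process itself can be filtered out of the output (standard shell usage, not specific to this product). If the following command prints nothing, the DRMgrService process is not running:
ps -ef | grep DRMgrService | grep -v grep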
2. Similarly, check the DR process on the primary management node of the standby site.
Step 3 Check whether the communication certificates of the active site management node and
standby site management node match.
1. Use PuTTY to log in to the active site management node as the sopuser.
2. Run the following command to switch to the root user:
su - root
3. Run the following command to check the file size of the active site communication
certificate:
ls -l /opt/oss/manager/apps/DRMgrService/etc/ssl/server.jks
Information similar to the following is displayed. 4275 indicates the file size (in bytes) of
the communication certificate.
-rw-r----- 1 ossadm ossgroup 4275 Mar 16 19:20
4. Log in to the standby site management node and perform Step 3.1 to Step 3.3.
– If the file sizes of the three communication certificates are the same, the
communication certificates match with each other. Perform Step 4.
– If the file sizes of the three communication certificates are different, manually
synchronize the certificates and then restart the disaster recovery process. For
details, see 5.3.9 Manually Synchronizing DR Certificates.
5. After the certificates are manually synchronized, check whether the alarm is cleared.
– If yes, the alarm handling process is complete.
– If no, contact Huawei technical support.
Step 4 Check whether the communication certificates of the active site management node and
standby site management node are invalid.
1. Use PuTTY to log in to the primary site management node as the sopuser user.
2. Run the following command to switch to the root user:
su - root
3. Run the following commands to check the certificate validity:
NOTE
Ensure that you have obtained the DR Certificates password. The default password for the DR
Certificates is Changeme_123. You can change the password. For details, see 5.3.8 Changing the
Encryption Key of DR Certificates.
cd /opt/oss/manager/apps/DRMgrService/etc/ssl
/opt/oss/rtsp/jre-1.3.36/bin/keytool -list -v -keystore server.jks -storepass Password for
the DR Certificates
Information similar to the following is displayed. The date next to "until" is the
certificate validity.
– If the certificates will expire within 30 days, see 5.3.7 Updating Certificates for
the Disaster Recovery System to process this issue and then check whether the
alarm is cleared.
n If yes, the alarm handling process is complete.
n If no, contact Huawei technical support.
– If the certificates will expire in more than 30 days, contact Huawei technical
support engineers.
4. Perform the preceding operations on the primary management node of the standby site to
check the certificate validity.
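To display only the validity lines from the keytool output on either site, the output can be piped through grep (a minimal sketch; the keystore path and password placeholder are the same as in the preceding commands):
cd /opt/oss/manager/apps/DRMgrService/etc/ssl
/opt/oss/rtsp/jre-1.3.36/bin/keytool -list -v -keystore server.jks -storepass Password for the DR Certificates | grep -i "until"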
----End
Related Information
None
Alarm Description
When a disaster recovery system performs automatic migration and the migration fails, a
migration failure alarm is reported. After the migration is performed again and is successful,
the disaster recovery system will automatically clear the migration failure alarm.
Alarm Attribute
Alarm ID Alarm Severity Alarm Type
Alarm Parameters
Name Description
Possible Causes
l Services at the active site cannot be stopped.
l Data synchronization direction cannot be reversed.
l Services at the standby site cannot be started.
Procedure
Collect the fault related information and contact Huawei technical support.
Related Information
None
Alarm Description
This alarm is generated when nodes, service versions, or service instances deployed on the
active and standby sites are inconsistent.
Alarm Attribute
Alarm ID Alarm Severity Alarm Type
Alarm Parameters
Name Description
Possible Causes
l Nodes deployed on the active and standby sites are inconsistent.
l Service versions deployed on the active and standby sites are inconsistent.
l Service instances deployed on the active and standby sites are inconsistent.
Procedure
Locate and clear the alarm according to the following scenarios.
Scenario: Check whether nodes deployed on the active and standby sites are consistent.
Operation:
1. Open a web browser, input https://Floating IP address of the CloudOpera Orchestrator SDN management node of the active site:31943 in the address box, and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
3. Choose Resource > Server from the main menu.
4. On the Server page, check the Name column to determine whether the number of nodes deployed on the active and standby sites is the same. For example, GLO-Global-DB01 and SHA-Global-DB01 are database nodes deployed on the active and standby sites respectively.
l If yes, the alarm handling process is complete.
l If no, add the same type of nodes according to the expansion guide of the corresponding version, and synchronize data between the active and standby sites. For details, see 5.3.4 Forcibly Synchronizing Data Between Sites.
Scenario: The alarm still exists after resolving the preceding possible causes.
Operation: Collect information generated during alarm handling and contact Huawei technical support engineers.
Related Information
None
6 Common Operations
Prerequisites
You have obtained the initial password for the root user on the remote SFTP server. You have
also obtained the initial password for the sopuser user of the database nodes and the initial
password for the sopuser user of the management nodes from the Maintenance Guide.
Context
The SFTP protocol is used to back up databases to a remote server. To prevent phishing
attacks, SFTP fingerprint authentication must be enabled on the remote server. Manually add
the host key of the remote server to the known_hosts file on the local node.
Master/slave database nodes: nodes whose names end with DB01 or DB02 in the node plan.
Procedure
Step 1 Log in to the remote SFTP server as the root user and run the following command to obtain
the host key to a local PC:
ssh-keyscan -t ecdsa IP address of the remote SFTP server
A host key is displayed, as follows:
IP address of the remote SFTP server ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHS4AQHonYvoDJ
+k8cPPrWGgZWXHHu6yXlKeYG4adPdZOe0siBCMVYSJJuRpEHnbV8+34csE3kAzqEHxQKZRwMc=
NOTE
Step 6 Log in to each of the other database nodes and the other management node as the
sopuser user, and repeat Step 4 to Step 5 to configure SFTP fingerprint authentication.
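For reference, adding a remote host key to a node's known_hosts file typically looks as follows (a minimal sketch, assuming the default ~/.ssh/known_hosts path of the login user; the exact file location used in this procedure may differ):
mkdir -p ~/.ssh && chmod 700 ~/.ssh
ssh-keyscan -t ecdsa IP address of the remote SFTP server >> ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
sftp root@IP address of the remote SFTP server   # should connect without a host key prompt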
----End
Follow-up Procedure
Back up data to the remote SFTP server. For details, see 2 Data Backup.
Procedure
Step 1 Log in to the service deployment system (https://Floating IP address of the management
nodes:31943) and choose Monitor > Service Management > Start and Stop Products.
Step 2 Click the corresponding icon for Product in the Product Alias column to start a service on
the service or O&M nodes.
NOTE
Step 3 On the Service tab for monitoring statuses, select one or more services to be started and click
Start. In the displayed dialog box, click OK to start the selected services.
NOTE
Due to data cache, it takes about 5 seconds to open the tab for the first time. The waiting time depends
on the number of services in the system and the server performance.
----End
Procedure
Step 1 Log in to the service deployment system (https://Floating IP address of the management
nodes:31943) and choose Monitor > Service Management > Start and Stop Products.
Step 2 Click the corresponding icon for Product in the Product Alias column to stop a service on
the service or O&M nodes.
NOTE
Step 3 On the Service tab for monitoring statuses, select one or more services to be stopped and click
Stop. In the displayed dialog box, click OK to stop the selected services.
NOTE
Due to data cache, it takes about 5 seconds to open the tab for the first time. The waiting time depends
on the number of services in the system and the server performance.
----End
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN (https://floating IP
address of the primary and secondary management nodes:31943) using a browser.
Step 2 Choose Monitor > Service Management > Start and Stop Products.
Step 4 Select one or more nodes on which the databases need to be started and click the
corresponding icon in the Operation column. Click Yes in the displayed dialog box to start the selected nodes.
NOTE
Due to data cache, it takes about 5 seconds to open the page for the first time. The waiting time depends
on the number of services in the system and the server performance.
----End
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN (https://floating IP
address of the primary and secondary management nodes:31943) using a browser.
Step 2 Choose Monitor > Service Management > Start and Stop Products.
Step 4 Select one or more nodes on which the databases need to be stopped and click the
corresponding icon in the Operation column. Click Yes in the displayed dialog box to stop the selected nodes.
NOTE
Due to data cache, it takes about 5 seconds to open the page for the first time. The waiting time depends
on the number of services in the system and the server performance.
----End
Procedure
Step 1 On a page used for backing up dynamic data, operating system data, and so on, click the
page-size drop-down list and select 200 to display the maximum number of backup objects
allowed on the current page.
NOTE
When you deselect the selected backup objects by clearing the Instance Name check box, only the
backup objects on the current page are deselected. The backup objects on other pages will not be
deselected.
When you select all backup objects by selecting the Instance Name check box, only the backup objects
on the current page are selected. The backup objects on other pages will not be selected.
----End
7 FAQ
Prerequisites
The global backup parameters have been set.
Solution
Step 1 Choose Monitor > Service Management > Start and Stop Products from the main menu.
l If the DB Status of the product shows Unknown or Not Running, restore the database
by referring to section Database Restoration in CloudOpera Orchestrator SDN
Troubleshooting.
l If the DB Status of the product shows Running, contact Huawei technical support
engineers.
Step 2 Create a dynamic data backup task. For details, see 2.2 Backing Up Dynamic Data.
----End
Prerequisites
l The service database instances are running properly.
l The service instances to be backed up have been obtained and backup data for these
services are available.
l The names of the service instances to be stopped have been recorded in case data
restoration fails.
Solution
Step 1 Stop the running service instances. For details, see 6.3 How Do I Stop a Service?
Step 2 Create a restoration task. For details, see 3 Local Data Restoration.
----End
System Service
No. Hardening Description Hardening Method
File Permission
No. Hardening Description Hardening Method
1. The permissions, users, and user groups for the /etc/shadow and /etc/passwd files are set.
Hardening method:
l The file permission for /etc/shadow is set to 000 and the user and user group are set to root.
l The file permission for /etc/passwd is set to 644 and the user and user group are set to root.
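For reference, the shell commands equivalent to this hardening item would look as follows (a sketch only; the hardening tool applies these settings automatically):
chmod 000 /etc/shadow
chown root:root /etc/shadow
chmod 644 /etc/passwd
chown root:root /etc/passwd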
Kernel Parameter
No. Hardening Description Hardening Method
3. The umask parameter for newly created OS accounts is set to 027.
Hardening method: In the /etc/login.defs file, umask is set to 027.
7. User password is required each time the sudo commands are run.
Hardening method: The following command is run:
sed -i "/Defaults env_reset/c Defaults env_reset,timestamp_timeout=0" /etc/sudoers
8. Only users in the wheel group are allowed to run the su command.
Hardening method: In the /etc/pam.d/su and /etc/pam.d/su-l files, the following rule is set:
auth required pam_wheel.so use_uid group=wheel
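The umask, sudo, and su items above can be verified with standard grep checks (a minimal sketch; these checks are not part of the hardening tool itself):
grep -i "^UMASK" /etc/login.defs
grep "timestamp_timeout" /etc/sudoers
grep "pam_wheel.so" /etc/pam.d/su /etc/pam.d/su-l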
9. The backupuser and ftpuser users are required to log in to the OS by using only SFTP and can only access directories that are available to them.
Hardening method: In the /etc/ssh/sshd_config file, the following rules are set:
Match User backupuser
ChrootDirectory /opt/backup
ForceCommand internal-sftp -l INFO -u 007
Match User ftpuser
ChrootDirectory /opt/pub/upload
ForceCommand internal-sftp -l INFO -u 007
10. Users who are allowed to access the OS in SSH mode are set.
Hardening method: In the /etc/ssh/sshd_config file, the following rule is set:
AllowUsers User name
For example, if the sopuser, backupuser, ftpuser, and ossadm users exist, the rule is AllowUsers backupuser sopuser ftpuser ossadm.
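After the /etc/ssh/sshd_config rules above are changed, the configuration is typically validated and the SSH service restarted as follows (a sketch of standard OpenSSH administration, not a step mandated by this guide):
/usr/sbin/sshd -t            # check the sshd configuration for syntax errors
systemctl restart sshd       # apply the changes (or service sshd restart on older systems)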
12. The space limit of user disks is set.
Hardening method:
l If the ftpuser user exists, the space size of the /opt partition is limited to 10 GB.
l If the backupuser user exists, the space size of the /opt partition is limited to 40% of the total partition size.
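If standard Linux disk quotas are used to enforce these limits (an assumption; the guide does not name the mechanism), the configured values can be inspected as follows:
repquota /opt                # report quotas configured on the /opt file system
quota -u ftpuser             # show the limits applied to the ftpuser user
quota -u backupuser          # show the limits applied to the backupuser user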
Log Audit
No. Hardening Description Hardening Method
2. Events of changing the system time are recorded.
Hardening method: In the /etc/audit/audit.rules file, the following information is added:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
3. Events that affect the following items are recorded:
l /etc/group
l /etc/passwd (user ID)
l /etc/shadow
l /etc/gshadow (password)
l /etc/security/opasswd (old password whose number depends on PAM-based maximum password attempts)
Hardening method: In the /etc/audit/audit.rules file, the following information is added:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
6. Login and logout events are monitored.
Hardening method: In the /etc/audit/audit.rules file, the following information is added:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
17. Logins in SSH mode are recorded independently.
Hardening method:
l The directory for storing SSH logs is created by running the mkdir /var/log/sshd command.
l The SSH log file is created by running the touch /var/log/sshd/sshd.log command.
l In the /etc/rsyslog.conf file, the following information is added to the end of the file:
if ($programname == 'sshd') \
then {
-/var/log/sshd/sshd.log
stop
}
l The SSH service is restarted by running the service sshd restart command.
l The syslog service is restarted by running the systemctl restart rsyslog.service command.
19. The lack of the wtmp log on some SUSE OSs is resolved.
Hardening method: The wtmp log is recreated by running the following commands:
touch /var/log/wtmp
chmod 664 /var/log/wtmp
chown root:utmp /var/log/wtmp
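After the audit rules above are added, they can be reloaded and checked with the standard audit tools (a minimal sketch; option availability depends on the installed audit package):
auditctl -R /etc/audit/audit.rules    # reload the rules from the file
auditctl -l | grep time-change        # confirm that the time-change rules are loaded
ausearch -k logins --start today      # query recorded login and logout events by key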
Network Connection
No. Hardening Description Hardening Method
10. The option for allowing trusted hosts is disabled.
Hardening method:
l The /etc/hosts.equiv file is deleted if it exists.
l The /root/.rhosts file is deleted if it exists.
l The following commands are run to create symbolic links:
ln -s /dev/null /etc/hosts.equiv
ln -s /dev/null /root/.rhosts
11. The timeout period after login is set.
Hardening method: In the /etc/profile file, the following information is added:
TMOUT=900
export TMOUT
Disabled OS Users
No. User Name Description
System Settings
No. Hardening Description Hardening Method
1. The OS and the database cannot reside in the same partition.
Hardening method: The MySQL database is installed in the /opt directory by default.
2. The MySQL database operating account dbuser is not allowed to log in to the OS in SSH mode.
Hardening method: The hardening tool adds the sopuser or ossadm user to the /etc/ssh/sshd_config file according to the condition. The MySQL database operating user dbuser is not allowed to log in to the OS.
3. The command history of the MySQL database is not allowed to be displayed.
Hardening method: The hardening tool automatically runs the following command:
ln -s /dev/null $HOME/.mysql_history
1. The database instance user root is not allowed to log in to the database.
Hardening method: This security hardening item is configured by default when the database instance is created.
File Permission
No. Hardening Description Hardening Method
1. Permission for the MySQL software installation directory is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 750 /opt/mysql
2. Permission for the data file directory is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 700 /opt/mysql/data/Instance name
3. Permission for the my.cnf file is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 600 my.cnf
4. Permission for the log_bin file is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 600 log_bin
5. Permission for the relay_log file is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 600 relay_log
6. Permission for the innodb data directory is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 700 /opt/mysql/data/Instance name
7. Permission for the innodb log file directory is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 700 /opt/mysql/data/Instance name
8. Permission for the audit log file audit.log is set.
Hardening method: The hardening tool automatically runs the following command:
chmod 600 /opt/mysql/data/Instance name/audit.log
1. The creation of user names for logging in to the MySQL database is restricted.
Hardening method: The hardening tool automatically adds the following option to the database startup commands:
--safe-user-create
2. The MySQL client of an early version cannot access the server of a later version in the old password authentication mode.
Hardening method: The following is added to the /opt/mysql/my_product.cnf file:
secure_auth=on
3. The directory for importing MySQL data is fixed. The directory varies according to database instance names.
Hardening method: The following is added to the /opt/mysql/data/Instance name/my.cnf file:
secure-file-priv=/opt/mysql/data/Instance name
4. Soft links for database files are disabled.
Hardening method: The hardening tool automatically adds the following option to the database startup commands:
--skip-symbolic-links
5. Data are not allowed to be imported to the MySQL database in remote mode.
Hardening method: The following is added to the /opt/mysql/data/Instance name/my.cnf file:
local-infile=0
8. Unauthorized users are not allowed to view database names.
Hardening method: The following is added to the /opt/mysql/data/Instance name/my.cnf file:
skip_show_database
9. The port number range used by the MySQL database is restricted. The default port number 3306 cannot be used.
Hardening method: The following is added to the /opt/mysql/data/Instance name/my.cnf file:
port=Port number used by the database instance
10. The MySQL database character set must be UTF8.
Hardening method: The following is added to the /opt/mysql/data/Instance name/my.cnf file:
character-set-server=utf8
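To confirm that the my.cnf options above have taken effect on a database instance, the corresponding server variables can be queried in a MySQL client session (a minimal sketch using standard MySQL statements):
show variables like 'secure_auth';
show variables like 'secure_file_priv';
show variables like 'local_infile';
show variables like 'skip_show_database';
show variables like 'character_set_server';
show variables like 'port';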
Answer
This section uses the operation of uploading the client.crt file to /opt/oss/Product/apps/
MessagingLBService/nginx/conf/kafka/rest_ssl as an example to describe the detailed steps.
Step 1 Upload the client.crt file to the /opt/pub/upload/ftproot directory on the active management
node and standby management node by using SFTP as the ftpuser.
NOTE
l The initial password of the ftpuser user was set during SSH security hardening.
l If the password has been changed, use the new password to log in. Changing passwords periodically
prevents password leaks and unauthorized access.
l To ensure system security, the root directory is automatically changed when the ftpuser user uses
FileZilla to log in to the VM node. In FileZilla, /opt/pub/upload/ftproot is displayed as /ftproot.
Therefore, upload the file to /ftproot.
Step 2 Log in to the active management node and standby management node as the sopuser user,
and copy the client.crt file to the /opt/oss/Product/apps/MessagingLBService/nginx/conf/
kafka/rest_ssl directory.
su - root
cp /opt/pub/upload/ftproot/client.crt /opt/oss/Product/apps/MessagingLBService/nginx/
conf/kafka/rest_ssl
Step 3 Log in to the standby management node as the sopuser user. Copy the client.crt file from the
standby management node to /var/tmp of the non-management node by running the scp
command.
su - root
scp /opt/pub/upload/ftproot/client.crt sopuser@<IP address of the data node>:/var/tmp
Enter the password of the sopuser user as prompted:
Authorized users only. All activity may be monitored and reported.
Step 4 Log in to the non-management node as the sopuser user, and copy the client.crt file and its
signature file to the /opt/oss/Product/apps/MessagingLBService/nginx/conf/kafka/rest_ssl
directory.
su - root
cp /var/tmp/client.crt /opt/oss/Product/apps/MessagingLBService/nginx/conf/kafka/
rest_ssl
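To confirm that the certificate was copied intact, the checksum of the uploaded file can be compared with that of each copy (a sketch using the standard sha256sum command; the values must be identical), for example:
sha256sum /opt/pub/upload/ftproot/client.crt
sha256sum /opt/oss/Product/apps/MessagingLBService/nginx/conf/kafka/rest_ssl/client.crt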
----End
Context
l IR certificates are saved in /opt/oss/manager/etc/ssl/internal.
l IR certificates include the following files:
– manifest.json: certificate configuration file
– server.cer: identity certificate file of the server
– server.p12: certificate in .p12 format
– server_key.pem: private key to the identity certificate file of the server
– trust.cer: trust certificate file of the server
– trust.jks: trust certificate file in .jks format
Precautions
l Certificate update takes effect after nodes are restarted. You are advised to perform this
operation during off-peak hours.
l You are advised to back up the certificate file before update. Compress the IR certificate
file and save it to a directory where the current certificate does not reside.
l IR certificates on the management plane are updated at the same time.
l If active and standby nodes exist, restart them in the following sequence to prevent an
active/standby switchover:
a. Stop the standby node.
b. Stop the active node.
c. Start the active node.
d. Start the standby node.
Procedure
Step 1 (Optional) Update the certificate password. For details, see 7.6.3 Updating the Certificate
Password.
Step 2 Log in as the sopuser user to the primary and secondary management nodes of the standby
site separately.
Step 3 Upload CA certificate files ca.cer and ca_key.pem to the /tmp directory on the primary and
secondary management nodes of the standby site.
NOTE
You can obtain the certificates from the CA or the /opt/oss/manager/var/ca/ directory on the
management nodes of the active site.
Step 4 Run the following commands as the root user to replace the CA certificates.
su - root
cp /tmp/ca.cer /opt/oss/manager/var/ca/
cp /tmp/ca_key.pem /opt/oss/manager/var/ca/
During the IR certificate replacement, a Y/N prompt is displayed for confirmation. You can add
the -force parameter to the replacement command to skip this confirmation step.
2. Run the following commands to start the primary management node:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd startnode
Step 8 Update the IR certificate of the secondary management node.
1. Log in to the secondary management node as the sopuser user and run the following
commands to update the IR certificate:
su - ossadm
cd /opt/oss/manager/agent/bin
./osskey -cmd replace_ircerts [-force]
2. Run the following commands to start the secondary management node:
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd startnode
----End
Context
l IR CA certificates are saved in /opt/oss/manager/var/ca/. CA certificates exist only on
management nodes.
Precautions
l After a certificate is updated, CloudOpera Orchestrator SDN must be restarted to apply
the certificate. Therefore, update certificates in off-peak hours.
l Back up the original certificate files before updating certificates.
l If active and standby nodes exist, restart them in the following sequence to prevent an
active/standby switchover:
a. Stop the standby node.
b. Stop the active node.
c. Start the active node.
d. Start the standby node.
Procedure
Step 1 Log in as the sopuser user to the non-management nodes (except the Deploy01 or Deploy02
nodes in the VM) in sequence and run the following command to switch to the ossadm user:
su - ossadm
Step 2 Run the following commands to stop the non-management nodes in sequence:
NOTE
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd stopnode
Step 3 Run the following commands to update the IR CA certificates:
cd /opt/oss/manager/agent/bin
./osskey -cmd replace_ircacerts
Step 4 Run the following commands to start the nodes:
NOTE
. /opt/oss/manager/bin/engr_profile.sh
ipmc_adm -cmd startnode
Step 5 Run the following commands to check whether the time stamp of the certificate file is
updated.
cd /opt/oss/manager/etc/ssl/internal
ll
-rw------- 1 ossadm ossgroup 895 Sep 4 19:57 manifest.json
-rw------- 1 ossadm ossgroup 8122 Sep 4 19:57 server.cer
----End
Procedure
Step 1 Log in to the primary management node as the sopuser user and run the following commands
to obtain the ciphertext for the new password:
su - ossadm
. /opt/oss/manager/bin/engr_profile.sh
NOTE
vi /opt/oss/manager/agent/etc/mcagent.conf
Step 3 Press Esc and run the :wq! command to save and exit from the edit mode.
----End
Prerequisites
You have obtained the new password for the backup server user.
Procedure
Step 1 Log in to the management plane of CloudOpera Orchestrator SDN.
1. Open a web browser, input https://floating IP address of the primary and secondary
management nodes:31943 in the address box and press Enter.
2. Input the user name admin and password on the login page, and click Log In.
Step 2 Choose Backup and Restore > Configurations > Configure Global Backup Parameters
from the main menu.
Step 3 On the Configure Global Backup Parameters page, click the corresponding icon in the
Operation column of the backup server whose password is to be changed.
Step 4 Change the value of Password in the Parameters column to the new password for the backup
server user.
Step 5 Click Validate to test the connectivity to the backup server.
Step 7 In the row of the backup server, click the corresponding icon to save the new password.
----End