0% found this document useful (0 votes)

349 views646 pages

ENC Administrator Manual

Uploaded by

Slimani Azzeddine

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

349 views646 pages

ENC Administrator Manual

Uploaded by

Slimani Azzeddine

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 646

Administrator Manual

Ensemble Controller

Product Release: 15.2

Document Issue: A
Product Release: 20.1.1
Product Release: 20.1.1
Document
Document Issue: ADocument Issue: A
Number: 80000074000
Document Number: 80000065616
Document Number: 80000065616
Copyright © 2001-2023 Adtran Networks SE. All rights reserved.

Adtran Holdings, Inc.

901 Explorer Blvd.
Huntsville, AL 35806
USA

Adtran Networks SE, formerly known as ADVA Optical Networking SE (an Adtran company)
Campus Martinsried
Fraunhoferstrasse 9a
82152 Martinsried/Munich
Germany

Terms of Use (“Terms”):

Acceptance of Terms

By using this content, including without limitation any services, portals, webpages, manuals, documentation and
any other information provided herein (hereinafter referred to as “Content” and/or “Service”), you assent to the
following terms of use. If you do not agree to these terms, please do not use this Content.

If you are using this Content on behalf of your employer/hirer/contractor, you represent and warrant that you are
authorized to accept these Terms on your employer's/hirer’s/contractor’s behalf.

Use of the Content and Service

You agree not to access the Content by any means other than through the interface that is provided by Adtran
Networks SE. Adtran Networks SE, formerly known as ADVA Optical Networking SE, includes its affiliates and
successors (“Adtran”). You will not use the Service for any purpose that is unlawful or prohibited by these Terms.
You may not use the Service in any manner that could damage, disable, overburden, impair, or otherwise result in
unauthorized access to or interference with, the proper functioning of any Content, accounts, systems, networks
of Adtran or its licensor(s).

If parts of the Content (including without limitation service) require you to open an account, to choose a password
and/or a user name, you are entirely responsible for maintaining the confidentiality of your password and account,
and for any and all activities that occur under your account. You will maintain and promptly update your account
and any information you provide to Adtran to keep it accurate, current and complete.

You will notify Adtran immediately of any unauthorized use of your account or any other breach of security.
Adtran will not be liable for any losses you incur as a result of someone else using your password or account,
either with or without your knowledge. However, you could be held liable for losses incurred by Adtran due to
someone else using your account at any time, without the permission of the account hold.

You may obtain direct access via the Content (including without limitation portal or system) to certain confidential
information of Adtran and its suppliers and contractors, including without limitation technical, contractual,

Ensemble Controller R15.2 -Administrator Manual - Issue: A 2

Adtran

product, delivery, pricing, marketing and other valuable information that should reasonably be understood
as confidential ("Confidential Information"). You must hold Confidential Information in strict confidence.
Title to Confidential Information remains with Adtran or its respective suppliers and contractors.

No Warranties

ALL CONTENT IS PROVIDED ON AN ''AS IS AVAILABLE'' BASIS WITHOUT ANY WARRANTY OF ANY KIND
EITHER EXPRESSED OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. ADTRAN
MAKES NO WARRANTY AS TO THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY CONTENT
AVAILABLE HEREIN. USE OF THE CONTENT IS AT YOUR SOLE RISK. YOU ARE RESPONSIBLE FOR VERIFYING
ANY INFORMATION BEFORE RELYING ON IT AND FOR TAKING ALL NECESSARY PRECAUTIONS TO ENSURE
THAT CONTENT IS FREE OF VIRUSES. The content of this document may include technical inaccuracies or
typographical errors. Adtran may make changes at any time to the Content (including without limitation
portals, systems, products or specifications) without notice and makes no commitment to update Content.

Adtran may provide economic projections and forward-looking statements on this Content (including
without limitation on portals or systems) that relate to future facts. Such projections and forward-looking
statements are subject to risks which cannot be foreseen and which are beyond the control of Adtran.
Adtran is therefore not in a position to make any representation as to the accuracy of economic projections
and forward-looking statements or their impact on the financial situation of Adtran or the market in the
shares of Adtran.

Limitation of Liability

IN NO EVENT SHALL ADTRAN NETWORKS SE OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO
THE ACCESS OR USE OF THE CONTENT (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND BASED ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. THE SAME APPLIES FOR ANY HARDWARE OR SOFTWARE INCLUDED IN THE CONTENT,
UNLESS A SIGNED AGREEMENT WITH ADTRAN NETWORKS SE OR ITS AFFILIATE(S) OR THE APPLICABLE
PRODUCT LIABILITY LAW EXPRESSLY STATES OTHERWISE.

Trademarks and Copyright

Documents and information, including text, images, graphics, sound files, animation files, video files and
their arrangement made available in the Content (including without limitation the portal or system) are
subject to copyright and other intellectual property protection. They may not be copied for commercial use
or distribution and may not be modified or reposted to other internet sites.

Unless otherwise indicated, all marks displayed on the Content (including without limitation portals) are
subject to the trademark rights of Adtran Networks SE or the respective trademark owner. Adtran Networks

Ensemble Controller R15.2 Administrator Manual - Issue: A 3

Adtran

SE and the Adtran Networks SE Logo are trademarks or registered trademarks of Adtran Networks SE in
Germany and other countries.

Any software that is made available for download from the Content ("Software") is a copyrighted work of
Adtran or the respective copyright owner.

The furnishing of this content does not give you any license or rights with respect any content, patents
and/or trademarks herein, unless the Content (including without limitation software) is governed by the
terms of your signed agreement with Adtran. Any reproduction or redistribution of the Content (including
without limitation Software) not in accordance with the foregoing is expressly prohibited.

Third Party Content

Third-party content is the property of their respective owners and does not imply a partnership between
Adtran and any other company. Any references to content that is not from Adtran are provided for
convenience only and do not in any manner serve as an endorsement of that content.

Software generally known as “open source software” is licensed pursuant to the applicable license terms.
The copyright owners of such software disclaim all warranties and conditions, express and implied,
including warranties or conditions of title and non-infringement, and implied warranties or conditions of
merchantability and fitness for a particular purpose, and all liability for damages, including direct, indirect,
special, incidental and consequential damages, such as lost profits.

Export Controls

The Content (including without limitation service, Software, or technology derived or obtained from the
portals) may be subject to the export control laws and/or the import laws of various country (“Controlled
Items”). This includes without limitation the export control laws and regulations of Germany, the European
Union, and the United States. You agree to comply strictly with all such laws. In particular, you will not use,
distribute, transfer or transmit the Controlled Items (even if incorporated into other products) except in
compliance with such laws. You are also responsible for complying with all applicable legal regulations of
the country where you are registered, and any foreign countries with respect to the use of the Controlled
Items by you, your affiliates, subsidiaries, directors, employees, authorized users and permitted third
parties, including end-users. Adtran will support you in obtaining any necessary export or import license for
Controlled Items. You agree that none of the Controlled Items will be sold or otherwise transferred to, or
made available for use by or for, any entity that is (a) named on the EU, U.S. or other government-issued
Sanctioned Party Lists (Denied Party List, Restricted Party, etc.) or (b) engaged, directly or indirectly, in the
design, development, production, stockpiling, or use of chemical or biological weapons, nuclear programs
(including activities related to nuclear devices, nuclear reactors, and nuclear fuel-cycle activities), missiles
and maritime nuclear propulsion projects, except as authorized under applicable laws and regulations.

You agree that, in the event you are notified by Adtran, a third party or a governmental agency about a
license requirement for Controlled Items or particular transactions, you will not export or re-export the

Ensemble Controller R15.2 Administrator Manual - Issue: A 4

Adtran

Controlled Items or pursue the transactions, directly or indirectly, until the required licenses are obtained,
and work with Adtran, the third party or the governmental agency to procure the required licenses.

You agree to indemnify and hold harmless Adtran in the event of your non-compliance with any applicable
German, EU, and U.S. export control laws and the export controls or import laws of other countries.

Governing Law and Place of Jurisdiction

The Content and any dispute arising out of or in connection with this Content is governed by German Law,
without its choice of law provisions and the United Nations Convention on Contracts for the International
Sale of Goods is hereby excluded. The District Court of Munich has exclusive jurisdiction for any dispute
arising out of or in connection with this Content.

Privacy Statement

All terms related to our privacy information are available at: https://www.adva.com/en/about-
us/legal/privacy-statement

All terms related to our privacy information for Customer Portal users are available at: https://advaoptical-
communities.force.com/customerportal/CustomerPortalTCs

Ensemble Controller R15.2 Administrator Manual - Issue: A 5

Adtran Contents

Contents
Administrator Manual 1

Contents 6

Preface 31
Safety Symbol and Message Conventions 31
Documentation 31
Rebranding 32
Ensemble Controller Documentation Suite 33
Accessing Documentation 33
Within Ensemble Controller 33
World Wide Web 33
Documentation Feedback 34
Obtaining Ensemble Controller Information 34
Support Info 34
Ribbon Menu 35
Creating a System Health Report 36
Requirement to Create a System Health Report 36
Procedure to Create a System Health Report 36
About Information 37
Obtaining Technical Assistance 37
Customer Portal 37
Technical Services 38
Call Adtran 38
Document Revision History 39

Installing and Logging into Ensemble Controller 48

Overview 48
Communication 49
Graphical User Interface 49
Subnetworks 50
Events 50
User Management 50

Ensemble Controller R15.2 Administrator Manual - Issue: A 6

Adtran Contents

Performance 50
Security 50
Pro-Vision Support 50
Installation Requirements 51
Required Minimum Server Hardware 51
General Information 52
Network Element Equivalents 52
Performance Management Object Count 55
Installing the Server Hardware 56
High-Availability Solution with a Redundant Server 56
Upgrading the Server Hardware 56
Supported Operating Systems (Server) 56
Minimum Requirements for Windows Test Servers 57
Recommended Windows Server Hardware 57
Recommended Linux Server Hardware 59
Required Minimum Client Hardware 60
Supported Operating Systems (Client) 61
Minimum Requirements for Test Systems 62
Recommendations for the User Environment 62
Client Server Requirements 63
The Embedded License Server 63
Supported Operating Systems 63
Installation Options 64
Required License Server Hardware for the Local Installation 64
Interaction of Ensemble Controller and Embedded License Servers in High
Availability 65
Antivirus Software 65
Server Environment 65
Client Environment 66
Local Area Network 66
Network Element-to-Server Connections 67
Server-to-Server Connections 67
Server-to-Client Connections 68
Server-to-Northbound Interface Connections 68
Network Elements 68
Ensemble Controller Server Filter 68

Ensemble Controller R15.2 Administrator Manual - Issue: A 7

Adtran Contents

Trapsink Table 68
SNMP Access 69
FTP Access 69
General Aspects 69
Using RADIUS, TACACS+, or LDAP 69
Third-Party Software 70
Using FTP or SSH Servers 70
Additional Software 70
Optional Hardware 71
Optional Applications 71
Ensemble Optical Director with Centralized Control Plane 72
Ensemble Sync Director Assurance Extension 72
Ensemble Fiber Director 73
Streaming High Availability 73
Transport API North Bound Interface 74
Installing Ensemble Controller 74
Installing Ensemble Controller in Windows 74
Requirements for Installing Ensemble Controller in Windows 75
Steps to Installing Ensemble Controller in Windows 75
Silent Installation of the Ensemble Controller Client 84
Verifying Services in Windows 85
Changing the Memory Settings of the Mediation Server in Windows (64 Bit) 87
Installing Ensemble Controller Client Only 88
Installing Ensemble Controller in Linux 92
Requirements for Installing Ensemble Controller in Linux 93
Steps to Installing Ensemble Controller in Linux 94
For Red Hat Enterprise Linux 7.x and 8.x 97
Verifying Services in Linux 99
Changing the Memory Settings of the Mediation Server in Linux 100
Troubleshooting Client Download Errors 100
"Cannot write to download directory" 101
"Cannot create installation directory" 101
"Error while updating or uncompressing" 102
Viewing and Deleting Installed Clients 103
Preparing and Enabling the Embedded License Server 104
Importing Ensemble Controller Server Certificates to the Client 106

Ensemble Controller R15.2 Administrator Manual - Issue: A 8

Adtran Contents

(Optional) Installing Additional Programs 107

Installing FileZilla 107
Installing PuTTY 111
Requirements 111
Procedure 112
Installing CopSSH 116
Starting the Ensemble Controller Server 122
Procedure to Start the Server in Windows 123
Using the Windows Start Menu 123
Using the Windows Command Prompt 123
Procedure to Start the Server in Linux 124
Stopping the Ensemble Controller Server 124
Procedure for Stopping the Server in Windows 124
Using the Windows Start Menu 124
Using the Windows Command Prompt 124
Procedure for Stopping the Server in Linux 125
Logging Into the Ensemble Controller Client 125
Requirements to Log Into the Ensemble Controller Client 126
Supported Encryption Protocols and Ciphers 126
HTTPS and JMS 126
Public/Private Keys x.509 (HTTP, JMS) 127
SSH: server-server, server-ftp server 128
Persistent password encryption 128
Server-NE Communication (SNMP, HTTP) 128
Procedure to Log Into the Ensemble Controller Client 128
Taking Remedial Action for Failed Login Attempts 133

Installing Ensemble Controller for Pro-Vision 135

Installation Procedure for Linux 135
Installation Procedure for Windows 136
Enabling User Permissions 137
Configuring FSP Network Manager Files 137
Starting the Server 138

Configuring Ensemble Controller 139

Security 139
Hardening the Ensemble Controller Application 140

Ensemble Controller R15.2 Administrator Manual - Issue: A 9

Adtran Contents

Increasing the Entropy of a Virtual Machine or Headless Server 141

Security Manager 143
User Authentication 143
Users Tab 144
Generic Information about Users 144
Ribbon Menu 145
Adding Users 146
Editing Users 146
Deleting Users 146
Exporting the Users Table 147
Resetting to Factory Default 147
Table 147
Details Pane 148
Identity 148
Groups 148
Groups Tab 149
Ribbon Menu 149
Adding Groups 149
Editing Groups 150
Deleting Groups 150
Table 150
Details Pane 150
Identity 151
Members 151
Network 151
Services 152
Roles Tab 153
Ribbon Menu 153
Adding Roles 153
Editing Roles 153
Deleting Roles 154
Table 154
Details Pane 154
Identity 154
Permissions 155
Action Log Tab 156

Ensemble Controller R15.2 Administrator Manual - Issue: A 10

Adtran Contents

Changing Event Severities 156

Table 156
Details Pane 156
Sessions Tab 157
Ribbon Menu 157
Table 157
Details Pane 157
Changing Passwords on Network Elements Using SNMP 158
Requirements to Change Passwords Using SNMP 159
Procedure to Change Passwords Using SNMP 159
Activating a Log File 161
Enabling a Connection of One Ensemble Controller Client to Multiple Servers 163
Enabling Two-Man Approval for Actions 164
Applying the Two-Man Rule Permission to User Actions 165
Assigning a User for Approver 165
About the Request Phase 165
About the Decision Phase 166
Opening the Approval Requests Dialog Box 166
Viewing the Approval Requests Dialog Box 166
Deciding on the Requests in the Approval Requests Dialog Box 167
About the Response Phase 167
Granting Temporary Admin User Rights on Network Elements 168
Viewing or Revoking Approved Requests 169
Requirement to Revoke Approved Requests 170
Opening the Approved Temporary Privileges Dialog Box 170
Revoking an Approved Request 170
Fallback Solution if the Network Element Connection Fails 170
Requirement to Use the Fallback Solution 171
Enabling the Network-Element Fallback User-Password Management Tool 171
Effect of Enabling the Management Tool 172
Opening the Management Tool 173
Sorting Table Content 173
Filtering Table Content 173
Revealing a Fallback User Password 173
Requirements to Reveal a Fallback User Password 173
Procedure to Reveal a Fallback User Password 174

Ensemble Controller R15.2 Administrator Manual - Issue: A 11

Adtran Contents

SSH Settings 175

SFTP Settings 175
High Availability 176
Standard High Availability 178
General Information 178
The Two-Node Cluster Concept 178
Server-Mode Switchover Behavior for Standard High Availability 180
Implications if Primary Servers Stop Working 180
Implications After Restoring Primary Servers 180
Manually Changing the Server Mode 181
Configuring Server Shell Scripts 181
Server Status 182
Comparing the Primary-to-Secondary Server Activity 183
Preparing to Configure Standard High Availability 185
Configuring Standard High Availability in Windows 186
Configuring Standard High Availability in Linux Systems 191
Configuring High Availability with the SSH Password 192
Configuring High Availability with the SSH Key 192
Applying and Testing the New Standard High-Availability Configuration 193
Maintaining Standard High Availability 198
Upgrading Ensemble Controller Servers that Use Standard High Availability 198
Changing an Existing Standard High-Availability Configuration 200
Requirements to Change a Standard High-Availability Configuration 200
Procedure to Change a Standard High-Availability Configuration 200
Changing the Ensemble Controller Server Work Mode 202
Enabling or Disabling Automatic Switchover for Standard High Availability 203
Disabling a Standard High-Availability Configuration 204
Streaming Replication High Availability 205
General Information 205
The Three-Node Cluster Concept 205
Primary and Standby Server Coordination 206
Resilience to Outages 206
Server Outages 207
Network Outages 207
Dividing a Cluster in Availability Zones 207

Ensemble Controller R15.2 Administrator Manual - Issue: A 12

Adtran Contents

Server-Mode Switchover Behavior for the Streaming Replication High

Availability 208
Comparing the Primary-to-Standby Server Activity 208
Effects of nmsadmin Operations on the Primary and Standby Server 210
Installation Requirements 212
Installation Software 215
Installation Overview 216
Installing and Configuring the Intended Primary Ensemble Controller Server 218
Requirements to Install and Configure the Intended Primary Ensemble
Controller Server 218
Procedure to Install and Configure the Intended Primary Ensemble
Controller Server 218
Installing and Configuring the Intended DCS Quorum Server 219
Requirements to Install and Configure the Intended DCS Quorum Server 219
Procedure to Install and Configure the Intended DCS Quorum Server 219
Installing and Configuring the Intended Standby Ensemble Controller Server 220
Requirements to Install and Configure the Intended Standby Ensemble
Controller Server 220
Procedure to Install and Configure the Intended Standby Ensemble
Controller Server 220
Maintaining Streaming Replication High Availability 221
Checking the Cluster Status 221
Pausing or Resuming the Streaming Replication High-Availability Control 222
Changing an Existing Streaming Replication High-Availability Configuration 223
Enabling the Single-Server Mode 223
Upgrading Streaming Replication High Availability 224
Updating High Availability Stream Package 227
Enhancing the Database Password Encryption Security 228
Any 13.x Version Upgraded to 13.3 or Later 228
Any Supported Version Before 13.1 Upgraded to 13.3 or Later 231
Initiating a Server Work Mode Switchover 232
Enabling or Disabling Automatic Switchover for Streaming Replication High
Availability 233
Reverting to a Non-Resilient Configuration or Disabling Streaming Replication
High Availability 233
Requirement to Revert to a Non-Resilient Configuration 233
Procedure to Revert to a Non-Resilient Configuration 233

Ensemble Controller R15.2 Administrator Manual - Issue: A 13

Adtran Contents

Migrating from Standard to Streaming Replication High Availability 234

Requirement to Migrate from Standard to Streaming Replication High
Availability 235
Procedure to Migrate from Standard to Streaming Replication High Availability 235
System Settings 236
Suppressing Noisy Events 237
Overview of Noisy Events Per Network Element 239
Broadcasting Messages to Ensemble Controller Clients 242
Requirement to Broadcast Messages 242
Procedure to Broadcast Messages 242
Server Preferences 245
Event Log Settings 245
Opening the Event Log Page 246
Event Log Parameters 247
Log Size Details of Live Events 249
Anonymization Details 249
Editing Security Parameters 250
Opening the Security Page 250
Setting Auto Lock and Auto Logout 251
Setting User Account Policies 252
Setting Authentication Parameters 254
Setting SMTP Properties 256
Setting the Default NE Identity Type 258
Changing the Network Element Icon Labeling 258
Setting the Client Time Zone 260
Configuring the NBI Trap Transmitter Settings 262
Requirement to Configure the NBI Trap Transmitter Settings 262
Procedure to Configure the NBI Trap Transmitter Settings 263
Configuring ENC-ELS Single Sign-On Connection 266
Requirement to Configure ENC-ELS Single Sign-On Connection 267
Procedure to Configure ENC-ELS Single Sign-On Connection 267
Configuring Operations from the fnm.properties File 268
Editing the fnm.properties File 269
Enabling the Login or Post-Login Dialog Box Message 271
Login Dialog Box Message 271
Post-Login Dialog Box Message 272

Ensemble Controller R15.2 Administrator Manual - Issue: A 14

Adtran Contents

Setting Up RADIUS Authentication 274

Configuring an External RADIUS Server 275
Configuring the RADIUS Server Access in Ensemble Controller 275
Configuring the RADIUS Server Timeout 276
RADIUS Access-Challenge 277
Logging In Through One-Time-Password 277
Setting Up TACACS+ Authentication 278
Configuring an External TACACS+ Server 279
Configuring the TACACS+ Server Access in Ensemble Controller 280
Configuring the TACACS+ Server Timeout 280
Setting Up LDAP Authentication 281
Configuring Access to the LDAP Server 282
Configuring the LDAP Server Timeout 283
Changing the Default Security Protocol 284
Using Multiple Network Interfaces for Communication 285
Prerequisites to Use Multiple Network Interfaces 285
Configuring Multiple Network Interfaces 286
Script or Command-based Operations 288
Enabling IPv6 289
Setting the Server Time Zone 289
In a Windows Operating System 289
In a Linux Operating System 290
Setting the Shared Buffer Size 291
Using Customer Certificates 292
Creating a Keystore and a Self-Signed Certificate 292
Generating a Certificate Signing Request and Signing the Certificate Externally 293
Creating the Key, Signing it Externally, and Bundling it as p12 Container 294
Adapting the jms.properties File to the New Password 295
Adapting the Ensemble Controller Server to the New Password 296
Keystore and Private Key Password Encryption 296
Encrypting Passwords or <text> 297
Adapting the jms.properties File to the Newly Encrypted Password 297
Adapting the Ensemble Controller Server to the Newly Encrypted Password 297
Updating the Keystore and Defining a New Passphrase 298
Command Definition 298

Ensemble Controller R15.2 Administrator Manual - Issue: A 15

Adtran Contents

Procedure to Update the Keystore and Define a New Passphrase for the Private
Key 299
Procedure to Define a New Passphrase for the Keystore 300
Changing the Maximum User Processes Property in Linux 300
Creating Configuration File Templates for Ethernet Devices 300
Design Objectives 301
Tag Set 301
Supported <default> Keywords 309
Rules 312
Installing the Docker-Community Edition Application in Linux 315
Installing Docker CE 316
Performing Post-Install Configuration 317
docker0 317
docker_gwbridge 318
Requirement 318
1-Node Cluster 318
N-Nodes Cluster [N>1] 319
Upgrading from Docker CE 18.09 to Docker CE 20.10 321
Stopping All Containerized Applications 322
Stopping the Docker Daemon 322
Uninstalling Docker 18.09 322
Displaying the History 322
Displaying Detailed Information About Installation Transaction ID 323
Uninstalling all Docker packages 323
Starting all Containerized Applications 323
Configuring Docker for IPv6 Management 323
Configuring Sync Assurance and the Ensemble Fiber Director Server 324
Installing the Map Library in Linux 324
Requirement to Install the Map Library 324
Procedure to Install the Map Library 325
Version 14.1 or Earlier 325
Version 14.2 or Later 325
Installing and Configuring the Sync Assurance Application in Linux 326
Requirements to Install the Sync Assurance Application 327
Procedure to Install the Sync Assurance Application 329
Command Output Example for a GNSS Service 331

Ensemble Controller R15.2 Administrator Manual - Issue: A 16

Adtran Contents

Stopping the Sync Assurance Application 332

Starting the Sync Assurance Application 332
Health Check and Database Backup for Sync Assurance Applications 334
Automatic Database Backups 334
Restoring the Database from a Backup File 335
Command Output Examples for GNSS Service Replicas 338
Connecting the Sync-Assurance Applications with the Ensemble Controller 339
Enabling Machine-Learning Based Alarms for GNSS 339
Creating Custom GNSS Scripts 339
Supported Files and Script Formats 340
System-Provided Custom GNSS Help Files 342
Custom Script Business Logic 343
Post-Creation Steps 347
Changing the Database Password of the Sync Assurance Applications 348
Configuring Streaming Network Telemetry Service 348
Installing the Ensemble Fiber Director Server in Linux 349
Requirements to Install the Ensemble Fiber Director Server 349
Procedure to Install the Ensemble Fiber Director Server 351
Installing the Ensemble Fiber Editor 351
Installing the Local Geographical Map-Tile Server in Linux 352
Chrome Security Concern 354
Ensemble Fiber Director Mobile Application 355
Prerequisites for Running the EFD Mobile Application 355
Installing the EFD Mobile Application 355
Running, Stopping, or Uninstalling the EFD Mobile Application 356
Consolidating Ensemble Controller Servers 356
Terminology 357
Requirements to Consolidate Servers 357
Prerequisite Steps for the Servers 357
Starting the ENC Migration Tool 358
Command Content Description 359
Included Attributes for Network Exports 363
Included Attributes for Link Exports 363
Included Attributes for Service Tree Exports 364
Included Attributes for Tracked Service Exports 364
Overview of the Command Sequence 365

Ensemble Controller R15.2 Administrator Manual - Issue: A 17

Adtran Contents

Summarized Command Sequence 366

Exporting Database Content from the Source Server 366
Importing Database Content to the Destination Server 367
Requirements to Import Database Content 367
Procedure to Import Database Content 368
Post-Migration Steps After the Import 370
Requirement for the Post-Migration Steps 370
Procedure for the Post-Migration Steps 370
Accessing Management Tools 371
Command Line Interface 371
Using a Secure Protocol 371
Using an Insecure Protocol 372
Configuring CLI Launch Commands 372
WEB Manager 374
Single Sign-On Support (SSO) 374
Scenarios That Support SSO 374
Establishing a Single Sign-On Connection 376
Establishing an SSO Connection Using Fallback Passwords 378
Requirements to Use SSO With Fallback Passwords 379
Procedural Description 380
Establishing an SSO Connection Using an Ad-Hoc Local Network Element
Account 381
Requirements to Use SSO With Ad-Hoc Accounts 381
Procedural Description 382
Disabling a Single Sign-On Connection 384
HTTP or HTTPS Communication 384
Configuring the Ensemble Controller-Internal HTTP Proxy 385
Editing the Property in the fnm.properties File 385
Configuring the Service in the Services Window 386
Configuring a Standard HTTP or HTTPS Proxy Server 386
Element Manager 388
Enabling the SNMP Forwarder Service in Windows 389
Running the Script File 389
Configuring the Service in the Services Window 389
Enabling the SNMP Forwarder Service in Linux 390
Fault Management 390

Ensemble Controller R15.2 Administrator Manual - Issue: A 18

Adtran Contents

Enabling Logging of Service Affected Alarms in the Ensemble Controller Database 390
Enabling and Configuring Event Logging to External CSV File 391
Installing the OSA WinSTS Tool 393

Maintaining Ensemble Controller 396

Adding or Removing Ensemble Controller Features 396
Adding Features to the Ensemble Controller 397
Removing Features from the Ensemble Controller 400
Changing the Database Password 403
Verifying the Ensemble Controller Server by Using the Healthcheck Script 405
For Windows 406
For Linux 406
Considerations When Replacing FSP 3000R7 Network Elements 406
Locking Client Upgrades or Downgrades 407
Customizing Network Element Icons 407
Updating Ensemble Controller Database Information 408
Database Update Actions 409
Status Check 409
Configuration Check 409
Inventory Check 409
Discovery Polling 410
Immediate Database Backup 410
Backing Up or Restoring the Ensemble Controller Database 410
Immediate Database Backup 411
Restoring the Ensemble Controller Database 412
General Requirements 412
Requirements When Upgrading to a Newer Ensemble Controller Version 412
Procedure to Restore the Database in Linux 412
Procedure to Restore the Database in Windows 413
Setting the Number of Database Backup Files Allowed to be Created 414
Upgrading Ensemble Controller 414
Successfully Upgrading Ensemble Controller 414
Requirements to Upgrade Ensemble Controller 416
Reconfiguring Properties for RADIUS or TACACS+ Configurations 417
Enhancing the Database Password Encryption Security 417
Any 13.x Version Upgraded to 13.3 or Later 417

Ensemble Controller R15.2 Administrator Manual - Issue: A 19

Adtran Contents

Any Supported Version Before 13.1 Upgraded to 13.3 or Later 418

Upgrading High Availability Servers 419
Retaining a Customized fnm.properties File 419
Upgrading an Existing Ensemble Controller Version 419
Upgrading by Installing a New Ensemble Controller Version 420
Overview of the Upgrade Procedure Steps 420
Upgrading Ensemble Controller in Windows 421
Requirements 421
Restriction 422
Procedure to Upgrade in Windows 422
Upgrading Ensemble Controller in Linux 427
Requirements to Upgrade in Linux 427
Restriction to Upgrade in Linux 428
Procedure to Upgrade in Linux 428
Enhancing the User Password Encryption After an Upgrade to Version 14.1 or
Later 430
Upgrading Sync Assurance in Linux 430
Requirements to Upgrade Sync Assurance 431
Procedure to Upgrade Sync Assurance 433
Procedure to Upgrade Sync Assurance 15.1 to 15.2 including GNSS and TPA Raw
Data Migration 434
Upgrading Ensemble Fiber Director in Linux 439
Uninstalling Ensemble Controller 439
Restrictions For Uninstalling the 10.5.1 Network Manager 439
Procedure to Uninstall Ensemble Controller 440
Uninstalling Linux Applications 444
Uninstalling the Sync Assurance Application 444

Managing the Centralized Control Plane 445

Setting Up the Centralized Control Plane 446
Configuring a Connection Between Ensemble Controller and the Centralized
Control Plane 447
Configuring Centralized Control Plane High Availability 449
Opening and Viewing the CPc Manager 450
Requirements to View the CPc Manager 450
Procedure to View the CPc Manager 451
Legacy Links Page 453

Ensemble Controller R15.2 Administrator Manual - Issue: A 20

Adtran Contents

Links Page 454

Migrating Links to the Centralized Control Plane or Deleting Them 456
Requirements to Migrate Links 456
Procedure to Migrate Links 456
NEs Configuration Page 457
Table Description 457
Action Controls 458
TE Links From CPc Page 459
NEs From CPc Page 461
Managing the Centralized Control Plane Server in Linux 462
Upgrading the Centralized Control Plane Server 463
Backing Up the Control Plane Database 463
Backup File Storage 464
Backup Operation Notifications 464
Restoring the Centralized Control Plane Database 465
Requirements to Restore the CPc Database 465
Procedure to Restore the CPc Database 465
Centralized Control Plane Server Health Check 466
Health Check Using Scripts 466
Health Check Using the Ensemble Controller GUI 466

Troubleshooting 467
Purpose 467
Assumptions 467
Terms 468
Preparation 469
Discussing the Management-Software Products Ensemble Controller and FSP
Element Manager 469
Discussing the Network Configuration 469
Clearly Defining the Issue That You Try to Resolve 470
Tools of the Trade 470
Troubleshooting Steps 470
Resolving Installation Issues 471
Cannot install Ensemble Controller. 471
The Ensemble Controller installation fails with an error message. 472
Updating the Ensemble Controller Client Launcher 473

Ensemble Controller R15.2 Administrator Manual - Issue: A 21

Adtran Contents

Requirement to Update the Client Launcher 473

Procedure to Update the Client Launcher 473
Obtaining a Client-Only Installation 473
Updating the Client Launcher 474
Resolving Start-up Issues 477
Ensemble Controller does not start without an error message. 477
The Ensemble Controller Server SNMP Forwarder does not start. 478
The Ensemble Controller Server Mediation Server does not start. 478
Cannot launch the Element Manager Using Ensemble Controller. 479
External event logging does not start. 479
Ensemble Controller Server Connectivity 480
Cannot find the specified host name 480
Ensemble Controller Server could be down or is not responding 480
Cannot connect to the Ensemble Controller Server: xyz 481
SNMP Connectivity Test 481
Unable to start or stop the Ensemble Controller Server without an error message. 482
Ensemble Controller Server processes do not start after server restart or crash. 483
The Ensemble Controller Server does not start after Linux restarts. 484
Linux stops with the error message: "No buffer space available." 484
Open-file limit is too low for the Ensemble Controller Server process in Linux 485
Cannot launch the Ensemble Controller Client. 485
Problem to start the Ensemble Controller Client 485
Irrelevant error message that Mediation Server could not start 486
Unable to launch the Ensemble Controller Client after download and upgrade to
12.1.1 487
Resolving Access Issues 487
Cannot ping the network element 488
Cannot configure the network element through the Element Manager 488
SNMP timeout occurs while accessing the network element 489
Option 1 – IP Connectivity Bad 489
Option 2 – Improper Handling of Fragmented Packets or MTU Too Small 490
The Ensemble Controller Client cannot connect to the Server 490
The Ensemble Controller Client cannot connect because of incorrect user name -
password pair 491
SNMPv3 communication fails after factory-default reset 491

Ensemble Controller R15.2 Administrator Manual - Issue: A 22

Adtran Contents

Centralized Control Plane Cannot Connect to the Network Element on Server with
Two Network Interfaces 492
Resolving Normal Operations Issues 493
General Trouble 494
Ensemble Controller Menu displays in gray color. 494
Ensemble Controller does not receive traps. 495
Ensemble Controller displays the network-element inventory incorrectly. 495
Ensemble Controller does not detect a fiber break. 496
The Ensemble Controller Server detects a false fiber break. 496
Different alarm severities in Ensemble Controller and Element Manager. 496
Removed module displays in the Ensemble Controller inventory. 497
Connections from removed modules still display. 497
Alarms in the Alarm View display in gray color. 497
You cannot start the Element Manager for an FSP 3000R7 NE. 498
Configuration backup of FSP 3000R7 fails with the message “Download protocol
…”. 498
After configuration, network element backup fails with the message “... Backup
server is not responding...” 498
You received the system event “Maximum amount of events, which are queued
for processing, has been reached (“500”), events are discarded.” 499
You receive the event “System time deviation high”. 499
The Notification Manager does not send emails although configured. 500
You receive the event “Authentication failure trap message”. 501
Ensemble Controller receives no traps for an FSP 3000R7 network element. 501
The system does not write the trap address to the FSP 150CM. 502
The Ensemble Controller Server crashes after a time or time zone change,
scheduled backup does not work, or status polling never ends. 503
“Unknown Entity” displays in alarm or event windows. 503
Security Manager permission "Write Access to Supported Connections" is not
blocked although disabled. 503
UDP Packet Loss on a Linux Server 504

Hardware or Software Support and Compatibilities 506

Communication Ports 506
Port Connection Sequence 507
Configuring Server and Client Communication Ports 507
Effects on the GUI Using Secure Ports 508

Ensemble Controller R15.2 Administrator Manual - Issue: A 23

Adtran Contents

Supported Communication Ports 508

Client Property Overview 516
Remote User Options 516
com.adva.common.workbench.dialog.login.force_system_user=false 516
Server Property Overview 516
Authentication Access Options 517
RADIUS 517
Properties for the Specific RADIUS Server 519
RADIUS Client Library 521
Specifying the RADIUS Authentication Type 521
TACACS+ 521
Properties for the Specific TACACS+ Server 522
Specifying the TACACS+ Authentication Type 524
LDAP 524
Basics About the LDAP Server Directory Structures 524
Using the Directory for Authentication 525
Using the Directory for Authorization 525
Specific LDAP Server Properties 529
Advanced Server Properties 530
Backup Options 534
com.adva.fnm.option.databasebackupfilesnumber 534
Heartbeat on Alarm NBI 534
Disk Space Monitoring Options 534
com.adva.fnm.option.diskSpaceLowThreshold 535
com.adva.fnm.option.diskSpaceCriticalThreshold 535
com.adva.fnm.option.diskSpacePollingFrequency 535
Ensemble Sync Director Options 536
com.adva.nlms.mediation.synchronization.discovery.SyncDiscoveryQueueSize 536
com.adva.nlms.mediation.synchronization.ncd.auto.align.with.subnet 536
com.adva.nlms.mediation.synchronization.ncd.auto.align.with.subnet.separator 536
com.adva.nlms.mediation.synchronization.snt.telemetry.tls.option 536
Health Center Properties 537
com.adva.fnm.option.HealthCenter.SampleRateInMinutes 537
com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec 537
com.adva.fnm.option.HealthCenter.GaugeMonitoredHours 537
com.adva.fnm.option.HealthCenter.DBRetentionDays 537

Ensemble Controller R15.2 Administrator Manual - Issue: A 24

Adtran Contents

CPU Thresholds 537

com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold 538
com.adva.fnm.option.HealthCenter.CpuDegradedThreshold 538
com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold 538
Memory Thresholds 538
com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold 538
com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold 539
com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold 539
com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold 539
com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold 539
Disk Thresholds 539
com.adva.fnm.option.HealthCenter.WindowsMonitoredDiskPartitions 539
com.adva.fnm.option.HealthCenter.LinuxMonitoredDiskPartitions 540
com.adva.fnm.option.HealthCenter.DiskDegradedThreshold 540
com.adva.fnm.option.HealthCenter.DiskUnhealthyThreshold 540
Embedded License Server Options 540
com.adva.fnm.option.flexeraServer.ipaddress 540
com.adva.fnm.option.backupFlexeraServer.ipaddress 540
com.adva.fnm.option.elsgui.ipaddress 541
com.adva.fnm.option.backupElsgui.ipaddress 541
com.adva.fnm.option.flexeraServer.pollingInterval 541
com.adva.fnm.option.flexeraServer.timeout 541
com.adva.fnm.option.flexeraServer.hostidprefix 541
com.adva.opt.flexera.requestLicenses 542
Graphical User Interface Options 543
com.adva.fnm.option.server_welcome_text 543
com.adva.fnm.option.server_postLogonText 543
com.adva.fnm.option.date_format 543
Browser-Related Properties 544
com.adva.fnm.security.CLI_[WINDOWS|LINUX] 544
com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX] 545
com.adva.fnm.option.useCLIOverTelnet 545
com.adva.fnm.security.browser_[WINDOWS|LINUX] 546
com.adva.fnm.security.pdf_[WINDOWS|LINUX] 546
com.adva.fnm.option.maxMapLabelLength 547
com.adva.fnm.security.auto_logout_user_disable 547

Ensemble Controller R15.2 Administrator Manual - Issue: A 25

Adtran Contents

High Availability Options 547

com.adva.fnm.ssl.knownHosts 547
com.adva.fnm.option.automaticSwitchover 548
com.adva.nlms.mediation.ha-stream.automatic-switchover 548
com.adva.fnm.option.slavePolling 549
com.adva.fnm.ssl.keyfile 549
com.adva.fnm.ssl.passphrase 549
com.adva.fnm.option.afterSwitchoverSecondaryScript=/opt/usr/bin/secondary.sh549
Internal Options 549
com.adva.fnm.option.recalculateCounter 550
com.adva.nlms.mediation.evtProc.maxEventQueueSize 550
Properties for Handling Event Processing Suspension 550
Properties for Handling Trap Flood Detection 550
com.adva.nlms.mediation.event.maxEventLogSize 551
Properties for Setting NBI Alarm or Event Filters 551
com.adva.nlms.mediation.event.initCSVLogOnStartup 552
com.adva.nlms.mediation.event.CSVLogLineBreakAtEOL 553
com.adva.nlms.mediation.event.syncAlarmsListenerPort 553
com.adva.fnm.option.hideFAMDetails 553
com.adva.fnm.option.trapsink.aging 553
com.adva.unsupported.ne.versions.check.enabled 555
Miscellaneous Options 555
com.adva.fnm.option.disableClientUpdates 555
com.adva.fnm.option.iphostnameenabled 555
com.adva.nlms.mediation.report.NeCountInventoryThreshold 555
com.adva.nlms.mediation.report.AlarmCountThreshold 556
com.adva.fnm.option.CSVSeparator 556
com.adva.nlms.mediation.report.keptfilesnumber 556
com.adva.nlms.mediation.report.keptfilesnumber.manual 556
com.adva.nlms.mediation.report.performance.PmReportPagesLimit 556
com.adva.nlms.mediation.report.reportExternalStorage 556
com.adva.nlms.mediation.report.sync.performance.device.types 558
com.adva.nlms.mediation.report.suffix 558
com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
FILE_PATTERN 559

Ensemble Controller R15.2 Administrator Manual - Issue: A 26

Adtran Contents

com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
DAYS_TO_RETAIN_FILES 559
com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
MAX_FILE_SIZE 559
com.adva.nlms.mediation.CSV_FILE_TRANSFER 559
com.adva.nlms.mediation.sm.prov.cp.CP_POLICY_PROXY_NODES_IP 559
com.adva.nlms.mediation.sm.prov.cp.waitForMonitorEqualizationTimeInSecs 560
com.adva.nlms.mediation.sm.prov.cp.waitForEqualizationTimeInSecs 560
com.adva.nlms.mediation.sm.prov.cp.LOCKED_LINKS_ENABLED 560
com.adva.nlms.mediation.sm.prov.cp.UseCPRestForPrePathComputation 560
com.adva.nlms.mediation.sm.prov.cp.MaxNumberOfComputedPaths 561
com.adva.nlms.mediation.sm.DigitalSignalSuffix 561
com.adva.nlms.mediation.sm.EthernetDigitalSignalSuffix 561
com.adva.nlms.mediation.sm.ServiceNameTemplate 561
com.adva.nlms.common.visual.BANDWIDTH_USAGE_[LOW|HIGH] 562
com.adva.nlms.mediation.ethNEConfig.maxTemplateSizeInKB 562
com.adva.nlms.mediation.config.fsp_r7.useAdvaSpecificSerialNumbers 562
com.adva.nlms.mediation.config.shelfLocationInfoSettable 562
com.adva.nlms.mediation.sm.prov.ni.controller 563
Properties for Managing Pro-Vision 563
com.adva.fnm.option.UseSnmpForRest 563
com.adva.fnm.option.UseSFTPFileTransfer.device.types 563
Oscillating Events Suppression Options 564
com.adva.fnm.option.disableLoggingPeriod 564
com.adva.fnm.option.enableLoggingPeriod 564
com.adva.nlms.medation.config.dyingGaspDisabled.device.types 564
Password Change Action Manager Options 565
com.adva.fnm.option.pcaLogReceiver=<email_address> 565
com.adva.fnm.option.pcaMaxThreadCount 565
Performance Monitoring Options 565
com.adva.nlms.mediation.performance.CSVvalidTime 565
com.adva.nlms.mediation.neComm.150ccSnmpDelay 565
Qualitiy Compliance Options 565
com.adva.nlms.mediation.performance.CSVvalidTime 566
com.adva.nlms.mediation.report.sync.quality.compliance.clock.ref 566
com.adva.nlms.mediation.report.sync.quality.compliance.threshold.degraded.ns566

Ensemble Controller R15.2 Administrator Manual - Issue: A 27

Adtran Contents

com.adva.nlms.mediation.report.sync.quality.compliance.threshold.failed.ns 566
Rapid Term Monitoring (RTM) 566
com.adva.fnm.mediation.monitoring.rapidTermInterval 567
com.adva.fnm.mediation.monitoring.rapidStartAtSystemStartUp 567
Deletion of Log Files 567
Retrieving Monitoring Data 567
Specifying Monitored Attributes 568
Triggering RTM 568
Windows CLI Interface 569
Linux CLI Interface 569
Ensemble Controller GUI 569
nmsadmin Script 570
Scaling Options 570
com.adva.fnm.option.threadPoolSize 570
com.adva.nlms.mediation.polling.MAX_RUNNING_POLLING_TASKS 571
com.adva.nlms.mediation.performance.watchdog.olp 571
Security Options 571
com.adva.fnm.option.FallbackNEUserID 571
com.adva.fnm.option.FallbackPasswordManagement 572
com.adva.fnm.option.SSOviaFBP 572
com.adva.fnm.option.SSOviaAHA 572
com.adva.fnm.option.ssoDisabled.device.types 572
com.adva.fnm.option.maxFtpPasswordLength 572
Self-Monitoring 573
Specifying Monitored Attributes 573
Triggering Self-Monitoring 574
Activating Short-Term or Long-Term Monitoring 574
On-Demand Monitoring Using Ensemble Controller 575
On-Demand Monitoring Using nmsadmin 575
Retrieving Monitoring Data 576
Deletion of Log Files 576
Server Access Options 576
Properties for Servers with Multiple IP Interfaces 576
com.adva.fnm.option.webserver.port 578
com.adva.fnm.option.rest.securePort 578
com.adva.fnm.option.rest.securePortWithMutualAuth 578

Ensemble Controller R15.2 Administrator Manual - Issue: A 28

Adtran Contents

com.adva.nlms.mediation.server.proxy.startModule 578
com.adva.nlms.mediation.server.proxy.port 578
Properties for Configuring the Java Messaging System (JMS) 579
com.adva.fnm.mediation.monitoring.commandLineInterfacePORT 580
com.adva.fnm.option.server_timeout 580
com.adva.fnm.option.maxClientConnectionAlarmThreshold 580
com.adva.fnm.option.maxClientConnectionAllowed 581
TCA Monitoring Option 581
com.adva.nlms.mediation.thresholdCrossingAlert.tcaClearDelay=30 581
com.adva.nlms.mediation.thresholdCrossingAlert.tcaDetectionByParamId 581
Error-free Output of Database Validation Verification 581
Entity Index or AID Values 584
FSP 150 585
GE11x/XG210 585
FSP 150CC 586
f825 586
GE20x/Txx04 587
FSP 150CM 588
FSP 150CP 589
FSP 150EG-M[2|4|8] 589
FSP 150EG-X 589
FSP 1500 590
FSP 3000 C 590
FSP 3000R7 591
FSP 3000R7 - SH1PCS 591
Hatteras HN[400|4000] 592

Roles and Allocated Actions 594

Pro-Vision – Service Provisioning and Management Platform 615

Discovering Your Network 615
Discovery Configuration 615
Discovery Configuration 616
Viewing Discovery Networks 619
Running Discovery Manually 619
Viewing Discovery Information through the Task Manager 620
Setting Discovery Threads 621

Ensemble Controller R15.2 Administrator Manual - Issue: A 29

Adtran Contents

Setting the Display Name to the System Name 621

Avoiding Devices with Duplicate Display Names 621
Zero Touch Configuration 622
DNS Update 622
DHCP 622
Image Download Software/FPGA 623
Startup Config 623
Zero Touch Offline Sync/NTU Replacement 623
Fault Management 623
Configuring Alarm Filters 624
Event Log Parameters 625
Opening the Event/Alarm Filter Configuration Tool 626
Configuring Actions 626
Configuring Email Servers 626
Configuring Email Profiles 628
Configuring SNMP Trap Profiles 629
Configuring Suppress Profiles 630
Configuring System Command Profiles 631
Configuring Remark Action Profiles 632
Adding Alarm Filters 633
Configuring SNMP Trap Forwarding Profiles 635
Configuring Custom SNMP Traps 636
Viewing Events 638
Viewing Alarms 639
Performing Alarm Operations 639
Clearing Alarms 640
Configuring Alarm Severity 640
Auditing and Authorization 641
Configuring the Auditing Feature 641
Viewing Audit Information through the Task Manager 641
Sylsog Server Filters 642
Viewing the Audit Log 642
Configuring Authorization 643
Modifying an ENC User 645
Deleting an ENC User 646
Viewing Authentication Type LDAP Users 646

Ensemble Controller R15.2 Administrator Manual - Issue: A 30

Adtran Preface

Preface
Safety Symbol and Message Conventions 31
Documentation 31
Obtaining Ensemble Controller Information 34
Obtaining Technical Assistance 37
Document Revision History 39

The pictures or graphics shown in this document are for reference only.
They are based on the latest hardware revision available at the time of
publication. The equipment you received might look different than
pictures or graphics shown in this document.

Safety Symbol and Message

Conventions
You will see these symbols throughout the documentation. All personnel should correctly
follow and not ignore any safety instructions.

Icon Meaning Description

Notice Indicates the risk of equipment damage, malfunction,
process interruption, or negative impacts on surroundings.
Note Indicates supplemental information or helpful
recommendations.

Documentation
Rebranding 32
Ensemble Controller Documentation Suite 33
Accessing Documentation 33
Documentation Feedback 34

Ensemble Controller R15.2 Administrator Manual - Issue: A 31

Adtran Preface

Rebranding
In the context of changing marketing requirements, we rename Ensemble Controller
applications. This table shows the release when names changed, and the new names for
the applications.

Old Name / New

Release New Name Remark
Abbreviation Abbreviation
11.1.1 Network Manager Ensemble Controller ENC
/ NM
Network Manager Ensemble Controller ENC Server
Server Server
Network Manager Ensemble Controller ENC Client
Client Client
Service Manager Ensemble Optical EOD
Director
Sync Manager Ensemble Sync ESD
Director
Ethernet Ensemble ECBM
Configuration Command-Based
Manager Manager
Encryption Ensemble ECGD
Manager ConnectGuard
Director
Bandwidth Ensemble EBM
Manager Bandwidth Manager
12.2.1 Network Centralized Control CPc User
Intelligence Plane documentation
Controller / NI does not yet
Controller reflect the new
names
Network Control Plane CP Migration
everywhere. This
Intelligence Migration Tool Tool
will be completed
Manager / NI
in 13.1.
Manager
12.3.1 Ensemble CryptoManager
ConnectGuard
Director / ECGD

Ensemble Controller R15.2 Administrator Manual - Issue: A 32

Adtran Preface

Old Name / New

Release New Name Remark
Abbreviation Abbreviation
13.1.1 Control Plane Centralized Control CPc Manager
Migration Tool / Plane Manager
CP Migration Tool

Ensemble Controller Documentation Suite

Ensemble Controller includes these manuals:
l Ensemble Controller Administrator Manual
o Quickstart Administrator Guide

l Ensemble Controller Integration Manual

l Ensemble Controller User Manual

These manuals especially address licensed Ensemble Controller features:

l Packet Management Guide
l Synchronization Management Guide
l WDM Management Guide
l Ensemble Fiber Director User Manual

Accessing Documentation
Within Ensemble Controller
From the Ensemble Controller Help menu, you can view user documentation either in
PDF or web format.

The default Windows PDF viewer and web browser will normally be used to display the
manual.

To use a different browser or viewer, change the Ensemble Controller preferences. These
preferences are stored per user. For more information about how to change preferences
and use a different application, see the User Manual.

World Wide Web

Documentation Portal https://advadocs.com/

Ensemble Controller R15.2 Administrator Manual - Issue: A 33

Adtran Preface

Documentation Feedback
We want our documentation to be as helpful as possible. Feedback is always welcome.

Email [email protected]
Mail Adtran
Technical Documentation
Märzenquelle 1-3
98617 Meiningen-Dreissigacker
Germany

Obtaining Ensemble Controller

Information
The Ensemble Controller Help menu includes these options to obtain Ensemble
Controller information.

If these options are not available, your user role might be subject to a view restriction. For
more information about view restrictions, see User Manual, Help.

Support Info 34
About Information 37

Support Info
The support Info dialog box displays information about your Ensemble Controller Client
and Server version, for example:
l Version and build number
l Java version
l Interfaces
l Ports in use
l Certificate and license
l Thread dump

This information is especially useful for Technical Services when you troubleshoot
Ensemble Controller issues.

Ensemble Controller R15.2 Administrator Manual - Issue: A 34

Adtran Preface

To open the support Info dialog box, from the Ensemble Controller Help menu, select
Support Info.

Ribbon Menu 35
Creating a System Health Report 36

Ribbon Menu
The support Info dialog box provides a ribbon menu as described in this table.

The table provides a short description of each menu option and a link to the section with
more information if available.

Table 1: Support Info Dialog Box – Ribbon Menu Description

Link to More
Area Menu option Description
Information
Refresh Refresh Reload the dialog box with the
latest data from the server.
Operation Client Thread Dump Create a client thread dump.
Server Thread Dump Create a server thread dump.
System Health Report Create a system health report. Creating a
System Health
Report
Client Client error log folder Open the client error log folder.
Logging
Client error log file Open the client error log file.
Server mediation.err Open the server error log file.
Logging
mediation.log Open the server mediation log
file.
sm.log Open the server sm log file.
Export Export Export the information in the User Manual
dialog box to a JAR file, and then
send it to the Adtran Technical
Services department.
Help Manual Open the Help for this dialog box.
(F1)

Ensemble Controller R15.2 Administrator Manual - Issue: A 35

Adtran Preface

Creating a System Health Report

The Technical Services department uses system health reports to analyze and
troubleshoot Ensemble Controller problems.

Complete these steps to create a system health report.

Requirement to Create a System Health Report 36

Procedure to Create a System Health Report 36

Requirement to Create a System Health Report

To create system health reports, you need to have the permission Create System Health
Report. The system grants this permission to use with an administrator role, as the
default.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller application bar
Settings menu, select Security, and then Security Manager. For more information about
user roles and allocated privileges, see the Administrator Manual, Roles and Allocated
Actions.

Procedure to Create a System Health Report

1. To open the support Info dialog box, from the Ensemble Controller Help menu,
select Support Info.
2. From the ribbon menu, Operation area, select System Health Report.
A confirmation dialog box opens.
3. Click Yes, to open the Save dialog box.
–or–
Click No to stop this action.
4. After you click Yes, in the Save dialog box, browse to an appropriate location where
you want the system to save the report.
5. If required, in the File name field, you can change the file name.
By default, the system names the file in the format healthReport_yyyymmdd-
xxxx.zip.
If you change the file name, the system automatically adds the ZIP suffix if missing.
This applies if you use a Windows system. The same applies if you use a Linux system
but with a different suffix.
6. Click Save. A progress window appears.
It might take several minutes for the system to create the report, which depends on
the database size.
The system can create one report at a time. If you or users from other open Ensemble

Ensemble Controller R15.2 Administrator Manual - Issue: A 36

Adtran Preface

Controller Clients attempt to create another report simultaneously, an error message

displays in the message pane. The system sends these messages to all available
Ensemble Controller Clients.
After the system finishes the report, the message pane displays respective messages.
The server stores the latest report, and overwrites the existing file that you created
previously. That is, always one report is kept on the server.

About Information
To open a brief summary about the current Ensemble Controller version, from the Help
menu, select About.

Obtaining Technical Assistance

Product Maintenance Agreements and other customer assistance agreements are
available for Adtran products through your Adtran distribution channel. Our service
options include:
l 24 x 7 telephone support
l Web-based support tools
l On-site support
l Technical training, both on-site and at Adtran facilities in Germany and the USA
l Expedited repair service
l Extended hardware warranty service

Customer Portal
You can use the customer portal to:
l Access company information and resources at any time.
l Find information specific to your requirements, such as networking solutions,
services, and programs.
l Resolve technical issues by using online support services.
l Download and test software packages.
l Order Adtran training materials.

Access https://www.adva.com/en/customer-portal
Questions [email protected]

Ensemble Controller R15.2 Administrator Manual - Issue: A 37

Adtran Preface

Technical Services
Technical services are available to customers who need technical assistance with an
Adtran product that is under warranty or covered by a maintenance contract.

Online https://www.adva.com/en/about-us/contact
Email [email protected]

Call Adtran
Corporate Headquarters
Huntsville, AL, USA
+1 800 923 8726

Europe, Middle East and Africa

Martinsried/Munich, Germany
+49 (0)89 89 06 65 0

Ensemble Controller R15.2 Administrator Manual - Issue: A 38

Adtran Preface

Document Revision History

For detailed information about a specific product release, see the
appropriate Release Notes.

Product Document Document

Issue Date Description
Release Number Issue

9.6 80000041719 Issue A February Updated manual according to new features in this NM release.
2017
Issue B March 2017 Updated these property descriptions:
l com.adva.nlms.mediation.
CSV_FILE_TRANSFER in the Miscellaneous Options section
l com.adva.nlms.mediation.
performance.CSVvalid
Time in the Performance Monitoring Options section

Added a new section and respective topics about Keystore and Private Key
Password Encryption.
10.1 80000043004 Issue A May 2017 Updated manual according to new features in this NM release.

Ensemble Controller R15.2 Administrator Manual - Issue: A 39

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

Issue B July 2017 Updated manual version according to the new GUI and also added the
missing section Verifying the Ensemble Controller Server by Using the
Healthcheck Script.
Issue C Added the property description "com.adva.fnm.option.serverIP".

Additionally, there have been general GUI changes in various places and thus
figures and text have been adapted accordingly.
10.2 80000044012 Issue A September Manual updated according to new features in this release.
2017
Issue B October 2017 Added operating systems supported by Ensemble Controller to the relevant
sections in Installation Requirements.
Updated the section Enabling and Configuring Event Logging to External CSV
File to cover the description of how to apply a time policy.

Ensemble Controller R15.2 Administrator Manual - Issue: A 40

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

Added these properties to the section Miscellaneous Options:

l com.adva.nlms.mediation.
sm.prov.cp.UseCPRestFor
PrePathComputation
l com.adva.nlms.mediation.
sm.prov.cp.MaxNumberOf
ComputedPaths
l com.adva.fnm.option.NeTls
CertificateHandling

Issue C February Updated the table Supported Version-Upgrade Sequences.

2018
Added the permission "Service Protection Swap" to the section Roles and
Allocated Actions.
10.3 80000046842 Issue A February Manual updated according to new features in this release.
2018
Issue B March 2018 Updated the table Supported Version-Upgrade Sequences.
Renamed the section "Setting the Xmx Mediation Server Value" to Changing
the Memory Settings of the Mediation Server and added recommended Xmx
values according to the system size.
10.4 80000048557 Issue A June 2018 Manual updated according to new features in this release.

Ensemble Controller R15.2 Administrator Manual - Issue: A 41

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

Issue B July 2018 Updated the table Supported Version-Upgrade Sequences.

Added a note about FSP 3000 C to the property
com.adva.fnm.option.NeTlsCertificateHandling.
10.5 80000049796 Issue A September Manual updated according to new features in this release.
2018
11.1 80000052359 Issue A March 2019
Issue B April 2019 Added these sections supporting the fiber plant management feature:
l Installing the Ensemble Fiber Director Server in Linux
l Installing the Map Library in Linux

Added the Ensemble Fiber Director permissions.

Updated the table Supported Version-Upgrade Sequences.
Decreased the number of 10 cores to 8 for the network sizes M and L in these
tables:
l Windows Hardware Requirements for Ensemble Controller Servers
l Linux Hardware Requirements for Ensemble Controller Servers

Corrected the activemq.useJMX default value description from false to true in

Properties for Configuring the Java Messaging System (JMS).
11.2 80000053554 Issue A July 2019 Manual updated according to new features in this release.

Issue B August 2019 Updated the Supported Version-Upgrade Sequences matrix.

Ensemble Controller R15.2 Administrator Manual - Issue: A 42

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

Updated these sections about GNSS and the Geo Manager:

l Installing a GNSS Server on a Linux Operating System
o Requirements for Installing a GNSS Server

o Procedure for Installing a GNSS Server

o Restoring a Database-Backup File
o Added Enabling Machine-Learning Based Alarms for GNSS
l Installing the Ensemble Fiber Director Server in Linux

Added the section .

Increased the number of Ensemble Controller Clients that an Ensemble
Controller Server can manage on an extra-large system from 60 to 70.
Added FAS ALM information to the Network Element Equivalents table.
Added the MA-B5LT module to these tables:
l Core Modules
l Trail Creation Modules

Issue C September Updated these sections:

2019 l Supported Version-Upgrade Sequences

11.3 80000056611 Issue A November Manual updated according to new features in this release.
2019

Ensemble Controller R15.2 Administrator Manual - Issue: A 43

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

Issue B December Added these sections:

2019 l Installing the Local Geographical Map-Tile Server in Linux
l Specifying the RADIUS Authentication Type
l Supported Version-Upgrade Sequences

12.1 80000058300 Issue A March 2020 Manual updated according to new features in this release.

Issue B Updated these sections:

l The existing feature Consolidating Ensemble Controller Servers that now
also covers the export and import of the Services tree and tracked services.
l Supported Version-Upgrade Sequences

Added the new section Upgrading Sync Assurance in Linux.

12.2 80000059648 Issue A July 2020 Manual updated according to new features in this release.

12.3 80000061738 Issue A November

2020
Issue B Removed Linux 6 as supported operating system for the Ensemble Controller
Client in Supported Operating Systems (Client).
Added missing modules to the table in Core Modules.
Removed the requirement about unblocking ports if you have more than one
node in Requirements to Install the Ensemble Fiber Director Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 44

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

12.4 80000062654 Issue A January 2021 Manual updated according to new features in this release.
13.1 80000063282 Issue A April 2021
Issue B June 2021 Removed the Run nVision permission from the Table Overview of Roles and
Their Allowed Actions.
Updated these sections:
l Supported Version-Upgrade Sequences

l Entity Index or AID Values

l Upgrading Streaming Replication High Availability

l Supported Files and Script Formats

Added the section Requirement for Using Standard and Embedded License
Server High Availability in Combination.
13.2 80000065827 Issue A September Manual updated according to new features in this release.
2021

Ensemble Controller R15.2 Administrator Manual - Issue: A 45

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

13.3 80000066985 Issue A January 2022 Manual updated according to new features in this release. Added the
Quickstart Administrator Guide as new manual to the Ensemble Controller
documentation set.
Issue B July 2022 Updated and revised these sections:
l Supported Version-Upgrade Sequences
l Restoring the Centralized Control Plane Database
l Ensemble Optical Director with Centralized Control Plane
l Supported Operating Systems
l Communication Ports

Issue C December Updated Successfully Upgrading Ensemble Controller.

2022
14.1 80000068787 Issue A May 2022 Manual updated according to new features in this release.
14.2 80000070104 Issue A September
2022
Issue B November Updated Successfully Upgrading Ensemble Controller.
2022
14.3 80000071326 Issue A December Manual updated according to new features in this release.
2022
Issue B February Updated Successfully Upgrading Ensemble Controller.
2023

Ensemble Controller R15.2 Administrator Manual - Issue: A 46

Adtran Preface

Product Document Document

Issue Date Description
Release Number Issue

15.1 80000072271 Issue A May 2023 Manual updated according to new features in this release.
Issue B July 2023 Updated these sections:
l Successfully Upgrading Ensemble Controller
l Applying and Testing the New Standard High-Availability Configuration

15.2 80000074000 Issue A September Manual updated according to new features in this release.
2023

Ensemble Controller R15.2 Administrator Manual - Issue: A 47

Adtran Installing and Logging into Ensemble Controller

Chapter 1

Installing and Logging into

Ensemble Controller
This chapter introduces Ensemble Controller with an overview of the product and its main
features. It also includes instructions for how to install and start Ensemble Controller.

Overview 48
Installation Requirements 51
Installing Ensemble Controller 74
Preparing and Enabling the Embedded License Server 104
Importing Ensemble Controller Server Certificates to the Client 106
(Optional) Installing Additional Programs 107
Starting the Ensemble Controller Server 122
Stopping the Ensemble Controller Server 124
Logging Into the Ensemble Controller Client 125

Overview
Ensemble Controller is the Adtran element management system (EMS). It enables to
monitor and to keep an overview of all nodes (network elements) in a network that we
provide:
l Inventory
l Network interconnection
l Services

Ensemble Controller R15.2 Administrator Manual - Issue: A 48

Adtran Installing and Logging into Ensemble Controller

l Events
l Individual node status

Ensemble Controller also provides basic support for SNMP-capable third-party products,
which includes:
l Mapping network elements in the Topology Graph.
l Starting a local craft interface.
l Logging specific traps.
l Indicating network element level alarm states.

Use Ensemble Controller in network operation centers, where day-to-day monitoring and
troubleshooting is carried out. We recommend to use the available product-specific
Element Manager (EM) for on-site maintenance or the respective local craft interfaces.
You can open the product-specific EM or local craft interfaces directly from Ensemble
Controller.

Communication 49
Graphical User Interface 49
Subnetworks 50
Events 50
User Management 50
Performance 50
Security 50
Pro-Vision Support 50

Communication
Ensemble Controller is based on a general server-client architecture. Several Ensemble
Controller Clients can simultaneously run, which allows different users with different roles
and in different physical locations to work at the same time. Ensemble Controller
communicates with the network elements through SNMP. Only run one Ensemble
Controller Server instance on one machine.

Graphical User Interface

To work with services and events is easy with the intuitive graphical user interface (GUI).
The GUI is designed as a standard Windows interface.

Ensemble Controller R15.2 Administrator Manual - Issue: A 49

Adtran Installing and Logging into Ensemble Controller

Subnetworks
Ensemble Controller automatically proposes the topology for the connected network
elements if you install new subnetworks or manually specify a subnetwork. You can
manage multiple subnetworks with one Ensemble Controller.

Events
The event tool provides full overview of events. You can specify user-specific event filters
to tailor event notification to your requirements. Also, sounds and beeps can be
customized for each event on a per-user basis. Ensemble Controller correlates, analyses,
and re-assesses event severities. It displays fault causes and their correlations are
deduced.

User Management
Management of users is easy with the Security Manager. You define different user roles
with different user rights to Ensemble Controller. All passwords are encrypted.

Performance
Performance records are made available and also the facility to build up a record history
for each performance type.

Security
Ensemble Controller maintains the security level for each Client on the Server side. This
makes restricted network views possible and also centralized authentication through
RADIUS, TACACS+, or LDAP.

Pro-Vision Support
Pro-Vision standalone is superseded by Ensemble Controller. Ensemble Controller still
supports the Pro-Vision client using a web-based user interface.

Ensemble Controller R15.2 Administrator Manual - Issue: A 50

Adtran Installing and Logging into Ensemble Controller

Installation Requirements
Required Minimum Server Hardware 51
Required Minimum Client Hardware 60
The Embedded License Server 63
Antivirus Software 65
Local Area Network 66
Network Elements 68
Using RADIUS, TACACS+, or LDAP 69
Third-Party Software 70
Using FTP or SSH Servers 70
Additional Software 70
Optional Hardware 71
Optional Applications 71

Required Minimum Server Hardware

Several clients can simultaneously access the Ensemble Controller Server application:
l Up to 75 clients on extra-large (XL) servers.
l Up to 25 clients on large (L) servers.
l Up to 15 clients on medium (M) servers.
l Up to 10 clients on small (S) servers.

Connect the clients to the server using LAN or WAN connections.

Active northbound interface (NBI) sessions are also clients, for example, TAPI or MTOSI.

See these topics for information about the server hardware required for various
operating systems:

General Information 52
Supported Operating Systems (Server) 56
Minimum Requirements for Windows Test Servers 57
Recommended Windows Server Hardware 57
Recommended Linux Server Hardware 59

Ensemble Controller R15.2 Administrator Manual - Issue: A 51

Adtran Installing and Logging into Ensemble Controller

General Information
Network Element Equivalents 52
Performance Management Object Count 55
Installing the Server Hardware 56
High-Availability Solution with a Redundant Server 56
Upgrading the Server Hardware 56

Network Element Equivalents

Servers can manage a specific number of network element equivalents. This table
outlines the equivalent load that results with the use of various elements or shelves:

Table 2: Network Element Equivalents

Network
Element Type Element Per Unit Remarks
Equivalents
FAS ALM 16 Port 1 Device
FAS ALM 64 Port 4 Device
FSP 150CCf-825 1 Device Also 324 or 584.
FSP 150CC-GE20x 1 Device Includes all 201 and 206 variants.
FSP 150CC-T1804, FSP 1 Device
150CC-3204
FSP 150CM 6 Device Remote network terminals, for
example FSP 150CP, meet the
definition as additional network-
element equivalents, according
to the amounts specified in this
table.
FSP 150CP 1 Device
FSP 150EG-M2 1 Traffic Ethernet over Fiber (EoF).
FSP 150EG-M4 Module Ethernet over Copper (EoC).
FSP 150EG-M8 Ethernet over TDM (EoTDM).
1 x 10 Gbps or 10 x 10 Gbps
traffic module.
FSP 150EG-X 1 Traffic 1 x 10 Gbps or 10 x 10 Gbps
Module traffic module.

Ensemble Controller R15.2 Administrator Manual - Issue: A 52

Adtran Installing and Logging into Ensemble Controller

Ensemble Controller R15.2 Administrator Manual - Issue: A 53

Adtran Installing and Logging into Ensemble Controller

Ensemble Controller R15.2 Administrator Manual - Issue: A 54

Adtran Installing and Logging into Ensemble Controller

Performance Management Object Count

A performance management object (PMO) is an entity within an element that provides a
set of up to 64 individual registers. The registers contain either a counter for errored
seconds or packets sent, or condensed measurement values such as the average receive
power. The system obtains these counters during a 1-minute, 15-minute or a 24-hour
period. Some PMOs contain more than 64 registers. You can specify a maximum of 64 for
collection.

In addition to the per-element value of PMOs, you should also consider the number of
probing points for the performance monitoring values that the system collects. You can
find these in the table Windows Hardware Requirements for Ensemble Controller Servers.

Values for the 24-hour collections are less important to the system. Registers that collect
15-minutes values are important for proper dimensioning. The system needs to poll the
PMOs with all their registers within a 15-minute period, or 900 seconds.

Physical ports usually represent PMOs. Related virtual entities such as VLAN TPs or VCHs
are also PMOs if the system collects data from them.

Typical PMO usage is on average 3 PMOs and sourced from elements such as a 150CC
and about 12 per FSP 3000 shelf. In systems that collect large amounts of PMOs, this
factor can overload a server that has still lots of capacity in relation to network element
equivalents.

Ensemble Controller R15.2 Administrator Manual - Issue: A 55

Adtran Installing and Logging into Ensemble Controller

Installing the Server Hardware

Mount the servers in racks. Ensure that heat and airflow are within the site-per-rack limits.
Supply power to the servers from separate feeds into the equipment. In most cases, two
separate power supply units (PSUs) can power each server. The total power dissipation
must be within the site-limit-per rack. We highly recommend that you store your
Ensemble Controller backup files externally.

High-Availability Solution with a Redundant Server

You have the option to focus on high availability. To achieve this, use a second standby
server machine. Install this second server locally or remotely for situations such as fires,
earthquakes, or other catastrophic failures. If the primary server goes offline or loses
power, the secondary server automatically assumes control with full functionality.

Configure the standby server exactly as you configured the primary server.

Upgrading the Server Hardware

We recommend that you consider the growth of your network over the next two years
when you make decisions about your server hardware. At the end of two years, you can
then evaluate any new hardware requirements. You should consider the actual network
size and the projections for the next period.

Many hardware platforms allow you to upgrade or increase the number of CPUs or RAM,
if you require only a small increase in hardware power. You can add just one CPU to
upgrade some of the systems mentioned in Recommended Windows Server Hardware
and Recommended Linux Server Hardware.

If you use the high-availability solution with a redundant server, you can perform the
upgrade or exchange of the servers without interruption to network management.

Supported Operating Systems (Server)

You can install the Ensemble Controller Server on these 64-bit operating systems:

64-bit Operating System Version

Windows l Windows Server 2016
l Windows Server 2019
l Windows Server 2022

Red Hat Enterprise Linux l Linux 7.8, and 7.9

l Linux 8.4, and 8.6

Ensemble Controller R15.2 Administrator Manual - Issue: A 56

Adtran Installing and Logging into Ensemble Controller

You can use all supported Windows and Linux operating systems natively or on VMWare
vSphere 6.5, 6.7, or 7.0.

Starting with 16.1 version, ENC will no longer support MS Windows for
the server application. For new projects, we highly recommend to
consider the Linux operating system.

Minimum Requirements for Windows Test Servers

Table 3: Windows Server Hardware
Requirements for Test Systems
Processor 2 GHz
RAM 8 GB
HD 100 GB
LAN 100 Mbps

Recommended Windows Server Hardware

This table lists the recommended hardware requirements for different network sizes that
are characterized by the network equivalent counter. These examples use the HPE
ProLiant server.

Table 4: Windows Hardware Requirements for Ensemble Controller Servers

Network
Network
Element PMO Clients Computer Server Example1 SPECint2
Size
Equivalent
S 2,000 3,000 10 HPE ProLiant DL360 Gen10 with 41
1x 4208 with 8 cores and 16
threads @ 2.1 GHz, 16 GB RAM,
GBE LAN, 1x PSU 500W, 1x HD
M 4,000 6,000 10 HPE ProLiant DL360 Gen10 with 55
1x 4210 with 10 cores and 20
threads @ 2.2 GHz, 16 GB RAM,
GBE LAN, redundant PSU 500W,
2x HD

Ensemble Controller R15.2 Administrator Manual - Issue: A 57

Adtran Installing and Logging into Ensemble Controller

Table 4: Windows Hardware Requirements for Ensemble Controller Servers

Network
Network
Element PMO Clients Computer Server Example1 SPECint2
Size
Equivalent
L 10,000 12,000 25 HPE ProLiant DL360 Gen10 with 110
2x 4210 with 2x 10 cores and 20
threads @ 2.2 GHz, 16+16 GB
RAM, GBE LAN, redundant PSU
500W, 2x HD
XL3 40,000 60,000 75 HPE ProLiant DL360 Gen10 with 222
2x 6230 with 2x 20 cores and 40
threads @ 2.1 GHz, 64 GB RAM,
GBE LAN, 2x PSU 800W, 2x HD
XL3 80,000 100,000 75 HPE ProLiant DL360 Gen10 with 222
with 2x 6230 with 2x 20 cores and 40
24h- threads @ 2.1 GHz, 64 GB RAM,
values GBE LAN, 2x PSU 800W, 2x HD
only
Footnotes:
1. You need to follow these requirements:
l Up to a 500-GB hard drive and GbE LAN connections for field deployment, bare
metal, and virtualized servers.
l To install Ensemble Controller on a Windows Server in general, you must first
install the Microsoft Visual C++ 2015 Redistributable Package on your 64-bit
system.
l For new designs, we recommend the 64-bit version of Windows Server 2022,
and for upgrades also the 64-bit version of Windows Server 2016 or Windows
Server 2019.
l We do not deliver the operating system. You must order Microsoft Windows
and for virtualized deployments VMWare vSphere 6.0, 6.7, or 7.0 when you
order the hardware.
2. The SPECint value provides a performance number based on SPECint2017 (see
www.spec.org) containing a long list of recent computers. You can use this value to
find equivalent machines of different vendors or CPU types.

3. For XL systems, adjust the memory settings. See Changing the Memory Settings of
the Mediation Server in Linux and Setting the Shared Buffer Size for details.

Ensemble Controller R15.2 Administrator Manual - Issue: A 58

Adtran Installing and Logging into Ensemble Controller

If you plan to enhance your network in the future, we recommend that you use the next
server size.

Operating system patches that limit the CPU performance or virtual-machine overhead
do not affect performance of Ensemble Controller.

Depending on your unique requirements, you must adjust your system.

For information, see System Settings.

Recommended Linux Server Hardware

The number of network element equivalents characterize the network size. The Linux
hardware requirements for different network sizes based on their network element
equivalents are shown in this table. These examples use HPE ProLiant servers.

Table 5: Linux Hardware Requirements for Ensemble Controller Servers

Network
Network
Element PMO Clients Computer Server Example1 SPECint2
Size
Equivalents
S 2,500 3,500 10 HPE ProLiant DL360 Gen10 41
with 1x 4208 with 8 cores and
16 threads @ 2.1 GHz, 16 GB
RAM, GBE LAN, 1x PSU 500W,
1x HD
M 6,000 8,000 10 HPE ProLiant DL360 Gen10 55
with 1x 4210 with 10 cores and
20 threads @ 2.2 GHz, 16 GB
RAM, GBE LAN, redundant
PSU 500W, 2x HD
L 15,000 20,000 25 HPE ProLiant DL360 Gen10 110
with 2x 4210 with 2x 10 cores
and 20 threads @ 2.2 GHz,
16+16 GB RAM, GBE LAN,
redundant PSU 500W, 2x HD

Ensemble Controller R15.2 Administrator Manual - Issue: A 59

Adtran Installing and Logging into Ensemble Controller

Table 5: Linux Hardware Requirements for Ensemble Controller Servers

Network
Network
Element PMO Clients Computer Server Example1 SPECint2
Size
Equivalents
XL3 60,0004 90,000 75 HPE ProLiant DL360 Gen10 222
with 2x 6230 with 2x 20 cores
and 40 threads @ 2.1 GHz, 64
GB RAM, GBE LAN, 2x PSU
800W, 2x HD
XL3 120,000 150,000 75 HPE ProLiant DL360 Gen10 222
with with 2x 6230 with 2x 20 cores
24h- and 40 threads @ 2.1 GHz, 64
values GB RAM, GBE LAN, 2x PSU
only 800W, 2x HD
Footnotes:
1. You need to follow these requirements:
l Up to a 500-GB hard drive and GbE LAN connections for field deployments,

bare metal, and virtualized servers.

l We do not deliver the operating system or virtualization software. You must

order the supported versions. For virtualized deployments you must order
VMWare vSphere 6.5, 6.7, or 7.0 when you order the hardware.

2. The SPECint value provides a performance number based on SPECint2017 (see

www.spec.org) containing a long list of recent computers. You can use this value to
find equivalent machines of different vendors or CPU types.
3. For XL systems, adjust the memory settings and the maximum number of open file
descriptors. For details, see Changing the Memory Settings of the Mediation Server
in Windows (64 Bit), Setting the Shared Buffer Size and Installing Ensemble
Controller in Linux.

4. NEE and PMO might be lower for customers with Sync Director Assurance
extension.

If you plan to enhance your network in the future, we recommend that you use the next
server size. Operating system patches that limit the CPU performance or virtual-machine
overhead do not affect performance of Ensemble Controller.

Required Minimum Client Hardware

The Ensemble Controller Client can run as:

Ensemble Controller R15.2 Administrator Manual - Issue: A 60

Adtran Installing and Logging into Ensemble Controller

l A separate process on the same computer as the Ensemble Controller Server.

–or–
l A separate application on a different computer, and then you can also operate the
GUI using third-party applications such as Citrix® or GoGlobal™.

The computer where the Ensemble Controller Client runs can have a different operating
system than the computer that the Ensemble Controller Server uses. For example, the
server can run on a Linux workstation while the client runs on a Windows computer.
However, the Ensemble Controller Server does not support the use of sleep or standby
modes on the computer. Always close the Ensemble Controller Client or Ensemble
Controller Server before you set the computer in these modes.

Connect the clients to the server using LAN or WAN connections.

See these topics for information about the client hardware or software requirements for
various operating systems:

Supported Operating Systems (Client) 61

Minimum Requirements for Test Systems 62
Recommendations for the User Environment 62
Client Server Requirements 63

Supported Operating Systems (Client)

You can install the Ensemble Controller Client on these 64-bit operating systems:

64-bit Operating
Version
System
Windows l Windows 10
l Windows 11
l Windows Server 2016
l Windows Server 2019
l Windows Server 2022

Ensemble Controller R15.2 Administrator Manual - Issue: A 61

Adtran Installing and Logging into Ensemble Controller

64-bit Operating
Version
System
Red Hat Enterprise Use these versions with the GNOME 3 desktop manager and the
Linux X11 protocol, which you must install on the same server as the
Ensemble Controller Client:
l Linux 7.8, and 7.9

l Linux 8.4, and 8.6

You can use all supported Windows and Linux operating systems natively or on VMWare
vSphere 6.5, 6.7, or 7.0.

Minimum Requirements for Test Systems

Table 6: Client Hardware Requirements for Windows and
Linux Test Systems
Processor 2 GHz minimum
RAM 8 GB minimum
HD 20 GB free space, and 20 GB for /opt in
Linux
LAN 100 Mbps
DVD ROM Drive To install software (optional)
Screen l Size: 21 inches
l Minimum resolution: 1280 x 1024

Recommendations for the User Environment

Table 7: Recommended Client Hardware for the Windows and
Linux User Environment
Processor 2.5 GHz, 2 cores
RAM 16 GB
HD 50 GB free space
LAN 1000 Mbps
DVD ROM Drive To install software (optional)

Ensemble Controller R15.2 Administrator Manual - Issue: A 62

Adtran Installing and Logging into Ensemble Controller

Table 7: Recommended Client Hardware for the Windows and

Linux User Environment
Screen For network operations centers:
l Minimum Size: 31 inches
l High contrast, minimum resolution options:
o 3840 × 2160

–or–
o 4096 × 2160

Client Server Requirements

You can install the client application on a separate server. However, you must separately
purchase the hardware for this server and any third-party applications such as Citrix® or
GoGlobal™.

The Embedded License Server

The Embedded License Server stores the licenses that you purchased, and thus
determines the scope of system functions and features in Ensemble Controller, and also
whether you have unimpeded access to all network objects within a particular network.
With the Ensemble Controller version 12.1, the Embedded License Server is mandatory.

Supported Operating Systems 63

Installation Options 64
Required License Server Hardware for the Local Installation 64
Interaction of Ensemble Controller and Embedded License Servers in High
Availability 65

Supported Operating Systems

You can install the Embedded License Server on these 64-bit operating systems:

Ensemble Controller R15.2 Administrator Manual - Issue: A 63

Adtran Installing and Logging into Ensemble Controller

64-bit Operating System Version

Windows l Windows 10
l Windows 11
l Windows Server 2016
l Windows Server 2019
l Windows Server 2022

Red Hat Enterprise Linux l Linux 7.8, and 7.9

l Linux 8.4, and 8.6

Installation Options
You have these options to install the Embedded License Server:
l (Recommended) Locally on the server where you will also install Ensemble
Controller. This option requires additional server hardware as described in
Required License Server Hardware for the Local Installation.
–or–
l Standalone on a separate server that is independent from the server where you will
install Ensemble Controller.
–or–
l Two Embedded License Servers installed locally or standalone that operate in a
main-backup configuration for high availability. For information, see Interaction of
Ensemble Controller and Embedded License Servers in High Availability.

To install the Embedded License Server, we recommend to use the Ensemble Controller
installation wizard described in Installing Ensemble Controller.

After you install the Embedded License Server, you must prepare and enable it for
Ensemble Controller as described in Preparing and Enabling the Embedded License
Server.

Required License Server Hardware for the Local

Installation
If you locally install the Embedded License Server on the same server as Ensemble
Controller, meet these hardware requirements in addition to the Required Minimum
Server Hardware for Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 64

Adtran Installing and Logging into Ensemble Controller

Table 8: License Server Hardware Requirements

Processor 2 cores or reduction of the NEE size by 2000
RAM 4 GB
HD 10 GB

For information about the hardware requirements if you install the Embedded License
Server standalone on a separate server, see the Embedded License Server Administrator
Manual.

Interaction of Ensemble Controller and Embedded

License Servers in High Availability
Two Embedded Licenses Servers can operate in a main-backup configuration for high
availability. Ensemble Controller will favor interacting with the main Embedded License
Server whenever it is available. If the main Embedded License Server is unreachable, then
Ensemble Controller will interact with the backup Embedded License Server, which also
has information about the available licenses. If Ensemble Controller cannot reach either
of the main or backup Embedded License Servers, then it continues to use any previously
acquired licenses up until the time when their lease or the license expires.

For information about how to configure high availability for two Embedded License
Servers, see the Embedded License Server Administrator Manual.

Antivirus Software
If your system uses antivirus software and a firewall, you need to set up the Ensemble
Controller Server folders, files and the firewall ports so that they can all access the server
and the client environment.

Server Environment 65
Client Environment 66

These sections provide information about how to set up antivirus software. See
Communication Ports for information about required firewall ports.

Server Environment
Exclude these Ensemble Controller default installation directories from antivirus
protection:

Ensemble Controller R15.2 Administrator Manual - Issue: A 65

Adtran Installing and Logging into Ensemble Controller

l For a 32bit Windows OS, the default installation directory is

C:\Program Files\ADVA Optical Networking\FSP Network Manager
l For a 64bit Windows OS, the default installation directory is
C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager
l For a Linux OS, the default installation directory is
opt/adva/fsp_nm

Exclude these EXE application files from antivirus protection. Make sure these files can
fully and permanently access the network in relation to the Ensemble Controller
installation directory:
l SNMP Forwarder
l Mediation Server
l JMS Server
l postgres\bin\pg_basebackup.exe
l postgres\bin\pg_ctl.exe

Client Environment
If you install Ensemble Controller on a PC or laptop that is running a
Windows operating system, problems can occur when virus scanners
are also running on the computer. To avoid any problems, configure
the antivirus scanner to use the settings that follow.

Exclude these directories from antivirus protection:

l Ensemble Controller installation directory
o For a 32bit Windows OS, the default installation directory is

C:\Program Files\ADVA Optical Networking\FSP Network Manager

o For a 64bit Windows OS, the default installation directory is
C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager
o For a Linux OS, the default installation directory is
opt/adva/fsp_nm
l Ensemble Controller user directory
C:\Users\<username>\FSP Network Manager

Local Area Network

You need local area network (LAN) connectivity for communication between:

Ensemble Controller R15.2 Administrator Manual - Issue: A 66

Adtran Installing and Logging into Ensemble Controller

l The network element and the Ensemble Controller Server.

l For a high-availability solution:
o The Ensemble Controller Server and the Ensemble Controller standby Server.

–and–
o The network element and the Ensemble Controller standby Server.

l The Ensemble Controller Server and Clients.

l The Ensemble Controller Server and an operating support system, if applicable.

For information about communication ports, see Supported Communication Ports.

Network Element-to-Server Connections 67

Server-to-Server Connections 67
Server-to-Client Connections 68
Server-to-Northbound Interface Connections 68

Network Element-to-Server Connections

Network element bandwidth requirements depend on the network size.
l On the server side, we recommend a 1-Gbps connection to the router.
l Farther downstream, for FSP 3000R7 equipment, we recommend 64 Kbps per
lambda with a minimum of 256 Kbps per network element.
l If you use the Network Element Director (NED), you will need a minimum of 2
Mbps. For Ethernet and OSA equipment, we recommend a minimum of 200 Kbps
per device.
l For FSP 3000 C, we recommend a 5-10 Mbps capacity per node on its DCN
connection, depending on the node size.
l For FSP 3000 C networks, we recommend a 1-Gbps connection as long as the
number of nodes does not exceed 500. For larger networks, we recommend
interfaces with higher bit rates to stay above 2 Mbps DCN capacity in average per
node, considering statistical multiplexing.

Server-to-Server Connections
The bandwidth between a primary and a secondary server strongly depends on the
database size, which is based on the network size. The minimum bandwidth is 100 Mbps.
For larger networks, we recommend a 1-Gbps connection.

Ensemble Controller R15.2 Administrator Manual - Issue: A 67

Adtran Installing and Logging into Ensemble Controller

Server-to-Client Connections
The minimum bandwidth requirement is 4 Mbps per client. For example, you need 200
Mbps if 50 clients run at the same time. If a client supports multiple windows, the
minimum bandwidth requirement when you run all clients at the same time is:
l 6 Mbps for one client
l 300 Mbps for 50 clients

Server-to-Northbound Interface Connections

The minimum bandwidth requirement for a northbound interface (NBI) connection is 1
Mbps between a server and operating support systems (OSS).

Network Elements
Ensemble Controller Server Filter
For each network element that you want Ensemble Controller to manage, you must set
the server filter to allow write operations from Ensemble Controller.

See the related network element user documentation for instructions to manually add
the Ensemble Controller Server IP address to the trapsink table. When Ensemble
Controller discovers the network element, the system automatically adds the Ensemble
Controller Server IP address to the network element trapsink tables.

Trapsink Table
For all ADVA network elements that the Ensemble Controller Client discovers, the
Ensemble Controller Server automatically adds its IP address to the trapsink table of the
discovered network elements. Ensemble Controller can then receive SNMP traps, or event
messages, from these network elements.

If the network element trapsink table has reached the maximum number of 10 entries,
the Ensemble Controller Server cannot add its IP address, however, continues to try to
register itself until it succeeds.

For third-party devices such as Juniper, you must manually add the IP address of the
Ensemble Controller Server to the trapsink table through craft. See the associated
product user manual for information about how to add IP addresses to the trapsink table.

Ensemble Controller R15.2 Administrator Manual - Issue: A 68

Adtran Installing and Logging into Ensemble Controller

For more information about trapsink table registration, see the User Manual, Ensemble
Controller Architecture.

SNMP Access
You must enable the SNMP interface on managed network elements. On some network
elements, you can disable the SNMP interface. You must be familiar with the network
element SNMP settings such as user name and community strings. If the network
element uses SNMPv3, you must know the user name, security level, authentication and
privacy protocol, and the password.

FTP Access
If you use any new software features or use the network element configuration backup,
you must enable the FTP client on the network elements. On some network elements,
you can disable the FTP client. If you use secure FTP, you must enable the secure copy
protocol (SCP) in the network element, and you must know the network element settings.
To transfer files, an FTP server must be available, and you must know the FTP server
account details.

See the network element manual for more information about how to enable FTP clients.

General Aspects
To stay in sync with the network elements and their time stamps, be sure to have access
to a network time protocol (NTP) server. You can use Red Hat Linux or VMWare to take
advantage of virtualized server environments. We have not tested other solutions and
therefore cannot support them.

Using RADIUS, TACACS+, or LDAP

See the appropriate topic to configure Ensemble Controller for remote authentication
with one of these protocols:
l Setting Up RADIUS Authentication
l Setting Up TACACS+ Authentication
l Setting Up LDAP Authentication

Remote authentication through these protocols is optional in Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 69

Adtran Installing and Logging into Ensemble Controller

Third-Party Software
The Ensemble Controller installation package includes these software applications to
support and complement Ensemble Controller features. However, you can install any
software other than these third-party products because Ensemble Controller uses
standard protocols.

Supported Operating
Application Description
Systems
FTP Server: Windows Use for software downloads and network-
FileZilla element backup or restore activities.
Database: SQL All Installs automatically and scales to the
maximum network size. No other database
instance can be active on the same server
instance.

For information about how to install third-party products, see (Optional) Installing
Additional Programs.

Using FTP or SSH Servers

We recommend that you use the FTP and SSH servers available with the Linux operating
system.

Additional Software
The Ensemble Controller distribution set does not include these required, additional
software applications. You must provide them on all client machines.

Application Required to
A web browser, for Use the web GUI as craft.
example Firefox, Microsoft
Edge or Google Chrome
Adobe Acrobat Reader l Display reports.
–or–
l Read the Administrator Manual or User Manual.

Ensemble Controller R15.2 Administrator Manual - Issue: A 70

Adtran Installing and Logging into Ensemble Controller

Application Required to
Secure Shell (SSH) l Provide high availability.
–or–
l Provide encrypted communication through the ASCII
craft interface to network elements.
Docker containerization Use optional applications such as GNSS Assurance, TAPI, or
software Ensemble Fiber Director.
Tile server software Respresent expected offline tile servers for geographical
map.
Python with minimum SW Use optional Streaming HA solution on Linux RedHat
version 3.6.8 operation system.
OpenSSL with minimum
SW version 1.0.2

Optional Hardware
For the FTP server application, the hardware can be:
l The Ensemble Controller Server.
–or–
l An existing shared FTP server.
–or–
l A dedicated FTP server.

We recommend that you routinely back up your server using tape-backup systems and
that you use firewalls to secure your management systems.

Optional Applications
These optional applications require additional resources.

Ensemble Optical Director with Centralized Control Plane 72

Ensemble Sync Director Assurance Extension 72
Ensemble Fiber Director 73
Streaming High Availability 73
Transport API North Bound Interface 74

Ensemble Controller R15.2 Administrator Manual - Issue: A 71

Adtran Installing and Logging into Ensemble Controller

Ensemble Optical Director with Centralized Control Plane

You can provide Ensemble Controller with the optional Ensemble Optical Director. This
solution provides end-to-end service provisioning for WDM services. The Ensemble
Optical Director can use the distributed Control Plane (CPd) for the network elements or
the centralized Control Plane (CPc) server instance for routing calculation and signaling.

CPc is the state-of-the-art version of Control Plane for ENC. Therefore,

you should use CPc for all green-field installations.

If you want to use the CPc, you typically install it on the same system as Ensemble
Controller. The additional load must be reflected by 2 additional network element
equivalents for each shelf that the CPc manages.

You can install the CPc on a 64-bit operating Linux system using these versions:
l 7.8, and 7.9
l 8.4, and 8.6

For more information, see Managing the Centralized Control Plane, or the associated
Ensemble Controller release notes.

The maximum number of network elements that the CPc can handle in Ensemble
Controller 15.2 is 3,000.

Ensemble Sync Director Assurance Extension

The Ensemble Sync Director is part of the Ensemble Controller bundle and therefore does
not need extra resources.

GNSS Assurance and PTP (Time and Phase) Assurance are optional extension applications
that you build on top of a Docker container technology in Linux. You can install them
either on the same system as Ensemble Controller, or on a dedicated separate system
without Ensemble Controller. You need an online or offline tile server to use this
application for the geographic information system (GIS).

The system where you want to install GNSS Assurance or PTP Assurance must meet these
minimum requirements:

Ensemble Controller R15.2 Administrator Manual - Issue: A 72

Adtran Installing and Logging into Ensemble Controller

Disk Drive l 1 TB of dedicated disc space in /var/lib/docker. We recommend to use a

separate partition.
–or–
l 500 GB if you install only either one of the optional applications that is
GNSS Assurance or PTP Assurance.
l If you require enhanced performance, we recommend an SSD disk drive.

RAM l 64 GB if you install Ensemble Controller, GNSS Assurance, or PTP

Assurance on the same system. The number of supported devices and
PMOs reduces to 12,000 network element equivalents and 15,000 PMOs
for XL systems.
l 32 GB if you install GNSS Assurance or PTP Assurance on a dedicated
separate system without Ensemble Controller.

For details about necessary software for Sync Assurance tools, see Configuring Sync
Assurance and the Ensemble Fiber Director Server.

Ensemble Fiber Director

For details about necessary hardware and software to operate the Ensemble Fiber
Director, see the Ensemble Fiber Director User Manual and Installing the Ensemble Fiber
Director Server in Linux. The software runs on Docker containers in Linux systems. You
need an online or offline tile server to use this application for the geographic information
system (GIS).

Streaming High Availability

In contrast to standard high availability, the streaming high-availability solution requires
3 servers in total that is, 2 identical ones as described in High-Availability Solution with a
Redundant Server, and an additional quorum server.

The quorum server must meet these requirements:

RAM 4 GB
HDD 20 GB
CPU 2 core, 2 GHz
OS Linux

Ensemble Controller R15.2 Administrator Manual - Issue: A 73

Adtran Installing and Logging into Ensemble Controller

Transport API North Bound Interface

To install the transport API north bound interface (TAPI NBI) on the same system as
Ensemble Controller, the system must meet these minimum requirements:

Processor 2 cores with 2 GHz

RAM l 4 GB for up to 500 network size S
l 8 GB for network size M
l 16 GB for network size L
l 32 GB for network size XL

HDD 20 GB

You can install the TAPI NBI on a 64-bit operating Linux system using these versions:
l 7.8, and 7.9
l 8.4, and 8.6

The TAPI NBI requires also the Docker Engine to be installed as a pre-requisite. For more
information, see the ONF TAPI Integration Manual.

Installing Ensemble Controller

This section describes how to install Ensemble Controller in Windows or Linux, and then
to verify afterwards whether all services started successfully.

If installation failures occur, for details about remedial action, see Resolving Installation
Issues.

For information about how to uninstall Ensemble Controller, see Uninstalling Ensemble
Controller.

Installing Ensemble Controller in Windows 74

Installing Ensemble Controller in Linux 92
Troubleshooting Client Download Errors 100
Viewing and Deleting Installed Clients 103

Installing Ensemble Controller in Windows

Requirements for Installing Ensemble Controller in Windows 75

Ensemble Controller R15.2 Administrator Manual - Issue: A 74

Adtran Installing and Logging into Ensemble Controller

Steps to Installing Ensemble Controller in Windows 75

Silent Installation of the Ensemble Controller Client 84
Verifying Services in Windows 85
Changing the Memory Settings of the Mediation Server in Windows (64 Bit) 87
Installing Ensemble Controller Client Only 88

Requirements for Installing Ensemble Controller in

Windows
Area Requirement Description
Application In the Salesforce Customer Portal, make sure to download both of
Software these software installation files:
l Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.001
l Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.002

The system requires both of these files to completely install Ensemble

Controller.
Memory Adjust the memory settings according to your system size. See
Settings Changing the Memory Settings of the Mediation Server in Windows
(64 Bit) and Setting the Shared Buffer Size.
Antivirus Familiarize yourself with Antivirus Software.
Software
Administrative You have full administrative privileges on your local computer. Verify
Privileges and if required modify your user account control settings.
Virtual Memory On the computer where you want to install Ensemble Controller,
Paging File ensure that the system automatically manages the paging file for
virtual memory, or at least set it to the size of the physical memory in
the system.

Steps to Installing Ensemble Controller in Windows

1. After you download the required software installation files as described in the
Application Software requirement, unzip only the 001 ZIP file, for example:
Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.001

2. In the unzipped folder, select the EXE installation file, for example:
Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.exe

Ensemble Controller R15.2 Administrator Manual - Issue: A 75

Adtran Installing and Logging into Ensemble Controller

The InstallAnywhere window appears with a status bar to show progress:

After the InstallAnywhere window, the Introduction window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 76

Adtran Installing and Logging into Ensemble Controller

3. Click Next. The Choose Install Folder window appears:

4. To choose the installation folder, proceed with one of these options:

l Click Next to accept the default installation folder.

l Click Choose to browse and select an alternate folder.

We recommend that you install the Ensemble Controller in a

default folder. Do not install directly on system partition (just
C:\, without any folders), as Windows have restricted
permissions for the files in C:\.

l Click Restore Default Folder to reset to the default folder.

Ensemble Controller R15.2 Administrator Manual - Issue: A 77

Adtran Installing and Logging into Ensemble Controller

5. Click Next. The Choose Install Set window appears:

6. In the Install Set field, select the appropriate installation set:

Option Description or Steps

Typical All required components install.
Custom Clear the components that you do NOT want to install.
l To view a brief description for one of the installation components,
select the relevant one, and then see the Description area. For
more information about the ENC Server component, see the User
Manual, Ensemble Controller Architecture.

Ensemble Controller R15.2 Administrator Manual - Issue: A 78

Adtran Installing and Logging into Ensemble Controller

Option Description or Steps

l With the Ensemble Controller version 12.1, the Embedded License
Server is mandatory.

NOTE:
o If you use the Ensemble Controller wizard to install only the

Embedded License Server, clear ENC Server and ENC Client

but select Embedded License Server.
o If you already have the Embedded License Server installed, or

you prefer to use installation scripts instead, clear Embedded

License Server but select ENC Server and ENC Client. For
information about the supported installation scripts, see the
Embedded License Server Administrator Manual.

l NOTE: If you select ENC Client without automatic updates, make

sure to clear ENC Client. Ensemble Controller supports only either
one of the clients.

7. Click Next. The Pre-Installation Summary window appears:

8. Review the installation details. If incorrect, click Previous to step back through the
wizard windows, and then change any details. After you correct the installation

Ensemble Controller R15.2 Administrator Manual - Issue: A 79

Adtran Installing and Logging into Ensemble Controller

details, click Install. The Installing Ensemble Controller window appears. A status
bar indicates progress:

During installation, another Executing... window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 80

Adtran Installing and Logging into Ensemble Controller

After the installation completes, the wizard starts the Ensemble Controller services.
The Post Install Process - ENC Server window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 81

Adtran Installing and Logging into Ensemble Controller

9. Click Next. The Start ENC Server window appears:

10. If you selected the Embedded License Server in Step 6, clear Start ENC Server
because you must first configure the license-related properties in the
fnm.properties file and make sure that you have loaded a suitable set of licenses on
the Embedded License Server before the Ensemble Controller Server starts. Step 14
includes more information.

Ensemble Controller R15.2 Administrator Manual - Issue: A 82

Adtran Installing and Logging into Ensemble Controller

11. Click Next. If you selected the Embedded License Server in Step 6, it installs next.

12. Click Next. The Post Install Process - Embedded License Server appears.
13. Click Next. The Installation Complete window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 83

Adtran Installing and Logging into Ensemble Controller

14. Click Done to finalize the installation.

15. If you selected the Embedded License Server in Step 6, before you proceed with this
procedure, first prepare and enable the Embedded License Server as described in
Preparing and Enabling the Embedded License Server.
16. If you completed this procedure because of an Ensemble Controller upgrade, restart
your computer. For more information about how to upgrade the Ensemble
Controller, see Upgrading Ensemble Controller. For clean installations, the restart is
not necessary.
17. Start the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.
18. Verify that all services run as described in Verifying Services in Windows. These
services incorporate the Ensemble Controller Server.
19. Start the Ensemble Controller Client as described in Logging Into the Ensemble
Controller Client.

Silent Installation of the Ensemble Controller Client

Complete these steps to "silently" install the Ensemble Controller (ENC) client.

A silent installation is one which does not display any indication of its progress and does
not require any user intervention (unattended).

It is useful for automating the installation process by using a text file, which is supported
only for the client installation and on a Windows operating system (OS).

1. Keep the Ensemble Controller installation application <ENC-version>.exe and the

text file fnmclientinstall.properties in the same directory.
An example of the fnmclientinstall.properties file, which you can use to perform a
silent installation with default settings, is available in the directory of an already
completed Ensemble Controller installation:
l In Windows, the Ensemble Controller installation directory is C:\Program Files
(x86)\ADVA Optical Networking\FSP Network Manager.
l In Linux, you can pick up the file from /opt/adva/fsp_nm to use it then in
Windows.
2. Launch a command prompt window as administrator.
3. Go to the directory where the files are located.
4. Type this command:
<ENC-version>.exe –i silent –f fnmclientinstall.properties

Ensemble Controller R15.2 Administrator Manual - Issue: A 84

Adtran Installing and Logging into Ensemble Controller

This example shows the command if the files are located in the Ensemble Controller
installation directory:
c:\FNM\ FSP_Network_Manager_for_Windows_v9.5.1-64bit.exe -i silent
–f c:\FNM\fnmclientinstall.properties

Verifying Services in Windows

Complete these steps to verify whether services that Ensemble Controller requires to
work properly, successfully started in a Windows operating system.

1. Go to Start > Control Panel > Administrative Tools > Services. The Services
window opens:

2. In the Status column, verify that these mandatory services display Running, which
means that they started successfully:
l ADVA: JMS Server

l ADVA: Mediation Server

l ADVA: PostgreSQL Server
3. If you find any discrepancies that is, some services listed in Step 2 have not started,
use one of these options to enable them:

Ensemble Controller R15.2 Administrator Manual - Issue: A 85

Adtran Installing and Logging into Ensemble Controller

Option Description or Steps

Restarting the Use either of these procedures:
Ensemble 1. Stop the server as described in Procedure for Stopping the
Controller Server in Windows.
Server.
2. Restart the server as described in Procedure to Start the Server
in Windows.
–or–
1. Run the nmsadmin script located in the Ensemble Controller
bin installation directory.

2. Type b to select Shutdown Server.

3. Type s to select Start Server.

After the server restarts, in the Services window, verify the service
status once more. If the required services still have not started,
enable them manually. See the next option Enabling Individual
Services.

Ensemble Controller R15.2 Administrator Manual - Issue: A 86

Adtran Installing and Logging into Ensemble Controller

Option Description or Steps

Enabling In the Services window:
Individual l Right-click the service that you want to start, and then select
Services Start. You must repeat this step every time you log into
Ensemble Controller if you want the service to run.
–or–
l To configure the service to automatically start every time you
log in:
1. Right-click the service, and then select Properties.
2. In the Startup type field, select Automatic.
3. In the Service status field, verify the status. If required,
select Start to start the service. After you start the service,
the status changes to Running.
4. Select Apply, and then OK to confirm your settings, or
Cancel.

Ensemble Controller by default disables the SNMP Forwarder and proxy server
services because they are irrelevant for its general operation. However, for the
features that require these services to run, you can enable them. See the relevant
sections:
l You require the proxy server to access the WEB Manager using HTTP or HTTPS.

l You require the SNMP Forwarder to access the Element Managerto manage FSP
1500 devices.

Changing the Memory Settings of the Mediation Server

in Windows (64 Bit)
Xmx is the configuration parameter controlling the maximum amount of memory that
Java uses on a system.

Follow this procedure to set the FNM Mediation Server Xmx value to your Windows (64
bit) operating system:

Change the Xmx value according to your system size:

l S – Xmx3000M
l M – Xmx6000M
l X – Xmx8000M
l XL – Xmx16000M

Ensemble Controller R15.2 Administrator Manual - Issue: A 87

Adtran Installing and Logging into Ensemble Controller

Requirement
You are informed about the installation requirements of the Required Minimum Server
Hardware.

Procedure
1. Shut down the Ensemble Controller Server.
2. Edit the fspnm.vmoptions file located in:
ENC Installation Directory/fspnm.vmoptions using Notepad or
Wordpad.
3. Change the first line -Xmx3000M to a value appropriate to your system requirements
(see the note box in the beginning of this section).
4. Save the file.
5. Run the script SetVMOptions.bat as administrator.
6. Start the Ensemble Controller Server.

Installing Ensemble Controller Client Only

Complete these steps to install the client software only without the Ensemble Controller
Server and Embedded License Server:

1. Download the client installer file from the Salesforce Customer Portal: Ensemble_
Controller_for_Windows_v[xx.x.x]-B[xxxxx]-Client-[xx]bit.exe.
You can also download the client installer file from a web page
https://<servername>:8443/client. To make this action possible, complete these
steps:
a. Copy the client installer file to these directories in the Ensemble Controller
Server:
l For Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP

Network Manager\ws\webapps\client
l For Linux: /opt/adva/fsp_nm/ws/webapps/client

b. Rename the client installer file to Ensemble_Controller_for_Windows-Client.exe.

Ensemble Controller R15.2 Administrator Manual - Issue: A 88

Adtran Installing and Logging into Ensemble Controller

2. Run the client installer file. The InstallAnywhere window appears with a status bar to
show progress:

1. Click Next. The Choose Install Folder window appears:

2. To choose the installation folder, proceed with one of these options:

l Click Next to accept the default installation folder.

l Click Choose to browse and select an alternate folder.

l Click Restore Default Folder to reset to the default folder.

Ensemble Controller R15.2 Administrator Manual - Issue: A 89

Adtran Installing and Logging into Ensemble Controller

3. Click Next. The Choose Install Set window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 90

Adtran Installing and Logging into Ensemble Controller

4. Click Next. The Pre-Installation Summary window appears:

5. Review the installation details. If incorrect, click Previous to step back through the
wizard windows, and then change any details. After you correct the installation
details, click Install. After the installation completes, the Installation Complete
window appears:

Ensemble Controller R15.2 Administrator Manual - Issue: A 91

Adtran Installing and Logging into Ensemble Controller

6. Click Done to finalize the installation.

7. If you completed this procedure because of the Ensemble Controller Client upgrade,
restart your computer. For clean installations, the restart is not necessary.
8. Start the Ensemble Controller Server on the computer that has the Ensemble
Controller Server installed as described in Starting the Ensemble Controller Server.
9. Verify that all services run on that computer as described in Verifying Services in
Windows. These services incorporate the Ensemble Controller Server.
10. Start the Ensemble Controller Client as described in Logging Into the Ensemble
Controller Client.

Installing Ensemble Controller in Linux

Complete these steps to install Ensemble Controller (ENC) in a Linux operating system
(OS).

Requirements for Installing Ensemble Controller in Linux 93

Steps to Installing Ensemble Controller in Linux 94
Verifying Services in Linux 99

Ensemble Controller R15.2 Administrator Manual - Issue: A 92

Adtran Installing and Logging into Ensemble Controller

Changing the Memory Settings of the Mediation Server in Linux 100

Requirements for Installing Ensemble Controller in Linux

Area Requirement Description
Application l In the Salesforce Customer Portal, make sure to download both of
Software these software installation files:
o Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.aa

o Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.ab
The system requires both of these files to completely install Ensemble
Controller.
l The PostgreSQL database requires the libssl.so.10 library file. Make
sure that the file is located in the /usr/lib64 or /lib/64 directory. If it is
not in these directories, complete one of these steps:
o From Operating System packages, install compat-openssl10

library.
o If ENC server has internet access, use yum to install compat-

openssl10.

Memory Adjust the memory settings according to your system size. See Changing
Settings the Memory Settings of the Mediation Server in Linux and Setting the
Shared Buffer Size.
Partition If you use the suggested partition sizes, make sure that the partition for
Sizes the /var directory and /opt directory provides enough space to install
Ensemble Controller. We recommend the partition for /opt and /var to
be at least 50% in total of the hard disk space.
nmsadmin For the nmsadmin and healthcheck scripts to run properly, install the
and sysstat package from Linux.
healthcheck
Scripts
XL Systems For XL systems, edit the /etc/pam.d/login file, and then add or modify
the session required pam_limits.so line.

Ensemble Controller R15.2 Administrator Manual - Issue: A 93

Adtran Installing and Logging into Ensemble Controller

Area Requirement Description

Software Before you upgrade to software version 9.3.1, make sure that these two
Upgrade to Linux libraries are available in the /lib/64/ directory. The PostgreSQL
9.3.1 database requires these libraries:
l libncurses.so.5
l libreadline.so.6

If these directories are not available in the /lib/64/directory, upload

them to the /lib/64/ directory.
Centralized Install Docker CE 20.10 on the destination system and create a Docker
Control swarm. For information about how to install and configure the Docker CE,
Plane see Installing the Docker-Community Edition Application in Linux. The
system user account must belong to a docker group or needs
permissions to operate.

Save and close all files that you edit. Log off, then on, or restart the server for changes to
take effect.

Spaces are NOT permitted in the Ensemble Controller installation

directory or in the tar directory where you plan to copy and run the
installation package.

Steps to Installing Ensemble Controller in Linux

1. Switch to the root user:
su -
2. If you installed an earlier version of Ensemble Controller:
a. Enter this command to uninstall your previous Ensemble Controller version:
cd /opt/adva
./uninstall-fsp_nm
b. Remove the Ensemble Controller installation folder, for example,
/opt/adva/fsp_nm

3. After you download the required software installation files as described in the
Application Software requirement, concatenate these files using this command:
cat Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.* >
Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar
4. Unpack the concatenated TAR file:
tar xf <Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar>

Ensemble Controller R15.2 Administrator Manual - Issue: A 94

Adtran Installing and Logging into Ensemble Controller

5. Start the installation process:

./install
After the installation process begins, complete the instructions that display.
6. To select one of these options, type the associated number:
1) ENC
2) CPc
3) Embedded License Server
4) ENC/CPc
5) ENC/Embedded License Server
6) ENC/CPc/Embedded License Server
7) Quit

l You can install the Centralized Control Plane (CPc) or the

Embedded License Server (ELS) only if Ensemble Controller
(ENC) is already installed in your system. You might want ELS to
be on the same server. If so, we recommend that you select the
option to simultaneously install the applications, which can be
option number 5 or 6.
l You can separately install the ELS as a standalone application
on a natively-compatible Linux operating system. Select the
standalone option number 3. CPc cannot work as a standalone
application.
l Starting with the ENC version 12.1, you must also install the ELS.
Unless you already installed the ELS, make sure that you select
the option that includes the Embedded License Server.
l If you installed a previous CPc version on your system, before
you install the newer version, first uninstall the old version. See
Uninstalling Linux Applications. Remove any installation folder
remnants.

l For information about the ELS, see The Embedded License Server.
l For information about the CPc, see Managing the Centralized Control Plane.
After you select an option, this message displays:
You have selected option <number>. Do you want to continue (y/Y) or change
option (C/c)?
7. Decide:
l To redisplay the menu in Step 6, select c/C.

l To continue the installation:

a. Select y/Y, and then type the user password.
b. Retype the password in the next field.

Ensemble Controller R15.2 Administrator Manual - Issue: A 95

Adtran Installing and Logging into Ensemble Controller

After a few command lines later, this message displays: Do you want to start the
ENC server application now?
c. Select n to NOT start the ENC server in any of these cases:
o You still must modify the fnm.properties file.

o The required ENC licenses are not yet available in the ELS.
o You will use a different account than root.
–or–
Select y to start the ENC server if the above cases do not apply.
8. If you select the option that includes the ELS in Step 6, before you proceed with this
procedure, first prepare and enable the ELS as described in Preparing and Enabling
the Embedded License Server.
9. Decide on the account you want to use:
l To use the root account, go to Step 12.

l To use an account other than root, proceed with the steps that follow.

To control Ensemble Controller services for non-root accounts,

you must have the sudo application available.

10. Make sure that no services are running and the Ensemble Controller Server is shut
down. For information, see the relevant topics:
l Verifying Services in Linux

l Procedure for Stopping the Server in Linux

11. Create a user account to use for remote communication:
a. Set the user password:
passwd username
b. Change to the current directory:
cd/opt/adva/fsp_nm
c. If you followed Step 6 to install both the ELS and ENC on the same computer,
change the owner and group of the ELS services. If not, continue with Step 11d.
To change the owner and group of the ELS services, run the elschangeuser.sh
script:
/opt/adva/fsp_nm/els/elschangeuser.sh <username> <groupname>
d. Run the changeUser.sh script:

Ensemble Controller R15.2 Administrator Manual - Issue: A 96

Adtran Installing and Logging into Ensemble Controller

/opt/adva/fsp_nm/bin/changeUser.sh <username> <groupname>

Make sure that you use the same <username> and

<groupname> for both the changeUser.sh and elschangeuser.sh
scripts. The names must be identical.

e. Restart the server computer for the changes to take effect.

12. To start the ENC GUI, run fnm.

To run fnm, you must first install a graphical desktop environment, for
example the desktop managers GNOME or KDE. Otherwise, when you
execute fnm, a failure message displays.

For Red Hat Enterprise Linux 7.x and 8.x

Only for Red Hat Enterprise Linux 7.x and 8.x, configure the firewalld script as described
here. The command lines in these steps are examples. Your configuration settings might
differ.

1. Verify that the firewalld script is running:

firewall-cmd --state
running
2. Make a note of the firewalld default zone, which you need later in this procedure:
firewall-cmd --get-default-zone
public
3. Verify which zones are active on the available Ethernet interfaces:
firewall-cmd --get-active-zones
4. Verify the open ports and services.
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: ssh dhcpv6-client
ports
protocols
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Ensemble Controller R15.2 Administrator Manual - Issue: A 97

Adtran Installing and Logging into Ensemble Controller

5. In the firewalld script, open these ports and services:

Service ssh

Ports l 162/udp
l 8080/tcp
l 9090/tcp
l 8443/tcp
l 9543/tcp
l 33028/tcp

firewall-cmd --permanent --zone=public --add-service=snmptrap

firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=8443/tcp
firewall-cmd --permanent --zone=public --add-port=9543/tcp
firewall-cmd --permanent --zone=public --add-port=33028/tcp
firewall-cmd --permanent --zone=public --add-port=9090/tcp

If you use the ELS and you installed ELS on the same computer as ENC, also open
these ports:
l 7071/tcp
l 8444/tcp
firewall-cmd --permanent --zone=public --add-port=7071/tcp
firewall-cmd --permanent --zone=public --add-port=8444/tcp
6. Reload the firewalld configuration:
firewall-cmd –-reload
7. Verify that all necessary ports and services are open:
firewall-cmd -- list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens 192
services: ssh dhcpv6-client snmptrap
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Ensemble Controller R15.2 Administrator Manual - Issue: A 98

Adtran Installing and Logging into Ensemble Controller

Verifying Services in Linux

Complete these steps to verify whether services that Ensemble Controller requires to
work properly, successfully started in a Linux operating system.

1. To switch to the root account, at the command prompt, type:

su -

2. To verify the Ensemble Controller Server status, type:

./opt/adva/fsp_nm/bin/fnm.server status

The Ensemble Controller status displays as this example shows:

Ensemble Controller status:
NM Server running, PID = 12688
NM JMS Server running, PID = 12686
NM SNMP Forwarder NOT running
NM proxy server NOT running

l You require the SNMP Forwarder to access the Element Managerto manage FSP
1500 devices.

3. If services are not listed as shown in the example in Step 2, use these commands to
restart the Ensemble Controller Server:
./opt/adva/fsp_nm/bin/fnm.server stop
./opt/adva/fsp_nm/bin/fnm.server start

4. The fnm.server script cannot process the PostgreSQL server. To verify it separately,
type:
ps -ef|grep postgres

A long data list occurs:

5. If the data list does not appear, use this command to restart the PostgreSQL server:
./opt/adva/fsp_nm/postgres/support-files/postgres.server start

Ensemble Controller R15.2 Administrator Manual - Issue: A 99

Adtran Installing and Logging into Ensemble Controller

6. You can now log into Ensemble Controller as described in Logging Into the Ensemble
Controller Client.

Changing the Memory Settings of the Mediation Server

in Linux
Xmx is the configuration parameter controlling the maximum amount of memory that
Java uses on a system.

Follow this procedure to set the FNM Mediation Server Xmx value to your Linux
operating system:

Change the Xmx value according to your system size:

l S – 4000M
l M – 6000M
l X – 8000M
l XL – 32000M

Requirement
You are informed about the installation requirements of the Required Minimum Server
Hardware.

Procedure
1. Shut down the Ensemble Controller Server.
2. Edit the customprop.sh file located in: /opt/adva/fsp_nm/bin/customprop.sh:
a. Remove # and change the memory to a value appropriate to your system
requirements (see the note box in the beginning of this section) in this line:
#NMS_XMX=4000M
b. Remove # in this line:
#export NMS_XMX

3. Save the file.

4. Start the Ensemble Controller Server.

Troubleshooting Client Download Errors

This section describes possible error messages, and their importance and remedial
action, which can display while you download the client version.

Ensemble Controller R15.2 Administrator Manual - Issue: A 100

Adtran Installing and Logging into Ensemble Controller

"Cannot write to download directory" 101

"Cannot create installation directory" 101
"Error while updating or uncompressing" 102

After you resolve the described issues but are still unable to connect to the server, send
the error logs created during the installation to the ADVA Technical Services.

The log files are stored in the user directory for both ClientUpdater and Ensemble
Controller:
l C:\Users\<user>\ClientUpdater\log\ClientUpdater.error.log
l C:\Users\<user>\FSP Network Manager\log\frontend.error.log

"Cannot write to download directory"

After you install Ensemble Controller, a confirmation dialog box might open to ask you to
download a different client version. After the software confirms the download, it
temporarily stores the version file in the user directory:
c:\users\<user>\clientupdater\downloads.
If you log in and have no write access to the respective folder, this dialog box opens:

Use the property launcher.download.directory=[...] defined in the launch.properties file to

specify the directory with write access. Make sure to use correct path separators for the
directory, which are slash "/" and double backslash "\\" only, for example:
l launcher.download.directory=d:/myFolder
l launcher.download.directory=d:\\myFolder

The launch.properties file is stored in the installation directory, for example:

C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\clientupdater

"Cannot create installation directory"

After you download the version file, the installation process installs the client at
C:\ProgramData\clientupdater\nmclients. If the user who is currently logged in has

Ensemble Controller R15.2 Administrator Manual - Issue: A 101

Adtran Installing and Logging into Ensemble Controller

no write access to the respective folder, this dialog box opens:

Use the property launcher.program.directory=[...] defined in the launch.properties file to

specify the directory with write access. Make sure to use correct path separators for the
directory, which are slash "/" and double backslash "\\" only, for example:
l launcher.program.directory=d:/myFolder
l launcher.program.directory=d:\\myFolder

The launch.properties file is stored in the installation directory, for example:

C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager\clientupdater

"Error while updating or uncompressing"

In some rare cases the downloaded file might become corrupted while you re
downloading or installing the client. If so, these dialog boxes will open (Windows
operating systems only):

Ensemble Controller R15.2 Administrator Manual - Issue: A 102

Adtran Installing and Logging into Ensemble Controller

In these cases, repeat the action.

Viewing and Deleting Installed Clients

Complete these steps to view installed client versions and to delete certain clients by
using the Client Version Management Tool.

You delete clients in these types of situations:

l Clients are corrupted.
l You want to increase available space.
l You plan to uninstall the current Ensemble Controller Client and Server.
l You plan to install another or a new Ensemble Controller Client.

1. To open the Client Version Management Tool, click the Windows Start button,
and then select Ensemble Controller Client Cleanup Tool.
The Client Version Management Tool window opens:

The Client Version Management Tool window lists the clients that you installed up
to now in tabular form. The table provides this information:

Column Description
Version The release number with the relevant build number in the format
<release no.>-<build no.>.

Ensemble Controller R15.2 Administrator Manual - Issue: A 103

Adtran Installing and Logging into Ensemble Controller

Column Description
Status The client is:
l Unused, Idle.
-or-
l currently in use, Last used.

Location The path where the client is located.

Last Modified The date when you last modified the client.

2. Delete a client from your computer as follows:

a. From the list, select the relevant client, and then click Delete.
The Delete Client dialog box opens:

b. Click Yes to confirm.

The respective client is removed from the list.
-or-
Select No to stop the action.
c. Click Close to exit the window.

Preparing and Enabling the

Embedded License Server
1. After you installed the Embedded License Server, you must prepare it to provide the
set of licenses that your Ensemble Controller requires. For information about the
installation options for the Embedded License Server, see The Embedded License
Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 104

Adtran Installing and Logging into Ensemble Controller

Figure 1: Schematic Representation of Step 1

a. Log in to the ADVA License Portal as described in the Customer License Portal
Access documentation available on the Customer Portal.
b. In the ADVA License Portal, generate the BIN file from your obtained license
entitlements to bind them to the Embedded License Server that your Ensemble
Controller will connect to. The ADVA License Portal automatically creates the
license entitlements after you placed your order with the ADVA Customer Focus
Team.
For information about how to generate the BIN file in the ADVA License
Portal, see the ADVA license portal Training for Endcustomer documentation
available on the Customer Portal.
c. Log in the Embedded License Server as described in the User Manual.
d. In the Embedded License Server, activate the BIN file that you generated in Step
1b, as described in the Embedded License Server Administrator Manual.
If you use a second Embedded License Server as backup server in a high-
availability configuration, you must also activate the BIN file on that backup
server.
For information about how to configure high availability for two Embedded
License Servers, see the Embedded License Server Administrator Manual.
2. From the Ensemble Controller installation directory, open the fnm.properties file,
and then edit these license-server related properties to enable the Embedded
License Server for Ensemble Controller.
l If you installed the Embedded License Server standalone on a separate server,
add the IP and port of that server to
com.adva.fnm.option.flexeraServer.ipaddress. If you installed the Embedded
License Server locally on the same server as the Ensemble Controller, you do
NOT need to change this property.

Ensemble Controller R15.2 Administrator Manual - Issue: A 105

Adtran Installing and Logging into Ensemble Controller

l If you use a second Embedded License Server as a backup server, add the IP and
port of that server to com.adva.fnm.option.backupFlexeraServer.ipaddress.
l To specify the feature licenses that you want Ensemble Controller to acquire,
add the feature license names to com.adva.opt.flexera.requestLicenses.
For general information about how to edit the fnm.properties file, see Editing the
fnm.properties File.
3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.
–or–
Proceed with the remaining installation steps in Installing Ensemble Controller.

Importing Ensemble Controller Server

Certificates to the Client
The Ensemble Controller Client displays the Ensemble Controller Server certificate when
you first log in. To prevent this certificate message from displaying, you can store the
certificate in a local Ensemble Controller-owned certificate storage during installation.

Complete the steps in this section to place the server certificate in the client truststore.
You need to place the certificate in a truststore for secure communications. A server
always has one certificate which ensures that the server is trustworthy.

When a client connects to this server, the client looks at the truststore and verifies
whether it can trust the server. If the client finds no corresponding certificate, Ensemble
Controller displays the received certificate and prompts you to trust this server and
accept this certificate.

To avoid this prompt, install the certificate directly in the Ensemble Controller Client
truststore after you install the client.

1. After the server installation successfully completes, export the Ensemble Controller
Server certificate to a file.
a. Linux: keytool -exportcert
-alias nms-server-key
-file ~/nms-server-key.cert
-keystore /opt/adva/fsp_nm/certs/fnmserver.ks
b. Windows: keytool -exportcert
-alias nms-server-key
-file “%HOMEDRIVE%%HOMEPATH%\nms-server-key.cert

Ensemble Controller R15.2 Administrator Manual - Issue: A 106

Adtran Installing and Logging into Ensemble Controller

-keystore “%HOMEDRIVE%%HOMEPATH%\FSP Network

Manager\certs\fnmserver.ks”
c. Enter the password NeverChange.
2. Transfer the certificate file to the client computer, if necessary.
3. After the client installation successfully completes, import the certificate to the client
truststore.
a. Linux: keytool -importcert
-alias <hostname of the server the certificate is from>
-file ~/nms-server-key.cert
-keystore /opt/adva/fsp_nm/certs/client.ts
b. Windows: keytool -importcert
-alias <hostname of the server the certificate is from>
-file “%HOMEDRIVE%%HOMEPATH%\nms-server-key.cert
-keystore “%HOMEDRIVE%%HOMEPATH%\FSP Network
Manager\certs\client.ts”
c. Enter the password NeverChange.
d. At the prompt, type y [Yes] to confirm the import operation, or n [Enter] to stop
the operation.

(Optional) Installing Additional

Programs
This section describes how to install and configure additional programs or features that
can be useful in supporting your system with certain operations in terms of Ensemble
Controller.

Installing FileZilla 107

Installing PuTTY 111
Installing CopSSH 116

Installing FileZilla
FileZilla is a free, open source, cross-platform FTP software that consists of a FileZilla
client and a FileZilla server. It is included in the Ensemble Controller installation package
to be installed off the directory at any time.

Complete this procedure to install FileZilla.

Ensemble Controller R15.2 Administrator Manual - Issue: A 107

Adtran Installing and Logging into Ensemble Controller

1. Find the FileZilla installation file at:

ENC Installation Directory\filezilla-install.
2. Right-click the FileZilla_Server-[...].exe (application) file and select Run as
administrator.
The License Agreement window opens:

3. Click I Agree to continue.

The Choose Components window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 108

Adtran Installing and Logging into Ensemble Controller

4. To choose the FileZilla features to be installed, follow either way:

l In the Select the type of install field, select the appropriate installation
package.
Each package contains its set of features. If you select a package, the software
selects the corresponding feature components in the list and the Space
required area displays relevant information.
-or-
l From the list, select the feature components as appropriate.
If you hover over a component, the Description area displays corresponding
information about it.
5. Click Next.
The Choose Install Location window opens:

6. Select either way to proceed:

l In the Destination Folder field, type a relevant folder path.

-or-
To search for the appropriate folder, click Browse.
Then click Next.
-or-
l Click Next to use the default destination folder as stated in the Destination
Folder field.
The Startup settings window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 109

Adtran Installing and Logging into Ensemble Controller

7. From the list, select how you want the FileZilla server to start.
8. Verify the server listening port and change it if necessary.
9. If appropriate, select Start Server after setup completes.
10. Click Next.
This window opens:

11. From the list, select how you want the server interface to start:
12. If appropriate, select Start Interface after setup completes.

Ensemble Controller R15.2 Administrator Manual - Issue: A 110

Adtran Installing and Logging into Ensemble Controller

13. Click Install.

The Installation Complete window opens. A change bar indicates progress while
the application installs:

14. After the installation completes, click Close.

Installing PuTTY
Complete these steps to install the terminal emulation program PuTTY, and then to
configure it so as to use the SSH protocol to access network elements (NEs) through an
Ethernet connection.

To make PuTTY the default SSH client program that is automatically opened by the
Ensemble Controller (ENC) when needed, see the User Manual, Browsers for more
information about how to specify the appropriate browser to be used by the Ensemble
Controller Client.

Requirements
l Have the IP address of the NE at hand to which you wish to connect.
l Generate SSH2 RSA and DSA keys prior to using PuTTY with the SSH protocol.
These keys are generated automatically the first time you access the NE with the
craft interface over a serial line.
To force the key generation on the NE, if prompted, type this command:
/etc/init.d/sshd force_keygen

Ensemble Controller R15.2 Administrator Manual - Issue: A 111

Adtran Installing and Logging into Ensemble Controller

Procedure
1. Access the website:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
The PuTTY Download Page opens.
2. Click the putty.exe file relevant for your operating system (OS) and save it.
By default, the file saves to the Downloads folder.

If you set the User Settings to use PuTTY by default, make sure that
the PuTTY installation path is correctly specified in the Browsers
window.

3. Go to the installation folder and double-click the putty.exe file.

Should a security warning appear, accept it by clicking Run.
The PuTTY Configuration window displays:

4. Set these parameters to configure PuTTY for using the SSH protocol:
a. Select SSH from the 'Connection type' buttons.
Depending on the connection type selected, the Port value adapts accordingly.

Ensemble Controller R15.2 Administrator Manual - Issue: A 112

Adtran Installing and Logging into Ensemble Controller

b. Expand the 'Connection' tree pane option and select SSH.

The 'Options controlling SSH connections' pane displays:

c. Select 2 only from the 'Preferred SSH protocol version' buttons.

5. To optimize the menu appearance in the craft:
a. Select Data from the 'Connection' tree pane option.
The 'Data send to the server' pane displays:

Ensemble Controller R15.2 Administrator Manual - Issue: A 113

Adtran Installing and Logging into Ensemble Controller

b. Type vt100 in the 'Terminal-type string' box.

6. To save the settings made so they will automatically appear next time that PuTTY is
started, complete these steps:
a. In the Category tree pane, select Session.
You return to the Basic options for your PuTTY session pane:

Ensemble Controller R15.2 Administrator Manual - Issue: A 114

Adtran Installing and Logging into Ensemble Controller

b. Specify a name for this particular PuTTY configuration, and then type it in the
Saved Sessions field, for example SSH.
Alternatively, in the Saved Sessions list, select Default Settings for this
configuration to become the default session.
c. Click Save. The saved session is added to the list.
d. To remove a saved session from the list, select it, and then click Delete.
7. To assign a certain PuTTY configuration to an NE so that it opens in accordance with
these settings, create a saved session:
a. In the Category tree pane, select Session.
You return to the Basic options for your PuTTY session pane:

Ensemble Controller R15.2 Administrator Manual - Issue: A 115

Adtran Installing and Logging into Ensemble Controller

b. Type the IP address of the respective NE in the Host Name (or IP address)
field.
c. Specify a name for this host and PuTTY configuration, and then type it in the
Saved Sessions field.
d. Click Save. The saved session is added to the list.

Installing CopSSH
For secure communication, the command line interface (CLI) client requires that you
install and configure a secure shell server. CopSSH is an OpenSSH server and client
implementation for Windows systems with an administration GUI.

Complete this procedure to install CopSSH.

For information about how to specify an appropriate SSH-client program that the
Ensemble Controller Client can use, see the User Manual.

1. In Control Panel > User Accounts, turn OFF the Windows User Account Control
(UAC).
2. Restart your computer.

Ensemble Controller R15.2 Administrator Manual - Issue: A 116

Adtran Installing and Logging into Ensemble Controller

3. In the console, type lusrmgr.msc to create a new system user account for later use
with the SSH server.
4. Add a new user as shown here:
Figure 2: New User Window

5. Edit the New User window as follows:

Field Description
User name Type an appropriate user name, for example,
advaremote.
Full name Type the full name of the user.
Description Type a user description.
Password Type a password, for example, secret123.
Confirm password Repeat the password from the Password field.
User cannot change Select this field so that the user cannot change his or
password her password.
Password never expires Select this field so that the password never expires.

6. Click Create to create the new user.

The process adds the new user as shown here.

Ensemble Controller R15.2 Administrator Manual - Issue: A 117

Adtran Installing and Logging into Ensemble Controller

Figure 3: New User Added and Selected

7. Grant the new user administrator rights:

Right-click Properties > Member Of > Add.
8. Add the user to the administrators group as shown here.
Figure 4: New User Added to Administrators Group

9. Install CopSSH:
a. Double-click the installer of copssh to install CopSSH. For example, the installer
can be copssh_server_7.10.1_x64_prod_installer.
b. During installation process, provide the license key and finish installation with
default settings.

Ensemble Controller R15.2 Administrator Manual - Issue: A 118

Adtran Installing and Logging into Ensemble Controller

Continue with these steps:

1. Open the COPSSH Control Panel.

2. Verify that the SSH service runs and no active connections exist.
3. Select Users to activate the user for who will use the SSH access.

Ensemble Controller R15.2 Administrator Manual - Issue: A 119

Adtran Installing and Logging into Ensemble Controller

4. Click Add.

5. From the User list, select the relevant user name.

6. Click Forward twice, and then Apply by using default values.
The CopSSH Control Panel window re-opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 120

Adtran Installing and Logging into Ensemble Controller

7. Click Apply to complete user activation.

8. Select Status.

9. To restart the SSH service, first stop it by clicking on the green ball icon.
10. Wait for the icon to turn red, and then reclick it to start the service again.
11. To verify that the connection uses CopSSH, start PuTTY by using the remote host IP
and the login and password of the user that you created. A typical PuTTY screen is
shown here. If the connection succeeds, the connection will operate correctly.

Ensemble Controller R15.2 Administrator Manual - Issue: A 121

Adtran Installing and Logging into Ensemble Controller

Figure 5: PuTTY Window

If you cannot connect to the remote server through PuTTY by using

IPv4, try to connect through PuTTY or another SSH client by using
IPv6.
If you can connect to the remote server through PuTTY by using
IPv6, repeat the commands from Step 2 in this procedure. This
action helps to connect to the remote server through Ensemble
Controller Server HA.

12. Verify that the created user for the SSH access has full security rights to the folder
and the sub folders of c:\Program Files\ADVA Optical Networking.
13. In Control Panel > User Accounts, turn ON the Windows User Account Control
(UAC).

Starting the Ensemble Controller

Server
These procedures describe how to start the Ensemble Controller Server in a Windows or
Linux environment.

You must start the Ensemble Controller Server before the Ensemble
Controller Client.

Procedure to Start the Server in Windows 123

Ensemble Controller R15.2 Administrator Manual - Issue: A 122

Adtran Installing and Logging into Ensemble Controller

Procedure to Start the Server in Linux 124

Procedure to Start the Server in Windows

You can use either of these methods:

Using the Windows Start Menu 123

Using the Windows Command Prompt 123

Using the Windows Start Menu

Click Start, and then from your Windows environment, select Launch Ensemble
Controller Server.

Using the Windows Command Prompt

1. Click Start, and then select Control Panel > User Accounts.
2. In the User Accounts window, verify whether your system deploys user account
control (UAC).
3. According to the UAC settings, continue with one of these options to start the
Ensemble Controller Server:
l If UAC is enabled, you can start the Ensemble Controller Server only as

administrator as described here:

a. Click Start.
b. Type CMD. Do NOT press Enter yet.
c. Right-click Command Prompt, and then select Run as administrator.
d. CD to the Ensemble Controller bin installation directory, for example:
C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\bin
e. Type StartServer, and then press Enter.
f. Ignore the error message isAdmin.vbs not found.
l If UAC is disabled, complete these steps:
a. Click Start.
b. Type CMD, and then press Enter.
c. CD to the Ensemble Controller bin installation directory, for example:
C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\bin.
d. Type StartServer, and then press Enter.

Ensemble Controller R15.2 Administrator Manual - Issue: A 123

Adtran Installing and Logging into Ensemble Controller

Procedure to Start the Server in Linux

1. To start the PostgreSQL server, at the command prompt, type:
/opt/adva/fsp_nm/postgres/support-files/postgres.server start
2. To start the Ensemble Controller Server, at the command prompt, type:
/opt/adva/fsp_nm/bin/fnm.server start

Stopping the Ensemble Controller

Server
These procedures describe how to stop the Ensemble Controller Server in a Windows or
Linux environment.

Procedure for Stopping the Server in Windows 124

Procedure for Stopping the Server in Linux 125

Procedure for Stopping the Server in Windows

You can use either of these methods:

Using the Windows Start Menu 124

Using the Windows Command Prompt 124

Using the Windows Start Menu

1. Click Start, and then from your Windows environment, select Shut down Ensemble
Controller Server.
A window opens to confirm the shutdown.
2. Type y to shut down the Server, or n to cancel.

Using the Windows Command Prompt

Ensemble Controller R15.2 Administrator Manual - Issue: A 124

Adtran Installing and Logging into Ensemble Controller

l If UAC is enabled, you can stop the Ensemble Controller Server only as
administrator as described here:
a. Click Start.
b. Type CMD. Do NOT press Enter yet.
c. Right-click Command Prompt, and then select Run as administrator.
d. CD to ENC Installation Directory\bin.
e. Type StopServer, and then press Enter.
f. Ignore the error message isAdmin.vbs not found
l If UAC is disabled, complete these steps:
a. Click Start.
b. Type CMD, and then press Enter.
c. CD to ENC Installation Directory\bin.
d. Type StopServer, and then press Enter.

Procedure for Stopping the Server in Linux

1. To stop the Ensemble Controller Server, at the command prompt, type:
/opt/adva/fsp_nm/bin/fnm.server stop
2. To stop the PostgreSQL server, at the command prompt, type:
/opt/adva/fsp_nm/postgres/support-files/postgres.server stop

Logging Into the Ensemble Controller

Client
Complete the steps in this procedure to log into the Ensemble Controller Client.

Requirements to Log Into the Ensemble Controller Client 126

Supported Encryption Protocols and Ciphers 126
Procedure to Log Into the Ensemble Controller Client 128
Taking Remedial Action for Failed Login Attempts 133

Ensemble Controller R15.2 Administrator Manual - Issue: A 125

Adtran Installing and Logging into Ensemble Controller

Requirements to Log Into the Ensemble

Controller Client
l To connect to the computer that has the Ensemble Controller Server installed, you
must know the host name or IP address of that computer, unless it is your own.
l For MTOSI, if you prefer to use a different web server port other than the default
8080, in the fnm.properties file, add the relevant port to the property
com.adva.fnm.option.webserver.port=[...].

By default, the Ensemble Controller Client attempts to connect to the

web server ports 80, 8080, and 9000. If you configured the web server
to use a different port, in the Ensemble Controller installation
directory, clientupdater folder, you must adapt the
launch.properties file accordingly. For example, add the property
launcher.webserver.port_4=9999, where 9999 represents the
port that the server uses.

For more information about server and client communication ports, see
Configuring Server and Client Communication Ports.
l Make sure that you prepared and enabled the Embedded License Server as
described in Preparing and Enabling the Embedded License Server. The Embedded
License Server stores the licenses that you purchased, and thus determines the
scope of system functions and features in Ensemble Controller, and also whether
you have unimpeded access to all network objects within a particular network.

Supported Encryption Protocols and Ciphers

HTTPS and JMS 126
Public/Private Keys x.509 (HTTP, JMS) 127
SSH: server-server, server-ftp server 128
Persistent password encryption 128
Server-NE Communication (SNMP, HTTP) 128

HTTPS and JMS

HTTPS

Ensemble Controller R15.2 Administrator Manual - Issue: A 126

Adtran Installing and Logging into Ensemble Controller

l GUI clients use TLSv1.3 by default.

l Clients that do not support TLSv1.3 can still communicate with the server with use
of TLSv1.2.
l The server does not support protocols: SSLv2Hello, SSLv3, TLSv1, TLSv1.1.
l The jetty.xml file defines excluded cipher suites that you can find under elements
with IDs " sslContextFactory" and "sslContextFactoryWithMutualAuth".

TLS 1.2 TLS 1.3

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLS_AES_128_CCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM TLS_AES_128_CCM_8_
SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

JMS
l GUI clients use TLSv1.3 with TLS_AES_256_GCM_SHA384 cipher suite by default.
l Clients that do not support TLSv1.3 can still communicate with the server with use
of TLSv1.2 with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
l You can configure the JMS server (ActiveMQ) via the activemq.xml file and the
"transportConnector" element.

These rules apply to all the clients that connect to Ensemble Controller,
for example ENC GUI, MTOSI, TAPI, GNSS.

Public/Private Keys x.509 (HTTP, JMS)

Java Cryptography Architecture JCA, Protocol SHA256withRSA

Ensemble Controller R15.2 Administrator Manual - Issue: A 127

Adtran Installing and Logging into Ensemble Controller

SSH: server-server, server-ftp server

server = ssh client (JCraft), dependent on SSH server, for example CopSSH5: AES128-CTR,
HMAC-SHA1

Persistent password encryption

l Encryption algorithm: AES 256
l Mode: GCM (Authenticated Encryption with Associated Data)

Server-NE Communication (SNMP, HTTP)

server = http/snmp client
l (snmp Privacy) DES (F3), AES128 for backward compatibility, AES192, and AES256
l (snmp Authentication) MD5, SHA, SHA256, and SHA512
l (http) TLSv1.2

Procedure to Log Into the Ensemble Controller

Client
1. Log into the Ensemble Controller Client according to your operating system:
l If you use Windows, from your Windows environment, select Ensemble

Controller Client. Alternatively, if available in your Start menu or taskbar, click

the Ensemble Controller Client icon.
l If you use Linux, in the console, type fnm.

Ensemble Controller R15.2 Administrator Manual - Issue: A 128

Adtran Installing and Logging into Ensemble Controller

The login window opens:

2. In the login window, edit the fields as described here. The field name displays when
you focus or click the field.

Field Description or Steps

Host Proceed with one of these options:
l If you run the Ensemble Controller Server locally on your
computer, select localhost.
l If you run the Ensemble Controller Server on a different
computer, type the IP address or host name.
l If you run the Ensemble Controller Server with IPv6, type the
defined alias name. For information about how to define an
alias name to connect to the server using IPv6, see Enabling
IPv6.
l If you run an Ensemble Controller Server pair in a high-
availability configuration, type the IP address of the computer
that runs the main Ensemble Controller Server. For more
information, see High-Availability Solution with a Redundant
Server.

Ensemble Controller caches your selection for your next session.

Ensemble Controller R15.2 Administrator Manual - Issue: A 129

Adtran Installing and Logging into Ensemble Controller

Field Description or Steps

Username Type your login account name. By default, this is admin.
If you log in remotely, for example, from a Citrix system, Ensemble
Controller retrieves the user name from that system and populates
the field accordingly. You cannot edit the field.
For more information, see Remote User Options.
Password Type your password. By default, this is ChgMeNOW.
If required, click the crossed-out eye to reveal the characters
that you type into the field.
Auto redirect Only select it if you want to use the High-Availability Solution with
to Master a Redundant Server.
server

3. Click LOG IN to start the Ensemble Controller Client. Wait for the process to
complete.
l If you see an unexpected error message during startup, see Resolving Access
Issues.
l If your attempt to start Ensemble Controller fails, see Taking Remedial Action for
Failed Login Attempts for information.
4. If your Ensemble Controller Client uses secure communication (HTTPS), a server
certificate appears asking for acceptance:
a. Proceed with one of these options:
l Click Accept to permanently accept the certificate. Ensemble Controller

stores the file with the accepted certificate locally to the

//<localUser>/Ensemble Controller/certs directory according to your
operating system.
This certificate will not appear again unless somebody deletes the content
of the certs folder, then the certificate examination window displays again
for you to take a decision.
–or–
l Click Accept Temporary to temporarily accept the certificate that is, only
for the current client session. You will again be asked to accept this
certificate when you log in next time.
–or–

Ensemble Controller R15.2 Administrator Manual - Issue: A 130

Adtran Installing and Logging into Ensemble Controller

l Click Cancel to stop the action, or close the dialog box. A message
confirms that you have not accepted the certificate. Select OK, and then
repeat this procedure from Step 2 for another login attempt.
b. If your Ensemble Controller is connected to any other servers, which you can
verify in the Multi-server Management window after you log in, additional
server certificates open one by one for each of them. Proceed with them using
the options described in the previous step.
If you cancel the action of accepting the certificates, after you log in, a
notification displays in the message pane, which allows to accept the certificates
of the servers in the Multi-server Management window later.
c. To accept server certificates from the message pane, double-click the
notification. The Multi-server Management window appears. For further
instructions about the Multi-server Management window and how to accept
the relevant server certificates, see Refreshing Selected Servers.
5. After you take care of the server certificates, and you successfully log in, this Login
Successful dialog box displays if you logged in before. If you log in for the first time,
proceed with Step 7.

This dialog box shows your login status and other login details.
6. Click Continue to open Ensemble Controller, or Logout to cancel.
7. If you log in for the first time, consider these events, which show once with your first
login. Ensemble Controller remembers the settings next time you log in, and they do
not show again.

Ensemble Controller R15.2 Administrator Manual - Issue: A 131

Adtran Installing and Logging into Ensemble Controller

l The Change Password dialog box opens:

Edit the fields as required, and then click OK to log in. If you click Cancel,
Ensemble Controller aborts the login process and a respective message shows:

For details about how to change the password again in a later session, see the
User Manual.
l The Windows Security Alert window might appear if you use a firewall:

As recommended in the field description, do not select the Public networks,

[...] field, and then click Allow access. If you click Cancel, the firewall might
block some features in Ensemble Controller, and you can use the Client only to a
limited extend, or not at all.

After the Ensemble Controller Client opens, you can view login-related notifications in
the message pane. To open the message pane, in the primary application bar, select
Messages. If you logged in using RADIUS or TACACS+ authentication, the message pane
Security tab does not appear.

Ensemble Controller R15.2 Administrator Manual - Issue: A 132

Adtran Installing and Logging into Ensemble Controller

Taking Remedial Action for Failed Login

Attempts
After you click Login in the Ensemble Controller Login dialog box, you might experience
these scenarios, which inform you about failed login attempts:
l This Message dialog box opens:

o Select OK, and then verify your login credentials. Re-enter them and try again
to log in.
–or–
o Stop and start the Ensemble Controller Server, and then try again to log in.
For information, see Stopping the Ensemble Controller Server and Starting
the Ensemble Controller Server.
l A warning message shows that Ensemble Controller is unable to acquire the basic
license from the Embedded License Server:

This message also shows if your license expired although it says that Ensemble
Controller cannot acquire the basic license. You can take these actions to
troubleshoot:
o In the Ensemble Controller installation directory, fnm.properties file, verify the

property com.adva.fnm.option.flexeraServer.ipaddress whether you specified

the correct Embedded License Server IP address. For information about the

Ensemble Controller R15.2 Administrator Manual - Issue: A 133

Adtran Installing and Logging into Ensemble Controller

license-related properties, see Embedded License Server Options.

o Test whether you can reach the Embedded License Server with ping.
o Log in the Embedded License Server as described in the User Manual,
Accessing the Embedded License Server, and then verify whether you have an
available basic license, for example ENC-SERVER-R12.X.
l If your current Ensemble Controller Client version is older than or incompatible
with the Ensemble Controller Server, a message displays where we recommend or
asks you to upgrade or downgrade to a different software version. Click Yes.
If the download or upgrade is defective or fails, which error messages show, take
these options into account, and then try to log in again:
o The fnm.properties file contains a parameter that controls whether the server

version is verified against the client. If set to true, the system prevents the
client from being upgraded. For more information, see the parameter
description com.adva.fnm.option.disableClientUpdates.
o See Troubleshooting Client Download Errors or Resolving Installation Issues.

o To view and delete clients that you already installed, see Viewing and
Deleting Installed Clients.
After the download or upgrade completes, Ensemble Controller starts.
l Invalid authentication message displays. The second failed login attempt results in
a 5 seconds login delay. Every next failed attempt doubles the previous login delay
until it reaches maximum of 15 minutes. In case of any login attempts during the
temporary delay period, the system will reject the attempt and display the invalid
authentication message along with the remaining delay time. The administrator
account is not locked permanently at any point.

Ensemble Controller R15.2 Administrator Manual - Issue: A 134

Adtran Installing Ensemble Controller for Pro-Vision

Chapter 2

Installing Ensemble
Controller for Pro-Vision
You can install Ensemble Controller for Pro-Vision to operate in Linux or Windows.

Installation Procedure for Linux 135

Installation Procedure for Windows 136

For information about how to operate and maintain Pro-Vision, see the Appendix C, Pro-
Vision – Service Provisioning and Management Platform.

Installation Procedure for Linux

1. In the CLI, untar the image into a directory of your choice.
tar xvf Ensemble_Controller_for_Linux_v11.3.1.tar
If you run an OS-installed postgres service, shut it down before you install the
software. If you leave the postgres service running, that can interfere with the
installation. To stop the service, enter sudo service postgresql stop or kill all
postgres processes.
2. Navigate to the root directory, and then run the Ensemble installer script as root.
Untar the file to this directory.
3. Use the root issue:
./install, which installs the installer script in /opt/adva/fsp_nm
4. Select #1(ENC), and then enter answer y for yes to install it.
5. After the prompt, enter any valid password that you create, which is the Postgres
database password.

Ensemble Controller R15.2 Administrator Manual - Issue: A 135

Adtran Installing Ensemble Controller for Pro-Vision

6. After the prompt, enter n for no to start the server because you need to complete
other steps first.
7. To edit the /opt/adva/fsp_nm/fnm.properties file, search for #
com.adva.nlms.mediation.pv.startModule=true.
Delete the # and the space after it.
8. You can increase the event log maximum size of 200,000 by changing the property
com.adva.nlms.mediation.event.maxEventLogSize located in the
fnm.properties file. See the appendix
com.adva.nlms.mediation.event.maxEventLogSize for more information.
9. As root, start the server.
/opt/adva/fsp_nm/bin/fnm.server start
The pvlog file no longer exists. It is now named mediation.log and located in the
/opt/adva/fsp_nm/var/log.
10. In your browser, access Pro-Vision using this URL:
https://<ip-address>:8443/pv
11. Enter your license name and key.
12. Login with the administrator password.
ChgMeNOW

Installation Procedure for Windows

1. Download the Pro-Vision software to a local directory.
2. From your Windows desktop, open the folder where you downloaded the Pro-Vision
software.
3. From the folder:
a. Right-click the Ensemble_Controller_for_Windows-v.11.2.1-64bit.exe.
b. Select Run as administrator.
The InstallAnywhere window opens and shows the progress of the installation.
After the installation completes, the Introduction window opens.
4. In the Introduction window, click Next. The Choose Install Folder window opens.
You can install the file where you choose or accept the default.
5. Click Next. The Choose Install Set window opens.
6. Click Next. The Pre-Installation Summary window opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 136

Adtran Installing Ensemble Controller for Pro-Vision

7. Review the Pre-Installation Summary, and then click Install. An Ensemble

Controller window opens and shows the progress of the installation. After the
installation completes, the Post Install Process - ENC Server window opens.
8. Click Next to open the Installation Complete window.
9. Click Done. ENC should now be successfully installed.
You must now perform the next step because the Windows installation process starts
the ENC server before you can edit the fnm.properties file (see Editing the
fnm.properties File).
10. From the bin directory, right-click the StopServer application to stop the server, and
then run as administrator.
11. Proceed with these topics:
Enabling User Permissions 137
Configuring FSP Network Manager Files 137
Starting the Server 138

Enabling User Permissions

1. From the Program Files (x86) folder, double-click the ADVA Optical Networking
folder to open it.
2. Right-click the FSP Network Manager folder, and then select Properties to open
the FSP Network Manage Properties window.
3. Select the Security tab.
4. Click Edit to open the Permissions for FSP Network Manager window.
5. From the Group or user names list, click Users to highlight it.
6. From the Permissions for Users list, make sure that Full control and Modify are
enabled.
7. Click Apply to change all the file permissions.
8. After the software changes the file permissions, click OK to close the Permissions
for FSP Network Manager window.

Configuring FSP Network Manager Files

1. From the FSP Network Manager folder, open the fnm.properties file.
2. In the fnm.properties file, search for
# com.adva.nlms.mediation.pv.startModule=true
3. Delete the # and the space after it.

Ensemble Controller R15.2 Administrator Manual - Issue: A 137

Adtran Installing Ensemble Controller for Pro-Vision

Starting the Server

1. From the ADVA Optical Networking folder, open the FSP Network Manager
folder and then double-click the bin directory.
2. From the bin directory, right-click the StartServer.bat file and select Run as
administrator. The server can take a few minutes to start.
3. After Pro-Vision completes loading, enter this URL.
https://ip-address or localhost:8443/pv
4. At the URL, you are prompted to enter your license information.
5. At the prompt, enter your License Name and Key, and then click Install. The License
Installed Successfully window opens.
6. Click Close. The Login window opens.
7. Enter your Username and Password, select Please select to confirm, and then click
LOG IN. The Pro-Vision map window opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 138

Adtran Configuring Ensemble Controller

Chapter 3

Configuring Ensemble
Controller
This chapter describes actions to manage security and administrate Ensemble Controller.

Security 139
High Availability 176
System Settings 236
Configuring Operations from the fnm.properties File 268
Script or Command-based Operations 288
Installing the Docker-Community Edition Application in Linux 315
Configuring Sync Assurance and the Ensemble Fiber Director Server 324
Consolidating Ensemble Controller Servers 356
Accessing Management Tools 371
Fault Management 390

Security
This chapter discusses operations that contribute to support security-relevant topics in
Ensemble Controller.

Hardening the Ensemble Controller Application 140

Security Manager 143
Changing Passwords on Network Elements Using SNMP 158

Ensemble Controller R15.2 Administrator Manual - Issue: A 139

Adtran Configuring Ensemble Controller

Enabling a Connection of One Ensemble Controller Client to Multiple

Servers 163
Enabling Two-Man Approval for Actions 164
Granting Temporary Admin User Rights on Network Elements 168
SSH Settings 175
SFTP Settings 175

Hardening the Ensemble Controller Application

Hardening a computer system is also known as defense in depth, and refers to providing
various means of protection on several layers, for example, on the host level, the
application level, the operating system level, the user level, the physical level, or any other
sublevels. Each level requires a unique method of security.

This table provides an overview of the supported options to enhance the security of
Ensemble Controller on the application level exclusively. Each option provides a link to
the section for more information.

Hardening Options More Information

Usage of SNMPv3 with encryption for a User Manual
secure communication to network elements.
Changing the default password of the User Manual
Ensemble Controller admin user.
Configuring the password rules for users. Editing Security Parameters
Setting Auto Lock and Auto Logoff. Setting Auto Lock and Auto Logout
Enabling RADIUS. Setting Up RADIUS Authentication
Enabling the 4-eyes principle. Enabling Two-Man Approval for Actions
Displaying a message after the client login Post-Login Dialog Box Message
to show important notifications.
Usage of secure protocols to transfer files. User Manual
Enabling secure protocols if you use the CLI Using a Secure Protocol
interface as craft to manage network
elements.
Closing all ports not used for Communication Ports
communication on an external firewall.

Ensemble Controller R15.2 Administrator Manual - Issue: A 140

Adtran Configuring Ensemble Controller

Hardening Options More Information

Disabling unsecure HTTP communication com.adva.fnm.option.webserver.port
(client / server and MTOSI) and enforcing =none
transport layer security (TLS) (HTTPS).
Using customer-specific certificates for TLS Using Customer Certificates
(HTTPS).
Running Ensemble Controller services using Steps to Installing Ensemble Controller in
a non-root account. Linux, especially Step 8.
Disabling JMX for the ActiveMQ JMS server. Properties for Configuring the Java
Messaging System (JMS)
Changing the database password. This Changing the Database Password
operation causes the Ensemble Controller
Server to automatically restart.

The Diffie-Hellman Epheremal Key Agreement Protocol can be used for an attack on
network facing SSL / TLS / HTTPS / SSH services leading to excessive compute time
usage. Therefore the DHE cypher suite is deactivated by default for ENC mediation
service. In case that the protocol needs to be enabled, the following procedure shall be
applied: Edit the jetty.xml, and delete all the occurrences of the line (2 occurrences
currently): <Item>(TLS_DHE)_.*</Item>

Increasing the Entropy of a Virtual Machine or Headless

Server
On a virtual machine or headless server, the available randomness is much lower than on
a real machine, due to for example: the lack of access to hardware, or lack of mouse and
keyboard activity. Information about the server low entropy can be obtained if the
command "cat /proc/sys/kernel/random/entropy_avail" returns a small number (lower
than 1000).

Adequate randomness in virtual machines or headless servers is a general issue and there
is more than one solution to fix it. You may choose a solution of your preference. The
goal for hardening is to increase the entropy and keep it high at all times.

ENC has been tested using a service called “haveged” for increasing the entropy. The
haveged project provides an easy to use, unpredictable random number generator based
upon an adaptation of the HAVEGE algorithm and can be installed with the Linux
package manager.

Follow these steps to install haveged:

Ensemble Controller R15.2 Administrator Manual - Issue: A 141

Adtran Configuring Ensemble Controller

1. Install EPEL for release 7 or 8:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-
7.noarch.rpm or https://dl.fedoraproject.org/pub/epel/epel-release-
latest-8.noarch.rpm
yum install epel-release-latest-7.noarch.rpm or yum install epel-
release-latest-8.noarch.rpm
2. Install heveged:
yum install haveged
3. Start and enable the service:
systemctl start haveged
systemctl enable haveged

l A solution for the randomness/entropy is only required for the

ENC servers that run on Linux. There is no need to install haveged
on the machines that only run ENC GUI client.
l For more information about EPEL, see
https://www.redhat.com/en/blog/whats-epel-and-how-do-i-use-
it.

Ensemble Controller R15.2 Administrator Manual - Issue: A 142

Adtran Configuring Ensemble Controller

Security Manager

User Authentication 143

Users Tab 144
Groups Tab 149
Roles Tab 153
Action Log Tab 156
Sessions Tab 157

User Authentication
To avoid unauthorized access to the system, users must log in to the Ensemble
Controller. Each user has a unique name for identification and a password for
authentication.

Ensemble Controller R15.2 Administrator Manual - Issue: A 143

Adtran Configuring Ensemble Controller

Each user password including the administrator password, is valid for a specific length of
time. When that time has passed, the password has aged and the user or administrator is
prompted to change it.

Password blacklists regulate when an old password can be re-used. This enables
administrators to enhance security by ensuring that old passwords are not used
continually.

After a certain time of in-activity, a logged in user is logged off by the system. Also, there
is a requirement to have a minimum length of both, user account names and passwords.

All these settings are stored on the Ensemble Controller Server and are valid for all users
connected to that Ensemble Controller Server. See the appendix > Security Options for
information about how to change these settings.

In addition, all users are members of one or more groups. A role and a view are assigned
to each group. The actions each user is allowed to perform, are deduced from the role
and the view defined for the groups of which the user is a member.

The user that will do network element backups or restoring needs to

have full user rights on the FTP or SFTP server - that is read, write,
modify, or delete.

Users Tab
In the Users tab, you can manage the user accounts.

You cannot manage any remote user accounts (RADIUS, TACACS+, or LDAP) in Ensemble
Controller. However, if remote users log in at least once, the remote user account
displays in the Table.

Generic Information about Users 144

Ribbon Menu 145
Table 147
Details Pane 148

Generic Information about Users

By default, the Security Manager includes an administrator account with the user name
admin and the password ChgMeNOW.

An administrator can add user accounts as required. For each user account, you assign a
group to suit the user needs; see Groups Tab for information. Each user account can be a

Ensemble Controller R15.2 Administrator Manual - Issue: A 144

Adtran Configuring Ensemble Controller

member of several groups. The permissions that this user account has, is then the union
of these groups.

The user that will do network element backups or restoring needs to

have full user rights on the FTP or SFTP server - that is read, write,
modify, or delete.

If error messages appear after you log in to a user account, this account might impose
restrictions towards permissions (roles). For example, you are not allowed to log in to an
account more than once. An administrator can set account permissions in the Roles tab.
For more information about how to configure roles, see Roles Tab.

For an overview of the default roles and allocated actions supported, see the appendix >
Roles and Allocated Actions.

Ribbon Menu
Use the ribbon menu in the Users tab to manage user accounts as described in these
topics:

Adding Users 146

Editing Users 146
Deleting Users 146
Exporting the Users Table 147
Resetting to Factory Default 147

Ensemble Controller R15.2 Administrator Manual - Issue: A 145

Adtran Configuring Ensemble Controller

Adding Users
1. In the Users tab ribbon menu, Options area, select Add. The Identity accordion in
the details pane opens.
Mandatory attributes that you must specify, display in red and provide clear
instructions about how to enter the required text. If you enter text that does not
comply to the instructions, a respective error message displays.
l To verify the entered password, next to the Password field, click and hold the
eye button.
l To enable or disable these features, select its switch:
o User must change password at next logon

o Account is enabled
2. Select the Groups accordion to expand it, and then select the appropriate group for
this user.
3. Click Save changes to add the user.
The Security Manager adds the new user to the Users table.
–or–
Click Cancel to stop the operation.

Editing Users
1. In the Users Table, select the user account that you want to edit.
2. In the Users tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.
3. In the Details Pane, modify the relevant attributes as appropriate.
4. Click Save changes to apply your changes.
The Security Manager updates the user account in the Users table according to your
changes.
–or–
Click Cancel to stop the operation.

Deleting Users
1. In the Users Table, select the user account that you want to delete.
2. In the Users tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the user account from the Users table.
–or–
Click Cancel to stop the operation.
Ensemble Controller R15.2 Administrator Manual - Issue: A 146
Adtran Configuring Ensemble Controller

Exporting the Users Table

Complete these steps to export the Users table to a comma-separated value (CSV) file.
Table rearrangements such as sorting, filtering, or hidden columns are taken into
account.

1. In the Users tab ribbon menu, Export area, select Table (CSV).
The Save dialog box displays:

2. As appropriate, change the file name and location of storage. The file name length
must not exceed 255 characters. If it does, an error occurs if you click Save.
3. Click Save to complete the export, or Cancel to stop the operation.
4. See the message pane for any result messages about this action.

Resetting to Factory Default

To reset the settings for users, groups, and roles to factory default, in the Users tab
ribbon menu, Other area, select Restore. After you select Restore, the Security Manager
restores:
l The admin user password to ChgMeNOW.
l Groups and roles if you deleted them.

This operation does not affect group visibility settings for networks or services.

Table
The Users table contains these columns:

Column Description
Account is Enabled The user account status.

Ensemble Controller R15.2 Administrator Manual - Issue: A 147

Adtran Configuring Ensemble Controller

Column Description
User Name The login name of the user account.
Full Name The full name of the user. This is an optional field.
Description A description of the user account, if one had been added when the
user was created.
Group The group to which this user belongs.
Last Login The time when the user last logged on.
Authentication The type of authentication mechanism used:
Type l Local - authentication through Ensemble Controller (ENC) user
database
l External - authentication through RADIUS or TACACS+ for
example

Details Pane
The Users tab includes these accordion containers in the details pane:

Identity 148
Groups 148

Identity
The Identity accordion container provides these attributes:
l User Name - text box
l Full Name - text box
l Description - multiline text box
l Email Address - text box
l Password - text box and mandatory in the course of creating a new user
l Change password flag - switch
l Account activation status (Account is enabled) - switch

Groups
The Groups accordion container shows a list of the available user groups that you can
select.

Ensemble Controller R15.2 Administrator Manual - Issue: A 148

Adtran Configuring Ensemble Controller

Groups Tab
You can manage user groups in the Groups tab.

Ribbon Menu 149

Table 150
Details Pane 150

Ribbon Menu
Use the ribbon menu in the Groups tab to manage groups as described in these topics:

Adding Groups 149

Editing Groups 150
Deleting Groups 150

Adding Groups
1. In the Groups tab ribbon menu, Options area, select Add. The Identity accordion in
the details pane opens.
Mandatory attributes that you must specify, display in red and provide clear
instructions about how to enter the required text. If you enter text that does not
comply to the instructions, a respective error message displays.
2. Specify attributes for this group as required.
The Identity accordion, Role field shows a list of the roles that you create and
maintain in the Roles Tab.
3. Select the Members accordion to expand it, and then select the appropriate user for
this group. You can select several users for a group. The number of users that a
group can have is unlimited. You create and maintain these users in the Users Tab.
4. Select the Network accordion to expand it, and then give permission ( ) or restrict
the network view ( ). Select the appropriate symbol for subnetworks or parts of it.
With each click, the symbol changes.
5. Select the Services accordion to expand it, and then give permission or restrict the
services view for customers and also its services as described in the previous Step 4.
6. Click Save changes to add the group.
The Security Manager adds the new group to the Groups table.
–or–
Click Cancel to stop the operation.

Ensemble Controller R15.2 Administrator Manual - Issue: A 149

Adtran Configuring Ensemble Controller

Editing Groups
1. In the Groups Table, select the group that you want to edit.
2. In the Groups tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.
3. In the Details Pane, modify the relevant attributes as appropriate.
4. Click Save changes to apply your changes.
The Security Manager updates the group in the Groups table according to your
changes.
–or–
Click Cancel to stop the operation.

Deleting Groups
1. In the Groups Table, select the group that you want to delete.
2. In the Groups tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the group from the Groups table.
–or–
Click Cancel to stop the operation.

Table
The Groups table contains these columns:

Column Description
Group name The name of the group. The groups Operator, Monitor, Configurator,
and Administrator are predefined.
Role The role that is assigned to the group. Roles are created and
maintained in the Roles Tab tab.
Description A description of the group provided that one was added in the course
of creating the group.

Details Pane
The Groups tab includes these accordion containers in the details pane:

Identity 151
Members 151

Ensemble Controller R15.2 Administrator Manual - Issue: A 150

Adtran Configuring Ensemble Controller

Network 151
Services 152

Identity
The Identity accordion container provides these attributes:
l Group name - text field
l Role - list
The role options in this list are according to the roles created and maintained in
the Roles Tab tab.
l Description - text field

Members
The Members accordion container shows a list of available group members (users). You
create users in the Users Tab. A group can have an unlimited number of members that is,
you can select several members.

Network
The Network accordion container allows to give or not to give permission for viewing all
parts of a network, just a selection, or nothing at all.

It is structured in a tree-like fashion as known from the tree pane.

A green icon (permission is given) is replaced by a red icon (permission is not given)
when clicked and the other way around.

If viewing is disabled at the network group, it is not possible to enable permissions for
one or more networks below it. However, if viewing is enabled at network group level, it
is possible to disable viewing for one or more networks below it.

Not only the visibility of the selected objects themselves such as networks is affected, but
also the visibility of all associated resources such as network elements, links, events,
alarms, reports, and so on, is affected.

Ensemble Controller R15.2 Administrator Manual - Issue: A 151

Adtran Configuring Ensemble Controller

If group view properties are changed, group users must log off, and
then log in again to synchronize with the new view settings.

Historical alarms or events might still be displayed for user groups with a restricted view.
This is because respective network elements had been created before the restricted view
was applied.

Services
The Services accordion container allows to give or not to give permission for viewing
services.

It is structured in a tree-like fashion as known from the tree pane.

A green icon (permission is given) is replaced by a red icon (permission is not given)
when clicked and the other way around.

If viewing is disabled at the customer group, it is not possible to enable permissions for
one or more customer groups below it. However, if viewing is enabled at a customer
group level, it is possible to disable viewing for one or more customer groups
underneath it.

Not only the visibility of the selected objects themselves such as services is affected, but
also the visibility of all associated resources such as network elements, links, events,
alarms, reports, and so on, is affected.

If group view properties are changed, group users must log off, and
then log in again to synchronize with the new view settings.

Historical alarms or events might still be displayed for user groups with a restricted view.
This is because respective services had been created before the restricted view was
applied.

Ensemble Controller R15.2 Administrator Manual - Issue: A 152

Adtran Configuring Ensemble Controller

Roles Tab
You can manage roles in the Roles tab. For an overview of the default roles and allocated
actions that the Security Manager supports, see the appendix > Roles and Allocated
Actions.

Ribbon Menu 153

Table 154
Details Pane 154

Ribbon Menu
Use the ribbon menu in the Roles tab to manage roles as described in these topics:

Adding Roles 153

Editing Roles 153
Deleting Roles 154

Adding Roles
1. In the Roles tab ribbon menu, Options area, select Add. The Identity accordion in
the details pane opens.
Mandatory attributes that you must specify, display in red and provide clear
instructions about how to enter the required text. If you enter text that does not
comply to the instructions, a respective error message displays.
2. Specify attributes for this role as required.
3. Select the Permissions accordion to expand it, and then allow ( ) or disallow ( )
certain actions to be performed by this role. Select the appropriate symbols.
For some actions, a third symbol option (needs approval) is available. This action
requires approval from an authorized second person before it can be carried out.
With each click, the symbol changes.
4. Click Save changes to add the role.
The Security Manager adds the new role to the Roles table.
–or–
Click Cancel to stop the operation.

Editing Roles
1. In the Roles Table, select the role that you want to edit.
2. In the Roles tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.

Ensemble Controller R15.2 Administrator Manual - Issue: A 153

Adtran Configuring Ensemble Controller

3. In the Details Pane, modify the relevant attributes as appropriate.

4. Click Save changes to apply your changes.
The Security Manager updates the role in the Roles table according to your changes.
–or–
Click Cancel to stop the operation.

Deleting Roles
1. In the Roles Table, select the role that you want to delete.
2. In the Roles tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the role from the Roles table.
–or–
Click Cancel to stop the operation.

Table
The Roles table contains these columns:

Column Description
Role The role name.
Description A description of the role provided that one was added in the course of
creating the role.

Details Pane
The Roles tab includes these accordion containers in the details pane:

Identity 154
Permissions 155

Identity
The Identity accordion container provides these attributes:
l Role name - text box
l Description - text box that can contain multiple lines

Ensemble Controller R15.2 Administrator Manual - Issue: A 154

Adtran Configuring Ensemble Controller

Permissions
In the Permissions accordion container you can manage the permissions to perform
certain tasks.

To allow or disallow an action, click the icon for that action. The icon changes with
each click. Some actions show a 3rd needs-approval icon . If you select the needs-
approval icon, an authorized second person must first approve this action before the user
can apply it.

If you disallow an action, Ensemble Controller disallows also its dependent actions. If you
revert the action back to be allowed, Ensemble Controller does not revert the dependent
actions. If required, you must change each of the dependent actions individually.

For an overview of the actions supporting the second-person or two-man approval

permission, see Roles and Allocated Actions.

For general information about the two-man approval feature including the authorization
of a second person, see Enabling Two-Man Approval for Actions.

Ensemble Controller R15.2 Administrator Manual - Issue: A 155

Adtran Configuring Ensemble Controller

Action Log Tab

You can manage the security event severities in the Action Log tab.

Changing Event Severities 156

Table 156
Details Pane 156

Changing Event Severities

Complete these steps to change event severities:

1. In the Action Log Table, select the event group that you want to edit.
2. In the Action Log ribbon menu, Options area, select Edit.
–or–
In the Details Pane, click the pen.
The Details Pane displays the events and its severities for the selected event group
that you now can edit.
3. In the Details Pane, use the slider to change the severity for a security event. The
severity icon and label changes while you move the slider. For keyboard navigation,
use the Left or Right Arrow keys to move the slider. To navigate in the details pane,
use the Up or Down Arrow keys.

4. Click Save changes to apply your changes.

–or–
Click Cancel to stop the operation.

Table
The Action Log table displays the supported event groups and contains these columns:

Column Description
Event Group The event group containing the event-related actions.
Description A brief description of the event group content.

Details Pane
After you select an event group in the Action Log Table, the details pane displays the
supported security events and its severities. For information about how to change the
severity for a security event, see Changing Event Severities.

Ensemble Controller R15.2 Administrator Manual - Issue: A 156

Adtran Configuring Ensemble Controller

Sessions Tab
You can manage the user sessions in the Sessions tab.

Ribbon Menu 157

Table 157
Details Pane 157

Ribbon Menu
Select a session in the Sessions Table and then use the Sessions ribbon menu to:
l Terminate the session.
–or–
l Refresh the data in the Table.

Table
The Sessions table contains these columns:

Column Description
User name The login name of the user account.
Host The name of the host.
IP Address The IP address of the computer on which the client application runs.
Logged In At The time when the user logged in.

Details Pane
After you select a session in the Sessions Table, the details pane (read only) updates and
presents the session-related attributes:
l User Name - text box
l Host - text box
l IP Address - text box
l Logged In At - text box
l Last Action - text box - displays up to five security events with time and
description. Should there be more than five events, a scroll bar is made available.

Ensemble Controller R15.2 Administrator Manual - Issue: A 157

Adtran Configuring Ensemble Controller

Changing Passwords on Network Elements Using

SNMP
This feature uses SNMP to modify the non-SNMP password on a given network element.
Network elements use SNMPv3 to communicate, which must be enabled on the network
element. For more information about how to configure SNMP properties, see the User
Manual.

The password-change action (PCA) manager also provides:

l Scheduling
l Fault update
l Overall PCA status
l PCA network element status
l Log information
l Log summary
l Email notification
l Background mode

These network elements support the password change through SNMP:

l FSP 150CM
l FSP 150CC-GE20x
l FSP 150CC-T
l FSP 150CP 2.7.01BT
l FSP 150EG-M2
l FSP 150EG-M4
l FSP 150EG-M8
l FSP 150EG-X
l FSP 150-GE11x
l FSP 150-XG116Pro
l FSP 150-XG120Pro
l FSP 150-XG120Pro-SH
l FSP 150-XG210
l FSP 3000R7
l Hatteras HN400, HN4000
l OSA 541x

Ensemble Controller R15.2 Administrator Manual - Issue: A 158

Adtran Configuring Ensemble Controller

l OSA 542x
l OSA 5430
l OSA 5440
l OSA 5548C
l OSA Softsync

Requirements to Change Passwords Using SNMP 159

Procedure to Change Passwords Using SNMP 159
Activating a Log File 161

Requirements to Change Passwords Using SNMP

l To change network element passwords through SNMP, you need to have the
permission Modify Network Element Password. This permission is by default
granted only to the roles of administrators.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller Settings,
select Security, and then Security Manager. For more information about user roles
and allocated privileges, see Roles and Allocated Actions.
l The Security Manager user group that relates to the permission Modify Network
Element Password must have a non-restricted view that is, the Network and
Services are fully available to that user group. For information about how to edit
user groups in the Security Manager, see Editing Groups.

Procedure to Change Passwords Using SNMP

Complete these steps to change the network element passwords through SNMPv3:

1. To verify that SNMPv3 is enabled on the relevant network elements, use either way:
l To verify the SNMP settings for individual network elements, in the Networks
tree pane, select the network element, and then in the tab pane, open the
Overview tab, SNMP Configuration area.
l To verify the SNMP settings that apply to your entire network, in the Networks
tree pane, select the network, and then in the tab pane, open the SNMP Profiles
Tab. To verify the configuration for a profile, in the ribbon menu Action area,
select SNMP Profiles Manager. For information about the SNMP Profiles
Manager window, see the User Manual.
2. Verify these fields or areas and its values:

Ensemble Controller R15.2 Administrator Manual - Issue: A 159

Adtran Configuring Ensemble Controller

Field or Area Description or Steps

SNMP Version You set the value to v3.
SNMPv3 Settings You specified the relevant user settings.

For more information about how to configure SNMP, see the User Manual and the
appropriate topic:
l To configure SNMP settings for individual network elements, see Configuring
SNMP for a Network Element.
l To configure SNMP settings that apply to all network elements included in your
network, see Managing SNMP Profiles.
3. From the application bar Settings menu, select Security, and then Change
Password on NEs. The Password Change Action dialog box opens divided in two
panes vertically aligned. The left pane is set up as table summarizing existing
configurations. The right pane is the configuration pane.
4. In the Network Element table column, expand the relevant network tree to view its
network elements.
5. Proceed with the Select table column in either way:
l To change passwords for all network elements included in your network, select
the option for the root Network.
l To change passwords for all network elements in a network, select the option
for that network.
6. In the configuration pane, New Password area, type the User Name and the new
Password for the selected network.
7. In the Confirm field, re-enter the password.
8. In the Scheduled Change area, select one of these options:
l Immediate: To change the password now.
l Delayed: To change the password on the date and time that you specify.
9. Click Start to begin the password change.
The Password Change Status area shows the state of the command. These values
are supported: Idle, Scheduled, Running, or Completed.
The Execution Status table column shows one of these options:
l Idle: The PCA does not cover the network element.
l Pending: The PCA covers the network element, but the password is not
changed yet.

Ensemble Controller R15.2 Administrator Manual - Issue: A 160

Adtran Configuring Ensemble Controller

l Complete: The PCA covers the network element, and the password was
successfully changed.
l Fail: The PCA covers the network element, but the password was not
successfully changed.
The Error Description table column provides a failure reason for each network
element that has a FAIL status as follows:
l Internal Ensemble Controller errors.
l SNMPv3 not supported - the network element does not support SNMPv3.
l SNMPv3 supported but not used - SNMPv3 is supported by the network
element but currently not used.
l SNMPv3 security level is incorrect - an incorrect SNMPv3 security level was used.
l SNMP communication timed out - no response from network element.

Activating a Log File

The user can activate a log file that will be stored in the LOG subdirectory and can be sent
to a specific email address. See Password Change Action Manager Options for activation
details. This log file is a plain ASCII file. It provides these attributes:
l <Date> <Time> <Category> - <Result>: <Description>
o Date - yyyy-mm-dd (yyyy - year, mm - month, dd - day)
o Time - hh:mm:ss,ms (hh - hour, mm - minute, ss - second, ms - millisecond)
o Category - always <INFO>
o Result
n empty

n <SUCCESS>
n <ERROR>

The log file consists of these blocks:

l Configuration section
o Start date and time

n Category - <INFO>

n Result - empty
n Description - “PCA started at <date and time>”

Ensemble Controller R15.2 Administrator Manual - Issue: A 161

Adtran Configuring Ensemble Controller

o Number of assigned NEs

n Category - INFO

n Result - empty
n Description - <number> of NEs assigned to the PCA
l Details section
o Change Result, given for each covered NE

o Category - <INFO>
o Result
n <SUCCESS> - if password change was successful

n <ERROR> - if password change failed

o Description
n <SUCCESS> - The password was successfully changed for <name> (<ip_

address>)
n <ERROR> - The password change failed for <name> (<ip_address>)
l Summary section
o Number of covered NEs

n Category - <INFO>

n Result - empty
n Description - “<number> of NEs were covered by the PCA”
o Number of successful Password Changes
n Category - <INFO>

n Result - empty
n Description - “Password successfully changed for <number> NEs”
o Number of failed Password Changes
n Category - <INFO>

n Result - empty
n Description - “Password change failed for <number> of NEs.”
o End date and time
n Category -< INFO>

n Result - empty
n Description - “PCA finished at <date and time>”

Ensemble Controller R15.2 Administrator Manual - Issue: A 162

Adtran Configuring Ensemble Controller

Enabling a Connection of One Ensemble

Controller Client to Multiple Servers
To navigate between multiple Ensemble Controller Servers using a Client, you must adapt
security settings for the user to have permission to perform this action. This procedure
addresses setting these permissions.

After you completed this procedure, you can connect to different servers from your
client. Meet these requirements:
l The servers that you connect to must have the same software version.
l Log in with the same user account with equal or lower privileges.

If you disregard these requirements, you could experience unwanted effects and we
cannot guarantee proper operation anymore.

For information about how to connect to different servers, see the User Manual.

If you use RADIUS and RSA SecurID tokens to set up a one-time-

password (OTP) to log in, then you cannot connect to multiple
Ensemble Controller Servers anymore. For more information about
how to log in through RSA SecureID tokens, see RADIUS Access-
Challenge.

Follow this procedure to connect to multiple servers.

1. Open the Security Manager, and then select the Roles Tab.
2. In the Roles Table, select the role of which you want to change action properties,
and then in the ribbon menu (Ctrl + F1) select Edit.
Alternatively to edit an existing role, you can add a new role as described in Adding
Roles, and then assign this role to a new group as described in Adding Groups.
The Role Details Pane is made editable.

Ensemble Controller R15.2 Administrator Manual - Issue: A 163

Adtran Configuring Ensemble Controller

3. In the Permissions accordion container, expand Application:

4. Navigate to Modify Connected Servers, and then click its red cross to the right,
which turns into a green checkmark indicating that the action is now permitted.
5. Select Save changes .

Enabling Two-Man Approval for Actions

When the two-man approval feature is enabled, then a respective action first has to be
approved by an authorized second person before it can be carried out.

For example: A user wants to modify a connectivity service. However, this action is
subject to the two-man approval (or rule) permission.

An approval request is automatically sent from the user, the "requester" to the
person authorized to approve such a task, the "approver".

The approver may now decide whether to reject or allow the user to carry out the
respective task.

The procedure to enable the two-man approval feature is carried out in the sequence as
follows. It is an overview of the overall approach for this procedure. For detailed
information, follow the referenced sections provided in each step:

1. Apply the two-man rule permission to user actions as described in Applying the Two-
Man Rule Permission to User Actions.

Ensemble Controller R15.2 Administrator Manual - Issue: A 164

Adtran Configuring Ensemble Controller

2. Assign a user for approver as described in Assigning a User for Approver.

Settings made in Step 1 and 2 result in these three phases when user actions are
carried out that are subject to the two-man rule permission:
l Request Phase - For details about this phase, see About the Request Phase.
l Decision Phase - for details about this phase, see About the Decision Phase.
l Response Phase - for details about this phase, see About the Response Phase.

Applying the Two-Man Rule Permission to User Actions

The two-man rule permission is applied to actions of a relevant user role as described in
Editing Roles.

Should there be no role available to be edited, a new role can be added as described in
Adding Roles and the actions list adapted accordingly.

For an overview of the actions supporting the two-man rule permission, see Roles and
Allocated Actions.

As a result, the user with this role edited has to ask for approval to carry out the actions
that are subject to the two-man rule permission.

Assigning a User for Approver

Follow this procedure to assign a user for approver who then has the privilege to approve
actions that are subject to the two-man rule permission.

For information about how to apply the two-man rule permission to user actions, see
Applying the Two-Man Rule Permission to User Actions.

1. For the user that is to be an approver, navigate to the role assigned to that user as
described in Editing Roles.
2. In the Actions column, expand the Application action group.
3. For the action Second Approval, change the permission symbol to (allowed).
4. Click OK to apply your settings or Cancel to stop the action.
After you click OK, this user is now authorized to approve requests for actions where
the two-man approval permission is set.

About the Request Phase

The requester initiates an action that is subject to the two-person approval permission,
for example Delete Service.

Ensemble Controller R15.2 Administrator Manual - Issue: A 165

Adtran Configuring Ensemble Controller

The ENC Client of the requester, which is referred to as the requester client, suspends the
corresponding action. The system sends an approval request to all ENC Clients that
approvers run, which are referred to as approver clients.

In the requester client, status bar progress indicator, this message indicates the approval
request: "Requesting approval to Delete Service."

Clicking the close button (X), a confirmation dialog box opens. In the dialog box, click Yes
to cancel the request.

An approver client must be logged in to the server for the software to process this
request. If no approver client is logged in, this message displays: "No other approvers are
currently logged in."

About the Decision Phase

Opening the Approval Requests Dialog Box 166
Viewing the Approval Requests Dialog Box 166
Deciding on the Requests in the Approval Requests Dialog Box 167

Opening the Approval Requests Dialog Box

l Automatically: After the system successfully sends the approval request, the
Ensemble Controller approver Clients automatically display the Approval Requests
dialog box.
l Manually: To open the Approval Requests dialog box again at a later time, from
the application bar Settings menu, select Security, and then Approval Requests.

Viewing the Approval Requests Dialog Box

The Approval Requests dialog box lists requests that users (or requesters) sent to you (or
approvers) for approval. The dialog box includes these columns:

Columns Description
Requester User Id The name or identification of the user who requests
approval.
Permission Requested The operation that the user request permission for.
Time of Request The time when the user requested the approval.

Ensemble Controller adds incoming requests as a new row at the top of the list and
orders them by time. The number of requests is unlimited in the Approval Requests

Ensemble Controller R15.2 Administrator Manual - Issue: A 166

Adtran Configuring Ensemble Controller

dialog box. You can configure a sound for incoming requests as described in the User
Manual.

Deciding on the Requests in the Approval Requests Dialog Box

Use the appropriate button to decide on the requests that display in the Approval
Requests dialog box:

Button Description
Approve Click to approve the selected requests.
Deny Click to deny the selected requests.
Ignore Click to ignore the selected requests.
After you click Ignore:
l Ensemble Controller removes the selected approval request from the
dialog box.
–or–
l The dialog box closes if the entry is the last one.

If the Approval Requests dialog box still contains requests and you close it, the dialog
box hides but remains active in the background as long as there are open requests. The
requests remain valid for two minutes, which a Progress dialog box indicates. If the
approver takes no decision or the requester does not abort the request within these two
minutes, the Progress dialog box displays the message TIMEOUT request to Delete
Service, for example.

If the timeout message displays, or you aborted, approved, or denied requests, the
system removes the respective rows from the Approval Requests dialog box for all
eligible Ensemble Controller approver Clients. The dialog box closes after the system
removed the last request. Progress results display in the message pane.

About the Response Phase

This table describes the approval requests. See the user manual for information about the
message pane.

Ensemble Controller R15.2 Administrator Manual - Issue: A 167

Adtran Configuring Ensemble Controller

Approval
Description
Request
Approved The user action is enabled, resumed, and executed.
For this type of action, no new approval is required within the two-
minute validity period. This message displays in the message pane:
"Request for approval to Delete Service: APPROVED."
Denied The user action remains disabled for the two-minute validity period
and does not execute. This message displays in the message pane:
"Request for approval to Delete Service: DENIED."
Wait 10 minutes to start another approval request for the same
action. A window displays with this message to the requester: "An
approval request to Delete Service was recently DENIED. Please wait
before retrying."
Not approved, The request by the requester is not approved, denied, or aborted
denied, or within the validity period of two minutes. This message displays in
aborted the message pane: "Request for approval to Delete Service:
TIMEOUT." The process is unable to execute the user action.
Not started Implies that no approver client who can approve the user action is
logged in to the server. This message displays in the message pane:
"Request for approval to Delete Service: NO_APPROVERS." The
process is unable to execute the user action.

If multiple Ensemble Controller approver Clients are logged in the server, the process first
approves the approver who responds first.

Granting Temporary Admin User Rights on

Network Elements
This section describes how to obtain administrative user rights (privileges) on network
elements (NEs) temporarily. That is, the temporary administrative privilege is requested
and granted for the current user session on the network element.

These network elements are supported:

l WDM:
FSP 3000R7

Ensemble Controller R15.2 Administrator Manual - Issue: A 168

Adtran Configuring Ensemble Controller

l Ethernet:
FSP 150-XG210
FSP 150-XG210C
FSP 150CC-GE201
FSP 150CC-GE201SE
FSP 150CC-GE206V
FSP 150-XG116Pro
FSP 150-XG120Pro
FSP 150-XG120Pro-SH

This action involves these three phases:

l Requesting approval through SNMP trap from the NE to the Ensemble Controller
(ENC).
An operator with lower privileges requests an upgrade from the Network Element
Director (NED) client. That is, these privilege upgrade requests originate from a
particular device externally and not from the Ensemble Controller.
This phase corresponds to the general processing of a request phase as described
in About the Request Phase.
l Taking a decision by an authorized person (administrator) through Approval
Request window.
This phase corresponds to the general processing of a decision phase as described
in About the Decision Phase.
l Responding through SNMP set request from the Ensemble Controller to the
network element.
This phase corresponds to the general processing of a response phase as
described in About the Response Phase.

For information about how to view or revoke approved requests, see Viewing or
Revoking Approved Requests.

For information about a fallback solution if the connection between the Ensemble
Controller and the network element inadvertently interrupts or fails, see Fallback Solution
if the Network Element Connection Fails.

Viewing or Revoking Approved Requests

This section presents the option to either view or revoke an approved request of granting
administrative user privileges on network elements.

Requirement to Revoke Approved Requests 170

Opening the Approved Temporary Privileges Dialog Box 170
Revoking an Approved Request 170

Ensemble Controller R15.2 Administrator Manual - Issue: A 169

Adtran Configuring Ensemble Controller

Requirement to Revoke Approved Requests

To revoke an approved request, you need to have the permission Temporary Privilege
Session Kill. This permission is by default granted to the roles of administrators or
configurators.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller Settings, select
Security, and then Security Manager. For more information about user roles and
allocated privileges, see Roles and Allocated Actions.

Opening the Approved Temporary Privileges Dialog Box

In the Networks tree pane, right-click the relevant network element, and then select
Approved Temporary Privileges.

The network element name that displays in the Permission Requested column, is based
on the NE identity type settings. For more information about how to set the NE identity
type, see the User Manual, Configuring the Network Element Identity.

Revoking an Approved Request

In the Approved Temporary Privileges dialog box, select the relevant request, and then
click the icon to remove that request . An informational dialog box displays when the
system successfully revoked the selected request.

Fallback Solution if the Network Element Connection

Fails
If the connection between Ensemble Controller and the network element (NE) interrupts
or fails, the NE-fallback password management tool ensures that the system can still
grant administrative privileges. It is assumed that the connection between the NE and a
RADIUS server is interrupted, too. The fallback user is available only if the NE cannot
reach the RADIUS server because the system stores the fallback user in the NE local user
database.

Ensemble Controller R15.2 Administrator Manual - Issue: A 170

Adtran Configuring Ensemble Controller

The NE-fallback password management tool handles the password of the fallback user,
the user of "last resort" for each NE individually.

Requirement to Use the Fallback Solution 171

Enabling the Network-Element Fallback User-Password Management Tool 171
Opening the Management Tool 173
Revealing a Fallback User Password 173

Requirement to Use the Fallback Solution

These network elements support the fallback user password if they have the software
version as specified in this table:

Required
Network Element Software
Version
Ethernet including XG, GE, EGX, and OSA 8.5.1
FSP 3000R7 15.1.2

Enabling the Network-Element Fallback User-Password Management

Tool
Complete these steps to enable the management tool for the network element (NE)
fallback user password.

1. In the fnm.properties file, locate the property

com.adva.fnm.option.FallbackNEUserID, and then specify the user name that
relates to the randomly created fallback password. An acceptable user name must
conform to character rules. The rules differ according to the network-element type
and any configured security policies. For FSP 3000R7 network elements, the fallback
user name must:
l Have 4 to 10 characters.
l Contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Contain only these special characters: “.” and “_”. No other special characters are
allowed.
For information about the user name policies for other NEs, see the associated
product manual.
For information about how to configure properties in the fnm.properties file, see
Editing the fnm.properties File.

Ensemble Controller R15.2 Administrator Manual - Issue: A 171

Adtran Configuring Ensemble Controller

2. Configure the relevant NE that will use SNMPv3 to communicate to the Ensemble
Controller, as described in the User Manual.
If you miss to customize the SNMP settings, Ensemble Controller will continuously
clutter you with error messages in the message pane until you have changed to
SNMPv3.

Effect of Enabling the Management Tool

After you enable the management tool, these events take place:
l After Ensemble Controller discovers the network element, the system randomly
creates the fallback password for the user that you configure in the fnm.properties
file. Because of keep alive polling (KAP), Ensemble Controller repeatedly attempts
to create these passwords while the network element is online.
If the user that you configure in the fnm.properties file already exists on the
network element, one of these results will occur:
o If the user is unlocked and has administrative user rights, the fallback

password changes.
o If the user is locked or has no administrative user rights, the fallback password
remains the same and the message pane displays a related error message.

Rules that Ensemble Controller follows when generating a random

fallback password:
l Contains at least one alphabetic character (a..z; A..Z).
l Contains at least one numeric character (0..9).
l Contains at least one special character ( ! , @ , # , $ , % , ^ , ( , ) , _ ,
+ , | , ~ , { , } , [ , ] , - , . ).

l The message pane displays success or failure messages when you try to create the
password, and the management tool presents these messages as the status for
each network element. Ensemble Controller saves and displays both the previous
and the new password for password creation failures that result in an Unknown
password status (see Figure 6).
l You can use the management tool to reveal the stored fallback-user password for
a particular network element, as described in Revealing a Fallback User Password.
l The management tool automatically updates the network element and password
statuses, and the presence of network elements that you add or delete.

Ensemble Controller R15.2 Administrator Manual - Issue: A 172

Adtran Configuring Ensemble Controller

Opening the Management Tool

Sorting Table Content 173
Filtering Table Content 173

You can open the management tool in either of these ways:

l In the Ensemble Controller Settings, select Security, and then NE Fallback User
Passwords.
l In the Networks tree pane, right-clicking the relevant network element, and then
select NE Fallback User Passwords. If you open the management tool from the
network element, then Ensemble Controller preselects that network element in the
Fallback User Passwords window.

The Fallback User Passwords window displays the status for each password and its
corresponding network element in tabular form.

Sorting Table Content

You can sort the content of the management tool table. The sorting in this table follows
the usual behavior for sorting tables in Ensemble Controller. For more information about
sorting, see the User Manual, Sorting Table Columns.

By default, the management tool table sorts its content by the NE column. To change the
default sorting, right-click the relevant column header, and then select Sort by default.

Filtering Table Content

You can filter the management tool table by the information that each column provides.
The filtering in this table follows the usual behavior for filtering table content in Ensemble
Controller. For more information about how to filter table content, see the User Manual,
Filtering Table Columns.

Revealing a Fallback User Password

Complete the steps in this procedure to reveal a fallback user password.

Requirements to Reveal a Fallback User Password 173

Procedure to Reveal a Fallback User Password 174

Requirements to Reveal a Fallback User Password

l To reveal a fallback user password, you need to have the permission Reveal
Fallback NE Password. This permission is by default only granted to the roles of
administrators, and is also subject to the two-man rule. For information about the

Ensemble Controller R15.2 Administrator Manual - Issue: A 173

Adtran Configuring Ensemble Controller

two-man rule, see Enabling Two-Man Approval for Actions.

The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller Settings,
select Security, and then Security Manager. For more information about user roles
and allocated privileges, see Roles and Allocated Actions.
l You enabled the fallback user password management tool as described in
Enabling the Network-Element Fallback User-Password Management Tool.
l The network element does temporarily NOT connect to a RADIUS server. The
fallback user is available only if the network element cannot reach the RADIUS
server because the system stores the fallback user in the network element local
user database.

Procedure to Reveal a Fallback User Password

1. Open the management tool as described in Opening the Management Tool.
2. In the management tool table, select the row that contains the relevant network
element and corresponding password that you want to reveal.
3. Click the Reveal password button .
A window displays with the required password information:

If the system could not set the password in the network element because of, for
example connectivity problems, this window also shows the previous password as
illustrated here:
Figure 6: Revealed, new Password and Previous Password

4. Inform the requesting user about the revealed password.

Ensemble Controller R15.2 Administrator Manual - Issue: A 174

Adtran Configuring Ensemble Controller

5. Click OK to close the revealed password information window.

Ensemble Controller creates a new fallback password when you reveal the current
fallback password. If the network element is offline, Ensemble Controller creates a
new fallback password as soon as the network element is back online. After the
network element is online for approximately two minutes, Ensemble Controller sets
the fallback password in the network element.

SSH Settings
Complete these steps on the primary and secondary Ensemble Controller Servers to
access the SSH servers:

1. Change the location of the user non-root or root home directory to:
/opt/adva/fsp_nm: sudo vipw
2. From the OpenSSH installation bin directory, select ssh-keygen to generate
public/private key pair /usr/bin/ssh-keygen. Use either of these methods:
l Generate public/private key pair of either DSA or RSA type without a pass

phrase. For OpenSSH 7.8 and higher, extend the generated RSA key pair with
-m PEM: ssh-keygen -t rsa -m PEM.
l Generate public/private key pair of either DSA or RSA type with a pass phrase.
This step requires that you populate the property com.adva.fnm.ssl.passphrase
as described in com.adva.fnm.ssl.passphrase.
For OpenSSH 7.8 and higher, extend the generated RSA key pair with -m PEM:
ssh-keygen -t rsa -m PEM.
3. In the fnm.properties file, located in the Ensemble Controller installation directory,
use the property com.adva.fnm.ssl.keyfile to specify the path of the private key file.
com.adva.fnm.ssl.keyfile=/opt/adva/fsp_nm/.ssh/id_rsa
For information about how to edit the fnm.properties file, see Editing the
fnm.properties File.
4. In the SSH user home directory, change the name of the file with the public key from
id_rsa.pub to authorized_keysto:
/opt/adva/fsp_nm/.ssh/authorized_keys
5. Exchange the public keys by moving the authorized_keys file from the primary
server to the secondary server and from the secondary server to the primary server.

SFTP Settings
FTP operations performed by ENC should be authenticated by key-based authentication
if com.adva.fnm.option.useKeyBasedAuthenticationForFileTransfer in

Ensemble Controller R15.2 Administrator Manual - Issue: A 175

Adtran Configuring Ensemble Controller

fnm.properties is set to true. SCP/SFTP connect method uses user-name and private-key
file instead of user-name and password. See SSH Settings for more information on the
SSH settings.

High Availability
To continuously deploy, monitor, or maintain Ensemble Controller, you can use the high-
availability mode of operation. It secures your system 24/7 even if hardware or software
outages occur, for example, in situations where unplanned faults or planned maintenance
activities cause downtimes.

Ensemble Controller supports these high-availability solutions:

Solution Basic Feature Overview

Standard High l Available natively in Windows and Linux operating systems.
Availability
l Only supports two-node clusters with a primary-secondary server
concept. For an overview of the two-node cluster structure, see
Figure 7 on p. 179.
l Copies the entire database from the primary to the secondary server
at a configured periodic interval, for example, once a day, or every 8
hours. After each database copy, the secondary server restarts
against the new database, which causes a downtime.
l The primary and secondary servers are both operational (hot
standby) and both receive notifications from the network elements
to stay synchronized with the network.
l Supports manual and automatic server-side failover.
l The client typically connects to the primary server in normal
situations and will reconnect to a newly elected primary server after
failover.

Streaming l Available natively in Linux operating systems.

Replication
High l Supports three-node clusters but not two-node clusters. For an
Availability overview of the three-node cluster structure, see Figure 12 on p. 206.

Ensemble Controller R15.2 Administrator Manual - Issue: A 176

Adtran Configuring Ensemble Controller

Solution Basic Feature Overview

l All three nodes host a distributed configuration store (DCS) that
provides quorum determination and reliable leader election for the
cluster. Two of the nodes are designated to host the Ensemble
Controller core server and database; these operate in a primary-
standby concept with assistance from the DCS.
l Uses incremental, asynchronous database replication. As changes
are made on the primary server, these are incrementally applied to
update the standby database. This significantly reduces the window
for data loss between systems.
l Only the primary server is operational against the primary database.
The standby server is only partly initialized; it cannot use the standby
database in any meaningful way until the system has failed over.
l Manual and automatic switchover with reliable quorum
determination avoids split-brain scenarios in network partitions and
allows the solution to operate autonomously at least with respect to
switchover.
l You can manually split the cluster for rolling upgrades, and enable a
single node to continue operation as primary server even in light of
multiple concurrent failures.

The streaming replication high-availability solution has these benefits over the standard
version:
l Asynchronous streaming database replication, which guarantees that data
changes are almost immediately copied to the standby server.
l Handles network partitions and thus avoids situations where you have multiple
primary servers (split brain).

Regardless of the high-availability solution that your system uses, you

must make sure that you maintain identical fnm.properties settings on
the primary and secondary or standby servers.
For information about the properties related to high-availability, see
High Availability Options.
For general information about how to edit the fnm.properties file, see
Editing the fnm.properties File.

See these topics for more information about the high-availability solutions:

Ensemble Controller R15.2 Administrator Manual - Issue: A 177

Adtran Configuring Ensemble Controller

Standard High Availability 178

Streaming Replication High Availability 205
Migrating from Standard to Streaming Replication High Availability 234

Standard High Availability

General Information 178
Preparing to Configure Standard High Availability 185
Maintaining Standard High Availability 198

General Information
The Two-Node Cluster Concept 178
Server-Mode Switchover Behavior for Standard High Availability 180
Server Status 182
Comparing the Primary-to-Secondary Server Activity 183

The Two-Node Cluster Concept

The standard high-availability version requires two Ensemble Controller Servers (ENC
Servers) that must operate in parallel.
You configure one server to be the primary server and the other server to be the
secondary server. That makes the servers intercommunicate. Both servers receive events
from the network elements (NEs) as shown in Figure 7. After you log in to the Ensemble
Controller Client (ENC Client), the system will always redirect you to the primary server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 178

Adtran Configuring Ensemble Controller

Figure 7: Standard High Availability – Two-Node Cluster Concept

Most of the time, the primary server operates in master mode, and the secondary server
operates in slave mode.
l The Ensemble Controller primary server has full read-and-write access to its
database (DB) and reports.
l An Ensemble Controller secondary server cannot write to its database and reports.
l Only one Ensemble Controller Server can be the primary server at a time. If both
servers are in master mode, the system raises an alarm.

The administrator must change the secondary Ensemble Controller Server to slave mode.
However, you can configure the Ensemble Controller Servers to work in automatic
changeover mode. If you specify this configuration, the system automatically changes
servers without administrator intervention.

The database and reports of the secondary server are identical to the primary server
database and reports. The recurring database-backup feature creates this identical copy.
The system automatically copies the primary database backup file to the secondary
server in a controlled manner. To avoid large backups, back up only the database but not
the reports. See Changing the Ensemble Controller Server Work Mode for more
information.

In case of HA switchover when using REST NBI, the connection would

work with the wrong information. Therefore, if a server is in slave mode,
REST API is blocked and 409 error-code displays.

Ensemble Controller R15.2 Administrator Manual - Issue: A 179

Adtran Configuring Ensemble Controller

Server-Mode Switchover Behavior for Standard High Availability

Implications if Primary Servers Stop Working 180
Implications After Restoring Primary Servers 180
Manually Changing the Server Mode 181
Configuring Server Shell Scripts 181

Implications if Primary Servers Stop Working

If the primary Ensemble Controller Server, which works in master mode, stops working,
these results occur:
l The server sends an event to the connected Ensemble Controller Clients.
l If you enable Automatic Switchover, the secondary Ensemble Controller Server
automatically changes to master mode after it loses contact to the primary
Ensemble Controller Server. Thereafter, the secondary Ensemble Controller Server
continuously attempts to connect to the primary Ensemble Controller Server to
change it to slave mode.
l If you disable Automatic Switchover in the Ensemble Controller Client, you must
then manually change the secondary Ensemble Controller Server to master mode.
Thereafter, the secondary Ensemble Controller Server continuously attempts to
connect to the primary Ensemble Controller Server to change it to slave mode. If
the secondary server fails to change the primary server to slave mode, connected
Ensemble Controller Clients cannot reconnect to any Ensemble Controller Server.

For information about how to enable or disable automatic switchover, see Enabling or
Disabling Automatic Switchover for Standard High Availability.

Implications After Restoring Primary Servers

If you re-establish the primary Ensemble Controller Server that no longer works correctly
and thus works in slave mode, these results occur:
l The server sends an event to the connected Ensemble Controller Clients.
l If you enable Automatic Switchover, the primary Ensemble Controller Server
detects that the secondary Ensemble Controller Server is in master mode.
However, the primary server does not automatically change back to master mode.
You must first identify the server that has the most accurate database, and then if
appropriate, manually change the primary server back to master mode.
l If you disable Automatic Switchover, the primary Ensemble Controller Server
detects that the secondary Ensemble Controller Server is in master mode. You
must identify the server that has the most accurate database. Then, if appropriate,
use the Ensemble Controller Client to manually change the primary server back to

Ensemble Controller R15.2 Administrator Manual - Issue: A 180

Adtran Configuring Ensemble Controller

master mode, and the secondary server to slave mode. If no client is connected,
the primary server continues to run in slave mode and the secondary server in
master mode. If the secondary server no longer functions, the primary server does
NOT automatically change back to master mode.
l After the primary Ensemble Controller Server changes back to master mode, all
Ensemble Controller Clients that connect to the server display a message. This
message informs you that your client will be connected to a server that runs in
slave mode, and you must change to the server that runs in master mode.

Manually Changing the Server Mode

You must manually change the Ensemble Controller Server mode in these situations:

Situation Description
Maintenance You need to perform maintenance work on the primary server, which
requires administrator privileges to change the primary server to slave
mode. The secondary server automatically changes to master mode, and
the Ensemble Controller Client can connect to that secondary server that
now works in master mode.
During this changeover, you must configure the system so that the
secondary server is identical to the primary server database. After you
complete the maintenance work, you must change the primary server
back to master mode and replicate the database again.
Corrupt The database on the primary server is corrupt or not current. This
database situation requires you to change the primary server to slave mode
WITHOUT replicating the primary server database onto the secondary
server during the changeover.
Disabled The Ensemble Controller Client cannot connect to the primary server,
automatic and you disabled automatic switchover. The primary server detects this
switchover situation and prompts you to connect to the secondary server. In the
status bar, you can verify the Server Status. This status shows whether
your client connects to a server that runs in slave mode. If you disable
automatic switchover on the secondary server, you must manually
change the secondary server to master mode. During this changeover,
you cannot replicate the primary server database to the secondary server
because your client is not connected to the primary server.

Configuring Server Shell Scripts

In the fnm.properties file, you can use these properties to configure shell scripts for both
the primary and secondary servers:

Ensemble Controller R15.2 Administrator Manual - Issue: A 181

Adtran Configuring Ensemble Controller

Shell Script Description

com.adva.fnm.option.afterSwitchoverPrimaryScript Points to the script that the
system uses after the server
changes to master mode.
com.adva.fnm.option.afterSwitchoverSecondaryScript Points to the script that the
system uses after the server
changes to slave mode.

You are fully accountable for the content of your scripts. The Ensemble
Controller Server does NOT analyze or verify scripts for errors.

After you configure scripts in the fnm.properties file, and after you complete the
procedure to change servers, the system runs the scripts.

Server Status
The Ensemble Controller Client status bar displays information about the Ensemble
Controller Server that the client connects to.

If you configure a high-availability server pair, the server status information includes the
IP address and the mode for the two servers. If the system loses its connection to the
Ensemble Controller Server, the system displays, Not responding.

Ensemble Controller R15.2 Administrator Manual - Issue: A 182

Adtran Configuring Ensemble Controller

Comparing the Primary-to-Secondary Server Activity

This table provides an overview of Ensemble Controller features in a standard high-
availability configuration and whether these features are activated or disabled on the
primary and secondary servers.

Standard Operation
After Switchover: Failure Case
Environment

Active on
Ensemble
the Active on the
Controller Active on the Active on the
Primary Secondary
Feature Secondary Server Primary Server in
Server in Server in
in Slave Mode Slave Mode
Master Master Mode
Mode
Trap reception Yes Yes Yes Yes
and processing
Event forwarding Yes No No Yes
through SNMP
to OSS
CSV event Yes Yes Yes Yes
reporting

Ensemble Controller R15.2 Administrator Manual - Issue: A 183

Adtran Configuring Ensemble Controller

Standard Operation
After Switchover: Failure Case
Environment
Active on
Ensemble
the Active on the
Controller Active on the Active on the
Primary Secondary
Feature Secondary Server Primary Server in
Server in Server in
in Slave Mode Slave Mode
Master Master Mode
Mode
Event Yes No No Yes
notification
through email,
script, or an
Internet Control
Message
Protocol (ICMP)
message
Scheduled Yes No. No. Yes
performance To enable it on To enable it on
monitoring data demand, in the demand, in the
collection fnm.properties fnm.properties
file, edit the file, edit the
applicable applicable
property. property.
Scheduled Yes Yes Yes Yes
performance
monitoring data
comma-
separated values
(CSV) file
reporting
Scheduled Yes Yes Yes Yes
inventory report
Scheduled Yes Yes Yes Yes
service inventory
report

Ensemble Controller R15.2 Administrator Manual - Issue: A 184

Adtran Configuring Ensemble Controller

Standard Operation
After Switchover: Failure Case
Environment
Active on
Ensemble
the Active on the
Controller Active on the Active on the
Primary Secondary
Feature Secondary Server Primary Server in
Server in Server in
in Slave Mode Slave Mode
Master Master Mode
Mode
Scheduled Yes No No Yes
backup of the
network element
configuration
Processing Yes No No Yes
incoming Multi-
Technology
Operations
Systems
Interface
(MTOSI) requests
Scheduled Yes N/A N/A Yes.
database backup But no
and automated automatic
sync to sync to
secondary server secondary
server occurs.

Preparing to Configure Standard High Availability

Complete these tasks first on each server to prepare two Ensemble Controller Servers to
work together to provide high availability:
l Install Ensemble Controller as described in Installing Ensemble Controller.
l Set up an SSH server as described in Installing CopSSH. This step is necessary for
the secondary Ensemble Controller Server to update its database from the primary
Ensemble Controller Server.
l Define IP addresses for the primary and the secondary Ensemble Controller Servers
so that they can intercommunicate, and the Ensemble Controller Clients can reach
the servers.

Ensemble Controller R15.2 Administrator Manual - Issue: A 185

Adtran Configuring Ensemble Controller

l For the servers to properly communicate, you must install both the primary and
the secondary Ensemble Controller Servers on computers that run the same
operating system, version, and architecture such as a 64-bit system. For example,
you can run Linux + Linux or Windows + Windows, and so on. In general, the
Ensemble Controller Servers support Windows and Linux.

While you are in the process of configuring high availability, avoid any
database-intensive activities such as a database backup.

See these procedures according to your operating system:

Configuring Standard High Availability in Windows 186

Configuring Standard High Availability in Linux Systems 191
Applying and Testing the New Standard High-Availability Configuration 193

Configuring Standard High Availability in Windows

Complete these steps to configure high availability for Ensemble Controller in a Windows
environment on both the primary and the secondary server. High availability requires
either password or key authentication. This procedure focuses on password
authentication. To use key authentication, start with Step 20 in this procedure.

1. Install Ensemble Controller on the two computers where you want the primary and
the secondary servers to run. The Ensemble Controller Server automatically installs at
the same time.
2. Ensure that the Ensemble Controller Servers shut down on both computers. If they
do not, shut them down manually as described in Stopping the Ensemble Controller
Server.
3. Turn OFF the Windows User Account Control (UAC). Navigate to the Windows Start
menu, Control Panel > User Accounts.
4. Restart your computer.
5. In the console, type lusrmgr.msc to create a new system user account for later use
with the SSH server.
6. In the New User window, add a new user, for example, advaremote, with password
secret123. The New User window is shown here:

Ensemble Controller R15.2 Administrator Manual - Issue: A 186

Adtran Configuring Ensemble Controller

Figure 8: New User Window

7. Select both User cannot change password and Password never expires as shown
in Figure 8.
8. Click Create to create the new user.
The system adds the new user as shown in Figure 9.
Figure 9: New User Added and Selected

9. To grant administrator rights to the new user:

a. Right-click Properties > Member Of tab, and then click Add.
b. In the Select Groups window, add the user to the administrators group as
shown in Figure 10.

Ensemble Controller R15.2 Administrator Manual - Issue: A 187

Adtran Configuring Ensemble Controller

Figure 10: Adding a New User to the Administrators Group

10. If the CopSSH version is a version 3.1.1 or later, complete these steps:
a. Uninstall CopSSH.
b. Delete the user SvcCOPSSH.
c. Restart the computer.
11. Double-click the installer of copssh to install CopSSH. For example, the installer can
be copssh_server_7.10.1_x64_prod_installer.
During installation process, provide the license key and finish the installation using
the default settings.

Continue with these steps:

Ensemble Controller R15.2 Administrator Manual - Issue: A 188

Adtran Configuring Ensemble Controller

1. Open the COPSSH Control Panel.

2. Verify that the SSH service runs successfully and that no active connections exist.
3. Select Users to activate the user for the SSH access.
4. Click Add.

Ensemble Controller R15.2 Administrator Manual - Issue: A 189

Adtran Configuring Ensemble Controller

5. From the User list, select the relevant user name.

6. Click Forward twice, and then Apply by using default values.
The CopSSH Control Panel window opens again.

7. Click Apply to finish the user activation.

8. To verify the connection by using CopSSH, enter the remote host IP address to start
PuTTY. Use the login credentials or password of the user that you created.
A typical PuTTY screen is shown in Figure 11. If the connection succeeds, the process
completes successfully.

Ensemble Controller R15.2 Administrator Manual - Issue: A 190

Adtran Configuring Ensemble Controller

Figure 11: PuTTY Dialog

l If you CANNOT connect to the remote server through PuTTY using

IPv4, change to IPv6. Try again and to connect through PuTTY or
another SSH client.
l If you CAN connect to the remote server through PuTTY using
IPv6, run commands from Step 4 of this procedure to connect to
the remote server through Ensemble Controller Server High
Availability.

9. Verify that the user you set up to have SSH access has full security rights to the folder
and the sub-folders of c:\Program Files\ADVA Optical Networking.
10. Turn ON the Windows User Account Control (UAC) located in Control Panel > User
Accounts.
11. To use key authentication instead of password authentication, go to the CopSSH bin
directory. The default directory is C:\Program Files (x86)\ICW\bin.
12. Follow the procedure for key authentication described in Configuring Standard High
Availability in Linux Systems.
After you complete the procedure, the password field in the high availability setup
wizard becomes unavailable, and you can use key authentication instead.
13. You can test your high availability configuration as described in Applying and Testing
the New Standard High-Availability Configuration.

Configuring Standard High Availability in Linux Systems

Complete these steps to configure high availability for Ensemble Controller in Linux.

1. Install Ensemble Controller on the computers where you want the primary and
secondary servers to run.

Ensemble Controller R15.2 Administrator Manual - Issue: A 191

Adtran Configuring Ensemble Controller

2. Decide if you want to configure high availability using the SSH password or the SSH
key.
Configuring High Availability with the SSH Password 192
Configuring High Availability with the SSH Key 192

Configuring High Availability with the SSH Password

1. Decide if you want to use the root account, and if so, see Applying and Testing the
New Standard High-Availability Configuration.
–or–
If you want to use an account other than root, complete these steps on both the
primary and secondary server:
2. Shut down all Ensemble Controller Servers. See Procedure for Stopping the Server in
Linux.
3. Create a user account to use for remote communication:
a. Set the user password: passwd username
b. Change to the current directory: cd/opt/adva/fsp_nm
c. If you used the Ensemble Controller installation software to install both the
Embedded License Server and Ensemble Controller on the same computer,
change the owner and group of the ELS services. If not, continue with Step 3d.
To change the owner and group of the ELS services, run the elschangeuser.sh
script:
/opt/adva/fsp_nm/els/elschangeuser.sh <username> <groupname>
d. Run the changeUser.sh script:
/opt/adva/fsp_nm/bin/changeUser.sh <username> <groupname>

Make sure that you use the same <username> and

<groupname> for both the changeUser.sh and elschangeuser.sh
scripts. The names must be identical.

e. Reboot the Ensemble Controller Servers to apply the changes.

4. To continue your high-availability configuration, see Applying and Testing the New
Standard High-Availability Configuration.

Configuring High Availability with the SSH Key

1. Decide if you want to use the root account, and if so see Step 4.
–or–
If you want to use an account other than root, complete these steps on both the
primary and secondary server:

Ensemble Controller R15.2 Administrator Manual - Issue: A 192

Adtran Configuring Ensemble Controller

2. Shut down all Ensemble Controller Servers. See Procedure for Stopping the Server in
Linux.
3. Create a user account to use for remote communication:
a. Set the user password: passwd username
b. Change to the current directory: cd/opt/adva/fsp_nm
c. If you used the Ensemble Controller installation software to install both the
Embedded License Server and Ensemble Controller on the same computer,
change the owner and group of the ELS services. If not, continue with Step 3d.
To change the owner and group of the ELS services, run the elschangeuser.sh
script:
/opt/adva/fsp_nm/els/elschangeuser.sh <username> <groupname>
d. Run the changeUser.sh script:
/opt/adva/fsp_nm/bin/changeUser.sh <username> <groupname>

Make sure that you use the same <username> and <groupname>
for both the changeUser.sh and elschangeuser.sh scripts. The
names must be identical.

Ignore any request to reboot the server for now because the step
that follows also requires a reboot.

4. See SSH Settings for more information on the SSH settings.

5. Reboot the Ensemble Controller Server to apply the changes.
6. To continue your high-availablity configuration, see Applying and Testing the New
Standard High-Availability Configuration for information.

Applying and Testing the New Standard High-Availability

Configuration
Requirements
l The account that you use to configure standard high-availability must be the same
account that you use to log into ENC GUI. If you use a RADIUS account, also make
sure that you can log into the ENC GUI on the secondary server with this account.
l If you use ENC 14.3.1 version or later, make sure that port 9543 is set in this
property in the fnm.properties file:
com.adva.fnm.option.rest.securePortWithMutualAuth=9543

Ensemble Controller R15.2 Administrator Manual - Issue: A 193

Adtran Configuring Ensemble Controller

Procedure
l Complete this task only on the primary server, which usually
works in master mode. The secondary server currently works as a
standalone server in this high-availability configuration.
l If the remote server receives a new host key, the system generates
the security event:
S-HOSTKEY “HA SSH Host Key Changed (potential security threat,
if unexpected).”
If this event occurs because you changed the high-availability
server configuration, for example, if you installed new server
hardware or a new operating system, you can ignore the event. If
the event occurs for another reason, the event might indicate a
potential security threat, for example a man-in-the-middle attack.

Complete these steps to apply and test the new standard high-availability configuration.

1. On the primary Ensemble Controller Server, from the application bar Settings menu,
select System, and then High Availability. The High Availability Setup Wizard
opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 194

Adtran Configuring Ensemble Controller

2. If you are setting up high availability for the first time, click Get Defaults, which
populates the Primary Server area, IP Address field and Port field.
3. In the Secondary Server area, edit these fields:
l IP Address - the IP address of the secondary server.

l ENC user - the user name of the secondary server.

l ENC password - the user password of the secondary server.
4. In the Server Account area, Server account and Server password fields, type the
server account credentials for the SSH connection. For details, see Preparing to
Configure Standard High Availability.
5. Click Next. The test begins:

The High Availability Test Process wizard indicates in real time which of these tests
are running:
l The connection
l SSH
l SFTP
6. The High Availability information area shows the results of the test:
l If the test is successful, click Next.

Ensemble Controller R15.2 Administrator Manual - Issue: A 195

Adtran Configuring Ensemble Controller

l If the test fails, the Description area provides failure details. Correct any
configuration problems and retest.

7. After the High Availability information area shows COMPLETED and All tests
passed, click Next. The remote high-availability server reboots.

Ensemble Controller R15.2 Administrator Manual - Issue: A 196

Adtran Configuring Ensemble Controller

8. If the SSH or SFTP connection test fails, to increase the connection attempts, in the
fnm.properties file, modify this property
com.adva.fnm.ssl.connectionAttempts.

Ensemble Controller R15.2 Administrator Manual - Issue: A 197

Adtran Configuring Ensemble Controller

9. After the remote server reboots and resynchronizes with the local server, the High
Availability Apply Configuration Setting wizard opens:

10. Click Close.

Maintaining Standard High Availability

This section provides information about how to maintain an existing high-availability
configuration.

Upgrading Ensemble Controller Servers that Use Standard High Availability 198
Changing an Existing Standard High-Availability Configuration 200
Changing the Ensemble Controller Server Work Mode 202
Enabling or Disabling Automatic Switchover for Standard High Availability 203
Disabling a Standard High-Availability Configuration 204

Upgrading Ensemble Controller Servers that Use Standard High

Availability
Complete these steps to upgrade Ensemble Controller Servers that run in a standard
high-availability configuration, and especially if you want to upgrade from an earlier
version, for example 11.2, to 12.x.

Ensemble Controller R15.2 Administrator Manual - Issue: A 198

Adtran Configuring Ensemble Controller

With 12.1, the Embedded License Server manages the licenses that the Ensemble
Controller requires. To guarantee a consistent high availability licensing operation, you
must follow this procedure.

To upgrade servers that do not use high availability, see Upgrading Ensemble Controller.

1. Disable the high-availability configuration as described in Disabling a Standard High-

Availability Configuration.
2. For both servers, back up the database to a directory outside of the Ensemble
Controller installation folder:
a. On the one server, start the nmsadmin script located in the Ensemble
Controller installation bin directory, and then type J to select Backup
Database.
b. Follow the displayed commands.
c. Repeat Step 2a-b for the other server.
3. On the primary server:
a. (Optional) Uninstall the dated version as described in Uninstalling Ensemble
Controller.
b. Install the target version as described in Installing Ensemble Controller.
c. Only if you uninstalled Ensemble Controller in Step 3a:
i. Stop the server as described in Stopping the Ensemble Controller Server.
ii. Restore the database as described in Restoring the Ensemble Controller
Database.
iii. Start the server as described in Starting the Ensemble Controller Server.
4. On the secondary server:
a. (Optional) Uninstall the dated version as described in Uninstalling Ensemble
Controller.
b. Install the target version as described in Installing Ensemble Controller.
c. Only if you uninstalled Ensemble Controller in Step 4a:
i. Stop the server as described in Stopping the Ensemble Controller Server.
ii. Restore the database as described in Restoring the Ensemble Controller
Database.
iii. Start the server as described in Starting the Ensemble Controller Server.
5. Log in the Ensemble Controller Client to connect to the primary server, and then re-
enable high availability:

Ensemble Controller R15.2 Administrator Manual - Issue: A 199

Adtran Configuring Ensemble Controller

a. From the Ensemble Controller application bar Settings menu, select System,
and then High Availability.
b. In the High Availability Setup Wizard, select Enable High Availability, and
then click Next.

Changing an Existing Standard High-Availability Configuration

Requirements to Change a Standard High-Availability Configuration 200
Procedure to Change a Standard High-Availability Configuration 200

Requirements to Change a Standard High-Availability Configuration

l This procedure applies only to servers in master or standalone mode except if the
master or primary server fails.
If the primary server fails, you can use the non-standard method to exchange
server roles, that is, only in case of emergency. For more details about this
emergency method, see Exchanging Server Roles if the Primary Server Fails -
Emergency Method Only.
We recommend that you use the safer method, which is to configure high
availability only on a primary server, and then the system automatically sets the
secondary server.
l This procedure assumes that the servers currently operate in high-availability
mode.
l You cannot change an existing high-availability configuration. Before you can
create a new high-availability configuration, you must disable the previous high-
availability configuration. See Disabling a Standard High-Availability
Configuration.

Procedure to Change a Standard High-Availability Configuration

1. From the application bar Settings menu, select System, High Availability. The High
Availability Setup Wizard opens and auto-populates the current settings:

Ensemble Controller R15.2 Administrator Manual - Issue: A 200

Adtran Configuring Ensemble Controller

For an existing configuration, you can change the values in the Secondary Server
area only for these fields:
l IP Address
l Port
l ENC user
l ENC password

and the Server Account area fields. All other values are unavailable (appear
dimmed).

2. Change the values as required, and then click Next. The system tests the new
settings. If the tests succeed, the system stores the settings in the database and the
remote server reboots and synchronizes. For more information about how to test
and apply settings, see Applying and Testing the New Standard High-Availability
Configuration.
3. To change the settings of the Primary Server, you must retrieve the default values.
Click Get Defaults.
The Primary Server area fields automatically populate with the default values.

Ensemble Controller R15.2 Administrator Manual - Issue: A 201

Adtran Configuring Ensemble Controller

Exchanging Server Roles if the Primary Server Fails -

Emergency Method Only
If you perform the Get Defaults action on a secondary server that is
running in master mode, the local secondary server settings
populate the Primary Server area fields into the wizard.
Consequently, the local secondary server now becomes the primary
server. In this case, you must manually specify a new secondary
server for Ensemble Controller.

4. Click Close to save all changes.

Changing the Ensemble Controller Server Work Mode

You must log in as administrator to change the Ensemble Controller

Server mode.

If you configure a high-availability concept with a primary and secondary Ensemble

Controller Server, and you have administrator rights in the Ensemble Controller Client,
you can change the server work mode between the master and the slave. You can verify
the Server Status in the status bar. The server status shows the server IP address and
mode.

If you disabled automatic switchover as described in Enabling or Disabling Automatic

Switchover for Standard High Availability, you must manually change the server mode in
these situations:
l If your Ensemble Controller Client disconnects from the primary server, change the
secondary or standby server to master mode.
l If you need to perform maintenance work on the primary server, change the
secondary or standby server to master mode.
l If the primary server database is corrupt, change the secondary or standby server
to master mode.
l If both servers run in slave mode, change the primary server to master mode.

If you manually perform a changeover after you schedule a software

update for at least one network element, you can cancel the
changeover.

Complete these steps to change the work mode of the Ensemble Controller Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 202

Adtran Configuring Ensemble Controller

1. In the Ensemble Controller Settings, select System, and then Change Server Mode.
2. Select the appropriate mode for your server, either Slave or Master.
3. If you want to make an exact copy of the database and all reports and copy them to
the other server, select Replicate.

If the server database is corrupt, do NOT select Replicate.

4. Click OK to save your changes, or Cancel. The Progress window opens.

a. If necessary, click Abort to stop the changeover.
A confirmation dialog box opens.
–or–
Click Hide so that the Progress window will move to and finish in the
background.
b. If you clicked Abort:
In the dialog box, click Yes to stop the changeover.
–or–
Click No, and the changeover will finish.
The message pane displays a related message.
5. After the changeover completes, connect to the new master server.

Enabling or Disabling Automatic Switchover for Standard High

Availability
If you configure standard high availability using a primary and secondary Ensemble
Controller Server, you can enable or disable the automatic switchover to the master
mode. This change might become advantageous if, for example, the servers disconnect
from each other. At that point, the server in slave mode automatically elevates itself to
the master mode.

If the high availability-configured servers disconnect from each

other, the Ensemble Controller Clients show a related notification
with a delay of one minute after the connection fails.

You must configure the automatic switchover equally on both the primary and secondary
Ensemble Controller Server.

Complete these steps to enable or disable automatic switchover for standard high
availability.

Ensemble Controller R15.2 Administrator Manual - Issue: A 203

Adtran Configuring Ensemble Controller

On the primary server:

1. Stop the Ensemble Controller Server as described in Stopping the Ensemble

Controller Server.
2. Use your preferred text editor to open the fnm.properties file located in the
Ensemble Controller installation directory.
3. In the fnm.properties file, edit the property
com.adva.fnm.option.automaticSwitchover:
l To enable automatic switchover, type enabled:
com.adva.fnm.option.automaticSwitchover=enabled
l To disable automatic switchover, type disabled:
com.adva.fnm.option.automaticSwitchover=disabled

4. Save and close the fnm.properties file.

5. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

On the secondary server:

6. Repeat this procedure.

Disabling a Standard High-Availability Configuration

The standard high-availability configuration window is available only

on the server that works in master or standalone mode.
If you must disable high availability on the server that works in slave
mode, change the work mode to master as described in Changing
the Ensemble Controller Server Work Mode.

Complete these steps to disable high availability for the master or standalone server.

1. From the Ensemble Controller application bar Settings menu, select System, and
then High Availability.
2. In the High Availability Setup Wizard, clear the Enable High Availability field,
and then click Next.
l If servers work in high-availability mode, the master server stores new settings in
the database, and then populates, synchronizes, and restarts the slave server.
Both servers then work in standalone mode.
l If servers do not work properly in high-availability mode, for example if one of
them fails, but you set high availability, you must separately clear the Enable

Ensemble Controller R15.2 Administrator Manual - Issue: A 204

Adtran Configuring Ensemble Controller

High Availability field for each server. The High Availability information
window Description area shows the status Finished with errors.

Streaming Replication High Availability

General Information 205
Installation Requirements 212
Installation Software 215
Installation Overview 216
Maintaining Streaming Replication High Availability 221

General Information
The Three-Node Cluster Concept 205
Primary and Standby Server Coordination 206
Resilience to Outages 206
Dividing a Cluster in Availability Zones 207
Server-Mode Switchover Behavior for the Streaming Replication High
Availability 208
Comparing the Primary-to-Standby Server Activity 208
Effects of nmsadmin Operations on the Primary and Standby Server 210

The Three-Node Cluster Concept

The streaming replication high-availability version requires two Ensemble
Controller Servers (ENC Servers) and at least one more server that hosts the distributed
configuration store (DCS). The ENC Servers operate in a primary-standby concept with
assistance from the DCS quorum server to provide resilience to outages.

Ensemble Controller R15.2 Administrator Manual - Issue: A 205

Adtran Configuring Ensemble Controller

Figure 12: Streaming Replication High Availability - Three-Node Cluster Concept

The ENC Servers also host a DCS instance each that the system uses for reliable cross-
cluster configuration data storage, quorum determination, and leader election.

Primary and Standby Server Coordination

The Ensemble Controller Servers coordinate to elect the leader, which will function as the
primary server. The non-leader will function as the standby server and will not become
fully active until a switchover happens. The primary server has full read-and-write access
to its database whereas the standby server cannot write to its database because it
receives a consistent stream of updates from the primary server.

After an initial synchronization of the entire database, the standby database (DB) uses the
PostgreSQL asynchronous streaming replication to incrementally synchronize with the
primary database.

Resilience to Outages
Server Outages 207
Network Outages 207

Ensemble Controller R15.2 Administrator Manual - Issue: A 206

Adtran Configuring Ensemble Controller

Server Outages
If the primary server experiences an outage, the system automatically starts to coordinate
amongst the remaining cluster members to change to a different server to become the
new primary. While the system changes to the new primary server, the Ensemble
Controller Clients might be unable to connect to any servers until they recognize the new
primary server.

Even if the failed server becomes operative again, the system does not change back and
the current primary server remains in this position.

If required, you can disable the automatic switchover feature, which makes the system to
not change servers automatically when an outage occurs. You must then change servers
manually. For information, see the appropriate topic:
l Enabling or Disabling Automatic Switchover for Streaming Replication High
Availability
l Initiating a Server Work Mode Switchover

Network Outages
The system is designed to ensure that only one server is running as Primary at any point
in time even if network problems prevent the servers from communicating fully with each
other. They might assume that the other server is down and both could attempt to
become Primary. Commonly this is known as the split-brain problem and the streaming
replication high-availability solution uses the DCS cluster to determine whether a quorum
that is, the majority of nodes, is still in communication. If so, then the Primary will
consistently be elected with the quorum-side of the cluster.

In the rare case that all machines become isolated, none will participate in a quorum and
no Primary will be elected. In this case, we recommend resolving the network partition to
allow the quorum to be determined correctly. If this is not be possible and multiple
failures occur that you cannot easily resolve, you can run the cluster in a single-server
mode as described in Enabling the Single-Server Mode.

Dividing a Cluster in Availability Zones

An availability zone is commonly defined as a distinct location that is insulated from
failures in other availability zones, and provides sufficient, low-latency, high-bandwidth
network connectivity to servers in other availability zones. We further recommend to use
a redundant network interconnect between availability zones.

Situate the servers or virtual machines in different availability zones so that a disaster or
power outage in one zone does not impact the correct operation of the servers in other
zones.
You can have multiple availability zones within a single data center if power distribution
Ensemble Controller R15.2 Administrator Manual - Issue: A 207
Adtran Configuring Ensemble Controller

and network communication are diverse from other nodes of the cluster within the same
data center.

For more information about bandwidth and latency parameter requirements to support
the communication within availability zones in a streaming replication high-availability
configuration, see Installation Requirements.

Server-Mode Switchover Behavior for the Streaming Replication

High Availability
If the primary Ensemble Controller Server stops working or is partitioned from the
quorum side of the cluster, these results occur:
l If you have enabled automatic switchover, the standby Ensemble Controller Server
automatically:
o Becomes the primary.
o Reconfigures its PostgreSQL database as the primary.
o Completes initialization and starts managing the network.
l If you have disabled automatic switchover, your administrator must trigger a
switchover to the standby node to allow it to become primary.
l Ensemble Controller Clients detect the situation and offer to reconnect to the next
available primary. As a switchover can take some time, the client can not
immediately be able to connect.
l Thereafter, when the prior primary returned to service, it is configured as the
standby.

For information about how to enable or disable automatic switchover, see Enabling or
Disabling Automatic Switchover for Streaming Replication High Availability.

For information about how to manually initiating a switchover, see Initiating a Server
Work Mode Switchover.

Comparing the Primary-to-Standby Server Activity

This table provides an overview of Ensemble Controller features in a streaming
replication high-availability configuration and whether these features are activated or
disabled on the primary and standby servers.

Ensemble Controller R15.2 Administrator Manual - Issue: A 208

Adtran Configuring Ensemble Controller

Standard Operation
After Switchover: Failure Case
Environment
Ensemble Active on
Controller Active on the Active on the Active on the
the Primary
Feature Standby Server Standby Server Primary Server
Server on
on Node B on Node A on Node B
Node A
Trap reception and Yes No No Yes
processing
Event forwarding Yes No No Yes
through SNMP to
OSS
CSV event Yes No No Yes
reporting
Event notification Yes No No Yes
through email,
script, or an
Internet Control
Message Protocol
(ICMP) message
Scheduled Yes No No Yes
performance
monitoring data
collection
Scheduled Yes No No Yes
performance
monitoring data
comma-separated
values (CSV) file
reporting
Scheduled Yes No No Yes
inventory report
Scheduled service Yes No No Yes
inventory report

Ensemble Controller R15.2 Administrator Manual - Issue: A 209

Adtran Configuring Ensemble Controller

Standard Operation
After Switchover: Failure Case
Environment
Ensemble Active on
Controller Active on the Active on the Active on the
the Primary
Feature Standby Server Standby Server Primary Server
Server on
on Node B on Node A on Node B
Node A
Scheduled backup Yes No No Yes
of the network
element
configuration
Processing Yes No No Yes
incoming Multi-
Technology
Operations Systems
Interface (MTOSI)
requests
Scheduled Yes No No Yes
database backup
Streaming Yes N/A N/A Yes
replication to
Standby

Effects of nmsadmin Operations on the Primary and Standby Server

The nmsadmin script that Ensemble Controller stores in the installation directory, is
available on both the primary and standby servers. The behavior can slightly vary
between servers as described in this table:

Option Primary Standby Description

[A] Thread Dump Yes Yes Shows threads of the local server.
[B] Shutdown Yes Yes Shuts down the local server.
Server
[C] Monitor Yes Yes Monitors the log on the local server.
Server Log
[D] SNMP Yes No Only applicable on the primary server.
detailed NE data

Ensemble Controller R15.2 Administrator Manual - Issue: A 210

Adtran Configuring Ensemble Controller

Option Primary Standby Description

[E] Backup Config Yes Yes Backs up the configuration files of the local
Files server.
[F] Machine Yes Yes Shows the machine architecture of the local
Architecture server.
[G] ENC Info Yes Yes Shows Ensemble Controller common
information although it is retrieved from the
database on the local server.
[H] System Health Yes Yes Includes system and database information of
Report the local server.
l If you run this option on the primary, it
includes a copy of the master database.
l If you run this option on the standby, it
includes a copy of the standby database.

[I] Display Yes No Shows configurable, internal metrics and

RapidTerm counters from the Ensemble Controller Server.
Monitor'g State Only available on the primary server.
[J] Backup Yes No
Database
[K] Reinitialize Yes No
Database
[L] Restore Yes No
Database Backup
[M] Machine Yes Yes Shows resources of the local server.
Resources
[N] Start Rapid Yes No Starts monitoring on the primary Ensemble
Term Monitoring Controller Server.
[O] Bundle Log Yes Yes Bundles logs of the local server.
Files
[P] Process Status Yes Yes Shows the process status of the local server.
[Q] Query DB Yes Yes Performs queries against the local database,
which might be the standby/replica.

Ensemble Controller R15.2 Administrator Manual - Issue: A 211

Adtran Configuring Ensemble Controller

Option Primary Standby Description

[R] Reset Yes No Resets the application password on the
Application primary server.
Password
[S] Start Server Yes Yes Starts the local server processes.
[T] Remove Log Yes Yes Removes log files from the local server.
Files
[U] Stop Rapid Yes No Stops monitoring on the primary Ensemble
Term Monitoring Controller Server.
[V] Exit Yes Yes Exits the utility.
[W] On Demand Yes No Shows on-demand internal metrics and
Monitoring counters from the Ensemble Controller Server.
Only available on the primary server.
[X] Synchronize Yes No Synchronizes the database secondary cache
Cache on the primary server.
[Y] Change Yes No This option changes the PostgreSQL password
Database and the content of dbaccess.txt file on the
Password local server.
To provide a cluster-wide change, you must
manually copy the dbaccess.txt file to the
standby server, and then restart the server. See
Changing an Existing Streaming Replication
High-Availability Configuration for the
recommended sequence to change a working
cluster.
[Z] Heap Dump Yes Yes Shows the heap dump for the local server.

Installation Requirements
Area Requirement Description
Supported You can install the streaming replication high-availability solution
Operating only on servers that run CentOS/Red Hat Enterprise Linux (RHEL)
Systems operating system versions 7.8, 7.9, 8.4 and 8.6.

Ensemble Controller R15.2 Administrator Manual - Issue: A 212

Adtran Configuring Ensemble Controller

Area Requirement Description

Linux packages Install these Linux packages on all three servers using the yum
package management tool or source code:
l Python 3.6.8 or later compatible version.
l OpenSSL 1.0.2 or later compatible version. You can preinstall
OpenSSL on CentOS/RHEL in various versions. To verify which
version the system currently uses, type: "openssl version". Make
sure that all servers have an installed, compatible OpenSSL
version.
Server IP Create a cluster plan that identifies the IP addresses or host names of
Addresses the three required servers, which can be physical hardware or virtual
Overview machines. For information about servers required for streaming
replication high availability, see The Three-Node Cluster Concept.
Server Time Verify that the cluster servers use NTP or equivalent to synchronize
Synchronization their system time with an external source. A time deviation greater
than 0.8 seconds between the servers can result in the streaming
replication high-availability feature to operate incorrectly.
Availability In the event of a power outage, to avoid negatively impacting correct
Zones server operation in other zones, situate servers or virtual machines in
different availability zones. Ideally, configure a protected network
between availability zones to minimize the effect of network
partitions on cluster operation. See Dividing a Cluster in Availability
Zones.
The communication network between data centers or availability
zones must have sufficient bandwidth and latency parameters. These
requirements are necessary to support the communication
requirements for the streaming replication high-availability solution.
The requirements on network capacity varies with system size and
usage. We recommend this minimum connectivity for small or extra
large systems:

Table 9: Availability Zone Connectivity Requirements

Extra Large
Connectivity Parameters Small Systems
Systems
Maximum Latency 500 ms 400 ms
Minimum Bandwidth 1 Mbps 2 Mbps

Ensemble Controller R15.2 Administrator Manual - Issue: A 213

Adtran Configuring Ensemble Controller

Area Requirement Description

Hardware Server Use an appropriately sized hardware server (S/M/L/XL) to host the
Size Ensemble Controller Servers.
DCS Quorum The distributed configuration service (DCS) quorum server supports
Server these deployment options:
Deployment l Installation on a dedicated hardware server.
Options To minimize cost, we recommend that you use a class S server.
l Installation on a virtual machine.
The virtual machine can share physical hardware resources with
components from other clusters. Any virtual machines you use
within the same cluster must also follow the Availability Zone
Connectivity Requirements. See Dividing a Cluster in Availability
Zones.
l Installation on an existing infrastructure server.
You can use an available hardware server that you already use for
other infrastructure services such as a file server, authentication
server, and so on. Verify that this existing server has sufficient
resources and appropriate network connectivity to adequately run
the DCS component.
Required TCP Ports for the primary and standby servers:
Ports to be Open l
2379
l 2380
l 5432
l 8008
The ports for the quorum server depend on the number of pairs or
clusters that the server manages. One quorum server can manage
several clusters. The ports differ accordingly as follows:

Ensemble Controller R15.2 Administrator Manual - Issue: A 214

Adtran Configuring Ensemble Controller

Area Requirement Description

Table 10: Overview of Quorum Server
Ports
Cluster Quorum Server Ports
Number Port 1 Port 2
Cluster 1 12379 12380
Cluster 2 22379 22380
Cluster 3 32379 32380
Cluster 4 33379 33380
Cluster 5 34379 34380
Cluster 6 35379 35380
Cluster 7 36379 36380
Cluster 8 37379 37380
Cluster 9 38379 38380
Cluster 10 39379 39380

For information about how to open these ports, see Steps to

Installing Ensemble Controller in Linux, especially For Red Hat
Enterprise Linux 7.x and 8.x.
Required You need these licenses:
Licenses l 2 of each basic license.
l 2 of the feature license for ENC-HA-STREAM.
l 2 of any other feature license to use with the Ensemble Controller
Server.
l 2 of each connection license in various sizes.

Installation Software
The streaming replication high-availability software is a separate package named HA_
Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz that is included in the core Ensemble
Controller installation package.

After you extract the streaming replication high-availability software, the system creates a
new ha-stream directory to avoid any overlap or conflict with other optional packages.

Ensemble Controller R15.2 Administrator Manual - Issue: A 215

Adtran Configuring Ensemble Controller

The extracted files include the install-ha-stream installer script that helps to install the
streaming replication high-availability software on each server in the three-node cluster
in a specific sequence that you must follow. For more information about the sequence,
see Installation Overview.

Installation Overview
Complete these steps to install the streaming replication high-availability software on
each server in the three-node cluster in this specific sequence. Some of the steps include
links to more detailed instructions if required.

1. Configure the server that you intend to use for the primary Ensemble Controller. See
Installing and Configuring the Intended Primary Ensemble Controller Server for
detailed instructions.
2. Configure the server that you intend to use as the quorum server that only hosts the
distributed configuration service (DCS). See Installing and Configuring the Intended
DCS Quorum Server for detailed instructions.
3. Configure the server that you intend to use for the standby Ensemble Controller. See
Installing and Configuring the Intended Standby Ensemble Controller Server for
detailed instructions.
4. After you configured all required servers (Step 1 to 3), wait for the cluster to become
fully operational. To verify whether the cluster completed synchronization between
the primary and the standby Ensemble Controller Servers, you can use either option:
l From the Ensemble Controller installation bin directory, run the nmsadmin
script, and then type the option number for Steaming Replication HA Cluster
Status.
–or–
l From the Ensemble Controller application bar Settings menu, select System,
and then Streaming Replication HA Status. The Streaming Replication High
Availability Cluster Status dialog box opens.
5. To secure the cluster and prevent access from servers other than the cluster
members, complete these steps:
a. Log into each cluster member that is, the primary, the quorum, and the standby
server one at a time, and open the Linux CLI.
b. Type the command iptables -I INPUT ! --src <cluster member IP> -
m tcp -p tcp --dport 5432 -j DROP, once for each cluster member. The
command closes the PostgreSQL database port for all servers that are not part
of the cluster.

Ensemble Controller R15.2 Administrator Manual - Issue: A 216

Adtran Configuring Ensemble Controller

For example, if your cluster members have these IPs, type the commands as
shown:
Primary 10.143.170.99
Quorum 10.143.170.100
Standby 10.143.170.101

On the primary server:

iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport
5432 -j DROP
On the quorum server:
iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport
5432 -j DROP
On the standby server:
iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport
5432 -j DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport
5432 -j DROP
c. Make sure to add these commands to all servers that are part of the cluster.
6. (Optional) To finalize the procedure, test a subset of switchover and fault handling
scenarios, for example:
l Initiating a Server Work Mode Switchover
l Stopping the Ensemble Controller Server
l Starting the Ensemble Controller Server
For all these operations, you can use the nmsadmin script located in the Ensemble
Controller installation bin directory.

Ensemble Controller R15.2 Administrator Manual - Issue: A 217

Adtran Configuring Ensemble Controller

Installing and Configuring the Intended Primary Ensemble Controller

Server
Requirements to Install and Configure the Intended Primary Ensemble
Controller Server 218
Procedure to Install and Configure the Intended Primary Ensemble
Controller Server 218

Requirements to Install and Configure the Intended Primary Ensemble

Controller Server
l You meet the Installation Requirements to install and configure a streaming
replication high availability cluster.
l You are acquainted with and follow the required sequence as described in
Installation Overview to configure the servers in a three-node cluster that you
need for streaming replication high availability.

Procedure to Install and Configure the Intended Primary Ensemble

Controller Server
1. Log in the server that you intend to use as the primary server, and then install
Ensemble Controller as described in Installing Ensemble Controller. The Ensemble
Controller installation package includes the optional software package for streaming
replication high availability.
2. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-
vXX.X.X-SNAPSHOT.tgz streaming replication high-availability software package.
The extracted files include the install-ha-stream installer script for streaming
replication high availability. For more information, see Installation Software.
3. Run install-ha-stream.
4. Type 1 to select Install a first HA host, and then complete the installer command
requests that follow.

Ensemble Controller R15.2 Administrator Manual - Issue: A 218

Adtran Configuring Ensemble Controller

Installing and Configuring the Intended DCS Quorum Server

See these topics for instructions about how to install and configure the intended
distributed configuration service (DCS) quorum server:

Requirements to Install and Configure the Intended DCS Quorum Server 219
Procedure to Install and Configure the Intended DCS Quorum Server 219

Requirements to Install and Configure the Intended DCS Quorum Server

l You meet the Installation Requirements to install and configure a streaming
replication high availability cluster.
l You already configured the intended primary Ensemble Controller Server as
described in Installing and Configuring the Intended Primary Ensemble Controller
Server. If not, become acquainted with and follow the required sequence to
configure the servers in a three-node cluster that you need for streaming
replication high availability as described in Installation Overview.

Procedure to Install and Configure the Intended DCS Quorum Server

1. Log in the server that you intend to use as the quorum server, and then extract the
HA_Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz streaming replication high-
availability software package. The extracted files include the install-ha-stream

Ensemble Controller R15.2 Administrator Manual - Issue: A 219

Adtran Configuring Ensemble Controller

installer script for streaming replication high availability. For more information, see
Installation Software.
2. Run install-ha-stream.
3. Type 3 to select Install a quorum host, and then complete the installer command
requests that follow.
The values in square brackets are suggestions for what you can type. If the bracket
includes only one suggestion, you can press Enter to accept the suggested value
without having to type it and continue.
4. Proceed with Installing and Configuring the Intended Standby Ensemble Controller
Server.

Installing and Configuring the Intended Standby Ensemble

Controller Server
Requirements to Install and Configure the Intended Standby Ensemble
Controller Server 220
Procedure to Install and Configure the Intended Standby Ensemble
Controller Server 220

Requirements to Install and Configure the Intended Standby Ensemble

Controller Server
l You meet the Installation Requirements to install and configure a streaming
replication high availability cluster.
l You already configured the intended DCS quorum server as described in Installing
and Configuring the Intended DCS Quorum Server. If not, become acquainted with
and follow the required sequence to configure the servers in a three-node cluster
that you need for streaming replication high availability as described in Installation
Overview.

Procedure to Install and Configure the Intended Standby Ensemble

Controller Server
1. Log in the server that you intend to use as the standby server, and then install
Ensemble Controller as described in Installing Ensemble Controller. The Ensemble
Controller installation package includes the optional software package for streaming
replication high availability.
2. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-
vXX.X.X-SNAPSHOT.tgz streaming replication high-availability software package.
The extracted files include the install-ha-stream installer script for streaming
replication high availability. For more information, see Installation Software.

Ensemble Controller R15.2 Administrator Manual - Issue: A 220

Adtran Configuring Ensemble Controller

3. Run install-ha-stream.
4. Type 2 to select Install a standby HA host, and then complete the installer
command requests that follow.
The values in square brackets are suggestions for what you can type. If the bracket
includes only one suggestion, you can press Enter to accept the suggested value
without having to type it and continue.
5. Verify that you completed all the sequential steps in Installation Overview that you
require to finalize the streaming replication high-availability configuration. If not,
complete remaining steps.

Maintaining Streaming Replication High Availability

Checking the Cluster Status 221
Pausing or Resuming the Streaming Replication High-Availability Control 222
Changing an Existing Streaming Replication High-Availability Configuration 223
Enabling the Single-Server Mode 223
Upgrading Streaming Replication High Availability 224
Updating High Availability Stream Package 227
Enhancing the Database Password Encryption Security 228
Initiating a Server Work Mode Switchover 232
Enabling or Disabling Automatic Switchover for Streaming Replication High
Availability 233
Reverting to a Non-Resilient Configuration or Disabling Streaming
Replication High Availability 233

Checking the Cluster Status

You can verify the status for:
l The servers included in the cluster
l The overall cluster
l The replication
l The last switchover

To verify the status, use either option:

l From the Ensemble Controller installation bin directory, run the nmsadmin script,
and then type the option number for Steaming Replication HA Cluster Status.
–or–

Ensemble Controller R15.2 Administrator Manual - Issue: A 221

Adtran Configuring Ensemble Controller

l From the Ensemble Controller application bar Settings menu, select System, and
then Streaming Replication HA Status. The Streaming Replication High Availability
Cluster Status dialog box opens. To refresh the dialog box with the latest data from
the database, close and re-open it.
l Verify the Server Status in the Ensemble Controller status bar.

Pausing or Resuming the Streaming Replication High-Availability

Control
To perform manual maintenance operations, you can temporarily pause the automatic
control of the cluster. This setting is not persistent and will clear if the cluster restarts.

To pause the cluster control can impair the automatic capabilities of

the streaming replication high availability feature. Only use it with
specific procedures or when the Adtran Technical Support
recommends it.

If you pause the cluster control:

l Cluster monitoring continues, but automatic control features are paused.
l Automatic switchover is disabled and automatic switchovers will not occur.
l There is no automatic read-only mode when the DCS is not accessible.
l Manual switchover is still possible.
l The pause mode affects all servers included in the cluster. The servers are not
changed to the pause mode simultaneously. Therefore, it might take a moment
until all servers change.

Complete these steps to pause the cluster control either on the primary or standby
Ensemble Controller Server. To resume the cluster control, see Step 3.

1. On the relevant server, from the Ensemble Controller installation bin directory, run
the nmsadmin script.
2. To start the option [3] Pause HA Control, type 3, and then press Enter.
Ensemble Controller Pause HA Control...
HA control is paused.
Press any key to continue . . .

To resume cluster control:

3. To start the option [4] Resume HA Control, type 4, and then press Enter.
Ensemble Controller Resume HA Control...

Ensemble Controller R15.2 Administrator Manual - Issue: A 222

Adtran Configuring Ensemble Controller

HA control is resumed.
Press any key to continue . . .

Changing an Existing Streaming Replication High-Availability

Configuration
Complete these steps to update the PostgreSQL credentials for a deployed streaming
replication high-availability cluster.

1. Log in to the server that hosts the primary Ensemble Controller Server, and then
pause the cluster control as described in Pausing or Resuming the Streaming
Replication High-Availability Control.
2. From the Ensemble Controller installation bin directory, run the nmsadmin script.
3. To change the password on the primary server, type Y to select Change Database
Password. The primary core server restarts (no switchover). After the restart, the
system automatically deactivates the pause mode.
4. On the primary Ensemble Controller Server, restart PostgreSQL and its monitoring
component (systemctl restart patroni) to activate the server with the new credentials.
l This restart will not cause a switchover because by now, PostgreSQL on the
standby server will be unable to access its database from the password change.
l It impairs replication temporarily because the standby server is not
authenticated using the new password.
5. Log in to the standby Ensemble Controller Server, and then copy the updated
dbaccess.txt file to the correct location.
6. On the standby Ensemble Controller Server, restart PostgreSQL and its monitoring
component (systemctl restart patroni). This restart will cause the server to use the
new credentials. Replication re-establishes and incrementally synchronizes.

Enabling the Single-Server Mode

If neither the primary nor the standby server can reliably determine quorum, for example
because of multiple failures, they will deactivate themselves rather than risk a multi-
master database situation. It is preferable to restore complete system functions by
resolving the underlying root cause, which allows proper quorum determination.
However, in some cases this repair can not be possible in a timely manner. To safeguard
the system operation in this situation, you can manually bring one Ensemble Controller
instance up, as a standalone primary server.

After you enable the single-server mode, some streaming replication high-availability
features might not be available:

Ensemble Controller R15.2 Administrator Manual - Issue: A 223

Adtran Configuring Ensemble Controller

l Monitoring components for failures.

l Switchover.
l The cluster-status display.
l Transient events for high availability.
l Alarms related to high availability clear and re-instate if the system still does not
operate correctly after you enable high availability again.

Complete these steps to enable the single-server mode on one of the servers in the
cluster that you consider most stable.

1. Stop nms service – systemctl stop fnmserver.

2. Stop and disable patroni service – systemctl stop patroni ; systemctl disable patroni.
3. Stop and disable Etcd service – systemctl stop etcd.<name of your etcd cluster> ;
systemctl disable etcd.<name of your etcd cluster>
4. Backup current configuration files without overwriting existing backups made by
patroni at bootstrapping.
5. Overwrite current configuration with Patroni-made backups.
6. Start and enable PostgreSQL service – systemctl start postgres ; systemctl enable
postgres.
7. Promote PostgreSQL server to master if it previously was a slave - pg_ctl promote -D
<path to postgres data> ; as a postgres user.
8. In the fnm.properties file, remove this property:
com.adva.nlms.mediation.ha-stream.enabled
9. Restart fnm service – systemctl start fnmserver.

Upgrading Streaming Replication High Availability

This section describes how to upgrade to a newer streaming replication high availability
version. The procedure also involves an update of Ensemble Controller and other
software such as PostgreSQL, Patroni, etcd, and so on.

Any scripts that you require to complete this procedure are included in the separate HA_
Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz package within the core Ensemble Controller
installation package.

Complete these steps carefully:

1. Make sure you can reach the servers that host the primary and standby Ensemble
Controller Servers, and the quorum server.
2. Verify the status of the primary and standby Ensemble Controller Servers as
described in Checking the Cluster Status. The replication and overall cluster must

Ensemble Controller R15.2 Administrator Manual - Issue: A 224

Adtran Configuring Ensemble Controller

have the status Normal. Use the status also to become acquainted with the server
roles and distinguish the primary from the standby server.
------------
3. On the server that hosts the quorum Ensemble Controller Server, update High
Availability stream package as described in Updating High Availability Stream
Package.
4. On the server that hosts the standby Ensemble Controller Server, complete these
steps:
a. Run the server_fallback.sh script with super-user privileges:
sudo ./server_fallback.sh
b. Update High Availability stream package as described in Updating High
Availability Stream Package.
c. Upgrade the Ensemble Controller Server as described in Upgrading Ensemble
Controller.
d. At the end of the installation procedure, when the system asks you whether you
want to run the server, type y for yes. Wait for the server to completely restart.
e. After the restart completes, run the server_restore.sh script with super-user
privileges:
sudo ./server_restore.sh
------------

Here is the last moment to stop the procedure and undo the
changes - downgrade and restart standby and quorum server.
After proceeding to the next step, you have to complete the
procedure without going back.

5. On the server that hosts the primary Ensemble Controller Server, complete these
steps:
a. Turn off these services:
l sudo systemctl stop fnmserver
l sudo systemctl stop patroni
l sudo systemctl disable postgres

b. Update High Availability stream package as described in Updating High

Availability Stream Package.
c. Upgrade the Ensemble Controller Server as described in Upgrading Ensemble
Controller, however without starting it.
d. At the end of the installation procedure, when the system asks you whether you
want to run the server, type n for no.
e. Run the server_master.sh script with super-user privileges:

Ensemble Controller R15.2 Administrator Manual - Issue: A 225

Adtran Configuring Ensemble Controller

sudo ./server_master.sh
------------
6. On the server that hosts the standby Ensemble Controller Server, complete these
steps.

Work with the utmost caution while you use the Patroni software
in the subsequent steps.

a. Run this command with super-user privileges:

<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-
home-directory>/fsp_nm/ha/postgres.yml remove <cluster-name>
l The <nms-home-directory> attribute is the Ensemble Controller
installation directory. The default is /opt/adva.
l You can verify the <cluster-name> attribute using the nmsadmin script

as described in Checking the Cluster Status. The default is ha-stream.

For example, the complete command might look as follows:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml remove ha-stream

Type the commands with reasonable care in the subsequent

steps. Any typographical error causes the procedure to fail.

The system presents this cluster table:

b. Locate the line that starts with Please confirm [...], and then type the correct
cluster name, which also displays in the table Cluster column. The default is ha-
stream.
c. Locate the line that starts with You are about [...], and then type Yes I am
aware
d. Locate the line that starts with This cluster currently [...], and then type the
primary Ensemble Controller Server member name, which also displays in the
table Member column. The primary Ensemble Controller Server has the Leader
role as the Role column in the table shows.
e. Run this command with super-user privileges:

Ensemble Controller R15.2 Administrator Manual - Issue: A 226

Adtran Configuring Ensemble Controller

<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-
home-directory>/fsp_nm/ha/postgres.yml list <cluster-name>
For example:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml list ha-stream
f. Verify the cluster table. If the table has not changed and shows the exact
information as before in Step 6a, for example the same Leader, or rows, rerun
this list command, and then verify the table once more:
<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-
home-directory>/fsp_nm/ha/postgres.yml list <cluster-name>
If the table still shows no changes, repeat all of Step 6.
------------
7. On the server that hosts the primary Ensemble Controller Server, turn on these
services:
l sudo systemctl start patroni
l sudo systemctl start fnmserver
------------
8. Verify the primary and standby Ensemble Controller Server status whether they kept
their role as described in Checking the Cluster Status. If required, you can do a role
switchover as described in Initiating a Server Work Mode Switchover.
9. If you upgraded your streaming replication high availability version to 13.3 or later,
make sure to enhance the database password encryption algorithm. Continue with
the steps described in Enhancing the Database Password Encryption Security.

Updating High Availability Stream Package

Complete these steps to update High Availability (HA) Stream Package:

1. Unzip new HA Stream package for Linux, for example:

tar -zxvf HA_Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz
System will create "ha-stream" folder.
2. Run the install.sh installation script with super-user privileges, for example:
sudo ./install-ha-stream.sh
3. Type:
l 5 - if you want to update HA package on the first or standby HA host.

l 6 - if you want to update HA package on the quorum host.

Ensemble Controller R15.2 Administrator Manual - Issue: A 227

Adtran Configuring Ensemble Controller

4. Type Y and press enter.

Enhancing the Database Password Encryption Security

After you upgrade your streaming replication high availability version to 13.3 or later as
described in Upgrading Streaming Replication High Availability, you must enhance the
database password encryption algorithm from the potentially insecure MD5 to the secure
SHA256.

This password security enhancement is an obligatory step. If you miss

it, Ensemble Controller and the streaming replication high availability
configuration are inoperable.

With a clean installation to 13.3 or later, which means that any previous version does not
exist on the system, the database password is already configured to use the SHA256
encryption algorithm.

See one of these sections according to the version you upgraded, and then complete the
steps to enhance the password security:

Any 13.x Version Upgraded to 13.3 or Later 228

Any Supported Version Before 13.1 Upgraded to 13.3 or Later 231

Any 13.x Version Upgraded to 13.3 or Later

On the server that hosts the primary Ensemble Controller Server, complete these steps:

1. To add a valid password:

a. Open the postgres.yml file from here: /opt/adva/fsp_nm/ha/postgres.yml
b. In the restapi area, password field, change none to NeverChange as shown

Ensemble Controller R15.2 Administrator Manual - Issue: A 228

Adtran Configuring Ensemble Controller

here:

2. To add password encryption:

a. Run this command:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml edit-config

b. After the lc_time parameter, in a new line, add:

password_encryption: scram-sha-256

Ensemble Controller R15.2 Administrator Manual - Issue: A 229

Adtran Configuring Ensemble Controller

3. To reload Patroni, type this command:

sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml reload <cluster-name>

The default <cluster-name> is ha-stream, which you can change if required, for
example:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml reload ha-stream

While Patroni reloads, the system automatically performs a switchover that is, the
primary server turns into the standby server, and the other way around.

Ensemble Controller R15.2 Administrator Manual - Issue: A 230

Adtran Configuring Ensemble Controller

4. Log into the server that now hosts the primary server. The root and Adtran user
passwords currently use the MD5 encryption algorithm.
5. To enhance the passwords to use SHA256, run the nmsadmin script file located here:
/opt/adva/fsp_nm/bin/nmsadmin.sh
l To enhance the Adtran user password:
a. Type Y, which starts the Change Database Password option.
b. Type a new password as requested.
c. Type V to exit the script.
After you change the password in the nms home directory
/opt/adva/fsp_nm, the dbaccess.txt file displays.
d. Copy the dbaccess.txt file to the server that now hosts the standby server.
l To enhance the root user password:
a. Type Q, which starts the Query DB option.
fnm-#
b. Type this command:
alter user root with password ‘new_password_here’;

Specify the new password by replacing new_password_here, for example:

alter user root with password ‘MyNewPassword#123’;

c. Type exit to exit the Query DB option.

d. Type V to exit the script.

Any Supported Version Before 13.1 Upgraded to 13.3 or Later

The Adtran user password currently uses the MD5 encryption algorithm. The root user
password by default uses SHA256 already. On the server that hosts the primary Ensemble
Controller Server, complete these steps to enhance the Adtran password to also use the
SHA256 algorithm.

1. Run the nmsadmin script file located here: /opt/adva/fsp_nm/bin/nmsadmin.sh

2. Type Y, which starts the Change Database Password option.
3. Type a new password as requested.
4. Type V to exit the script.
After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
5. Copy the dbaccess.txt file to the server that hosts the standby server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 231

Adtran Configuring Ensemble Controller

Initiating a Server Work Mode Switchover

You can apply a server work mode switchover manually even if you enabled automatic
switchover. This can be needed for testing, maintenance, upgrades, or other activities.
Furthermore, if you disabled automatic switchover as described in Enabling or Disabling
Automatic Switchover for Streaming Replication High Availability, you must manually
change the server mode in these situations:
l If your Ensemble Controller Client disconnects from the primary server, change the
secondary or standby server to master mode.
l If you need to perform maintenance work on the primary server, change the
secondary or standby server to master mode.
l If the primary server database is corrupt, change the secondary or standby server
to master mode.

Complete these steps to manually change the primary or secondary Ensemble Controller
Server work mode:

1. Identify and log in to the server where you will trigger the switchover.
l If both primary and standby are up and operating normally, you can trigger the
switchover from either server.
l If the primary is down or unreachable, you can trigger a switchover from the
standby server.
2. On the relevant server, from the Ensemble Controller installation bin directory, run
the nmsadmin script.
3. To start the option [2] Perform HA Switchover, type 2, and then press Enter.
Ensemble Controller HA Switchover...
Switch current primary <ip-address> to: <ip-address> [Y/N]:
4. Type y to confirm the command. After you type y, this message displays:
Switchover initiated; use "HA Cluster Status" to see status during
switchover.
Press any key to continue . . .
–or–
Type n to cancel the operation.
5. To see the status for this operation, type the appropriate option number for HA
Cluster Status.

Ensemble Controller R15.2 Administrator Manual - Issue: A 232

Adtran Configuring Ensemble Controller

Enabling or Disabling Automatic Switchover for Streaming

Replication High Availability
In the fnm.properties file that Ensemble Controller stores in the installation directory,
edit the property com.adva.nlms.mediation.ha-stream.automatic-switchover. Make sure
that you set the same property values on both the primary and standby server.

Reverting to a Non-Resilient Configuration or Disabling Streaming

Replication High Availability
Requirement to Revert to a Non-Resilient Configuration 233
Procedure to Revert to a Non-Resilient Configuration 233

Requirement to Revert to a Non-Resilient Configuration

l You have installed and operated a three-node cluster for the streaming replication
high-availability solution.
l You are aware that you downgrade your system to a non-resilient configuration
and disable streaming replication high availability.
l After you complete this procedure, be aware that the remaining Ensemble
Controller Server is the one that used to be primary and therefore, the database
content of the primary is preserved for the non-resilient configuration. If you want
to preserve the database content from the standby server instead, before you start
the procedure, perform a manual switchover as described in Initiating a Server
Work Mode Switchover to have the primary operate on the appropriate server.

Procedure to Revert to a Non-Resilient Configuration

1. (Optional) Before you start the downgrade, back up your Ensemble Controller
database as described in Immediate Database Backup.
2. Log in the quorum server that hosts the distributed configuration service (DCS), and
then complete these steps:
a. Run the install-ha-stream installer script located in the streaming replication
high-availability installation directory /opt/adva/fsp_nm/ha/bin/install-
ha-stream.sh
b. Type 4 to select Remove HA features on the host, and then complete the
installer command requests that follow.

Ensemble Controller R15.2 Administrator Manual - Issue: A 233

Adtran Configuring Ensemble Controller

The values in square brackets are suggestions for what you can type. If the
bracket includes only one suggestion, you can press Enter to accept the
suggested value without having to type it and continue.
3. Log in the server that hosts the standby Ensemble Controller, and then repeat the
Steps 2a. to 2b. While the system uninstalls the streaming replication high availability
from the standby server, the primary server experiences an outage.
4. Log in the server that hosts the primary Ensemble Controller, and then complete
these steps:
a. Repeat the Steps 2a. to 2b.
b. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server. After the restart, high availability is no longer available for
your system and you reverted to a non-resilient server that used to be the
primary server.
c. Test the non-resilient server.
5. Log in the server that used to host the standby Ensemble Controller, and then
uninstall the Ensemble Controller software as described in Uninstalling Ensemble
Controller.

Migrating from Standard to Streaming

Replication High Availability
Requirement to Migrate from Standard to Streaming Replication High
Availability 235
Procedure to Migrate from Standard to Streaming Replication High
Availability 235

Ensemble Controller R15.2 Administrator Manual - Issue: A 234

Adtran Configuring Ensemble Controller

Requirement to Migrate from Standard to Streaming

Replication High Availability
l You have installed and operated a two-node cluster for the standard high-
availability solution.
l You meet the Installation Requirements for the streaming replication high-
availability solution.
l Your Ensemble Controller holds a license for streaming replication high-availability
(ENC-HA-STREAM). You can verify your license coverage from the Ensemble
Controller application bar Help menu > Support > License Info. For information,
see the User Manual, Displaying License Information.
l After you complete this procedure, be aware that the remaining Ensemble
Controller Server is the one that used to be primary and therefore, the database
content of the primary is preserved for the streaming replication high-availability
configuration. If you want to preserve the database content from the standby
server instead, before you start the procedure, perform a manual switchover as
described in Initiating a Server Work Mode Switchover to have the primary operate
on the appropriate server.

Procedure to Migrate from Standard to Streaming

Replication High Availability
1. (Optional) Before you start the upgrade, back up your Ensemble Controller database
as described in Immediate Database Backup.
2. Log in the server that hosts the primary Ensemble Controller, and then disable the
standard high-available feature as described in Disabling a Standard High-
Availability Configuration.
3. Log in the server that hosts the standby Ensemble Controller, and then complete
these steps:
a. Disable the standard high-available feature as described in Disabling a Standard
High-Availability Configuration.
b. Shut down the Ensemble Controller Server as described in Stopping the
Ensemble Controller Server.
c. Delete the local database.
4. Log in to the server with the primary Ensemble Controller, and then complete these
steps:

Ensemble Controller R15.2 Administrator Manual - Issue: A 235

Adtran Configuring Ensemble Controller

a. Shut down the Ensemble Controller Server as described in Stopping the

Ensemble Controller Server. After you shut down the Ensemble Controller
Server, the outage associated with this upgrade begins.
b. In the Ensemble Controller installation directory, extract the HA_Stream_for_
Linux-vXX.X.X-SNAPSHOT.tgz streaming replication high-availability
software package. The extracted files include the install-ha-stream installer
script for streaming replication high availability. For more information, see
Installation Software.
c. Run install-ha-stream.
d. Type 1 to select Install a first HA host, and then complete the installer
command requests that follow. For more information, see Installing and
Configuring the Intended Primary Ensemble Controller Server. After the installer
completes the initialization, the outage associated with this upgrade ends.
5. Log in the server that you intend to use as the quorum server that hosts the
distributed configuration service (DCS), and then complete the steps in Installing and
Configuring the Intended DCS Quorum Server.
6. Log in to the server with the standby Ensemble Controller, and then complete these
steps:
a. In the Ensemble Controller installation directory, extract the HA_Stream_for_
Linux-vXX.X.X-SNAPSHOT.tgz streaming replication high-availability
software package. The extracted files include the install-ha-stream installer
script for streaming replication high availability. For more information, see
Installation Software.
b. Run install-ha-stream.
c. Type 2 to select Install a standby HA host, and then complete the installer
command requests that follow. For more information, see Installing and
Configuring the Intended Standby Ensemble Controller Server.
7. (Optional) Complete post-migration steps as described in Step 4 and 5 in Installation
Overview.

System Settings
The system settings apply to all users. See these topics for information about how to
adapt the system settings for Ensemble Controller.

Suppressing Noisy Events 237

Ensemble Controller R15.2 Administrator Manual - Issue: A 236

Adtran Configuring Ensemble Controller

Broadcasting Messages to Ensemble Controller Clients 242

Server Preferences 245
Configuring the NBI Trap Transmitter Settings 262
Configuring ENC-ELS Single Sign-On Connection 266

Suppressing Noisy Events

If network elements become unstable, they send an undesirable amount of events that
we consider as noise. These many, mostly irrelevant noisy events cause the event log to
fill up quickly and thus to purge the oldest but important events. To prevent this scenario,
you can suppress noisy events in the Event Severities window as described here.

For an overview of noisy events that network elements can emit, see Overview of Noisy
Events Per Network Element.

1. From the Ensemble Controller application bar Settings menu, select System, and
then Event Severities. The Event Severities window opens.
2. In the Event Severities ribbon menu, Products area, select the product from which
you want to see the events.
3. In the Event Severities ribbon menu, Noisy Events area, select Suspend. A
Confirmation dialog box opens.
After you select Yes, the system verifies all network elements that support noisy-
event identification, and then suppresses respective events. The Severity column
displays Not Reported for those events that Ensemble Controller suppressed. The
system does neither log suppressed events in the database nor forward them to the
northbound interface (NBI).
4. In the Confirmation dialog box, click Yes to suppress noisy events, or No to stop the
action.
After the unstable network elements return to normal operation, you might want to
revoke the suppression of noisy events.
5. To revoke the noisy event suppression, in the Event Severities ribbon menu, Noisy
Events area, select Resume. A Confirmation dialog box opens.

After you select Yes in the Confirmation dialog box, Ensemble

Controller irretrievably overwrites the settings for the severities that
you customized up to this point in time, and reverts them to factory
defaults.

6. In the Confirmation dialog box, click Yes to revert customized severities to factory
defaults, or No to stop the action.

Ensemble Controller R15.2 Administrator Manual - Issue: A 237

Adtran Configuring Ensemble Controller

After you select Yes, the table updates and shows default severity values, and
resumes database logging and NBI notifications.

Ensemble Controller R15.2 Administrator Manual - Issue: A 238

Adtran Configuring Ensemble Controller

Overview of Noisy Events Per Network Element

This section provides an overview of event traps that certain network element types emit that we consider as noise. You can suppress these
events as described in Suppressing Noisy Events. After you suppress the noisy events, the system does no longer log them in the database.

Device Type State Change Traps Authentication Traps Other Traps

FSP 150 cmStateChangeTrap authenticationFailure cmAttributeValueChangeTrap

(CC)-GExxx
FSP 150- f3SyncJClockProbeStatusChangeTrap cmObjectCreationTrap
XG210
FSP 150CM f3SyncJPTPClockProbeStatusChangeTrap cmObjectDeletionTrap

FSP 150EG- f3SyncJPTPNetworkProbeStatusChangeTra f3BulkTrap

X p
f3PtpTSStatusChangeTrap

linkDown

linkUp

coldStart

warmStart

cmSnmpDyingGaspTrap

Ensemble Controller R15.2 Administrator Manual - Issue: A 239

Adtran Configuring Ensemble Controller

Device Type State Change Traps Authentication Traps Other Traps

FSP 150CCf- nidStateChangeTrap authenticationFailure -
825
dsx1LineStatusChange
dsx3LineStatusChange
nidSnmpDyingGaspTrap
linkDown
linkUp
coldStart
warmStart
FSP 150EG- ovnNGTrapControlGroup - -
M2
FSP 150EG- linkDown
M4

FSP 150EG- linkUp

FSP 150- cmStateChangeTrap authenticationFailure cmAttributeValueChangeTrap

XG116Pro
FSP 150- linkDown cmObjectCreationTrap
XG120Pro
FSP 150- linkUp cmObjectDeletionTrap
XG120Pro-
SH

Ensemble Controller R15.2 Administrator Manual - Issue: A 240

Adtran Configuring Ensemble Controller

Device Type State Change Traps Authentication Traps Other Traps

coldStart f3BulkTrap
warmStart

cmSnmpDyingGaspTrap
FSP 3000R7 equipmentInserted authenticationNotification transientWorkingSwitchedtoProtection
equipmentRemoved authentication transientWorkingSwitchedBacktoWorking
neStateChange transientManualWorkingSwitchedtoProtection
entityStateChange transientManualWorkingSwitchedBacktoWorking
layer2EntityStateChange transientForcedWorkingSwitchedBacktoWorking
transientNeColdStart transientForcedWorkingSwitchedBacktoProtectio
n
snmpAgentStateChanged transientIntrusionRx
snmpAgentSynchronizationStageChanged transientIntrusionTx
transientFarEndDyingGasp
transientFarEndChanged

Ensemble Controller R15.2 Administrator Manual - Issue: A 241

Adtran Configuring Ensemble Controller

Broadcasting Messages to Ensemble Controller

Clients
Complete these steps to broadcast important messages to Ensemble Controller Clients
(ENC Clients). For example, you can broadcast that a server restart will occur soon. ENC
Clients that are currently logged in (online) will see this message immediately. Other ENC
Clients see this message as soon as they log in.

Requirement to Broadcast Messages 242

Procedure to Broadcast Messages 242

Requirement to Broadcast Messages

To broadcast messages, you need to have the permission Broadcast User Messages. The
system grants this permission only to the administrator role, as the default.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller application bar
Settings menu, select Security, and then Security Manager. For more information about
user roles and allocated privileges, see the Administrator Manual, Roles and Allocated
Actions.

Procedure to Broadcast Messages

1. From the application bar Settings menu, select System, and then Broadcast
Message. The Broadcast Messages window opens:

2. In the Broadcast Message window, select either of these tabs:

l Messages that you create and send from the Immediate tab receive the clients
only if they are currently online.

Ensemble Controller R15.2 Administrator Manual - Issue: A 242

Adtran Configuring Ensemble Controller

l Messages that you create and send from the Immediate and Login tab receive
online and offline clients after they log in, unless the message expired. Ensemble
Controller saves the message in the database. With each new message that you
send, Ensemble Controller overwrites the previous message.
3. Create a message as described in these steps:
a. Type a message that corresponds to the stated writing rule. If you type more
characters than allowed, an error message appears below the text field.
b. In the Immediate and Login tab, select a date and time when you want the
message to expire:

By default, the system presets the date/ time field with a value that is 24 hours
in the future from when the window opened.
For keyboard navigation, to specify date and time, these options are supported:
l Focus a digit that you wish to change and type the relevant date/ time

value.
l Focus a digit that you wish to change and use the Up/ Down Arrow keys on

your keyboard.
Depending on the digit you focus, this digit is incremented/ decremented
by one with the relevant key.
l Focus the calendar button adjacent to the field, and then press the
spacebar or Enter to open a one-month-at-a-time calendar.
Select the relevant date from the calendar.
For mouse navigation, to specify date and time, these options are supported:
l Select a digit that you wish to change and use the little up/ down arrows

next to the date/ time field.

Depending on the digit you select, this digit is incremented/ decremented
by one with the relevant arrow.
l Click the calendar button , which opens a one-month-at-a-time
calendar.
Select the relevant date from the calendar.
4. Select Send to broadcast the message. The Broadcast Messages window indicates
the client local time when you sent the message and additionally the expiration date
for the Immediate and Login tab:

Ensemble Controller R15.2 Administrator Manual - Issue: A 243

Adtran Configuring Ensemble Controller

The message will not appear to the user who sent the message.
5. Proceed with these actions as required:
l To reuse the message you just sent for another broadcast, edit the existing text
as required, which enables the Send button again and clears the Sent/ Expiration
time indication. You must wait for 10 seconds before you can send another
message.
l To immediately compose another message without closing the window, select
Clear, which removes the previous message from the text field. Repeat this
procedure from Step 3.
l If a message with expiration date is no longer valid and must not display to any
more clients that log in, select Expire Now, which removes the message from
the Ensemble Controller database. A respective information about the action
displays below the text field.
l To close the window, you can click Close, select x, or press Esc.
For clients currently online and for the ones that log in later, this Broadcast Message
from <username> window opens according to the message sent by the user:

6. Proceed with one of these options:

l Click OK to confirm the message.
l Close the message with x.

Ensemble Controller R15.2 Administrator Manual - Issue: A 244

Adtran Configuring Ensemble Controller

l Press Esc.
If a user sends multiple messages, the windows are all stacked on top of each other
and must be closed one by one. Each message displays just once and thus, when
confirmed the message disappears and will not appear again.
Messages created and sent from the Immediate tab endure only for that client
session. That is, when you log in to the client next time, the text field in the
Immediate tab is blank.
Messages created and sent from the Immediate and Login tab are saved to the
database and therefore are still available in the text field when you log in to the client
next time.

Server Preferences
See these topics for information about how to configure the Ensemble Controller Server
to conform to your network requirements.

Event Log Settings 245

Editing Security Parameters 250
Setting SMTP Properties 256
Setting the Default NE Identity Type 258
Changing the Network Element Icon Labeling 258
Setting the Client Time Zone 260

Event Log Settings

You use the event log settings to specify different thresholds and time periods for the
events in the live and history tables.

Ensemble Controller maintains:

l Live events in the Alarms, Events, and Security tab, also referred to as live tables.
l Historical events in the Alarm History tab, also referred to as history table.

For more information about alarms and events, see the User Manual.

Opening the Event Log Page 246

Event Log Parameters 247
Log Size Details of Live Events 249
Anonymization Details 249

Ensemble Controller R15.2 Administrator Manual - Issue: A 245

Adtran Configuring Ensemble Controller

Opening the Event Log Page

1. From the Ensemble Controller Settings, select System, and then Server
Preferences. The Server Preferences dialog box opens.
2. From the left menu, select Event Log:

The Event Log page divides into areas that contain parameters either for the live or
historical events. For each parameter, you have a field to set relevant values. Some
fields already show appropriate default values. For information about the Event Log
parameters, see Event Log Parameters.
3. To change a parameter, type a relevant value in the field. For the Anonymization
area, you can also use the up and down arrows to select an appropriate value.

Ensemble Controller R15.2 Administrator Manual - Issue: A 246

Adtran Configuring Ensemble Controller

Event Log Parameters

For an overview of all the parameters available in the Event Log page, see this table:

Settings for Default

Area Parameter Description
... Value

Live Events Truncation Maximum Event Log Size/ Records (< = 30,000 The maximum number of events that the live table
200,000) can hold.
The maximum size of 200,000 can be increased by
changing the property
‘com.adva.nlms.mediation.event.maxEventLogSize’
located in the fnm.properties file. See the appendix
>
com.adva.nlms.mediation.event.maxEventLogSize
for more information.
For details regarding the log size, see Log Size
Details of Live Events.
Wait Before Auto-Delete/ Minutes 30 The waiting time in minutes before events are
automatically deleted.
Event Log Size Warning Threshold/ % 95 The event log size in percentage that triggers a
warning to be raised.
Minimal Warning Interval/ Hours 24 The minimal interval in hours of sending out
warnings.
Remaining Log Size After Deletion/ % 90 The log size in percentage remaining after events
have been deleted.

Ensemble Controller R15.2 Administrator Manual - Issue: A 247

Adtran Configuring Ensemble Controller

Settings for Default

Area Parameter Description
... Value

Historical History History Retention Period/ Days (1..360) 211 The time period in days of retaining events in the
Events history table.
History Capacity/ Records (< 1.5 1,000,000 The maximum number of events that the history
Million) table can hold.
Live to History Alarm auto-acknowledge Threshold/ % 50 A threshold in percentage that triggers an alarm
Transfer of all Events in Log when the value of auto-acknowledged events has
been reached or is exceeded.
Waiting Time before Transfer to 1 The waiting time in hours before events are
History/ Hours (1..48) transferred to the history table.
Archive Default Start Age of Events to be 5 The minimum age in days before the event is
Archived/ Days (1..360) archived.
Default End Age of Events to be 0 The maximum age in days with which the event is
Archived/ Days (0..360) still archived.

Live Events Anonymization Removes Personal Information After/ 0 The time in days when personal information are
Days (0...360) removed from the event/ faulted service.
Historical
Events As long as the value is 0, anonymization is disabled
indicated by the red cross next to the spin box ( ).
Faulted
Services After you select a value, anonymization is enabled
indicated by the green icon ( ). When enabled,
anonymization is initialized once a day.
For details regarding anonymization, see
Anonymization Details.

Ensemble Controller R15.2 Administrator Manual - Issue: A 248

Adtran Configuring Ensemble Controller

Log Size Details of Live Events

To assist in monitoring the event log, warnings are issued when the log size is getting
close to the specified maximum size. These warnings are then issued regularly until the
event log size is reduced below the warning threshold or until the maximum size is
reached.

If the maximum size is reached, events are automatically deleted until the event log size
is reduced below a specified threshold. The oldest events will be deleted first. However,
deletion does not start immediately. This is due to the fact that during a trap storm the
maximum limit can very well be exceeded. In this situation it is desirable to refrain from
removing events at the same time to avoid overloading the system.

If you increase the parameter for the event log size to a large value (> 500,000), the
Ensemble Controller could have temporary problems in displaying new events. It can
happen at the time when the Ensemble Controller starts to delete old events to bring the
number below the specified threshold.

All settings regarding the event log size are stored on the Ensemble Controller server and
are valid for all users using this Ensemble Controller server.

Anonymization Details
Live events, historical events as well as faulted services can be anonymized and thus freed
from personalized information. This involves these tasks:
l The user name of the acknowledger is replaced by XXXX if the acknowledgment
date is older than the specified number of days.
The acknowledgment date and the anonymized user name XXXX stays in place so
that log inspection shows that acknowledgment did happen but not by whom.
l All events that are tagged to be security events and faulted services that are older
than the specified number of days are removed.

Anonymization of alarms, events and faulted services as described

here for the Ensemble Controller cannot guarantee full data
anonymization on itself. Other settings have to be made so the
combination of settings result in the overall required level of
anonymization. Such a setting is for example not to enable the
tagging of none-security events with user-specific data on the
FSP 3000R7.

Ensemble Controller R15.2 Administrator Manual - Issue: A 249

Adtran Configuring Ensemble Controller

Editing Security Parameters

Complete the procedures in this section to:
l Set the time of inactivity before Ensemble Controller locks itself automatically. To
regain access, log in again.
l Set the time of inactivity before Ensemble Controller automatically shuts down.
l Set user account policies for your entire network such as, the user name minimum
length, the password minimum number of digits, and so on.
l Set authentication parameters for RADIUS, TACACS+, or LDAP.

Opening the Security Page 250

Setting Auto Lock and Auto Logout 251
Setting User Account Policies 252
Setting Authentication Parameters 254

Opening the Security Page

1. In the Ensemble Controller Settings, select System, and then Server Preferences.
The Server Preferences dialog box opens.
2. From the left menu, select Security:
Parameters with a red icon ( ) are disabled. Parameters with a green icon ( ) are
enabled.

Ensemble Controller R15.2 Administrator Manual - Issue: A 250

Adtran Configuring Ensemble Controller

Figure 13: Server Preferences Security Options

See these topics for details about:

l Setting Auto Lock and Auto Logout
l Setting User Account Policies
l Setting Authentication Parameters

Setting Auto Lock and Auto Logout

1. Open the Server Preferences Security page as described in Opening the Security
Page.

Ensemble Controller R15.2 Administrator Manual - Issue: A 251

Adtran Configuring Ensemble Controller

2. To specify relevant values, edit these areas:

Area Description Steps

Auto Lock Specifies the length of user inactivity before l Type the number
Ensemble Controller becomes locked. By of minutes.
default this parameter is enabled and set to –or–
10 minutes. l Use the up and
If Ensemble Controller becomes locked, the down arrows.
Login window opens where you can log in
again and restore the last Ensemble
Controller session.
Auto Logout Specifies the user inactivity before the
Ensemble Controller Client, not the Server,
automatically shuts down and logs out users.
By default this parameter is disabled.

3. Click OK to save your settings, or click Cancel.

Setting User Account Policies

1. Open the Server Preferences Security page as described in Opening the Security
Page.
The User Account Policies area shows these parameters:
Figure 14: Server Preferences Security Page – User Account Policies

2. To specify the relevant values according to this table, you can either type in the fields
or use the up and down arrows. This table describes the fields and their value
requirements.

Ensemble Controller R15.2 Administrator Manual - Issue: A 252

Adtran Configuring Ensemble Controller

Default Allowed
Policy name Remarks
value range
0 = disabled minimum to
parameter maximum
User name 6 characters 1 to 32 This attribute constrains user names.
minimum characters That is, the user name that you
length create must be within this minimum
number to the maximum number of
allowed characters.
Password 8 characters 1 to 32 This attribute constrains passwords.
minimum characters That is, the password that you
length create must be within this minimum
number to the maximum number of
allowed characters.
If you set a value that is unequal to
or does not meet all of the required
minimum parameters, an error
displays. The minimum parameters
are lowercase, uppercase, special
characters, and digits. Adjust your
settings appropriately.
Optional Parameters
Password 0 characters 1 to 10 This attribute constrains passwords.
minimum characters That is, the password that you
number of create must be within this minimum
lowercase number to the maximum number of
letters allowed characters.
Password
minimum
number of
uppercase
letters
Password
minimum
number of
digits

Ensemble Controller R15.2 Administrator Manual - Issue: A 253

Adtran Configuring Ensemble Controller

Default Allowed
Policy name Remarks
value range
0 = disabled minimum to
parameter maximum
Password
minimum
number of
special
characters
Time period 60 days 0 to 360 days This attribute constrains inactive
after which an user accounts. That is, if an account
inactive user is unused for the number of days
account is that you specify in this field, the
disabled account becomes disabled. The
administrator must then reactivate
the account before a user can use it
again.
Password will 90 days If you set this attribute to 0, which
expire in disables it, the password never
expires.
Admin 30 days
password will
expire in
Keep 5 passwords This attribute constrains password
password reuse. It specifies how many
history for passwords are retained before a
user can reuse it.

3. Select Disable user name cache if you do NOT want to store the user name locally.
With this setting, the login window opens with the user name field unspecified or
empty. By default, the user name cache is enabled.
4. Click OK to apply your settings, or Cancel.

Setting Authentication Parameters

Complete these steps to set authentication parameters such as the type of authentication
and shared secret passwords for RADIUS, TACACS+, or LDAP servers.

Ensemble Controller R15.2 Administrator Manual - Issue: A 254

Adtran Configuring Ensemble Controller

1. Open the Server Preferences Security page as described in Opening the Security
Page.
The Authentication area shows these fields:

2. From the Authentication Type list, select the relevant option for authentication at
login:
l Local: Normal user login, no remote authentication.
l Remote via RADIUS: Centralized authentication using the Remote Access Dial-
In User Service (RADIUS).
l Remote via TACACS+: Centralized authentication using the Terminal Access
Controller Access Control Service Plus (TACACS+).
l Remote via LDAP: Centralized authentication using the Lightweight Directory
Access Protocol (LDAP).
3. To set a secret password, next to the server that you want to configure, click Set. The
Shared Secret dialog box for that server opens.

If you use LDAP authentication and you want to configure more than
one server, make sure you set the secret password for each server,
even if the same value is used.

4. In the Password field, enter a password.

By default, you can use a maximum of 16 characters for the RADIUS shared secret
password. To use more than 16 characters, in the fnm.properties file, edit the
property com.adva.fnm.option.radiusclient
For information about how to edit properties in the fnm.properties file, see Editing
the fnm.properties File.
5. In the Confirm Password field, re-enter the password.
6. Click OK to apply the settings, or Cancel to stop the operation.
7. Repeat the procedure from Step 2 to specify a password also for the other servers, as
applicable. The icons next to the Set button indicate the password status as follows:

Ensemble Controller R15.2 Administrator Manual - Issue: A 255

Adtran Configuring Ensemble Controller

Icon Meaning
A password is defined, and the respective server is configured in the
fnm.properties file.
No password is defined, but the respective server is configured in the
fnm.properties file.
A password is defined, but no respective server is configured in the
fnm.properties file.
no Neither a password nor a respective server is configured in the
icon fnm.properties file.

Additionally, if you hover over an icon, a tooltip reveals information about the icon.
For more information about how to configure servers in the fnm.properties file:
l For RADIUS, see Configuring the RADIUS Server Access in Ensemble Controller.
l For TACACS+, see Configuring the TACACS+ Server Access in Ensemble
Controller.
l For LDAP, see Configuring Access to the LDAP Server.
8. Click OK to apply the settings, or Cancel to stop the operation.

Setting SMTP Properties

Complete these steps to set the simple mail transfer protocol (SMTP) properties that the
server uses to send email notifications.

1. In the Ensemble Controller Settings, select System, and then Server Preferences.
The Server Preferences dialog box opens.
2. From the left menu, select SMTP.

Ensemble Controller R15.2 Administrator Manual - Issue: A 256

Adtran Configuring Ensemble Controller

3. In the SMTP page, edit these fields:

Field Description or Steps

Server Type the name of the SMTP server that the Ensemble Controller
will use to send emails. You can enter either a fully qualified name,
such as mail.yourdomain.com, or the IP address. If the server IP
address changes, you will have to adapt this setting. The fully
qualified name will not require any changes.

NOTE:
If you use the Windows Exchange Server 2010, add the Ensemble
Controller Server IP address to the Exchange server list of SMTP-
relays.
Outgoing Type the appropriate SMTP port number for the outgoing server.
server port
number (SMTP)
Sender email Type an identifying text for the notification, for example,
address (field notification .
FROM)
For email notifications, you will receive an email with the sender
identity equal to <From address field>@<SMTP server name>.
For example, [email protected]. This address must be
valid, or the email server will reject it.
Authentication If the SMTP server requires authentication from Ensemble
required Controller:
1. From your SMTP server administrator, request a login name
and password.
2. Select Authentication required.
3. In the Login field, type the login name.
4. In the Password field, type the password.

Test email To verify if your SMTP properties are correct, send a test email:
address (field 1. In the Test email address (field TO) field, type the email
TO) address where you want to receive a test email.
2. Make sure that this message displays: Email sent successfully.
Please check that it was received correctly.
3. Verify that you received a test email.

4. Click OK to apply your settings, or click Cancel.

Ensemble Controller R15.2 Administrator Manual - Issue: A 257

Adtran Configuring Ensemble Controller

Setting the Default NE Identity Type

Complete these steps to specify the default identity type for all network elements (NEs)
that you newly add to the Ensemble Controller (ENC) database.

The identity type determines how you label an NE wherever it is presented that is, for
example, in the tree and map pane, at the northbound interface (NBI), or in any of the
regular reports, such as inventory report, resource report, and so on.

1. In the Ensemble Controller Settings, select System, and then Server Preferences.
The Server Preferences dialog box opens.
2. From the left menu, select Identity.
3. In the Default NE Identity Type list, select the appropriate option.
Supported Identity Type options:

Identity
Description
Type
Name The name of a string that you set on the network element. If you
change the name in Ensemble Controller, the network element also
uses the changed name. If you change this name on the network
element, Ensemble Controller uses the changed name.
The string name requires the use of special characters. Use the NE
Identifier that supports special characters to specify the name.
IP Address This address is the host or network interface identification.
NE This identifier exists only in Ensemble Controller and conforms to a
Identifier secondary network element name. If you change the NE identifier, the
network element keeps it original name. This ID supports characters
that the network element might not support.

4. Click OK to apply the value that you selected, or click Cancel.

Changing the Network Element Icon Labeling

Complete these steps to change the labeling for all network element icons presented in
the Ensemble Controller. You can separately configure the icon labeling of the network
elements for the tree pane, the map pane in the Networks tab, and the map pane in the
Services tab.

1. From the application bar Settings menu, select System, and then Server
Preferences. The Server Preferences dialog box opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 258

Adtran Configuring Ensemble Controller

2. From the left menu, select NE Icon Label.

Figure 15: NE Icon Label, Server Preferences

For more information about how to set identity parameters, see the User Manual.
By default, the label value that you set for Identity Type <identity> displays for the
tree pane and the Topology Graph window. For the Service Paths window, the
label value set for Name and IP Address displays by default.
Depending on the options you selected from the lists, the adjacent graphical
presentation updates accordingly and you can preview the settings.
3. To change the icon labels for the network elements available in the tree pane, in the
Tree area, select from the Label list options.
4. To change the icon labels for the network elements available in:
l The Topology Graph window, edit the Network Map area.
l The service graph windows, which include the Service Paths window, the
Optical Trace window, or the Layer Browser window, edit the Service Map
area.
5. In the Network Map area or Service Map area, select from the Label Line 1-3 list
options:

Ensemble Controller R15.2 Administrator Manual - Issue: A 259

Adtran Configuring Ensemble Controller

As the lines indicate, the icon labels in the map pane can be provided with up to 3
lines:
l Line 1 is mandatory and therefore, the option <empty> is not available in the
option list.
l Line 2 and 3 are optional and can be selected as appropriate.
Label settings for the Topology Graph also affect the service wizard, for example the
Node Page or Summary Page will display the network element labels accordingly.
For the Service Map settings, if a network element label is longer than a predefined
width, that line is then truncated. A dot (.) symbol is appended to denote
abbreviation.
If you hover over the network element label, a tooltip indicates the full label.
6. Click OK. A notification dialog box appears:

7. Click OK, and then restart the Ensemble Controller Client.

Setting the Client Time Zone

Complete these steps to set a time zone for all your Ensemble Controller (ENC) Clients
that connect to that server. This can be useful if the operating systems where the Clients
run, display an undesirable time zone name. After you set a time zone, the Ensemble
Controller Clients ignore the time zone settings of their operating systems.

You can also set time zones for the Ensemble Controller Server. For information about
how to set Ensemble Controller Server time zones, see Setting the Server Time Zone.

1. In the Ensemble Controller Settings, select System, and then Server Preferences.
The Server Preferences dialog box opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 260

Adtran Configuring Ensemble Controller

2. From the left menu, select Time Zone.

3. To enable the Time Zone page for editing, select Enforce on the clients.
4. From the Time Zone ID list, select a time zone according to your geographical
location.
The time zone overview updates according to the selection.
The date is formatted according to the property com.adva.fnm.option.date_
format and the value that you can specify in the fnm.properties file. For more
information about the date format property, see Graphical User Interface Options.
The timestamp indicates the abbreviation for the time zone, such as CET - Central
European Time or CEST - Central European Summer Time.
The Time Zone Database defines the time zone IDs that the Internet Assigned
Numbers Authority (IANA) maintains.
5. Alternatively, to restrict the time zone ID list to those with the same UTC offset, select
Filter by UTC offset. This enables the adjacent list of time offsets.
6. Select the desired offset, then select the desired value from the now shorter Time
Zone ID list.
7. Click OK to apply the selected values, or click Cancel to stop the action. A
notification displays.
8. Click OK, and then restart the Ensemble Controller Client.
9. You can quickly verify the time zone changes:
l In the starting dialog box that appears after you successfully logged into the
Client as shown here:

Ensemble Controller R15.2 Administrator Manual - Issue: A 261

Adtran Configuring Ensemble Controller

l In the Alarms or Events table, Time column.

Configuring the NBI Trap Transmitter Settings

Complete these steps to configure trap transmitter parameters for the northbound
interface (NBI) to send traps to the operating support systems (OSS) that you specify. By
default, the NBI uses SNMPv2c.

These steps also include the instructions about how to modify the trap community string
applicable to SNMPv2c for the OSS.

Requirement to Configure the NBI Trap Transmitter Settings 262

Procedure to Configure the NBI Trap Transmitter Settings 263

Requirement to Configure the NBI Trap Transmitter

Settings
To configure the NBI trap transmitter, you need to have the permission Control NBI Trap
Transmitter Settings. This permission is by default granted only to the role of
administrators.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller Settings, select
Security, and then Security Manager. For more information about user roles and
allocated privileges, see Roles and Allocated Actions.

Ensemble Controller R15.2 Administrator Manual - Issue: A 262

Adtran Configuring Ensemble Controller

Procedure to Configure the NBI Trap Transmitter Settings

1. In the Ensemble Controller Settings, select System, and then NBI Trap Transmitter
Settings. The NBI Trap Transmitter window opens.
2. Edit the fields as described in this table. The fields that are shaded in yellow or red
are mandatory fields. You must edit them. However, the value that you enter in a
red-shaded field must meet certain criteria to be valid. Note the field messages,
which inform about the criteria.

Field Description or Steps

SNMP Version l Select v2c to modify the trap community string of that SNMP
version.
The SNMP v1/v2 Settings area is made available.
l Select v3 to change from the default SNMPv2c to SNMPv3 and
configure this interface accordingly. The SNMPv3 Settings area
is made available.

OSS Address Specify the OSS addresses to which you want Ensemble Controller
List to apply the settings:
1. To add an address, select Add. The Add new OSS Address
dialog box displays.

2. Edit these fields:

Field Description or Steps

IP/Host Type the IP or the host address.
Address
Port If required, you can change the default port 162
that already shows in this field.

3. Click OK to apply your changes, or Cancel to stop the

operation.
After you click OK, the new address displays in the OSS
Address List field.

Ensemble Controller R15.2 Administrator Manual - Issue: A 263

Adtran Configuring Ensemble Controller

Field Description or Steps

4. To modify or delete an existing address, in the OSS Address
List field, select the address, and then select Modify or
Delete.
l After you select Delete, Ensemble Controller immediately

removes the address from the OSS Address List field.

l After you select Modify, the Modify OSS Address dialog
box displays.
a. See Step 2 for information about how to edit the
fields.
b. After you edit the fields, click Modify to save your
changes, or Cancel to stop the operation.

Whenever you add, delete, or modify an address in the OSS

Address List field, the system sends respective event
notifications, for example, OSS-DEL or OSS-ADD, to each of
the listed addresses. For more information about these
events, see the User Manual.
5. If you have several IP interfaces, to specify the source IP that is
reported as varbind inside the event, in the fnm.properties
file, set the parameter
com.adva.fnm.option.snmpNBISource. For a description of
this property, see Server Access Options.
Get This field is available only if you selected v2c in the SNMP Version
Community field. If required, you can change the default trap community
string public that already shows in this field.
User Name Type the user name for this SNMP version.
Security Level Select the level of security that Ensemble Controller and the OSS
use to communicate.

Ensemble Controller R15.2 Administrator Manual - Issue: A 264

Adtran Configuring Ensemble Controller

Field Description or Steps

Authentication These fields are Select the authentication protocol that
Protocol available only if you Ensemble Controller uses to authenticate
selected messages.
Authentication and
Authentication Type the appropriate password for the
Privacy or
Password selected authentication protocol.
Authentication Only in
Retype the Security Level Retype the exact password you entered in
Authentication field. the Authentication Password field.
Password
Privacy These fields are Select the privacy protocol that Ensemble
Protocol available only if you Controller uses to encrypt the data
selected portion of messages.
Authentication and
Privacy Type the appropriate password for the
Privacy in the Security
Password selected privacy protocol.
Level field.
Retype Privacy Retype the exact password you entered in
Password the Privacy Password field.
Use Custom Select to set the field to Yes and thus enable the use of an SNMP
Engine engine ID, or set it to No to disable the use. After you set it to Yes,
you can edit the Custom Engine ID field.
Custom Engine This field is available only if you set the Use Custom Engine field to
ID Yes. Type an appropriate ID.

3. Click Save to immediately apply the settings, or Cancel to stop the operation.
After you click Save, the trap forwarder will resolve the host name addresses that you
specified in the OSS Address List field, into IP addresses by using a domain name
system (DNS) server. If the trap forwarder fails to resolve these host name addresses,

Ensemble Controller R15.2 Administrator Manual - Issue: A 265

Adtran Configuring Ensemble Controller

a red exclamation mark displays next to that address as illustrated in this figure:

4. Reopen the NBI Trap Transmitter window to verify whether the trap forwarder
could not resolve any of the host name address that you specified. To open a tooltip
with required information, hover over an unresolved host-name address.

Configuring ENC-ELS Single Sign-On Connection

With this feature you can configure three types of Single Sign-On (SSO) accounts:
l Admin - User is able to connect to ELS with ROLE_ADMIN+ROLE_READ privileges,
which gives full administrative and read privileges to all Flexnet Embedded Server
(FNE) data.
l Restricted admin - User is able to connect to ELS with ROLE_ADMIN+ROLE_READ
privileges but with no ability to perform user management functions on the ELS.
l Read - User is able to connect to ELS with ROLE_READ privileges, which gives only
the ability to view non-sensitive data of the FNE.

SSO connection to ELS is limited for every user by these permissions:

l View ENC-ELS Single Sign-On settings.
l Modify ENC-ELS Single Sign-On settings.
l Perform ELS Single Sign-On as Administrator.
l Perform ELS Single Sign-On as Restricted Administrator.
l Perform ELS Single Sign-On as Read.

Ensemble Controller R15.2 Administrator Manual - Issue: A 266

Adtran Configuring Ensemble Controller

The user will be able to connect to ELS with the currently configured SSO account
depending on the permissions he has. The system takes into account the highest granted
permission for the user. For example, if "Perform ELS Single Sign-On as Restricted
Administrator" is the highest permission granted to the user, restricted administrator
account must be enabled in the ENC-ELS SSO settings to have restricted administrator
privileges. The system grants all five permissions only to the administrator account, by
the default. All other users have only "Perform ELS Single Sign-On as Read" permission
enabled. The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller application bar
Settings menu, select Security, and then Security Manager. For more information about
user roles and allocated privileges, see the Administrator Manual, Roles and Allocated
Actions.

ELS SSO operates independently from authentication and authorization methods used to
log in to Ensemble Controller. Therefore, you can use ELS SSO alongside Ensemble
Controller Local, RADIUS, TACACS+ and LDAP authentication and authorization methods.

Requirement to Configure ENC-ELS Single Sign-On Connection 267

Procedure to Configure ENC-ELS Single Sign-On Connection 267

Requirement to Configure ENC-ELS Single Sign-On

Connection
In the fnm.properties file, located in the Ensemble Controller installation directory, edit
these properties to specify the main and backup license server GUI URL:
l com.adva.fnm.option.elsgui.ipaddress
l com.adva.fnm.option.backupElsgui.ipaddress

For information about how to edit the fnm.properties file, see Editing the fnm.properties
File.

Procedure to Configure ENC-ELS Single Sign-On

Connection
1. In the Ensemble Controller Settings, select System-> Licensing and ELS-> ENC-
ELS Single Sign-On Settings. The ENC-ELS Single Sign-On Settings window
opens.
2. Enable SSO connection using administrator account, if required:

Ensemble Controller R15.2 Administrator Manual - Issue: A 267

Adtran Configuring Ensemble Controller

l Select Enable Admin SSO.

l Enter username and password.
l To test the connection, click Test Admin ELS Connection.
o If the test is successful, go to the next step.

o If the test fails, make sure that you enter the correct credentials and retest.
l Click OK to save.

3. Enable SSO connection using restricted administrator account, if required:

l Select Restricted Admin SSO.

l Enter username and password.
l To test the connection, click Test Restricted Admin ELS Connection.
o If the test is successful, go to the next step.

o If the test fails, make sure that you enter the correct credentials and retest.
l Click OK to save.

Restrict User Management field is displayed for information only.

4. Enable SSO connection using read account, if required:

l Select Enable Read SSO.

l Enter username and password.
l To test the connection, click Test Read ELS Connection.
o If the test is successful, go to the next step.

o If the test fails, make sure that you enter the correct credentials and retest.
l Click OK to save.

Configuring Operations from the

fnm.properties File
This chapter discusses the operations that you configure in the fnm.properties file.

Editing the fnm.properties File 269

Enabling the Login or Post-Login Dialog Box Message 271

Ensemble Controller R15.2 Administrator Manual - Issue: A 268

Adtran Configuring Ensemble Controller

Setting Up RADIUS Authentication 274

Setting Up TACACS+ Authentication 278
Setting Up LDAP Authentication 281
Using Multiple Network Interfaces for Communication 285

Editing the fnm.properties File

To customize the Ensemble Controller Server, you can edit the appropriate properties in
the fnm.properties file. This file is located in the Ensemble Controller installation
directory.

Figure 16 gives an overview of the fnm.properties file.

The syntax for the properties is: com.adva.fnm.option.<parameter

name>=<parameter value>. The properties that you can customize, are organized in
sections.
l Lines that begin with the symbol #, are either comments or disabled properties,
and do not affect the Ensemble Controller Server.
l Lines that do NOT begin with the symbol #, are enabled properties that include a
value. Enabled properties affect the Ensemble Controller Server.

Each property is also briefly described in the fnm.properties file.

Ensemble Controller R15.2 Administrator Manual - Issue: A 269

Adtran Configuring Ensemble Controller

Figure 16: fnm.properties File Example

Complete these steps to edit the fnm.properties file:

1. Open the fnm.properties file on the relevant Ensemble Controller Server using a text
editor, for example, WordPad on Windows or Linux.
2. Use one of these options to customize the relevant properties:
l To enable the property, delete the initial # at the beginning of the line.
l To disable a property, add # at the beginning of the line.
l Change an enabled property value.
See the appendix > Server Property Overview for more information about the
supported properties.
3. Save and close the fnm.properties file.

Ensemble Controller R15.2 Administrator Manual - Issue: A 270

Adtran Configuring Ensemble Controller

4. Restart the Ensemble Controller Server, as described in Starting the Ensemble

Controller Server.

Enabling the Login or Post-Login Dialog Box

Message
In the fnm.properties server file, you can enable login and post-login messages.

The fnm.properties file is located in the Ensemble Controller (ENC) installation directory
C:\Program Files\ADVA Optical Networking\FSP Network Manager.

See these topics for more information about these messages and how you can enable
them:

Login Dialog Box Message 271

Post-Login Dialog Box Message 272

Login Dialog Box Message

When enabled, the login message displays in the Login dialog box for each Ensemble
Controller Client connecting to the server as illustrated here:

The first time the Ensemble Controller Client displays the Login dialog box, it does not
display any configured message. This is because the client has not yet established contact
with the server and thus has not yet access to the message.

After the first login, the Ensemble Controller Client stores the message in its cache. All
subsequent logins will display the message until you change or remove it.

If you change a message on the server, the Ensemble Controller Client Login dialog box
will not show the new message for the first login after the change. This is again because

Ensemble Controller R15.2 Administrator Manual - Issue: A 271

Adtran Configuring Ensemble Controller

the client has not yet established contact with the server and thus has not yet stored the
new message in its cache.

To enable the login message, do as follows:

1. Open the fnm.properties file on the relevant server using a text editor, for example
WordPad.
2. Search (Ctrl + f) for the parameter
com.adva.fnm.option.server_welcome_text
3. Enable the parameter by deleting the initial number sign <#> at the beginning of the
line.
4. As appropriate, change the default text to what is to be displayed in the Login dialog
box.
For example:
com.adva.fnm.option.server_welcome_text=Welcome to this session.
5. Save and close the fnm.properties file.
For more information about editing the fnm.properties file, see Editing the
fnm.properties File.

Post-Login Dialog Box Message

In the fnm.properties file, you can enable the post-login message. After you log in to the
Ensemble Controller Client, the message displays as shown:

Ensemble Controller R15.2 Administrator Manual - Issue: A 272

Adtran Configuring Ensemble Controller

Figure 17: Post-Login Dialog Box with Example Message

If the text has many lines and spreads beyond the border of the dialog box, you can use
the scroll bar or resize the dialog box to see the complete text.

Complete these steps to enable the post-login message:

1. Open the fnm.properties file on the relevant server using a text editor, for example
WordPad.
2. Use Ctrl + f to search for the property
com.adva.fnm.option.server_postLogonText
3. To enable the property, delete the initial number sign <#> at the beginning of the
line.
4. As appropriate, change the default text to what you want Ensemble Controller to
display in the post-login dialog box. The text is unlimited, which means you can add
as many lines as appropriate. For a better overview, you can use these optional
elements to structure the text:
l To separate lines and to indicate that the text continues, use \ backslashes.
Consequently, do NOT add a backslash to the end of the last line.

Ensemble Controller R15.2 Administrator Manual - Issue: A 273

Adtran Configuring Ensemble Controller

l To wrap lines, use \n\ as this example shows:

See Figure 17 for how this text is presented in the post-login dialog box.
5. Save and close the fnm.properties file.
For more information about how to edit the fnm.properties file, see Editing the
fnm.properties File.

Setting Up RADIUS Authentication

Ensemble Controller supports the remote access dial-in service (RADIUS) protocol based
on RFC2865 for centralized authentication.

RADIUS allows authentication of users by communicating with a central server. The server
maintains the user profiles in a central database, and RADIUS automatically recognizes
the properties that are assigned to each RADIUS user. Each user needs only one user
name and one password for all network elements.

To use RADIUS authentication with Ensemble Controller,prepare as follows:

l Configure one or up to three RADIUS servers to support Ensemble Controller, and
then specify the relevant user accounts with corresponding Ensemble Controller
group memberships.
l Configure Ensemble Controller with the RADIUS servers, host addresses, and the
RADIUS server shared secret passwords.

For information about how to configure the RADIUS shared secret passwords, see Setting
Authentication Parameters.

Configuring an External RADIUS Server 275

Configuring the RADIUS Server Access in Ensemble Controller 275
Configuring the RADIUS Server Timeout 276
RADIUS Access-Challenge 277

Ensemble Controller R15.2 Administrator Manual - Issue: A 274

Adtran Configuring Ensemble Controller

Configuring an External RADIUS Server

In order to use RADIUS authentication, a RADIUS server has to be configured. An
example of a RADIUS server is FreeRADIUS, a free RADIUS server (see
www.Freeradius.org).

1. Register the ADVA vendor ID 2544.

2. Register an attribute with ID 101 (ADVA-User-Groups) as an ADVA-vendor attribute
of type string. This table shows a FreeRADIUS dictionary example:
VENDOR ADVA 2544
ATTRIBUTE ADVA-User-Groups 101 string ADVA

3. For each user account that you want to log in to Ensemble Controller, create the
Adva-User-Groups attribute.
4. For each user account that you want to log in to Ensemble Controller, assign a value
to the Adva-User-Groups.
The value must be a comma separated list of the Ensemble Controller user group
names that the user account is to be a member of.

Configuring the RADIUS Server Access in Ensemble

Ensemble Controller R15.2 Administrator Manual - Issue: A 275

Adtran Configuring Ensemble Controller

6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.radiusport
l 2nd server: com.adva.fnm.option.radiusport2
l 3rd server: com.adva.fnm.option.radiusport3
7. Remove the number sign # in front of the property to enable it for the respective
RADIUS server that you want to configure. Ensemble Controller listens on this
RADIUS server host port. By default this port is set to 1812.
8. If relevant, change the port number of the RADIUS server host that Ensemble
Controller is to listen to.
9. Save the file.
10. Set the server timeout as described in Configuring the RADIUS Server Timeout.

Configuring the RADIUS Server Timeout

The RADIUS server timeout controls the time after which Ensemble Controller attempts
to reach another server for authentication if the previous server is not available.

RADIUS authentication takes place sequentially as described here:

1. Try first RADIUS server if configured.

2. Try second RADIUS server if configured.
3. Try third RADIUS server if configured.
4. Authenticate locally.

To change the timeout values, complete these steps:

1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text
editor, for example WordPad. The fnm.properties file is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical Networking\FSP
Network Manager (for Windows).
2. In the fnm.properties file, search for these timeout properties according to the
number of servers that you want to configure:
l 1st server: com.adva.fnm.option.radiustimeout
l 2nd server: com.adva.fnm.option.radiustimeout2
l 3rd server: com.adva.fnm.option.radiustimeout3
3. Remove the number sign # in front of the property to enable it for the respective
RADIUS server that you want to configure. The default timeout is set to 8 seconds
per server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 276

Adtran Configuring Ensemble Controller

4. If relevant, change the default timeout value for the respective RADIUS server. Type a
new value after the equal sign =.

The total value of timeouts that you can configure for all RADIUS
servers must NOT exceed 60 seconds.

5. Save the file.

RADIUS Access-Challenge
This section provides one example method of how you can use the RADIUS access-
challenge during login. The other methods are not in the scope of the Ensemble
Controller user documentation.

Logging In Through One-Time-Password

To log into Ensemble Controller, you can use an RSA SecurID token to create a one-time-
password (OTP). For information about the regular Ensemble Controller login procedure,
see Logging Into the Ensemble Controller Client.

If you use OTP to log in, you cannot connect to multiple Ensemble
Controller Servers anymore. For more information about how to
connect to multiple Ensemble Controller Servers, see Enabling a
Connection of One Ensemble Controller Client to Multiple Servers.

The first time that you use the RSA SecurID token, you have to specify the PIN as this
example shows:

Ensemble Controller R15.2 Administrator Manual - Issue: A 277

Adtran Configuring Ensemble Controller

After you set the PIN, you can log into Ensemble Controller through OTP.

Setting Up TACACS+ Authentication

Ensemble Controller supports the Cisco terminal-access controller access-control system
(TACACS+) protocol for centralized authentication.

TACACS+ allows authentication of users by communicating with a central server. The

server maintains the user profiles in a central database, and TACACS+ automatically
recognizes the properties that are assigned to each TACACS+ user. Each user needs only
one user name and one password for all network elements.

To use TACACS+ authentication with Ensemble Controller, prepare as follows:

l Configure one or up to three TACACS+ servers to support Ensemble Controller,
and then specify the relevant user accounts with corresponding Ensemble
Controller group memberships.
l Configure Ensemble Controller with the TACACS+ servers, host addresses, and the
TACACS+ server shared secret passwords.

For information about how to configure the TACACS+ shared secret passwords, see
Setting Authentication Parameters.

Configuring an External TACACS+ Server 279

Configuring the TACACS+ Server Access in Ensemble Controller 280
Configuring the TACACS+ Server Timeout 280

Ensemble Controller R15.2 Administrator Manual - Issue: A 278

Adtran Configuring Ensemble Controller

Configuring an External TACACS+ Server

To use TACACS+ authentication, you must configure a TACACS+ server. Complete these
generic steps to configure a TACACS+ server in Linux.

1. Open the configuration file /etc/tacacs+/tac_plus.conf.

The file displays comments as indicated in this example:
# Created by Henry-Nicolas Tourneur([email protected])
# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
key = testing123
2. To create a new user, add these commands:
user = <login name> {
pap = cleartext ChgMeNOW

service = fspnm {
Adva-User-Groups = Administrator
}
}

If a user already exists, this message displays:

user = <existingUser> {
pap = cleartext <secretPassword>

...
}
3. To add a new service to the existing user, add these commands:
service = fspnm {
Adva-User-Groups = Administrator
}

Finally, the configuration message for an existing user displays:

user = <existingUser> {
pap = cleartext <secretPassword>

...

service = fspnm {
Adva-User-Groups = Administrator
}
}

Ensemble Controller R15.2 Administrator Manual - Issue: A 279

Adtran Configuring Ensemble Controller

Configuring the TACACS+ Server Access in Ensemble

Controller
1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text
editor, for example WordPad. The fnm.properties file is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical Networking\FSP
Network Manager (for Windows).
2. In the fnm.properties file, search for these host properties according to the number
of servers that you want to configure:
l 1st server: com.adva.fnm.option.tacacshost1
l 2nd server: com.adva.fnm.option.tacacshost2
l 3rd server: com.adva.fnm.option.tacacshost3
3. Remove the number sign # in front of the property to enable it for the respective
TACACS+ server that you want to configure.
4. Replace the IP address after the equal sign = with the IP address of your TACACS+
server host.
5. Save the file.
6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.tacacsport1
l 2nd server: com.adva.fnm.option.tacacsport2
l 3rd server: com.adva.fnm.option.tacacsport3
7. Remove the number sign # in front of the property to enable it for the respective
TACACS+ server that you want to configure. Ensemble Controller listens on this
TACACS+ server host port. By default this port is set to 49.
8. If relevant, change the port number of the TACACS+ server host that Ensemble
Controller is to listen to.
9. Save the file.
10. Set the server timeout as described in Configuring the TACACS+ Server Timeout.

Configuring the TACACS+ Server Timeout

The TACACS+ server timeout controls the time after which Ensemble Controller attempts
to reach another server for authentication if the previous server is not available.

TACACS+ authentication takes place sequentially as described here:

Ensemble Controller R15.2 Administrator Manual - Issue: A 280

Adtran Configuring Ensemble Controller

1. Try first TACACS+ server if configured.

2. Try second TACACS+ server if configured.
3. Try third TACACS+ server if configured.
4. Authenticate locally.

To change the timeout values, complete these steps:

1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text
editor, for example WordPad. The fnm.properties file is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical Networking\FSP
Network Manager (for Windows).
2. In the fnm.properties file, search for these timeout properties according to the
number of servers that you want to configure:
l 1st server: com.adva.fnm.option.tacacstimeout1
l 2nd server: com.adva.fnm.option.tacacstimeout2
l 3rd server: com.adva.fnm.option.tacacstimeout3
3. Remove the number sign # in front of the property to enable it for the respective
TACACS+ server that you want to configure. The default timeout is set to 8 seconds
per server.
4. If relevant, change the default timeout value for the respective TACACS+ server. Type
a new value after the equal sign =.

The total value of timeouts that you can configure for all TACACS+
servers must NOT exceed 60 seconds.

5. Save the file.

Setting Up LDAP Authentication

Ensemble Controller supports the Lightweight Directory Access Protocol (LDAP),
specifically LDAPv3 for centralized authentication.

LDAP authenticates users by communicating with a central server. The server maintains
user profiles in a tree-structured directory, which is described in Basics About the LDAP
Server Directory Structures. After you assign properties to each LDAP user, LDAP is
automatically aware of these properties. Because the centralized directory maintains each
user’s properties, you do not need to define each user with a local account in Ensemble
Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 281

Adtran Configuring Ensemble Controller

To use LDAP authentication with Ensemble Controller, prepare as follows:

1. Configure one or up to three LDAP servers to support Ensemble Controller. Then

populate the directory with user accounts and group memberships that correspond
to the Ensemble Controller security groups. These options are available to represent
Ensemble Controller group information in the directory:

Group Management Option Description

advaUserGroups Lists the group names of a user in a string
attribute.
memberOf Uses the native directory group objects to
represent the group membership.

2. Configure the Ensemble Controller access and directory properties for the LDAP
servers and the LDAP server shared secret passwords.

For information about how to configure the LDAP shared secret passwords, see Setting
Authentication Parameters.

Configuring Access to the LDAP Server 282

Configuring the LDAP Server Timeout 283
Changing the Default Security Protocol 284

Configuring Access to the LDAP Server

1. In the relevant Ensemble Controller Server, use a text editor such as WordPad to
open the fnm.properties file. If your PC is running Windows, the fnm.properties file
is located in the Ensemble Controller installation directory C:\Program Files\ADVA
Optical Networking\FSP Network Manager.
2. In the fnm.properties file, search for these host properties according to the number
of servers that you want to configure:
l 1st server: com.adva.fnm.option.ldaphost1
l 2nd server: com.adva.fnm.option.ldaphost2
l 3rd server: com.adva.fnm.option.ldaphost3
3. At the beginning of each property name, remove # to enable the property for the
respective LDAP server that you want to configure.
4. Replace the IP address after = with the IP address of your LDAP server host.
5. Save the file.

Ensemble Controller R15.2 Administrator Manual - Issue: A 282

Adtran Configuring Ensemble Controller

6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.ldapport1
l 2nd server: com.adva.fnm.option.ldapport2
l 3rd server: com.adva.fnm.option.ldapport3
7. At the beginning of the property name, remove # to enable the property for the
respective LDAP server that you want to configure. Ensemble Controller listens from
this LDAP server host port, number 389 by default.
8. If relevant, change the port of the LDAP server host that you want Ensemble
Controller to listen to. According to the port that you specify, Ensemble Controller
automatically uses a standard security protocol that you can change if the port
supports that change. This table shows the options:

Ports Default Security Protocol Optionally Change to

636 LDAPS
389, the default StartTLS Unencrypted
Non-Standard port LDAPS or Unencrypted

For information about the default protocols and how to change them, see Changing
the Default Security Protocol.
9. Save the file.
10. Set the server timeout as described in Configuring the LDAP Server Timeout.

Configuring the LDAP Server Timeout

The LDAP server timeout controls the length of time that Ensemble Controller attempts
to reach another server for authentication, if the previous server is unavailable.

LDAP authentication occurs sequentially:

1. Try the first LDAP server if configured.

2. Try the second LDAP server if configured.
3. Try the third LDAP server if configured.
4. Authenticate locally.

Complete these steps to change the timeout values:

1. In the relevant Ensemble Controller Server, use a text editor such as WordPad to
open the fnm.properties file. If your PC runs Windows, the fnm.properties file is
located in the Ensemble Controller installation directory C:\Program Files\ADVA

Ensemble Controller R15.2 Administrator Manual - Issue: A 283

Adtran Configuring Ensemble Controller

Optical Networking\FSP Network Manager.

2. In the fnm.properties file, search for these timeout properties according to the
number of servers that you want to configure:
l 1st server: com.adva.fnm.option.ldaptimeout1
l 2nd server: com.adva.fnm.option.ldaptimeout2
l 3rd server: com.adva.fnm.option.ldaptimeout3
3. At the beginning of the property name, remove # to enable it for the respective
LDAP server that you want to configure. The default timeout is 8 seconds per server.
4. If relevant, change the default timeout value for the respective LDAP server. Type a
new value after =.

The total value of timeouts that you can configure for all LDAP servers
must be less than or equal to 60 seconds.

5. Save the file.

Changing the Default Security Protocol

The LDAP server port that you specify automatically uses a standard security protocol.
See Configuring Access to the LDAP Server. If you can change the port settings, shown in
this table, you can change the default protocol for the selected LDAP server port.

Table 11: Default Protocols for the Selected LDAP Server Port
LDAP Server
Default Security Protocol Optionally Change to
Ports
636 LDAPS: SSL tunnel encryption with
simple authentication.
389, the default StartTLS: TLS encryption with simple Unencrypted
authentication.
Non-standard port LDAPS or Unencrypted

1. In the relevant Ensemble Controller Server, open the fnm.properties file in a text
editor, such as WordPad. The fnm.properties file on a PC running Windows is
located in the Ensemble Controller installation directory C:\Program Files\ADVA
Optical Networking\FSP Network Manager.
2. In the fnm.properties file, search for these security protocol properties according to
the number of servers that you want to configure:

Ensemble Controller R15.2 Administrator Manual - Issue: A 284

Adtran Configuring Ensemble Controller

l 1st server: com.adva.fnm.option.ldapsecprot1

l 2nd server: com.adva.fnm.option.ldapsecprot2
l 3rd server: com.adva.fnm.option.ldapsecprot3
3. At the beginning of the property name, remove # to enable the property for the
respective LDAP server that you want to configure. The software sets the default
security protocol to StartTLS.
4. If relevant, after =, change the security protocol for the respective LDAP server. See
Table 11 for information about the supported ports and their protocols.
5. Save the file.

Using Multiple Network Interfaces for

Communication
Complete the steps in this procedure to configure the Ensemble Controller Server to use
multiple network interfaces for communication.

Prerequisites to Use Multiple Network Interfaces 285

Configuring Multiple Network Interfaces 286

Prerequisites to Use Multiple Network Interfaces

If you want the Ensemble Controller Server (ENC Server) to use two (or multiple) network
interfaces for communication you must configure the interfaces. One interface
communicates with the network elements, and the other one with the ENC Server client
machines.

The user that configures the server must be logged on with system administrator rights
and be aware of the IP address that belongs to the respective network interface.

This procedure uses the IP address 10.0.119.50 for the interface facing the network
elements, and 10.31.66.67 for the interface facing the network, where the Ensemble
Controller Server clients are connected, as shown in Figure 18.

Ensemble Controller R15.2 Administrator Manual - Issue: A 285

Adtran Configuring Ensemble Controller

Figure 18: IPCONFIG of Communication Interfaces

Configuring Multiple Network Interfaces

Complete these steps to specify IP addresses for the Ensemble Controller Server that is
provided with several IP interfaces.

To specify the IP addresses, you edit the respective properties in the fnm.properties file.
The fnm.properties file is located in the Ensemble Controller installation directory, which
is for example C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager
for a Windows operating system.

For more information about the fnm.properties file and how to edit it, see Editing the
fnm.properties File.

Ensemble Controller R15.2 Administrator Manual - Issue: A 286

Adtran Configuring Ensemble Controller

1. In the fnm.properties file, navigate to these properties:

Properties Description
com.adva.fnm.option.serverIP For communication from the
server to the client, and from
the server to the server.
com.adva.fnm.option.trapsink For SNMP trap registrations.
The property supports only
IPv4 addresses or host names.
Type a trapsink IP address that
faces network elements.
com.adva.fnm.option.trapsinkport The port that the server uses
for SNMP trap notifications.
The default is 162. If you do
not define a port, the system
uses the default.
com.adva.fnm.option.trapsink.ip6 For SNMP trap registrations.
The property supports only
IPv6 addresses. Local link
addresses are not accepted.
com.adva.fnm.option.trapsink.IpValidationEnabled To enable the property, set it
to true. After you enable it, the
system validates the trapsink
IPv4 and IPv6 addresses to
verify whether they belong to
the system. The validation
process takes place during
server restart.
com.adva.fnm.option.snmpProviderHost For Element Manager SNMP
communication. Type an IP
address that faces Ensemble
Controller Server clients.
com.adva.nlms.mediation.mtosi.hostName Displays in MTOSI responses.

Ensemble Controller R15.2 Administrator Manual - Issue: A 287

Adtran Configuring Ensemble Controller

Properties Description
com.adva.fnm.option.snmpNBISource You can configure Ensemble
Controller to transmit SNMP
northbound interface (NBI)
traps. If configured, the
software reports the source IP
address that you specify with
this property as varbind within
the event.

2. To enable the properties, delete the initial number sign (#) at the beginning of each
line.
3. To specify an appropriate IP address for each property, replace the given value after
the equal sign (=).
4. Use these commands to restart the Ensemble Controller Server:
a. StopServer.bat
b. StartServer.bat
For more information about how to stop and restart the Ensemble Controller Server
according to your operating system, see the relevant topic:
l Stopping the Ensemble Controller Server
l Starting the Ensemble Controller Server

Script or Command-based Operations

This chapter discusses operations that require scripts or commands to be configured in
Ensemble Controller.

Enabling IPv6 289

Setting the Server Time Zone 289
Setting the Shared Buffer Size 291
Using Customer Certificates 292
Adapting the jms.properties File to the New Password 295
Adapting the Ensemble Controller Server to the New Password 296
Keystore and Private Key Password Encryption 296
Updating the Keystore and Defining a New Passphrase 298
Changing the Maximum User Processes Property in Linux 300
Creating Configuration File Templates for Ethernet Devices 300

Ensemble Controller R15.2 Administrator Manual - Issue: A 288

Adtran Configuring Ensemble Controller

Enabling IPv6
For IPv6 to be used with respect to Ensemble Controller (ENC), you must specify an IP
alias according to the operating system (OS):
l For Windows, specify the IP alias in c:\Windows\System32\drivers\etc\hosts.
l For Linux, specify the IP alias in /etc/hosts.

Upon next login to the Ensemble Controller Client, you must use the defined alias (not
IPv6 in numeric format).

When connecting to a remote Ensemble Controller Server (not the one installed locally),
you must specify the aliases on both, the Ensemble Controller Server system and the
system where the Ensemble Controller Client is located.

However, if you use a real IPv6 environment with a domain name system (DNS), then any
configuration of the network is done automatically and there is no need to set aliases
manually to be able to use IPv6.

Setting the Server Time Zone

Complete these steps to set a time zone for the Ensemble Controller Server (ENC Server).
This can be useful if the server is located in a different time zone than the clients to which
it is connected or if the operating system where the Server runs, displays an undesirable
time zone name. After you set a time zone, the Ensemble Controller Server ignores the
time zone settings of its operating system.

You can also set time zones for the Ensemble Controller Clients. For information about
how to set Ensemble Controller Client time zones, see Setting the Client Time Zone.

See the appropriate topic for your operating system:

In a Windows Operating System 289

In a Linux Operating System 290

In a Windows Operating System

1. Stop the Ensemble Controller Server.
2. Navigate to the fspnm.vmoptions file located in:
ENC Installation Directory/fspnm.vmoptions

Ensemble Controller R15.2 Administrator Manual - Issue: A 289

Adtran Configuring Ensemble Controller

3. Add the property -Duser.timezone=<time zone> as indicated in this example:

4. Make sure that you write the <time zone> string exactly as given in the Ensemble
Controller Client Server Preferences Time Zone ID field. Look it up again if
necessary:

5. Save the fspnm.vmoptions file.

6. Double-click the SetVMOptions.bat file located in:
ENC Installation Directory/SetVMOptions.bat
7. Restart the Ensemble Controller Server.

In a Linux Operating System

1. Stop the Ensemble Controller Server.
2. Navigate to the fnm.server file located in: /opt/adva/fsp_nm/bin/fnm.server

Ensemble Controller R15.2 Administrator Manual - Issue: A 290

Adtran Configuring Ensemble Controller

3. Add the property -Duser.timezone=<time zone> as indicated in this example:

$JAVASRV -Xmx6000M -XX:MaxPermSize=192m -
Djava.awt.headless=true -Djava.endorsed.dirs=lib/endorsed -
javaagent:lib/aspectjweaver.jar -
Djavax.net.ssl.keyStore=activemq/conf/client.ks -
Djavax.net.ssl.keyStorePassword=ChgMeNOW -
Djavax.net.ssl.trustStore=activemq/conf/client.ts -
Djava.util.logging.config.file=./celtixlogging.properties -
Duser.timezone=UTC
com.adva.nlms.mediation.Launcher >
/opt/adva/fsp_nm/var/log/mediation-start.log 2>&1 &
4. Make sure that you write the <time zone> string exactly as given in the Ensemble
Controller Client Server Preferences Time Zone ID field. Look it up again if
necessary:

5. Save the fnm.server file.

6. Restart the Ensemble Controller Server.

Setting the Shared Buffer Size

Use this procedure to change the shared buffer size value:

1. Shutdown FSP Mediation server.

2. Shutdown PostgreSQL database server.
3. Edit this file to set shared buffer:
NM Installation Directory/postgres/data/postgresql.conf
4. Change:
shared_buffers = 3072MB

Ensemble Controller R15.2 Administrator Manual - Issue: A 291

Adtran Configuring Ensemble Controller

5. Change:
effective_cache_size = 3584MB
6. Save the file.
7. Start PostgreSQL database server.
8. Start the FSP Mediation server.

Using Customer Certificates

You can replace an existing certificate with a customer certificate in these three ways.
Ensemble Controller supports the PEM or X.509/DER formats.

Creating a Keystore and a Self-Signed Certificate 292

Generating a Certificate Signing Request and Signing the Certificate
Externally 293
Creating the Key, Signing it Externally, and Bundling it as p12 Container 294

Creating a Keystore and a Self-Signed Certificate

Follow this procedure in order to use a self-signed certificate to identify the Ensemble
Controller (ENC).

1. Stop the Ensemble Controller Server as described in Stopping the Ensemble

Controller Server.
2. Remove the existing ssl-keystore file from the Ensemble Controller installation
directory <InstallLocation>\certs\fnmserver.ks.
3. Create and populate the keystore with a self-signed server certificate by going to the
<InstallLocation>\bin folder in the command line and running either command
according to your operating system:
l For Windows: createKeystore.bat
l For Linux: createKeystore
You will be prompted interactively for this information:
l A password for the keystore
You can use the default password “NeverChange” for the keystore. If you enter
your own password you must modify:
o The activemq\conf\jms.properties file with the new password as described

in Adapting the jms.properties File to the New Password.

–and–

Ensemble Controller R15.2 Administrator Manual - Issue: A 292

Adtran Configuring Ensemble Controller

o The Ensemble Controller Server with the new password as described in

Adapting the Ensemble Controller Server to the New Password.
l Your first and last name.
Important: You should enter the DNS name of the Ensemble Controller Server
here.
l Your organizational unit, such as a department within your company
l Your company/ organization
l A city or locality
l A country code
l A password for the private key, nms-server-key that protects access to the
generated private key. You can use the default password “NeverChange” for the
private key. If you enter your own password you must modify:
o The activemq\conf\jms.properties file with the new password as described

in Adapting the jms.properties File to the New Password. It is required

using the same password for both keystore and privatekey.
–and–
o The Ensemble Controller Server with the new password as described in
Adapting the Ensemble Controller Server to the New Password.
The above information is used to construct the keystore and populate a default
certificate with CN=<DNS name>, OU=<organizational unit>,
O=<company/organization>, L=<city>, ST=<state>, C=<country>.
4. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Generating a Certificate Signing Request and Signing the

Certificate Externally
Complete these steps to generate a certificate signing request (CSR) from the Ensemble
Controller Server (ENC Server) and sign the certificate externally.

1. Stop the Ensemble Controller Server as described in Stopping the Ensemble

Controller Server.
2. Create a keystore as described in Creating a Keystore and a Self-Signed Certificate.
3. Backup the created keystore by using the Ensemble Controller installation directory
<InstallLocation>\certs\fnmserver.ks.
4. Generate a CSR for the nms-server-key by going to the <InstallLocation>\bin
folder in the command line and running this command according to your operating

Ensemble Controller R15.2 Administrator Manual - Issue: A 293

Adtran Configuring Ensemble Controller

system:
l For Windows: generateCSR.bat nms-server-key
l For Linux: generateCSR nms-server-key
5. Send the generated CSR located at <InstallLocation>\certs\nms-server.csr, to the
'Certificate Authority' (CA) for signing.
6. Copy all the certificates to <InstallLocation>\certs.
7. Go to the <InstallLocation>\bin folder in the command prompt.
8. Import the CA root certificate into the Ensemble Controller keystore by using this
command according to your operating system:
l For Windows: importCACertificate.bat ..\certs\rootca.crt nmsserver-root
l For Linux: importCACertificate ..\certs\rootca.crt nms-server-root
9. If necessary, import any intermediate certificates into the Ensemble Controller
keystore by using this command according to your operating system:
l For Windows: importCACertificate.bat ..\certs\intermediate.crt nms-server-imd
l For Linux: importCACertificate ..\certs\ intermediate.crt nms-serveri-imd
10. Repeat Step 9 if you have more intermediate certificates. Import it by using different
alias names: <nms-server-imd1> <nms-server-imd2>.
11. Import the signed certificate by using this command according to your operating
system:
l For Windows: importSignedCertificate.bat <InstallLocation>\certs\nms-
server.crt
l For Linux: importSignedCertificate <InstallLocation>\certs\nms-server.crt

Make sure that an original-created keystore file exists in

certs\fnmserver.ks because you import the signed certificate to the
original keystore.

12. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Creating the Key, Signing it Externally, and Bundling it as

p12 Container
The customer can create a key with his own tools, sign it externally, and then has to
bundle the key and all the certificates (signed certificate, root certificate, intermediate
certificates) as p12 container.

Ensemble Controller R15.2 Administrator Manual - Issue: A 294

Adtran Configuring Ensemble Controller

This procedure provides the steps of importing the key and all certificates from the
container into the keystore.

1. Stop the Ensemble Controller Server as described in Stopping the Ensemble

Controller Server.
2. Copy the p12 container to <InstallLocation>\certs.
3. Remove the existing ssl-keystore file from the Ensemble Controller installation
directory <InstallLocation>\certs\ fnmserver.ks.
4. Go to the <InstallLocation>\bin folder in the command line and run either
command according to your operating system:
l For Windows: importp12conainer.bat ..\certs\nmskey-container.p12
l For Linux: importp12conainer ..\certs\nmskey-container.p12
5. Answer these questions about:
l destination keystore password
l re-entering new password
l source keystore password
You can use the default password “NeverChange” for the keystore. This same
password will be assigned for the key when importing the container. If you enter
your own password you have to modify the activemq\conf\jms.properties file
with the new password as described in Adapting the jms.properties File to the
New Password.
6. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Adapting the jms.properties File to the New

keystorepassword=ChgMeNOW
keystorekeypassword=ChgMeNOW

You can modify these parameters:

Ensemble Controller R15.2 Administrator Manual - Issue: A 295

Adtran Configuring Ensemble Controller

l keystorepassword: The keystore password.

l keystorekeypassword: The private key password.

If you change these parameters, restart the Ensemble Controller Server as described in
Starting the Ensemble Controller Server.

Adapting the Ensemble Controller Server to the

New Password
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble
Controller Server.
2. In the Ensemble Controller certs installation directory, open the sec.properties file.

3. In the sec.properties file, locate these properties:

Properties Description
#javax.net.ssl.keyStorePassword Protects the keystore.
#javax.net.ssl.trustStorePassword
#org.eclipse.jetty.ssl.keypassword Protects the private key.

4. To enable the properties, delete the preceding #, and then edit them as shown in this
example:
javax.net.ssl.keyStorePassword=MyKeystorePassword
javax.net.ssl.trustStorePassword=MyKeystorePassword
org.eclipse.jetty.ssl.keypassword=MyPrivateKeyPassword
5. Save the sec.properties file.
6. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Keystore and Private Key Password Encryption

The passwords that you specify for the keystore and private key have to appear in certain
configuration files for Ensemble Controller (ENC) to access the keystore and private key
at runtime. These passwords can be in plain text or in encrypted form.

Encrypting Passwords or <text> 297

Adapting the jms.properties File to the Newly Encrypted Password 297
Adapting the Ensemble Controller Server to the Newly Encrypted Password 297

Ensemble Controller R15.2 Administrator Manual - Issue: A 296

Adtran Configuring Ensemble Controller

Encrypting Passwords or <text>

1. In the Ensemble Controller bin installation directory, double-click the encrypt_
passphrase file.
2. In the command line, type the passphrase as needed. Ensemble Controller encrypts
the passphrase and displays an output similar to this example:
Encrypted passphrase:AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN
3. In the Ensemble Controller ...\activemq\conf installation directory, jms.properties
file, add the value of the encrypted password you generated in Step 1 to the keystore
or private key property name starting with ?. For example:
l For the keystore:

?keyStorePassword=AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN
l For the private key:
?keystorekeypassword=AV5GHvf92TEx2vr60X7j9rXyFsWP+dqMZhZFKoV6sJ4zBSuU

Adapting the jms.properties File to the Newly Encrypted

Password
The Ensemble Controller ...\activemq\conf installation directory includes the
jms.properties file that you can use to adapt certain settings.
We recommend that you do not change the file settings, except if you must add new
password information.
To define encrypted passwords, the entries in the configuration file must be similar to the
example shown here. The question mark in the beginning of the line characterizes an
encrypted password.

?keyStorePassword=AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN
?keystorekeypassword=AV5GHvf92TEx2vr60X7j9rXyFsWP+dqMZhZFKoV6sJ4zBSuU

You can modify the keystorepassword and keystorekeypassword, which are the variables
with the encrypted password.

If you change these parameters, restart the Ensemble Controller Server as described in
Starting the Ensemble Controller Server.

Adapting the Ensemble Controller Server to the Newly

Encrypted Password
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble
Controller Server.
2. In the Ensemble Controller certs installation directory, open the sec.properties file.

Ensemble Controller R15.2 Administrator Manual - Issue: A 297

Adtran Configuring Ensemble Controller

3. In the sec.properties file, locate these properties:

Properties Description
#javax.net.ssl.keyStorePasswordEncrypted Protects the keystore.
#javax.net.ssl.trustStorePasswordEncrypted
#org.eclipse.jetty.ssl.keypasswordEncrypted Protects the private key.

4. To enable the properties, delete the preceding #, and then paste the encrypted
passphrases as shown in this example:

5. Save the sec.properties file.

6. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Updating the Keystore and Defining a New

Passphrase
Complete these steps to update an existing keystore and change the passphrase either
for the private key or the keystore itself.

Command Definition 298

Procedure to Update the Keystore and Define a New Passphrase for the
Private Key 299
Procedure to Define a New Passphrase for the Keystore 300

Command Definition
This table describes the type of commands included in the steps:

Command Definition Example

<<keytool>> The keytool l For Linux:
command that /opt/adva/share/jre/bin/keytool
comes with l For Windows: C:\Program Files
the installed (x86)\ADVA Optical Networking\FSP
Ensemble Network Manager\jre64\bin\keytool
Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 298

Adtran Configuring Ensemble Controller

Command Definition Example

<<fnmserver_ks_location>> The location of l For Linux: /opt/adva/fsp_
the keystore nm/certs/fnmserver.ks
that Ensemble l For Windows: C:\Program Files
Controller (x86)\ADVA Optical Networking\FSP
uses. Network Manager\certs\fnmserver.ks
<<private_key_alias>> The alias of the nms-server-key
private key
that exists in
the keystore.

Procedure to Update the Keystore and Define a New

Passphrase for the Private Key
1. Find the keystore type and the private key alias in the existing keystore:
<<keytool>> -list -v -keystore <<fnmserver_ks_location>>
The result includes these attributes:
l Keystore type: The type of the current keystore.

l Alias name: The alias of the private key.

2. Decide on the step to follow according to the Keystore type value in the result:
l If the Keystore type is JKS, proceed with Step 3.

l If the Keystore type is PKCS12, you must transform it to JKS because PKCS12
does not support the use of different passphrases to protect the keystore itself
and a private key. For more details, see
https://bugs.openjdk.java.net/browse/JDK-8008292. Complete these substeps:
a. Use this command to transform PKCS12 to JKS:
<<keytool>> -importkeystore -srckeystore <<fnmserver_ks_location>> -
srcstoretype pkcs12 -srcalias <<private_key_alias>> -destkeystore
<<fnmserver_ks_location>> -deststoretype jks

b. Type the passphrase that protects the existing keystore.

A warning message displays that the JKS keystore uses a proprietary
format, and the system backed up the old keystore.
3. Change the passphrase that protects the private key:
<<keytool>> -keypasswd -alias <<private_key_alias>> -keystore <<fnmserver_ks_
location>>

4. Type the passphrase that protects the existing keystore.

5. Type the new passphrase for the private key twice.

Ensemble Controller R15.2 Administrator Manual - Issue: A 299

Adtran Configuring Ensemble Controller

Procedure to Define a New Passphrase for the Keystore

1. Change the passphrase that protects the keystore:
<<keytool>> -storepasswd -keystore <<fnmserver_ks_location>>

2. Type the passphrase that protects the existing keystore.

3. Type the new passphrase twice.

Changing the Maximum User Processes Property

in Linux
You need to ensure that the Ensemble Controller Server, which is installed in a Linux
operating system, has a sufficient number of threads to run all the user processes. To
verify this requirement, you must change the max user processes property to
correspond to the size of network that you manage:

Each user process requires approximately 1 MB of memory in a 64-bit operating system.

In other words, if your physical system memory has sufficient capacity, increase the
maximum user processes value to 8192. Otherwise, calculate a lower value that the
system memory can support.

Creating Configuration File Templates for

Ethernet Devices
To create a template, an expert user modifies an existing text file in the way that it
describes the current configuration of an Ethernet device. The template consists of

Ensemble Controller R15.2 Administrator Manual - Issue: A 300

Adtran Configuring Ensemble Controller

configuration commands and tags that express parameterized attributes on the device.
The tags and attributes are nested and edited by specific syntax rules described in this
section.

For a list of valid template examples, see the Ensemble Controller installation directory
...\Examples\ECM-Templates.

For information about how to use configuration file templates, see the Packet
Management Guide, Managing NE Configuration Files.

Design Objectives 301

Tag Set 301
Rules 312

Design Objectives
The template format is targeted to provide a concrete baseline on top of which the
template creator can have full flexibility to express all available commands, while
enabling to specify coherent representation blocks to allow for sufficient input windows
that constitute a rich GUI-driven Ethernet service manager.

This includes ordering and grouping capabilities, selection for omission of optional
commands and associated fragments of configuration.

The mixture of both the template contents and the input information provided by the
operator can be blended to create a valid output configuration file that can then be
applied to the denoted NE type devices.

The syntax given, addresses all syntax particularities such as multiple level configuration,
nested commands, and multiple argument parameters.

The template creator is provided the means to parameterize the presented forms that
hold the adjustable parts of the NE. Independent naming facilities are in place to allow
for friendly and expressive naming of groupings, subgroupings and individual
parameters.

Furthermore, the template syntax and rules are very similar to XML and any prior XML
knowledge will make it easy to follow and understand the contents easily.

Tag Set
The available tags and attributes for the template syntax are:

Ensemble Controller R15.2 Administrator Manual - Issue: A 301

Adtran Configuring Ensemble Controller

tag1
Description
l attribute

template This is the root tag covering the overall template

structure.

header This is the first tag after the <template> tag and it
wraps up these tags identifying the template:
<neType>, <applyMode>, <version>, <summary>,
<category>, <comment>.

neType The NE type to which this template applies.

Supported values are:
l Multiple values allowed separated by commas.
l ANY indicates NE types not known to the
Ensemble Controller and templates that can be
applied to any NE respectively. To support future
or unknown NE types the contents of this tag are
not necessarily NE types known to the Ensemble
Controller.

applyMode Determines the mode by which the template will be

applied to the NE. Valid values inside this tag are
"Delta" and "Complete".

version A numerical value indicating the version of the

template. For the current release, version 1.3 is
applicable. This tag is required to validate a
template.

summary Short description of template, 200 characters max.

category Specifies template operation. Valid values are:

l Service Provisioning
l Bulk Configuration

1. For service configuration templates, no tag is included to specify the service type. the service type is closely
related to the NE type to which a given template can be applied. So, no further division takes place. However,
templates that configure certain service types, for example, EPL, EVPL for GE201 or GE206) can normally be
created and a hint for this can be given at the template name by the creator if needed.
Ensemble Controller R15.2 Administrator Manual - Issue: A 302
Adtran Configuring Ensemble Controller

tag1
Description
l attribute

comment A string that introduces a comment in the output

configuration file. A comment suppress fragment
commands, appends NE types where the
configuration file applies, and so on. Different
device types have different comment characters. If a
<command> tag is NOT provided in the template
the default '#' character is assumed.

fragment This tag groups NE commands that are outside a

<command> tag.
Defines an associate block. If the specified block is
l block
checked for omission, the grouped commands are
also omitted from the generated output
configuration file, i.e., the grouped commands are
commented out.
This attribute is optional and disabled (set to false)
l resolveGlobalParams
by default. When enabled (set to true), all global
parameters found in the <fragment> tag are
replaced with the parameter value.
Specifies the NE types for which the given code
l neType
fragment is generated. This allows to specify
sections per NE type and thus to handle CLI
differences between products.

command Defines the configurable part of a template. All

adjustable arguments are located inside a
<command> tag.

cli-command This tag is used for all template fragments, which

need to be conveyed to the configuration file
unchanged.

block Located inside the <command> tag, this tag defines

blocks that contain parameters or groups of other
blocks.

tag1
Description
l attribute

Defines the title of the block in GUI form.

l display
Refers to a block from the block attribute of the
l name
param tag and from the blockParent attribute of the
block tag.
Defines the parent block. A block can be nested
l blockParent
inside another. If parent attribute is NOT provided
the block is handled as a Top Level block.
Define the relative order of the container block in
l blockOrder
the form. The lower the attribute value the higher
this block is placed on the form. If omitted,
blockOrder defaults to 1. If more than one block is
found with the same blockOrder value on the same
level, their relative order is as entered on the
template.
Specifies if the whole block can be unchecked or
l blockOptionality
not. If unchecked, all the parameters and blocks
inside the block and associated fragments are
omitted from the output configuration file. If no
blockOptionality attribute is given the default value
is false.
The 'expanded' and 'selected' attributes only find
l expanded
use when the blockOptionality attribute is enabled
(set to true). Then in the GUI, the optional block can
be expanded or collapsed with the

l selected and

icons, and selected or cleared.

param Located inside the <command> tag, it is the core

tag of the template.

tag1
Description
l attribute

Defines the label shown in GUI form for this

l display
parameter.
Defines the name of the variable including these
l name
reserved ‘fnm’ values for special cases:
l fnm.neName - The configured NE name.
l fnm.neIpAddress - The configured NE IP address.
l fnm.serviceEnd - The AID of the entity, which is
the service end (flow or flowpoint). For PWE3
services, this is treated as customer service end.
l fnm.trailServiceEnd - Used with PWE3 services,
this is the end flow on EBP ports.
l fnm.erp.trailServiceEnd - Used with ring services
and specifies the AID of the entity, which is the
service end.

A container block in which this parameter is shown

l block
in GUI form. Blocks group together a number of
parameters or other blocks visually on the form.
Specifies if this parameter is optional. Valid values
l optional
are true or false.
Default value for the parameter.
l default
This attribute specifies from which parameter a
l copyFrom
value will be copied (either from this template, or an
external template) to replace the current
parameter’s value. It can contain the name of a
different parameter, or the same parameter.
Defines the visibility of the parameter, either “local”
l scope
to the containing <command> in this template only,
or “global” and visible throughout this template and
other templates.

tag1
Description
l attribute

With this attribute, a parameter can be “locked”,

l conveyanceType
which means that its value will be the same across
all loaded templates and its modification will only be
possible on the initial template containing the
locked parameter. This attribute is valid only when
the attributes
copyFrom and name have the same value, and the
attribute scope is “global”.
Defines the relative ordering of the corresponding
l paramOrder
parameter inside the block. The lower the attribute
value the higher the parm is placed on the form. If
omitted, parmOrder defaults to 1. If more than one
parm is found with the same parmOrder value on
the same level, their relative order is as entered on
the template.
Specifies the regular expression syntax that the
l regexp
parameter value must use.
For example, an ESA Probe’s name can only contain
letters and numbers for a maximum length of 15
characters. To enforce this, the regular expression
“[a-zA-Z0-9]{1,15}” can be used.

type Located inside a <param> tag, it defines the

parameter type. Valid values are String, Integer,
Enum or Composite.

token Located inside the <param> tag, it provides all the

available values for an Enum type.
Defines the label used to show this token in the
l display
form.
Defines the string used to describe this value in the
l literal
exported configuration file.

tag1
Description
l attribute

Defines the profile that is used to collect database

l function
information and enables creating dynamic
templates. These profile keyword values are
supported with template version 1.3:
l fnm.db.policerProfile
l fnm.db.queueProfile
l fnm.db.aclProfile
l fnm.db.flowPointCpdProfile

These values are supported with template version

1.4:
l fnm.db.prioMapProfile
l fnm.db.priorityRateProfile
l fnm.db.rateProfile

Specifies the NE types for which the token will be

l neType
visible as a choice in the graphical user interface
(GUI) form. This option is mostly used in these cases:
l Adjusting port representation between GE112
versus GE114
l Showing different tag controls depending on the
NE type
l Showing different speeds depending on the NE
type.
l And others ...

default Located inside a <param> tag, it contains a

<function> tag used to populate the default value
for the parameter.
For information about supported keywords, see
Supported <default> Keywords.

tag1
Description
l attribute

validate Located inside a <param> tag, it contains a

<function> tag used to validate the parameter’s
current value.

function Located inside a <default> or <validate> tag, it

defines the operation that dynamically queries the
database or validates the parameter’s value. It
contains zero or more <arg> tags. This attribute is
available with template version 1.4.
The function’s action/operation. Valid values are
l name
nextIndex, uniqueName.
The function target type. Valid values all begin with
l object
fnm.db. and end with one of these: fp, mpFlow,
elineFlow, flow, erp, satop, md, ma, esa. An example
is fnm.db.mpFlow. In template version 1.4, all
objects support only the name nextIndex, but esa
also supports uniqueName.

arg Located inside a <function> tag, it has no attributes.

Its contents can be a String, Integer, or another
parameter using %.

substitution Located inside a <command> tag, it defines the

exact command syntax that will be exported to the
output configuration file; parametrized with the
values selected by the operator for the specified
parameters.
The contents of a <substitution> tag are taken as
one sole command and exported in one line in the
output configuration file.
Only one <substitution> tag allowed per
<command> tag.
Omits the literal part of the substitution tag's
l suppressAllIfParamsAreNull
command if its parameter values are all empty. Valid
values are true and false. Default value is false.

Supported <default> Keywords

The <default> tag supports these keywords:

Return
Name Object Input args Meaning
args
nextIndex fnm.db.fp l slotIndex Integer Next available flow point
index based on the selected
l portIndex
slot or port.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx

Note:
To access FP on LAG use
these values:
l slotIndex=254
l portIndex=lagIndex

nextIndex fnm.db.mpFlow Integer Next available MP flow

index based on the selected
network element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx

nextIndex fnm.db.elineFlow Integer Next available Eline flow

index based on selected
network element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx

Ensemble Controller R15.2 Administrator Manual - Issue: A 309

Adtran Configuring Ensemble Controller

Return
Name Object Input args Meaning
args
nextIndex fnm.db.flow l slotIndex Integer Next available flow index
based on the slot or port
l portIndex
value.
l Range: [1..max]
l Applicable for:
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

Note:
To access Flow on LAG use
these values:
l slotIndex=254
l portIndex=lagIndex

nextIndex fnm.db.erp Integer Next available ERP index

based on the selected
network element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]

nextIndex fnm.db.satop slotIndex Integer Next available SATOP index

based on the slot value
where the PWE card is
located.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]

Ensemble Controller R15.2 Administrator Manual - Issue: A 310

Adtran Configuring Ensemble Controller

Return
Name Object Input args Meaning
args
nextIndex fnm.db.md Integer Next available MD index
based on the selected
network element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

nextIndex fnm.db.ma mdIndex Integer Next available MA NET

index based on the selected
MD index value.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

nextIndex fnm.db.esa slotIndex Integer Next available ESA index

based on the selected slot
index.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

Note:
FSP 150EG-X always has
slotIndex=255, which
means that it is not
exposed in the template.

Ensemble Controller R15.2 Administrator Manual - Issue: A 311

Adtran Configuring Ensemble Controller

Return
Name Object Input args Meaning
args
uniqueName fnm.db.esa esaName Boolean Check if the used ESA name
is unique across the
network element.
l True - CLI generation
can be proceeded
l False - validation
message is shown as
tooltip - Warning: Name
already in use.

Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825
fnm.db.elineFlow serviceName Uniqueness of
fnm.db.elineFlow and
fnm.db.flow
fnm.db.flow is applicable
for FSP 150EG-Mx
where the name of the
service ide5ntifies the
object.

Rules
These rules must be observed to edit a template to a valid format.

1. All elements require a start tag and an end tag.

2. The root tag of a template is <template> embracing its content.
3. Inside the <template> tag can be one <header> and multiple <cli-command>,
<command> and <fragment> tags.
4. The <header> tag is the first tag after the <template> tag.
5. The <header> tag must contain <neType>, <category>, <applyMode>, <version>
and optionally <summary> and <comment>.
6. NE commands must be inside either a <cli-command> or <fragment> tag and are
copied to the output configuration file unchanged.

Ensemble Controller R15.2 Administrator Manual - Issue: A 312

Adtran Configuring Ensemble Controller

7. Each literal NE command must be in a separate line.

8. A <param> tag must be located inside a <command> tag.
9. A <param> tag requires the attributes <display>, <name> and <block>. Other
attributes are optional.
10. A <fragment> tag requires a <block> attribute.
11. A template requires exactly one <neType> tag inside the <header> tag. This
element contains one or more NE types to which this template applies, separated by
commas. Alternatively, the value "ANY" is valid. The case is ignored on those
keywords.
12. All <neType> tags used in a template outside the <header> tag must be consistent
with the <neType> tag defined inside the <header> tag. No new types can be
defined in the <neType> tag outside the <header> tag.
13. Parameters with the same name in the same command cannot have the same
<neType> value defined as indicated in this example, which is invalid then:

14. For reserved parameters, which are the ones starting with "fnm", Rule Step applies as
well for parameters in different commands.
15. A template requires exactly one <category> tag inside of which one of these
categories must be given: Service Provisioning, Bulk Configuration.
16. A template of <category> Bulk Configuration requires the <applyMode> Delta.
17. A template requires exactly one <applyMode> tag.
18. Each template requires the <version> tag specifying the correct version number.
l With the Ensemble Controller release 8.2, the template versions 1.0 and 1.1 have
been supported.
l Ensemble Controller 8.4 additionally supports the template version 1.2.

Ensemble Controller R15.2 Administrator Manual - Issue: A 313

Adtran Configuring Ensemble Controller

l Ensemble Controller 9.1 additionally supports the template version 1.3.

l Ensemble Controller 9.2 additionally supports the template version 1.4.
19. A template can contain at most one <summary> tag.
20. A template summary must be at most 200 characters long.
21. The <neType>, <category>, <applyMode>, <version>, <summary>, <comment>
and <fragment> tags cannot include other tags or exist inside other tags.
22. The <optional> and <blockOptionality> attributes can be assigned the values true
or false.
23. The order-related attributes <blockOrder> and <paramOrder> affect only the
relevant ordering of the different blocks and parameters inside the form. The
ordering in the resulting output configuration file will be dictated by the ordering in
the source template.
24. The <blockOrder> and <paramOrder> attributes can take any value in the natural
numbers domain.
25. When using the <blockParent> attribute, the maximum allowed nesting depth of
blocks is five.
26. The values of the attributes cannot contain the " (double-quote) character.
27. The <name> attribute in the <param> and <block> tags cannot contain the space
character.
28. The <name> attribute of a parameter must be unique inside a command. In the case
of global parameters the name must be unique in the whole document.
29. The reserved <param> names fnm.neName, fnm.neIpAddress, fnm.serviceEnd,
fnm.trailServiceEnd and fnm.erp.trailServiceEnd can exist at most once in a valid
template file.
30. With the <conveyanceType> attribute, a parameter can be “locked”, which means
that its value will be the same across all loaded templates and its modification will
only be possible on the initial template containing the locked parameter. This
attribute is valid only when the attributes <copyFrom> and <name> have the same
value, and the attribute <scope> is “global”.
31. If the <conveyanceType> attribute is not present, the default meaning is "not
locked".
32. The optional <regexp> attribute can only be applied to <param> tags with the
<type> ‘String’ or ‘Integer’. The <regexp> value must be a valid Java regular
expression as defined in
http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.
33. All <param> tags require exactly one <type> tag.

Ensemble Controller R15.2 Administrator Manual - Issue: A 314

Adtran Configuring Ensemble Controller

34. The <type> tag requires one of these options: String, Integer, Enum or Composite.
35. If the <type> tag has the Enum value then the corresponding parameter requires at
least one <token> tag.
36. If the <param> tag is of type Enum, it cannot be locked. That is, the
<conveyanceType> attribute cannot be set to "locked".
37. A <token> tag can only be defined for a <param> tag of type Enum.
38. The <token> tag can contain the <function> attribute. If used, then the <function>
attribute must be the only attribute used by the <token> tag. For bulk configuration,
the <function> attribute is not available.
39. Only one <substitution> tag can exist inside a <command> tag.
40. A <substitution> tag can contain at most one literal command.
41. The content of the <substitution> tag can see a parameter value by concatenating
the % symbol with the value of the <name> attribute (%paramName) of the
associated parameter as this example indicates:
Example: To get the parameter value “admin-state unassigned”, the <substitution>
tag requires this string:
<substitution>admin-state %adminstate</substitution>
By using double underscores surrounding <name> attributes (__%paramName__),
strings can be combined as this example indicates:
Example: To get the parameter value “configure port eth_port-1-2”, the
<substitution> tag requires this string:
<substitution>configure port eth_port-__%lineCard__-__%accPort__</substitution>

The endpoints specified in the template have to match the device

AIDs. For example,
l GE201, GE201se, GE206, and GE206f have AIDs in the format Flow
<shelf Index>-<slot Index>-<port Index>-<flow Index>
l GE206V, XG210, and GE110 have AIDs in the format FLOW-<NE
Index>-<shelf Index>-<slot Index>-<port Index>-<flow Index>

Installing the Docker-Community

Edition Application in Linux
Complete these steps to install the Docker-Community Edition (CE) 20.10 application in a
Linux operating system.

Ensemble Controller R15.2 Administrator Manual - Issue: A 315

Adtran Configuring Ensemble Controller

You need to install the Docker CE 20.10 if you want to use:

l To use the Sync Assurance application, see Installing and Configuring the Sync
Assurance Application in Linux.

The Sync Assurance supports only Docker 20.10.x versions, where x

is 10 or later.

l To use the Ensemble Fiber Director Server, see Installing the Ensemble Fiber
Director Server in Linux.
l To use the Ensemble TAPI Agent, see the TAPI Integration Manual.
l To use the Centralized Control Plane, see Managing the Centralized Control Plane.
l To use a map-tile server, see Installing the Local Geographical Map-Tile Server in
Linux.

You can install the Docker 20.10 on 64-bit Linux system using these versions:
l 7.8, and 7.9
l 8.4, and 8.6

Earlier Docker versions are not supported.

Installing Docker CE
To install Docker CE 20.10 from docker.com, follow these steps:

You need an internet connection to complete this procedure.

1. Follow the instructions to install Docker Engine on RHEL at

https://docs.docker.com/engine/install/rhel/.
Requirements:
l Note that for x86_64 machine architectures, these are supported using the

subsection Install Docker Engine on CentOS, as of the writing of this document.

l Select the Docker CE version as identified . Use the latest available patch release,

for example, 20.10.7.

l Only use the production version. Do not enable the nightly or test repositories.

2. Perform post-installation setup. Follow the instructions at

https://docs.docker.com/engine/install/linux-postinstall/.

Ensemble Controller R15.2 Administrator Manual - Issue: A 316

Adtran Configuring Ensemble Controller

Requirements:
l Do not follow Manage Docker as a non-root user.

l Configure Docker to start on boot. Do not add an HTTP Proxy.

l Do not use a different storage engine.
l It is recommended to configure the default logging driver so that Docker logs
do not cause exhaustion of disk resources.
l If you have more than one network interface, you must configure where the
Docker daemon listens for connections. Specify the IP address of that interface
in consistently with setting in com.adva.fnm.option.serverIP. Use the
docker.service system unit file, except on Linux versions where system is not
available.
l Enable IPv6 on the Docker daemon if this is appropriate for your environment.
l Ensemble Controller requires no Docker DNS configuration, but it may be
configured if appropriate for the customer environment.
l Do not allow access to the remote API through a firewall.
3. Install the Docker Compose utility per instructions at
https://docs.docker.com/compose/install/. We recommend that you follow
instructions to install the Linux Standalone binary and to install Compose as a
standalone binary on Linux systems.
4. Start the Docker Swarm orchestrator using this command:
docker swarm init --advertise-addr <server-IP-address>

Performing Post-Install Configuration

After you install Docker CE, perform the following post-install configuration. The system
automatically creates the docker bridge interfaces docker0 and docker_gwbridge.

Configure these docker bridge interfaces ONLY if the default IP addresses conflict with
the existing networks. See these topics:

docker0 317
docker_gwbridge 318

docker0
Complete these steps to configure the default docker0 bridge in the Docker Engine to
operate with a different subnetwork. This configuration is required ONLY if the docker0-
bridge network (172.17.0.0/16) conflicts with the network-elements network.

Ensemble Controller R15.2 Administrator Manual - Issue: A 317

Adtran Configuring Ensemble Controller

1. Provide the bip option with the applicable subnetwork in the daemon.json file,
located in the /etc/docker/daemon.json directory:
{
"bip": "172.69.0.1/16"
}
If the file is unavailable in this directory, create it.
2. Restart the docker daemon:
systemctl restart docker

docker_gwbridge
Complete these steps to change the default docker_gwbridge address immediately after
you completed the Docker installation procedure Installing the Docker-Community
Edition Application in Linux. No Docker containers should be running. This configuration
is required ONLY if the docker_gwbridge network (172.18.0.0/16) conflicts with the
network-elements network.

The docker_gwbridge interface provides default gateway functionality for all containers
and tasks that use a multi-host swarm-overlay network. Each Docker host creates this
interface when it joins a swarm cluster.

If the IP address of the interface docker_gwbridge conflicts with an address on your

network, you can change it on a host-by-host basis.

This procedure includes these cases:

l 1-Node Cluster
l N-Nodes Cluster [N>1]

Requirement
No containers should be running on the Docker cluster. If containers are running on the
cluster, stop them before you begin this procedure. You can restart them after you
complete the procedure.

1-Node Cluster
These configuration steps apply only for the 1-node cluster:

1. Leave the swarm.

docker swarm leave --force
Node left the swarm.
2. Remove the docker_gwbridge network:
docker network rm docker_gwbridge

Ensemble Controller R15.2 Administrator Manual - Issue: A 318

Adtran Configuring Ensemble Controller

docker_gwbridge
3. Recreate the docker_gwbridge network. Use the applicable network prefix and set
the applicable values. This example uses the 172.69.0.0/16 network:
docker network create \
--subnet 172.69.0.0/16 \
--gateway 172.69.0.1 \
-o com.docker.network.bridge.enable_icc=false \
-o com.docker.network.bridge.name=docker_gwbridge \
docker_gwbridge
4. (Optional) Confirm the settings on the docker_gwbridge network:
docker network inspect docker_gwbridge --format '{{range $k, $v :=
index .IPAM.Config 0}}{{.| printf "%s: %s " $k}}{{end}}'
Gateway: 172.69.0.1 Subnet: 172.69.0.0/16
5. Create the docker swarm cluster:
docker swarm init --advertise-addr <server-IP-address>

N-Nodes Cluster [N>1]

Complete these steps on a host-by-host basis. That is, complete each set of steps on
each node of the cluster. These cases are included:
l Case A: Execute the procedure on a manager node.
l Case B: Execute the procedure on a worker node.

Requirements
Make sure that:
l The host names of the manager nodes are manager1, manager2, manager3, and
so on.
l The host names of the worker nodes are worker1, worker2, worker3, and so on.

Case A
This procedure updates the manager3 node. In this case, you will run some steps from
the manager3 node and some steps from a manager node other than manager3, for
example manager1.

1. Demote the node to a worker, and then leave the cluster:

[manager3] # docker node demote manager3
[manager3] # docker swarm leave
2. Remove the docker_gwbridge network:
[manager3] # docker network rm docker_gwbridge

Ensemble Controller R15.2 Administrator Manual - Issue: A 319

Adtran Configuring Ensemble Controller

3. Recreate the docker_gwbridge network. Use the applicable network prefix and set
the applicable values. This example uses the 172.69.0.0/16 network.
[manager3] # docker network create \
--subnet 172.69.0.0/16 \
--gateway 172.69.0.1 \
-o com.docker.network.bridge.enable_icc=false \
-o com.docker.network.bridge.name=docker_gwbridge \
docker_gwbridge
4. (Optional) Confirm the settings on the docker_gwbridge network:
[manager3] # docker network inspect docker_gwbridge --format '
{{range $k, $v := index .IPAM.Config 0}}{{.| printf "%s: %s " $k}}
{{end}}'
Gateway: 172.69.0.1 Subnet: 172.69.0.0/16
5. From a manager node other than manager3, execute this command to remove the
manager3 node from the cluster:
[manager1] # docker node rm manager3
6. From a manager node other than manager3, execute this command to display the
swarm token. You will use this token later from manager3 to rejoin the cluster:
[manager1] # docker swarm join-token manager
To add a manager to this swarm, run this command:

docker swarm join --token SWMTKN-1-

205uuaqszb06cqkw31wqdbidssv10x8czsgmnlwansargukufs-
dtvlzfnb1uxcjxoffevu7q043 192.168.0.36:2377
7. Rejoin the swarm cluster:
[manager3] # docker swarm join --token SWMTKN-1-
205uuaqszb06cqkw31wqdbidssv10x8czsgmnlwansargukufs-
dtvlzfnb1uxcjxoffevu7q043 192.168.0.36:2377

Case B
This procedure updates the worker3 node. In this case you will run some steps from the
worker3 node and some steps from a manager node, for example manager1.

1. Leave the cluster:

[worker3] # docker swarm leave
2. Remove the docker_gwbridge network:
[worker3] # docker network rm docker_gwbridge
3. Recreate the docker_gwbridge network. Use the applicable network prefix and set
the applicable values. This example uses the 172.69.0.0/16 network.
[worker3] # docker network create \
--subnet 172.69.0.0/16 \
--gateway 172.69.0.1 \

Ensemble Controller R15.2 Administrator Manual - Issue: A 320

Adtran Configuring Ensemble Controller

-o com.docker.network.bridge.enable_icc=false \
-o com.docker.network.bridge.name=docker_gwbridge \
docker_gwbridge
4. (Optional) Confirm the settings on the docker_gwbridge network:
[worker3] # docker network inspect docker_gwbridge --format '
{{range $k, $v := index .IPAM.Config 0}}{{.| printf "%s: %s " $k}}
{{end}}'
Gateway: 172.69.0.1 Subnet: 172.69.0.0/16
5. From a manager node, execute this command to remove the worker3 node from the
cluster:
[manager1] # docker node rm worker3
6. From a manager node, execute this command to display the swarm token that that
you will use later from worker3 to rejoin the cluster:
[manager1] # docker swarm join-token worker
To add a worker to this swarm, run the following command:

docker swarm join --token SWMTKN-1-

205uuaqszb06cqkw31wqdbidssv10x8czsgmnlwansargukufs-
560zpu65edtr55xl696cy61qk 192.168.0.36:2377
7. Rejoin the swarm cluster:
[worker3] # docker swarm join --token SWMTKN-1-
205uuaqszb06cqkw31wqdbidssv10x8czsgmnlwansargukufs-
560zpu65edtr55xl696cy61qk 192.168.0.36:2377

Upgrading from Docker CE 18.09 to Docker CE

20.10
If you use Docker CE 18.09 with earlier versions of Ensemble Controller software, follow
these steps to upgrade the system to a newer version of Ensemble Controller and Docker
CE 20.10:

1. Perform an application database backup (for example, for EFD and Sync Assurance
applications).
2. Stop all containerized applications. See Stopping All Containerized Applications.
3. Stop Docker daemon. See Stopping the Docker Daemon.
4. Uninstall Docker 18.09. See Uninstalling Docker 18.09.
5. Upgrade your Linux operating system to one supported by Docker 20.
6. Install Docker 20.10. See Installing Docker CE.
7. Optional: Upgrade your Ensemble Controller installation.

Ensemble Controller R15.2 Administrator Manual - Issue: A 321

Adtran Configuring Ensemble Controller

8. Optional: Upgrade or re-install your optional Ensemble Controller applications on

Docker 20.10.
9. Restore your application databases.
10. Start all containerized applications. See Starting all Containerized Applications.

Stopping All Containerized Applications

For example, to stop all containers related to SyncAssurance, use these commands:

1. # cd /opt/adva/SyncAssurance
2. # ./SyncAssurance-ctl.sh stop

Stopping the Docker Daemon

For example, to stop the docker daemon, use these commands:

1. # systemctl stop docker.service

2. # systemctl disable docker.service

Uninstalling Docker 18.09

To uninstall all Docker rpm packages use the command yum history undo <ID>. <ID>
is the transaction ID of the installation which can be different on each server. To
determine which is the transaction ID of the Docker installation, list all transactions in a
history", and display detailed information about the installation transaction <ID>".

Displaying the History

Use the command # yum history. This is an example to display the transactions where ID
5 is the installation transaction ID.

ID | Command line | Date and time | Action(s) | Altered

-------------------------------------------------------------
--
5 | install -y --setopt=repo | 2021-02-03 12:50 | Install |
12
4 | install bash-completion | 2021-02-03 12:33 | Install | 5
3 | install vim -y | 2021-02-03 12:33 | Install | 4
2 | install tar | 2021-02-03 12:31 | Install | 1
1 | | 2021-02-03 11:17 | Install | 356 EE

Ensemble Controller R15.2 Administrator Manual - Issue: A 322

Adtran Configuring Ensemble Controller

Displaying Detailed Information About Installation Transaction ID

Use the command # yum history info <ID> to verify that the transaction ID is related to
the installation of docker packages.

For the example of installation transaction ID=5, use the command # yum history info 5
to display this:

Transaction ID : 5
...
Packages Altered:
...
Install docker-ce-3:18.09.1-3.el7.x86_64 @@commandline
Install docker-ce-cli-1:18.09.1-3.el7.x86_64 @@commandline

Uninstalling all Docker packages

Use the command # yum history -y undo <ID> to uninstall all Docker packages.

For the example of installation transaction ID=5, enter command # yum history -y undo
5.

After you uninstall the Docker packages, the system stores all data in docker volumes.
After the installation of the new Docker version, the data is available again. Enter the
command # ls -la /var/lib/docker/volumes/ to access the data.

Starting all Containerized Applications

You must start all containerized applications that you stopped in Stopping All
Containerized Applications.

For example, to start SyncAssurance containers, use these commands:

1. # cd /opt/adva/SyncAssurance
2. # ./deploy.sh ...

Configuring Docker for IPv6 Management

Setup and configure Docker and swarm to work with IPv6 network as described on this
website: https://github.com/robbertkl/docker-ipv6nat

This configuration allows IPv6 connectivity to components outside swarm, and yet keep
the containers within swarm overlay network to enjoy all the benefits of swarm.

Ensemble Controller R15.2 Administrator Manual - Issue: A 323

Adtran Configuring Ensemble Controller

The connectivity between docker, swarm and Ensemble Controller server must be over
IPv4.

Configuring Sync Assurance and the

Ensemble Fiber Director Server
Installing the Map Library in Linux 324
Installing and Configuring the Sync Assurance Application in Linux 326
Installing the Ensemble Fiber Director Server in Linux 349
Installing the Ensemble Fiber Editor 351
Installing the Local Geographical Map-Tile Server in Linux 352
Ensemble Fiber Director Mobile Application 355

Installing the Map Library in Linux

Complete these steps to install the map library in a Linux operating system.

To install the map library, use the applicable information as follows:

l To use the Sync Assurance application, see Installing and Configuring the Sync
Assurance Application in Linux.
l To use the Ensemble Fiber Director Server, see Installing the Ensemble Fiber
Director Server in Linux.
l To use the Ensemble TAPI Agent, see the TAPI Integration Manual.
l To use a map-tile server, see Installing the Local Geographical Map-Tile Server in
Linux.

Requirement to Install the Map Library

The map library supports these Red Hat Enterprise Linux and CentOS operating system
versions:
l 7.8, and 7.9
l 8.4, and 8.6

Ensemble Controller R15.2 Administrator Manual - Issue: A 324

Adtran Configuring Ensemble Controller

Procedure to Install the Map Library

See one of these sections according to the Ensemble Controller version, and then
complete the steps to install the map library:

Version 14.1 or Earlier

1. From the Ensemble Controller installation CD, copy the TAR file appropriate for your
Ensemble Controller version to a temporary directory:

Ensemble Controller
TAR File
Version
Up to 12.3. fiber-map-sys-libs-[...].tar
13.1 to 14.1 linux_client_lib_bundle-v[x.x.x].tar

2. Change the working directory to the one that you just created and unpack it, for
example:
tar -xf linux_client_lib_bundle-v[x.x.x].tar
3. As a super-user, run the install.sh installation script, for example:
sudo ./install.sh
4. At the prompt, type y to start the installation process.
5. After a successful installation, you can remove the temporary directory.
6. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Version 14.2 or Later

1. As a super-user, install the RPM file:
sudo yum install <rpm_name>.
Where <rpm_name> is a name from the list: libX11, libX11-common, libXau, libxcb,
libXext, libXScrnSaver, nspr, nss-softokn-freebl, nss-util.
2. At the prompt, type y to start the installation process.
3. Repeat these steps for all nine RPM files listed in step 1.
4. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 325

Adtran Configuring Ensemble Controller

Installing and Configuring the Sync Assurance

Application in Linux
Complete this procedure to install a Sync Assurance application in:
l The Linux operating system where you also installed the Ensemble Controller
Server.
–or–
l A different independent Linux system.

The Sync Assurance application does NOT yet support High Availability.
However, if Ensemble Controller uses high availability, you can install the
Sync Assurance application on any of the Ensemble Controller Servers
that the high-availability cluster includes. Also, you must then configure
the Sync Assurance application to communicate with all Ensemble
Controller Servers available in that high-availability cluster, as described
in Connecting the Sync-Assurance Applications with the Ensemble
Controller.

You use the Sync Assurance application to provide synchronization monitoring and
assurance for the managed network. It includes these child assurance modules:
l GNSS Assurance: The GNSS module provides monitoring and assurance for GNSS
services. You need a GNSS Assurance service if you want to:
o View historical receivers and its satellites in the GNSS Assurance / Historical

Map window.
o Perform GNSS installation acceptance tests.
o Perform long term analysis to identify or troubleshoot GNSS problems in your
network.
For more information about the GNSS Assurance, see the Synchronization
Management Guide.
l PTP (Time And Phase) Assurance: The TPA module provides monitoring and
assurance for time and phase services. You need a PTP (Time And Phase)
Assurance service if you want to:
o Monitor long term Syncjack test results (TIE data).

o Perform long term quality analysis over historical collected TIE data.
o Perform Online Quality Metrics analysis, and generate TCA alarms if
configured thresholds are crossed.

Ensemble Controller R15.2 Administrator Manual - Issue: A 326

Adtran Configuring Ensemble Controller

For more information about Syncjack testing and PTP Assurance, see the
Synchronization Management Guide.
l SNT (Streaming Network Telemetry): The SNT module is a service that allows
collection and storage of long-term performance monitoring data. It can efficiently
collect near real time PM data from up to 1000 supported OSA devices. The system
collects PM data via streaming telemetry protocol, for example gNMI, and uses API
for PM data analysis. You need the SNT service if you want to use the Timing
Quality Compliance functionality of the Sync Assurance application. For more
information about SNT and Timing Quality Compliance, see the Synchronization
Management Guide.

Requirements to Install the Sync Assurance Application 327

Procedure to Install the Sync Assurance Application 329
Stopping the Sync Assurance Application 332
Starting the Sync Assurance Application 332
Health Check and Database Backup for Sync Assurance Applications 334
Automatic Database Backups 334
Restoring the Database from a Backup File 335
Connecting the Sync-Assurance Applications with the Ensemble Controller 339
Enabling Machine-Learning Based Alarms for GNSS 339
Creating Custom GNSS Scripts 339
Changing the Database Password of the Sync Assurance Applications 348
Configuring Streaming Network Telemetry Service 348

Requirements to Install the Sync Assurance Application

l The Sync Assurance and Ensemble Controller version numbers must be the same,
for example:
o Ensemble_Controller_for_Linux_v11.3.1-B6493.tar

– and –
o SyncAssurance_v11.3.1-B6493.tar.gz

l The Sync Assurance supports these Linux versions:

o 7.8, and 7.9

o 8.4, and 8.6

l You have super-user access.
l The SELinux status must be Permissive that is, SElinux = Permissive.
l You installed Docker CE 20.10.x, where x is 10 or later, on the destination system
and created a Docker swarm. For information about how to install and configure
the Docker CE, see Installing the Docker-Community Edition Application in Linux.

Ensemble Controller R15.2 Administrator Manual - Issue: A 327

Adtran Configuring Ensemble Controller

l
After you install Docker, you must NOT change the firewalld service
status.

CONTAINER ID IMAGE COMMAND CREATED STATUS

5840c1cab368 ...gnss- "/bin/sh -c 'exec 4 minutes Up 4 minutes
collector:... ./…" ago (healthy)
f223043f0538 ...gnss-data- "/bin/sh -c 'exec 4 minutes Up 4 minutes
access:... ./…" ago (healthy)

l The Sync Assurance application uses the TCP port 8093 for network
communication.

You do NOT have to open this TCP port because the Docker
daemon opens it automatically.

l You installed the map library appropriate for your Ensemble Controller version as
described in Installing the Map Library in Linux.
l For PTP Assurance only – you have installed or configured one or more File Servers
to be used by the PTP assurance TIE raw data collection.
o The file servers are used by:

n The Syncjack capable devices, to upload the TIE raw data files, generated

by the configured Syncjack Probes.

n The PTP Assurance application, which collect the raw data files, as part of

the PTP Assurance monitoring process.

o In case you have selected FTP as your preferred protocol to transfer the TIE
raw data files:

Ensemble Controller R15.2 Administrator Manual - Issue: A 328

Adtran Configuring Ensemble Controller

n We recommend using Vsftpd service which It is the default FTP server in

the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux
distributions.
Find more information here: https://security.appspot.com/vsftpd.html
n You must avoid using FTP servers running on Windows platform, and
specifically avoid using FileZilla server.

Procedure to Install the Sync Assurance Application

1. From the Ensemble Controller (ENC) installation medium, copy the SyncAssurance_
vX.X.X-Bxxxx.tar.gz file in the directory /opt/adva.
2. Set the working directory to /opt/adva:
cd /opt/adva/
3. Untar the SyncAssurance_vX.X.X-Bxxxx.tar.gz file:
tar -zxvf SyncAssurance_vX.X.X-Bxxxx.tar.gz
This will create the Sync Assurance directory structure.

4. Set the working directory to /opt/adva/SyncAssurance:

cd /opt/adva/SyncAssurance
5. Only for Sync Assurance 15.2.1 or later- run the enc_token_generate.sh script:
a. Make sure that ENC 15.2 is running.
b. Execute the enc_token_generate.sh script:
./enc_token_generate.sh [<ENC server IP address>]
<ENC server IP address> - optional attribute: IP address of ENC server from
which the token should be acquired. Enter this address if you use Sync
Assurance on a separate server.
c. Verify if the operation was successful:
l Display the list of the secrets:

docker secret ls
l Verify if the synca-enc-http-token secret has been created.
6. Execute the deploy.sh script:
./deploy.sh --enc-ip <ENC primary server IP address> \
[--enc-ip-2 ENC secondary server IP address] \
[--gnss-enable true|false] \
[--gnss-custom-device-enable true|false] \
[--tpa-enable true|false]
[--snt-enable true|false]
a. The <ENC primary server IP address> is the only mandatory parameter
that you must specify. However, if you configure Ensemble Controller in a high
availability configuration, you must specify the IP addresses for both the

Ensemble Controller R15.2 Administrator Manual - Issue: A 329

Adtran Configuring Ensemble Controller

primary and the secondary ENC Server.

l The IP address that you specify for the --enc-ip and eventually
for the --enc-ip-2 parameter cannot be localhost or 127.0.0.1
l The IP address that you specify for the --enc-ip and eventually
for the --enc-ip-2 parameter must be of a network interface
that is reachable from the outside world.

b. The --gnss-enable, --tpa-enable, and --snt-enable parameters specify the

Sync Assurance application stacks that the system is to deploy.

"Stack" is an object containing all the services that an application

contains. We use both terms interchangeably in this manual.

If you do not specify the --<stack-name>-enable parameters, the system

deploys GNSS and PTP (Time And Phase) Assurance applications. If you want to
deploy only one application stack, use only the relevant parameter.
c. If set to true, the --gnss-custom-device-enable parameter deploys an
additional gnss service “gnss_custom-worker” that supports third party GNSS
capable devices.
l This new service requires that gnss stack be present. Set --gnss-enable

true
l The default value is false.

d. If set to true, the --snt-enable parameter deploys an additional “snt” service

that allows the Streaming Network Telemetry PM data collection from
supported Softsync devices. You need to enable snt service to use the Timing
Quality Compliance functionality. The default value is false.
7. Verify that all requested Sync Assurance application stacks are running:
docker stack services <stack-name>
For the <stack-name>, type the relevant stack:
l rproxy (mandatory proxy application)
l gnss
l tpa
l snt
See Table 12 on p. 331 for a possible gnss command output. REPLICAS of all listed
services should be equal x/x, where x>0.

Ensemble Controller R15.2 Administrator Manual - Issue: A 330

Adtran Configuring Ensemble Controller

Command Output Example for a GNSS Service

Table 12: Command Output Example for GNSS Docker Services
ID NAME MODE REPLICAS IMAGE PORTS
1f051giosjun gnss_collector replicated 1/1 adva/gnss-collector:11.3.1-B6493
*:5433-
9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10
>5432/tcp
hxjzft83ypzs gnss_machine-learning replicated 1/1 adva/gnss-machine-learning:11.3.1-B6493
kksqb3omfbj3 gnss_data-access replicated 1/1 adva/gnss-data-access:11.3.1-B6493
o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14
rpw91raq7qid gnss_db-backup replicated 1/1 prodrigestivill/postgres-backup-local:10
z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Ensemble Controller R15.2 Administrator Manual - Issue: A 331

Adtran Configuring Ensemble Controller

Stopping the Sync Assurance Application

Complete these optional steps to stop the Sync Assurance application.

1. Set the working directory to /opt/adva/SyncAssurance:

cd /opt/adva/SyncAssurance
2. Stop the Sync Assurance application:
./SyncAssurance-ctl.sh stop

Starting the Sync Assurance Application

Complete these optional steps to start the Sync Assurance application.

1. Set the working directory to /opt/adva/SyncAssurance:

cd /opt/adva/SyncAssurance
2. Only for Sync Assurance 15.2.1 or later- run the enc_token_generate.sh script:
a. Make sure that ENC 15.2 is running.
b. Execute the enc_token_generate.sh script:
./enc_token_generate.sh [<ENC server IP address>]
<ENC server IP address> - optional attribute: IP address of ENC server from
which the token should be acquired. Enter this address if you use Sync
Assurance on a separate server.
c. Verify if the operation was successful:
l Display the list of the secrets:

docker secret ls
l Verify if the synca-enc-http-token secret has been created.
3. Execute the deploy.sh script:
./deploy.sh --enc-ip <ENC primary server IP address> \
[--enc-ip-2 ENC secondary server IP address] \
[--gnss-enable true|false] \
[--gnss-custom-device-enable true|false] \
[--tpa-enable true|false]
[--snt-enable true|false]
a. The <ENC primary server IP address> is the only mandatory parameter
that you must specify. However, if you configure Ensemble Controller in a high
availability configuration, you must specify the IP addresses for both the
primary and the secondary ENC Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 332

Adtran Configuring Ensemble Controller

b. The --gnss-enable, --tpa-enable, and --snt-enable parameters specify the

Sync Assurance application stacks that the system is to deploy.

"Stack" is an object containing all the services that an application

contains. We use both terms interchangeably in this manual.

If you do not specify the --<stack-name>-enable parameters, the system

true
l The default value is false.

d. If set to true, the --snt-enable parameter deploys an additional “snt” service

that allows the Streaming Network Telemetry PM data collection from
supported Softsync devices. You need to enable snt service to use the Timing
Quality Compliance functionality. The default value is false.
4. Verify that all requested Sync Assurance application stacks are running:
docker stack services <stack-name>
For the <stack-name>, type the relevant stack:
l rproxy (mandatory proxy application)
l gnss
l tpa
l snt
See Table 12 on p. 331 for a possible gnss command output. REPLICAS of all listed
services should be equal x/x, where x>0.

Ensemble Controller R15.2 Administrator Manual - Issue: A 333

Adtran Configuring Ensemble Controller

Health Check and Database Backup for Sync Assurance

Applications
You can generate a health-check report or perform a database backup for each
supported Assurance applications. The required scripts are located in the gnss, tpa, or
snt directories in /opt/adva/SyncAssurance:
l ../gnss/ healthcheck_gnss.sh
l ../tpa/ healthcheck_tpa.sh
l ../snt/ healthcheck_snt.sh

healthcheck_<application Generates the healthcheck_<application name>_

name>.sh YYYY-MM-DD__HH-MM-SS.tar.gz file, which
contains log and configurations files of the
corresponding application, and some basic
information about the system status.
db_backup_<application name>.sh Generates the fnm_sync_pm-<application name>-
YYYY-MM-DD__HH-MM-SS.sql.gz file, which
contains the database-backup file (dump file).

If required, execute the relevant script.

Automatic Database Backups

Sync Assurance provides the db-backup service to periodically generate database
backups for all supported applications: PTP (Time And Phase) Assurance, GNSS, and SNT
in these time frames:
l Daily backup file generated at 01:00 UTC for GNSS.
l Daily backup file generated at 04:00 UTC for PTP (Time And Phase) Assurance.
l Daily backup file generated at 07:00 UTC for SNT.
l For each daily, weekly, and monthly time frame 2 backup files are available, one
related with the current (in progress) day, week, and month and one from the
previous day, week, and month.

The backup files are stored on the server where the Sync Assurance application runs, in
the directory /var/lib/docker/volumes/<application name>_db-backup

The <application name> can be tpa, gnss, or snt.

We strongly recommend that you copy database backup files to an external system.

Ensemble Controller R15.2 Administrator Manual - Issue: A 334

Adtran Configuring Ensemble Controller

Restoring the Database from a Backup File

Complete these steps to revert the database to a previous state from a database-backup
file that you created before.

1. Execute the relevant Docker command according to the application database that
you want to restore:
docker stack services <stack-name>
For the <stack-name>, type gnss, tpa, or snt.
See Table 13 on p. 338 for a possible gnss command output.
2. Note down the REPLICAS numbers for all running services that access the database:
l Any service with a name that ends with “collector”.

l Any service with a name that ends with “data-access”.

l Any service with a name that ends with “db-backup”.
a. Before you start the restore operation, you must stop these services. To stop the
services, execute these Docker commands:
docker service scale <stack-name>_[gnmi_]collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0

If you restore the GNSS database, and you use the optional gnss_
custom-worker service, also note down the REPLICA number of
that service, and then stop it using this command: docker
service scale gnss_custom-worker=0.
If you restore TPA database, also note down the REPLICA number
of tpa_online-qm service, and then stop it using command:
docker service scale tpa_online-qm=0.

b. Execute this Docker command to list the number of the services that still run for
PTP (Time And Phase) Assurance, GNSS, or SNT:
docker stack services <stack-name>
c. Verify that the system stopped the services that have access to the database,
which means REPLICAS = 0/0. See Table 14 on p. 338 for a possible GNSS-stack
command output after the services stopped.
3. Set the working directory to /opt/adva/SyncAssurance/<application name>
4. Execute the db_restore script:
./db_restore_<application name>.sh <backup_file>

Ensemble Controller R15.2 Administrator Manual - Issue: A 335

Adtran Configuring Ensemble Controller

You must run the restore script on the server where the Sync
Assurance application runs.

5. To restart the database service, complete these steps:

a. Execute this Docker command to stop the database service for the relevant
database that you want to restore:
docker service scale <stack-name>_timescaledb=0
b. Execute this Docker command to list the services that run for PTP (Time And
Phase) Assurance, GNSS, or SNT:
docker stack services <stack-name>
c. Verify that the system stopped the relevant database service, which means
REPLICAS = 0/0. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 0/0 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS
coe3ct4t8q20 gnss_timescaledb replicated 0/0 adva/synca-
timescaledb:1.7.3-pg10
l [root@tlv-s-nms-vm02 ~]# docker stack services snt
ID NAME MODE REPLICAS IMAGE PORTS
qqdjq6ow7ibd snt_timescaledb replicated 0/0 adva/synca-
timescaledb:2.9.1-pg14
d. Execute this Docker command to start the database service for the relevant
database that you want to restore:
docker service scale <stack-name>_timescaledb=1
e. Execute this Docker command to list the services that run for PTP (Time And
Phase) Assurance, GNSS, or SNT:
docker stack services <stack-name>
f. Verify that the system restarted the relevant database service, which means
REPLICAS = 1/1. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS

Ensemble Controller R15.2 Administrator Manual - Issue: A 336

Adtran Configuring Ensemble Controller

coe3ct4t8q20 gnss_timescaledb replicated 1/1 adva/synca-

timescaledb:1.7.3-pg10
l [root@tlv-s-nms-vm02 ~]# docker stack services snt
ID NAME MODE REPLICAS IMAGE PORTS
qqdjq6ow7ibd snt_timescaledb replicated 1/1 adva/synca-
timescaledb:2.9.1-pg14

6. Execute these Docker commands to restart the services that you stopped in Step 2
before you restored the database:
docker service scale <stack-name>_[gnmi_]collector=<no of replicas
noted down in step 2>
docker service scale <stack-name>_data-access=<no of replicas noted
down in step 2>
docker service scale <stack-name>_db-backup=<no of replicas noted
down in step 2>
If relevant: docker service scale gnss_custom-worker=<no of replicas
noted down in step 2>
If relevant: docker service scale tpa_online-qm=<no of replicas noted
down in step 2>
7. Verify that the services have access to the started database, which means that the
replica numbers must be equal to the ones noted down in Step 2.
docker stack services <stack-name>
See Table 13 on p. 338 for the command output example.
8. To clear the database backup condition, complete these steps (this step is only
relevant for GNSS and PTP (Time And Phase) Assurance):
a. Set the working directory to /opt/adva/SyncAssurance/<stack-name>
b. Execute the ./db_force_clear_db_backup_permission_<stack-name>.sh
script.
c. Verify that the output is as follows:
db backup permission cleared SUCCESS
If the output looks different, contact Technical Services.

Ensemble Controller R15.2 Administrator Manual - Issue: A 337

Adtran Configuring Ensemble Controller

Command Output Examples for GNSS Service Replicas

Table 13: Command Output Example for GNSS Docker Services – Replicas 1/1
ID NAME MODE REPLICAS IMAGE PORTS
1f051giosjun gnss_collector replicated 1/1 adva/gnss-collector:11.3.1-B6493
9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10 *:5433->5432/tcp
hxjzft83ypzs gnss_machine-learning replicated 1/1 adva/gnss-machine-learning:11.3.1-
B6493
kksqb3omfbj3 gnss_data-access replicated 1/1 adva/gnss-data-access:11.3.1-B6493
o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14
rpw91raq7qid gnss_db-backup replicated 1/1 prodrigestivill/postgres-backup-local:10
z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Table 14: Command Output Example for GNSS Docker Services – Replicas 0/0
ID NAME MODE REPLICAS IMAGE PORTS
1f051giosjun gnss_collector replicated 0/0 adva/gnss-collector:11.3.1-B6493
9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10 *:5433->5432/tcp
hxjzft83ypzs gnss_machine-learning replicated 1/1 adva/gnss-machine-learning:11.3.1-
B6493
kksqb3omfbj3 gnss_data-access replicated 0/0 adva/gnss-data-access:11.3.1-B6493
o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14
rpw91raq7qid gnss_db-backup replicated 0/0 prodrigestivill/postgres-backup-local:10
z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Ensemble Controller R15.2 Administrator Manual - Issue: A 338

Adtran Configuring Ensemble Controller

Connecting the Sync-Assurance Applications with the

Ensemble Controller
In the fnm.properties file, which is located in the Ensemble Controller installation
directory, add the IP address of the server where the Sync Assurance applications run to
this property:
com.adva.nlms.mediation.synchronization.assurance.cluster.host=<SYNCA_
SERVER_IP_ADDRESS>

If the Ensemble Controller and the Sync Assurance application run on the same system,
then the <SYNCA_SERVER_IP_ADDRESS> can be localhost.

For general information about how to edit the fnm.properties file, see Editing the
fnm.properties File.

Enabling Machine-Learning Based Alarms for GNSS

In the fnm.properties file, which is located in the Ensemble Controller installation
directory, set this property to true:
com.adva.nlms.mediation.synchronization.gnss.assurance.machine.learnin
g.alarms.enabled

For general information about how to edit the fnm.properties file, see Editing the
fnm.properties File.

This property specifies whether Ensemble Controller can raise and clear GNSS machine-
learning (ML) alarms that the GNSS Assurance ML service produces. By default, this
property is disabled (set to false).

If you set the property to false:

l Ensemble Controller cannot raise ML alarms.
l After the Ensemble Controller Server starts, the system clears all previously raised
ML alarms.

Creating Custom GNSS Scripts

The GNSS Assurance application requires custom scripts to monitor the third-party
custom GNSS devices after you import these devices to your network. This section
describes the required parameters for a valid custom script.

Supported Files and Script Formats 340

System-Provided Custom GNSS Help Files 342

Ensemble Controller R15.2 Administrator Manual - Issue: A 339

Adtran Configuring Ensemble Controller

Custom Script Business Logic 343

Post-Creation Steps 347

Supported Files and Script Formats

Ensemble Controller supports any Linux-executable file or the script formats that are
listed in this table. You define the script format in the first line of the script.

Table 15: Supported File and Script Formats

Script Format File Suffix First Script Line
Python py #!/usr/local/bin/python
pyw #!/usr/local/bin/python3
Unix script sh #!/bin/sh
bash #!/bin/bash
Java source java #! /opt/java/openjdk/bin/java --source 11

You can also use a Java 11 executable JAR file, but you must first convert the JAR file to a
Linux-executable file as described in these steps:

1. Create an executable Java JAR file, for example custom_script.jar, and then copy the
JAR file to a Linux machine.
2. On the target Linux machine, type these commands:
$ echo "#! /opt/java/openjdk/bin/java -jar" > custom_script
$ cat custom_script.jar >> custom_script
$ chmod +x custom_script

If you use one of the script formats described in Table 15 in a text file,
make sure that you save the file in the Unix End Of Line format (LF).
Take special care also if you create or edit the file in a non-Linux
environment. For example, when you edit the script file in Windows,
the system uses the Windows EOL (CR LF) format. However, in Linux
where you execute the script, the system cannot correctly interpret this
Windows format.

This figure shows a Python script example:

Ensemble Controller R15.2 Administrator Manual - Issue: A 340

Adtran Configuring Ensemble Controller

Ensemble Controller R15.2 Administrator Manual - Issue: A 341

Adtran Configuring Ensemble Controller

System-Provided Custom GNSS Help Files

The Sync Assurance server installation (gnss option) includes these custom GNSS help
files located in the /opt/adva/SyncAssurance/gnss/customGnssHelpFiles/
directory:

Ensemble Controller R15.2 Administrator Manual - Issue: A 342

Adtran Configuring Ensemble Controller

Custom GNSS Help Files Description

custom_gnss_device_ssh_ An example CLI-based python script that demonstrates
script.py how to monitor a specific GNSS device. The device uses
an SSH connection that runs CLI commands.
custom_gnss_device_script_ An example JSON result string, which is an example of
result_json.txt the returned python script.
custom_gnss_device_script_ The JSON result schema definition for a successful device
result_json_schema.txt collection.
custom_gnss_device_script_ The JSON result schema definition for a failed device
failure_result_json_ collection.
schema.txt
import_2_custom_gnss_ The Ensemble Controller (ENC) Client uses this example
devices_to_enc.xml XML file to discover and add two custom GNSS devices
to the ENC-managed network. The GNSS Assurance
application monitors those devices.

Custom Script Business Logic

The script that you create must automatically complete these operations when you run it.
Write the code accordingly. The script:

1. Opens a connection, for example, a CLI-based SSH connection, or HTTPS connection

to the custom GNSS device.
2. Uses the associated CLI connection properties and credentials to connect to the
device. The system passes these device parameters to the script processor, using the
process environment variables, and makes the parameters available for the processor
to read from inside the script.
l neIpAddress
l port
l user
l password
l connectTimeout
l readTimeout
3. Executes the relevant commands to obtain the GNSS telemetry data from the device.
4. Parses the returned data, and then translates the data into the JSON string. The JSON
string must conform to this JSON schema definition if successful:

{"$schema":"https://json-schema.org/draft/2019-09/schema",

Ensemble Controller R15.2 Administrator Manual - Issue: A 343

Adtran Configuring Ensemble Controller

"title": "List Of GNSSPortHolderDTO",

"description": "contains a list of GNSS ports, each with its own reported visible
satellites information in a specific time for a managed GNSS capable network
device",
"type":"array",
"items":
{
"description": "contains GNSS port and visible satellites information for a single
GNSS Reciever Port at a specific time for the GNSS Assurance application",
"type":"object",
"properties":{
"portIdentity":{
"type":"object",
"properties":{
"neIpAddress":{"description": "IP Address of the monitored device",
"type":"string"},
"portAid":{"description": "unique identity of the monitored GNSS port in this
device", "type":"string"}
},
"required": [ "neIpAddress", "portAid"]
},
"portData":{
"type":"object",
"properties":{
"adminState":{"type":"integer"},
"agc":{"description": "automatic gain control reported by the port in percentage",
"type":"integer","minimum": 0, "maximum": 100},
"antennaCableLength":{"type":"integer"},
"antennaStatus":{"type":"integer"},
"cnoMask":{"description": "carrier-to-noise density(C/No) mask configured for the
port. satellites with lower C/No are not used by the
reciever","type":"integer","minimum": 0, "maximum": 55},
"coordinateAltitude":{"description": "calculated altitude in meters",
"type":"integer"},
"coordinateLatitude":{"description": "calculated latitude in degrees, minutes,
seconds (DMS) notation. e.g. N32:11:32.23", "type":"string"},
"coordinateLongitude":{"description": "calculated longitude in degrees, minutes,
seconds (DMS) notation. e.g. E034:53:05.29", "type":"string"},
"delayOption":{"type":"integer"},
"delayValue":{"type":"integer"},
"elevationMask":{"type":"integer"},

Ensemble Controller R15.2 Administrator Manual - Issue: A 344

Adtran Configuring Ensemble Controller

"gnssSystem":{"description": "configured constellations for the port. described

via bitmap. bit positions from lsb: gps=0, glonass=1, beidou=2, galileo=3, sbas=4,
qzss=5", "type":"integer"},
"hdop":{"type":"integer"},
"horizontalAccuracy":{"type":"integer"},
"installationType":{"description": "Installation Type of GNSS Antenna. 1=full sky
view, 2= limited sky view", "type":"integer"},
"numTrackingSatellites":{"description": "number of used satellites",
"type":"integer"},
"numVisibleSatellites":{"description": "number of visible satellites",
"type":"integer"},
"operationalState":{"description":"current operational state of the GNSS receiver.
1=normal, 2=outage", "type":"integer"},
"pdop":{"type":"integer"},
"pdopMask":{"type":"integer"},
"ppsGenCondition":{"description": "if number of used satellites drops below this
number the GNSS will not produce PPS output and will be marked as red/Failed",
"type":"integer"},
"ppsGeneratedFlag":{"type":"integer"},
"satMin1Threshold":{"description": "if number of used satellites drops below this
number the GNSS result is suspected to be degraded and will be marked as
yellow/Degraded","type":"integer"},
"satMin2Threshold":{"type":"integer"},
"satellitesUsableFlag":{"type":"integer"},
"secondaryState":{"type":"integer"},
"selfSurveyControl":{"type":"integer"},
"selfSurveyPeriod":{"type":"integer"},
"selfSurveyPositionAccuracy":{"type":"integer"},
"selfSurveyProgress":{"description":"sulf survey progress in percentage",
"type":"integer","minimum": 0, "maximum": 100},
"spoofingLocationDifference":{"type":"integer"},
"spoofingLocationThreshold":{"type":"integer"},
"spoofingPpsDifference":{"type":"integer"},
"spoofingPpsThreshold":{"type":"integer"},
"tdop":{"type":"integer"},
"vdop":{"type":"integer"},
"verticalAccuracy":{"type":"integer"}
},
"required": [ "adminState", "gnssSystem", "elevationMask", "coordinateLatitude",
"coordinateLongitude", "coordinateAltitude", "operationalState",
"numTrackingSatellites", "numVisibleSatellites"]
},
"portVisibleSatellites":{

Ensemble Controller R15.2 Administrator Manual - Issue: A 345

Adtran Configuring Ensemble Controller

"type":"array",
"items":{
"type":"object",
"properties":{"azimuth":{"description": "reproted sattelite azimuth
angle","type":"integer"},
"cno":{"description": "reproted satellite carrier-to-noise density(C/No)",
"type":"integer"},
"elevation":{"description": "reproted satllite elevation angle",
"type":"integer"},
"health":{"description": "reported satellite health: N/A=1, OK=2, WEAK=3, DEAD=4,
NO_DATA_MODULATION=5","type":"integer"},
"inUse":{"description": "is reported satellite used by the reciever for location
and time calculations: true=1, false=2","type":"integer"},
"sv":{"description": "reported satellite id", "type":"integer"},
"svType":{"description": "reproted satellite constellation: gps=1, glonass=2,
beidou=4, galileo=8, sbas=16, qzss=32", "type":"integer"}
},
"required": [ "azimuth", "cno", "elevation", "health", "inUse", "sv", "svType"]
}
}
},
"required": ["portIdentity"]
}
}

The script might encounter a problem and therefore retrieve no results from the
device. If so, the script must then create a JSON string that conforms to this failed
collection JSON schema definition:

{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "GNSS Collection Error",
"description": "contains GNSS collection failure reason",
"type": "object",
"properties":{
"error": {"description": "collection failure reason", "type": "string"}
},
"required": ["error"]
}

5. Writes the JSON result to the standard output. This example shows the generated
JSON string based on the defined JSON schema in Step 4.

Ensemble Controller R15.2 Administrator Manual - Issue: A 346

Adtran Configuring Ensemble Controller

[
{"portIdentity": {
"portAid": "GNSS-1",
"neIpAddress": "192.168.178.210"
},
"portData": {
"adminState": 1,
"gnssSystem": 3,
"elevationMask": 5,
"coordinateLatitude": "N32:11:32.23",
"coordinateLongitude": "E034:53:05.29",
"coordinateAltitude": 107.0,
"operationalState": 1,
"numVisibleSatellites": 18,
"numTrackingSatellites": 18
},
"portVisibleSatellites": [
{"sv": 1, "cno": 46, "health": 2, "azimuth": 315, "elevation": 28, "svType": 1},
{"sv": 3, "cno": 41, "health": 2, "azimuth": 263, "elevation": 16, "svType": 1},
{"sv": 8, "cno": 48, "health": 2, "azimuth": 245, "elevation": 58, "svType": 1},
{"sv": 10, "cno": 45, "health": 2, "azimuth": 53, "elevation": 27, "svType": 1},
{"sv": 11, "cno": 48, "health": 2, "azimuth": 310, "elevation": 55, "svType": 1},
{"sv": 14, "cno": 47, "health": 2, "azimuth": 116, "elevation": 70, "svType": 1},
{"sv": 21, "cno": 45, "health": 2, "azimuth": 113, "elevation": 28, "svType": 1},
{"sv": 22, "cno": 44, "health": 2, "azimuth": 277, "elevation": 35, "svType": 1},
{"sv": 27, "cno": 48, "health": 2, "azimuth": 190, "elevation": 44, "svType": 1},
{"sv": 32, "cno": 52, "health": 2, "azimuth": 63, "elevation": 60, "svType": 1},
{"sv": 40, "cno": 40, "health": 2, "azimuth": 145, "elevation": 47, "svType": 1},
{"sv": 41, "cno": 42, "health": 2, "azimuth": 115, "elevation": 26, "svType": 1},
{"sv": 66, "cno": 52, "health": 2, "azimuth": 15, "elevation": 52, "svType": 2},
{"sv": 67, "cno": 51, "health": 2, "azimuth": 257, "elevation": 59, "svType": 2},
{"sv": 68, "cno": 42, "health": 2, "azimuth": 229, "elevation": 12, "svType": 2},
{"sv": 81, "cno": 50, "health": 2, "azimuth": 120, "elevation": 78, "svType": 2},
{"sv": 82, "cno": 50, "health": 2, "azimuth": 334, "elevation": 45, "svType": 2},
{"sv": 88, "cno": 37, "health": 2, "azimuth": 142, "elevation": 24, "svType": 2}]
}
]

6. Closes the connection to the device.

Post-Creation Steps
After you create the valid custom script according to the described Custom Script
Business Logic, add it to the Sync Assurance Settings window as described in the

Ensemble Controller R15.2 Administrator Manual - Issue: A 347

Adtran Configuring Ensemble Controller

Synchronization Management Guide.

Make sure that the relevant communication ports that the script uses,
for example port 22 for SSH, are open for the outgoing connection
from the Sync Assurance server towards the monitored GNSS devices.

Changing the Database Password of the Sync Assurance

Applications
Complete this optional procedure to change the database password of the Sync
Assurance Applications.

1. Set the working directory to /opt/adva/SyncAssurance/<application-name>.

The <application-name> is tpa, gnss, or snt.

2. Execute the db_pw_change_<application-name>.sh script:

./db_pw_change_<application-name>.sh '<new-password>'
Password has to meet the following requirements:
l Enclosed in single quotes.

l Have 1 to 995 characters.

l Can contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Can contain only these special characters: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ /
< > , . ; ? : |.

This script updates the database password and stops all services of the
specific application.

3. To restart all application services, execute the top level deploy.sh script. See
Procedure to Install the Sync Assurance Application.

Configuring Streaming Network Telemetry Service

Configure Streaming Network Telemetry (SNT) service to use TLS/ mTLS secure
connection between SNT stack and devices:

Ensemble Controller R15.2 Administrator Manual - Issue: A 348

Adtran Configuring Ensemble Controller

The mTLS secure connection is currently not supported by OSA

SoftSync devices.

1. Insert these files in /opt/adva/SyncAssurance/snt/ssl/ directory:

l gnmi-collector-client-ca.crt - CA certificate used by gnmi collector client to

verify the authenticity of devices.

l gnmi-collector-client.key - private key used by the gnmi collector client

(required only for mTLS).

l gnmi-collector-client.crt - gnmi collector client certificate (required only for

mTLS).
2. Set the working directory to /opt/adva/SyncAssurance/snt:
cd /opt/adva/SyncAssurance/snt
3. Execute the docker_create_secrets_from_certificate_files.sh script:
./docker_create_secrets_from_certificate_files.sh
The script removes the SNT stack in case it was already deployed. It also removes the
certificate/key files from /opt/adva/SyncAssurance/snt/ssl/ directory after processing
them.
4. To restart all application services, execute the top level deploy.sh script, see
Procedure to Install the Sync Assurance Application.

Installing the Ensemble Fiber Director Server in

Linux
Complete this procedure to install the Ensemble Fiber Director server in a Linux operating
system.

You need the Ensemble Fiber Director server if you want to use the fiber plant
management feature. For more information, see the Ensemble Fiber Director User
Manual.

Requirements to Install the Ensemble Fiber Director Server 349

Procedure to Install the Ensemble Fiber Director Server 351

Requirements to Install the Ensemble Fiber Director

Server
l Only install the Ensemble Fiber Director version that is included in the Ensemble
Controller installation CD. Other versions might not be supported.

Ensemble Controller R15.2 Administrator Manual - Issue: A 349

Adtran Configuring Ensemble Controller

l The minimal supported Ensemble Controller version is 11.1.

l The Ensemble Fiber Director supports these Linux versions:
o 7.8, and 7.9

o 8.4, and 8.6

l You have super-user access.
l The SELinux status must be Permissive that is, SElinux = Permissive.
l You installed Docker CE 20.10 on the destination system and created a Docker
swarm. For information about how to install and configure the Docker CE, see
Installing the Docker-Community Edition Application in Linux.

l
After you install Docker, you must NOT change the firewalld service
status.

If you nevertheless change the firewalld service status, for example, from inactive
to active or the other way around, or you reload the firewall configuration (firewall-
cmd --reload) while active, communication to the Docker services fails.
To recover the firewalld service status, complete these steps:
1. Restart the docker service:
systemctl restart docker.service
2. Verify that the system restarts all containers:
docker container ls
This is an example for a possible command output:
l If you nevertheless change the firewalld service status, for example, from inactive
to active or the other way around, or you reload the firewall configuration (firewall-
cmd --reload) while active, communication to the Docker services fails.
To recover the firewalld service status, complete these steps:
1. Restart the docker service:
systemctl restart docker.service
2. Verify that the system restarts all containers:
docker container ls
This is an example for a possible command output:

CONTAINER ID IMAGE COMMAND CREATED STATUS

600db3b12914 adva/geoserver: "/usr/local/ 4 minutes Up 4 minutes
... tomcat/t…" ago (healthy)
9347b47b410c adva/postgis: ... "docker- 4 minutes Up 4 minutes
entrypoint.s…" ago (healthy)

Ensemble Controller R15.2 Administrator Manual - Issue: A 350

Adtran Configuring Ensemble Controller

l The Ensemble Fiber Director uses these TCP ports:

o TCP ports 10080 and 10443 for the communication between the Ensemble

Controller and the Ensemble Fiber Director server.

o TCP port 25432 for the communication between the Ensemble Fiber Editor
and the Ensemble Fiber Director server.

You do NOT have to open these TCP ports because the Docker
daemon opens them automatically.

l You installed the map library appropriate for your Ensemble Controller version as
described in Installing the Map Library in Linux.

Procedure to Install the Ensemble Fiber Director Server

1. From the Ensemble Controller installation CD, copy the FiberDirector_for_Linux-
vX.X.X.tgz package to a temporary directory and unpack it.
2. Change the working directory to the one that you just created.
3. Only for Red Hat Enterprise Linux 8.x:
a. In the firewalld script, open these ports:
firewall-cmd --zone=public --permanent --add-port=25432/tcp
firewall-cmd --zone=public --permanent --add-port=10080/tcp
firewall-cmd --zone=public --permanent --add-port=10443/tcp
b. Reload the firewalld configuration:
firewall-cmd –-reload

4. Run the install.sh installation script with super-user privileges, for example:
sudo ./install.sh
5. If prompted:
l Type y or yes to run the Ensemble Fiber Director server automatically within this
installation process.
l Type n or no if you want to do additional reconfigurations manually before the
application is started.
6. After successful installation, you can remove the temporary directory.

Installing the Ensemble Fiber Editor

The Ensemble Fiber Editor is used to manage fiber plant data that the Ensemble Fiber
Director uses to visualize it in the Ensemble Controller. It is a user-friendly way to
configure and set up the fiber-optic network infrastructure.

Ensemble Controller R15.2 Administrator Manual - Issue: A 351

Adtran Configuring Ensemble Controller

For information about how to install the Ensemble Fiber Editor, see the Ensemble Fiber
Director User Manual, Installing Ensemble Fiber Editor.

For general information about the related fiber plant management feature, see the
Ensemble Fiber Director User Manual.

Installing the Local Geographical Map-Tile Server

in Linux
If the Ensemble Controller Client does not have an outside world internet connection, the
GNSS applications or the Ensemble Fiber Director server will appear without a
geographical map tile. To overcome this, you can install and run a local intranet-
accessible tile server that your Ensemble Controller Clients can connect to in a Linux
operating system. This procedure describes the steps.

If the Ensemble Controller Client has an internet connection, the Client uses the system-
provided tile server and default settings to display the geographical map tile. If you want
to change to a different tile server than the default, the steps in this procedure also apply.

l For security reasons, https web pages do only load secure https
subresources. For details, see Chrome Security Concern.
l The Ensemble Controller Client supports the tile servers that have an
URL x,y,z format, for example:
http://<ip>/<tiles-name>/{z}/{x}/{y}{r}.png
l If you plan to use a high number of maps, to avoid performance
issues, we recommend that you install the map-tile server on a
different computer that is separate from the computer where you
installed the Ensemble Controller Server.

1. You can obtain the tile server and geographical maps from any provider that
supports the x,y,z format. This table lists some known provider website examples.

Websites Remark
https://openmaptiles.org/docs/ Recommended.

Ensemble Controller R15.2 Administrator Manual - Issue: A 352

Adtran Configuring Ensemble Controller

Websites Remark
Docker Version: https://switch2osm.org/serving-tiles/using-a- Alternative.
docker-container/
https://knowledgebase.hyperlearning.ai/en/articles/centos-7-
open-street-map-tile-server#leaflet
The Ensemble Controller uses a leaflet whose default projection is
EPSG:3857. This is a Spherical Mercator projection coordinate
system that web services such as OpenStreetMap use. EPSG:3857
projection is also known as Google Mercator or Web Mercator.

2. After the download, follow the website instructions to install the tile server.
3. After the installation, open the tile-server installation description. Make a note of the
map-specific information that follows, which you will need in a later step to edit the
fnm.properties file.
l The URLs in x,y,z format.
l The maxZoom value.
l Optional: The license attribution of the geographical map-tile provider
requirements.
4. In the Ensemble Controller installation directory, open the fnm.properties file.
5. In the fnm.properties file, navigate to these tile-server related parameters:

This Tile Server settings section defines the tile servers for the map to provide a
street or a satellite view. Depending on the map that you purchase, you can
configure either parameter or both. If you miss the opportunity to configure a
parameter that your map supports, Ensemble Controller will display a gray
background instead of the relevant map information.
6. Use the information that you noted in Step 4, and then edit the relevant parameter in
the fnm.properties file as follows:
a. Replace the URL included in the TileServerLayer parameter with the URL from
the map that you installed.
b. If your map requires the TileServerAttribution parameter, add the appropriate
value from the map that you installed.

Ensemble Controller R15.2 Administrator Manual - Issue: A 353

Adtran Configuring Ensemble Controller

c. Change the maxZoom value to the appropriate value from the map that you
installed. If the maxZoom value for your map is not available, specify a value of
17 to 20.
7. Save the fnm.properties file.
8. Restart the Ensemble Controller Server as described in Starting the Ensemble
Controller Server.

Chrome Security Concern

For security reasons, a Chrome browser ensures that HTTPS web pages load only secure
HTTPS subresources. By default, the browser blocks mixed pages of insecure HTTP pages
on HTTPS pages.

If you have internet access for the default map tile server, open web server port 443. See
Configuring Server and Client Communication Ports.

If you do not have internet access, but you want to install or already installed a local map-
tile server, the tile server must support HTTPS connections. If your installed map-tile
server does not support HTTPS connections, complete these steps:

1. We recommend that you use the NGINX reverse proxy for the proxy server to
support an HTTPS endpoint on the map-tile server. See
https://documentation.maptiler.com/hc/en-us/articles/360020949718-MapTiler-
Server-behind-Nginx.
This example shows an NGINX configuration to support an HTTPS endpoint:

server {

listen 4650 ssl;

server_name localhost;

ssl_certificate C:/DevProjects/RePro/sslcert/server.crt;
ssl_certificate_key
C:/DevProjects/RePro/sslcert/server.key;

location / {proxy_pass http://localhost:3650;

}
}

2. Create the ssl keystore and ssl certificate. See Using Customer Certificates.

Ensemble Controller R15.2 Administrator Manual - Issue: A 354

Adtran Configuring Ensemble Controller

3. In the fnm.properties file, replace the URL included in the TileServerLayer parameter
with the URL from the map that you installed.

Ensemble Fiber Director Mobile Application

Prerequisites for Running the EFD Mobile Application 355
Installing the EFD Mobile Application 355
Running, Stopping, or Uninstalling the EFD Mobile Application 356

Prerequisites for Running the EFD Mobile Application

Start the docker container for the EFD mobile application from the Linux system.
l You must download Docker. See Installing the Docker-Community Edition
Application in Linux for more information.
l Ports 7443 and 8443 must be open. See "For Red Hat Enterprise Linux 7.x and 8.x"
in Steps to Installing Ensemble Controller in Linux for more information.

Installing the EFD Mobile Application

Before installing you must have the EFD-mobile-vXX.X.X-BXXXX.tgz package. The proper
docker container image and scripts are inside this package.

Certificates are automatically gathered during installation and are stored in the
/opt/adva/certs directory. When using your custom certificates, use this directory and
make sure the certificates are valid. Without proper server.key and server.crt files the
EFD Mobile App will not start.

1. Unzip the EFD-mobile-vXX.X.X-BXXXX.tgz package (tar -zxvf EFD-mobile-v15.2.1-

B0001.tgz).
2. Run the installefd_mobile.sh script (./installefd_mobile.sh).
3. Enter the correct ENC Master Server IP address.
4. Enter the correct ENC Slave Server IP address. If High Availability is not configured,
this could be the same as the Master.
5. After successful installation, the EFD-mobile-app is in the local docker registry and
scripts are in the /opt/adva/efd_mobile directory.

Ensemble Controller R15.2 Administrator Manual - Issue: A 355

Adtran Configuring Ensemble Controller

Running, Stopping, or Uninstalling the EFD Mobile

Application
To run, stop or uninstall the efd-mobile-app, run the proper scripts from the
/opt/adva/efd_mobile directory:
l run.sh
l stop.sh
l uninstallefd_mobile.sh

For example:

./run.sh

To change the ENC Server address, stop the application, edit the docker-stack.yml and
run the EFD mobile app.

The EFD mobile application is available at this link:

https://IP_address_of_server_with_docker_container:7443/efd/login

Consolidating Ensemble Controller

Servers
You can export database content from one Ensemble Controller Server and import it to
another Ensemble Controller Server. This is useful if you want to merge two independent
servers into one.

The steps in these topics apply to both, Windows and Linux systems, unless otherwise
stated.

Terminology 357
Requirements to Consolidate Servers 357
Prerequisite Steps for the Servers 357
Starting the ENC Migration Tool 358
Command Content Description 359
Overview of the Command Sequence 365
Exporting Database Content from the Source Server 366
Importing Database Content to the Destination Server 367
Post-Migration Steps After the Import 370

Ensemble Controller R15.2 Administrator Manual - Issue: A 356

Adtran Configuring Ensemble Controller

Terminology
l The Ensemble Controller Server that you use to export data is the source server.
l The Ensemble Controller Server that you use to import data is the destination
server.

Requirements to Consolidate Servers

l The source and destination servers must have the same software version.
l Verify that both, the source and destination servers are up and running.
l Verify that you have the login credentials available for both, the source and
destination servers.

Prerequisite Steps for the Servers

1. In both, source and destination servers, verify the database consistency as follows:
a. In the Ensemble Controller Client Networks tree pane, right-click the Network
root, and then select Check DB Consistency.
After the system finishes the database verification, the DB Consistency dialog
box appears.
b. In the DB Consistency dialog box, Results area, click Show Details to verify
the list for any error messages.
c. Export the DB consistency results to a file, if required:
i. Click Export.
ii. In the Save As dialog box, select the location and file name.
iii. Click Save.
d. If error messages display, in the tree pane, right-click the Network root, and
then select Fix DB Inconsistency.
e. Wait for this operation to complete.
After the system completes, the DB Consistency dialog box appears.
f. Click Show Details to verify whether the system fixed the errors.
g. If required, repeat the steps to clear remaining errors.
h. Repeat the steps for the other server.
2. Backup the database of both, source and destination servers, as follows:
a. In the Ensemble Controller Settings, select System, and then Immediate
Database Backup.

Ensemble Controller R15.2 Administrator Manual - Issue: A 357

Adtran Configuring Ensemble Controller

b. Repeat this step for the other server.

Starting the ENC Migration Tool

1. Navigate to the Ensemble Controller.../bin installation directory.
2. According to your operating system, run the appropriate script file as administrator:

Operating System Script File

Windows migrateENC.bat
Linux migrateENC.sh

The ENC Migration Tool opens in a command-line shell.

3. Type help, and then press Enter to show a list of supported commands.

These commands are the same for Windows and Linux.

However, Windows does not support the automatic tab-completion functionality.
That is, if you type the starting letters of a command, and then press Tab, the
Migration Tool in Linux automatically expands the command or displays a list of
commands that start with the letters that you typed.
For more information about the commands, see Command Content Description.
4. To continue, see the appropriate topic:
l To export database content, see Exporting Database Content from the Source
Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 358

Adtran Configuring Ensemble Controller

l To import database content, see Importing Database Content to the Destination

Server.

Command Content Description

Each command that the ENC Migration Tool supports, contains a certain set of objects.
The system collects the object information in files and saves them to the Ensemble
Controller.../var/migration installation directory.

Content or Remark or
Command Included Generated File Link to more
Objects information
export-all Export export-all-YYYY_MM_DD-hh_mm_ Contains
report ss.log information
about the
export phases
and results.
Global snmp_properties_global.json The system
SNMP uses these files
properties only for
validation
Global http_properties_global.json purposes. It
HTTP does not use
properties this data for
the import.
Networks subnetwork.json Included
Attributes for
Network ne.json Network
Elements Exports
Links links.json Included
Attributes for
Link Exports
export-network Export export-network-YYYY_MM_DD-hh_ Contains
report mm_ss.log information
about the
export phases
and results.

Ensemble Controller R15.2 Administrator Manual - Issue: A 359

Adtran Configuring Ensemble Controller

Content or Remark or
Command Included Generated File Link to more
Objects information
Global snmp_properties_global.json The system
SNMP uses these files
properties only for
validation
Global http_properties_global.json purposes. It
HTTP does not use
properties this data for
the import.
Networks subnetwork.json Included
Attributes for
Network ne.json Network
Elements Exports
export-links Export export-link-YYYY_MM_DD-hh_mm_ Contains
report ss.log information
about the
export phases
and results.
Links links.json Included
Attributes for
Link Exports
export- Export export-servicetree-YYYY_MM_DD-hh_ Contains
servicetree report mm_ss.log information
about the
export phases
and results.
Service tree servicetree.json Included
groups, Attributes for
subgroups, Service Tree
customer Exports
groups, and
customers

Ensemble Controller R15.2 Administrator Manual - Issue: A 360

Adtran Configuring Ensemble Controller

Content or Remark or
Command Included Generated File Link to more
Objects information
export-tracked- Export export-tracked-services-YYYY_MM_ Contains
services report DD-hh_mm_ss.log information
about the
export phases
and results.
OCS service services/OCS/* Includes all
parameters OCS service
parameters.
ODS service services/ODS/* Includes all
parameters ODS service
parameters.
OCS service services/ocsTrackedServicesData.json
data with
export and
import Included
structure Attributes for
ODS service services/odsTrackedServicesData.json Tracked Service
data with Exports
export and
import
structure
import-network Import import-network-YYYY_MM_DD-hh_ Contains
report mm_ss.log information
about the
import phases
and results.
Networks
Network
Elements
import-links Import import-link-YYYY_MM_DD-hh_mm_ Contains
report ss.log information
about the
import phases
and results.

Ensemble Controller R15.2 Administrator Manual - Issue: A 361

Adtran Configuring Ensemble Controller

Content or Remark or
Command Included Generated File Link to more
Objects information
Links
import- Import import-servicetree-YYYY_MM_DD-hh_ Contains
servicetree report mm_ss.log information
about the
import phases
and results.
Service tree
groups,
subgroups,
customer
groups, and
customers
import-tracked- Import import-tracked-services-YYYY_MM_ Contains
services report DD-hh_mm_ss.log information
about the
import phases
and results.
OCS service
parameters
ODS service
parameters
OCS service
data with
export and
import
structure
ODS service
data with
export and
import
structure

Ensemble Controller R15.2 Administrator Manual - Issue: A 362

Adtran Configuring Ensemble Controller

Included Attributes for Network Exports

If you export networks, the system generates the files subnetwork.json and ne.json that
include these attributes:
l Name and identity.
l Location in the Network tree.
l Graphical position in the Topology Graph master layout. The user layout is not
taken into account.
l Network element identifier name.
l Physical location text.
l Contact person name.
l User text.
l Description text.
l Node-specific SNMP configuration settings.
l Node-specific HTTP configuration settings.
l Ethernet crypto settings.
l Custom fields.
l Centralized Control Plane information.

For unmanaged objects, the files additionally include these attributes:

l Ports
l Cross-connects
l Handover ports

The system does NOT export these network attributes. You must rediscover them after
the import to the destination server:
l Shelves
l Modules
l Resources
l Intra-NE connections
l Traffic engineering links
l Regular actions

Included Attributes for Link Exports

If you export links, the system generates the file links.json that includes these attributes:

Ensemble Controller R15.2 Administrator Manual - Issue: A 363

Adtran Configuring Ensemble Controller

l Starting network element and ending network element.

l Link type.
l Link name.
l Source endpoint name and target endpoint name.
l Link ports.
l Link OSC ports.
l Bandwidth capacity.
l Custom fields.

Included Attributes for Service Tree Exports

If you export the Services tree, the system generates the file servicetree.json and
exports all groups, subgroups, customer groups, and customers with these attributes:
l Names.
l Graphical position in the Topology Graph for groups, subgroups, and customer
groups.
l Customer contact information.
l Custom fields.

Included Attributes for Tracked Service Exports

If you export tracked WDM services, the system generates the files
services/ocsTrackedServicesData.json and services/odsTrackedServicesData.json.
These files let the system export ODS and OCS services with these attributes to import
and rebuild the services with similar parameters on the destination server, for example:
l Location in Services tree that is, relative to the same parent group, subgroup, or
customer.
l Service name.
l Service alternate name.
l Administrative state.
l Customer name.
l Remarks.
l Service type.
l Protection type.
l Service endpoints.

Ensemble Controller R15.2 Administrator Manual - Issue: A 364

Adtran Configuring Ensemble Controller

l Service intermediate points and links.

l Flags: Handover.

Overview of the Command Sequence

This procedure emphasizes the commands in the sequence that you must follow to
export and import Ensemble Controller database content. It is a brief command overview
with links to more information. The Summarized Command Sequence picks up on and
repeats only the commands in the required sequence to present the overall end-to-end
procedure. This section does not cover important information, for example, about
Requirements to Consolidate Servers or Prerequisite Steps for the Servers.

1. To export database content from the source server, in the source server ENC
Migration Tool, type the appropriate command. For information about the
supported commands and their effects, see Command Content Description.
For details about how to export database content, see Exporting Database Content
from the Source Server.
2. To import the database content to the destination server, complete the steps as
follows.
Importing networks or links might be time consuming. It depends on the size of the
imported networks and the server performance. For example, the system might
approximately require up to 2 hours to import an amount of 10,000 network
elements or links.
a. In the destination server ENC Migration Tool, type import-network.
After the import completes, the Ensemble Controller automatically starts the
inventory polling to discover the imported objects.
b. Restart the Ensemble Controller Client.
c. Wait for the inventory polling to finish.
d. After the inventory polling completes, in the destination server ENC Migration
Tool, type import-links.
e. After the script completes the link import, type import-servicetree.
f. After the script completes the service-tree import, type import-tracked-services.
For details about how to import database content, see Importing Database Content
to the Destination Server.
3. To remove the trapsink registration that still originates from the source server, from
the imported network elements in the destination server, in the destination server
ENC Migration Tool, type remove-trapsink.
For details about how to remove the trapsink registration, see Post-Migration Steps
After the Import.

Ensemble Controller R15.2 Administrator Manual - Issue: A 365

Adtran Configuring Ensemble Controller

Summarized Command Sequence

These steps show only the commands in the required sequence to give you a brief
overview of the overall end-to-end procedure. The commands are covered in more detail
in Overview of the Command Sequence.

1. export-all
2. import-network
Before you continue, wait for the discovery phase to fully complete.
3. import-links
4. import-servicetree
5. import-tracked-services
6. remove-trapsink

For the overall migration to be complete, you must successfully perform this command
sequence.

If errors occur for any of the commands, you can restart commands individually. We
recommend that you restart commands pairwise that is, if you need to restart an export
command, also restart the related import command, for example export-links and
import-links.

Exporting Database Content from the Source

Server
The export process is subject to these limitations:
l The system does not export network elements that you remove from the Ensemble
Controller database, or links where you remove the network element endpoints,
while you run the export process.
l The system does not export peer network elements. Peer network elements are
closely related to main network elements in the Ethernet area, and the system can
discover peers only after it discovered the main element. That is, after you export
and import the main element, the system automatically discovers the related peer
element if it exists in the destination server.

1. Make sure that you meet the Requirements to Consolidate Servers.

2. Complete the steps in Prerequisite Steps for the Servers.
3. In the source server, start the ENC Migration Tool as described in Starting the ENC
Migration Tool.

Ensemble Controller R15.2 Administrator Manual - Issue: A 366

Adtran Configuring Ensemble Controller

4. In the command-line shell, type the appropriate export command according to the
objects that you want to export. For information about the commands and the
objects that they can export, see Command Content Description.
5. Confirm the command if prompted.
After the system finishes the export, the ENC Migration Tool shows a corresponding
message. The files that the system generates from the export are saved to the
Ensemble Controller.../var/migration installation directory.
6. To verify any export phases and results, you can view the export LOG file that the
system also saved to the Ensemble Controller.../var/migration installation
directory.
7. If your source server uses the Centralized Control Plane to manage network
elements, you must stop it after the export. Change to the root user and type either
command:
l ni.server stop
–or–
l /opt/adva/fsp_nm_ni/sbin/ni.server stop

8. Proceed with the steps to import the database content that you exported from the
source server, to the destination server as described in Importing Database Content
to the Destination Server.

Importing Database Content to the Destination

Server
Requirements to Import Database Content
The import procedure as follows, assumes that:
l You already exported the relevant database content that you will need for the
import, from the source server as described in Exporting Database Content from
the Source Server.
l You stopped the Centralized Control Plane in the source server if existing as
described in Step 7 in Exporting Database Content from the Source Server.
l You meet the Requirements to Consolidate Servers.
l You completed the steps in Prerequisite Steps for the Servers.

Ensemble Controller R15.2 Administrator Manual - Issue: A 367

Adtran Configuring Ensemble Controller

Procedure to Import Database Content

1. If you import network elements that use HTTPS for the REST protocol such as FSP
3000 C or FSP 150-XG480, in the Overview tab, REST/HTTP Configuration area,
TLS Certificate field, select Accept Any. For details, see the User Manual,
Configuring REST, HTTP, or HTTPS on Network Level.
If you do NOT set this parameter, the destination server cannot discover the network
elements that use HTTPS, and a corresponding message displays in the import LOG
file. The system saves the import LOG file to the Ensemble
Controller.../var/migration installation directory after the import completes.
2. In the destination server, disable link discovery as follows.
This prevents the links that you import, from conflicting with the discovered links in
the destination server. If you do NOT complete these steps to disable link discovery,
the system does not start the import process and a corresponding message with
corrective information displays.
a. From the Ensemble Controller Settings, select Configuration, and then
Network Properties.
b. In the Network Properties window, from the left menu, select Topology &
Links.
c. In the Topology & Links page, clear both options:
l Enable Automatic Discovery of Topology and OL Assignments to Links

l Enable Automatic Discovery of Topology and Port Assignments to Links

(LLDP)
d. Click OK.
3. From the source server .../var/migration installation directory, copy the export
files that the system generated to the destination server in the same
.../var/migration directory.
4. In the destination server, start the ENC Migration Tool as described in Starting the
ENC Migration Tool.
5. According to the command that you used to export objects, in the command-line
shell, type the appropriate import command:
l If you used export-all or export-network, type import-network to first import
the networks and network elements, and then in a later step, you must still
import the links.
l If you used export-links, type import-links.
l If you used export-servicetree, type import-servicetree.
l If you used export-tracked-services, type import-tracked-services.

Ensemble Controller R15.2 Administrator Manual - Issue: A 368

Adtran Configuring Ensemble Controller

Importing networks or links might be time consuming. It depends on the size of the
imported networks and the server performance. For example, the system might
approximately require up to 2 hours to import an amount of 10,000 network
elements or links.
For more information about the commands, see Command Content Description.
For an overview of the command sequence, see Overview of the Command
Sequence.
6. Confirm the command if prompted.
l After you confirm the import command, the system verifies the uniqueness of

identifiers, such as link name, source endpoint, source link port, and so on,
against the content that already exists in the destination server database. The
system updates the database accordingly, and reports any import phases and
results in the LOG file that is saved to the Ensemble
Controller.../var/migration installation directory.
l If you import unmanaged network elements, and the name or IP address match

with a network element that already exists in the destination server, then the
system replaces the unmanaged network element with the one that is already
available, and updates the links between the existing network elements.

l If you import network elements that the Centralized Control Plane managed in
the source server, then the system adds these network elements also to the
Centralized Control Plane in the destination server.
After the import completes, the ENC Migration Tool shows a corresponding
message, and the imported objects show in the destination server Ensemble
Controller Client. The Ensemble Controller automatically starts the inventory polling
to discover the imported network elements and any related objects such as modules,
shelves, ports, and also peers for Ethernet network elements if available. Peer
network elements are closely related to main network elements in the Ethernet area,
and the system can discover peers only after it discovered the main element.
7. Restart the Ensemble Controller Client.
8. You must wait for the inventory polling to finish.
a. Verify the Networks tab tree pane for any network element icons that show as
white boxes. These white boxes indicate that the inventory polling for these
network elements has not finished yet.
b. After all icons recover, you can proceed with the steps in this procedure as
follows.

Ensemble Controller R15.2 Administrator Manual - Issue: A 369

Adtran Configuring Ensemble Controller

9. According to the command that you used in Step 5 to import objects, decide:
l If you used the import-network command, you must still import the links.
Proceed with Step 10.
l If you used these commands, you completed the procedure:
o import-links

o import-servicetree
o import-tracked-services
10. In the ENC Migration Tool, type import-links.
11. Confirm the command if prompted.
The system imports the links as described in Step 6.
After the import completes, the ENC Migration Tool shows a corresponding
message.
The LOG file that the system generates from the import is saved to the Ensemble
Controller.../var/migration installation directory.
12. If required, you can view the import LOG file to verify any import phases and results.
13. Proceed with the post-migration steps that you must complete after you finished the
import of the database content to the destination server. See Post-Migration Steps
After the Import.

Post-Migration Steps After the Import

Complete these steps to finalize the consolidation of two Ensemble Controller Servers.

If you do NOT complete these steps, the network elements that you imported to the
destination server, are managed by both the source and destination servers.

Requirement for the Post-Migration Steps

The steps in the procedure as follows, assume that you already imported database
content to the destination server as described in Importing Database Content to the
Destination Server.

Procedure for the Post-Migration Steps

1. Remove the trapsink registration that still originates from the source server, from the
imported network elements in the destination server.
a. In the destination server, start the ENC Migration Tool as described in Starting
the ENC Migration Tool.
b. In the ENC Migration Tool, type remove-trapsink.

Ensemble Controller R15.2 Administrator Manual - Issue: A 370

Adtran Configuring Ensemble Controller

c. Confirm the command if prompted.

The system removes the source server IP address from all network elements
that you imported. After the system completes to remove all IP addresses, the
ENC Migration Tool shows a corresponding message.
The system automatically adds the destination server IP address to the
imported network element trapsink tables while Ensemble Controller discovers
them.
2. Uninstall the source server as described in Uninstalling Ensemble Controller.

Accessing Management Tools

This section provides details about how to access these management tools to configure
and monitor network elements using Ensemble Controller.

If you use Ensemble Controller in an high-availability configuration, the respective

Ensemble Controller menu items to access the FSP Element Manager, the WEB Manager,
and the CLI client are not available in slave mode.

Command Line Interface 371

WEB Manager 374
Element Manager 388

Command Line Interface

Using a Secure Protocol 371
Using an Insecure Protocol 372
Configuring CLI Launch Commands 372

Using a Secure Protocol

If you use the command line interface (CLI) to access network elements (NEs), Ensemble
Controller (ENC) by default uses a secure protocol provided that:
l You installed a secure shell server, for example CopSSH, which is an
implementation of OpenSSH for Windows. For information about how to install
CopSSH, see Installing CopSSH. CopSSH offers both SSH client and server
functionality, and you can use it to remotely administer Windows systems.
l You specified the path for the secure protocol in the fnm.properties file, as
described in Configuring CLI Launch Commands.

Ensemble Controller R15.2 Administrator Manual - Issue: A 371

Adtran Configuring Ensemble Controller

You can specify the appropriate program to access a secure shell client also in the
application bar user menu > User Settings > Browsers tab > Secure Shell (SSH) Path field.
The settings you specify in the Browsers tab take priority, and the system does no longer
take the settings from the fnm.properties file into account.

Using an Insecure Protocol

You can install the Ensemble Controller Client on a Windows or Linux operating system
(OS). To use an insecure protocol that applies globally, you must:
l Specify the full command line for that client on the Ensemble Controller Server by
editing the fnm.properties file according to your OS.
l Locate the CLI client on the Ensemble Controller Client exactly as specified in the
fnm.properties file.

For information about how to specify the (insecure) client command line on the Ensemble
Controller Server, see Configuring CLI Launch Commands.

You can also determine insecure protocols on network element (NE) level. You specify
the respective NE types that are to use the insecure Telnet CLI in the fnm.properties file
by adding them to the property com.adva.fnm.option.useCLIOverTelnet.

You can specify the appropriate program to access an insecure shell client also in the
application bar user menu > User Settings > Browsers tab > Insecure Shell Path field. The
settings you specify in the Browsers tab take priority, and the system does no longer take
the settings from the fnm.properties file into account.

Configuring CLI Launch Commands

Complete these steps to globally configure launch commands for the secure or insecure
CLI client in the fnm.properties file.

After you complete this procedure, the Browsers window that you can open in the
application bar user menu > User Settings, displays the corresponding command values
specified as predefined values in the respective Secure or Insecure Shell Path field.

1. Shut down the Ensemble Controller (ENC) Server as described in Stopping the
Ensemble Controller Server.
2. Open the fnm.properties file for the relevant Ensemble Controller Server by using a
text editor, for example WordPad. The fnm.properties file is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical
Networking\FSP Network Manager.

Ensemble Controller R15.2 Administrator Manual - Issue: A 372

Adtran Configuring Ensemble Controller

3. In the fnm.properties file, identify the relevant parameter to edit, according to your
operating system (OS), and whether you want to use a secure or insecure protocol:

Protocol CLI Parameters

Type Windows Linux
Secure com.adva.fnm.security.ssh.CL com.adva.fnm.security.ssh.CL
I_WINDOWS I_LINUX

Insecure com.adva.fnm.security.CLI_ com.adva.fnm.security.CLI_

WINDOWS LINUX

4. If the number sign <#> is in front of the parameter, remove it.

5. After the equal sign <=>, enter the relevant command as these examples show:
l Example parameter values for the secure protocol:

o com.adva.fnm.security.ssh.CLI_WINDOWS=C:\\Program Files
(x86)\\PuTTY\\putty.exe
o com.adva.fnm.security.ssh.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/putty
l Example parameter values for the insecure protocol:
o com.adva.fnm.security.CLI_WINDOWS=cmd /K start telnet
o com.adva.fnm.security.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/telnet
For an overview of these parameters maintained in the fnm.properties file, see
Graphical User Interface Options.

To type the path to the application, ALWAYS use slashes “/” even for
Windows commands.

6. Save, and then close the fnm.properties file.

7. Restart the Ensemble Controller server as described in Starting the Ensemble
Controller Server.
8. If the operating system is Windows 10, open Control Panel > Programs and
Features > Turn Windows features on or off.
9. Scroll down, and then select Telnet Client.
10. Click OK.

Ensemble Controller R15.2 Administrator Manual - Issue: A 373

Adtran Configuring Ensemble Controller

WEB Manager
You can use the WEB Manager to access and manage network elements through the web
interface from the Ensemble Controller Client. The WEB Manager opens in the default
web browser or a web browser that you can specify in the application bar user menu >
User Settings > Browsers tab:

To globally specify a web browser, see the fnm.properties file located in the Ensemble
Controller installation directory (C:\Program Files\ADVA Optical Networking\FSP
Network Manager) and edit the property com.adva.fnm.security.browser_<operating
system>. For more information about this property, see Security Options.

See these topics for more details about the WEB Manager:

Single Sign-On Support (SSO) 374

HTTP or HTTPS Communication 384

Single Sign-On Support (SSO)

To seamlessly open the WEB Manager from the Ensemble Controller Client, you can use
the method of SSO.

If you use the method of SSO, you must no longer enter any network element login and
password credentials to open the WEB Manager.

Ensemble Controller supports SSO for those network elements that also have this
support.

Scenarios That Support SSO

For SSO to work, the Ensemble Controller user account and password must be the same
as the network element user account and password. For information about how to create
a user account for Ensemble Controller with the same exact login credentials as the
network element account, see Users Tab.

With this requirement in mind, this table outlines the scenarios that support SSO.

Ensemble Controller R15.2 Administrator Manual - Issue: A 374

Adtran Configuring Ensemble Controller

No. Scenario Description For details, see ...

1. RADIUS- The system always l Establishing a Single Sign-On
defined synchronizes RADIUS-
Connection
accounts defined accounts so that
the network element and l Setting Up RADIUS
Ensemble Controller share Authentication This topic
the same user accounts and provides instructions about how
passwords. to create a RADIUS account for
centralized authentication for
both, Ensemble Controller and
network element.
2. Manual user You must manually Establishing a Single Sign-On
account and synchronize all user Connection
password accounts and passwords so
adaption that they are the same on
both, the network element
and Ensemble Controller
for all users who want to
use SSO.
3. No RADIUS or If you neither use RADIUS Establishing an SSO Connection
TACACS+, and or TACACS+ nor do you Using Fallback Passwords
no manual user manually synchronize user
account or accounts and passwords,
password you can use the fallback-
adaption user password
configuration.
4. Token-based If you use SSO through an Establishing an SSO Connection
authentication ad hoc account, you can Using an Ad-Hoc Local Network
with user use RADIUS and RSA Element Account
account and SecureID. You cannot use
password SSO with a fallback
adaption password as described in
No 3., because passwords
change every minute.

Ensemble Controller R15.2 Administrator Manual - Issue: A 375

Adtran Configuring Ensemble Controller

No. Scenario Description For details, see ...

5. Standard WEB If you cannot meet the User Manual
Manager use requirements for the
scenarios no. 1-3, for
example, user accounts or
passwords do not match or
communication fails,
Ensemble Controller opens
the default login page for
the network element in the
WEB Manager.

Establishing a Single Sign-On Connection

Complete the steps in this section to establish a single sign-on (SSO) connection for:
l Ensemble Controller Server and Client
l Network element
l Communication ports
l Protocols
–and–
l Used interfaces

For a better overview, the required steps are diagrammed in Figure 19.

The information is based on the use cases no. 1 and 2 described in Scenarios That
Support SSO.

Ensemble Controller R15.2 Administrator Manual - Issue: A 376

Adtran Configuring Ensemble Controller

Figure 19: Diagram for the SSO Connection Procedure

1. "Sent SSO action to server"

The Ensemble Controller Client (GUI) sends a request to the Server.
2. "Initial HTTPS communication to NE"
The Ensemble Controller Server sends a "Hello" message to the network element.
3. "Return signed certificate"
The network element returns a signed certificate to the Ensemble Controller Server.
4. "Return Certificate to user for acceptance"
The Ensemble Controller Server sends the certificate to the Client (GUI) for the user
to take further actions.
In the Examine Server Certificate dialog, click the appropriate button:

Button Description
Accept Click to permanently store the certificate on the server. Once
accepted, this certificate is also accepted for all other users in the
system. Ensemble Controller stores the file with the accepted
certificate in the installation directory .../ssocerts according to
your operating system and thus enables SSO support for that network
element.
Accept Click to temporarily store the certificate in the Ensemble
Temporary Controller Client cache. That is, Ensemble Controller removes the
certificate from the server when you close the Ensemble Controller
Client.

Ensemble Controller R15.2 Administrator Manual - Issue: A 377

Adtran Configuring Ensemble Controller

Button Description
Reject Click to disable the SSO support for that network element. Ensemble
Controller does not accept the certificate and thus raises a respective
security event (SSO-SEC: "NE certificate has been rejected by <user
name>"). The event displays in the tab pane, Security tab. The WEB
Manager login page opens.
Cancel Click to stop and to not open the web interface. You can also use X
Close to exit the window.

5. "If certificate accepted open SSO with user and password"

After you select Accept, you start SSO through user and password authentication
towards the Ensemble Controller Server.
6. "Sent login/ pass to NE"
The Ensemble Controller Server sends an HTTPS request to the network element with
password and user name to get a token for the SSO authentication.
Port 443 is used for the communication between the Ensemble Controller Server and
the network element.
7. "Return Authentication Token"
The network element sends a token response to the Ensemble Controller Server.
8. "Return Authentication Token to GUI"
The Ensemble Controller Server sends a token back to the Client.
9. "Send Authentication Token to WEB Browser"
10. "Access NE with Authentication Token"
The Ensemble Controller Client opens the web browser using token authentication
towards the network element without any user or password information. Port 443 is
used for the communication between the web browser and the network element.
For an overview of communication ports used by the Ensemble Controller Server or
Client and network element, see Communication Ports.

Establishing an SSO Connection Using Fallback Passwords

This section is based on the standard single sign-on (SSO) procedure described in
Establishing a Single Sign-On Connection and adds the option of using fallback
passwords if you use the web interface to log into the Network Element Director (NED).

The network element fallback-user password-management tool manages fallback

passwords detailed in Fallback Solution if the Network Element Connection Fails.

Requirements to Use SSO With Fallback Passwords 379

Procedural Description 380

Ensemble Controller R15.2 Administrator Manual - Issue: A 378

Adtran Configuring Ensemble Controller

Requirements to Use SSO With Fallback Passwords

l To use SSO with fallback passwords, in the fnm.properties file, edit these two
properties:
o Set the property com.adva.fnm.option.SSOviaFBP to true.

o Remove the number sign # at the beginning of the property

com.adva.fnm.option.FallbackNEUserID, and then specify the name of
the fallback user that the system uses to log into the network element in the
fallback case.

The fallback user name must be different from the one that you
specify for the SNMP communication to the network element. If
the names are identical, the password setting for the fallback
user will fail.

For information about how to edit properties in the fnm.properties file, see Editing
the fnm.properties File.
l These network elements support SSO with a fallback password if they have the
stated software version:

Required
Network Element Software
Version
FSP 150CC-GE206V
FSP 150-XG210
FSP 150-XG210C
FSP 150-XG116Pro 11.1.1
FSP 150-XG116Pro-H
FSP 150-XG118Pro-SH
FSP 150-XG120Pro
FSP 150-XG120Pro-SH 11.5.1
FSP 3000R7 15.1.2

l You must configure the relevant network elements to use SNMPv3 authentication
and privacy for communication to Ensemble Controller as described in the User
Manual.
l To use SSO with fallback passwords, you need to have the permission SSO NE
Login through Fallback Password. This permission is by default granted only to the

Ensemble Controller R15.2 Administrator Manual - Issue: A 379

Adtran Configuring Ensemble Controller

role of an administrator because the system automatically grants administrative

user rights on the network element.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller (ENC)
Settings, select Security, and then Security Manager.
For more information about user roles and allocated privileges, see Roles and
Allocated Actions.

Procedural Description
This procedure describes how you can establish an SSO connection using fallback
passwords for the Ensemble Controller Server and Client, and network element (NE),
including communication ports, protocols, and used interfaces. For a better overview, the
required steps are diagrammed in Figure 20.

The information is based on the use case no. 3 described in Scenarios That Support SSO.

Figure 20: Diagram of the SSO Connection Procedure Through Fallback Password

1. Steps P1 to P2 are part of the network element fallback password management

procedure. It happens already after network element discovery to establish the
fallback user, which has a one-time password.
2. Steps T1 to T10 are part of the SSO feature.
l Step T1 is triggered later when the user requests the Web Manager option the
first time.

Ensemble Controller R15.2 Administrator Manual - Issue: A 380

Adtran Configuring Ensemble Controller

l With Step T6, the token request is modified to take the user and the one-time
password managed by the network element fallback password procedure
instead of the values for the actual user of the Ensemble Controller Client.
3. If the SSO feature fails, the Web Manager opens the default login page for the
network element in the web browser.

Establishing an SSO Connection Using an Ad-Hoc Local Network

Element Account
This section describes an extension of the standard single sign-on (SSO) procedure
described in Establishing a Single Sign-On Connection.

The extended SSO procedure contributes to log into the Network Element Director (NED)
if you use RADIUS and RSA SecureID. You usually use the web interface to log into the
NED. Whenever you log into the NED, Ensemble Controller uses SNMP to create a special
temporary local ad-hoc user account (AHA).

Requirements to Use SSO With Ad-Hoc Accounts

l To enable SSO with ad-hoc accounts, in the fnm.properties file, set the property
com.adva.fnm.option.SSOviaAHA to true.
For information about how to edit properties in the fnm.properties file, see Editing
the fnm.properties File.
l These network elements support the extended SSO procedure if they have the
stated software version:

Ensemble Controller R15.2 Administrator Manual - Issue: A 381

Adtran Configuring Ensemble Controller

l You must configure the relevant network elements to use SNMPv3 authentication
and privacy for communication to Ensemble Controller as described in the User
Manual.
l You must enable the Single Sign-On 2-Factor flag on the relevant network
elements.
l To use the extended SSO procedure, you need to have the permission SSO NE
Login through Temporary Account. This permission is by default granted only to
the role of an administrator because the system automatically grants
administrative user rights to the ad-hoc accounts that it creates on the network
element.
The administrator sets permissions and corresponding user roles in the Security
Manager. To open the Security Manager, in the Ensemble Controller (ENC)
Settings, select Security, and then Security Manager. For more information about
user roles and allocated privileges, see Roles and Allocated Actions.

Procedural Description
This procedure describes how you can establish an SSO connection using an ad-hoc
account for the Ensemble Controller Server and Client, and the network element (NE),
including communication ports, protocols, and used interfaces. For a better overview, the
required steps are diagrammed in Figure 21.

The information is based on the use case no. 4 described in Scenarios That Support SSO.

Ensemble Controller R15.2 Administrator Manual - Issue: A 382

Adtran Configuring Ensemble Controller

Figure 21: Diagram for the SSO Connection Procedure Through Ad-Hoc Account

1. Ensemble Controller Client to Server: Go to NE through Web Manager action.

The Ensemble Controller user wants to access the NED without another login.
2. Ensemble Controller Server to NE: Configure local user (and password) on NE.
A local user with the same or a similar name as the Ensemble Controller user is
temporarily added to the local user NE database. Ensemble Controller reuses the
original login password, which ensures that it changes all the time. FSP 3000R7 NEs
accept user names in the local database only with 10 characters.
l The system prefixes the Ensemble Controller user name with an underscore, for

example: _encUser. If the name exceeds 10 characters, for

example: EnsembleControllerUser, the system additionally truncates the name
to include 10 characters only, for example: _EnsembleC
l If the system fails to create a user as described, it abandons the SSO login

procedure.
3. NE to Ensemble Controller Server: Local user (and password) confirmed by NE.
4. Ensemble Controller Server to NE: Initial HTTPS communication to NE.
Steps 4 to 7 are only taken place once, upon first contact.
5. NE to Ensemble Controller Server: Return signed certificate.
6. Ensemble Controller Server to Client: Present certificate to the user for acceptance
(options: accept, accept temporary, reject, cancel).
7. Ensemble Controller Client to Server: If certificate is accepted by the Ensemble
Controller user, confirm.

Ensemble Controller R15.2 Administrator Manual - Issue: A 383

Adtran Configuring Ensemble Controller

8. Ensemble Controller Server to NE: Token request: Send local user and password to
NE (with flag: Don’t ask RADIUS!).
A token request with special flag is sent asking to be locally authenticated.
9. NE to Ensemble Controller Server: Return authentication token.
If successful, the token is returned by the NE.
10. Ensemble Controller Server to Client: Return authentication token.
11. Ensemble Controller Client to Web Browser: Send authentication token to Web
Browser.
12. Browser to NE: Access NE with authentication token.
SSO completed. The Ensemble Controller user is logged in to the NE.
The name displayed on the NE is the same as the Ensemble Controller user name.
13. Ensemble Controller Server to NE: Remove local user from NE.
The local NE user account is removed after one hour of inactivity. Additionally, the
encrypted user password is removed from the Ensemble Controller database.
14. NE to Ensemble Controller Server: Local user removal confirmed by NE.

Disabling a Single Sign-On Connection

To permanently disable a single sign-on (SSO) connection, complete these steps.

1. In the fnm.properties file, edit this property:

com.adva.fnm.option.ssoDisabled.device.types
2. At the beginning of the property name, remove the number symbol (#).

3. After the equal sign (=), specify the NE types that you want to disable an SSO
connection for. Use one of these methods:
l Enter NE types separated by a semicolon (;), for example

com.adva.fnm.option.ssoDisabled.device.types=FSP 150-
GE114SH;FSP 150-XG210;FSP 150-XG418.
l For all device types, enter ANY.

For more information about how to edit the fnm.properties file, see Editing the
fnm.properties File.

HTTP or HTTPS Communication

The Ensemble Controller Server can use HTTP or HTTPS to communicate between the
browser opened on the client computer and the web server in the network element.

If no direct IP connectivity exists between the browser and the web server, which means
the Ensemble Controller Server uses two different networks for the clients and the DCN

Ensemble Controller R15.2 Administrator Manual - Issue: A 384

Adtran Configuring Ensemble Controller

without routing in between, you must configure a proxy server for the HTTP or HTTPS
traffic using either of these options:
l Configuring the Ensemble Controller-Internal HTTP Proxy that is installed as a
service automatically during the Ensemble Controller installation process.
–or–
l Configuring a Standard HTTP or HTTPS Proxy Server that has access to both
networks, for example the server that runs the Ensemble Controller Server process.

Configuring the Ensemble Controller-Internal HTTP Proxy

The Ensemble Controller-internal HTTP proxy, which is installed as a service during the
Ensemble Controller installation process, is a standard web-reverse proxy. The system
disables this proxy by default. To enable it, use either of the options described as follows.

If you upgrade your Ensemble Controller, and you require the HTTP
proxy service to run, you must re-enable it.

Editing the Property in the fnm.properties File 385

Configuring the Service in the Services Window 386

Editing the Property in the fnm.properties File

1. In the fnm.properties file, set this property to yes. See Editing the fnm.properties
File.
com.adva.nlms.mediation.server.proxy.startModule

After you set the property to yes, the HTTP proxy service starts or stops automatically
whenever the Ensemble Controller Server starts or stops.

By default the proxy uses the port 9090.

2. If required, you can use this property to change the proxy port:
com.adva.nlms.mediation.server.proxy.port

Ensemble Controller R15.2 Administrator Manual - Issue: A 385

Adtran Configuring Ensemble Controller

Configuring the Service in the Services Window

1. Go to Start > Control Panel > Administrative Tools > Services.
2. In the Services window, right-click ADVA: Http Proxy, and then select one of these
options relevant for your needs:
l Select Start to enable the proxy service only for this one session that is, you

must repeat this step every time you log into Ensemble Controller if you want
the service to run.
–or–
l Select Properties to configure the service to automatically start every time you

log in.
a. In the ADVA: Http Proxy Properties window, Startup type field, select
Automatic.
b. In the Service status field, verify the status. If required, select Start to start
the service. After you start the service, the status changes to Running.
c. Select Apply, and then OK to confirm your settings, or Cancel.

Configuring a Standard HTTP or HTTPS Proxy Server

1. Select the Windows Start icon, for example for Windows 10.
2. To start a search, type proxy.
3. From the search results, select Change proxy settings.

Ensemble Controller R15.2 Administrator Manual - Issue: A 386

Adtran Configuring Ensemble Controller

The Proxy settings window displays:

Consider that the proxy server must be used ONLY to access network
elements.
Therefore, we recommend that you use an automated configuration
script as described in Step 4, in which you can select only networks
with network elements. This guarantees accurate DCN IP networks.
Avoid using the setting options Automatically detect settings or
Manual proxy setup. They could lead to a misconfiguration and thus
to a proxy-server overload.

4. Proceed with one of these configuration methods:

Ensemble Controller R15.2 Administrator Manual - Issue: A 387

Adtran Configuring Ensemble Controller

l Automatic proxy setup

o Select Automatically detect settings to turn this feature on or off. After

you enable it, the system automatically detects proxy settings, which might
not be appropriate in any case.
o (Recommended) Select Use setup script to turn this feature on or off.
After you enable it, you can configure the proxy by means of a proxy auto-
configuration (PAC) script.
The Windows operating system (OS) provides the example PAC script
nmsproxy.pac located in the Ensemble Controller installation directory
C:\Program Files\ADVA Optical Networking\FSP Network
Manager\ws\webapps\proxy\nmsproxy.pac You can use this example
script as basis and adapt it in accordance with your network structure. Enter
the IP address of the Ensemble Controller Server where the proxy is located
including the port and the path to the PAC file. The address format is
http://<ENC Server IP address>:<port>/<PAC file path>
l Manual proxy setup
Select Use a proxy server to turn this feature on or off. After you enable it, edit
these fields:

Field Description or Steps

Address Type the Ensemble Controller Server IP address where the
proxy is located.
Port Type the port that the proxy uses.
Use the proxy Type the IP addresses of the proxy servers that you want to
server except exclude. It is important that you exclude the ones that do not
for addresses contain managed elements to protect the proxy server from
that start with overloading and eventually crashing.
...

5. After you enable one of the configuration methods, disable the other options.
6. Click Save for both configuration options. For each option, you have a separate Save
button.

Element Manager
To open the Element Manager from the Ensemble Controller Client to manage FSP 1500
devices, you must enable the SNMP Forwarder service described as follows. By default,
the SNMP Forwarder service is disabled.

Ensemble Controller R15.2 Administrator Manual - Issue: A 388

Adtran Configuring Ensemble Controller

If you upgrade your Ensemble Controller, and you require the SNMP
Forwarder service to run, you must re-enable it.

Enabling the SNMP Forwarder Service in Windows 389

Enabling the SNMP Forwarder Service in Linux 390

Enabling the SNMP Forwarder Service in Windows

To enable the SNMP Forwarder service in Windows, use either of these options:

Running the Script File 389

Configuring the Service in the Services Window 389

Running the Script File

To start the SNMP Forwarder service, in the Ensemble Controller installation bin directory,
run the StartSnmpForwarder.bat script file.

To stop the service, run the StopSnmpForwarder.bat script file.

Configuring the Service in the Services Window

1. Go to Start > Control Panel > Administrative Tools > Services.
2. In the Services window, right-click ADVA: SNMP Forwarder, and then select one of
these options relevant for your needs:
l Select Start to enable the service only for this one session that is, you must

repeat this step every time you log into Ensemble Controller if you want the
service to run.
–or–
l Select Properties to configure the service to automatically start every time you

log in.
a. In the ADVA: SNMP Forwarder Properties window, Startup type field,
select Automatic.
b. In the Service status field, verify the status. If required, select Start to start
the service. After you start the service, the status changes to Running.
c. Select Apply, and then OK to confirm your settings, or Cancel.

Ensemble Controller R15.2 Administrator Manual - Issue: A 389

Adtran Configuring Ensemble Controller

Enabling the SNMP Forwarder Service in Linux

To start the SNMP Forwarder service, at the command prompt, type:
./snmpforwarder.sh start

Additional Options:
l To stop the service, type:
./snmpforwarder.sh stop
l To verify the SNMP Forwarder status, type:
./snmpforwarder.sh status

Fault Management
This chapter discusses topics that contribute to manage faults and if required correct
malfunctions in the network.

Enabling Logging of Service Affected Alarms in the Ensemble Controller

Database 390
Enabling and Configuring Event Logging to External CSV File 391
Installing the OSA WinSTS Tool 393

Enabling Logging of Service Affected Alarms in

the Ensemble Controller Database
To enable logging of service affected alarms in the Ensemble Controller (ENC) database,
edit the parameter

com.adva.nlms.mediation.event.storeServiceOperStateChangeAlarms

in the fnm.properties file as described in the Editing the fnm.properties File section in the
Administrator Manual. These values are supported:
l yes - service affected alarms are stored in the Ensemble Controller database.
l no - (by default) service affected alarms are not stored in the Ensemble Controller
database.

Ensemble Controller R15.2 Administrator Manual - Issue: A 390

Adtran Configuring Ensemble Controller

Enabling and Configuring Event Logging to

External CSV File
In addition to the Ensemble Controller (ENC) global event database, continuous logging
of events to an external comma separated values (CSV) file can be enabled, sorted by
Ensemble Controller detection time. This makes it possible to export events into other
archiving tools.

If event properties are updated (correlated), a new line is added to the CSV file. The CSV
file is stored in the Ensemble Controller installation directory under var\log. It is created
automatically and named eventlog.csv.

The maximum size for this file can be specified, and when the file reaches this size,
Ensemble Controller creates a backup, eventlog.csv.<n>. It then clears the eventlog.csv
file, and continues logging in it. The number of such backups that Ensemble Controller is
to create before starting to overwrite old backups is configurable as well.

The file log4j2.xml governs whether event logging is done to an external CSV file or not.
Also, properties allow for configuring the way in which the external CSV file is presented.
The xml file is located in the Ensemble Controller installation directory.

Only alter properties in the log4j2.xml file that are described in this
procedure.

1. Navigate to the Ensemble Controller installation directory.

2. Identify the log4j2.xml file and open it with a suitable editor, for example Windows
Notepad.
3. Identify this section in the xml file:

4. Enable or disable logging to the external CSV file:

a. In the '# Ensemble Controller CSV event logger' section, identify the entry
CSVEventLogger.

Ensemble Controller R15.2 Administrator Manual - Issue: A 391

Adtran Configuring Ensemble Controller

b. To enable event logging to the external CSV file, edit that line so it reads as
follows: <Logger name=”CSVEventLogger” level=”on” as suggested in the
header of the new log4j2.xml file.
c. To disable event logging to the external csv file, edit that line so it reads as
follows: <Logger name=”CSVEventLogger” level=”off”
5. If appropriate, in the 'Appenders' section, adapt property values to configure the
external CSV file as required:
a. To set the number of backups and the maximum size of the external CSV file,
identify these properties (in bold below):
<Appender name="csveventlog" type="RollingFile"
fileName="$(logdir)/eventlog.csv"
filePattern="$(logdir)/eventlog.csv.%i"
append="true" >
<Layout type="PatternLayout" pattern="%m" />
<DefaultRolloverStrategy max="10" />
<SizeBasedTriggeringPolicy size="1mb" />
</Appender>

l Type the maximum number of backups after the equal sign (=) of the
property “<DefaultRolloverStrategy max="10" />”.
l Type the maximum size of the external CSV file after the equal sign (=) of
the property “<SizeBasedTriggeringPolicy size="1mb" />”.
b. To apply a time policy, add a <Policies> tag and the respective property tags to
the 'Appender' structure as indicated in this example:
<Appender name="csveventlog" type="RollingFile"
fileName="${logdir}/eventlog.csv"
filePattern="${logdir}/eventlog_%d{yyyy-MM-
dd}.csv.%i" append="true" >
<Layout type="PatternLayout" pattern="%m" />
<DefaultRolloverStrategy max="10" />
<Policies>
<SizeBasedTriggeringPolicy size="1mb" />

Ensemble Controller R15.2 Administrator Manual - Issue: A 392

Adtran Configuring Ensemble Controller

l Type the maximum number of intervals after the equal sign (=) of the
property “<TimeBasedTriggeringPolicy interval="1"/>”.
This value determines how often the file is created (1=every day/month,
2=every second day/month, …).
l To create a new file every day or month, you can adapt the ‘filePattern’
attribute accordingly:
-> per day: filePattern=…{yyyy-MM-dd})
-> per month: filePattern=…{yyyy-MM})

6. Save the file and exit the editor.

Installing the OSA WinSTS Tool

The OSA WinSTS tool is a synchronization analysis tool that is used on Windows
operating systems (OS) to process and analyze long term 'time interval error' (TE TIE) test
results (raw data) exported beforehand.

For information about exporting raw data files, see the Synchronization Management
Guide, Exporting Long-Term Test Results.

Complete these steps to install the OSA WinSTS tool in Windows.

1. Download the WinSTS.zip file from the Customer Portal, and extract it to a folder of
your choice.
2. Double-click the setup.exe file in the WinSTS.net\V<version number>\Install folder.
The WinSts setup wizard displays:

Ensemble Controller R15.2 Administrator Manual - Issue: A 393

Adtran Configuring Ensemble Controller

3. Select Next.
4. The 'Select Installation Folder' wizard page opens:

5. Follow the instructions in this window and click Next.

The 'Confirm Installation' wizard page opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 394

Adtran Configuring Ensemble Controller

6. Click Next to start the installation or Cancel to abort the action.

The 'Installation Complete' wizard page opens:

7. Click Close.
8. You can now view exported WinSTS files as described in the Synchronization
Management Guide, Viewing Exported OSA WinSTS Files.

Ensemble Controller R15.2 Administrator Manual - Issue: A 395

Adtran Maintaining Ensemble Controller

Chapter 4

Maintaining Ensemble
Controller
This chapter describes how to maintain Ensemble Controller.

Adding or Removing Ensemble Controller Features 396

Changing the Database Password 403
Verifying the Ensemble Controller Server by Using the Healthcheck Script 405
Considerations When Replacing FSP 3000R7 Network Elements 406
Locking Client Upgrades or Downgrades 407
Customizing Network Element Icons 407
Updating Ensemble Controller Database Information 408
Upgrading Ensemble Controller 414
Upgrading Sync Assurance in Linux 430
Upgrading Ensemble Fiber Director in Linux 439
Uninstalling Ensemble Controller 439
Uninstalling Linux Applications 444
Uninstalling the Sync Assurance Application 444

Adding or Removing Ensemble

Controller Features
To add or remove Ensemble Controller features, the maintenance mode application is
used.

Ensemble Controller R15.2 Administrator Manual - Issue: A 396

Adtran Maintaining Ensemble Controller

Adding Features to the Ensemble Controller 397

Removing Features from the Ensemble Controller 400

Adding Features to the Ensemble Controller

Complete these steps to add features to the installed Ensemble Controller by means of
the maintenance mode application:

1. In the Ensemble Controller installation directory, Change_Ensemble Controller

folder, start the Change Ensemble Controller.exe file. The Maintenance Mode
window opens:

2. Select Add Features.

Ensemble Controller R15.2 Administrator Manual - Issue: A 397

Adtran Maintaining Ensemble Controller

3. Click Next. The Add Features window opens:

4. Click Next. The Choose Install Set window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 398

Adtran Maintaining Ensemble Controller

Before you select ENC Client without automatic updates, first verify
whether you removed the ENC Client feature. If not, remove it as
described in Removing Features from the Ensemble Controller, and
then resume this procedure. Ensemble Controller supports only either
one of the clients.

5. Select the additional features to install, and then click Install. A status bar and status
messages indicate progress. The installation continues as illustrated:

After the installation completes, the Installation Complete window displays:

Ensemble Controller R15.2 Administrator Manual - Issue: A 399

Adtran Maintaining Ensemble Controller

6. Click Done to complete the procedure.

Removing Features from the Ensemble Controller

Complete these steps to remove features from the installed Ensemble Controller by
means of the maintenance mode application:

1. In the Ensemble Controller installation directory, Change_Ensemble Controller

folder, start the Change Ensemble Controller.exe file. The Maintenance Mode
window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 400

Adtran Maintaining Ensemble Controller

2. Select Remove Features.

3. Click Next. The Remove Features window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 401

Adtran Maintaining Ensemble Controller

4. Click Next. The Choose Product Features window opens:

5. Select the features that you want to remove, and then click Uninstall.
The Ensemble Controller Server automatically shuts down independently from the
selected features. The Post Uninstall Process window appears indicating the
Ensemble Controller service termination:

6. Click OK to continue. A status bar and status messages indicate progress while
uninstalling. After the uninstall procedure completes, the Uninstall Complete

Ensemble Controller R15.2 Administrator Manual - Issue: A 402

Adtran Maintaining Ensemble Controller

window displays. If there are installation remnants that could not be removed by the
uninstall process, they are listed including their location as illustrated:

7. Make note of the installation remnants. Delete the folders and their contents
manually after you finish this procedure.
8. Click Done to complete the procedure.
9. Restart the server as described in Starting the Ensemble Controller Server.

Changing the Database Password

Complete these steps to change the database password for Windows and Linux.

After you complete this procedure, the new password takes immediate effect that is,
server and database will communicate using the new password from the moment that
the password change completes and the server restarts.

1. Depending on your operating system, navigate to either of these script files located
in the bin folder of the respective Ensemble Controller installation directory:
l In Windows, double-click the nmsadmin.bat file.

l In Linux, type ./nmsadmin.sh in the command line.

Ensemble Controller R15.2 Administrator Manual - Issue: A 403

Adtran Maintaining Ensemble Controller

The nmsadmin script file opens:

With each command that you type, press ENTER to activate the
command.

2. Type Y to select Change Database Password:

Enter letter and press enter:

Y
DB password change
Database running
Password file not found
Initiating default authentication...
User adva authenticated with default password
Please enter new database password (attempt 1 of 4):

l If you change the password for the first time, you are asked to enter only the
new password.
l If you change the password again, you are asked to enter the current, and then
the new password:

Please enter current database password (attempt 1 of 4):

Password valid for user adva
Please enter new database password (attempt 1 of 4):

Ensemble Controller R15.2 Administrator Manual - Issue: A 404

Adtran Maintaining Ensemble Controller

Please enter it again:

3. Type the new password when prompted, and then repeat it.
The password must contain a minimum of 8 characters to be valid. This password
rule is specified by default in the server preferences. If required, you can change it as
appropriate. For information about how to change password characteristics and
other security-related parameters, see Editing Security Parameters.
l If the repeated password does not match or is invalid, you can repeat it three

more times as indicated in brackets. If you exceeded the allowed attempts,

follow the instructions to restart the procedure.
l When the system declares the entered new password valid, the password
change action completes by restarting the server:

Security properties loaded from db

New password is valid
Password updated
Database password change complete
Restarting server...

4. As prompted, press any key to continue and the action finalizes.

Verifying the Ensemble Controller

Server by Using the Healthcheck
Script
If you run the healthcheck script, Ensemble Controller creates a health report, which is
useful for Technical Services when analyzing and troubleshooting problems.

See the relevant section for information about how to run the healthcheck script
according to your operating system:
l For Windows
l For Linux

Ensemble Controller R15.2 Administrator Manual - Issue: A 405

Adtran Maintaining Ensemble Controller

For Windows
1. Right-click the healthcheck_nms.bat file located in: C:\Program Files
(x86)\ADVA Optical Networking\FSP Network Manager\bin
2. Select Run as administrator.
3. Follow further instructions on the screen.
When complete, Ensemble Controller created a ZIP file and stored it in the same
location that is C:\Program Files (x86)\ADVA Optical Networking\\FSP
Network Manager\bin
It is named according to this example:
healthreport_MGN-N-SINAD_2017_06_29_14_11_26.zip

For Linux
1. As a root level user, run the healthcheck_nms.sh file located in: /opt/adva/fsp_
nm/bin/
2. Follow further instructions on the screen.
When complete, Ensemble Controller created a GZ file and stored it in the same
location that is /opt/adva/fsp_nm/bin/
It is named according to this example:
healthcheck_fspnap05_20170526_1555.tar.gz

Considerations When Replacing

FSP 3000R7 Network Elements
When you replace FSP 3000R7 network elements, and then restart the Ensemble
Controller Server, the software loses SNMP communication to the Ensemble Controller.
After you replace the network element, the software generates a new engineID
(password) based on the shelf serial number. The new engineID causes a mismatch
between the passwords that the Ensemble Controller uses and the FSP 3000R7 network
element password.

To refresh the FSP 3000R7 password after replacement, right-click the network element,
and then select Reset SNMP Session to reset the SNMP session.

After the SNMP session resets, you can restart the Ensemble Controller Server as
described in Starting the Ensemble Controller Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 406

Adtran Maintaining Ensemble Controller

Locking Client Upgrades or

Downgrades
Under normal operation, you are prompted to upgrade or downgrade your client upon
logging in if your current Ensemble Controller Client version is older than or incompatible
with the Ensemble Controller Server. However in certain situations, upgrade or
downgrade of the client installation package needs to be locked, for example during an
Ensemble Controller Server upgrade.

To lock upgrades or downgrades of the Ensemble Controller Client, manually delete or

move the client installation package from this client repository on the server:

ENC Installation Directory\ws\webapps\clientUpdate

You need to have full administrator permissions on your computer to

delete the client installation package from the designated folder.

Customizing Network Element Icons

To display the function of an individual network element, you can change its icon. This
icon then displays in the Topology Graph and Topology Map for all clients attached to
this server. For more information about how to change the network element icon, see the
User Manual, Configuring the Network Element Identity.

Complete these steps to customize and place your network element icons.

1. On the Ensemble Controller Server, go to the folder

<InstallLocation>\ws\webapps\customimages\netypes.
Each network element type has its own folder.

When you install Ensemble Controller, it creates a network element

folder structure. Keep this structure exactly as it is. Do not delete or
rename the folders. The client can read the custom icons from their
respective folders only if you maintain the original structure.

2. Navigate to the folder of the network element type that you want to provide an icon
image for.

Ensemble Controller R15.2 Administrator Manual - Issue: A 407

Adtran Maintaining Ensemble Controller

3. Add icon images that conform to these guidelines:

l File type: PNG, JPG, GIF. Avoid the use of animated GIFs or use only sparingly.

l Image size: The default dimensions are width=40 and height=26 pixels, but any
size displays correctly if the width and height are within the minimum (10) and
maximum (64) pixels. If the image width or height is too small or too large, the
image will display, but the software will scale it to fit and will likely appear
distorted.
l Quantity: The Ensemble Controller supports up to 64 image files per network
element type folder.
4. You might need to reselect the targeted network element or its subnet before the
new icon will appear in the Overview tab’s selector. There is no need to restart the
mediation server or the client.

Updating Ensemble Controller

Database Information
To keep the Ensemble Controller database updated, you have these options:
l Keep Alive Polling
l Database Update Actions
l Discovery Polling

You can specify these update actions to take place automatically, at regular intervals or
instantly. By default only keep alive polling is enabled for such regular execution, this
action is considered important for ease of management. For the other update actions, the
usefulness of each of them depends on the network element types in your networks, the
network element software releases and what operation routines you will be carrying out.

Enabling these functions is done with the recurring actions tool. For information about
configuring recurring actions, see the User Manual, Specifying Recurring Actions.

Database Update Actions 409

Immediate Database Backup 411
Restoring the Ensemble Controller Database 412
Setting the Number of Database Backup Files Allowed to be Created 414

Ensemble Controller R15.2 Administrator Manual - Issue: A 408

Adtran Maintaining Ensemble Controller

Database Update Actions

The Ensemble Controller maintains a mirror image of some of the network element
SNMP MIB objects in its management database. There are four mechanisms that keep
this database up to date:
l By traps: If an SNMP trap is received, the appropriate objects are updated in the
database.
l By 'keep alive polling': The 'keep alive polling' reads original traps from the log
located on the NE and then updates the appropriate objects in the database
accordingly.
l By polling: Objects can be polled manually, upon user request. If changes are
detected, polling generates appropriate events in the same way as if these
changes were indicated by SNMP traps.
l Immediately: In the Ensemble Controller Settings, select System, and then
Immediate Database Backup.

These mechanisms are normally sufficient to keep the database up to date. If you for
some reason need to update the database by other means, the Ensemble Controller
offers five separate, manual actions to poll the Network Element or read a file, and thus
update the database.

Status Check
This action updates the information about current alarms and protection status. This can
for example be: loss of signal on an interface or a protection status change.

Configuration Check
This action causes the Ensemble Controller to update its information with regard to any
configuration changes on the Network Element. This can for example be: protection
configuration or configuration of data rate.

Inventory Check
This action causes the Ensemble Controller to verify the NE inventory for changes and
applies those changes to the management database if they are not destructive, for
example adds new modules to the database but does not remove absent modules from
the database.

The information in the Network Element Properties window, Shelves and Modules tabs
with the exception of channel assignment, service name and protection status is updated.

Ensemble Controller R15.2 Administrator Manual - Issue: A 409

Adtran Maintaining Ensemble Controller

Status, configuration or inventory updates must be done by manual polling at the

individual Network Element level. Select the NE and click ”NE Status” from the Networks
ribbon menu (Ctrl + F1), which as well updates alarm/ events, or ”NE Configuration”.

To indicate that an update is ongoing, the Network Element icon changes in the tree
pane. For more information on all kinds of NE icons and symbols, see the User Manual.

For FSP 3000R7, the inventory polling also triggers service discovery based on any
tunnels that are on the NE, with network and client ports being In-Service on both source
and destination NEs.

Discovery Polling
Discovery Polling attempts to detect undiscovered NEs present in the network. If
detected, automatic discovery for the NE is triggered, which includes trapsink registration
if the process completes.

The IP address AND NEType of the NE to be discovered must be configured. If the

NEType is missing or a mismatch with the NEType detected at the polled IP address, then
the discovery is aborted and the NE remains in the undiscovered state. To discover this
NE nevertheless, it has to be deleted and added again as described in the User Manual,
Adding Network Elements to a Subnetwork.

The user would then need to manually change NEType by modifying the subnetwork.

The polling interval can be regulated in the recurring actions tool. For information about
configuring recurring actions, see the User Manual.

Immediate Database Backup

Immediate database backup immediately updates the database. For more information,
see Immediate Database Backup.

Backing Up or Restoring the Ensemble Controller

Database
Under certain circumstances, the Ensemble Controller (ENC) database can become
corrupted. This can for example happen if an Ensemble Controller Server workstation
power failure occurs in the middle of a transaction.

In such situations it is necessary to restore to a previous backup. Backups should not be

made by copying directly from the backup database file. This is because the backup
database would be corrupted if a transaction took place during the copying.

Ensemble Controller R15.2 Administrator Manual - Issue: A 410

Adtran Maintaining Ensemble Controller

Ensemble Controller offers services to make a controlled database backup and restore.
Backups should be made regularly, and the service is hence offered together with the
automated recurring actions. For information about recurring actions, see the User
Manual.

Ensemble Controller supports multiple database backup files. The number of backup files
is configurable through a properties file. The names have a timestamp appended to the
name.

For compliance with the high availability functionality the last database backup file is
stored in two copies, one file is named dbfnm.tar.gz and the other is named dbfnm yyyy-
mm-dd hh.mm.ss.tar.gz. If you have redundant Ensemble Controller Servers, the backup
file will automatically be moved and restored on the slave server.

To perform Ensemble Controller database backup or restore, you

need to have full user rights on the FTP/ SFTP server - that is read/
write/ modify/ delete.

Immediate Database Backup

This operation creates a binary database backup and a textual database backup. The
textual database backup is used to manually restore the database, as described in
Restoring the Ensemble Controller Database. The binary database backup is used by the
high-availability feature to transfer the database between the master and slave servers.

Complete these steps to immediately back up the database:

1. From the Ensemble Controller application bar Settings menu, select System, and
then Immediate Database Backup.

If this is the master high-availability server, the Immediate Database Backup dialog
box shows Automatic high availability synchronization enabled.
2. To manually synchronize the dumped database from the master to the slave server,
select Automatic high availability synchronization.
3. Click Yes to continue, or Cancel to exit the backup operation.
See the message pane for any operation results.

Ensemble Controller R15.2 Administrator Manual - Issue: A 411

Adtran Maintaining Ensemble Controller

Ensemble Controller saves the binary backup file dbfnm.tar.gz and the textual
backup file dbfnm.sql to the var\db.backup folder in the installation directory.
Older backup files have the date and time in the file name.
4. Copy the backup files to a location associated with a regular backup process.

Restoring the Ensemble Controller Database

This procedure provides the steps to restore previous or current database files and to
upgrade to a newer Ensemble Controller version. Pay attention to the requirements
according to your intended use.

General Requirements 412

Requirements When Upgrading to a Newer Ensemble Controller Version 412
Procedure to Restore the Database in Linux 412
Procedure to Restore the Database in Windows 413

General Requirements
1. Move the database file you want to restore to the Ensemble Controller installation
directory var/db.backup folder.
2. To preserve the backup file currently located in the var/db.backup folder, move it to
a different location.

Requirements When Upgrading to a Newer Ensemble

Controller Version
1. If you use this procedure to upgrade to a newer Ensemble Controller version and you
wish to use the reports of the current version, additionally preserve the report files by
moving them to a different location. They are stored in Ensemble Controller
installation directory .../ws/webapps/reportdb.
2. After you complete the restore procedure in this section, move the preserved records
back into their previous Ensemble Controller directories as appropriate.

Procedure to Restore the Database in Linux

1. Shut down the Ensemble Controller Server as described in Stopping the Ensemble
Controller Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 412

Adtran Maintaining Ensemble Controller

2. At the command prompt, type:

opt/adva/fsp_nm/bin/restoreDB
3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

After a launch, the server starts inventory, status and configuration

polling for each NE. If the network has a large number of NEs, the
process can take 24 hours to complete the polling and stabilize the
server.

Procedure to Restore the Database in Windows

1. Open the restoreDB.bat file located in the Ensemble Controller installation bin
folder, and then follow the prompt commands.

If UAC is enabled, you must run the CMD shell as administrator.

2. To run a CMD shell, follow these steps:

a. Click Start.
b. In the search field, type CMD. Do not press Enter yet.
c. After the search is complete, CMD will display under Programs.
d. Right-click the CMD icon, and then select Run as administrator.
e. Use the CD command and change to the Ensemble Controller installation bin
directory.
f. Type restoreDB, and then press Enter.

Ignore the error message isAdmin.vbs not found.

3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

After a launch, the server starts inventory, status and configuration

polling for each NE. If the network has a large number of NEs, the
process can take 24 hours to complete the polling and stabilize the
server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 413

Adtran Maintaining Ensemble Controller

Setting the Number of Database Backup Files

Allowed to be Created
To set this parameter, you need to edit the property
com.adva.fnm.option.databasebackupfilesnumber in the fnm.properties file.

For information about editing the properties in the fnm.properties file, see Editing the
fnm.properties File.

Upgrading Ensemble Controller

Successfully Upgrading Ensemble Controller 414
Requirements to Upgrade Ensemble Controller 416
Reconfiguring Properties for RADIUS or TACACS+ Configurations 417
Enhancing the Database Password Encryption Security 417
Upgrading High Availability Servers 419
Retaining a Customized fnm.properties File 419
Overview of the Upgrade Procedure Steps 420
Upgrading Ensemble Controller in Windows 421
Upgrading Ensemble Controller in Linux 427
Enhancing the User Password Encryption After an Upgrade to Version 14.1
or Later 430

Successfully Upgrading Ensemble Controller

To successfully upgrade to a later Ensemble Controller version, you must have the
minimum installed software version on your system. That is, a certain target release
requires a certain current release. See Figure 22 for an overview of the upgrade sequence
that you must follow for a given current version that you installed.

Ensemble Controller R15.2 Administrator Manual - Issue: A 414

Adtran Maintaining Ensemble Controller

Figure 22: Supported Version-Upgrade Sequences

Color Legend:

Tested and supported upgrade path.

Contact Adtran Technical Support for upgrade

path details. See Technical Services.

Unsupported upgrade path.

Ensemble Controller R15.2 Administrator Manual - Issue: A 415

Adtran Maintaining Ensemble Controller

Always upgrade the Ensemble Controller Server and all of the Ensemble
Controller Clients that use this server at the same time.

Requirements to Upgrade Ensemble Controller

l If you upgrade to an Ensemble Controller version before 12.1, for example from
10.x to 11.x, you must enter a new license key.
You can find the licensee name and key printed on a sheet of paper that is
included in the shipment. We will send the license information to you electronically
if you request it.
l If you upgrade to the Ensemble Controller version 12.1, Call Adtran to ensure that
you are provided with a set of feature licenses that are equivalent to those you
used in previous versions.
With the Ensemble Controller version 12.1, the Embedded License Server manages
any required licenses that you must order from the ADVA Customer Focus Team.
For more information, see The Embedded License Server.
If you already have used the Embedded License Server before the Ensemble
Controller version 12.1, make sure your Embedded License Server holds either:
o The basic license, for example ENC-SERVER-R12.x, for the target release.

–or–
o An upgrade license for the target release plus a basic license for the previous
release.
l Before you upgrade from the Ensemble Controller version 12.x, 13.x or 14.x, make
sure your Embedded License Server holds one of these basic licenses plus the
needed upgrade licenses:

Basic License Needed Upgrade Licenses

ENC-SERVER-R15.x -
ENC-SERVER-R14.x ENC-SERVER-U-R15.x
ENC-SERVER-R13.x l ENC-SERVER-U-R14.x and
l ENC-SERVER-U-R15.x

ENC-SERVER-R12.x l ENC-SERVER-U-R13.x,
l ENC-SERVER-U-R14.x and
l ENC-SERVER-U-R15.x

Ensemble Controller R15.2 Administrator Manual - Issue: A 416

Adtran Maintaining Ensemble Controller

For information about how to verify the licenses that the Embedded License Server
currently provides for your Ensemble Controller device, see the User Manual.

Reconfiguring Properties for RADIUS or

TACACS+ Configurations
With each upgrade, Ensemble Controller overwrites the fnm.properties file. As a result,
any RADIUS or TACACS+ servers that you configured in the fnm.properties file might no
longer be available with respect to a centralized login authentication. Therefore, you
must reconfigure the required server in the fnm.properties file.
l For information about how to configure RADIUS servers in the fnm.properties file,
see Setting Up RADIUS Authentication.
l For information about how to configure TACACS+ servers in the fnm.properties
file, see Setting Up TACACS+ Authentication.

If required, you can disable the login authentication through RADIUS or TACACS+ in the
security server preferences as described in Setting Authentication Parameters.

Enhancing the Database Password Encryption

Security
After you upgrade your Ensemble Controller to 15.2 without uninstalling the existing
version as the sections that follow describe, you can enhance the database password
encryption algorithm from the potentially insecure MD5 to the secure SHA256.

With a clean installation to 15.2, which means that any previous Ensemble Controller
version does not exist on the system, the database password is already configured to use
the SHA256 encryption algorithm.

See one of these sections according to the version you upgraded, and then complete the
steps to enhance the password security:

Any 13.x Version Upgraded to 13.3 or Later 417

Any Supported Version Before 13.1 Upgraded to 13.3 or Later 418

Any 13.x Version Upgraded to 13.3 or Later

Both the Adtran and the root user passwords currently use the MD5 encryption
algorithm. To enhance the passwords to use the SHA256 algorithm, run the nmsadmin
script file. According to your system, the script file is located here:

Ensemble Controller R15.2 Administrator Manual - Issue: A 417

Adtran Maintaining Ensemble Controller

l Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP

Network Manager\bin
l Linux: /opt/adva/fsp_nm/bin

To enhance the Adtran user password, in the nmsadmin script file:

1. Type Y, which starts the Change Database Password option.

2. Type a new password as requested.
3. Type V to exit the script.
After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
4. Copy the dbaccess.txt file to the server that now hosts the standby server.

To enhance the root user password, in the nmsadmin script file:

1. Type Q, which starts the Query DB option.

fnm-#
2. Type this command:
alter user root with password ‘new_password_here’;

Specify the new password by replacing new_password_here, for example:

alter user root with password ‘MyNewPassword#123’;

3. Type exit to exit the Query DB option.

4. Type V to exit the script.

Any Supported Version Before 13.1 Upgraded to 13.3 or

Later
The Adtran user password currently uses the MD5 encryption algorithm. The root user
password by default uses SHA256 already. Complete these steps to enhance the Adtran
password to also use the SHA256 algorithm.

1. Run the nmsadmin script file. According to your system, the script file is located
here:
l Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP

Network Manager\bin
l Linux: /opt/adva/fsp_nm/bin
2. Type Y, which starts the Change Database Password option.
3. Type a new password as requested.
4. Type V to exit the script.

Ensemble Controller R15.2 Administrator Manual - Issue: A 418

Adtran Maintaining Ensemble Controller

After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
5. Copy the dbaccess.txt file to the server that hosts the standby server.

Upgrading High Availability Servers

For information about how to upgrade servers that run in a high-availability
configuration, see either of these sections:
l Upgrading Ensemble Controller Servers that Use Standard High Availability
l Upgrading Streaming Replication High Availability

Retaining a Customized fnm.properties File

These upgrade scenarios determine whether you manually must take actions to save
changed properties in the fnm.properties file, or Ensemble Controller automatically takes
care of it.

Upgrading an Existing Ensemble Controller Version 419

Upgrading by Installing a New Ensemble Controller Version 420

Upgrading an Existing Ensemble Controller Version

If you customized the fnm.properties file to suit your system requirements, and then you
upgrade your Ensemble Controller to a newer version without uninstalling the existing
version as the sections that follow describe, the system automatically:
l Backs up the customized fnm.properties file.
l Identifies the changes in the fnm.properties file.
l Merges the changes to the new fnm.properties file that comes with the upgrade.
l Saves the original ADVA-delivered fnm.properties file that includes the standard
release values to a different name, and thus preserves that file.

With the release version 12.3, the default value for the property
jms.transportProtocol changed from nio to nio+ssl. Therefore, if
you upgrade to the version 12.3, ensure that in the fnm.properties file,
you change the jms.transportProtocol to nio+ssl after you finish
the upgrade. For more information about this property, see Properties
for Configuring the Java Messaging System (JMS).

Ensemble Controller R15.2 Administrator Manual - Issue: A 419

Adtran Maintaining Ensemble Controller

Upgrading by Installing a New Ensemble Controller

Version
If you customized the fnm.properties file, and then you completely uninstall the existing
Ensemble Controller version to perform a clean installation of the newer version, you
must manually take care of the steps to save changed properties and merge them into
the new fnm.properties file as follows:

1. Before you uninstall the existing Ensemble Controller version as described in

Uninstalling Ensemble Controller, save the customized fnm.properties file to a
directory outside of the Ensemble Controller installation files.
2. After you install the new Ensemble Controller version as described in Installing
Ensemble Controller, paste the customized fnm.properties file that you saved in Step
1, in the Ensemble Controller backup installation directory.
3. In the Ensemble Controller bin installation directory, use the relevant file:
l For Linux, start the propup.sh file.
l For Windows, start the propup.bat file.
The propup file includes these parameter options that you can use to process the file
as required:

Parameter Description
-? The description about the usage of this file.
-i <inputfile> The customized fnm.properties file to be transferred. Defaults to
backup/fnm.properties.
-o <targetfile> The new fnm.properties file where the properties from the
customized fnm.properties file are merged.
-b <backupfile> The file that preserves the original ADVA-delivered
fnm.properties file. Defaults to <targetfile>.org.
-d <propertyId> The identifier in the header of the file followed by the revision.
Defaults to fnm.properties.
-l number The number of lines to be preserved for the footer at the end of
the file. Defaults to 3.

Overview of the Upgrade Procedure Steps

Complete these steps to successfully upgrade Ensemble Controller in this sequence:

Ensemble Controller R15.2 Administrator Manual - Issue: A 420

Adtran Maintaining Ensemble Controller

1. Copy these files to a secure location for future use:

l ENC Installation Directory\fnm.properties
l ENC Installation Directory\log4j2.xml
l ENC Installation Directory\ws\webapps\reportdb\*
l ENC Installation Directory\CustomProducts\*
l ENC Installation Directory\dbaccess.txt

2. Upgrade Ensemble Controller according to your operating system:

l Upgrading Ensemble Controller in Windows
l Upgrading Ensemble Controller in Linux
Alternatively, see Restoring the Ensemble Controller Database for information about
how to upgrade Ensemble Controller by restoring a previous or current database
backup file.

Before you upgrade, the installation script backs up the current

Ensemble Controller Server database to the Ensemble Controller
installation directory /var/db.backup/preupgrade. No manual
backup is needed.

Upgrading Ensemble Controller in Windows

Complete these steps to upgrade the Ensemble Controller software version in a Windows
system.

Requirements 421
Restriction 422
Procedure to Upgrade in Windows 422

Requirements
l You are informed about Antivirus Software.
l You must follow the upgrade sequence for a given current Ensemble Controller
version that you installed. See Figure 22 for an overview of the version upgrade
sequence.
l You have full administrator permissions on your local personal computer. Verify,
and if necessary, modify your computer account settings: go to Start > Control
Panel >User Accounts > Manage User Accounts.
l On the computer where Ensemble Controller is installed, ensure that the system

Ensemble Controller R15.2 Administrator Manual - Issue: A 421

Adtran Maintaining Ensemble Controller

automatically manages the paging file for virtual memory. At a minimum, set the
paging file to be equal to the system physical memory.

Restriction
DO NOT change your system type from a 32-bit Windows version to a
64-bit version while the Ensemble Controller is up and running.

If such a system change is necessary, complete these steps:

1. Back up your Ensemble Controller database. Choose from these options:

l The recurring Database Backup action that you configure in Ensemble Controller
initiates regular backups. For information about how to configure recurring
actions, see the Ensemble Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup,
you can create immediate backups. For more information about how to start an
immediate backup, see Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.
2. Uninstall Ensemble Controller as described in Uninstalling Ensemble Controller.
3. Reinstall Ensemble Controller as described in Installing Ensemble Controller in
Windows.
4. Restore the Ensemble Controller database as described in Restoring the Ensemble
Controller Database.

Procedure to Upgrade in Windows

1. To start your Ensemble Controller Client, in the tree pane Networks tab, right-click
the Network root.
2. Fix database inconsistencies, see User Manual, Fixing Database Inconsistencies.
3. Close all Ensemble Controller Client applications.
4. Use the Windows Task Manager to look for and, if necessary, terminate any running
fnm.exe process.
5. From the Salesforce Customer Portal, copy these scripts to the Ensemble Controller
installation scripts directory, for example: C:\Program Files (x86)\ADVA
Optical Networking\FSP Network Manager\scripts
l printDBInconsistenciesPostgres.bat

l printDBInconsistenciesPostgres.sql

Ensemble Controller R15.2 Administrator Manual - Issue: A 422

Adtran Maintaining Ensemble Controller

6. To start a CMD shell, in the Windows start menu field, type cmd.
7. Change to the Ensemble Controller scripts installation directory, for example:
C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\scripts
8. In the CMD shell, run printDBInconsistenciesPostgres.bat to verify basic
database inconsistencies.
An error-free output displays, as shown in Error-free Output of Database Validation
Verification.
The system displays additional data after the colon to show inconsistencies.
9. Proceed only if the database validation succeeds. If validation fails, contact Adtran
Technical Services for support.
10. Shut down the ENC server as described in Procedure for Stopping the Server in
Windows.
11. Install the new Ensemble Controller version as described in Installing Ensemble
Controller.
The upgrade installation process begins with this Upgrade window:

12. Click Next.

Ensemble Controller R15.2 Administrator Manual - Issue: A 423

Adtran Maintaining Ensemble Controller

The Choose Install Set window opens.

l If you already have used the Embedded License Server before the
Ensemble Controller version 12.1 and you now want to upgrade to
12.1 or later, you must upgrade the Embedded License Server to
the version that we deliver with the Ensemble Controller version
12.1 before you can use Ensemble Controller 12.1.
l If you upgrade from Network Manager release 10.5.1, consider
these options:
o If your system also includes the Embedded License Server, you

must NOT upgrade the Embedded License Server by itself.

Always upgrade the Network Manager and the Embedded
License Server together. For more information, see Restrictions
For Uninstalling the 10.5.1 Network Manager.
o If your system only includes the Network Manager without the

Embedded License Server, you can upgrade only the Network

Manager Server and Client.
o If your system only includes the Embedded License Server

without the Network Manager, you can upgrade only the

Embedded License Server.

13. Select one ENC option or both ENC Server and ENC Client. If your system also
includes the Embedded License Server, also select it.

Ensemble Controller R15.2 Administrator Manual - Issue: A 424

Adtran Maintaining Ensemble Controller

14. Click Install.

The wizard starts the upgrade installation process.
15. Complete the wizard steps, and then click Next to continue through the wizard.
The upgrade process is almost complete when the Post Install Upgrade window
opens:

16. Click Next.

The Installation Complete window opens and displays this information:

17. Click Done to exit the upgrade installation wizard.

Ensemble Controller R15.2 Administrator Manual - Issue: A 425

Adtran Maintaining Ensemble Controller

18. If you selected the Embedded License Server in Step 13, before you proceed with this
procedure, first prepare and enable the Embedded License Server as described in
Preparing and Enabling the Embedded License Server.
19. Restart your computer to complete the upgrade process.
20. After your computer restarts, verify that all services are running as described in
Verifying Services in Windows.
After an upgrade, your computer can take longer than usual to restart. During this
time, the software rejects any client-login attempts.
The system upgrades the database. See the var\log dbupgrade.lo file for these
messages:
l This is the message that displays when Ensemble Controller starts to upgrade

the database:
INFO - ======================================================================
INFO - DATABASE UPGRADE HAS BEEN STARTED AND THIS PROCESS CAN TAKE A WHILE TO
COMPLETE. PLEASE WAIT FOR THE DATABASE UPGRADE COMPLETION MESSAGE BEFORE
CONTINUING.
INFO - ======================================================================

The upgrade process might take some time to finish. The length
of time depends on:
l The database size.
l The upgrade path based on the number of how many
intermediate Ensemble Controller versions you bypassed.
l The server performance.

l This is the message that displays when Ensemble Controller completes to

upgrade the database:
INFO - ======================================================================
INFO - DATABASE UPGRADE HAS BEEN FINISHED.
INFO - ======================================================================

21. On computers where only Ensemble Controller Clients are installed, follow these
steps to update the client:
a. Uninstall the previous Ensemble Controller Client versions as described in
Uninstalling Ensemble Controller.
b. Next, install the target version of the Ensemble Controller Client as described in
Installing Ensemble Controller.
22. After the server restarts, open the Ensemble Controller Client as described in Logging
Into the Ensemble Controller Client.

Ensemble Controller R15.2 Administrator Manual - Issue: A 426

Adtran Maintaining Ensemble Controller

23. Open the cleanPostgresAfterUpgrade script to clean up old PostgreSQL

folders. The script is located in the Ensemble Controller bin installation directory, for
example: C:\Program Files (x86)\ADVA Optical Networking\FSP
NetworkManager\bin
24. Optional: After you upgrade to the Ensemble Controller version 15.2, you have these
additional options to optimize the system:
l To customize your client to personal needs, see the User Manual.

l To enhance the database password encryption algorithm, see Enhancing the

Database Password Encryption Security.

Upgrading Ensemble Controller in Linux

Complete these steps to upgrade the Ensemble Controller software version in a Linux
system.

Requirements to Upgrade in Linux 427

Restriction to Upgrade in Linux 428
Procedure to Upgrade in Linux 428

Requirements to Upgrade in Linux

Area Requirement Description
Version Upgrade You must follow the upgrade sequence for a given current Ensemble
Sequence Controller version that you installed. See Figure 22 for an overview of
the version upgrade sequence.
Sync Assurance If your Ensemble Controller installation is configured to use Sync
Assurance, you must:
l Stop the Sync Assurance application before you upgrade
Ensemble Controller.
l First complete the Ensemble Controller upgrade procedure, and
then also upgrade the Sync Assurance application.
l Make sure that Sync Assurance and Ensemble Controller have the
same software version. Otherwise, the applications cannot
interchange appropriate data formats.

Ensemble Controller R15.2 Administrator Manual - Issue: A 427

Adtran Maintaining Ensemble Controller

Restriction to Upgrade in Linux

If you want to upgrade your Red Hat Enterprise Linux version, for example from 6.x to 7.x,
you must also upgrade your Ensemble Controller. First upgrade the Red Hat Enterprise
Linux, and then afterwards as second step upgrade your Ensemble Controller as
described in Procedure to Upgrade in Linux, not the other way around.

Otherwise, if you want to keep your current Ensemble Controller version, upgrade your
Red Hat Enterprise Linux version as planned, and then for the Ensemble Controller,
complete these steps:

1. Back up your Ensemble Controller database. Choose from these options:

l The recurring Database Backup action that you configure in Ensemble Controller
initiates regular backups. For information about how to configure recurring
actions, see the Ensemble Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup,
you can create immediate backups. For more information about how to start an
immediate backup, see Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.
2. Uninstall Ensemble Controller as described in Uninstalling Linux Applications.
3. Reinstall Ensemble Controller as described in Installing Ensemble Controller in Linux.
4. Restore the Ensemble Controller database as described in Restoring the Ensemble
Controller Database > Procedure to Restore the Database in Linux.

Procedure to Upgrade in Linux

1. Switch to the root user:
su -
2. From the Salesforce Customer Portal, copy these scripts to the Ensemble Controller
installation scripts directory:
l printDBInconsistenciesPostgres.sh
l printDBInconsistenciesPostgres.sql.

3. Run the printDBInconsistenciesPostgres.sh script to verify basic database

inconsistencies.
An error-free output displays, as shown in Error-free Output of Database Validation
Verification.
The system displays additional data after the colon to show inconsistencies.
4. Proceed only if the database validation succeeds. If validation fails, contact Adtran
Technical Services for support.

Ensemble Controller R15.2 Administrator Manual - Issue: A 428

Adtran Maintaining Ensemble Controller

5. Shut down the ENC server as described in Procedure for Stopping the Server in Linux.
6. Copy the Ensemble Controller installation file to a directory on your local hard drive.
7. Unpack the tar archive:
tar xf <tar archive name>
8. Start the installation program:
./install
9. Follow the instructions that the system displays during this process.
10. If you upgrade step by step and have not yet installed the final version, repeat Step 2
through Step 9.
11. After the installation completes, you must wait until the system upgrades the
database. See the dbupgrade.log file, which is located in var\log, for these
messages:
l This is the message that displays when Ensemble Controller starts to upgrade
the database:
INFO - ======================================================================
INFO - DATABASE UPGRADE HAS BEEN STARTED AND THIS PROCESS CAN TAKE A WHILE TO
COMPLETE. PLEASE WAIT FOR THE DATABASE UPGRADE COMPLETION MESSAGE BEFORE
CONTINUING.
INFO - ======================================================================

l This is the message that displays when Ensemble Controller completes to

12. Start the Ensemble Controller as described in Logging Into the Ensemble Controller
Client.
13. Open the cleanPostgresAfterUpgrade script to clean up old PostgreSQL
folders.
The script is located in /opt/adva/fsp_nm/bin.

Ensemble Controller R15.2 Administrator Manual - Issue: A 429

Adtran Maintaining Ensemble Controller

14. Optional: After you upgrade to the Ensemble Controller version 15.2 or later, you
have these additional options to optimize the system:
l To customize your client to personal needs, see the User Manual, User Settings.

l To enhance the database password encryption algorithm, see Enhancing the

Database Password Encryption Security.

Enhancing the User Password Encryption After

an Upgrade to Version 14.1 or Later
Any Ensemble Controller version earlier than 14.1 uses a DSA encryption algorithm for
user passwords. After you upgrade Ensemble Controller to version 15.2, you must
enhance the encryption algorithm from the potentially insecure DSA to the secure
SHA512. Ensemble Controller will automatically change the encryption algorithm to
SHA512 in these cases:
l Changing the user password.
l Logging in to the upgraded Ensemble Controller.

For all new users created since Ensemble Controller version 14.1,
system uses SHA512 algorithm.

To determine which users still need to enhance their user passwords, verify the date of
the last login for each account. If this date is later than the 14.1 upgrade date, the
algorithm for this user account changes to SHA512. We recommend that you migrate
every user account to use the secure algorithm. For accounts that do not meet the
upgrade conditions, manually change the password, or if necessary, delete the account.

For remote authentication, the system verifies whether the same user name also exists
with the local account. Only if the passwords for both accounts are the same, the system
will automatically change the algorithm of the local account. If the passwords do not
match, the system leaves the local account unchanged and you must manually change
those passwords.

Upgrading Sync Assurance in Linux

Complete these steps to upgrade the Sync Assurance application in Linux.

Requirements to Upgrade Sync Assurance 431

Ensemble Controller R15.2 Administrator Manual - Issue: A 430

Adtran Maintaining Ensemble Controller

Procedure to Upgrade Sync Assurance 433

Procedure to Upgrade Sync Assurance 15.1 to 15.2 including GNSS and TPA
Raw Data Migration 434

Requirements to Upgrade Sync Assurance

Area Requirement Description
Application Upgrade Make sure that you first upgrade Ensemble Controller
Sequence before you upgrade the Sync Assurance application.
Version Upgrade Sequence Sync Assurance supports only incremental upgrades, for
example from 13.1 to 13.2, or also from 12.3 to 13.1 as
long as they are consecutive.
NOTICE: If you upgrade from 12.3 to 13.1, and you use
PTP (Time And Phase) Assurance, the upgrade process
deletes the time interval error data and also the
database backup files because they are incompatible
with the new 13.1 release.

Ensemble Controller R15.2 Administrator Manual - Issue: A 431

Adtran Maintaining Ensemble Controller

Area Requirement Description

ATTENTION:
If you upgrade from 13.2 to 13.3, the upgrade process
deletes both GNSS and TPA databases, and also the
backup files. To preserve the data, before you start the
upgrade, manually backup the GNSS and TPA
databases. For both applications, run the db_backup_
<application name>.sh scripts located in
/opt/adva/SyncAssurance/<application name>.
We strongly recommend that you copy the database
backup files to an external system. After the upgrade
procedure completes, you can restore the databases.
See Restoring the Database from a Backup File.

ATTENTION:
If you upgrade from 15.1 to 15.2, the upgrade process
deletes both GNSS and TPA databases, and also the
backup files. To preserve the data, before you start the
upgrade, manually backup the GNSS and TPA
databases. For both applications, run the db_backup_
<application name>.sh scripts located in
/opt/adva/SyncAssurance/<application name>.

We strongly recommend that you copy the database

backup files to an external system.
Version Consistency After this procedure and at all times, make sure that
Sync Assurance and Ensemble Controller have the same
software version. Otherwise, the applications cannot
interchange appropriate data formats.

Ensemble Controller R15.2 Administrator Manual - Issue: A 432

Adtran Maintaining Ensemble Controller

Procedure to Upgrade Sync Assurance

For 15.1 to 15.2 upgrade, follow this procedure Procedure to Upgrade
Sync Assurance 15.1 to 15.2 including GNSS and TPA Raw Data
Migration. This special procedure is related to GNSS and TPA database
upgrade. It is designed to migrate historical GNSS and TPA raw data to
the new format. If you upgrade only SNT service, apply regular
procedure. During the regular procedure, the process deletes GNSS
and TPA data.

1. Rename the /opt/adva/SyncAssurance directory to

/opt/adva/SyncAssurance.<old_version_number>
2. From the Ensemble Controller installation medium, copy the SyncAssurance_
vX.X.X-Bxxxx.tar.gz file in the directory /opt/adva.
3. Set the working directory to /opt/adva:
cd /opt/adva/
4. Untar the SyncAssurance_vX.X.X-Bxxxx.tar.gz file:
tar -zxvf SyncAssurance_vX.X.X-Bxxxx.tar.gz
This will create the Sync Assurance directory structure.
5. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
6. If the current installation contains custom settings in the docker-stack.yml files, you
must apply these settings again in the new docker-stack.yml files. In other words,
preserve any custom changes made in these files:
l /opt/adva/SyncAssurance/gnss/docker-stack.yml
l /opt/adva/SyncAssurance/tpa/docker-stack.yml
l /opt/adva/SyncAssurance/snt/docker-stack.yml
7. Install the Sync Assurance application as described from Step 5 to 6 in Procedure to
Install the Sync Assurance Application.
The upgrade and migration process from 12.2 and earlier release versions deletes all
the database backup files. You cannot use these backup files to restore a release
because the new timescaleDB version installed is incompatible with the old database
backup files. Be sure that you save a copy of the earlier release on another system if
you want to revert back to the previous release.
The upgrade and migration process from 15.1 and earlier release versions deletes
GNSS and TPA database and backup files. You cannot use these backup files to
restore data in new release because the new timescaleDB version installed is
incompatible with the old database backup files. Be sure that you save a copy of the
earlier release on another system if you want to revert back to the previous release.
To migrate from 15.1 release while preserving GNSS and TPA raw data, follow

Ensemble Controller R15.2 Administrator Manual - Issue: A 433

Adtran Maintaining Ensemble Controller

Procedure to Upgrade Sync Assurance 15.1 to 15.2 including GNSS and TPA Raw
Data Migration.

Procedure to Upgrade Sync Assurance 15.1 to

15.2 including GNSS and TPA Raw Data
Migration
Follow this procedure only in case of 15.1 to 15.2 Sync Assurance upgrade. It is a special
upgrade procedure that includes upgrading the Timescale DB from timescaledb:1.7.5-
pg12 to timescaledb:2.9.1-pg14 release for GNSS and PTP Assurance applications.

This procedure migrates the GNSS and TPA raw data into the new database. The process
does not migrate the GNSS and TPA aggregated data. The SNT data is not affected by
this migration, since it already uses timescaledb:2.9.1-pg14 for 15.1 SyncAssurance
release.

For GNSS and PTP Assurance applications prior to 15.1, follow the regular upgrade
procedures up to 15.1 release (run a set of consecutive upgrades from one release to the
next without skipping any upgrade) before upgrading to 15.2.

1. Rename the /opt/adva/SyncAssurance directory to

/opt/adva/SyncAssurance.<old_version_number>.
2. From the Ensemble Controller installation medium, copy the SyncAssurance_
v15.2.X-Bxxxx.tar.gz file in the directory /opt/adva.
3. Set the working directory to /opt/adva:
cd /opt/adva/
4. Untar the SyncAssurance_v15.2.X-Bxxxx.tar.gz file:
tar -zxvf SyncAssurance_v15.2.X-Bxxxx.tar.gz
This will create the Sync Assurance directory structure.
5. Re-deploy SyncAssurance 15.1 in case it has been stopped during ENC upgrade:
a. Set the working directory to /opt/adva/SyncAssurance.<old_version_
number>:
cd /opt/adva/SyncAssurance.<old_version_number>
b. Execute the deploy.sh script, see Procedure to Install the Sync Assurance
Application. Depending on the applications you use, start GNSS, TPA or both.
Starting gnss_custom-worker, SNT application or specifying ENC secondary
server IP address is not required at that point.
6. Verify that database services are running, see Procedure to Install the Sync Assurance
Application.
7. Stop all GNSS and TPA services except the database (scale down):

Ensemble Controller R15.2 Administrator Manual - Issue: A 434

Adtran Maintaining Ensemble Controller

a. To stop the services, execute these Docker commands:

docker service scale <stack-name>_collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0
For the <stack-name>, type gnss or tpa.

If you migrate TPA database, stop it using command: docker

service scale tpa_online-qm=0.

b. Execute this Docker command to list the number of the services that still run for
PTP (Time And Phase) Assurance or GNSS:
docker stack services <stack-name>
c. Verify that the system stopped the services that have access to the database,
which means REPLICAS = 0/0. See Table 14 on p. 338 for a possible GNSS-stack
command output after the services stopped.
8. Set the working directory to /opt/adva/SyncAssurance/util/migration/migration_
from_15.1_to_15.2/data:
cd /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_
15.2/data
9. Run the special export script to export data for gnss application, if applicable:
./export.sh gnss
10. Wait for the process to complete.
11. Run the special export script to export data for tpa application, if applicable:
./export.sh tpa
12. Wait for the process to complete.
13. Verify that relevant csv files are generated
under /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_
15.2/data directory. Look for files with the following name structure: pg_data_
dump_<stack name>_<table name>.csv[.gz].
14. If the current installation contains custom settings in the docker-stack.yml files, apply
these settings again in the new docker-stack.yml files. In other words, preserve any
custom changes made in these files:
l /opt/adva/SyncAssurance/gnss/docker-stack.yml

l /opt/adva/SyncAssurance/tpa/docker-stack.yml
l /opt/adva/SyncAssurance/snt/docker-stack.yml
15. Set the working directory to /opt/adva/SyncAssurance.<old_version_number>:
cd /opt/adva/SyncAssurance.<old_version_number>
16. Stop the Sync Assurance application:
./SyncAssurance-ctl.sh stop

Ensemble Controller R15.2 Administrator Manual - Issue: A 435

Adtran Maintaining Ensemble Controller

17. Make sure that ENC 15.2 is running.

18. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
19. Run the enc_token_generate.sh script:
./enc_token_generate.sh [<ENC server IP address>]
<ENC server IP address> - optional attribute: IP address of ENC server from which
the token should be acquired. Enter this address if you use Sync Assurance on a
separate server.

From now on, do not restart ENC until you complete step 22 (stop services).

20. Execute the deploy.sh script, see Procedure to Install the Sync Assurance
Application.
21. Verify that all required Sync Assurance application stacks are running, see Procedure
to Install the Sync Assurance Application.

The upgrade and migration process from 15.1 deletes all GNSS and
TPA database backup files. You cannot use these backup files to
restore a release because the installed timescaleDB version is
incompatible with the old database backup files. Make sure that you
save a copy of the earlier release on another system if you want to
revert back to the previous release.

22. Stop all GNSS and TPA services except the database (scale down):
a. Execute the relevant Docker command according to the application database that
you want to migrate:
docker stack services <stack-name>
For the <stack-name>, type gnss or tpa
See Table 13 on p. 338 for a possible gnss command output.
b. Note down the REPLICAS numbers for all running services that access the
database:
l Any service with a name that ends with “collector”.

l Any service with a name that ends with “data-access”.

l Any service with a name that ends with “db-backup”.
c. To stop the services, execute these Docker commands:
docker service scale <stack-name>_collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0

Ensemble Controller R15.2 Administrator Manual - Issue: A 436

Adtran Maintaining Ensemble Controller

If you migrate the GNSS database, and you use the optional gnss_
custom-worker service, also note down the REPLICA number of that
service, and then stop it using this command: docker service
scale gnss_custom-worker=0.
If you migrate TPA database, also note down the REPLICA number
of tpa_online-qm service, and then stop it using command: docker
service scale tpa_online-qm=0.

d. Execute this Docker command to list the number of the services that still run for
PTP (Time And Phase) Assurance or GNSS:
docker stack services <stack-name>
e. Verify that the system stopped the services that have access to the database,
which means REPLICAS = 0/0. See Table 14 on p. 338 for a possible GNSS-stack
command output after the services stopped.
23. Set the working directory to /opt/adva/SyncAssurance/util/migration/migration_
from_15.1_to_15.2/data:
cd /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_
15.2/data
24. Run the special import script to import data into the gnss application, if applicable:
./import.sh gnss
25. Wait for the process to complete.
26. Run the special import script to import data into the tpa application, if applicable:
./import.sh tpa
27. Wait for the process to complete.
28. To restart the database service, complete these steps:
a. Execute this Docker command to stop the database service for the relevant
database that you want to migrate:
docker service scale <stack-name>_timescaledb=0
b. Execute this Docker command to list the services that run for PTP (Time And
Phase) Assurance or GNSS:
docker stack services <stack-name>
c. Verify that the system stopped the relevant database service, which means
REPLICAS = 0/0. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 0/0 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS

Ensemble Controller R15.2 Administrator Manual - Issue: A 437

Adtran Maintaining Ensemble Controller

coe3ct4t8q20 gnss_timescaledb replicated 0/0 adva/synca-

timescaledb:1.7.3-pg10
d. Execute this Docker command to start the database service for the relevant
database that you want to migrate:
docker service scale <stack-name>_timescaledb=1
e. Execute this Docker command to list the services that run for PTP (Time And
Phase) Assurance or GNSS:
docker stack services <stack-name>
f. Verify that the system restarted the relevant database service, which means
REPLICAS = 1/1. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS
coe3ct4t8q20 gnss_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10

29. Execute these Docker commands to restart the services that you stopped in Step 22
before you imported the database:
docker service scale <stack-name>_collector=<no of replicas noted
down in step 22>
docker service scale <stack-name>_data-access=<no of replicas noted
down in step 22>
docker service scale <stack-name>_db-backup=<no of replicas noted
down in step 22>
If relevant: docker service scale gnss_custom-worker=<no of replicas
noted down in step 22>
If relevant: docker service scale tpa_online-qm=<no of replicas noted
down in step 22>
30. Verify that the services have access to the started database, which means that the
replica numbers must be equal to the ones noted down in Step 22:
docker stack services <stack-name>
See Table 13 on p. 338 for the command output example.

Ensemble Controller R15.2 Administrator Manual - Issue: A 438

Adtran Maintaining Ensemble Controller

Upgrading Ensemble Fiber Director in

Linux
If you upgrade the Ensemble Controller (ENC), you also need to upgrade the Ensemble
Fiber Director (EFD). Use only the EFD version that is included in the ENC installation CD.
Other versions might not be supported.

Follow these steps to upgrade the EFD along with the ENC:

1. Shut down the ENC server as described in Procedure for Stopping the Server in Linux.
2. Shut down the EFD server:
./opt/adva/fiberdirector/stop.sh
3. Upgrade the ENC as described in Upgrading Ensemble Controller in Linux. Do not
start the ENC server after the upgrade.
4. Upgrade the EFD by over-installation as described in Installing the Ensemble Fiber
Director Server in Linux.
5. Start the EFD server:
./opt/adva/fiberdirector/start.sh
6. Start the ENC server as described in Procedure to Start the Server in Linux.

Uninstalling Ensemble Controller

Complete these steps to uninstall Ensemble Controller (ENC) by using the Maintenance
Mode application.

Restrictions For Uninstalling the 10.5.1 Network Manager 439

Procedure to Uninstall Ensemble Controller 440

Restrictions For Uninstalling the 10.5.1 Network

Manager
This section applies only if you have installed 10.5.1 Network Manager
and the Embedded License Server (ELS).

Ensemble Controller R15.2 Administrator Manual - Issue: A 439

Adtran Maintaining Ensemble Controller

You might encounter issues if you want to uninstall the 10.5.1 Network Manager in this
unusual case, which is related to the rebranding of the Network Manager to Ensemble
Controller in the 11.1.1 release.

Initial Situation: You installed the 10.5.1 Network Manager and the Embedded License
Server.

Previously Taken Actions: Do not replicate the steps that follow! This information is to
help you understand this atypical case that results in an Alert message and your inability
to uninstall the 10.5.1 Network Manager. These steps describe the actions that resulted in
the Alert message being displayed:

1. You upgraded only the Embedded License Server to release 11.1.1 but not the
Network Manager.
The system created files for both Network Manager and Ensemble Controller
because of the product re-branding in release 11.1.1.
2. You used the Ensemble Controller file Change_Ensemble Controller and uninstalled
only the Embedded License Server.
This action also deleted the register keys for the Network Manager.
3. You then started to uninstall the 10.5.1 Network Manager.
This Alert message opened:

You were unable to uninstall the 10.5.1 Network Manager because of the missing
register keys.

Conclusion: To resolve this issue, you must upgrade from the 10.5.1 Network Manager to
the 11.1.1 Ensemble Controller including the Embedded License Server.

Procedure to Uninstall Ensemble Controller

1. To smoothly uninstall Ensemble Controller, complete these steps first:
a. Remove the previously installed Ensemble Controller Clients as described in
Viewing and Deleting Installed Clients.

Ensemble Controller R15.2 Administrator Manual - Issue: A 440

Adtran Maintaining Ensemble Controller

b. If your Ensemble Controller uses Streaming Replication High Availability,

disable it as described in Reverting to a Non-Resilient Configuration or
Disabling Streaming Replication High Availability.
2. Save any data and close all open programs.
3. To start the Maintenance Mode application:
l Select Start > Control Panel > Programs and Features > Ensemble

Controller.
–or–
l Follow this path: ENC Installation Directory\Change_Ensemble

Controller\Change Ensemble Controller.exe

The Maintenance Mode window opens:

4. Select Uninstall Product.

5. Click Next to continue.
The Uninstall Ensemble Controller window opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 441

Adtran Maintaining Ensemble Controller

6. Click Next.
The Post Uninstall Process message opens to inform you that the Ensemble
Controller services terminated.
7. Click OK to continue. A status bar and status messages indicate progress while the
system uninstalls the software.

After the uninstall procedure completes, the Uninstall Complete window opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 442

Adtran Maintaining Ensemble Controller

Any files that the application was unable to remove from your system remain and are
listed, including their locations, as illustrated here:

8. Make a note of the installation directories that the software was unable to remove.
Keep this list nearby until the end of this procedure.
9. Continue with one of these options:
l Select Yes, restart my system, and then click Done.

Your computer automatically closes any currently running files or programs, and
then restarts. Any unsaved data is lost.
Continue with these steps:
a. Wait until your computer restarts.
b. Verify whether the installation directories that you noted in Step 8 are still
present in the installation directory. If yes, delete them.
-or-
l Select No, I will restart my system myself, and then click Done.
Continue with these steps:
a. Save and close any currently running files or programs on your computer.
b. Restart your computer.
c. Wait until your computer restarts.
d. Verify whether the installation directories that you noted in Step 8 are still
present in the installation directory. If yes, delete them.

Ensemble Controller R15.2 Administrator Manual - Issue: A 443

Adtran Maintaining Ensemble Controller

Uninstalling Linux Applications

The Ensemble Controller installation on a Linux operating system includes other
applications that you can install on your system.

If you need to uninstall any of these applications, including the Ensemble Controller itself,
use these commands:

Change to root and type this command to

Applications
uninstall
Flexnet Licensing Server /opt/adva/fsp_nm/flexnetls/server/fne.sh uninstall
Centralized Control Plane /opt/adva/fsp_nm_ni/uninstallni.sh
l Flexnet Licensing Server /opt/adva/uninstall-fsp_nm
l Centralized Control Plane
l Ensemble Controller

Uninstalling the Sync Assurance

Application
To uninstall the Sync Assurance application that you install in a Linux system, run the
uninstall.sh script located in the /opt/adva/SyncAssurance directory:

./uninstall.sh

Ensemble Controller R15.2 Administrator Manual - Issue: A 444

Adtran Managing the Centralized Control Plane

Chapter 5

Managing the Centralized

Control Plane
The Centralized Control Plane (CPc) is a management tool that supports path
computation or service provisioning for FSP 3000R7 network elements. The CPc runs as a
Docker container.

Each FSP 3000R7 network element has one instance of the CPc that exchanges
information with all other network elements that are connected to that network element.
The network elements recognize the locally-available traffic engineering resources and
pass this information to the CPc. The CP maintains a centralized repository of all the
traffic-engineering topology information.

You can use Ensemble Controller (ENC) to configure the communication channel to the
CPc that is described in this chapter.

CPc is the state-of-the-art version of Control Plane for ENC. Therefore,

you should use CPc for all green-field installations.

An example of how the CPc communicates with the Ensemble Controller Server (ENC
Server) and FSP 3000R7 network elements is shown in this illustration:

Ensemble Controller R15.2 Administrator Manual - Issue: A 445

Adtran Managing the Centralized Control Plane

Setting Up the Centralized Control Plane 446

Configuring a Connection Between Ensemble Controller and the Centralized
Control Plane 447
Configuring Centralized Control Plane High Availability 449
Opening and Viewing the CPc Manager 450
Managing the Centralized Control Plane Server in Linux 462

Setting Up the Centralized Control

Plane
l For Windows operating systems, in the fnm.properties file, add this property and
set it to true: com.adva.nlms.mediation.sm.prov.ni.controller
For information about how to edit properties in the fnm.properties file, see Editing
the fnm.properties File. For an overview of all properties, see Server Property
Overview.
l For Linux operating systems, see especially Step 6 in Installing Ensemble Controller
in Linux.
l In order for the Centralized Control Plane (CPc) to communicate with the agents,
you need to install a signed certificate for the CPc. To do this, run the script

Ensemble Controller R15.2 Administrator Manual - Issue: A 446

Adtran Managing the Centralized Control Plane

/opt/adva/fsp_nm_ni/ni-install-certificates.sh. Do this step after the ENC is fully

started. The script requires entering ENC and CPc credentials.

After you set up the Centralized Control Plane according to your operating system,
establish a connection to Ensemble Controller; see Configuring a Connection Between
Ensemble Controller and the Centralized Control Plane.

Configuring a Connection Between

Ensemble Controller and the
Centralized Control Plane
Complete these steps to establish a connection to the Centralized Control Plane (CPc)
and then access the CPc Manager.

A single CPc can establish and maintain communication sessions with

only one Ensemble Controller.

The CPc Manager manages the CPc, for example, the Manager adds network elements to
or removes elements from the CPc. For information about the CPc Manager, see Opening
and Viewing the CPc Manager.

1. Enable the CPc according to your operating system as described in Setting Up the
Centralized Control Plane.
2. To set other then default credentials for CPc access in the Ensemble Controller
application (step 4), configure them first using script ./ni-change-credentials.sh in
directory /opt/adva/fsp_nm_ni.
3. In the Ensemble Controller application bar Settings, select System, and then
Centralized CP.
4. In the Centralized CP Configuration window, Credentials tab, User Name column,
select the relevant user name.
a. In the ribbon menu, Options area, click Edit.
–or–
In the Credentials Details Pane, click .

Ensemble Controller R15.2 Administrator Manual - Issue: A 447

Adtran Managing the Centralized Control Plane

Complete these fields:

Field Description
User Name User name used in step 2. If you have not used script ./ni-
change-credentials.sh, use default user name: admin.
Password Password used in step 2. If you have not used script ./ni-
change-credentials.sh, use default password: chgme.1a.

b. Click to save, or to cancel.

5. Select the Sessions tab, and then the relevant table entry.
The table includes these columns:

Column Description
Current Whether the Ensemble Controller currently connects to
the CPc:
l true - connected
l false - disconnected

IP address The IP address of the CPc.

Protocol The protocol you want to use to connect to the CPc.
Supported values are:
l HTTP
l HTTPS

Port The port you want to use to connect to the CPc. Default
values are:
l HTTP: 8080
l HTTPS: 9443

Last Response Time The time that the CPc last responded. If the CPc
disconnects from Ensemble Controller, no value
displays.
CPc Controller Version The software version of the CPc.

Ensemble Controller R15.2 Administrator Manual - Issue: A 448

Adtran Managing the Centralized Control Plane

Column Description
Status The connection status between Ensemble Controller
and the CPc. Supported values are:
l OK
l Not Reachable

WebSocket Connection The WebSocket connection status to the CPc.

Supported values are:
l Connected
l Not Connected

a. In the ribbon menu, Options area, click Edit.

-or-
In the CPc Controller Details Pane, click .

Complete the fields:

Field Description
IP address Type the IP address of the CPc.
HTTP protocol Select the protocol you want to use to connect to the CPc. For
details, see Protocol.
Port According to the selected HTTP protocol, type the port you
want to use to connect to the CPc. For details, see Port.

b. Click to save, or to cancel.

Configuring Centralized Control Plane

High Availability
Ensemble Controller supports the Centralized Control Plane (CPc) only with the standard
version of high availability, and in Linux systems.

1. Configure standard high availability for Ensemble Controller in Linux. See

Configuring Standard High Availability in Linux Systems.
2. For each Ensemble Controller server separately, the primary and secondary server:

Ensemble Controller R15.2 Administrator Manual - Issue: A 449

Adtran Managing the Centralized Control Plane

a. Set up the CPc. See Setting Up the Centralized Control Plane.

The primary and secondary server must have a CPc each. Both the
CPc and the relevant server must be co-located on the same
machine.

b. Configure a connection to the CPc. See Configuring a Connection Between

Ensemble Controller and the Centralized Control Plane.

Opening and Viewing the CPc

Manager
The CPc Manager manages the Centralized Control Plane (CPc). For example, the CPc
Manager adds network elements to the CPc or removes them. Complete these steps to
use Ensemble Controller to open the CPc Manager in a web browser.

Requirements to View the CPc Manager 450

Procedure to View the CPc Manager 451
Legacy Links Page 453
Links Page 454
NEs Configuration Page 457
TE Links From CPc Page 459
NEs From CPc Page 461

Requirements to View the CPc Manager

l Configure a connection between Ensemble Controller and the CPc as described in
Configuring a Connection Between Ensemble Controller and the Centralized
Control Plane.
l Set up your network to use SNMPv3 and HTTPS:
o For information about how to configure SNMPv3, see the User Manual,

Managing SNMP Profiles.

o For information about how to configure HTTPS, see the User Manual,
Configuring REST, HTTP, or HTTPS on Network Level.

Ensemble Controller R15.2 Administrator Manual - Issue: A 450

Adtran Managing the Centralized Control Plane

Procedure to View the CPc Manager

1. In the Ensemble Controller tree pane Networks tab, right-click a relevant
FSP 3000R7 network element or a network that contains FSP 3000R7 network
elements.
2. From the menu, select CPc Manager.
3. If a message related to the website security certificate displays, click Details, and
then Go on to the webpage even though it states (Not recommended).

The login window opens.

4. In the ENC Admin User Name field, type the user name that you use to log in to
Ensemble Controller.

If Ensemble Controller uses RADIUS authentication, use a local account

to log in to CPc Manager.

5. In the Password field, type the password that you use to log in to Ensemble
Controller.
6. Click Login or Cancel. The CPc Manager window opens:

Ensemble Controller R15.2 Administrator Manual - Issue: A 451

Adtran Managing the Centralized Control Plane

Table 16: CPc Manager – Main Menu Options

Link to More
Option Description
Information
Legacy Links Lists these types of links: Legacy Links Page
l Links from the Ensemble Controller
database that you can migrate to the
network elements.
l Links where you can use SNMP to
create logical-interface control-plane
(LIF-CP) objects on the network
elements that have corresponding TE
links in the CPc.

Links that are based on link-configuration

objects (LCOs) do not display in this table.
Also use this page to migrate links to the
network elements.
Links List links that are based on link Links Page
configuration objects (LCO) from the
Ensemble Controller database and the CPc.
Links that have end-point types other than
optical links (Ols) do not display in this
table.
Also use this page to migrate links from
Ensemble Controller to the CPc, or to
delete them.

Ensemble Controller R15.2 Administrator Manual - Issue: A 452

Adtran Managing the Centralized Control Plane

Table 16: CPc Manager – Main Menu Options

Link to More
Option Description
Information
NEs Lists the network elements from the NEs Configuration
Configuration selected network. The Ensemble Controller Page
database contains these network elements.
You can also use this page to configure
certain attributes on the network element
in one step, to add more network elements
to the CPc, or to remove them.
TE Links From Lists the traffic-engineering links that the TE Links From CPc
CPc CPc retains. Page
NEs From CPc Lists the network elements that the CPc NEs From CPc Page
manages. You can remove network
elements from the CPc here.
Home Click to return to the welcome screen.
Logout Click to close the CPc Manager.

When you click an option, a tooltip with information about that page displays.

Legacy Links Page

After you select Legacy Links, the Migrate Links to NEs table opens and lists:
l Links from the Ensemble Controller database that can be migrated to the network
elements.
l Links where logical-interface control-plane (LIF-CP) objects are created using
SNMP on the network elements, with corresponding TE links in the Centralized
Control Plane (CPc).

Links that are based on link-configuration objects (LCOs) do not display in this table.

To migrate links to the network elements, in the first column, select the links you want to
migrate, and then click Migrate.

The Migrate Links to NEs table includes these columns:

Ensemble Controller R15.2 Administrator Manual - Issue: A 453

Adtran Managing the Centralized Control Plane

Column Description
Link ID The link ID.
Link Name The link name.
Source NE Identifier The name of the starting network element.
Source NE IP The IP address of the starting network element.
Source CPc Agent The CPc agent status, either enabled or disabled, of the
starting network element. If enabled, you can add the
network element and the CPc can manage it.
Source Endpoint The link end point at the starting point.
Source Connected The module type that connects through the fiber map to the
Module Type link end point at the starting point.
Source Endpoint Type The link-end point type at the starting point.
Destination NE Identifier The name of the ending network element.
Destination NE IP The IP address of the ending network element.
Destination CPc Agent The CPc agent status, either enabled or disabled, of the
ending network element. If enabled, you can add the
network element, and the CPc can manage it.
Destination Endpoint The link end point at the ending point.
Destination Connected The module type that connects using the fiber map to the
Module Type link end point at the ending point.
Destination Endpoint The link-end point type at the ending point.
Type
CPc Migration State The status of the migration process of the links.
CPc Migration Case The end point types of the link with details about any
migration results.

Links Page
After you select Links, the Links from Ensemble Controller table opens and lists links that
are based on link-configuration objects (LCO) from the Ensemble Controller database
and the Centralized Control Plane (CPc).

Links that have end point types other than OLs (optical links) do not display in this table.

Ensemble Controller R15.2 Administrator Manual - Issue: A 454

Adtran Managing the Centralized Control Plane

For information about how to migrate links to or delete them from the CPc, see
Migrating Links to the Centralized Control Plane or Deleting Them.

The Links from Ensemble Controller table includes these columns:

Column Description
Migration State The status of the link migration process:
l Local: The link resides in the Ensemble Controller
database and is not yet migrated.
l Synchronized: The link is successfully migrated to the CPc
and the link values are the same for Ensemble Controller
and the CPc.
l Failed: An interim value resulting from a failure to
migrate a link. If you refresh or reopen the page, then
this value is replaced with Out of Sync.
l Out of Sync: The link exists in both Ensemble Controller
and the CPc but:
o The values are not identical.

–or–
o An attempt to update the link in the CPc failed.

–or–
o A link-configuration object (LCO) is updated or
deleted using CLI in the CPc.
o A TE link and corresponding LCOs exist in the CPc.
You created a corresponding link in Ensemble
Controller, but you have not yet migrated it to the
CPc.

Link ID The link ID.

Link Name The link name.
Source NE Identifier The name of the starting network element.
Source NE IP The IP address of the starting network element.
Source Endpoint The link end point at the starting point.
Source Connected The module type that connects through the fiber map to the
Module Type link end point at the starting point.

Ensemble Controller R15.2 Administrator Manual - Issue: A 455

Adtran Managing the Centralized Control Plane

Column Description
Source Endpoint Type The link-end point type at the starting point.
Destination NE Identifier The name of the ending network element.
Destination NE IP The IP address of the ending network element.
Destination Endpoint The link end point at the ending point.
Destination Connected The module type that connects using the fiber map to the
Module Type link end point at the ending point.
Destination Endpoint The link-end point type at the ending point.
Type
TE Metric The link metric that the CPc needs to allow routing
preferences. The default value is 10, which is set for existing
and newly created links, unless you changed it. The value
ranges from 1 to 10,000.
Shared Risk Link Group The CPc uses this value depending on the needs and design.
By default, this value is not set (empty field). The value
ranges from 1 to 255.

Migrating Links to the Centralized Control Plane or

Deleting Them
Complete this procedure to migrate links that are based on link-configuration objects
(LCO) to the Centralized Control Plane (CPc), and also to delete them.

Requirements to Migrate Links

l You created links in Ensemble Controller between network elements that the CPc
manages.
o For information about how to create links in Ensemble Controller, see the

User Manual, Creating or Deleting Links Between Network Elements.

o To have the CPc manage network elements, you must add them as described
in Configure & Add Node To CPc.

Procedure to Migrate Links

1. To migrate links, in the Links Page, Links from Ensemble Controller table, first
column, select the links you want to migrate, and then click Migrate.

Ensemble Controller R15.2 Administrator Manual - Issue: A 456

Adtran Managing the Centralized Control Plane

2. To delete links, in the first column, select the links you want to delete, and then click
Delete.

Result messages for this action appear in the Links page, and also in the Ensemble
Controller message pane.

NEs Configuration Page

After you select NEs Configuration, a table opens that lists the network elements from
the selected network and those that the Ensemble Controller database contains.

Table Description 457

Action Controls 458

Table Description
Column Description
ID The CPc Manager internal identifier.
NE Identifier The identifier of the network element.
NE IP The IP address of the network element.
NE Type The network element type.
Mib Variant The variant of the management information base (MIB).
CP Enable State The control plane status, either True or False.
Node Name Syntax A name syntax of the network element. Supported values are IP or
TID.
l For FSP 3000R7 network elements that run software version
18.1.1, only IP is supported and displayed in this column.
l For software version 18.1.2 and higher, IP and TID (system
identifier) are supported.

CP_WDM True or False.

CP_OTN True or False.
LIF_CP Auto- True or False.
Creation
CPc Agent True or False. If True, then the Centralized Control Plane (CPc) can
manage the network element.

Ensemble Controller R15.2 Administrator Manual - Issue: A 457

Adtran Managing the Centralized Control Plane

Column Description
Web Interface True or False.
Managed by CPc True or False. If True, then the CPc can manage the network
Controller element.
Polling State l Not scheduled: Migration polling is not scheduled or is not
running for this network element.
l Scheduled: Migration polling is scheduled for this network
element.
l Running: Migration polling is currently running on this network
element.

First Sync Time The time when the network element was added to the CPc.
Last Sync Time The time when the last synchronization occurred.
CPc ID The identifier of the network element in the CPc.
Connection to CPc The state of the connection between the CPc and the network
State element (CPc agent).

Action Controls
The NEs Configuration page includes these action controls:

Ensemble Controller R15.2 Administrator Manual - Issue: A 458

Adtran Managing the Centralized Control Plane

Action Control Description

Discover Topology Click to discover links without the need to scan the entire
topology.
Configure & Add Node 1. In the NEs Configuration table, select the relevant
To CPc network elements that you want to configure and add
them to the CPc.
2. Click Configure & Add Node To CPc.
The software configures the attributes in one step on the
selected network element. The software:
l Enables the CPc (see the column CP Enable State).

l Enables the Web Interface.

l Creates the CP_WDM object.
l Creates the CP_OTN object.
l Changes the Node Name Syntax to IP.
l Enables the CPc Agent.

3. To visualize which network elements the CPc manages, in

the Ensemble Controller User Settings, set the CPc icon to
show; see the User Manual, General Settings for
information.

Remove Node From 1. From the NEs Configuration table, select the relevant
CPc network elements that you want to remove from the CPc.
2. Click Remove Node From CPc.
The software removes the selected network element from
the CPc. The CPc Agent attribute on the network element
remains unchanged.
Sync Connection State Click to synchronize the connection state between the network
element and the CPc.
Refresh Click to reload the page with new data.

TE Links From CPc Page

After links successfully migrate, you can select the main menu option TE Links From CPc.
A table displays that lists the traffic engineering links stored in the Centralized Control
Plane (CPc).

The table includes these columns:

Ensemble Controller R15.2 Administrator Manual - Issue: A 459

Adtran Managing the Centralized Control Plane

Columns Description
Address Type The type of traffic-engineering link address, either Unnumbered or
Numbered traffic engineering.
l An unnumbered traffic-engineering link address contains the
parent router IP and a unique number, usually referred to as link ID,
for example, 192.168.1.1:10001.
l A numbered traffic-engineering link address contains only an IP
address, for example, 10.1.1.1.

Router ID The parent router address that the traffic-engineering link is attached
to.
Peer Router ID The peer router address of the traffic engineering link, which is the
router that the traffic-engineering link points to.
Link ID The node-scope identifier, if it is an unnumbered link.
Peer Link ID The node-scope identifier of a peer, unnumbered link.
Physical Link ID The identifier of the physical termination point that the traffic-
engineering link is attached to. For example, for WDM-layer traffic-
engineering links, the physical link ID refers to OL.
SRLC The shared-risk link color (SRLC) is a network-scope unique number
that the CPc assigns to a pair of synchronized traffic-engineering links.
The value is stored in one of the traffic-engineering links within the
pair. You can use SRLC to determine whether two paths do not contain
common intersections, for example.
Peer SRLC The SRLC value assigned to the peer of the applicable traffic-
engineering link.
TE Metric The cost of a traffic-engineering link for a path computation engine.
Layer The layer network that the traffic-engineering link belongs to. You can
consider certain traffic-engineering links as links in a WDM or TDM
(OTN) layer. The layer determines:
l The type of resources that the link advertises.
l The physical termination points that the links can attach to.

Synchronized Whether the traffic-engineering link is synchronized, either true or

false. You can consider the traffic-engineering link as being
synchronized if its peer traffic-engineering link exists in the traffic-
engineering topology database.

Ensemble Controller R15.2 Administrator Manual - Issue: A 460

Adtran Managing the Centralized Control Plane

Columns Description
OSC Status The operational status of related OSC channels for WDM-layer traffic-
engineering links. Supported values are:
l Unknown: No OSC.
l Down: The OSC has an alarm.
l Up: The OSC is operable.

DP Status The summarized operational status of the data plane for WDM-layer
traffic-engineering links. Supported values are:
l Unknown: The system cannot determine the data plane.
l Down: All data-plane connections are down.
l Up: The data plane is operable.

If this window has many pages, use this page navigator to change pages:

NEs From CPc Page

After you select NEs From CPc, a table displays and lists network elements that
successfully migrated and are added to the Centralized Control Plane (CPc).

The table includes these columns:

Column Description
CPc URI The uniform resource identifier of the network element in the CPc.
CPc ID The identification of the network element in the CPc database.

Ensemble Controller R15.2 Administrator Manual - Issue: A 461

Adtran Managing the Centralized Control Plane

Column Description
NE ID The identification of the network element in the Ensemble Controller
database. If no value displays, the network element does not exist in the
Ensemble Controller database.
To remove network elements from the CPc that are not in the Ensemble
Controller database, in the first column of the table, select it, and then
click Remove Node From CPc.
Connection The connection state between network elements and the CPc.
Status

If this window has many pages, use this page navigator to change pages:

Managing the Centralized Control

Plane Server in Linux
You can manually manage the Centralized Control Plane (CPc) server by changing to the
root account or user which belongs to docker group, and then running the ./ni-ctl.sh
script located in the directory /opt/adva/fsp_nm_ni.

The software logs any action in a file stored in the directory

/var/lib/docker/volumes/ni_ni-logs/_data/adva-ni/.

For information about uninstalling the CPc server, see Uninstalling Linux Applications.
More actions to maintain the CPc server are described in these topics:

Upgrading the Centralized Control Plane Server 463

Backing Up the Control Plane Database 463
Restoring the Centralized Control Plane Database 465

Ensemble Controller R15.2 Administrator Manual - Issue: A 462

Adtran Managing the Centralized Control Plane

Centralized Control Plane Server Health Check 466

Upgrading the Centralized Control Plane Server

If the Centralized Control Plane (CPc) server is enabled, follow the standard Ensemble
Controller upgrade procedure. These steps also automatically upgrade the CPc server.
This procedure applies to both the common installation variant (Ensemble Controller
AND CPc server) and the standalone variant (only CPc server).

For information about how to enable the CPc server, see Setting Up the Centralized
Control Plane.

For information about how to upgrade the Ensemble Controller, see Upgrading Ensemble
Controller in Linux.

Backing Up the Control Plane Database

If the Centralized Control Plane (CPc) server is enabled, follow the standard options to
back up the Ensemble Controller database, which automatically back up the CPc server.
This procedure applies to both the common installation variant (Ensemble Controller
AND CPc database) and the standalone variant (CPc database only).

For information about how to enable the CPc server, see Setting Up the Centralized
Control Plane.

Choose from these options to back up Ensemble Controller and the CPc database:
l The recurring Database Backup action that you configure in Ensemble Controller
initiates regular backups. For information about how to configure recurring
actions, see the Ensemble Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup, you
can create immediate backups. For more information about how to start an
immediate backup, see Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.

Ensemble Controller R15.2 Administrator Manual - Issue: A 463

Adtran Managing the Centralized Control Plane

If you use the NMSAdmin script to back up the database, the process
does not account for the number of backup files that you can create.
That is, if this process exceeds the number of backup files that you
specified in the fnm.properties file, the software does not
automatically delete the old backup files. You have to delete them
manually.
For information about how to set the allowed number of backup files
that can be created, see Setting the Number of Database Backup Files
Allowed to be Created.

For additional information about database backup, see Updating Ensemble Controller
Database Information.

Backup File Storage 464

Backup Operation Notifications 464

Backup File Storage

If the database backup is successful, the process creates relevant files including the
binary backup package dbfnm_NM_NI.tar.gz. This file contains both Ensemble Controller
and Control Plane server backup files. If the Control Plane database backup fails, the
process does not create the binary backup package.

The Ensemble Controller installation directory stores the binary backup package
/var/db.backup. You will need this package later to restore the database.

For information about database restore, see Restoring the Centralized Control Plane
Database.

Backup Operation Notifications

You can view any backup operation in the Ensemble Controller message pane, including
notifications in the Events tab.
The message pane and Events tab is described in the User Manual.

Ensemble Controller R15.2 Administrator Manual - Issue: A 464

Adtran Managing the Centralized Control Plane

Restoring the Centralized Control Plane

Database
If the Centralized Control Plane (CPc) server is enabled, complete the standard Ensemble
Controller restore steps and consider the Requirements to Restore the CPc Database in
this chapter. This restore procedure also automatically restores the CPc database. The
restore procedure applies to both the common installation variant (Ensemble Controller
AND the CPc database) and the standalone variant (only the CPc database).

For information about how to enable the CPc server, see Setting Up the Centralized
Control Plane.

For information about how to restore the Ensemble Controller database, see Restoring
the Ensemble Controller Database.

Requirements to Restore the CPc Database 465

Procedure to Restore the CPc Database 465

Requirements to Restore the CPc Database

l Ensure that the CPc backup database file that you want to restore (dbni.tgz by
default) resides in the Ensemble Controller installation directory var/db.backup.
Also verify that the backup database file is in the binary backup package dbfnm_
NM_NI.tar.gz. For information about the binary backup package, see Backup File
Storage.
l To restore the CPc database, including the Ensemble Controller database, instead
of RestoreDB, use the NMSAdmin script and complete these steps. The RestoreDB
script restores only the Ensemble Controller database.

Procedure to Restore the CPc Database

1. Shut down the Ensemble Controller Server. See Stopping the Ensemble Controller
Server.
2. Change to the root account, and then run the NMSAdmin script.
3. Type [L] - Restore Database Backup.
4. Wait for the process to finish.
5. After the restore process completes, start the Ensemble Controller Server. See
Starting the Ensemble Controller Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 465

Adtran Managing the Centralized Control Plane

Centralized Control Plane Server Health Check

To analyze and troubleshoot Centralized Control Plane (CPc) server problems, you can
verify the condition of the server health by either running scripts or by viewing the
Ensemble Controller (ENC) client graphical user interface (GUI). The health-check report
collects CPc server data, for example, debug data, logs, traces, component status, and so
on.

Health Check Using Scripts 466

Health Check Using the Ensemble Controller GUI 466

Health Check Using Scripts

The script you use depends on how you installed the CPc server.

Change to the root account, and then:

l If you installed the CPc server as a standalone version, run the ni-sdp.sh script
located in the directory /opt/adva/fsp_nm_ni/.
l If you installed the CPc server using Ensemble Controller, run the healthcheck_
nms.sh scipt located in the directory /opt/adva/fsp_nm/bin/.
–or–
You can run the NMSAdmin script, and then select [H] - System Health Report.

Health Check Using the Ensemble Controller GUI

If the CPc server is enabled, complete the standard Ensemble Controller steps for
Creating a System Health Report.

For information about how to enable the CPc server, see Setting Up the Centralized
Control Plane.

Ensemble Controller R15.2 Administrator Manual - Issue: A 466

Adtran Troubleshooting

Chapter 6

Troubleshooting
This chapter describes how to troubleshoot Ensemble Controller.

Purpose 467
Assumptions 467
Terms 468
Preparation 469
Tools of the Trade 470
Troubleshooting Steps 470
Resolving Installation Issues 471
Resolving Start-up Issues 477
Resolving Access Issues 487
Resolving Normal Operations Issues 493

Purpose
The purpose of this chapter is to provide a guide to troubleshooting the Ensemble
Controller. While it cannot cover every possible error or problem, it covers enough
ground to be able to resolve approximately 80% of all known issues which can occur with
the Ensemble Controller. Issues that are related to a special software version are not
discussed as most of them are fixed in the successor version.

Assumptions
This document assumes these conditions:

Ensemble Controller R15.2 Administrator Manual - Issue: A 467

Adtran Troubleshooting

l You are trained on Ensemble Controller and the Element Manager, and you know
what the software does.
l You are trained on at least one FSP product.
l You have access to Ensemble Controller and Element Manager documentation
(User Manual, Release Notes, and Compatibility Matrix).
l You know IP and SNMP.
l You have basic knowledge of optics and WDM.
l You have a network plan containing the IP addresses of the network elements and
paths of the service connections.
l The network element configuration and the software versions installed on the
network elements are documented.
l You are familiar with NEMI software.
l You know the user names and passwords to access the NEMI, the Ensemble
Controller and Element Manager Software.
l All components are using the most current version of software. If not, you need to
have access to the Adtran website, often referred to as the Partner Login, and be
able to download the current version. Please see “Determining NEMI NE Software
Revision Level” for further assistance.
l All units can be powered on.

Terms
Throughout the document the term Adtran Management Software is used for the
Ensemble Controller and the FSP xxxx Element Managers. FSP xxxx Element Manager
stands for FSP 150 and FSP 1500 Element Manager. Ensemble Controller is available for
Windows and Linux.

These terms are used in that document:

ENC Ensemble Controller

EM Element Manager
NE Network Element
NMS Network Management Station

Ensemble Controller R15.2 Administrator Manual - Issue: A 468

Adtran Troubleshooting

Preparation
Before you begin to troubleshoot the Management Software or any given installation, it
is important to prepare for the task beforehand. These are some basic steps that you
should take, before you continue to troubleshoot a problem or issue.

Discussing the Management-Software Products Ensemble Controller and

FSP Element Manager 469
Discussing the Network Configuration 469
Clearly Defining the Issue That You Try to Resolve 470

Discussing the Management-Software Products

Ensemble Controller and FSP Element Manager
Even with the best documentation, it is pointless to attempt to troubleshoot issues with a
product, with which you are not familiar. At the very least you should have attended
product training for the product that included the management software. If you know
nothing about management software, you should seriously question whether or not you
should be attempting to resolve issues with these products.

Discussing the Network Configuration

You cannot troubleshoot a configuration with which you are not familiar. To solve
management issues, you require knowledge about the management and the optical
network. A very key part of this is to have a map of the management network containing
information about the IP addresses of the network elements, about the SNMP
communities and the topology. You can connect network elements to the management
through:
l Ethernet
l OSC
l Serial line

You need to have this information in forehand. To solve problems that are released to the
services running on your network, an “optical” network map and topology is required. In
the Ensemble Controller, you can setup connections between the nodes on port level. So
you have to know, which ports are actually connected through fibers, and which are
protected and unprotected.

Ensemble Controller R15.2 Administrator Manual - Issue: A 469

Adtran Troubleshooting

Clearly Defining the Issue That You Try to

Resolve
Too often, the full description of an issue is “it doesn’t work”. Unfortunately, as
description as vague as this does not shed much light on the issue. A clear description of
which aspect of the equipment functions are not correctly operating as well as an
understanding of how to recognize and test a working configuration, is essential to the
timely resolution of any problem.

Determine the tools you will likely need to resolve the issue, before you begin your work.
It is a tremendous disappointment to drive 100 kilometers to an installation location and
find that you do not have the appropriate tools to do the job. However, people do this
every day. The standard resolution to this issue is to create a kit that has every
conceivable tool that could be used and keep it with you at all times. The only difficulty
with this solution is that much of the equipment associated with optics is rather
expensive and thus, can need to be shared amongst a variety of individuals.

Tools of the Trade

In any technical profession, there are certain tools that should be on hand at all times.
Most of the tools needed to troubleshoot network manage issues are already on the
customer side. The customer runs a network management station that has the
management software installed. Software utilities for network management like ping,
traceroute, a MIB Browser are standard on a management station. Even so you should
carry a laptop with you with these installations:
l MIB Browser
A MIB browser like MG Soft shall be installed on your computer. It helps you
checking the MIB variables.
l Adtran Management Software
You should have installed the latest version of the Ensemble Controller and the
FSP xxx Element Managers.

Troubleshooting Steps
Complete these steps to troubleshoot Ensemble Controller issues.

These steps do NOT include the most intuitive aspects of any installation, such as
monitoring alarms or adding a new subnetwork. It also does not discuss issues external

Ensemble Controller R15.2 Administrator Manual - Issue: A 470

Adtran Troubleshooting

to Ensemble Controller, such as issues with operating systems, for example Windows or
Linux, and so on.
l Is the issue associated with a management-software installation?
If yes, go to Resolving Installation Issues.
l Does a problem appear during the software start-up?
If yes, go to Resolving Start-up Issues .
l Do you have network-access problems?
If yes, go to Resolving Access Issues.
l Do you have problems during normal operations?
If yes, go to Resolving Normal Operations Issues .

Resolving Installation Issues

This section addresses issues that might occur during the installation of Ensemble
Controller.

Inform yourself about the operating system and the Ensemble Controller version.

Verify the installation requirements of Ensemble Controller against the processor power,
available memory, and the free disk capacity of the system.

The installation of Ensemble Controller requires local administrator privileges on the

system.

Cannot install Ensemble Controller. 471

The Ensemble Controller installation fails with an error message. 472
Updating the Ensemble Controller Client Launcher 473

For more troubleshooting steps regarding installation, see Troubleshooting Client

Download Errors. Otherwise, return to Troubleshooting Steps.

Cannot install Ensemble Controller.

Cause: The management machine does not meet the software installation
requirements, or you do not have sufficient privileges.

Ensemble Controller R15.2 Administrator Manual - Issue: A 471

Adtran Troubleshooting

Solution: 1. Verify the installation instructions. You might have to uninstall the
existing software before you install the new software version.
2. Make sure the Ensemble Controller Server has the required processor
power, the memory, and the free hard disk capacity specified in the
Release Notes of the Adtran management software.
3. Make sure that you have full administrator or power-user privileges on
the Windows Ensemble Controller Server.
4. On the Linux Ensemble Controller Server, you must have root permission
to install the Adtran management software.
5. In some rare cases, you might need to delete the complete Ensemble
Controller installation directory after you uninstall the previous Ensemble
Controller version. Back up the Ensemble Controller database before you
delete the complete Ensemble Controller installation directory.

The Ensemble Controller installation fails with an

error message.
Cause: You have not properly removed the previous Ensemble Controller version
from the Ensemble Controller Server in your Windows system.
Solution: To verify that Ensemble Controller completely uninstalled from the
Windows Ensemble Controller Server, click Start > Settings > Control
Panel > Add/Remove Software. If you see Ensemble Controller in the list,
uninstall it. If Ensemble Controller is not in the list, proceed with these steps:
1. Launch the Windows Registry Editor.
2. Delete all these entries:
l HKEY_LOCAL-
Machine\Software\Microsoft\Windows\CurrentVersion\
Uninstall\{55C56D...}
l HKEY_LOCAL-
Machine\Software\ADVA Optical
Networking\FSP Network Manager
NOTE: For a 64-bit Windows operating system, this key is located
in: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adva
Optical Networking\FSP Network Manager

3. Install the new Ensemble Controller version.

Ensemble Controller R15.2 Administrator Manual - Issue: A 472

Adtran Troubleshooting

Updating the Ensemble Controller Client

Launcher
You use the Ensemble Controller Client launcher to download different graphical user
interface (GUI) versions and to start these versions depending on the server version.

Complete this procedure to update the client launcher.

Requirement to Update the Client Launcher 473

Procedure to Update the Client Launcher 473

Requirement to Update the Client Launcher

l Somebody requested from you to update the client launcher, or the Release Notes
state it.
l Your current Ensemble Controller installation is a client-only installation.
o If yes, start this procedure with Step 4 and skip the first 3 steps.

o If no, complete this procedure from the beginning.

Procedure to Update the Client Launcher

Obtaining a Client-Only Installation
1. Install the Ensemble Controller as described from Step 1 to Step 5 in the section
Installing Ensemble Controller in Windows.

Ensemble Controller R15.2 Administrator Manual - Issue: A 473

Adtran Troubleshooting

2. In the Choose Install Set window, clear ENC Server.

Only ENC Client is selected now:

3. Follow the installation wizard as described from Step 9 in the section Installing
Ensemble Controller in Windows.

Updating the Client Launcher

4. Download the relevant version of the Ensemble Controller installation package to
which you wish to update the client launcher.
5. Double-click the EXE application file of this installation package that you have just
downloaded.
The InstallAnywhere window appears. A status bar indicates progress while the
system starts the installation wizard:

Ensemble Controller R15.2 Administrator Manual - Issue: A 474

Adtran Troubleshooting

6. Click Next to continue. The Choose Install Set window opens:

7. Stay with the settings as displayed that is, only ENC Client is selected, and then click
Install.
A status bar and status messages indicate progress. The upgrade continues as
illustrated:

Ensemble Controller R15.2 Administrator Manual - Issue: A 475

Adtran Troubleshooting

8. Click Next.
After the upgrade completes, the Installation Complete window displays:

9. Click Done to complete the procedure.

Ensemble Controller R15.2 Administrator Manual - Issue: A 476

Adtran Troubleshooting

Resolving Start-up Issues

This section addresses issues that might happen while launching the Ensemble Controller
Server or the client.

Ensemble Controller does not start without an error message. 477

The Ensemble Controller Server SNMP Forwarder does not start. 478
The Ensemble Controller Server Mediation Server does not start. 478
Cannot launch the Element Manager Using Ensemble Controller. 479
External event logging does not start. 479
Ensemble Controller Server Connectivity 480
SNMP Connectivity Test 481
Unable to start or stop the Ensemble Controller Server without an error
message. 482
Ensemble Controller Server processes do not start after server restart or
crash. 483
The Ensemble Controller Server does not start after Linux restarts. 484
Linux stops with the error message: "No buffer space available." 484
Open-file limit is too low for the Ensemble Controller Server process in
Linux 485
Cannot launch the Ensemble Controller Client. 485
Problem to start the Ensemble Controller Client 485
Irrelevant error message that Mediation Server could not start 486
Unable to launch the Ensemble Controller Client after download and
upgrade to 12.1.1 487

Return to Troubleshooting Steps.

Ensemble Controller does not start without an

error message.
Issue: The system performance is too low.
Solution: Make sure the Ensemble Controller Server has the required processor power,
the memory and the free hard disk capacity. For more details, see the
Release Notes of the Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 477

Adtran Troubleshooting

The Ensemble Controller Server SNMP Forwarder

does not start.
Issue: Windows: SNMP Forwarder does not start.
Linux: SNMP Forwarder does not exist in the list when the issue occurs.
Cause: l The SNMP Forwarder service is by default disabled, and thus it does not
start automatically.
–or–
l You enabled the SNMP Forwarder service but still, it does not start. The
SNMP Forwarder listens to TCP and UDP port 2545 by default. A reason
why the SNMP Forwarder could fail is because another application
process occupies the TCP port 2545. If the UDP port 2545 is occupied, it
will not receive forwarded traps from the Ensemble Controller Server.
Solution: l Enable the SNMP Forwarder service. See Element Manager.
–or–
l Exit the application that also uses the port 2545, and then restart the
Ensemble Controller Server.
Note: You can verify whether the port 2545 is in use with these
commands for your system:
o Windows: netstat -p udp -an

o Linux: netstat -a | grep 2545

The Ensemble Controller Server Mediation Server

does not start.
Issue: Linux: The Xmx3000M (Mediation Server) SNMP Forwarder does not exist in
the list when the issue occurs.
Solution: 1. Restart the Mediation Server.
2. If that does not help, restart the Ensemble Controller Server.
3. If both fails, contact Adtran Technical Services.

Ensemble Controller R15.2 Administrator Manual - Issue: A 478

Adtran Troubleshooting

Cannot launch the Element Manager Using

Ensemble Controller.
Issue: l You have not enabled the SNMP Forwarder service, which is disabled
by default. The Element Manager requires this service to run.
l A common issue is that the SNMP response time is too low.
l You have not installed the Element Manager that comes with the
Ensemble Controller software package.
l The IP connectivity is bad.
l The firewall blocks port 2545 for the Element Manager.

Solution: 1. From the Ensemble Controller application bar Settings menu, select
Configuration, and then SNMP Profiles Manager.

2. Select the profile that this network element uses, and then in the
Timeout / [sec] field, adapt the timeout value.

3. Log into the network element by using telnet, and then launch the
craft interface.

4. Go to SNMP Configuration and load the correct MIB.

5. Run the Ensemble Controller installation software on the machine

where you want to launch the Element Manager.

6. Contact your network administrator to request to verify the network

connectivity.

7. Enable the SNMP Forwarder service. See Element Manager.

8. Unblock the port 2545 on the firewall that is located between the
Ensemble Controller Server and Client.

External event logging does not start.

Issue: You have not enabled logging to the external file eventlog.csv.
Solution: 1. Go to the Ensemble Controller installation directory.

Ensemble Controller R15.2 Administrator Manual - Issue: A 479

Adtran Troubleshooting

2. Open the log4j2.xml file, and then identify this section:

3. Change the level attribute value to on:

4. Restart the Ensemble Controller Server.

By default, Ensemble Controller writes the logs to a ring of 10 files each the size of 1 MB.
After Ensemble Controller writes the last file, the log again begins to write to the first file
and overwrites all information in that file. For this setting to take effect, you must restart
the Ensemble Controller Server.

Ensemble Controller Server Connectivity

After the system accepts the login, it tries to connect to the Mediation Server. If the
connection fails, the system raises one of these error messages:

Cannot find the specified host name 480

Ensemble Controller Server could be down or is not responding 480
Cannot connect to the Ensemble Controller Server: xyz 481

Cannot find the specified host name

The specified name cannot be resolved to an address. It is either incorrect or the name
server configuration on the local system is incorrect.

Ensemble Controller Server could be down or is not

responding
Although firewalls can actively reject connection attempts as well as just dropping
packets, the most likely reason is that the specified host could be reached but refused the
connection because the Mediation Server is not running or is using a different port
(default 8443).

Ensemble Controller R15.2 Administrator Manual - Issue: A 480

Adtran Troubleshooting

Cannot connect to the Ensemble Controller Server: xyz

Possible reasons include an incorrect address, missing or incorrectly configured routes on
the involved systems, broken physical links, firewall dropping packets, or a server system
that disconnected or switched off.

After the system connects to the Mediation Server, it attempts to contact the JMS broker.
If this test encounters a problem, an error message displays:

The specified host could be reached but refused the connection because the JMS broker
is not running, is using a different port (default 33028) or the port is blocked by a firewall.

SNMP Connectivity Test

The Element Manager embedded in Ensemble Controller to manage FSP 1500 devices
needs to communicate with the SNMP Forwarder server. If this is not possible, the
Element Manager blocks.

This test verifies whether the Element Manager can reach the server and informs about
any existing problems. If a problem exists, you can start the Element Manager anyway or
cancel the request. The system tries to perform the test sequence as follows:

1. Obtain the configured host name and ports.

2. Establish a TCP connection.
3. Close the connection.

If everything works, the Element Manager starts.

Ensemble Controller R15.2 Administrator Manual - Issue: A 481

Adtran Troubleshooting

If the name cannot be resolved that is, there is either a frontend or a DNS configuration
problem, this message displays:

If a connection is actively refused, the most likely reason is that the server is not running
or is not using the configured port, although a firewall also could reject connections. This
message displays:

In all other cases, a blocked port is the most likely reason. Other problems, such as
missing routes, or the host being down, are less likely because the frontend is able to talk
to the Mediation Server. This message displays:

Unable to start or stop the Ensemble Controller

Server without an error message.
Issue: If you run either of these commands, the system generates an error:
l ENC Installation Directory\bin > StartServer.bat
l ENC Installation Directory\bin > StopServer.bat

Ensemble Controller R15.2 Administrator Manual - Issue: A 482

Adtran Troubleshooting

The same error also appears if you click either of these options:
l

An example error message is shown here:

Input Error: There is no script engine for file extension ".vbs".
Shutting down Ensemble Controller Server...
System error 5 has occurred.
Access is denied.

Solution: NOTE:

You have to be a member of the administrator group to start or stop the

server.
If the VBScript module is not registered correctly or the VBS file class
settings are broken, the error occurs when you run cscript. To fix the
problem, install Windows Script 5.7 for Windows 2003 from Microsoft to
allow the admin to verify the code.
Use this link for the Windows 2003 Window Script 5.7 software:
http://www.microsoft.com/downloads/en/confirmation.aspx?
displaylang=en&FamilyID=f00cb8c0-32e9-411d-a896-f2cd5ef21eb4
Use this link for Windows XP or Windows 2000 Window Script 5.6 software:
http://www.microsoft.com/downloads/en/confirmation.aspx?
FamilyID=47809025-D896-482E-A0D6-524E7E844D81

Ensemble Controller Server processes do not

start after server restart or crash.
Issue: You rebooted your Windows or Linux system before the PostgresSQL server
was able to terminate its shutdown process. That is, the PostgresSQL process
prevents the system from starting properly.
Cause: The reason for that is, the Postgres database writes a control file to prevent a
second postgres instance from running on the same server. This control file
is deleted if you shut down the PostgresSQL server. If the PostgresSQL
shutdown process is disrupted, for example if you restart the system, before
the control file is deleted, the server cannot restart as long as this file exists.

Ensemble Controller R15.2 Administrator Manual - Issue: A 483

Adtran Troubleshooting

Solution: Delete the postmaster.pid file located in the Ensemble Controller

installation directory ...\postgres\data, and then restart your system.

The Ensemble Controller Server does not start

after Linux restarts.
Cause: The runlevel of the Linux server is not set to the required level.
Solution: Complete either of these options in your Linux system:
l In the /etc/inittab file, change the runlevel value to 3, and then
restart.
–or–
l Copy the S96postgres file and the S98fnm.server file from /etc/rc3.d
to /etc/rc5.d/.

Linux stops with the error message: "No buffer

space available."
Cause: If Linux discovers network elements, it uses the local address resolution
protocol (ARP) for processing purposes. If it discovers a large number of
network elements, for example 10,000 network elements, the ARP table
stores many entries respectively, and thus is likely to exceed the upper
threshold of 1,024 entries. This results in the No buffer space available
error message.
Solution: Increase the ARP table threshold ("lookup") number to 32,768 in these files,
and then restart your Linux system:
l /proc/sys/net/ipv4/neigh/default/gc_thresh1
l /proc/sys/net/ipv4/neigh/default/gc_thresh2
l /proc/sys/net/ipv4/neigh/default/gc_thresh3

Ensemble Controller R15.2 Administrator Manual - Issue: A 484

Adtran Troubleshooting

Open-file limit is too low for the Ensemble

Controller Server process in Linux
Cause: File descriptors are open while they connect to the network element, and
also when MTOSI is enabled, for example during inventory polling. If
inventory polling takes less than one minute, the file descriptor stays open
and the system generates error messages.
Solution: Increase the open-file limit on the server as described in Installing Ensemble
Controller in Linux.

Cannot launch the Ensemble Controller Client.

Issue: The unzipping of the client files, which happens on a first launch or upon
upgrade, fails for unknown reasons.
Solution: Delete all files and folders in C:\ProgramData\clientupdater.

Problem to start the Ensemble Controller Client

Cause: Insufficient memory to launch client. This error displays:

Solution: Close other applications, and then relaunch the Ensemble Controller Server
and Client.

Ensemble Controller R15.2 Administrator Manual - Issue: A 485

Adtran Troubleshooting

Irrelevant error message that Mediation Server

could not start
Issue: On some Windows computers, you might experience that the Ensemble
Controller Client and Server start successfully. However, the system still
sends a message that it could not start the Mediation Server as this example
shows:
Start_Server
Starting Ensemble Controller Server...
The ADVA: PostgreSQL Server service is starting.
The ADVA: PostgreSQL Server service was started successfully.
The ADVA: JMS Server service is starting.
The ADVA: JMS Server service was started successfully.
The ADVA: SNMP Forwarder service is starting.
The ADVA: SNMP Forwarder service was started successfully.
The ADVA: Mediation Server service is starting.....
The ADVA: Mediation Server service could not be started.
More help is available by typing NET HELPMSG 3523.
Command Failed, please check error(s) messages above.

Solution: Complete the steps provided at

https://support.microsoft.com/en-us/help/922918/a-service-
does-not-start-and-events-7000-and-7011-are-logged-in-window
to add the registry key ServicesPipeTimeout with a value of 120,000
milliseconds to the Registry Editor in these directories:
l Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
l Computer\HKEY_LOCAL_
MACHINE\SYSTEM\CurrentControlSet\Services\advams

Ensemble Controller R15.2 Administrator Manual - Issue: A 486

Adtran Troubleshooting

Unable to launch the Ensemble Controller Client

after download and upgrade to 12.1.1
Issue: If you use an Ensemble Controller Client version before 12.1.1, and you
connect to a 12.1.1 Ensemble Controller Server, a Confirm dialog box opens
that recommends to upgrade your Client to 12.1.1.

After you select Yes, the software downloads and upgrades your Client.
After the upgrade finishes, an Error message displays:

Solution: For all Ensemble Controller Client versions that you want to upgrade to
12.1.1, first complete these steps:
1. Use a text editor to open the launch.properties file that Ensemble
Controller stores in the clientupdater installation directory.
2. In the launch.properties file, search for
-Djava.endorsed.dirs=lib/endorsed, and then delete it. Also remove
any leftover spaces to adjust the line.
3. Log in the Ensemble Controller Client as planned.

Resolving Access Issues

This section addresses connectivity issues between the Network Management Software
and the network.

Cannot ping the network element 488

Cannot configure the network element through the Element Manager 488

Ensemble Controller R15.2 Administrator Manual - Issue: A 487

Adtran Troubleshooting

SNMP timeout occurs while accessing the network element 489

The Ensemble Controller Client cannot connect to the Server 490
The Ensemble Controller Client cannot connect because of incorrect user
name - password pair 491
SNMPv3 communication fails after factory-default reset 491
Centralized Control Plane Cannot Connect to the Network Element on
Server with Two Network Interfaces 492

Return to Troubleshooting Steps.

Cannot ping the network element

Cause: This issue can occur for multiple reasons. It could be related to the hardware
or to the software. Hardware issue like a faulty cable are not discussed in
that document. It is assumed that the hardware and the cabling is setup
properly and works as designed.
l A most common reason is that the IP address or the IP route or default
gateways is not setup correctly in the network element or in the
Ensemble Controller Server.
l Another possibility is that the port for pings (ICMP messages) is blocked
in the network.

Solution: 1. Verify whether the IP configuration of the Ensemble Controller Server

and of the network element is consistent.
2. Verify whether ICMP messages are filtered in the firewall.
3. Verify whether the network element is powered up and ready for service

Cannot configure the network element through

the Element Manager
Cause: You do not have SNMP write access to the network element. These
situations could be the reason:
l SNMP write access is prohibited on the network element. You can verify
the write access settings for a selected network element in the Overview
tab, SNMP Configuration area, Management Settings.

Ensemble Controller R15.2 Administrator Manual - Issue: A 488

Adtran Troubleshooting

l The SNMP write community string in the Ensemble Controller does not
match the community string specified in the network element. In that
case it is not possible to perform SNMP set commands. Nobody has write
access to this network element.
l Your user privileges in the Ensemble Controller are not sufficient to
change parameters on the network element.

Solution: 1. Enable SNMP SET access on the NE for everyone or for a dedicated range
of Ensemble Controller Servers. You can do this through the NE craft
interface in the menu SNMP configuration.
2. Make sure that the write community string of the network element
matches the write community setup in the Element Manager. You can do
this through the network element craft interface in the menu SNMP
configuration.
3. The Element Manager supports users with different privileges so called
roles. Contact the network administrator for more information about
roles.

SNMP timeout occurs while accessing the

network element
You have these options to troubleshoot the issue:

Option 1 – IP Connectivity Bad 489

Option 2 – Improper Handling of Fragmented Packets or MTU Too Small 490

Option 1 – IP Connectivity Bad

Cause: The IP connection is bad.
Solution: 1. Check connectivity to the network element with a “ping”. If a ping
fails, see solutions mentioned under Cannot ping the network
element

2. If you are able to ping the NE, from the Ensemble Controller
application bar Settings menu, select Configuration, and then
SNMP Profiles Manager.

Ensemble Controller R15.2 Administrator Manual - Issue: A 489

Adtran Troubleshooting

3. Select the profile that this network element uses, and then in the
Timeout / [sec] field, adapt the timeout value.

4. If you still get the timeouts and you are using Windows XP, verify
that you enabled the firewall, which is automatically installed with
Service Pack 2. This can cause an unpredictable behavior even if the
applications have "allowed status" in the firewall configuration.

Option 2 – Improper Handling of Fragmented Packets or

MTU Too Small
Cause: Improper handling of fragmented packets or the maximum transmission
unit (MTU) is too small.
Solution: Follow either of these solutions:
l Change to SNMPv1 because there are no SNMP GET BULK requests,
which can have gotten fragmented.
l Fix intermediate device 'data communication network' (DCN)
configurations to allow for large or fragmented packets on the path
between Ensemble Controller (ENC) and network element (NE).

The Ensemble Controller Client cannot connect

to the Server
Cause: l The user name of the Ensemble Controller Server cannot be resolved.
DNS server might be missing in the network.
l A firewall between the Ensemble Controller Server and Client computer is
blocking required ports.

Solution: 1. Make sure that the Ensemble Controller Server computer knows itself
under the same name as the Client. If a DNS server is missing, from the
Ensemble Controller Server computer name, remove the DNS suffix.
2. The Ensemble Controller Client and Server communicate through the
ports as outlined in Supported Communication Ports. Make sure that a
firewall does not block these ports. Note that Windows XP by default
enables a firewall. Make sure that it is disabled because it could still
cause unpredictable problems although correctly configured.

Ensemble Controller R15.2 Administrator Manual - Issue: A 490

Adtran Troubleshooting

The Ensemble Controller Client cannot connect

because of incorrect user name - password pair
Issue: You forgot your password or someone has changed it.
Solution: 1. If you have a backup from a point in time where you know the passwords
then replay the backup and after that you will be able to login with the
old passwords. Beware that changes from the timespan between now
and that date in the past will be lost.
2. Take a backup of the current database and send that to Adtran support.
The password for admin will be reset and the database sent back to you
for replay.

SNMPv3 communication fails after factory-

default reset
Issue: SNMP communication to the network element fails. Network element is not
visible in Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 491

Adtran Troubleshooting

Solution: On FSP150CP and CM, after you reset Ensemble Controller to factory
defaults, and especially with SNMPv3 configurations, you must set up the
SNMP credentials on the network element, and then toggle the SNMP
configuration in the Ensemble Controller as follows:
1. In the tree pane Networks tab, select the problem network element, and
then in the tab pane, open the Overview tab. If this tab is not yet
available in the pane, press Ctrl + t. In the window that opens, select the
relevant tab name. The Overview tab shows the parameter group areas
for the selected network element.
2. In the SNMP Configuration area, click the pen icon .
3. In the SNMPv3 Settings area, User Name field, change the user name,
for example, to netadmin1, and then click Apply. For more information
about how to change SNMP settings for an individual network element,
see the User Manual.
4. Open the SNMP Profiles tab for the network that includes the network
element. If this tab is not yet available in the pane, press Ctrl + t. In the
window that opens, select the relevant tab name.
5. In the Profile Name column, note down the SNMP profile that this
network uses.
6. In the ribbon menu Action area, select SNMP Profiles Manager.
7. In the SNMP Profiles Manager window, select the profile for the
network. For information about the SNMP Profiles Manager window,
see the User Manual.
8. In the SNMP Settings area, SNMPv3 Settings, User Name field,
change the user name back to the original name, and then click Apply.

Centralized Control Plane Cannot Connect to the

Network Element on Server with Two Network
Interfaces
Cause: On the ENC Server with two or more network interfaces, it is possible that
not all changes in the networks are visible for docker service. This may lead
to a situation where Centralized Control Plane (CPc) which runs in docker
container cannot connect to the network element, and only ENC can connect
to this network element.

Ensemble Controller R15.2 Administrator Manual - Issue: A 492

Adtran Troubleshooting

Solution: Restart the docker service:

systemctl restart docker
After the restart, CPc will see all networks from the ENC Server and will be
able to connect to the network element.

Resolving Normal Operations Issues

This section discusses issues that could happen during normal operation with the
network management software.

General Trouble 494

Ensemble Controller Menu displays in gray color. 494
Ensemble Controller does not receive traps. 495
Ensemble Controller displays the network-element inventory incorrectly. 495
Ensemble Controller does not detect a fiber break. 496
The Ensemble Controller Server detects a false fiber break. 496
Different alarm severities in Ensemble Controller and Element Manager. 496
Removed module displays in the Ensemble Controller inventory. 497
Connections from removed modules still display. 497
Alarms in the Alarm View display in gray color. 497
You cannot start the Element Manager for an FSP 3000R7 NE. 498
Configuration backup of FSP 3000R7 fails with the message “Download
protocol …”. 498
After configuration, network element backup fails with the message “...
Backup server is not responding...” 498
You received the system event “Maximum amount of events, which are
queued for processing, has been reached (“500”), events are discarded.” 499
You receive the event “System time deviation high”. 499
The Notification Manager does not send emails although configured. 500
You receive the event “Authentication failure trap message”. 501
Ensemble Controller receives no traps for an FSP 3000R7 network element. 501
The system does not write the trap address to the FSP 150CM. 502
The Ensemble Controller Server crashes after a time or time zone change,
scheduled backup does not work, or status polling never ends. 503
“Unknown Entity” displays in alarm or event windows. 503

Ensemble Controller R15.2 Administrator Manual - Issue: A 493

Adtran Troubleshooting

Security Manager permission "Write Access to Supported Connections" is

not blocked although disabled. 503
UDP Packet Loss on a Linux Server 504

Return to Troubleshooting Steps.

General Trouble
The Ensemble Controller database can be inconsistent, for example, if an inventory
update fails to update the database according to the real inventory.

Complete these steps to verify the Ensemble Controller database for any inconsistencies
and fix them if required:

1. In the tree pane Networks tab, right-click a single network element, a network, or
the root, and then select Check DB Consistency. After the system finishes the
database verification, the DB Consistency dialog box appears.
2. In the DB Consistency dialog box, Results area, click Show Details to verify the list
for any error messages.
3. Export the DB consistency results to a file, if required:
a. Click Export.
b. In the Save As dialog box, select the location and file name.
c. Click Save.
4. If Ensemble Controller reports a database inconsistency, right-click the same tree
pane element as in Step 1, and then select Fix DB Inconsistency.
5. Wait for this operation to complete. After the system completes, the DB Consistency
dialog box appears.
6. Click Show Details to verify whether the system fixed the errors.
7. If required, repeat the steps to clear remaining errors.
8. If your issue still remains, contact our Technical Services.

Ensemble Controller Menu displays in gray color.

Cause: Ensemble Controller supports users with different privileges. If a user does
not have the privileges to run a menu it displays in gray color.
Solution: Contact your network administrator for more information about privileges.

Ensemble Controller R15.2 Administrator Manual - Issue: A 494

Adtran Troubleshooting

Ensemble Controller does not receive traps.

Cause: l The most common cause is that you did not specify Ensemble Controller
as a trap recipient in the network element.
l Another process blocks trap port 162 on the Ensemble Controller Server
machine. Ask your system administrator for support if you think that this
is the reason but you cannot resolve it.
l IP connectivity between the network element and the Ensemble
Controller is bad.

Solution: 1. In the trapsink table of the network element, type the IP address of the
management station. Use the FSP Element Manager or the network
element craft interface.

2. Verify that only the Ensemble Controller uses the trap port 162 on the
management machine.
3. Verify the IP connection. If it is bad, contact your network administrator.

Ensemble Controller displays the network-

element inventory incorrectly.
Cause: Lost traps can cause inconsistencies in the inventory.
Solution: Force inventory polling of the network element or press F5.

Ensemble Controller R15.2 Administrator Manual - Issue: A 495

Adtran Troubleshooting

Ensemble Controller does not detect a fiber

break.
Cause: Ensemble Controller uses alarm correlation to detect fiber breaks. This
means that the time between the network elements and the Ensemble
Controller Server must be synchronized.
Solution: 1. Use a network time protocol (NTP) server to synchronize the time of all
network elements and the Ensemble Controller Server. You can setup an
NTP server on each network element through the craft interface.
2. Install timesync software on your Windows Ensemble Controller Server.
–or–
Use the net time command to configure the Windows Time Service.
For Linux, you must set up an xntp server.

The Ensemble Controller Server detects a false

fiber break.
Cause: To detect a fiber break the Ensemble Controller Server is reliant on the
correct setup of fibers if the network includes an OSC. If fibers are not set up
correctly, the Ensemble Controller Server might report a fiber break as soon
as all the connections that use that fiber signal LOS or LOC. If you defined
only one connection, then this can happen very easily.
Solution: Verify and correct the fiber setup.

Different alarm severities in Ensemble Controller

and Element Manager.
Cause: Ensemble Controller and the integrated Element Manager work
independently from one another. Alarms are forwarded to and interpreted
from both managers independently.
Solution: To harmonize the alarm severities, adjust the severities for Ensemble
Controller and Element Manager.

Ensemble Controller R15.2 Administrator Manual - Issue: A 496

Adtran Troubleshooting

Removed module displays in the Ensemble

Controller inventory.
Issue: The channel module appears in the Ensemble Controller inventory even
though you removed it from the network element.
Cause: Ensemble Controller keeps removed modules in the database and lists them
in the inventory with the installation state not installed. The module state
will indicate a mismatch. Ensemble Controller deletes a removed module
from the database only when you insert a different module in the same slot,
or if you manually delete it.
Solution: If the module is not physically installed, you can delete it from the Ensemble
Controller database in the Modules tab.

Connections from removed modules still display.

Issue: Ensemble Controller displays connections that are related to the
modules that you removed from the network element.
Cause: Ensemble Controller keeps connections in the database although you
removed the related module from the network element. The advantage
is that the connections are not lost if you remove modules for test or
maintenance purposes. Ensemble Controller deletes the connections
only when you insert a different module in the same slot, or when you
manually delete the module.
Solution: If the module is not installed you can delete it from the Ensemble
Controller database in the Modules Tab.

Alarms in the Alarm View display in gray color.

Cause: Ensemble Controller displays disabled alarms in gray color in the Alarm
View. Ensemble Controller disables alarms that are not related to a
connection. You can manually disable and filter alarms.
Solution: Works as designed. No action required.

Ensemble Controller R15.2 Administrator Manual - Issue: A 497

Adtran Troubleshooting

You cannot start the Element Manager for an

FSP 3000R7 NE.
Cause: The Element Manager for your FSP 3000R7 network element is not included
in the Ensemble Controller Server because of operability reasons. Future
releases might contain it again.
Solution: For the moment, it works as intended. To access your network elements, you
can use the Web Manager, Telnet, or CLI. A standalone version of the
Element Manager for FSP 3000R7 is available. Contact us if you plan to
purchase it.

Configuration backup of FSP 3000R7 fails with

the message “Download protocol …”.
Cause: To back up FSP 3000R7 configurations, you require a working FTP server.
The network elements contain no FTP server of their own. If it is missing
or configured incorrectly, the download of backup configurations from
the network element will fail.
Solution: Configure the NE Backup Transfer settings as described in the User
Manual.

After configuration, network element backup

fails with the message “... Backup server is not
responding...”
Cause: When the network element backup fails, this error message displays:
"Final failure. (Internal error: Backup server is not responding)!"
It means that the last connection to the server failed, and the system
changed the server status to not alive.
Ensemble Controller tests the server availability every 5 minutes as
configured. Ensemble Controller will connect to the FTP or SFTP server as
soon as the availability test is successful.

Ensemble Controller R15.2 Administrator Manual - Issue: A 498

Adtran Troubleshooting

Solution: 1. Verify that the FTP or SFTP server is running.

2. To manually test the server availability, in the Ensemble Controller
Settings, select Configuration, and then Network Properties.
3. From the left menu, select NE Backup Transfer.
4. In the relevant server area, click Test FTP Server Connection or Test
SFTP/SCP Server Connection.

If the test is successful, the network element backup will immediately start.

You received the system event “Maximum

amount of events, which are queued for
processing, has been reached (“500”), events are
discarded.”
Cause: Network element traps flood Ensemble Controller. The amount is so high
that the system cannot respond properly anymore.
Solution: To determine the root cause, use a type of network sniffer to find the
network element through its IP address that produces much traffic and thus
floods the system.

You receive the event “System time deviation

high”.
Cause: The network element time is not synchronized with the Ensemble Controller
Server. This could impede event correlation, for example.
Solution: Correct the network element time settings. We recommend to use a network
time-protocol server that takes care of the time synchronization on both the
Ensemble Controller Server and the network element.

Ensemble Controller R15.2 Administrator Manual - Issue: A 499

Adtran Troubleshooting

The Notification Manager does not send emails

although configured.
Cause: l The user email address that you specified in the Notification Manager is
invalid.
l The SMTP server that you specified might reject the sender address, is
not reachable, or not configured at all.
l You specified a very long time for the waiting time delay, which
determines the time after an event occured when Ensemble Controller
can send events.

Solution: 1. Consult your SMTP administrator to get a valid server address or a valid
email address that is registered with the server for outgoing email traffic.
2. In the Ensemble Controller Settings, select System, and then Server
Preferences > SMTP.
3. In the SMTP page fields, type the data obtained from your administrator
in Step 1.
4. Click OK.
5. In the Ensemble Controller Settings, select System, and then
Notification Manager.
6. Specify a shorter delay for getting notifications.
For example, if you specify a delay of 2 days, you will get notification
earliest after 2 days. The notification then includes all the events that
occurred within these two days.

Ensemble Controller R15.2 Administrator Manual - Issue: A 500

Adtran Troubleshooting

You receive the event “Authentication failure

trap message”.
Cause: The system generates this trap when:
l The agent on the network element receives the request from an
unauthorized manager.
–or–
l The request contains an incorrect community string.

The trap message contains the IP address and community string of the
manager that sent the request. Ensemble Controller displays this trap in the
Events tab.

NOTE
Only FSP 1500 has this functionality.
Solution: 1. If an unauthorized manager caused this trap, it works as designed.
2. If the community string is incorrect, fix it in the manager that issued the
request.

Ensemble Controller receives no traps for an FSP

3000R7 network element.
If you do not receive traps from an FSP 3000R7 network element that has been
configured to not use the OSPF protocol, this can be due to an incorrect configuration of
the network element system IP address. You must use the network element IP address
rather than the LAN or Ethernet IP address.

The FSP 3000R7 network element has two IP addresses, an IP address for the Ethernet
interface, and a system IP address. If you add network elements to the Ensemble
Controller database, you must enter the network-elements system IP address. If this IP
address is not configured at all, or incorrectly configured, the Ensemble Controller cannot
receive traps from it.

The easiest way to be sure that the setting is correct, is to set the same IP address for the
Ethernet interface and the system IP.

Consult the FSP 3000R7 Provisioning and Operations Manual for instructions on how to
carry out the described tasks.

Ensemble Controller R15.2 Administrator Manual - Issue: A 501

Adtran Troubleshooting

1. Verify whether you configured the FSP 3000R7 to use OSPF routing.
2. If OSPF routing is used:
a. Verify that the system IP address is equal to the IP addresses assigned to the
SC-1-A-C-LANIP (Ethernet interface).
b. If the IP addresses are equal, go to Step 5.
c. If the IP addresses are different, modify the system IP address to the same
address as the Ethernet interface.
3. If OSPF routing is not used, go to Step 5.
4. Verify whether Ensemble Controller now receives traps from the FSP 3000R7 network
element.
5. If Ensemble Controller still does not receive traps, there is another cause for this
trouble. Contact the Adtran Technical Services for assistance.
6. If Ensemble Controller now can receive traps, you are finished with this procedure.

The system does not write the trap address to

the FSP 150CM.
Cause: The system does not write the trap address to the FSP 150CM network
element in the initial discovery process. Ensemble Controller discovers the
network element, however does not send traps from the network element to
Ensemble Controller.

NOTE
The network element does send alarms only if the public string is available
while Ensemble Controller discovers it. After Ensemble Controller discovered
the network element, you can delete the public string and the network
element continues to send traps to Ensemble Controller.
Solution: Ensemble Controller uses SNMPv2c to handle traps. Make sure that you
correctly configured the SNMPv2c community string in Ensemble Controller.
Also, if you use SNMPv3 as the communication protocol between Ensemble
Controller and the network element, make sure you correctly configured the
SNMPv3 credentials.

Ensemble Controller R15.2 Administrator Manual - Issue: A 502

Adtran Troubleshooting

The Ensemble Controller Server crashes after a

time or time zone change, scheduled backup
does not work, or status polling never ends.
Cause: The Windows system time changed to a time in the past or you changed the
system time zone.
Solution: Restart the Ensemble Controller Server.

“Unknown Entity” displays in alarm or event

windows.
Cause: Alarm or event windows sometimes show Unknown Entity when Ensemble
Controller receives a trap from the entity that is not discovered or is not
supported in Ensemble Controller.
Solution: For the undiscovered entity, Ensemble Controller corrects the AID after it
successfully discovered the entity.

Security Manager permission "Write Access to

Supported Connections" is not blocked although
disabled.
Cause: Although you disabled the role permission Write Access to Supported
Connections in the Security Manager, you can still execute any actions
related to this permission.

Ensemble Controller R15.2 Administrator Manual - Issue: A 503

Adtran Troubleshooting

Solution: To apply the required security restriction, apart from Write Access to
Supported Connections, you must also disable all the other permissions in
the Configuration-Services category except for these ones:
l Browse Services
l Ensemble Bandwidth Manager
l Read Access to Supported Connections

UDP Packet Loss on a Linux Server

Cause: If the system experiences a high SNMP trap rate, the UDP buffer resources
become insufficient and some UDP packets (SNMP traps) might get lost. This
could reduce the Ensemble Controller performance because of additional
resynchronization procedures.

Ensemble Controller R15.2 Administrator Manual - Issue: A 504

Adtran Troubleshooting

Solution: 1. Add these lines to the /etc/sysctl.conf file, and increase their buffer
limits to at least 25 MB:
l net.core.rmem_max=26214400

l net.core.rmem_default=26214400
2. Restart your Linux system.

Ensemble Controller R15.2 Administrator Manual - Issue: A 505

Adtran Hardware or Software Support and Compatibilities

Appendix A

Hardware or Software
Support and Compatibilities
Communication Ports 506
Client Property Overview 516
Server Property Overview 516
Error-free Output of Database Validation Verification 581
Entity Index or AID Values 584

Communication Ports
Communication ports transfer system data for specific purposes across the network
manager, different servers, and network elements. The tables in Supported
Communication Ports outlines these ports with respect to source, destination,
application, protocol and purpose.

This information is especially helpful when configuring a firewall.

Port Connection Sequence 507

Configuring Server and Client Communication Ports 507
Effects on the GUI Using Secure Ports 508
Supported Communication Ports 508

Ensemble Controller R15.2 Administrator Manual - Issue: A 506

Adtran Hardware or Software Support and Compatibilities

Port Connection Sequence

This is the sequence in which the Ensemble Controller Server and Client connects to ports
for the initial communication:

1. The server listens on both, secure (HTTPS) and insecure (HTTP) ports.
2. The client first tries to connect to the secure port.
3. If the secure connection fails, the client connects to the insecure port.

Configuring Server and Client Communication

Ports
To specify secure and insecure ports for the server and the client (client updater), edit the
relevant properties in these files:
l fnm.properties: Use these properties to set the server ports:
o com.adva.fnm.option.webserver.port

To disable insecure ports, set the property

com.adva.fnm.option.webserver.port to none.

Recommendation:
If you set the property to none, we recommend that you adapt
these tile server properties to use https.
l com.adva.fnm.option.TileServerLayer.street=https:
[...]
l com.adva.fnm.option.TileServerLayer.satellite=https:
[...]

For information about map tile servers, see Installing the Local
Geographical Map-Tile Server in Linux.

o com.adva.fnm.option.rest.securePort

The fnm.properties file is stored in the Ensemble Controller installation directory,

which is for example: C:\Program Files (x86)\ADVA Optical
Networking\FSP Network Manager
For more information about these properties, see the respective paragraph in
Server Access Options.
For more information about editing the fnm.properties file, see Editing the
fnm.properties File.

Ensemble Controller R15.2 Administrator Manual - Issue: A 507

Adtran Hardware or Software Support and Compatibilities

l launch.properties: Set client updater ports. The property to edit is

launcher.webserver.port_x
By default, the ports in the launch.properties file are specified as follows:
launcher.webserver.port_0=8443
launcher.webserver.port_1=8080
launcher.webserver.port_2=80
launcher.webserver.port_3=9000
After you configure the web server in the fnm.properties file to use a different
port than the default one, you must edit the launch.properties file accordingly.
For example,
launcher.webserver.port_4=9999
where 9999 represents the port that the server uses.
The launch.properties file is stored in the Ensemble Controller installation
directory, which is for example: C:\Program Files (x86)\ADVA Optical
Networking\FSP Network Manager\clientupdater

Consider that the value that you set for

com.adva.fnm.option.rest.securePort must match one of the
launcher.webserver.port settings in the launch.properties file
so that the client updater can communicate with the server through
a secure port.

Effects on the GUI Using Secure Ports

If you use secure ports for communication, a server certificate displays for you to accept if
you perform these actions in the Ensemble Controller Client graphical user interface
(GUI):
l Logging in to the Ensemble Controller Client
For more information about how to log in to the Ensemble Controller, see Logging
Into the Ensemble Controller Client.
l Configuring the Multi-server Management window
For more information about the Multi-server Management window and its usage,
see the User Manual.

Supported Communication Ports

This section provides an overview of the communication ports for connected sources and
destinations and includes the related applications and protocols.

Ensemble Controller R15.2 Administrator Manual - Issue: A 508

Adtran Hardware or Software Support and Compatibilities

Reference to Supported Communication

Source Destination Ports, Different Applications and
Protocols
Ensemble Ensemble Controller Table 17 Ensemble Controller Client
Controller Server Connections to Ensemble Controller Server
Client
Message Server Table 18 Ensemble Controller Client
Connections
Connections to Message Server
Ensemble Controller Table 19 Ensemble Controller Client
Server SNMP Forwarder Connections to Ensemble Controller Server
App SNMP Forwarder App
Network Element Table 20 Ensemble Controller Client
Connections to Network Element

Ensemble Controller R15.2 Administrator Manual - Issue: A 509

Adtran Hardware or Software Support and Compatibilities

Reference to Supported Communication

Source Destination Ports, Different Applications and
Protocols
Ensemble Ensemble Controller Table 21 Ensemble Controller Server
Controller Server Connections to Ensemble Controller Server
Server Table 22 Ensemble Controller Server
Ensemble Controller
Server (Remote) Connections to Ensemble Controller Server
(Remote)
Ensemble Controller Table 23 Ensemble Controller Server
Server (Primary or Connections to Ensemble Controller Server
Standby) (Primary or Standby)

Quorum Server Table 24 Ensemble Controller Server

Connections to Quorum Server
Fiber Director Server Table 25 Ensemble Controller Server
Connections to Fiber Director Server
SyncAssurance Table 26 Ensemble Controller Server
Connections to SyncAssurance
Message Server Table 27 Ensemble Controller Server
Connections to Message Server
Postgres Database Table 28 Ensemble Controller Server
Connections to Postgres Database
FTP Server Table 29 Ensemble Controller Server
Connections to FTP Server
Network Element Table 30 Ensemble Controller Server
Connections to Network Element
NTP Server Table 31 Ensemble Controller Server
Connections to NTP Server
SNMP Forwarder Table 32 Ensemble Controller Server
Connections to SNMP Forwarder

Ensemble Controller R15.2 Administrator Manual - Issue: A 510

Adtran Hardware or Software Support and Compatibilities

Reference to Supported Communication

Source Destination Ports, Different Applications and
Protocols
Network Ensemble Controller Table 33 Network Element Connections to
Element Server Ensemble Controller Server

FTP Server Table 34 Network Element Connections to

FTP Server
SCP Server Table 35 Network Element Connections to
SCP Server
FlexNet Embedded Table 36 Network Element Connections to
Server FlexNet Embedded Server

SNMP Network Element Table 37 SNMP Forwarder Connections to

Forwarder Network Element
Web Browser FlexNet Embedded Table 38 Web Browser Connections to
Server FlexNet Embedded Server
EFD Mobile Application Table 39 Web Browser Connections to
EFD Mobile Application

Quorum Server Ensemble Controller Table 40 Quorum Server Connections to

Server (primary or Ensemble Controller Server (Primary or
standby) Standby)
Ensemble Fiber Ensemble Fiber Director Table 41 Ensemble Fiber Editor to Ensemble
Editor Server Fiber Director Server
Servers Using Ensemble Controller Table 42 Servers Using Mutual Authentication
Mutual Server Connections to Ensemble Controller Server
Authentication

Table 17: Ensemble Controller Client Connections to Ensemble Controller Server

Application Port Protocol Purpose or Remarks
HTTP 8080 TCP For legacy client software updates
through the REST interface or the
client updater from an Ensemble
Controller installation earlier than
version 9.2.

Ensemble Controller R15.2 Administrator Manual - Issue: A 511

Adtran Hardware or Software Support and Compatibilities

Table 17: Ensemble Controller Client Connections to Ensemble Controller Server

Application Port Protocol Purpose or Remarks
HTTPS 8443 For client software updates through
the REST interface and other secured
REST interfaces.
HTTP, HTTPS 9090 For the HTTP proxy functionality.

Table 18: Ensemble Controller Client Connections to Message Server

Application Port Protocol
JMS 33028 TCP

Table 19: Ensemble Controller Client Connections to Ensemble Controller Server

SNMP Forwarder App
Application Port Protocol Purpose or Remarks
Prop 2545 TCP For Element Manager functionality.

Table 20: Ensemble Controller Client Connections to Network Element

Application Port Protocol Purpose or Remarks
SSH, SCP 22 TCP
Telnet 23
HTTP 80 For the Web GUI.
HTTPS 443 For the Web GUI over HTTPS.
SyncView 8000 Open SyncView Plus from the Ensemble Controller to
Plus communicate with the OSA 5548C device.

Table 21: Ensemble Controller Server Connections to Ensemble Controller Server

Application Ports Protocol Purpose or Remarks
RMI 33091 TCP Remote operations between the nmsadmin
script and the server.

Table 22: Ensemble Controller Server Connections to Ensemble Controller Server

(Remote)
Application Ports Protocol Purpose or Remarks
HTTPS 8443 TCP Standard High Availability
9543

Ensemble Controller R15.2 Administrator Manual - Issue: A 512

Adtran Hardware or Software Support and Compatibilities

Table 23: Ensemble Controller Server Connections to Ensemble Controller Server

(Primary or Standby)
Application Ports Protocol Purpose or Remarks
HTTPS 2379 TCP Streaming Replication High Availability
2380
8008
SQL 5432

Table 24: Ensemble Controller Server Connections to Quorum Server

Application Ports Protocol Purpose or Remarks
HTTPS 12379 TCP Streaming Replication High Availability
12380
The ports differ depending on the number of
managed clusters. See Overview of Quorum
Server Ports.

Table 25: Ensemble Controller Server Connections to Fiber Director Server

Application Ports Protocol Purpose or Remarks
HTTP 10080 TCP Communication to the Ensemble Fiber
Director Server. See Requirements to Install
HTTPS 10443 the Ensemble Fiber Director Server.

Table 26: Ensemble Controller Server Connections to SyncAssurance

Application Ports Protocol Purpose or Remarks
HTTPS 8093 TCP Communication to the SyncAssurance server.
See Installing and Configuring the Sync
Assurance Application in Linux.

Table 27: Ensemble Controller Server Connections to Message Server

Application Ports Protocol Purpose or Remarks
JMS 33028 TCP Available only locally on the server machine.

Table 28: Ensemble Controller Server Connections to Postgres Database

Application Ports Protocol Purpose or Remarks
SQL 5432 TCP Available only locally on the server machine.

Ensemble Controller R15.2 Administrator Manual - Issue: A 513

Adtran Hardware or Software Support and Compatibilities

Table 29: Ensemble Controller Server Connections to FTP Server

Application Ports Protocol Purpose or Remarks
FTP 21 TCP Information and server management; can also
be SFTP.
SFTP 22 Information and server management.
SCP

Table 30: Ensemble Controller Server Connections to Network Element

Application Ports Protocol Purpose or Remarks
HTTPS 443 TCP SSO support for the Web GUI over HTTPS. See
Single Sign-On Support (SSO).
SNMP 161 UDP SNMP manages the get and response
functions.

Table 31: Ensemble Controller Server Connections to NTP Server

Application Ports Protocol Purpose or Remarks
NTP 123 UDP Use for an NTP time update.

Table 32: Ensemble Controller Server Connections to SNMP Forwarder

Application Ports Protocol Purpose or Remarks
SNMP 2545 UDP Trap forwarding. Available only locally on the
server machine. Need only if you manage FSP
1500 devices using the Element Manager.

Table 33: Network Element Connections to Ensemble Controller Server

Application Ports Protocol Purpose or Remarks
SNMP 161 UDP SNMP response.
SNMP 162 UDP SNMP traps.

Table 34: Network Element Connections to FTP Server

Application Ports Protocol Purpose or Remarks
FTP 20 TCP File transfer. Disable this server if you use SCP,
and the network element supports the server.
21 Information and server management. Yo can
also use SFTP.

Ensemble Controller R15.2 Administrator Manual - Issue: A 514

Adtran Hardware or Software Support and Compatibilities

Table 35: Network Element Connections to SCP Server

Application Ports Protocol Purpose or Remarks
SCP 22 TCP File transfer.

Table 36: Network Element Connections to FlexNet Embedded Server

Application Ports Protocol Purpose or Remarks
HTTP 7070 TCP Network element access to FlexNet (license
validation).
HTTPS 7071

Table 37: SNMP Forwarder Connections to Network Element

Application Ports Protocol Purpose or Remarks
SNMP 161 UDP SNMP manages the get and response
functions.

Table 38: Web Browser Connections to FlexNet Embedded Server

Application Ports Protocol Purpose or Remarks
HTTPS 8444 TCP License management (FlexNet Publisher from
Flexera).

Table 39: Web Browser Connections to EFD Mobile Application

Application Ports Protocol Purpose or Remarks
HTTPS 7443 TCP Communication to the EFD Mobile
Application.

Table 40: Quorum Server Connections to Ensemble Controller Server (Primary or

Standby)
Application Ports Protocol Purpose or Remarks
HTTPS 2379 TCP Streaming Replication High Availability
2380

Table 41: Ensemble Fiber Editor to Ensemble Fiber Director Server

Application Ports Protocol Purpose or Remarks
SQL 25432 TCP Communication with the Ensemble Fiber
Director Server database. See Requirements to
Install the Ensemble Fiber Director Server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 515

Adtran Hardware or Software Support and Compatibilities

Table 42: Servers Using Mutual Authentication Connections to Ensemble

Controller Server
Application Ports Protocol Purpose or Remarks
HTTPS 9543 TCP On this port, the ENC accepts connections from other
servers using mutual authentication. To disable this
port, edit property
com.adva.fnm.option.rest.securePortWithMutualAuth
in the fnm.propertis file. For more details about this
property, see Server Access Options.

Client Property Overview

This section describes the Remote User Options available in the fnmclient.properties
file. To customize the Ensemble Controller Client you can edit the appropriate property in
this file.
l For Windows, the fnmclient.properties file is located in the Ensemble Controller
installation directory C:\Program Files\ADVA Optical Networking\FSP
Network Manager\clientupdater.
l For Linux, the fnmclient.properties file is located in the /opt/adva/fsp_nm
directory.

Remote User Options

Use this option to enable or disable remote access to the Ensemble Controller Client
through special system applications such as Citrix.

com.adva.common.workbench.dialog.login.force_
system_user=false
This property is disabled (set to false) by default. When enabled (set to true), the
determined system user name is retrieved from the system and automatically entered in
the User Name field of the Login window. The field becomes disabled (dimmed) and
thus cannot be edited.

Server Property Overview

This section describes the properties included in the fnm.properties file.
Ensemble Controller R15.2 Administrator Manual - Issue: A 516
Adtran Hardware or Software Support and Compatibilities

Whenever you change property settings, restart the Ensemble Controller Server as
described in Verifying Services in Windows and Verifying Services in Linux.

Authentication Access Options 517

Backup Options 534
Disk Space Monitoring Options 534
Ensemble Sync Director Options 536
Embedded License Server Options 540
Graphical User Interface Options 543
High Availability Options 547
Internal Options 549
Miscellaneous Options 555
Oscillating Events Suppression Options 564
Password Change Action Manager Options 565
Performance Monitoring Options 565
Qualitiy Compliance Options 565
Rapid Term Monitoring (RTM) 566
Scaling Options 570
Security Options 571
Self-Monitoring 573
Server Access Options 576
TCA Monitoring Option 581

Authentication Access Options

Ensemble Controller supports these authentication access protocols:

RADIUS 517
TACACS+ 521
LDAP 524

RADIUS
This section describes the properties to configure one or up to three RADIUS servers.

After you set the properties, you must also configure the Ensemble Controller Settings >
System > Server Preferences > Security parameters. For more information about how to
set security parameters, especially for authentication, see Setting Authentication
Parameters.

Ensemble Controller R15.2 Administrator Manual - Issue: A 517

Adtran Hardware or Software Support and Compatibilities

Properties for the Specific RADIUS Server 519

RADIUS Client Library 521
Specifying the RADIUS Authentication Type 521

Ensemble Controller R15.2 Administrator Manual - Issue: A 518

Adtran Hardware or Software Support and Compatibilities

Properties for the Specific RADIUS Server

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.radiushost com.adva.fnm.option.radiushost2 com.adva.fnm.option.radiushost3 This property
specifies the server
IP address or host
name.
com.adva.fnm.option.radiusport com.adva.fnm.option.radiusport2 com.adva.fnm.option.radiusport3 This property
specifies the port
that the server
listens to. The
factory default is
1812.

Ensemble Controller R15.2 Administrator Manual - Issue: A 519

Adtran Hardware or Software Support and Compatibilities

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.radiustimeout com.adva.fnm.option.radiustimeout2 com.adva.fnm.option.radiustimeout3 This property
specifies the server
time-out in seconds.
If you do not set it,
the system uses the
default of 8 seconds.

NOTE:
This time-out plus
the time-outs that
you can set for the
other RADIUS
servers, must NOT
exceed 60 seconds.

For detailed instructions about these properties, see these related topics:
l Configuring the RADIUS Server Access in Ensemble Controller
l Configuring the RADIUS Server Timeout

Ensemble Controller R15.2 Administrator Manual - Issue: A 520

Adtran Hardware or Software Support and Compatibilities

RADIUS Client Library

com.adva.fnm.option.radiusclient

This parameter specifies the client library that RADIUS uses.

RADIUS supports these client libraries. According to the specified library, the system
determines the maximum shared secret password length:
l axl: The system uses this library by default. It allows a maximum password length
of up to 16 characters.
l jradius: Use this library if you require a password with more than 16 characters.

For RADIUS Access-Challenge, both client libraries are supported.

For information about how to specify shared secret passwords, see Setting
Authentication Parameters.

Specifying the RADIUS Authentication Type

com.adva.fnm.option.radiusauthentication

This parameter specifies the type of authentication that the configured RADIUS servers
use. These are the supported authentication types:
l PAP (default)
l CHAP
l MSCHAP
l MSCHAP2

TACACS+
This section describes the properties to configure one or up to three TACACS+ servers.

Properties for the Specific TACACS+ Server 522

Specifying the TACACS+ Authentication Type 524

Ensemble Controller R15.2 Administrator Manual - Issue: A 521

Adtran Hardware or Software Support and Compatibilities

Properties for the Specific TACACS+ Server

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.tacacshost1 com.adva.fnm.option.tacacshost2 com.adva.fnm.option.tacacshost3 This property
specifies the server
IP address or host
name.
com.adva.fnm.option.tacacsport1 com.adva.fnm.option.tacacsport2 com.adva.fnm.option.tacacsport3 This property
specifies the port
that the server
listens to. The
factory default is
49.

Ensemble Controller R15.2 Administrator Manual - Issue: A 522

Adtran Hardware or Software Support and Compatibilities

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.tacacstimeout1 com.adva.fnm.option.tacacstimeout2 com.adva.fnm.option.tacacstimeout3 This property
specifies the server
time-out in
seconds. If you do
not set it, the
system uses the
default of 8
seconds.

NOTE:
This time-out plus
the time-outs that
you can set for the
other TACACS+
servers, must NOT
exceed 60 seconds.

For detailed instructions about these properties, see these related topics:
l Configuring the TACACS+ Server Access in Ensemble Controller
l Configuring the TACACS+ Server Timeout

Ensemble Controller R15.2 Administrator Manual - Issue: A 523

Adtran Hardware or Software Support and Compatibilities

Specifying the TACACS+ Authentication Type

com.adva.fnm.option.tacacsauthentication

This parameter specifies the type of authentication that the configured TACACS+ servers
use. These are the supported authentication types:
l PAP (default)
l CHAP
l MSCHAP
l ASCII

LDAP
This section describes the properties that you use to configure the access and directory
information for one or up to three LDAP servers.
l To gather valuable background information about LDAP, start off with Basics
About the LDAP Server Directory Structures.
–or–
l Immediately proceed to edit these properties to configure and use LDAP
authentication:
o Specific LDAP Server Properties

o Advanced Server Properties

After you set the properties, you must also configure the Ensemble Controller
Settings > System > Server Preferences > Security parameters. For more
information about how to set security parameters, especially for authentication,
see Setting Authentication Parameters.

Basics About the LDAP Server Directory Structures

Ensemble Controller connects to LDAP servers to maintain the required user information
in a single, logically centralized, tree-structured directory.

The LDAP remote authentication and authorization capability works with any directory
server that provides a standard LDAPv3 protocol interface and has the necessary schema
and directory tree structures needed as a prerequisite.

Adtran extensively tested the solution with Microsoft Active Directory and OpenLDAP
directory servers. Other directory servers should be compatible but have not been tested
explicitly.

Ensemble Controller R15.2 Administrator Manual - Issue: A 524

Adtran Hardware or Software Support and Compatibilities

To set up an Ensemble Controller LDAP integration requires intimate knowledge of the

directory environment to configure it correctly and securely. We recommend that you
discuss your environment with the technical support if you have any doubts about how
to configure LDAP settings in Ensemble Controller.

Using the Directory for Authentication 525

Using the Directory for Authorization 525

Using the Directory for Authentication

To log in to Ensemble Controller, you must provide your username and password for
authentication. To validate your authentication credentials, Ensemble Controller uses the
fnm.properties settings as described in Specific LDAP Server Properties and Advanced
Server Properties to form an LDAP query as follows:

1. Find the user entry in the directory.

When Ensemble Controller searches for the user entries in the directory, ENC makes
this LDAP request:
l The search root = Search Base.
l The search scope = Subtree.
l The search filter = Filter = (&(objectClass=<User Object Class>)
[(objectCategory=<User Object Category>)](<Login Attribute>=<username>)).
2. Bind to the directory using the provided password.
3. If both steps are successful, proceed to the authorization phase. Otherwise,
Ensemble Controller rejects the login.

Using the Directory for Authorization

You can specify either of these authorization methods to determine the directory
structure and schema:
l memberOf or isMemberOf
l advaUserGroups

memberOf or isMemberOf

The directory group membership method to specify a directory structure applies after
you select the Authorization Attribute memberOf or isMemberOf. The selected attribute
uses directory groups to represent the security group membership of Ensemble
Controller users.

Ensemble Controller R15.2 Administrator Manual - Issue: A 525

Adtran Hardware or Software Support and Compatibilities

You must first create a set of directory groups that correspond to the Ensemble
Controller security group names. Then, ensure that you add the individual directory users
as members of these groups.

This sample directory structure illustrates a hierarchy of users and groups specific to
Ensemble Controller (ENC).

Figure 23: Example of a memberOf Directory Structure

l The Search Base shows the parent node for the user entries where the system
begins to search.
l The Group Base shows the parent node for the security groups.

memberOf User Entry Example

This example illustrates a user entry that shows various groups for the memberOf
attribute. The bold text in this example shows the defined Group Base and the security
group names that are based on the shown directory structure in Figure 23.

Ensemble Controller R15.2 Administrator Manual - Issue: A 526

Adtran Hardware or Software Support and Compatibilities

To define group membership, in the directory, populate distinguished name (DN) values
of group members in the group members attribute. This multi-valued attribute provides
forward pointers to the group member entries. Each individual user entry has a
memberOf attribute. This attribute contains backpointers to the distinguished names of
the groups that the user is a member of. Because of the general nature of directories,
user entries can be a member of many different directory groups.

You use a group base setting to identify the set of directory groups that is relevant for
Ensemble Controller, and the directory groups prune the memberOf values to identify
this specific set.

advaUserGroups

The advaUserGroups method identifies the set of security group names that belong in a
directory. The directory uses a simple directory attribute of a previously-authenticated
user entry. First you must select the Authorization Attribute advaUserGroups.

To use this approach, you must extend the directory schema and populate the values for
each individual user who wants access to Ensemble Controller.

This sample directory structure illustrates a hierarchy of users.

Ensemble Controller R15.2 Administrator Manual - Issue: A 527

Adtran Hardware or Software Support and Compatibilities

Figure 24: Example of an advaUserGroups Directory Structure

The Search Base shows the parent node for the user entries where the system begins the
search.

advaUserGroups User Entry Example

This example illustrates how to update an existing directory entry with values for the
advaUserGroups attribute that match the user to pre-existing Administrator and
Configurator groups. You must correctly and individually configure this attribute for each
directory user who requires access to Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 528

Adtran Hardware or Software Support and Compatibilities

Specific LDAP Server Properties

Each of the three servers has specific properties that Ensemble Controller uses to connect to them, shown in the next table. After you edit
these server-specific properties, edit the Advanced Server Properties.

1st Server Properties 2nd Server Properties 3rd Server Properties Description
com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the server IP address or host name.
ldaphost1 ldaphost2 ldaphost3

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the port that the server listens to. The default
ldapport1 ldapport2 ldapport3 is 389.

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the port that the server listens to. The default
ldaptimeout1 ldaptimeout2 ldaptimeout3 is 389.
Note: This timeout, in addition to the timeouts that
you can set for the other LDAP servers, must be less
than or equal to 60 seconds.
com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the security protocol, either StartTLS or
ldapsecprot1 ldapsecprot2 ldapsecprot3 LDAPS, that secures the connection to the LDAP server
and relates to the selected port.

For detailed instructions about these properties, see these related topics:
l Configuring Access to the LDAP Server
l Configuring the LDAP Server Timeout
l Changing the Default Security Protocol

Ensemble Controller R15.2 Administrator Manual - Issue: A 529

Adtran Hardware or Software Support and Compatibilities

Advanced Server Properties

You can use certain Ensemble Controller (ENC) settings to customize LDAP interaction behavior. You can also use these settings to manage
some variation in the directory tree structure and schema that customer deployments use. These settings and your specific LDAP
installation must be compatible.

This table describes the properties that you need to edit to use LDAP authentication, in addition to the Specific LDAP Server Properties . For
general information about how to edit the fnm.properties file, Editing the fnm.properties File.

Name Property Description

Search User com.adva.fnm.option. Specifies the distinguished name of a node within the directory information tree (DIT).
ldapsearchuser This node corresponds to an account that has sufficient permissions. The system uses this
account to connect to the LDAP server and search for users. The system also uses this
account with the same shared secret password that you specify for all three servers. For
information about how to specify the secret passwords, see Setting Authentication
Parameters.
Validate com.adva.fnm.option. Specifies whether the system should validate the LDAP server certificates. The default
Certificate ldapvalidatecertificate value is false, which disables certificate validation.
l Before you enable the certificate, you must import certificates from each server. Also
import any available public key infrastructure root or subordinate certificates into the
keystores of all Ensemble Controller systems. For information about how to import
certificates, see Generating a Certificate Signing Request and Signing the Certificate
Externally, especially Steps 6 to 8.
l After the imported certificates expire, you can no longer log in to your Ensemble
Controller Client.
l You need to import certificates only if you enable this property.

Ensemble Controller R15.2 Administrator Manual - Issue: A 530

Adtran Hardware or Software Support and Compatibilities

Name Property Description

Search Base com.adva.fnm.option. Specifies the distinguished name of the node within the DIT, where the search for users
ldapsearchbase should begin. If you do not set this property, the system starts the search from the overall
directory root.
User Object Class com.adva.fnm.option. Specifies the name of the directory-schema object class that provides user information.
ldapuserobjectclass The system uses this property to find the user entry within the directory. The default value
is user. You can use these values or any other valid class name:
l For the Active Directory, use the default value user.
l For other LDAP servers, change the value to person.

User Object com.adva.fnm.option. Specifies the name of the directory-schema object category that provides user
Category ldapuserobjectcategory information. The system uses this property to find the user entry within the directory. By
default, this property contains no value, which disables it.
l If you use the Active Directory, we recommend that you enable this property to
optimize the user entry search. Specify person as the value.
l For other LDAP servers or standard LDAP directories, leave the property disabled, with
no value.
l If you add a value to this property, the system uses the value to form the object
category filter. The system uses this property for the search only if you add a value.
Login Attribute com.adva.fnm.option. Specifies the name of the directory-schema attribute that provides the username value.
ldaploginattribute When the system searches for an equivalent username to the user entry in the directory,
the system uses this property.
The default value is sAMAccountName. You can use these values or any other valid
attribute name:
l For the Active Directory, use the default value sAMAccountName.

Ensemble Controller R15.2 Administrator Manual - Issue: A 531

Adtran Hardware or Software Support and Compatibilities

Name Property Description

l For other LDAP servers, change the value to uid.

Authorization com.adva.fnm.option. Specifies the name of the directory-schema attribute that the system uses for
Attribute ldapauthorizationattribute authorization. The default value is memberOf, which the system also uses if you specify an
invalid attribute. You can use these values for a case-insensitive attribute:
l memberOf or isMemberOf: The system uses directory groups to represent the security
group membership of Ensemble Controller users.
l advaUserGroups: The system uses a simple directory attribute of a previously
authenticated user entry. The purpose is to identify the set of security group names
that the user should belong to.
Group Base com.adva.fnm.option. Specifies the distinguished name of a node. This node is one level above the specific
ldapgroupbase directory groups for the Ensemble Controller authorization within the DIT. You must set
this property after you select memberOf or isMemberOf for the Authorization Attribute. If
you do not set this property, the system responds to these settings as a misconfiguration.
You must correct the mismatch, and then the system will permit any remote user to log in
to Ensemble Controller.
Group Name com.adva.fnm.option. Specifies a string that identifies ENC-specific groups. This identification occurs if both ENC
Prefix ldapgroupnameprefix groups and non-ENC groups are combined within the directory subtree that the Group
Base property defines. If the group base directory subtree stores only ENC security group
definitions, the default, you can omit using a group name prefix.
To add a group name prefix to differentiate ENC groups from those maintained for other
applications, be aware that the group names in the directory must consist of the prefix
plus the ENC security group name, for example, aENC01Administrator. During the
process, the software removes the prefix to match the user to the Administrator ENC
security group.

Ensemble Controller R15.2 Administrator Manual - Issue: A 532

Adtran Hardware or Software Support and Compatibilities

Name Property Description

You can also use the string to identify multiple ENC instances in one directory. For
example, define
l One set of group names for the ENC01 system using the group name prefix = aENC01.
l A second set of group names for the ENC02 system using the group name prefix =
aENC02.

Ensemble Controller R15.2 Administrator Manual - Issue: A 533

Adtran Hardware or Software Support and Compatibilities

Backup Options
com.adva.fnm.option.databasebackupfilesnumber
This parameter specifies how many database backup files to create. To comply with high-
availability functionality, the software stores the last database backup file in these two file
copies:
l dbfnm.sql
l dbfnm_time_stamp.sql

Heartbeat on Alarm NBI

This option causes Ensemble Controller (ENC) to create the regular event <Heart Beat>
configurable for different northbound interfaces (CSV, SNMP and MTOSI) to indicate that
the Ensemble Controller Server is still up and running.

These parameters are available:

l com.adva.fnm.option.HeartBeatInterval
This parameter sends an event to all interfaces that you did not configure, such as
CSV, SNMP, and MTOSI.
l com.adva.fnm.option.HeartBeatInterval.CSV_NBI
This property specifies the rate that the system uses to sendt the <Heart Beat>
event only to the CSV alarm NBI described in the Integration Manual.
l com.adva.fnm.option.HeartBeatInterval.SNMP_NBI
This property specifies the rate that the system uses to send the <Heart Beat>
event only to the SNMP alarm NBI described in the Integration Manual.
l com.adva.fnm.option.HeartBeatInterval.MTOSI_NBI
This property specifies the rate that the system uses to send the <Heart Beat>
event only to the MTOSI alarm NBI described in the Integration Manual.

For the relevant parameter to be specified, enter the time between two heart beat events
in seconds. Range is 5 to 360 seconds with a default of 300.

Disk Space Monitoring Options

Make sure to restart the server for any property changes to take effect.

Ensemble Controller R15.2 Administrator Manual - Issue: A 534

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.diskSpaceLowThreshold
Use this parameter to configure the initial low-disk-space monitoring threshold. The
parameter specifies the available disk space percentage that raises the corresponding
Disk Space Low alarm if the percentage decreases. See the User Manual, Disk Space LOW.

A default value of 30 percent in the fnm.properties file defines this property. If you
configure an illegal value such as invalid syntax, out of range, or less than or equal to the
Disk Space Critical Threshold value, Ensemble Controller logs the misconfiguration and
uses the default value.

The syntax is an unsigned integer that indicates a percentage of 0 to 99. Specify a value
of zero to disable the threshold alarm.

com.adva.fnm.option.diskSpaceCriticalThreshold
Use this parameter to configure the critical low-disk-space monitoring threshold. This
parameter specifies the available disk space percentage that raises the corresponding
Disk Space Critical alarm if the percentage decreases. See the User Manual, Disk Space
CRITICAL.

A default value of 15 percent in the fnm.properties file defines this property. If you
configure an illegal value such as invalid syntax, out of range, or greater than or equal to
the Disk Space Low Threshold value, Ensemble Controller logs the misconfiguration and
uses the default value.

The syntax is an unsigned integer that indicates a percentage of 0 to 99. Specify a value
of zero to disable the threshold alarm.

com.adva.fnm.option.diskSpacePollingFrequency
Use this this parameter to configure the frequency of when the software should verify the
available disk space. This parameter specifies the number of hours between polls for
available disk space.

A default value of 24 hours in the fnm.properties setting defines this property. If you
configure an illegal value such as invalid syntax or out of range, Ensemble Controller logs
the misconfiguration and uses the default.

The syntax is an unsigned integer of 1 to 168 hours. Specify a value of zero to disable disk
space monitoring.

Ensemble Controller R15.2 Administrator Manual - Issue: A 535

Adtran Hardware or Software Support and Compatibilities

Ensemble Sync Director Options

These are the Ensemble Sync Director options, formerly known as Sync Manager options.

com.adva.nlms.mediation.synchronization.discovery.Sync
DiscoveryQueueSize
This property specifies the synchronization-discovery message-queue size. That is the
number of network-related events, which the synchronization-discovery layer must
handle to update the synchronization topology.

If the managed network is very big or experiences many changes in configuration or

operation in a short time, then the queue increases. If the queue is exhausted, this slows
down the server responsiveness, and thus the graphical user interface also works more
slowly.

To avoid this issue, for XL systems of about 50,000 network equivalents or more, we
recommend to increase the default value of 10,000 up to 100,000. This results in more
Java virtual-machine (JVM) memory usage in the server process.

com.adva.nlms.mediation.synchronization.ncd.auto.align.
with.subnet
With this property enabled (set to true), the NCD structure in the Synchronization tree
pane aligns with the subnetwork structure in the Networks tree pane. For more
information about NCD structure alignment, see the Synchronization Management Guide,
Aligning the NCD Structure with the Subnetwork Structure.

com.adva.nlms.mediation.synchronization.ncd.auto.align.
with.subnet.separator
This property specifies the separator used in the name of a newly created NCD due to
structure alignment. For more information about NCD structure alignment, see the
Synchronization Management Guide, Aligning the NCD Structure with the Subnetwork
Structure.

com.adva.nlms.mediation.synchronization.snt.telemetry.t
ls.option
This property specifies whether the system uses the TLS option to connect to the devices
during the streaming telemetry collection. This setting applies to all devices supported by

Ensemble Controller R15.2 Administrator Manual - Issue: A 536

Adtran Hardware or Software Support and Compatibilities

Quality Compliance functionality. To enable TLS option, set the value of this property to
tls. The default is no tls.

Health Center Properties

This section describes properties that you can use to change default settings for the
Health Center window. For information about the Health Center window, see the User
Manual, Viewing the Server Health Performance.

com.adva.fnm.option.HealthCenter.SampleRateInMinutes 537
com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec 537
com.adva.fnm.option.HealthCenter.GaugeMonitoredHours 537
com.adva.fnm.option.HealthCenter.DBRetentionDays 537
CPU Thresholds 537
Memory Thresholds 538
Disk Thresholds 539

com.adva.fnm.option.HealthCenter.SampleRateInMinutes
This property specifies the health center sampling rate in minutes. You can specify a value
between 1 and 60. The default is 1.

com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec
This property specifies the health center refresh period in seconds. You can specify a
value between 60 and 3600. The default is 300.

com.adva.fnm.option.HealthCenter.GaugeMonitoredHours
This property specifies the health center gauge monitor hours (last x hours). You can
specify a value between 1 and 23. The default is 1.

com.adva.fnm.option.HealthCenter.DBRetentionDays
This property specifies the database retention days. Any data older than the specified
property value will Ensemble Controller automatically delete. You can specify a value
between 30 and 365. The default is 120.

CPU Thresholds
com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold 538
com.adva.fnm.option.HealthCenter.CpuDegradedThreshold 538

Ensemble Controller R15.2 Administrator Manual - Issue: A 537

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold 538

com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold
This property specifies the CPU utilization threshold in % to determine whether the CPU
sample is healthy. You can specify a value between 0 and 100. The default is 85.

com.adva.fnm.option.HealthCenter.CpuDegradedThreshold
This property specifies the high threshold in % for the rate of good CPU samples out of
all samples for each observed period. If this rate of good samples and all samples is
below the high threshold but still above the low threshold, the CPU is considered
degraded for the measured period. Default observed periods display in a gauge for the
last 60 minutes and in a chart for the last 30 days in the Ensemble Controller Health
Center. You can specify a threshold value between 15 and 99. The default is 70.

com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold
This property specifies the low threshold in % for the rate of good CPU samples out of all
samples for each observed period. If this rate of good samples and all samples is below
the low threshold, the CPU is considered unhealthy for the measured period. Default
observed periods display in a gauge for the last 60 minutes and in a chart for the last 30
days in the Ensemble Controller Health Center. You can specify a threshold value
between 0 and 84. The default is 30.

The specified value must be at least 15 points below the value you
specified for the CPU degraded threshold. If not, Ensemble Controller
automatically sets the value to exactly 15 points below the degraded
threshold.

Memory Thresholds
com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold 538
com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold 539
com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold 539
com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold 539
com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold 539

com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold
This property specifies the physical memory utilization threshold in % to determine
whether the memory sample is healthy along with other conditions such as the Swap
Memory Utilization and the Page Vs Physical Memory rate. You can specify a value
between 0 and 100. The default is 85.

Ensemble Controller R15.2 Administrator Manual - Issue: A 538

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold
This property specifies the swap memory utilization threshold in % to determine whether
each memory sample is healthy along with other conditions such as the Swap Memory
Utilization and the Page Vs Physical Memory rate. You can specify a value between 0 and
100. The default is 85.

com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold
This property specifies the page against physical memory rate threshold in % to
determine whether each memory sample is healthy along with other conditions such as
the Swap Memory and the Physical Memory Utilization. You can specify a value between
0 and 100. The default is 20.

com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold
This property specifies the high threshold in % for the rate of good memory samples out
of all samples for each observed period. If this rate of good samples and all samples is
below the high threshold but still above the low threshold, the memory is considered
degraded for the measured period. Default observed periods display in a gauge for the
last 60 minutes and in a chart for the last 30 days in the Ensemble Controller Health
Center. You can specify a threshold value between 15 and 99. The default is 70.

com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold
This property specifies the low threshold in % for the rate of good memory samples out
of all samples for each observed period. If this rate of good samples and all samples is
below the low threshold, the memory is considered unhealthy for the measured period.
Default observed periods display in a gauge for the last 60 minutes and in a chart for the
last 30 days in the Ensemble Controller Health Center. You can specify a value between 0
and 84. The default is 30.

The specified value must be at least 15 points below the value you
specified for the memory degraded threshold. If not, Ensemble
Controller automatically sets the value to exactly 15 points below the
degraded threshold.

Disk Thresholds
com.adva.fnm.option.HealthCenter.WindowsMonitoredDiskPartitions
This property specifies the Windows disk partitions to be monitored. Type comma-
separated strings, for example: c,d
For each taken sample, Ensemble Controller displays the health information for the disk
or partition experiencing the lowest values. The default is c.

Ensemble Controller R15.2 Administrator Manual - Issue: A 539

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.HealthCenter.LinuxMonitoredDiskPartitions
This property specifies the Linux disk partitions to be monitored. Type comma-separated
strings, for example: /,/opt/adva
For each taken sample, Ensemble Controller displays the health information for the disk
or partition experiencing the lowest values. The default is /,/opt/adva,/var/lib/docker.

com.adva.fnm.option.HealthCenter.DiskDegradedThreshold
This property specifies the high free-disk threshold in %. If the average free disk
utilization (%) for the observed period is below this threshold but still above the low
threshold, the disk is considered degraded. You can specify a value between 15 and 99.
The default is 30.

com.adva.fnm.option.HealthCenter.DiskUnhealthyThreshold
This property specifies the low free-disk threshold in %. If the average free disk utilization
(%) for the observed period is below this threshold, the disk is considered unhealthy. You
can specify a value between 0 and 84. The default is 15.

The specified value must be at least 15 points below the value you
specified for the disk degraded threshold. If not, Ensemble Controller
automatically sets the value to exactly 15 points below the degraded
threshold.

Embedded License Server Options

com.adva.fnm.option.flexeraServer.ipaddress
This parameter specifies the IP address of the main Embedded License Server, and is by
default disabled. Write the IP address in uniform resource identifier (URI) format:
<protocol>://<IPaddress>:<port>
If you specify only the <IPaddress> without the <protocol> or the <port>, Ensemble
Controller uses the default values that is, https for <protocol> and 7071 for <port>. For
more information about the default values, see Supported Communication Ports.

com.adva.fnm.option.backupFlexeraServer.ipaddress
This parameter specifies the IP address of a second Embedded License Server that
operates as a backup server. It is disabled by default. Write the IP address in URI format:
<protocol>://<address>:<port>
If you specify only the <IPaddress> without the <protocol> or the <port>, Ensemble

Ensemble Controller R15.2 Administrator Manual - Issue: A 540

Adtran Hardware or Software Support and Compatibilities

Controller uses the default values that is, https for <protocol> and 7071 for <port>. For
more information about the default values, see Supported Communication Ports.

com.adva.fnm.option.elsgui.ipaddress
This property specifies the main license server GUI URL. A default browser will be used to
open the ELS GUI URL of the main license server. The format of this property is:
[https://]<host>[:<port>]. If you specify a URL without the protocol, then the default
protocol is https://. Also if you do not specify a port, the default port for secure access is
8444. For more information about the default port values, see Supported Communication
Ports. The overall default URL for this property is https://127.0.0.1:8444.

com.adva.fnm.option.backupElsgui.ipaddress
This property specifies the backup license server GUI URL. A default browser will be used
to open the ELS GUI URL of the backup license server. The format of this property is:
[https://]<host>[:<port>]. By default this property is disabled (empty URL). If you specify
a URL without the protocol, then the default protocol is https://. Also if you do not
specify a port, the default port for secure access is 8444. For more information about the
default port values, see Supported Communication Ports.

com.adva.fnm.option.flexeraServer.pollingInterval
This parameter specifies the polling interval in seconds between the Ensemble Controller
and the Embedded License Server. You can select a value in the range of 30 to 300
seconds. If you specify a value that is out of that range, Ensemble Controller uses the
default value of 60 seconds.
This property is not included in the fnm.properties file. You must add it if you want to use
it.

com.adva.fnm.option.flexeraServer.timeout
This parameter specifies the time in milliseconds after which Ensemble Controller notifies
about connection issues to the Embedded License Server. The default value is 5000
milliseconds.
This property is not included in the fnm.properties file. You must add it if you want to use
it.

com.adva.fnm.option.flexeraServer.hostidprefix
This property specifies an optional prefix that you can specify. The system combines this
prefix with a server-generated suffix to form the complete Flexera host-ID value for the

Ensemble Controller R15.2 Administrator Manual - Issue: A 541

Adtran Hardware or Software Support and Compatibilities

Ensemble Controller installation.

The default prefix value is enc that the system uses even if the property is not present in
the fnm.properties file. If you do not want a prefix, type "" as the value.

Comply with these format rules to specify the prefix:

l A printable string of up to 32 characters.
l Unicode characters are permitted, except hyphen ("-") and space (" ").

If the defined prefix violates any of the formatting rules, then the system uses the default
prefix enc in software without further notice.

Any change to this property affects the overall host ID assigned to the Ensemble
Controller instance. After a server restart, the changes take effect and result in releasing
all licenses that you acquired against the old host ID followed by a re-acquisition against
the new host ID.

com.adva.opt.flexera.requestLicenses
This property specifies the set of feature licenses that you want the system to acquire.
The system always acquires basic licenses or the equivalent chain regardlessly of this
property.

Comply with these format rules to specify the feature licenses:

l A string that contains comma-delimited feature license names.
Use this option if you have multiple Ensemble Controller installations using a
common Embedded License Server. It will allow you to control the feature licenses
that each Ensemble Controller is to request individually.
l If you specify *, the system will request licenses for all licensed capabilities and will
be bound by the available set of licenses on the Embedded License Server. You can
use this option when your Ensemble Controller is the only client of the Embedded
License Server.
l If you specify no string value, the system will NOT acquire feature licenses.

As an example, this property value allows the system to request the licenses for the
Ensemble Optical Director, the Bandwidth Manager, which you will need to use all
features of Optical Director, and also the Ensemble Fiber Director:

com.adva.opt.flexera.requestLicenses=ENC-EOD,ENC-BWM,ENC-EFD

This property is not included in the fnm.properties file. You must add it if you want to
change the default value *, which the system always uses independently from whether
this property is present in the fnm.properties file. In advanced customer environments

Ensemble Controller R15.2 Administrator Manual - Issue: A 542

Adtran Hardware or Software Support and Compatibilities

with Embedded License Server license pooling, we recommend to set this property on
each Ensemble Controller Server.

This list shows the complete set of supported feature license names that you can use with
this property:
l ENC-BWM
l ENC-CBM
l ENC-CRYPTO
l ENC-EFD
l ENC-EOD
l ENC-EPD
l ENC-ESAMG
l ENC-ESAMP
l ENC-ESD
l ENC-HA-STD
l ENC-HA-STREAM
l ENC-MTOSI
l ENC-SDN-PRESTO
l ENC-SDN-TAPI

Graphical User Interface Options

com.adva.fnm.option.server_welcome_text
This property is used to specify a welcome message to be displayed in the login dialog
box.

com.adva.fnm.option.server_postLogonText
This property is used to specify a post-login message to be displayed after you log in to
the Ensemble Controller (ENC) Client. See Post-Login Dialog Box Message for more
information.

com.adva.fnm.option.date_format
This property enables to customize the format of how the date is presented wherever it
appears in the graphical user interface of the Ensemble Controller Client.

Ensemble Controller R15.2 Administrator Manual - Issue: A 543

Adtran Hardware or Software Support and Compatibilities

This table provides some examples of date formats that are possible. However, you can
specify your own format by using these predefined characters:
l YY - year
l MM - month
l dd - day

Format Date Example

YYYY-MM-dd 2014-07-21
dd.MM.YY 21.07.14
dd MMM YY 21 Jul 14
dd MMM YYYY 21 Jul 2014
M/d/YY 7/21/14
MM/d/YY 07/21/14
MM/d/YYY 07/21/2014

Browser-Related Properties
This section describes properties that you can use to specify secure or insecure CLI shell
clients, also for individual network elements, web browsers, or PDF viewers.

com.adva.fnm.security.CLI_[WINDOWS|LINUX] 544
com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX] 545
com.adva.fnm.option.useCLIOverTelnet 545
com.adva.fnm.security.browser_[WINDOWS|LINUX] 546
com.adva.fnm.security.pdf_[WINDOWS|LINUX] 546

com.adva.fnm.security.CLI_[WINDOWS|LINUX]
This property predefines the configuration of an insecure shell client such as Telnet. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to
launch the relevant network element command line interface:
l Windows: com.adva.fnm.security.CLI_WINDOWS=cmd /K start telnet
l Linux: com.adva.fnm.security.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/telnet

These properties are by default disabled. After you enable them, as described in
Configuring CLI Launch Commands, the specified, corresponding command values

Ensemble Controller R15.2 Administrator Manual - Issue: A 544

Adtran Hardware or Software Support and Compatibilities

display as predefined values in the respective Insecure Shell Path field in the Browsers
window. The Browsers window is opened from the application bar user menu, User
Settings.

In the Browsers window, you can change the predefined settings for a shell client as
described in the User Manual, Procedure to Specify Browsers, and the system does no
longer take the settings from the fnm.properties file into account. The settings that you
specify in the Browsers window take priority.

com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX]
This property predefines the configuration of a secure shell client such as PuTTY. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to
launch the relevant network element command line interface:
l Windows: com.adva.fnm.security.ssh.CLI_WINDOWS=C:\\Program Files
(x86)\\PuTTY\\putty.exe
l Linux: com.adva.fnm.security.ssh.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/putty

These properties are by default disabled. After you enable them, as described in
Configuring CLI Launch Commands, the specified, corresponding command values
display as predefined values in the respective Secure Shell (SSH) Path field in the
Browsers window. You open the Browsers window from the application bar user menu,
User Settings.

com.adva.fnm.option.useCLIOverTelnet
This property specifies the devices that use the insecure Telnet client when they access
the command line interface. By default, there are no devices listed. Multiple devices can
be specified separated by commas.

These device values are supported:

l ALM
l FSP_1500 series
l FSP_150CC series
l FSP_150CC_T series

Ensemble Controller R15.2 Administrator Manual - Issue: A 545

Adtran Hardware or Software Support and Compatibilities

l FSP_150CM/CP
l FSP_150CP/MX
l FSP_150EGM series
l FSP_150EGX
l FSP_3000C
l FSP_3000R7
l FSP_ProVM series
l FSP_XG/GE series
l HN4000/HN400 series
l JUNIPER_MX series
l OSA series

For value details about specific variants of a device series, see the NE Type field on the
device, or the ne.versions file in the Ensemble Controller installation directory.

com.adva.fnm.security.browser_[WINDOWS|LINUX]
This property predefines the configuration of a browser such as the Internet Explorer.
Each operating system (OS) that Ensemble Controller supports, has a dedicated property
to launch the relevant network element browser:
l Windows: com.adva.fnm.security.browser_WINDOWS=C:\\Program
Files\\Internet Explorer\\iexplore.exe
l Linux: com.adva.fnm.security.browser_LINUX=

These properties are by default disabled. After you enable them, the specified,
corresponding command values display as predefined values in the respective Web
Browser Path field in the Browsers window. You open the Browsers window from the
application bar user menu, User Settings.

In the Browsers window, you can change the predefined settings for a web browser as
described in the User Manual, Procedure to Specify Browsers, and the system does no
longer take the settings from the fnm.properties file into account. The settings that you
specify in the Browsers window take priority.

com.adva.fnm.security.pdf_[WINDOWS|LINUX]
This property predefines the configuration of a PDF viewer such as Adobe Reader. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to
launch the relevant network element PDF:

Ensemble Controller R15.2 Administrator Manual - Issue: A 546

Adtran Hardware or Software Support and Compatibilities

l Windows: com.adva.fnm.security.pdf_WINDOWS=C:\\Program Files

(x86)\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe
l Linux: com.adva.fnm.security.pdf_LINUX=

These properties are by default disabled. After you enable them, the specified,
corresponding command values display as predefined values in the respective PDF
Viewer Path field in the Browsers window. You open the Browsers window from the
application bar user menu, User Settings.

In the Browsers window, you can change the predefined settings for a PDF viewer as
described in the User Manual, Procedure to Specify Browsers, and the system does no
longer take the settings from the fnm.properties file into account. The settings that you
specify in the Browsers window take priority.

com.adva.fnm.option.maxMapLabelLength
This property specifies the maximum number of characters that can be used for the
network element (NE) names in the map pane. By default, a maximum of 100 characters
are supported.

Should the specified maximum number of characters be exceeded, then the NE name
ends with three dots. For example, if the property has been set to 5 and the NE name is
“EGX-123” then the name displayed in the map pane is "EGX-1…".

com.adva.fnm.security.auto_logout_user_disable
If you configured the auto-logout feature and you are inactive for some minutes,
Ensemble Controller will log you out automatically.

This property specifies the users who Ensemble Controller is NOT to consider for the
auto-logout feature, and therefore does not automatically log these users out.

To specify the users, type the case-sensitive user names behind the equal sign and
separate them by commas, for example:
com.adva.fnm.security.auto_logout_user_
disable=Admin,admin,User01,user02

High Availability Options

com.adva.fnm.ssl.knownHosts
This parameter specifies the name of the file containing the list of known SFTP hosts on
the primary server. The factory default name and location is .ssh/known_hosts.

Ensemble Controller R15.2 Administrator Manual - Issue: A 547

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.automaticSwitchover
This parameter regulates whether the secondary Ensemble Controller Server
automatically changes to master mode when it cannot connect to the primary server that
currently runs in master mode.

If the high-availability configured servers lose connection to each

other, the Ensemble Controller status bar (see Server Status)
indicates the respective status with a delay of one minute after the
servers lost connection.

If you set this parameter to enabled, automatic switchover will take place. The factory
default setting is disabled.

com.adva.nlms.mediation.ha-stream.automatic-
switchover
This property specifies whether the system automatically takes care of switchovers. This
setting must be the same on all cluster members. If not, a configuration error occurs and
the system behavior is undefined.

If you change this property, you do not need to restart the Ensemble Controller Server to
take effect. It might cause an unnecessary switchover.
l If you set this property to enabled:
o The system will monitor faults and raise alarms for these where possible.

o The system will react automatically to detected faults and, if necessary, will
attempt to change the standby to become the primary if the current primary
experiences an outage or loses quorum.
l If you set this property to disabled:
o The system will monitor faults and raise alarms for these where possible.

o The system will NOT automatically react to detected faults and will NOT
attempt to change the standby to become the primary if the current primary
experiences an outage or loses quorum.
o The system will respond to a manual switchover request if you decide that a
switchover is needed.
o If you detect that the expected primary experiences an outage, manually
perform a switchover to the standby as described in Initiating a Server Work
Mode Switchover.

Ensemble Controller R15.2 Administrator Manual - Issue: A 548

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.slavePolling
If polling for example performance monitoring polling is allowed in slave mode, this
property is used to specify polling to be 'enabled' or 'disabled'. By default it is disabled.

com.adva.fnm.ssl.keyfile
This parameter specifies the location and name of the private key file for connecting to
an SFTP on the primary server. The value .ssh/id_rsa stated in this property is an
example.

Optionally, a password can be specified related to this private key file. To do so, see the
property com.adva.fnm.ssl.passphrase.

com.adva.fnm.ssl.passphrase
This parameter specifies a passphrase that protects the private key used for the Ensemble
Controller Server SSH or SFTP connections.

Encrypt this property value using the obfuscate_ssl_password script. This script is
obfuscate_ssl_password.sh for Unix and obfuscate_ssl_password.bat for
Windows. The script is located in the <installation>/bin directory.

To populate the property value:

1. Execute the obfuscate_ssl_password script. When prompted, type in the

passphrase that protects the private key, such as mypassphrase. The script output
should be similar to Encrypted password:t61arUIkx8+Y3SJkc66qYA==
2. Use the generated encrypted string as the property value, for example,
com.adva.fnm.ssl.passphrase=t61arUIkx8+Y3SJkc66qYA==

com.adva.fnm.option.afterSwitchoverSecondaryScript=/
opt/usr/bin/secondary.sh
In Linux, this parameter points to the script that the system executes after this node
changed to the slave state.

Internal Options
You typically do not modify internal options unless the ADVA Technical Services advise
you to do so.

Ensemble Controller R15.2 Administrator Manual - Issue: A 549

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.recalculateCounter
Use this parameter to enable event counter recalculation on server startup by typing true.
After the server has started, you must reset this parameter to false, which disables the
function.

com.adva.nlms.mediation.evtProc.maxEventQueueSize
This parameter specifies the maximum number of events, which are queued for
processing. When this number is reached, all events are discarded.

Properties for Handling Event Processing Suspension

To keep the server responsive in case of a high trap rate, the processing is suspended
based on the processing queue level. There are three stages:

Stage 1: blocking of most chatty NE live traps

Stage 2: blocking of live and regenerated traps of most chatty traps

Stage 3: blocking of all traps

These settings specify the upper and lower thresholds of the three protection stages (in
percent):
l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage1=50,30
l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage2=60,40
l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage3=70,50

This setting defines the suspend/resume interval for protection stages 1 and 2 (in
seconds):
l com.adva.nlms.mediation.evtProc.EventQueueSuspendResumeInterval=30,10

This setting defines the ratio of affected NEs for suppression during protection stages 1
and 2 (in percent):
l com.adva.nlms.mediation.evtProc.EventQueueSuspendedRatio=30

Properties for Handling Trap Flood Detection

The trap flood detection feature is used to detect trap floods per NE. An alarm is raised if
the number of traps exceeds the given threshold values. The alarm is cleared if the flood
does not exist anymore.

Ensemble Controller R15.2 Administrator Manual - Issue: A 550

Adtran Hardware or Software Support and Compatibilities

These properties allow to enable or disable the feature and to adjust the threshold
values:
l # if SNMP trap flood mechanism is enabled (default value = true)
com.adva.nlms.mediation.evtProc.TrapFloodDetectorEnabled=true
l # number of traps per second which is considered as trap flood
com.adva.nlms.mediation.evtProc.TrapFloodSampleThreshold=5
l # Length of sample period in seconds
com.adva.nlms.mediation.evtProc.TrapFloodSamplePeriodTime=10
l # Number of consecutive sample periods
com.adva.nlms.mediation.evtProc.TrapFloodSamplePeriodAmount=18

The detector only considers live traps (detection type = TRP). It supervises the number of
traps for each NE separately over a couple of sample periods.

Upon expiry of the sample period timer (TrapFloodSamplePeriodTime) the detector

checks whether a flood condition now exists or not anymore and raises/clears the flood
alarm.

A flood condition exists if the threshold (TrapFloodSampleThreshold) is exceeded in x

consecutive sample periods (x = TrapFloodSamplePeriodAmount – 1). A flood condition
does not exist anymore if the threshold is exceeded in less than x sample periods (x =
TrapFloodSamplePeriodAmount / 2).

com.adva.nlms.mediation.event.maxEventLogSize
This setting specifies the maximum event log size. The default value is 200,000.

If needed you can increase this value up to 999,999. However, any value above 500,000
could cause the Ensemble Controller to have temporary problems in displaying new
events. It can happen at the time when the Ensemble Controller starts to delete old
events to bring the number below the specified threshold.

Properties for Setting NBI Alarm or Event Filters

These properties specify the severities for the alarms and events that you want Ensemble
Controller to filter out for either of these northbound interfaces (NBIs):

NBI Property for ...

SNMP Alarms: com.adva.nlms.mediation.event.SnmpNbiAlarmFilter
Events: com.adva.nlms.mediation.event.SnmpNbiEventFilter

Ensemble Controller R15.2 Administrator Manual - Issue: A 551

Adtran Hardware or Software Support and Compatibilities

NBI Property for ...

CSV Alarms: com.adva.nlms.mediation.event.CsvNbiAlarmFilter
Events: com.adva.nlms.mediation.event.CsvNbiEventFilter

For information about the Ensemble Controller NBIs, see the Integration Manual.

This table lists the supported severity values:

Severity
Description – The system reports:
Value
CR A critical event.
MJ A major event.
MN A minor event.
WN A warning event.
I An informational event.

To use this property, type the severity values as these examples show:
l com.adva.nlms.mediation.event.SnmpNbiAlarmFilter=Severity[I]
–or–
l com.adva.nlms.mediation.event.CsvNbiAlarmFilter=Severity[WN,I]

For information about how to change the default or currently assigned severity and type
for events in Ensemble Controller, see the User Manual, Setting Event Type and Severities.

com.adva.nlms.mediation.event.initCSVLogOnStartup
After you enable this property, the system writes all standing alarms to the event CSV file
each time the Ensemble Controller Server (ENC Server) restarts. The content of the CSV
rows are largely similar to the alarms when they are initially written to the eventlog.csv
file, with these exceptions:
l The Update field has a new value of INIT signifying that these rows were written
due to the Ensemble Controller re-initialization. This will allow the OSS to have
absolute knowledge that these are the only alarms of which the Ensemble
Controller is aware and will allow it to determine alarms it that it needs to add, and
also alarms that it needs to delete from its view.
l Because this feature is governed by an enabled/disabled flag, there is no
backwards compatibility impact from the new field value.

Ensemble Controller R15.2 Administrator Manual - Issue: A 552

Adtran Hardware or Software Support and Compatibilities

l The Ack field will contain a reflection of whether the alarm was acknowledged in
the Ensemble Controller or not.
l All other fields will contain values as per the time that the alarm was last emitted or
updated by the Ensemble Controller.

com.adva.nlms.mediation.event.CSVLogLineBreakAtEOL
This parameter is by default set to no, which locates the insertion of the line break at the
start-of-line. Changing it to yes locates the insertion of the line break at the end-of-line.

com.adva.nlms.mediation.event.syncAlarmsListenerPort
This parameter specifies the port that is used by an OSS client to trigger the alarm NBI
synchronization. The function is disabled if there is no port specified.

com.adva.fnm.option.hideFAMDetails
When set to true, this parameter disables the ribbon menu option of the Fiber Assurance
tab allowing to view measurement details about the fingerprint or fault analysis. By
default, the parameter is set to false that is, the menu option is enabled (made available).

com.adva.fnm.option.trapsink.aging
When Ensemble Controller discovers a network element, the system uses the keep alive
polling (KAP) feature to automatically register the Ensemble Controller Client (ENC Client)
IP address in the trapsink table of that network element. For more information about
trapsink aging, see the User Manual.

Use this property to:

l Define how long the network element must keep the ENC Client IP address in
thetrapsink table before the network element automatically removes it.
If Ensemble Controller sends requests to the network element during the time that
you set, the time counting restarts and the IP address retention time extends in the
network element trapsink table.
l Disable the automatic trapsink registration.

These are the supported property values:

Ensemble Controller R15.2 Administrator Manual - Issue: A 553

Adtran Hardware or Software Support and Compatibilities

Value
Value Name Description
Number
0 trapsink disabled Type 0 behind the property equal sign to disable
trapsink registration.
After you disable trapsink registration:
l It applies to all network element types that
Ensemble Controller discovers from that moment.
l You can no longer disable the Automatic Trapsink
Re-Registering feature.

1 duration1hour(1) Type 1 behind the property equal sign to specify that

the network element must keep the trapsink table
entry for 1 hour.
2 duration1day(2) The default value, which defines that the network
element must keep the trapsink table entry for 1 day.
3 duration3days(3) Type 3 behind the property equal sign to specify that
the network element must keep the trapsink table
entry for 3 days.
4 duration1week(4) Type 4 behind the property equal sign to specify that
the network element must keep the trapsink table
entry for 1 week.
5 duration1month(5) Type 5 behind the property equal sign to specify that
the network element must keep the trapsink table
entry for 1 month.
6 unlimited(6) Type 6 behind the property equal sign to specify that
the network element never removes the trapsink table
entry.

Consider these limitations if you change the property value:

l If you change the value, it takes effect only for newly discovered network elements.
However, the FSP 3000 C shows an exception to this rule for value number 6. If you
change to 6, it applies to already discovered and newly discovered FSP 3000 C
network elements.
l These property values are designed for FSP 3000R7 network elements. If you
change the value to anything between 1 and 5, other network elements interpret
them only as value number 6.

Ensemble Controller R15.2 Administrator Manual - Issue: A 554

Adtran Hardware or Software Support and Compatibilities

com.adva.unsupported.ne.versions.check.enabled
This property specifies whether the Unsupported Versions tab is available in the tab pane,
and thus the feature. See User Manual.
If the property is set to true, Ensemble Controller recognizes unsupported network
elements that it discovers, and then raises a respective alarm. The property is by default
set to false, and thus the tab with its feature disabled. For this property to take effect if
you change it, you must restart the Ensemble Controller Server as described in Starting
the Ensemble Controller Server.

Miscellaneous Options
com.adva.fnm.option.disableClientUpdates
This parameter controls the behavior of the client updater. When set to true, the client
updater is disabled and does not inform you about updates. In this scenario, the updater
does not verify the server version, and the software starts the installed client. You can
therefore use an existing GUI with a patched server. By default, this parameter is set to
false with the client updater enabled.

com.adva.fnm.option.iphostnameenabled
Ensemble Controller supports the fully qualified IP hostname for every network element
as a separate data field. You can edit this field for a selected network element in the
Overview tab, Identity area. This field, however, initializes with the host name that the
software retrieves from a reverse hostname lookup, which is OS-dependant. This process
occurs on the Ensemble Controller Server host. If the reverse lookup process fails, the
hostname field remains empty, even if you specify a host name when you add the
network element to Ensemble Controller.

Only web-based craft interfaces, on an external web browser, use the hostname field. This
property sets the use of the host name. If set to true, ENC uses the host name, and if set
to false ENC does not use the host name.

com.adva.nlms.mediation.report.NeCountInventoryThres
hold
This parameter specifies the network-element threshold number for a single inventory
report. If the report shows a threshold that exceeds the specified value, a message

Ensemble Controller R15.2 Administrator Manual - Issue: A 555

Adtran Hardware or Software Support and Compatibilities

displays to warn you. The message includes a request for you to proceed or cancel the
report generation. The default threshold value is 200.

com.adva.nlms.mediation.report.AlarmCountThreshold
This parameter specifies the number of alarms threshold for a single fault/security report.
If the report shows a threshold number that exceeds the set value, a message displays to
warn you. The message includes a request for you to proceed or cancel the report
generation. The default threshold value is 3000.

com.adva.fnm.option.CSVSeparator
This property specifies the character that separates column values. By default, Ensemble
Controller uses the pipe "|" character. Alarm or event log files are unaffected by any
character definition through this property because these log files do not use this
property.

com.adva.nlms.mediation.report.keptfilesnumber
This property specifies the total number of scheduled CSV report files for each report
type that the system will store in filesystem locations. If the total number of reports
exceeds the set value, the oldest report is deleted. The default is four CSV report files.

com.adva.nlms.mediation.report.keptfilesnumber.manual
This property specifies the total number of manual CSV report files for each report type
that the system will store in filesystem locations. If the total number of reports exceeds
the set value, the oldest report is deleted. This property is disabled by default (0).

com.adva.nlms.mediation.report.performance.PmReport
PagesLimit
This parameter specifies the number-of-pages threshold value for a single
performance/service performance report. The default is 1000 pages. The software first
verifies the threshold number before the process generates the report. If this number
exceeds the threshold value, the software does not generate a report.

com.adva.nlms.mediation.report.reportExternalStorage
If you set this property to true, the report process considers external file storage paths
when the software generates reports.

Ensemble Controller R15.2 Administrator Manual - Issue: A 556

Adtran Hardware or Software Support and Compatibilities

For each type of report, such as an inventory report, service inventory report, and other
reports, you must specify a different path. Add this path immediately after the
...reportExternalStorage property. After the software generates the report, the
software stores the report in the location you specify.

The paths are organized into interactive (manual) reports and scheduled reports. This
figure displays the property with the respective paths (unspecified) that the reports
extract from the fnm.properties file.

Consider these aspects when you specify paths:

l Make sure that access permissions do not restrict the specified paths.
l After an upgrade, previous reports do not migrate to the new location. You must
maintain or migrate these reports manually.
l The report process considers the property and specified paths for scheduled
reports by using the aging or deletion function of CSV reports.
Manual reports do not use this process, and you must manually clean the data in
these files.
l Make sure that you maintain or update the fnm.properties file on all servers,
including the high availability (HA) servers.
l If you encounter errors, for example a path is missing or inaccessible because of
permissions, the software generates an error message and displays manual

Ensemble Controller R15.2 Administrator Manual - Issue: A 557

Adtran Hardware or Software Support and Compatibilities

reports. For scheduled reports, an event that displays on the appropriate event
screen points to the encountered error.

com.adva.nlms.mediation.report.sync.performance.devic
e.types
This property specifies which device types should be included in the sync performance
report. By default, a sync performance report covers these network elements:
l OSA 5401
l OSA 5405-I
l OSA 5405-MB
l OSA 5405-O
l OSA 5405-P
l OSA 5410
l OSA 5411
l OSA 5412
l OSA 5420
l OSA 5421
l OSA 5422
l OSA 5430
l OSA 5440
l OSA SoftSync

If you want to reduce the list of device types included in the report, add this property to
the fnm.properties file and type comma seperated list of device types as its value. You
can only enter device types from the above list.

com.adva.nlms.mediation.report.suffix
This property specifies the suffix of the automatic reports file name. The suffix has format
"_text_%version". For example, if you type
com.adva.nlms.mediation.report.suffix=report1A, the report file will have this name:
<report name>_report1A_ENC_xx.x.x. The text in this property can contain only:
l These alphanumeric characters: a to z; A to Z; 0 to 9.
l These special characters: “.” and “_”. No other special characters are allowed.

This property is not added to the fnm.properties file automatically. To use this property,
you need to add it manually to the file.

Ensemble Controller R15.2 Administrator Manual - Issue: A 558

Adtran Hardware or Software Support and Compatibilities

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_FILE_PATTERN
This parameter specifies the name of a resource report. The default name is
Resource_%DATE_TIME%.csv.

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_DAYS_TO_RETAIN_FILES
This parameter specifies the number of days the system will retain a resource report. The
default value is 10 days.

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_MAX_FILE_SIZE
This parameter specifies the maximum file size of a resource report. The default value is
50 MB.

com.adva.nlms.mediation.CSV_FILE_TRANSFER
If you set this property to yes, these CSV files transfer to a secure file-transfer protocol
(SFTP) server:
l Inventory Report
l Performance Monitoring Reports (see CSV Performance NBI)
l Ensemble Sync Director Reports:
o PTP Remote Slaves Report

o Sync Topology Report

o Sync Performance Report

For more information about these reports, see the Integration Manual. For information
about how to configure the SFTP server, see the Integration Manual, Enabling the CSV
File Transfer.

com.adva.nlms.mediation.sm.prov.cp.CP_POLICY_PROXY_
NODES_IP
This property specifies one or more proxy node IP addresses. To add IPv4 addresses, use
this format separated by commas: A.B.C.D,E.F.G.H,W.X.Y.Z

Ensemble Controller R15.2 Administrator Manual - Issue: A 559

Adtran Hardware or Software Support and Compatibilities

You can apply the control plane policy only to proxy nodes that run software version
16.1.1 or later.

com.adva.nlms.mediation.sm.prov.cp.waitForMonitorEqu
alizationTimeInSecs
This property specifies the time in seconds that Ensemble Optical Director must wait after
you initiate an action before the system monitors equalization. The default is 2 seconds.

com.adva.nlms.mediation.sm.prov.cp.waitForEqualization
TimeInSecs
This property specifies the maximum time in seconds required to complete equalization
on the device. The default is 900 seconds. The software uses this property when you
provision a service. Wait until the creation of the service and equalization complete
before you modify any ports in use.

com.adva.nlms.mediation.sm.prov.cp.LOCKED_LINKS_
ENABLED
This parameter specifies whether locked links display in the GUI and whether you can
reset them. The parameter has these values:
l true - enables the locked links display and reset feature.
l false (default) - disables the locked links display and reset feature.

For hardware release 12. 1, first enable this parameter before any initial discovery of any
FSP 3000R7 network elements. If you enable this property after discovery of these
network elements, the software will not recognize the locked links.

com.adva.nlms.mediation.sm.prov.cp.UseCPRestForPrePa
thComputation
If you set this parameter to 'yes', the system uses the CP REST interface to compute
possible working and protection paths during service creation. A table displays the paths,
and you can select the most applicable path. The default parameter is enabled.

Ensemble Controller R15.2 Administrator Manual - Issue: A 560

Adtran Hardware or Software Support and Compatibilities

com.adva.nlms.mediation.sm.prov.cp.MaxNumberOfCom
putedPaths
This parameter specifies the number of paths that display in the table of possible paths
computed by control plane through the CP REST interface during service creation. By
default, the interface sets five paths.

com.adva.nlms.mediation.sm.DigitalSignalSuffix
This property specifies the suffix that the software adds to the top-level service
connection name. The property applies to explored, provisioned, and tracked services. If
you enable the property, the top-level service connection inherits the service object
name and adds the specified suffix.

The maximum length of the service name including the suffix must be
1000 characters or less.

For more information, see the WDM Management Guide, Service Name Propagation to
the Client-Facing Connectivity.

com.adva.nlms.mediation.sm.EthernetDigitalSignalSuffix
This property specifies the suffix that the software adds to the top-level service
connection name. The property applies to Ethernet-tracked services. If you enable the
property, the top-level service connection inherits the service object name and adds the
specified suffix.

The maximum length of the service name including the suffix must be
1000 characters or less.

For more information, see the Packet Management Guide, Ethernet Tracked Services
Name Propagation to the Top-Layer Connection.

com.adva.nlms.mediation.sm.ServiceNameTemplate
This property specifies the string pattern that Ensemble Controller uses to create the
service names, and then displays the pattern in the tree pane Services tab. For more
information about how to edit the property, see the property description in the

Ensemble Controller R15.2 Administrator Manual - Issue: A 561

Adtran Hardware or Software Support and Compatibilities

fnm.properties file. For general information about service names, see the WDM
Management Guide, Service Naming.

com.adva.nlms.common.visual.BANDWIDTH_USAGE_
[LOW|HIGH]
This parameter specifies the number-of-links threshold for bandwidth usage. The
threshold values are:
l low = 1% to 25% (com.adva.nlms.common.visual.BANDWIDTH_USAGE_LOW=25)
l normal = 26% to 74%
l high = 75% to 99% (com.adva.nlms.common.visual.BANDWIDTH_USAGE_
HIGH=75)
l full = 100%

com.adva.nlms.mediation.ethNEConfig.maxTemplateSize
InKB
This parameter specifies the maximum template size in KB. The default template size is
1024 KB.

com.adva.nlms.mediation.config.fsp_
r7.useAdvaSpecificSerialNumbers
If you set this property to 'true', the premise of the Ensemble Controller is that all FSP
3000R7 serial numbers start with 'LBADVA' instead of 'FA'.

The software updates all serial numbers upon server startup.

com.adva.nlms.mediation.config.shelfLocationInfoSettab
le
If you set this parameter to true, the physical shelf location that you can define in the
Overview tab, Identity area, correlates to the respective network element. The reverse is
also true. That is, if you change the shelf location property on the NE, this information
also changes on Ensemble Controller.

Ensemble Controller R15.2 Administrator Manual - Issue: A 562

Adtran Hardware or Software Support and Compatibilities

com.adva.nlms.mediation.sm.prov.ni.controller
This parameter specifies whether the Network Intelligence (NI) Controller is enabled
(true) or disabled (false).

Properties for Managing Pro-Vision

To enable and then start Pro-Vision in your web browser, set these properties to true:
l com.adva.nlms.sdn.enabled
l com.adva.nlms.mediation.pv.startModule

com.adva.fnm.option.UseSnmpForRest
This property specifies whether changed SNMPv3 login credentials — the user name and
password — overwrite any specified HTTP, HTTPS, or REST credentials for FSP 3000R7
network elements. If you do not change the SNMPv3 credentials, the specified
credentials for HTTP, HTTPS, or REST remain valid. By default, the property is set to true,
and thus enabled.

The SNMPv3 login credentials change reflects in:

l The Overview tab for an individual FSP 3000R7 network element.
l The Overview tab for the Network root if it contains FSP 3000R7 network elements.
l The Centralized Control Plane for the FSP 3000R7 network elements that the
control plane manages.

com.adva.fnm.option.UseSFTPFileTransfer.device.types
For a secure transfer protocol, ENC uses SCP if the network element supports it. For
devices that do not support SCP, ENC transfers files using SFTP. Use this property to
specify the devices and versions that will use SFTP instead of SCP by default.

Example:
com.adva.fnm.option.UseSFTPFileTransfer.device.types = OSA 5420:10.5, OSA 5422, OSA
5412

In this example ENC would use SFTP for OSA 5412, 5422, and for OSA 5420 version 10.5
or later (e.g. 10.6 or 11.1).

Ensemble Controller R15.2 Administrator Manual - Issue: A 563

Adtran Hardware or Software Support and Compatibilities

To avoid issues with unsecure old versions of SFTP use this property
with the latest currently installed version of the element. You can skip
the version if the element is new enough that it never used the
outdated SFTP - not even in its first software version.

Oscillating Events Suppression Options

These options configure suppression of oscillating events.

Sometimes an event “oscillates”, that is, it is raised repeatedly. Depending on the

oscillating event suppression settings, the Ensemble Controller Server can ignore these
events. The settings are:
l The oscillating events soak period.
l The oscillating events blocking period.

com.adva.fnm.option.disableLoggingPeriod
If the Ensemble Controller Server receives the same event three times within the number
of seconds specified by this parameter (soak period), further logging of that event is
inhibited. The factory default value is 10 seconds.

com.adva.fnm.option.enableLoggingPeriod
Logging of the inhibited event is enabled again when Ensemble Controller Server has not
received the particular event for the number of seconds specified by this parameter
(blocking period). The factory default value is 60 seconds.

com.adva.nlms.medation.config.dyingGaspDisabled.devi
ce.types
If a network element sends dying gasp notifications, it alerts that it is about to restart,
reset or otherwise go down. These notifications help service technicians to already
exclude issues such as circuit or hardware failures, and thus narrow down the search for
the issue.

However, you can disable these dying gasp notifications for the network elements that
you specify.

1. Behind the property equal sign, type the relevant network element string IDs.
Seperate them through commas, for example:
[...]config.dyingGaspDisabled.device.types=FSP 150CC-XG210,FSP 150-GE102Pro-
Ensemble Controller R15.2 Administrator Manual - Issue: A 564
Adtran Hardware or Software Support and Compatibilities

H
2. Restart the Ensemble Controller Server as described in Verifying Services in Windows
and Verifying Services in Linux.
After the Ensemble Controller Server restarts, the property change takes effect only
for newly discovered network elements. The network elements that the system
already discovered remain unaffected by this property change.
The Message Pane shows relevant messages if the system disables dying gasp
notifications for certain network elements.

Password Change Action Manager Options

This option allows the created password change action (PCA) log file to be sent to the
email address specified. The entry is defined as follows:

com.adva.fnm.option.pcaLogReceiver=<email_address>
Enter the email address where the newly created log file will be sent.

com.adva.fnm.option.pcaMaxThreadCount
This property specifies the maximum PCA threads.

Performance Monitoring Options

com.adva.nlms.mediation.performance.CSVvalidTime
This parameter specifies how many days the system preserves CSV performance report
files before it deletes them. The parameter becomes inoperative, when you disable the
recurring action Performance Data Export (Short Term) and Sync Performance Report.

For more information about the file handling of performance reports, see the Integration
Manual.

com.adva.nlms.mediation.neComm.150ccSnmpDelay
This parameter specifies how long of a delay (in milliseconds) is to be allowed between
performance monitoring requests for FSP 150CC devices.

Qualitiy Compliance Options

Specify these parameters to set up the Sync Quality Compliance Report.
Ensemble Controller R15.2 Administrator Manual - Issue: A 565
Adtran Hardware or Software Support and Compatibilities

com.adva.nlms.mediation.performance.CSVvalidTime
This parameter specifies how many days the system preserves the report files before it
deletes them. The parameter becomes inoperative, when you disable the recurring action
Sync Quality Compliance Report.

com.adva.nlms.mediation.report.sync.quality.compliance.
clock.ref
This parameter specifies the clock reference for the Sync Quality Compliance Report.
These are the valid values:
l SystemClock
l PTP
l NTP

If you specify a non-valid value, the system uses the default SystemClock.

com.adva.nlms.mediation.report.sync.quality.compliance.
threshold.degraded.ns
This parameter specifies the degraded threshold in nanoseconds. It must be bigger than
zero and smaller than the failed threshold. If the offset of the selected clock reference, for
a specific NE is bigger than this value over the report time range, but is never bigger than
Failed threshold, the report Compliance status for this NE is Degraded.

com.adva.nlms.mediation.report.sync.quality.compliance.
threshold.failed.ns
This parameter specifies the failed threshold in nanoseconds. It must be bigger than the
degraded threshold. If the offset of the selected clock reference, for a specific NE is
bigger than this value over the report time range, the report Compliance status for this
NE is Failed.

Rapid Term Monitoring (RTM)

Rapid Term Monitoring is a newer metric-collection mechanism that is used to monitor
and assess the overall health of the Ensemble Controller. Compared to self-monitoring,
RTM monitors application and system attributes at a shorter interval called the rapid term
interval. You can start and stop RTM from the Ensemble Controller GUI or CLI, compared
to the short-term and long-term options of self-monitoring.

Ensemble Controller R15.2 Administrator Manual - Issue: A 566

Adtran Hardware or Software Support and Compatibilities

To set up RTM, configure these parameters.

com.adva.fnm.mediation.monitoring.rapidTermInterval
Set the rapid term interval to any integer between 1 and 299 seconds. If invalid values are
entered, including alphabetical strings, the default value of 2 seconds is used.

com.adva.fnm.mediation.monitoring.rapidStartAtSystem
StartUp
If you wish to start RTM at system startup, set the above property to ‘true’. By default,
RTM does not start at system startup. RTM is started and stopped manually after the data
is collected. If the server restarts when RTM is running, RTM will not restart automatically.
Only one instance of RTM is allowed to run at a given time.

Deletion of Log Files

Ensemble Controller deletes old log files according to these rules:
l Rapid monitoring log files are rolled at startup or when the size of the files exceeds
the maximum value configured in log4j2.xml. Afterwards, the backup index of the
files get increased by one. When the backup index of a file exceeds the maximum
value configured in log4j2.xml, this file gets deleted.
l NE-related log files older than 5 days are deleted. Hence we recommend that you
save NE logs in a separate folder, if you wish to keep them for future reference.

Retrieving Monitoring Data

The resulting RTM data are stored in /var/monitoring under the Ensemble Controller
installation directory:
l rapidTerm.csv
o Application data values that are configured for rapid term monitoring.

l rapidTermNE_<NE-name>.csv
o Network element-related data configured for rapid term monitoring.

The maximum file size and maximum backup index of the rapid monitoring csv files are
configured using log4j2.xml.

At the start of every rapid monitoring session, the csv files are rolled over (rapidTerm.csv
becomes rapidTerm.csv.1, rapidTerm.csv.1 becomes rapidMonitoring.csv.2,..,
rapidMonitoring.csv.max gets deleted). This occurs even if the current log file has not

Ensemble Controller R15.2 Administrator Manual - Issue: A 567

Adtran Hardware or Software Support and Compatibilities

reached the maximum file size, since new configuration will lead to different headers in
log files.

Specifying Monitored Attributes

A configuration file, stored in monitoringConfig/rapidTerm under the Ensemble
Controller installation directory, contain the parameters that RTM monitors. It specifies
the application, system, and NE-related parameters to monitor and is read only when
rapid term monitoring is started.
l Application attributes are variables of the Ensemble Controller Server modules
such as performance, polling, persistence, NE communication, configuration, event
processing, events, and server.
l System attributes are parameters of the Java VM such as Hot Spot Diagnostic,
Class Loading, Memory, Code Cache Manager, Code Cache, PS Eden Space, PS Old
Gen, PS Perm Gen, PS Survivor Space, operating system, runtime, threading, and
logging.
l The number of timeouts can be monitored per NE.

You can either use the default configuration file or customize it as follows:

1. Navigate to this folder:

ENC Installation Directory\monitoringConfig\rapidTerm
2. Modify the defaultRapidTerm.properties file as follows:
l Add each new attribute you wish to monitor in separate row.
l To exclude an attribute from monitoring, place a “#” in the beginning of the row.
3. If you wish to monitor NE attributes, add the corresponding network element names
to this file:
ENC Installation Directory\monitoringConfig\monitoredNEList\rapid.properties
4. Restart the Ensemble Controller Server.

Triggering RTM
Use one of these applications to trigger RTM:

Windows CLI Interface 569

Linux CLI Interface 569
Ensemble Controller GUI 569
nmsadmin Script 570

Ensemble Controller R15.2 Administrator Manual - Issue: A 568

Adtran Hardware or Software Support and Compatibilities

Windows CLI Interface

For Windows, run RTM from the Ensemble Controller installation directory using these
CLI commands:

1. To display the RTM state (activated or not), type this command:

jre\bin\java -jar lib\adva_tools.jar -rState
2. To start RTM, type this command:
jre\bin\java -jar lib\adva_tools.jar -rStart 1000
where 1000 in this example is the duration of rapid monitoring.
3. To stop RTM, type this command:
jre\bin\java -jar lib\adva_tools.jar -rStop

Linux CLI Interface

For Linux, run RTM from the Ensemble Controller installation directory using these CLI
commands:

1. To display the RTM state (activated or not), type this path including the command:
/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_
tools.jar -rState

Please ensure that you enter the path as one command. The same
applies to Step 2 and 3.

2. To start RTM for a specified duration, type this command:

/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_
tools.jar -rStart 1000
where 1000 in this example is the duration of rapid monitoring.
3. To stop RTM, type this command:
/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_
tools.jar -rStop

Ensemble Controller GUI

Complete these steps to run RTM from the Ensemble Controller GUI:

1. In the Ensemble Controller Settings, select System, and then Rapid Term
Monitoring. The Rapid Monitoring window opens.
2. Type the Duration in seconds, and then click Start. A message indicates rapid
monitoring activation.

Ensemble Controller R15.2 Administrator Manual - Issue: A 569

Adtran Hardware or Software Support and Compatibilities

3. Click OK to acknowledge the RTM start message. The Message Pane indicates that
RTM was collected.
4. If you wish to stop RTM before the monitoring duration elapses, in the Ensemble
Controller Settings, select System, and then Rapid Term Monitoring.
5. Click Stop in the resulting window.

nmsadmin Script
Complete these steps to run RTM using the nmsadmin script:

1. Run the nmsadmin script file located in the Ensemble Controller bin installation
directory.

2. Type I to show the current RTM state.

3. Type N to start RTM, and then enter the RTM duration in the range of 1 to 3600
seconds. If the maximum value is exceeded, a warning message displays.
4. Press Enter.
5. To stop RTM before the duration expires, type U, and then press Enter.

Scaling Options
com.adva.fnm.option.threadPoolSize
For each Ensemble Controller connected to the Ensemble Controller Server, a thread is
established. Each thread requires a certain amount of memory, and hence it is advisable

Ensemble Controller R15.2 Administrator Manual - Issue: A 570

Adtran Hardware or Software Support and Compatibilities

to limit the number of simultaneous threads allowed. This parameter specifies this
number. The factory default is 9.

com.adva.nlms.mediation.polling.MAX_RUNNING_
POLLING_TASKS
Ensemble Controller is configured to poll Network Elements at regular intervals. The
number of simultaneous polling actions must be in accordance with the DCN capacity,
and is specified by this parameter. The factory default value is 10.

com.adva.nlms.mediation.performance.watchdog.olp
Setting this parameter to 'true', the system will automatically stop the performance
monitoring collection if these limits for performance monitoring objects (PMOs) have
been exceeded:
l com.adva.nlms.mediation.performance.watchdog.max15minPmo=50000
This property specifies the maximum number of PMOs for the short term interval.
l com.adva.nlms.mediation.performance.watchdog.max24minPmo=200000
This property specifies the maximum number of PMOs for the long term interval.

When these limits have been exceeded, an alarm is raised and PM data is no longer
collected.

To resume PM collection, decrease the number of subnetworks to which PM templates

are assigned and restart the server.

Security Options
com.adva.fnm.option.FallbackNEUserID
This property specifies the user name that relates to the randomly created fallback
password. An acceptable user name must conform to character rules. The rules differ
according to the network-element type and any configured security policies. For FSP
3000R7 network elements, the fallback user name must:
l Have 4 to 10 characters.
l Contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Contain only these special characters: “.” and “_”. No other special characters are
allowed.

Ensemble Controller R15.2 Administrator Manual - Issue: A 571

Adtran Hardware or Software Support and Compatibilities

Use this fallback password to access a network element if an interruption occurs to the
Ensemble Controller (ENC) connection. You can also use the fallback password if a failure
occurs when you request administrative user rights on the network element.

For more information about how to request or grant administrative user rights on
network elements, see Granting Temporary Admin User Rights on Network Elements.

com.adva.fnm.option.FallbackPasswordManagement
If you set this property to 'true', you enable the NE-fallback user-password management
tool. Additionally you must specify the property com.adva.fnm.option.FallbackNEUserID.
By default, the management tool is disabled, that is set to false.

The NE-fallback password management tool manages the password of the fallback user
(the user of "last resort") for each individual network element.

com.adva.fnm.option.SSOviaFBP
If you set this property to 'true', you enable the Establishing an SSO Connection Using
Fallback Passwords. You must also specify the property
com.adva.fnm.option.FallbackNEUserID. By default, SSO connection through fallback
password is disabled (set to 'false').

com.adva.fnm.option.SSOviaAHA
If you set this property to 'true', you enable an SSO Connection through Ad Hoc Local NE
Account. See . By default, SSO connection through Ad Hoc Account is disabled (set to
'false').

com.adva.fnm.option.ssoDisabled.device.types
This property permanently disables an SSO connection for specified NE types. For more
information about how to specify NE types, see .

com.adva.fnm.option.maxFtpPasswordLength
This property controls the maximum length of the ftp server passwords. The default value
is 64 characters, which is also the maximum length that Ensemble Controller supports.
With this property you can limit the maximum password length to a value that is
supported by all devices installed in the network.

Ensemble Controller R15.2 Administrator Manual - Issue: A 572

Adtran Hardware or Software Support and Compatibilities

Self-Monitoring
Self-Monitoring is a metric-collection mechanism that is used to monitor and assess the
overall health of the Ensemble Controller. If you suspect a problem with the Ensemble
Controller, such as slow system performance or high memory consumption, you can
monitor application, system, and network element attributes for these cases:
l short-term interval
l long-term interval
l “on demand”

You activate and deactivate short-term and long-term monitoring from the
fnm.properties file. Generally, you use long-term monitoring under normal conditions,
while you use short-term monitoring if you suspect a problem such as slow system
performance.

“On demand” monitoring is activated by using the Ensemble Controller GUI or the
nmsadmin script. You can obtain a current snapshot of the system to analyze a known
problem such as slow system performance.

Specifying Monitored Attributes

Configuration files, one per each monitoring scheme, are located in the
monitoringConfig subfolder of the Ensemble Controller installation directory. They
specify the application, system, and NE-related parameters to monitor.
l Application attributes are variables of the Ensemble Controller Server modules
such as performance, polling, persistence, event processing, events, and server.
l System attributes are parameters of the Java VM such as operating system,
memory, threading, and logging.
l The number of timeouts can be monitored per NE.

You can either use the default configuration files or customize them as follows:

1. Navigate to the folder corresponding to a monitoring scheme you wish to use:

l ENC Installation Directory\monitoringConfig\longTerm
l ENC Installation Directory\monitoringConfig\shortTerm
l ENC Installation Directory\monitoringConfig\onDemand
2. Modify the corresponding .properties file as follows:
l Add each new attribute to a separate row.
l To exclude an attribute from monitoring, place a “#” in the beginning of the row.

Ensemble Controller R15.2 Administrator Manual - Issue: A 573

Adtran Hardware or Software Support and Compatibilities

l To monitor NE(s), add this attribute:

com.adva.nlms.mediation.neComm.SNMP4JConfiguration$SNMPAdapterInfoMBe
an.getTimeoutsNoPerNE

3. Repeat Step 1 to Step 2 for each remaining monitoring scheme you will use.
4. If you wish to monitor network element attributes, add the corresponding network
element names to these files, depending on the monitoring scheme you will use:
ENC Installation Directory\monitoringConfig\monitoredNEList\onDemand.properties
ENC Installation Directory\monitoringConfig\monitoredNEList\periodical.properties

Use the periodical.properties file for short-term and long-term

monitoring.

5. Restart the Ensemble Controller Server.

Triggering Self-Monitoring
The procedure to activate self-monitoring depends on the scheme you use:
l To trigger short-term or long-term monitoring, proceed to Activating Short-Term
or Long-Term Monitoring.
l To trigger “on demand” monitoring.

1. Proceed to Activating Short-Term or Long-Term Monitoring.

2. Next, proceed to either On-Demand Monitoring Using Ensemble Controller or On-
Demand Monitoring Using nmsadmin .

Activating Short-Term or Long-Term Monitoring

By default, both short-term and long-term monitoring are disabled. Activating either or
both schemes involves modifying the corresponding time interval in the fnm.properties
file.

Also, either short-term monitoring or long-term monitoring must be activated to use “on
demand” monitoring.

1. To activate short-term monitoring, set this attribute in the fnm.properties file to 5,

10, 15, 20, 25, 30, 35, 40, 45, 50, 55, or 60 minutes.
com.adva.fnm.mediation.monitoring.shortTermInterval
If you set an invalid value, including an alphabetical string, Ensemble Controller uses
the default value of 15 minutes as the short-term interval.

Ensemble Controller R15.2 Administrator Manual - Issue: A 574

Adtran Hardware or Software Support and Compatibilities

2. To activate long-term monitoring, set this attribute in the fnm.properties file to

{hours} multiplied by 60 minutes, where {hours} is an integer from 0 to 24:
com.adva.fnm.mediation.monitoring.longTermInterval
For example, if the long term interval is 10 hours, you must enter 600 (10*60). If you
configure an invalid value, including an alphabetical string, Ensemble Controller uses
the default value of 1440 minutes (24*60) as the long-term interval.
3. Restart the Ensemble Controller Server to activate the new values.

On-Demand Monitoring Using Ensemble Controller

Execute this procedure to start on-demand monitoring using the Ensemble Controller
GUI:

On-demand monitoring works only if short-term or long-term

monitoring is enabled. To enable short-term or long-term
monitoring, see Activating Short-Term or Long-Term Monitoring.

1. In the Ensemble Controller Settings, select System, and then Self-Monitoring

Actions. A window opens asking for confirmation.
2. Click Continue to start the monitoring. A Save window opens prompting you to
select a location to save the monitoring log.
3. Select the file name and location to save your results, and then click Save. A window
opens indicating the file name and location you just selected.
4. Press OK. The file you specified in Step 3 is populated with the monitoring results.

On-Demand Monitoring Using nmsadmin

Complete these steps to start on-demand monitoring using the nmsadmin script located
in the Ensemble Controller installation directory, bin folder.

On-demand monitoring works only if short-term or long-term

monitoring is enabled. To enable short-term or long-term
monitoring, see Activating Short-Term or Long-Term Monitoring.

1. Launch the nmsadmin script.

2. Type W to start on-demand monitoring, and then press Enter.
3. Type V to exit.

Ensemble Controller R15.2 Administrator Manual - Issue: A 575

Adtran Hardware or Software Support and Compatibilities

Retrieving Monitoring Data

The resulting monitoring data are stored in /var/monitoring under the Ensemble
Controller installation directory. These include:
l CSV monitoring logs such as shortTerm.csv, longTerm.csv and onDemand.csv files
l Thread dump log files resulting from “on demand” monitoring
l NE-related log files such as shortTermNE_<NE-name>.csv, longTermNE_<NE-
name>.csv and onDemandNE_<NE-name>.csv.NE-related log files such as
shortTermNE_<NE-name>.csv, longTermNE_<NE-name>.csv and onDemandNE_
<NE-name>.csv.

Deletion of Log Files

Ensemble Controller deletes old log files according to these rules:
l Short-term and long-term monitoring logs are rolled at Ensemble Controller
Server startup, while “on demand” monitoring logs are rolled when you trigger “on
demand” monitoring again. The logs are also rolled when the file size exceeds the
maximum value configured in log4j2.xml. Afterwards, the backup index of the files
get increased by one. When the backup index of a file exceeds the maximum value
configured in log4j2.xml, this file gets deleted.
l Once you remove an NE from the monitoring list(s), the Ensemble Controller
deletes logs associated with this NE. Hence we recommend that you save NE logs
in a separate folder, if you wish to keep them for future reference.

Server Access Options

Properties for Servers with Multiple IP Interfaces
If the Ensemble Controller Server (ENC Server) needs to interact with multiple IP
interfaces, you can use these properties to configure them:

Properties Description
com.adva.fnm.option.serverIP For communication from the
server to the client, and from the
server to the server.

Ensemble Controller R15.2 Administrator Manual - Issue: A 576

Adtran Hardware or Software Support and Compatibilities

Properties Description
com.adva.fnm.option.trapsink For SNMP trap registrations. The
property supports only IPv4
addresses or host names. Type a
trapsink IP address that faces
network elements.
com.adva.fnm.option.trapsinkport The port that the server uses for
SNMP trap notifications. The
default is 162. If you do not define
a port, the system uses the default.
com.adva.fnm.option.trapsink.ip6 For SNMP trap registrations. The
property supports only IPv6
addresses. Local link addresses are
not accepted.
com.adva.fnm.option.trapsink.IpValidationEnabled To enable the property, set it to
true. After you enable it, the
system validates the trapsink IPv4
and IPv6 addresses to verify
whether they belong to the
system. The validation process
takes place during server restart.
com.adva.fnm.option.snmpProviderHost For Element Manager SNMP
communication. Type an IP
address that faces Ensemble
Controller Server clients.
com.adva.nlms.mediation.mtosi.hostName Displays in MTOSI responses.
com.adva.fnm.option.snmpNBISource You can configure Ensemble
Controller to transmit SNMP
northbound interface (NBI) traps. If
configured, the software reports
the source IP address that you
specify with this property as
varbind within the event.

For details about these properties and the requirements when specifying respective IP
addresses for each of them, see Configuring Multiple Network Interfaces.

Ensemble Controller R15.2 Administrator Manual - Issue: A 577

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.webserver.port
This property specifies the Jetty web server port that the Ensemble Controller Client uses.
The default port is set to 8080, which is commonly used for web services and which
customer firewalls should not block. By default, the client will try to connect to the ports
80, 8080 and 9000.

To disable (close) these ports so that the server can no longer connect to them, set the
property to none.

Recommendation:
If you set the property to none, we recommend that you adapt these
tile server properties to use https.
l com.adva.fnm.option.TileServerLayer.street=https:[...]

l com.adva.fnm.option.TileServerLayer.satellite=https:[...]

For information about map tile servers, see Installing the Local
Geographical Map-Tile Server in Linux.

com.adva.fnm.option.rest.securePort
This property specifies the port that the Jetty web server and the GUI use. The default
port is set to 8443. To disable (close) this port so that the server can no longer connect to
it, set the property to none.

com.adva.fnm.option.rest.securePortWithMutualAuth
This property specifies the port that server to server authentication uses based on
certificates (mutual authentication). The mutual authentication process allows for secure
communication between the various Ensemble Controller applications. The default value
for this port is 9543.

com.adva.nlms.mediation.server.proxy.startModule
This parameter specifies whether the internal HTTP proxy is enabled (set to 'yes') or
disabled (set to 'no'). The proxy is by default disabled.

com.adva.nlms.mediation.server.proxy.port
This parameter specifies the port where the HTTP proxy is working. By default, port 9090
is used.

Ensemble Controller R15.2 Administrator Manual - Issue: A 578

Adtran Hardware or Software Support and Compatibilities

Properties for Configuring the Java Messaging System

(JMS)
The Java messaging system is used to internally communicate events on the server and
between server and client. It is preconfigured and active upon Ensemble Controller
installation. As appropriate, the JMS. can be customized by using these properties:
l jms.transportProtocol
The transport protocol to communicate between the server and the JMS broker
service. These protocol options are available:
o nio1+ssl: With the release version 12.3, the default protocol including

encryption in the messaging system.

If you upgrade your Ensemble Controller version to 12.3 without

uninstalling the existing version, ensure that in the
fnm.properties file, you change the jms.transportProtocol from
nio to nio+ssl.

To change to an unencrypted JMS transport, set these properties:

jms.transportProtocol=nio
jms.additional.args=
The jms.additional.args property must be empty if the transport protocol is
nio.
o nio1: Before the release version 12.3, the default protocol in the messaging
system.
o tcp: The alternative protocol in the messaging system. If the nio protocol
causes any installation or system problems, we recommend to use the tcp
protocol.
o ssl: The alternative protocol for secure client-server connections. Only enable
ssl if you really need it. If you enable it and you experience any performance
issues, revert to nio+ssl.
l jms.additional.args
You can use additional arguments while the JMS connections establish.
l jms.url
The IP that the nms server, activemq, and the client uses for communication. The
default value is 0.0.0.0 unless the Ensemble Controller Server has more than one
network interface, or a specific network interface was needed for the server-client
communication.

1. nio stands for non-blocking input or output (I/O). It provides access to low-level I/O operations of modern
operating systems and directly uses the most efficient operations of the underlying platform.
Ensemble Controller R15.2 Administrator Manual - Issue: A 579
Adtran Hardware or Software Support and Compatibilities

l jms.port
The port that the nms server, activemq, and the client uses for communication.
Change this property if you use the default port 33028.
l activemq.useJMX
Use this property to enable or disable the activemq-jmx communication for
monitoring purposes. The default value is true.
We recommend against setting this property to false. If you do so, the JMS does
no longer use the default activemq.jmx.port 33092 and therefore cannot monitor
the health and performance status of the ActiveMQ broker anymore. Instead, set
the property to true and use a firewall to block any external access to this port to
warrant monitoring.
l activemq.jmx.port
The port that the broker uses to communicate with JMX. Change this property only
if the default port 33092 is in use. You can use the ActiveMQ settings to connect to
port 33092 only from the localhost. The system discards remote connections. You
can use the firewall to hide this port without influencing the Ensemble Controller
operations.

com.adva.fnm.mediation.monitoring.commandLineInterf
acePORT
The RMI port is used by the command line interface to trigger the Ensemble Controller
functionality.

com.adva.fnm.option.server_timeout
This property specifies the session idle time. The session idle time governs how many
seconds of inactivity is accepted from any connected Ensemble Controller session, before
Ensemble Controller automatically closes the client session. If the computer running the
Ensemble Controller Server is slow, or the Ensemble Controller database is very large, you
can increase the property value. The default setting is 300 seconds, which is 5 minutes.

com.adva.fnm.option.maxClientConnectionAlarmThresh
old
This property specifies the maximum number of clients that can be connected. If this
number is exceeded, an alarm is raised. The default value is 20.

Ensemble Controller R15.2 Administrator Manual - Issue: A 580

Adtran Hardware or Software Support and Compatibilities

com.adva.fnm.option.maxClientConnectionAllowed
This property specifies the maximum number of clients that can be connected. The
default value is 20.

For the Ensemble Controller Server the maximum number of clients that simultaneously
can access the Ensemble Controller depends on the server hardware. See the
Dimensioning Guide for details. The maximum allowed number is 75 clients.

TCA Monitoring Option

com.adva.nlms.mediation.thresholdCrossingAlert.tcaClea
rDelay=30
# Delay in seconds applied at the 15-minute boundary before TCA is raised

# during the previous 15-minute interval are cleared

This option sets the hold-off delay used by the TCA Monitoring feature, see the Packet
Management Guide for details. The default value is 30.

com.adva.nlms.mediation.thresholdCrossingAlert.tcaDet
ectionByParamId
A boolean property that indicates whether latency-related TCAs are detected using
'parameterId' value in internal events. If the value is set to 'false', 'newStringValue'
property is used to detect latency-related TCAs.

Error-free Output of Database

Validation Verification
Prior to upgrading the Ensemble Controller Server, we recommend that you perform
database consistency verification by using printDBInconsistenciesPostgres
script provided in the Salesforce Customer Portal.

This is the error-free output obtained from running the

printDBInconsistenciesPostgres script.

======================================================================================
====

Ensemble Controller R15.2 Administrator Manual - Issue: A 581

Adtran Hardware or Software Support and Compatibilities

=
=
= SEARCHING FOR DB INCONSISTENCIES. PLEASE CONTACT TECH SUPPORT TEAM IF ANY ARE
FOUND! =
=
=
======================================================================================
====
Searching for not supported devices:
find_unsupported_devices
--------------------------
check_aps_group_inconsistecies
--------------------------------
======================================================================================
====
=
=
= SEARCHING FOR ORPHAN ENTITIES. FNM UPGRADE WILL FAIL IF THERE ARE ANY!
=
=
=
======================================================================================
====
check_entity_db_impl_relations
--------------------------------
check_cn_network_element_table
--------------------------------
find_entities_with_invalid_ne_reference
-----------------------------------------
check_mac_address_duplications
--------------------------------
=====================================================================================
Services on FSP3000 R7 nodes where the optical channels are missing network ptp
information:
check_fsp3000r7_services_missing_network_port_ptp
---------------------------------------------------
=====================================================================================
Services containing optical channels which are missing port or module information:
label | subchconn_id
-------+--------------
=====================================================================================
Services which are missing port or module information:
label | id
-------+----
=====================================================================================

Ensemble Controller R15.2 Administrator Manual - Issue: A 582

Adtran Hardware or Software Support and Compatibilities

Modules referencing services which do not exist:

name0 | aidstring | id
-------+-----------+----
=====================================================================================
List of duplicated aids:
ne_id | aidstring | count
-------+-----------+-------
=====================================================================================
Duplicate entities have such ids:
name0 | id | id
-------+----+----
Entities in cycle size 1 have such ids:
id
----
Entities in cycle size 2 have such ids:
id | id
----+----
Entities in cycle size 3 have such ids:
id | id | id
----+----+----
Entities in cycle size 4 have such ids:
id | id | id | id
----+----+----+----
Duplicated CC825 shapers:
ne_id | portindex | flowindex | qosindex
-------+-----------+-----------+----------
=====================================================================================
Fdfr ends without parent:
id | shortdescription
----+------------------
=====================================================================================
Duplicated PG Ports:
shortdescription | ne_id | count
------------------+-------+-------
=====================================================================================
Entities which have reference to non existent Network Element:
id | ne_id | shortdescription | jdoclass
----+-------+------------------+----------
=====================================================================================
List of Alarms associated to multiple Services:
source_ne | entity_description | moduletype_name | services
-----------+--------------------+-----------------+----------

Ensemble Controller R15.2 Administrator Manual - Issue: A 583

Adtran Hardware or Software Support and Compatibilities

Entity Index or AID Values

Ensemble Controller (ENC) generates unique access identifiers (AIDs) to identify its
different entities. An existing AID address is a well-formed address whose supporting
entity (from an addressing point of view) is assigned in the database.

These entities are then used in all types of reports and windows in which to view
information and configure Ensemble Controller.

For some devices, Ensemble Controller uses AID values, which directly come from the
individual network elements. This is especially true for FSP 3000R7 that is, Ensemble
Controller uses the AID that is provided by the SNMP interface of the FSP 3000R7
management software.

In general, this also applies to these devices, although there are select cases where
Ensemble Controller generates the AID values to ensure uniqueness, and thus the AIDs
will differ from the ones received from the network element SNMP interface:
l FSP 150EG-M
l FSP 150EG-X
l FSP 150-GE112
l FSP 150-GE114
l FSP 150-GE114S
l FSP 150CC-GE206V
l FSP 150CC-T1804
l FSP 150CC-T3204
l FSP 150-XG210
l FSP 150-XG116Pro
l FSP 150-XG116Pro-H
l FSP 150-XG120Pro
l FSP 150-XG120Pro-SH
l FSP 3000 C
l FSP 3000R7 - SH1PCS

Other Ethernet devices not listed have AID values that are defined in the Ensemble
Controller and generally do not match the AID values as defined on the device.

This section describes the AIDs that Ensemble Controller generates and uses for all
supported network element types. These are the product families:

Ensemble Controller R15.2 Administrator Manual - Issue: A 584

Adtran Hardware or Software Support and Compatibilities

FSP 150 585

GE11x/XG210 585
FSP 150CC 586
f825 586
GE20x/Txx04 587
FSP 150CM 588
FSP 150CP 589
FSP 150EG-M[2|4|8] 589
FSP 150EG-X 589
FSP 1500 590
FSP 3000 C 590
FSP 3000R7 591
FSP 3000R7 - SH1PCS 591
Hatteras HN[400|4000] 592

For information about the FSP 3000R7 AIDs, see the corresponding product user
documentation obtainable from the Customer Portal at http://www.advaoptical.com/.

FSP 150
This section contains the AID value descriptions of these FSP 150 device types:

GE11x/XG210 585

GE11x/XG210
These devices conform to this AID format:

<entity type>-<network element>-<shelf>-<slot>-<instance>

l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l network element
o Purpose: The network element instance number.

o Usage: Not used for all entities.

Ensemble Controller R15.2 Administrator Manual - Issue: A 585

Adtran Hardware or Software Support and Compatibilities

l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.

o Usage: Not used for all entities.

Examples:

NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1

XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3

SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

FSP 150CC
This section contains the AID value descriptions of these FSP 150CC device types:

f825 586
GE20x/Txx04 587

f825
These devices have a fixed virtual shelf numbered 1 that is assumed and not shown. The
AID is in this format:

<entity type>-<instance>
l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

Ensemble Controller R15.2 Administrator Manual - Issue: A 586

Adtran Hardware or Software Support and Compatibilities

l instance
o Purpose: The entity instance number.

o Usage: Used for all entities.

Examples:
l WAN-1
l LAN-2
l PSU-1

Other Ensemble Controller device types not shown above are similar to
the f825.

GE20x/Txx04
These devices conform to this AID format:

<entity type>-<network element>-<shelf>-<slot>-<instance>

l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l network element
o Purpose: The network element instance number.

o Usage: Not used for all entities.

Examples:

NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1

Ensemble Controller R15.2 Administrator Manual - Issue: A 587

Adtran Hardware or Software Support and Compatibilities

XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3

SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

FSP 150CM
The naming for CM devices is different than for other FSP 150 devices. The name includes
the shelf number. The AID is in this format:

<entity type>-<instance> <shelf>-<slot>

l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l instance
o Purpose: The entity instance number.

o Usage: Not used for all entities.

l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.

Examples:

Complete AID: NET-1 1-6

NET 1 in shelf 1 and slot 6

No <instance>: ACC 1-5

ACC in shelf 1 and slot 5

No <shelf>-<slot>: PSU-1; FAN-1

Some entities such as PSUs are inconsistent and do not indicate the shelf
number.

Ensemble Controller R15.2 Administrator Manual - Issue: A 588

Adtran Hardware or Software Support and Compatibilities

FSP 150CP
The FSP 150CP AID is in this format:

<entity type>-<instance>
l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l instance
o Purpose: The entity instance number.

o Usage: Used for all entities.

FSP 150EG-M[2|4|8]
This device conforms to this AID format:
l Port: <ifName>
l Service: <serviceIndex>
l Service Port: <serviceIndex>-<servicePortIndex>
l Classification Rule: <servicePortIndex>-<ruleIndex>
l QOS: <serviceNumber>-<servicePortIndex>-<entCos>

FSP 150EG-X
This device conforms to this AID format:

<entity type>-<network element>-<shelf>-<slot>-<instance>

l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l network element
o Purpose: The network element instance number.

o Usage: Not used for all entities.

Ensemble Controller R15.2 Administrator Manual - Issue: A 589

Adtran Hardware or Software Support and Compatibilities

o Usage: Not used for all entities.

Examples:

OC3-1-1-3-4
OC3 4 in NE 1, shelf 1, and slot 3

WAN-1-1-19-12
WAN 12 in NE 1, shelf 1, and slot 19

ETH PORT-1-1-23-7
Ethernet port 7 in NE 1, shelf 1, and slot 23

FSP 1500
FSP 1500 AIDs display in the network element (NE) properties, and the reports differ from
the AIDs that display for the events and performance monitoring entities. Small form
pluggables (SFPs) that display in the NE properties correspond to AIDs displayed in the
tab pane as shown in here:
l SFP-1 in NE properties is Link A on Events tab.
l SFP-2 in NE properties is Link B on Events tab.
l SFP-3 in NE properties is High Speed Service Port 1 on Events tab.
l SFP-4 in NE properties is High Speed Service Port 2 on Events tab.

For the FSP 1500 NE type, "STM-4 prot", SFP-3, and SFP-4 is not supported. For more
information about the NE types assigned to the different FSP 1500 variants, see the WDM
Management Guide.

FSP 3000 C
This device conforms to this AID format:

Ensemble Controller R15.2 Administrator Manual - Issue: A 590

Adtran Hardware or Software Support and Compatibilities

<entity type>-<shelf>/<slot>/<port>/<instance>
l entity type
o Purpose: The entity type.

o Usage: Used for all entities.

l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l port
o Purpose: The port instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.

o Usage: Not used for all entities.

Examples:

Plug-1/5/n1
Plug in shelf 1, slot 5, and port n1.

ODU4-1/1/c1/otu4/odu4
Facility ID ODU4 in shelf 1, slot 1, port c1, first facility ID otu4, and second facility ID odu4.

For more information about the FSP 3000 C entity AIDs, see the Integration Manual, FSP
3000 C Access Identifier Changes.

FSP 3000R7
For information about the FSP 3000R7 AIDs, see the corresponding product user
documentation that you can obtain from the Customer Portal.

FSP 3000R7 - SH1PCS

This device conforms to this AID format:

<entity type><network element><shelf><slot><instance>

Ensemble Controller R15.2 Administrator Manual - Issue: A 591

Adtran Hardware or Software Support and Compatibilities

l entity type
o Purpose: The type of the entity.

o Usage: Used for all entities.

l network element
o Purpose: The network element instance number.

o Usage: Not used for all entities.

Examples:

NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1

XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3

SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

Hatteras HN[400|4000]
This device conforms to this AID format:

<entity type> <shelf>-<slot>-<instance> or <entity type>-<instance>

l entity type
o Purpose: The type of the entity.

o Usage: Used for all entities.

Ensemble Controller R15.2 Administrator Manual - Issue: A 592

Adtran Hardware or Software Support and Compatibilities

l instance
o Purpose: The entity instance number.

o Usage: Used for all entities.

l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.

Examples:
l ETH 1-2-2; STACK 1-2-1
l PSU-B
l Shelf 2

Some entities such as PSUs are inconsistent and do not indicate the shelf
number.

Ensemble Controller R15.2 Administrator Manual - Issue: A 593

Adtran Roles and Allocated Actions

Appendix B

Roles and Allocated Actions

For each role supported in Ensemble Controller (Administrator, Configurator, Operator,
Monitor) default actions are allocated.

For some actions, the 2-Man Rule feature can be set. When the 2-Man Rule feature is set,
then the respective action first has to be approved by an authorized second person
before it can be carried out. For more information about the 2-Man Rule (or two-man
approval) feature, see Enabling Two-Man Approval for Actions.

This table provides an overview of the roles and their respective actions allowed to
perform. There are dependent actions listed in the 'Dependencies' column, which are at
the same time allowed to perform when the action in the 'Name' column is allowed.

For more information about the Ensemble Controller roles and how to customize them as
required, see Roles Tab.

Ensemble Controller R15.2 Administrator Manual - Issue: A 594

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Application Allow Configuration x x

View License Information x x x x

View Contact Information x x x x

View Support Information x x x x

View About Information x x x x

HA Administration Allow Configuration x x

Modify Security Preferences Allow Configuration x x

Modify Connected Servers Allow Configuration x

View Recurring Actions Allow Configuration x x x x

Modify Recurring Actions View Recurring x x x

Actions

Second Approval Allow Configuration x

Control NBI Trap Transmitter Settings Allow Configuration x

Create System Health Report Allow Configuration, x

View Support
Information

Ensemble Controller R15.2 Administrator Manual - Issue: A 595

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

View Messages x x x x

Modify Global Layout Templates Allow Configuration x

Fix DB Inconsistency Allow Configuration x x

Immediate ENC Server Database Allow Configuration x x

Backup
Server Preferences Allow Configuration x x

Show Streaming Replication HA x x x x

Status
Enable REST NBI Allow Configuration x

Access to ELS from ENC x x x x

View ENC-ELS Single Sign-On settings x

Modify ENC-ELS Single Sign-On View ENC-ELS x

Settings Single Sign-On
settings

Perform ELS Single Sign-On as x

Administrator

Ensemble Controller R15.2 Administrator Manual - Issue: A 596

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Perform ELS Single Sign-On as x

Restricted Administrator

Perform ELS Single Sign-On as Read x x x x

User Management Log In x x x x

Multiple Login Log In x x x x
Disconnect User View User List, x
View Security
Manager
Add User View User List, x x
View Security
Manager
Modify User View User List, x x
View Security
Manager
Delete User View User List, x x
View Security
Manager

Ensemble Controller R15.2 Administrator Manual - Issue: A 597

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
View User List View Security x x
Manager
Reset User Password View User List, x
View Security
Manager

Modify Own Password x x x x

Add User Group View User Groups, x x
View Security
Manager
Modify User Group View User Groups, x x
View Security
Manager,
Add User Group
Delete User Group View User Groups, x x
View Security
Manager
View User Groups View Security x
Manager

Ensemble Controller R15.2 Administrator Manual - Issue: A 598

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
Add User Role View User Roles, x x
View Security
Manager
Modify User Role View User Roles, x x
View Security
Manager
Delete User Role View User Roles, x x
View Security
Manager
View User Roles View Security x
Manager
Modify Action Log Settings View Security x x
Manager
Reset Security Settings to Factory Add User Group, x x
Defaults Modify User Group,
Add User Role,
Modify User Role,
Modify Action Log
Settings

Ensemble Controller R15.2 Administrator Manual - Issue: A 599

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
View Security Manager Allow Configuration x x
Modify Own Notification Filters x x x
Modify All Notification Filters Modify Own x
Notification Filters
User Broadcast User Messages x
Communication

Ensemble Controller R15.2 Administrator Manual - Issue: A 600

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
Rename Root Level Subnetwork Modify Subnetwork x
Topology, Allow
Configuration,
Add New
Subnetwork
Modify Subnetwork Topology Allow Configuration x x x
Delete Subnetwork Allow Configuration, x x x
Modify Subnetwork
Topology
Delete Subnetwork from root level Allow Configuration, x x
Delete Subnetwork
Delete Non-Empty Subnetwork Allow Configuration, x x
Delete Subnetwork
Add Network Element Allow Configuration, x x x
Modify Subnetwork
Topology
Delete Network Element Allow Configuration, x x x
Modify Subnetwork
Topology

Ensemble Controller R15.2 Administrator Manual - Issue: A 601

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
Manual Line Protection Switch Allow Configuration x x x
Modify Graph Layout Allow Configuration, x x
Modify Network
Element Properties
Move Subnetworks in hierarchy Allow Configuration x x
Move Network Element in hierarchy Allow Configuration x x

Add New Customer Allow Configuration x x

Create customer/customer group on Allow x

root level Configuration,
Add new Customer

Delete Customer Allow Configuration x x x

Move Customers in hierarchy Allow Configuration x x

Add New Group Allow Configuration x x

Delete Group Allow Configuration x x x

Move Groups in Hierarchy Allow Configuration x x

Scan IP Range x x

Ensemble Controller R15.2 Administrator Manual - Issue: A 602

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Configuration - Modify Global Network Properties View Global Network x x

Network Elements Properties, Allow
Configuration
View Global Network Properties x x x x
Modify Subnetwork Properties View Subnetwork x x
Properties, Allow
Configuration
View Subnetwork Properties x x x x
Modify Network Element Properties View Network x x x
Element Properties,
Allow Configuration
View Network Element Properties x x x x
Modify Line Properties View Link Properties, x x
Allow Configuration
View Line Properties x x x x
Modify Group Properties View Group x x
Properties,
Allow Configuration

Ensemble Controller R15.2 Administrator Manual - Issue: A 603

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
View Group Properties x x x x
Modify Customer Properties View Customer x x
Properties, Allow
Configuration
View Customer Properties x x x x
Delete Module from Ensemble Modify Network x x
Controller Database Element Properties,
Allow Configuration
Upgrade Network Element Software Allow Configuration x x x
Backup Network Element Configuration Allow Configuration x x

Restore Network Element Allow Configuration x x

Configuration
Perform Manual Polling (Update) x x x x
Run Element Manager in Read-Write Run Element x x x
Mode Manager in Read-
Only Mode

Ensemble Controller R15.2 Administrator Manual - Issue: A 604

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
Run Element Manager in Read-Only x x x x
Mode

Run WEB Manager x x x x

Run CLI Client x x x x

Run Sync View Plus x x x

Enable Alarm Reporting Allow Configuration x x

Inhibit Alarm Reporting Allow Configuration x x

Run RAYtracer x x x

Reset SNMP Session View Global x x

Network Properties,
Allow Configuration

Modify Network Element Password x

Temporary Privilege Request Approval Allow Configuration x x

Temporary Privilege Session Kill Temporary Privilege x x

Request Approval

Ensemble Controller R15.2 Administrator Manual - Issue: A 605

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Reveal Fallback NE Password Allow Configuration x x

SSO NE Login through Temporary Allow Configuration, x

Account Run WEB Manager
Configuration - Manager Master Profiles Allow Configuration x
Profile
Management Distribute Master Profiles Allow Configuration x

Manage SNMP Profiles View SNMP Profiles x

View SNMP Profiles x

Modify SNMP Settings View SNMP Settings x

View SNMP Settings x

Configuration - Add Service Browse Services, x x

Services Modify Service,
Allow Configuration,
Service Admin State
Modify Service Browse Services, x x x
Allow Configuration
Delete Service Browse Services, x x x
Allow Configuration

Ensemble Controller R15.2 Administrator Manual - Issue: A 606

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Service Admin State Browse Services, x x x

Read Access to
Supported
Connections

Service Protection Switch Browse Services x x x

Service Protection Swap Browse Services x x x

Browse Services x x x x

Service Ownership Transfer Browse Services, x

Allow Configuration

Equalize Service Browse Services, x x x

Modify Service

Run Service Test Browse Services x x x

Acknowledge / Unacknowledge Browse Services x x

Faulted Service

Export Service List Browse Services x x x

View Encryption x

Ensemble Optical Director Usage x x

Ensemble Controller R15.2 Administrator Manual - Issue: A 607

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Modify Encryption View Encryption x

Ensemble Bandwidth Manager x x x x

Read Access to Supported Browse Services x x

Connections

Write Access to Supported Read Access to x x x

Connections Supported
Connections

Save ROADM Configuration x x

Replace ROADM Configuration Save ROADM x x

Configuration

Re Equalize ROADM Save ROADM x x

Configuration,
Replace ROADM
Configuration

Remove Saved ROADM Data Save ROADM x x

Configuration

Ensemble Packet Director Usage x x

Ensemble Controller R15.2 Administrator Manual - Issue: A 608

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Adopt/Add Ethernet Ring Ensemble Packet x x

Director Usage

Modify Ethernet Ring Ensemble Packet x x

Director Usage

Delete Ethernet Ring Ensemble Packet x x

Director Usage

Events Modify Event Severity Settings View Event Severity x x

Settings, Allow
Configuration

View Event Severity Settings Allow Configuration x x

Modify Event Log Size Control View Event Log Size x x

Control

View Event Log Size Control x x

Acknowledge/Unacknowledge Browse x x x
Event/Alarm Events/Alarms

Delete Event Browse x x x x

Events/Alarms

Ensemble Controller R15.2 Administrator Manual - Issue: A 609

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Delete Security Event Browse Security x x x

Events, Delete Event

Create Archive Browse x

Events/Alarms

Browse Events/Alarms x x x x

Modify Event/Alarm Filter Settings Browse x x x x

Events/Alarms

Browse Security Events Browse x x x x

Events/Alarms

Ensemble Controller R15.2 Administrator Manual - Issue: A 610

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Performance Modify Performance Collection View Performance x x

Templates Collection Settings

Modify Performance Collection View Performance x x

Template Assignments Collection Settings

View Performance Collection Settings x x x x

View Performance Data x x x x

View Fiber Assurance Data View Performance x x x x

Data

View Health Center Server Dashboard x

View Health Center Network x

Dashboard

Reports Generate Report View Report, Browse x x x

Reports

Delete Report View Report, Browse x x x x

Reports

Browse Reports x x x x

View Report Browse Reports x x x x

Ensemble Controller R15.2 Administrator Manual - Issue: A 611

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Export Report View Report, Browse x x x x

Reports

Generate Security Report View Security x

Report, Generate
Report, Browse
Security Events

Delete Security Report View Security x x

Report,
Delete Report,
Browse Security
Events

View Security Report View Report, x

Browse Security
Events

Self-Monitoring Run Self-Monitoring x x

TCA-Monitoring View TCA Monitoring x x x x

View Add ESA Probes Window View TCA x x x

Monitoring

Ensemble Controller R15.2 Administrator Manual - Issue: A 612

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule

Rapid-Monitoring Run Rapid-Monitoring x x

Ensemble Sync View Synchronization x x x x

Director
Modify Synchronization View x x
Synchronization
View SyncJack x x x x

Modify SyncJack View SyncJack x x

View GNSS Assurance View x x x x

Synchronization

Modify GNSS Assurance View x

Synchronization
View PTP (Time And Phase) Assurance x x x x

Modify PTP (Time And Phase) View PTP (Time And x x

Assurance Phase) Assurance
Ensemble Run Ensemble Command-Based x x
Command-Based Manager
Manager

Ensemble Controller R15.2 Administrator Manual - Issue: A 613

Adtran Roles and Allocated Actions

Table 43: Overview of Roles and Their Allowed Actions

Actions Roles
2-Man
Category Name Dependencies Admin. Config. Oper. Mon.
Rule
Ensemble Fiber Modify Fiber Director Server Settings View Fiber Director x x
Director
Modify Fiber Route View Fiber Director x x
View Fiber Director x x x x
Read EFD Related Data x x x
Start Tone Generation Read EFD Related x x
Data

Ensemble Controller R15.2 Administrator Manual - Issue: A 614

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Appendix C

Pro-Vision – Service
Provisioning and
Management Platform
Discovering Your Network 615
Fault Management 623
Auditing and Authorization 641

Discovering Your Network

Pro-Vision automatically discovers your network and the elements in the network.

This chapter explains:

Discovery Configuration 615

Setting the Display Name to the System Name 621
Zero Touch Configuration 622

Discovery Configuration
The options explained in this topic are as follows:

Discovery Configuration 616

Viewing Discovery Networks 619

Ensemble Controller R15.2 Administrator Manual - Issue: A 615

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Running Discovery Manually 619

Viewing Discovery Information through the Task Manager 620
Setting Discovery Threads 621

Discovery Configuration
Use this feature to configure Discovery for Pro-Vision. The SNMP Properties are used as
defaults for Network Discovery.

1. Select Settings: Server Options to open the Server Options window and then select
the Discovery tab.

Discovery Tab
Discovery Settings
Field Description
Enable Enable the toggle switch render this feature functional. The switch is
Discovery disabled by default.
Rediscovery Interval (in hours) between two complete discoveries of a network.
Interval The default is 24 hours. If a negative value is given, it is replaced by
(hours) 24.
Inter-Device The inter-device gap time between discovering nodes.
Discovery
Gap (ms)

Ensemble Controller R15.2 Administrator Manual - Issue: A 616

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Discovery Tab
SNMP Settings
SNMP Choose the appropriate SNMP version: v1, v2, or v3.
Version
SNMP Port Specify the ports while trying to communicate to the SNMP agents
on each node. The default is 161.
SNMP Specify the timeout (in seconds) to wait for the first response before
Timeout attempting a retransmission. The default is 10 seconds.
(sec)
SNMP Specify the number of retries to be made to query a device. The
Retries default is 0 (i.e., only one attempt is made to query a particular node).
Read Specify a community string (such as private or public) that can be
Community given to discover the devices when an SNMP request is given. The
default is public.
Write Specify the community; such as private or public to set the write
Community community property for all SNMP-enabled devices. The default is
private.
SNMPv3 If you selected SNMPv3 in the SNMP Version field, enter a user name
User Name of up to 32 characters. Click on CLICK TO SELECT in the SNMPv3 User
Name field to open the Select from SNMPv3 Users Table (see below
for how to configure).
SNMPv3 If you have selected SNMPv3, enter a context name of up to 32
Context characters.
Name

2. If you chose SNMPv3 in the SNMP Version field, click on CLICK TO SELECT in the
SNMPv3 User Name field to open the Select from SNMPv3 Users Table. Choose a
user from the table and click Select to fill in the SNMPv3 User Name field. Optionally,
click Add to open a window in which you can create a new profile.

Ensemble Controller R15.2 Administrator Manual - Issue: A 617

Pro-Vision – Service Provisioning and Management
Adtran
Platform

SNMPv3 User Name Add Window

Field Description
User Name A user name between 1 and 32 characters.
Host/Network The hostname/network name. The syntax is A.B.C.D. and/or
A.B.C.D.E.F.G.H.
Netmask (IPv4 Specify the netmask. By default, the value is 255.255.255.0.
only)
Port Enter a port number between 1 and 65,535. The default is 161.
Security Level Choose the security level. Options are No Authentication No
Privacy, Authentication No Privacy, and Authentication and
Privacy.
Authentication Enter the appropriate authentication protocol. Options are MD5
Protocol and SHA.
Authentication Enter the authentication password, between 8 and 50 characters.
Password

Ensemble Controller R15.2 Administrator Manual - Issue: A 618

Pro-Vision – Service Provisioning and Management
Adtran
Platform

SNMPv3 User Name Add Window

Re-enter Re-enter the authentication password.
Authentication
Password
Privacy Protocol Enter the appropriate privacy protocol. Options are CBC DES and
CFB AES 128.
Privacy Enter the privacy password, between 8 and 50 characters.
Password
Re-enter Privacy Re-enter the privacy password.
Password

3. Click Save to add the entry to the Select from SNMPv3 Users Table. Choose a user
from the table and click Select to fill in the SNMPv3 User Name field.
4. Fill in the other fields as appropriate and click Save in the Discovery tab.

Viewing Discovery Networks

You can view discovered networks by selecting Network: Networks to open the
Discovery Networks Table.

You can select a network entry in the table to open a detailed view below.

Running Discovery Manually

You can run discovery manually by right-clicking on the appropriate discovered network
in the Discovery Networks Table and clicking Run Discovery Now. Alternatively, you can
select the appropriate discovered network in the table and click Run Discovery Now in
the upper right of the menu bar above the table.

Ensemble Controller R15.2 Administrator Manual - Issue: A 619

Pro-Vision – Service Provisioning and Management
Adtran
Platform

When you click Run Discovery Now, a Network Discovery window appears that shows
discovery progress and results.

Viewing Discovery Information through the Task

Manager
You can view Discovery details in Task History and Task Schedules by selecting Tools:
Task Management: History/Schedules.

Here you can view scheduling details and persisted historical discovery results (the last
three runs per network). The same information shown in real-time in the Network
Discovery window is shown in the "Output" here.

Ensemble Controller R15.2 Administrator Manual - Issue: A 620

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Setting Discovery Threads

You can set the number of threads that can run Discovery by selecting Server Options
and choosing the Tasks tab. Here you can adjust the Discovery Threads field to
between 1 and 40 threads (the default is 3).

Setting the Display Name to the System Name

When a device is discovered, the Display Name property for the device is set to the IP
address of the device.

Use this feature to set the device Display Name to the device System Name (hostname)
when the device is discovered.

1. With the editor of your choice, open the PvConfig.properties file in the
var/web/pvconf directory and find #DEVICE_DISPLAYNAME ipaddress.
2. Replace ipaddress with sysname.
3. Start the Pro-Vision server and client.

When you next run discovery, the device icons will contain System Names.

Avoiding Devices with Duplicate Display Names

Current Pro-Vision design requires that devices in the database have unique display
name values. The default value for a device system name is the device model name, for
example OS904. With the addition of system names to the discovery process, multiple
devices of the same model could end up with the same display name in the database.

To avoid this, complete these steps:

1. Before you add a device, verify whether a device with the same System Name
already exists in the database.
2. If no such device exists, set the Display Name to System Name, and then add the
device.
3. If such a device does exist, create a new unique name by appending the IP address of
the device to the System Name and set the Display Name to this unique string, for
example [email protected].

Ensemble Controller R15.2 Administrator Manual - Issue: A 621

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Zero Touch Configuration

Pro-Vision supports an automatic turn-up process for access devices with Zero Touch,
which significantly reduces the operator’s total cost of ownership.

The Zero Touch Configuration allows you to manually add a device in the offline mode
and have that device perform some or all of these actions automatically.
l Receive its address manually, or through DHCP.
l Check the device for the correct Software Version, download the correct version in
the event of a software mismatch, and perform a restart to activate the
downloaded version.
l Check for a customized startup configuration, download the configuration, and
restart the device to set that configuration as the running configuration.

You can configure any or all of the features listed below to perform together or
separately.

DNS Update
This feature is not supported on Windows platforms.

This release adds RFC 2136 support, which allows you to use Dynamic DNS (Domain
Name Server). Pro-Vision can now notify the DNS to change the DNS configuration of a
currently configured IP address.

Configure the DNS Update using the PvConfig.properties file.

See the Pro-Vision User Manual.

DHCP
In Pro-Vision, the DHCP server does not dynamically hand out IP addresses. Instead, the
server relies on pre-configured IP addresses being returned on the DHCP client's
discovery message.

Currently, adding a device to Pro-Vision involves using the user interface and specifying
the device name and characteristics. When the DHCP server is enabled, the Pro-Vision
Add Device screen provides an additional field where you can enter the device MAC
address.

Ensemble Controller R15.2 Administrator Manual - Issue: A 622

Pro-Vision – Service Provisioning and Management
Adtran
Platform

The DHCP server stores configuration information in the DeviceObject table. This table is
updated directly when you add or edit device information from the Pro-Vision GUI.

See the Pro-Vision User Manual.

Image Download Software/FPGA

This feature allows you to specify a preferred Software version, FPGA version, and Device
Custom Configuration running on your discovered devices. When you perform the initial
Discovery, Pro-Vision checks the discovered device’s Software and FPGA against the
preferred Software and FPGA versions that are configured in the Zero Touch Image
Upgrade and verifies the correct images are running on the device. If not, Pro-Vision
generates a critical alarm message, stating that the Software and/or FPGA versions do
not match. If there is a mismatch and the image filename is defined, the device is
automatically upgraded through the settings in the File Transfer Profile.

Also, when you perform the initial Discovery, the feature runs automatically and loads
your preconfigured custom configuration files onto any newly discovered devices.

Startup Config
You can now add custom configurations to devices during Discovery. This feature runs
automatically.

When you create a device startup configuration file, you can add special tags to the CLI
commands you enter. You can replace these tag fields by entering your own data, which
is then written out to a device custom file. Enter the tags in UPPERCASE and bracketed by
“<” and “>” characters.

Zero Touch Offline Sync/NTU Replacement

NTU (Network Termination Unit) replacement support has been added to the Zero Touch
features. NTU replacement behavior has been modified to synchronize all configurable
port attributes, including those that are in or out of a default state. All other non-port
related attributes will continue to be synchronized as in the past.

Fault Management
The detection of fault is an online process that gives indication of malfunctioning. Fault
detection and notification are two functional areas which should identify problems and
effectively inform the system administrator. Fault Management handles error conditions

Ensemble Controller R15.2 Administrator Manual - Issue: A 623

Pro-Vision – Service Provisioning and Management
Adtran
Platform

(that cause users to lose the full functionality of a network resource) and provides
network administrators with sophisticated event management, including generation of
alerts, automated actions, event correlation, or trap, event, alert filtering, and so on to
detect, isolate, and repair malfunctions in the network and its control sub-system.

This chapter explains:

Configuring Alarm Filters 624

Performing Alarm Operations 639

Configuring Alarm Filters

When events are generated from devices in a network, you can configure Pro-Vision to
send notifications.

Pro-Vision supports these types of built-in filter notifications:

l Suppressing multiple events in a given interval
l Running system commands on the server
l Sending e-mails
l Sending traps

The processed events are stored in the database and can be viewed in the Events Viewer.
The Events Viewer is asynchronously notified as soon as an event is processed.

You can configure an Event Filter using the Create Filter tool. You can use the properties
of the event object or of the associated trap (if the event has been generated by a trap) in
some of the fields, such as the Suppress Event notification, Run Command notification,
Send Trap notification, and Send E-mail notification.

The rest of the page will cover these items:

Event Log Parameters 625

Opening the Event/Alarm Filter Configuration Tool 626
Configuring Actions 626
Adding Alarm Filters 633
Configuring SNMP Trap Forwarding Profiles 635
Configuring Custom SNMP Traps 636
Viewing Events 638
Viewing Alarms 639

Ensemble Controller R15.2 Administrator Manual - Issue: A 624

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Event Log Parameters

Use this feature to configure events for Pro-Vision. Event configuration influences device
polling in this sense: if a device changes state, an Event is created. How quickly these
events are processed has an impact on overall performance.

Reducing Maximum Event Log Size improves table load speed when there are many
events and saves space in the database, although you can lose information about past
events.

1. Select Settings: Server Options to open the Server Options window and then
select the Events tab.

Event Log Tab - Truncation Area

Field Description
Maximum The maximum number of events that the live table can hold. Enter
Event Log Size 1 to 200,000 records. The default is 30,000 records.
(Records)
You can increase the maximum size of 200,000 by changing the
property com.adva.nlms.mediation.event.maxEventLogSize
located in the fnm.properties file.
For details regarding the log size, see Log Size Details of Live
Events.
Wait Before The waiting time in minutes before events are automatically
Auto-Delete deleted. Enter 1 to 10,080 minutes. The default is 30 minutes.
(Minutes)
Event Log Size The event log size in percentage that triggers a warning to be
Warning raised. Enter 1 to 100 percent. The default is 95 percent.
Threshold (%)
Minimal The minimal interval in hours of sending out warnings. Enter 1 to
Warning 672 hours. The default is 24 hours.
Interval (Hours)
Remaining Log The log size in percentage remaining after events have been
Size After deleted. Enter 1 to 100 percent. The default is 90 percent.
Deletion (%)
Event Log Tab - Truncation Area

Ensemble Controller R15.2 Administrator Manual - Issue: A 625

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Event Log Tab - Truncation Area

History The time period in days of retaining events in the history table.
Retention Enter 1 to 360 days. The default is 211 days.
Period (Days)
History The maximum number of events that the history table can hold.
Capacity Enter 1 to 1,499,999 records. The default is 1,000,000 records.
(Records)

2. Fill in the fields as appropriate and click Save in the Events Log tab.

Opening the Event/Alarm Filter Configuration Tool

The Event/Alarm Filters can be created or modified using the Event/Alarm Filter
Configuration tool.

To open the Event/Alarm Filter Configuration Tool

1. From the Fault menu, select Filters. The Filters table opens.

Configuring Actions
This section explains how to configure the various actions, so that you can then apply
their Action Profiles to the appropriate filter.

Configuring Email Servers 626

Configuring Email Profiles 628
Configuring SNMP Trap Profiles 629
Configuring Suppress Profiles 630
Configuring System Command Profiles 631
Configuring Remark Action Profiles 632

Configuring Email Servers

You must first configure an Email server if you want to send Emails.

To configure an Email server

Ensemble Controller R15.2 Administrator Manual - Issue: A 626

Pro-Vision – Service Provisioning and Management
Adtran
Platform

1. Select Fault: Actions: Email Servers. The Email Servers table opens.

2. Click Add to open the Create Email Server window.

Field Description
Email Server Enter an Email Server Name of up to 64 characters (this cannot
Name contain a ‘, !, &, \, or TAB).
Host IP or hostname of the email server.
Port Must be between 5 and 65, 535. Usually the SMTP port is 25 or 587
with SSL/TSL.
Use SSL Enable this toggle switch to use an SSL/TSL connection.
To Designate who you want the mail to be sent to, to a maximum of
255 characters.
From Designate who you want the mail to come from, to a maximum of
255 characters.
Username If you specify a username, it performs the authentication necessary
to send the email.
Password If you specify a password, it performs the authentication necessary
to send the email.

Ensemble Controller R15.2 Administrator Manual - Issue: A 627

Pro-Vision – Service Provisioning and Management
Adtran
Platform

3. Configure the fields as appropriate and click Save. The new Email Server appears in
the Email Servers list.

Configuring Email Profiles

Once you configure an Email server, you can link it to an Email Profile.

To configure an Email profile

1. Select Fault: Actions: Email Profiles. The Email Profiles table opens.

2. Click Add to open the Create Email Action Profile window.

Field Description
Email Enter an Email Profile Name of up to 64 characters (this cannot contain a
Profile ‘, !, &, \, or TAB).
Name
Email The selected Email Server Profile. Click on CLICK TO SELECT to choose
Server from the Select From Email Servers window or click Add in that same
Profile window to create a new Email Server.
Subject Click in the Subject field to open the token selector window, where you
choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the Subject
field.
Message Click in the Message field to open the token selector window, where you
choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the Message
field.

Ensemble Controller R15.2 Administrator Manual - Issue: A 628

Pro-Vision – Service Provisioning and Management
Adtran
Platform

3. Configure the fields as appropriate and click Save. The new Email Profile appears in
the Email Profiles list.

Configuring SNMP Trap Profiles

Use this feature to generate a SNMPv1, SNMPv2, or SNMPv3 trap with the specified
criteria. Complete these steps to configure an SNMP trap profile:

1. From the Fault menu, Actions list, select SNMP Trap Profiles. The SNMP Trap
Action Profiles table opens.

2. Click Add to open the Create SNMP Trap Action Profile window. This window
differs depending on whether you select v1, v2c, or v3 in the Version field. This
window shows the v1 version.

Field Description
SNMP Trap Enter an SNMP trap profile name of up to 64 characters. This name
Profile cannot contain these characters: ‘, !, &, \, or the TAB key.
Name
Destination IP address or hostname of the destination.

Ensemble Controller R15.2 Administrator Manual - Issue: A 629

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Field Description
Port Must be 5 to 65,535.
Community Must be 1 to 100 characters.
Version Select the applicable SNMP version.
l v1: Select to render the Enterprise, Generic Type, and Specific Type
fields visible and configurable.
l v2c: Select to render the OID field visible and configurable.
l v3: If you select this option, you must configure a v3 user in server
options that will be used to send the trap. See Server Settings
Configuration in the Pro-Vision User Manual for more information.
Enterprise Appears if you select SNMP version v1. Identifies the type of
managed object that generates the trap.
Generic Appears if you select SNMP version v1. Indicates one of a number of
Type generic trap types.
Specific Appears if you select SNMP version v1. Indicates one of a number of
Type specific trap codes.
OID This trap identification field appears if you select SNMP version v2c.
Enter an object ID that has 1 to 255 characters.
Varbinds Click Add to open the Adding Table Entry window, where you can
configure the Varbinds.
In the Adding Table Entry window:
l OID: Enter the applicable trap identification field. For an SNMP
OID such as 1.1.0, if no leading dot is specified, the standard prefix
1.3.6.1.2.1 will be prepended.
l Value: Select the appropriate substitution token(s).
l Type: Select String, Integer, Counter, or IP Address.

3. Configure the fields as appropriate, and then click Save. The new SNMP Trap Action
Profile displays in the SNMP Trap Action Profile list.

Configuring Suppress Profiles

Create a suppression profile to allow a single event through, if it is greater than 0, and so
that all events are discarded up to the interval you set here.

Complete these steps to configure a suppression profile

Ensemble Controller R15.2 Administrator Manual - Issue: A 630

Pro-Vision – Service Provisioning and Management
Adtran
Platform

1. Select Fault: Actions: Suppress Profiles. The Suppress Action Profiles table
opens.

2. Click Add to open the Create Suppress Action Profile window.

Field Description
Suppress Enter a Suppress Profile Name of up to 64 characters (this cannot
Profile contain a ‘, !, &, \, or TAB).
Name
Interval If you set this to greater than 0 seconds, the first event is let through
(secs) and all others are discarded up to this time interval.

3. Configure the fields as appropriate and click Save. The new Suppress Action Profile
appears in the Suppress Action Profiles list.

Configuring System Command Profiles

Create a system command profile to automatically execute a system command.

To configure a system command profile

1. Select Fault: Actions: System Command Profiles. The System Command Profiles
table opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 631

Pro-Vision – Service Provisioning and Management
Adtran
Platform

2. Click Add to open the Create System Command Action Profile window.

Field Description
System Enter a System Command Profile Name of up to 64 characters (this
Command cannot contain a ‘, !, &, \, or TAB).
Profile
Name
Command Click in the Command field to open the token selector window, where
you choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the
Command field.
Abort The amount of time (in seconds) before aborting the execution of the
Timeout System Command.
(secs)

3. Configure the fields as appropriate and click Save. The new System Command Action
Profile appears in the System Command Action Profiles list.

Configuring Remark Action Profiles

Create a remark action profile to change the severity of an event or alarm.

To configure a remark action profile

1. Select Fault: Actions: Remark Profiles. The Remark Action Profiles table opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 632

Pro-Vision – Service Provisioning and Management
Adtran
Platform

2. Click Add to open the Create Remark Action Profile window.

Field Description
Remark Profile Enter a Remark Profile Name of up to 64 characters (this cannot
Name contain a ‘, !, &, \, or TAB).
Severity Choose the appropriate severity. Options are Critical, Major, Minor,
Warning, Clear, and Info.

3. Configure the fields as appropriate and click Save. The new Remark Action Profile
appears in the Remark Action Profiles list.

Adding Alarm Filters

To add an Alarm Filter

Ensemble Controller R15.2 Administrator Manual - Issue: A 633

Pro-Vision – Service Provisioning and Management
Adtran
Platform

1. From the Filters table, click Add to open the Create Filter window.

Field Description
Filter Enter a filter name of up to 64 characters (this cannot contain a ‘, !, &, \,
Name or TAB).
Enabled This toggle switch enables or disables the filter.
Severity Choose a severity level, such as Critical, Major, Minor, Warning, Clear, and
Info. If you select Info, the filter will be classified as an Event. If you
select any other Severity, it is an Alarm. You can select multiple
severity levels. Note that if you want only alarms, you must select every
severity except Info.
Source Select a Source Type. Options are Device, Module, Port, Ethernet Service,
Type Optical Transport Service, ERP Service, Link, and Pro-Vision.
Source This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.
Entity This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.

Ensemble Controller R15.2 Administrator Manual - Issue: A 634

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Field Description
Text This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.
Action The selected Action Profile. Click on CLICK TO SELECT to choose from the
Select From Actions window or click Add in that same window to create a
new Action.

2. Click on CLICK TO SELECT in the Actions field to choose from the Select From
Actions window.

3. Choose the appropriate action in the Select From Actions window and click Select.
The Select From Actions window closes and the profile you selected now appears in
the Create Filter window in place of CLICK TO SELECT. Perform this procedure for all
appropriate filters.
To clear an action, click the highlighted row to un-highlight it, and then click Select.
The Select From Actions window closes and the action you cleared is replaced by
CLICK TO SELECT in the Create Filter window.
4. Configure the remaining fields as appropriate, and then click Save.

Configuring SNMP Trap Forwarding Profiles

Create an SNMP Trap Forwarding profile to forward all traps Pro-Vision receives to the
configured destination port. Note that only SNMPv1 and SNMPv2c traps are forwarded
unless an SNMPv3 user is configured in Server Options. SNMPv3 does not forward Pro-
Vision generated events.

To configure an snmp trap forwarder profile

Ensemble Controller R15.2 Administrator Manual - Issue: A 635

Pro-Vision – Service Provisioning and Management
Adtran
Platform

1. Select Fault: SNMP Trap Forwarders. The SNMP Trap Forwarders table opens.

2. Click Add to open the Create SNMP Trap Forwarder window.

Field Description
SNMP Trap Forwarder Enter a SNMP Trap Forwarder Name of up to 64 characters
Profile Name (this cannot contain a ‘, !, &, \, or TAB).
Destination The hostname of the destination.
Port Must be between 1 and 65,535.

3. Configure the fields as appropriate and click Save. The new SNMP Trap Forwarder
Profile appears in the SNMP Trap Forwarder list.
Trap forwarding includes IPv6 addresses of devices using this OID from FSP:
FSP-NM-MIB::neIpAddress OBJECT-TYPE
SYNTAX SnmpAdminString (for example, 1.3.6.1.4.1.2544.1.13.1.1.1.10)
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Network element ip address"
::= { trapObjects 10 }

Configuring Custom SNMP Traps

Create custom SNMP Traps so that Pro-Vision can process traps it does not know about
from third party devices or traps that Pro-Vision did not natively implement.

To configure a custom snmp trap

Ensemble Controller R15.2 Administrator Manual - Issue: A 636

Pro-Vision – Service Provisioning and Management
Adtran
Platform

1. Select Fault: Custom SNMP Traps. The Custom SNMP Traps table opens.

2. Click Add to open the Create Custom Trap window.

Field Description
Custom Enter a Custom Trap Profile Name of up to 64 characters (this cannot
Trap contain a ‘, !, &, \, or TAB).
Profile
Name
Enable This toggle switch enables or disables the trap.
Entity This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.
Message Click in the Message field to open the token selector window, where
you choose from among $source, $name, and $N and click Select to
add them to the Message field.

Ensemble Controller R15.2 Administrator Manual - Issue: A 637

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Field Description
Severity Choose the appropriate severity. Options are Unknown, Critical, Major,
Minor, Warning, Clear, and Info.
Category Match criteria based on an event object property with a category name
to which the event belongs. This is used to organize events. Options
are Topology or Pro-Vision.
V2/V3 OID Enter a V2/V3 Object ID of up to 255 characters (numeric or text).
V1 Identifies the type of V1 managed object that generates the trap.
Enterprise
V1 Generic Indicates one of a number of generic V1 trap types.
Type
V1 Specific Indicates one of a number of specific V1 trap codes.
Type

3. Configure the fields as appropriate and click Save. The new Custom SNMP Trap
appears in the Custom SNMP Trap list.

Viewing Events
From the Fault menu, select Events to open the Events table. Click on the appropriate
event in the table to open a detail window for that event.

Viewing Events
Field Description
NMS Time The time of event creation.
Severity The event severity, either Critical, Informational, Minor, or Warning.

Ensemble Controller R15.2 Administrator Manual - Issue: A 638

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Viewing Events
Source The source type the event is from. Source types are Device, Port, Module,
Type Ethernet Service, Optical Transport Service, ERP Service, Link, and Provision.
Source The IP address of the event source.
AID The event access identifier.
Text The event’s text description.

Viewing Alarms
From the Faultmenu, select Alarms to open the Alarms table. Click on the appropriate
alarm in the table to open a detail window for that alarm.

Viewing Alarms
Field Description
NMS Time The time of alarm creation.
Severity The alarm severity, either Critical, Informational, Minor, or Warning.
Source The source type the alarm is from. Source types are Device, Port, Module,
Type Ethernet Service, Optical Transport Service, ERP Service, Link, and Provision.
Source The IP address of the alarm source.
AID The alarm access identifier.
Text The alarm’s text description.

Performing Alarm Operations

The administrative tasks that you can perform in the Alarm View are

Ensemble Controller R15.2 Administrator Manual - Issue: A 639

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Clearing Alarms 640

Configuring Alarm Severity 640

Clearing Alarms
The alarms that the system generates in the network, automatically clear during runtime.
You can also clear an alarm manually after resolved it or if it is inconsequential.
Sometimes, the agent sends fault only when there is a crisis and does not send
notifications when that crisis is resolved. In such a scenario, you can manually clear the
alarm.

To clear an alarm:

1. Open the Alarm Viewer.

2. To select the alarm that you want to clear, click the corresponding row.
3. From the menu, select Clear Alarms.

If you clear an alarm, the system adds an event to the event table.

Configuring Alarm Severity

You can now configure trap severities for filters defined in the trap.filters file. Set the
severities in the var/web/pvconf/trap_sev.conf file. The file is located at C:\Pro-
Vision\conf\trap_sev.conf.

This file is used to specify the trap severities for the trap filters defined in the trap.filters
file.

Trap Severity Values:

l 1 is for Critical
l 2 is for Major
l 3 is for Minor
l 4 is for Warning
l 6 is for Info

Clear is set to Info.

For most traps, you need only specify either the clear_severity value or the fault_
severity value. However, in some cases, for example OamCcmAlarm, the same trap is
generated for both a fault and clear indication (you must look inside the trap varbind to

Ensemble Controller R15.2 Administrator Manual - Issue: A 640

Pro-Vision – Service Provisioning and Management
Adtran
Platform

determine which one it is). In this case, you should specify both clear_severity and
fault_severity values.

Auditing and Authorization

This chapter explains how to configure and view the auditing and authorization features.

Configuring the Auditing Feature 641

Configuring Authorization 643

Configuring the Auditing Feature

Use the auditing fields to enable and configure auditing.

1. From the Settings menu, select Server Options to open the Server Options
window and configure these fields:

Server Options – Auditing Settings

Field Description
Audit Select On to enable auditing at a system level. The default is enabled.
Enabled Selecting On disables any Pro-Vision generated audits, but does not
disable audits such as authentication.
Audit Enter 0 to 365 days for an audit clean (cleanup) interval. The default is 7.
Clean Any audit trails older than this value are deleted.
Interval
(Days)

2. Configure the fields appropriately, and then click Save.

Viewing Audit Information through the Task Manager 641

Sylsog Server Filters 642
Viewing the Audit Log 642

Viewing Audit Information through the Task Manager

You can view audit details in Task History and Task Schedules by selecting Tools, then
Task Management, and then History/Schedules.

Ensemble Controller R15.2 Administrator Manual - Issue: A 641

Pro-Vision – Service Provisioning and Management
Adtran
Platform

In the Task Schedules window, you can see an Audit Clean task. This task runs when the
server starts and also every night. The task deletes any audit trails older than the
configured value.

In the History window, you can view audit cleanup details to see how many rows or
records the system deleted and the how much time it took to delete them.

Sylsog Server Filters

The audit log filters Audit Logs and All Alarms and Audit Logs are in the Filter field in the
Syslog table Editing Table Entry window. Use these to filter for the appropriate alarms
and audit logs. See the Pro-Vision User Manual for more information.

Viewing the Audit Log

To view the audit details in the Audit Log window, select Settings, and then Audit Log.
Select the appropriate audit username and operation to open a detailed view, shown
here:

Ensemble Controller R15.2 Administrator Manual - Issue: A 642

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Configuring Authorization
You create, update, list, and delete authorized users in the User Management window,
Pro-Vision ENC Users table.

Complete these steps to configure an ENC user.

1. From the Settings menu, select User Management. The ENC Users table opens.

Ensemble Controller R15.2 Administrator Manual - Issue: A 643

Pro-Vision – Service Provisioning and Management
Adtran
Platform

2. Click Add to open the Create a new ENC User window.

Create a New ENC User

Field Description
User Name Enter a Pro-Vision user name that has 1 to 64 characters.
Full Name Enter a user name that has 1 to 1000 characters.
Description Enter a description that has 1 to 10,000 characters.
Email Enter an email address that has 1 to 255 characters.
Password Enter a password that has 1 to 32 characters.
Re-enter Re-enter the password you entered in the previous field.
Password
Enabled Select to set Enabled to On.

Ensemble Controller R15.2 Administrator Manual - Issue: A 644

Pro-Vision – Service Provisioning and Management
Adtran
Platform

Create a New ENC User

Groups Select the applicable group name.
l Administrator: Select to set administrator as the role name for
this group. With this privilege level, all group members have full
read-and-write access to all Pro-Vision features, including system
and user administration.
l Configurator: Select to set configurator as the role name for this
group. With this privilege level, all group members have full read-
and-write access to all Pro-Vision features. This group has no
system or user administration access.
l Operator: Select to set operator as the role name for this group.
With this privilege level, all group members can:
o Use SSH to communicate with devices.
o Toggle the EService administration status.
o Run tests.
o Clear alarms.
o Generate reports.
l Monitor: Select to set monitor as the role name for this group.
With this privilege level, all group members have read-only access
to devices and services. This access includes topology views,
inventory views, and making upgrades. This group has no system
or user administration access.
Depending on which role you select, some views are either visible or
invisible in the menus.

3. Configure the fields as appropriate, and then click Save. The new Pro-Vision user is
displayed in the ENC Users list.

Modifying an ENC User 645

Deleting an ENC User 646
Viewing Authentication Type LDAP Users 646

Modifying an ENC User

1. From the ENC Users table, right-click the appropriate ENC User entry.
2. Select View to open a detailed information view of that user. The fields are the same

Ensemble Controller R15.2 Administrator Manual - Issue: A 645

Pro-Vision – Service Provisioning and Management
Adtran
Platform

as those of the Create a new ENC User window.

3. Modify the appropriate fields, and then click Save.

Deleting an ENC User

1. From the ENC Users table, right-click the appropriate ENC User entry.
2. Select Delete to delete the user.

Viewing Authentication Type LDAP Users

When you log in through LDAP, Ensemble Controller creates a user with the
authentication type LDAP in the database. Pro-Vision shows this additional user in the
ENC Users table. This user is not editable.

From the Settings menu, select User Management to open the ENC Users table.

Ensemble Controller R15.2 Administrator Manual - Issue: A 646

Task 4 Part G - Assessmentcommentary
90% (10)
Task 4 Part G - Assessmentcommentary
6 pages
Rev2.3 GPR ReferenceManual
0% (2)
Rev2.3 GPR ReferenceManual
326 pages
OSA542211 5 1CLIReferenceGuide
No ratings yet
OSA542211 5 1CLIReferenceGuide
884 pages
System 800xa Information Management Technical Support Reference
100% (1)
System 800xa Information Management Technical Support Reference
166 pages
BLL UI User Guide
100% (1)
BLL UI User Guide
126 pages
Danone-Wahaha Full Case Study PDF
No ratings yet
Danone-Wahaha Full Case Study PDF
15 pages
ENC Administrator Manual
No ratings yet
ENC Administrator Manual
572 pages
ENC Integration Manual
No ratings yet
ENC Integration Manual
164 pages
Network Element Director FSP3000
No ratings yet
Network Element Director FSP3000
483 pages
Cross-Industry Blockchain Technology: Opportunities and Challenges in Industry 4.0
From Everand
Cross-Industry Blockchain Technology: Opportunities and Challenges in Industry 4.0
Rajesh Singh
No ratings yet
Smart Home and Industrial IoT Devices: Critical Perspectives on Cyberthreats, Frameworks and Protocols
From Everand
Smart Home and Industrial IoT Devices: Critical Perspectives on Cyberthreats, Frameworks and Protocols
Akashdeep Bhardwaj
No ratings yet
Modern Intelligent Instruments - Theory and Application
From Everand
Modern Intelligent Instruments - Theory and Application
Changjian Deng
No ratings yet
Trends in Future Informatics and Emerging Technologies
From Everand
Trends in Future Informatics and Emerging Technologies
Deepak Kumar
No ratings yet
Practical Digital Forensics: A Guide for Windows and Linux Users
From Everand
Practical Digital Forensics: A Guide for Windows and Linux Users
Akashdeep Bhardwaj
No ratings yet
Soft Robotics
From Everand
Soft Robotics
Gareth J. Monkman
No ratings yet
Introduction to Sensors in IoT and Cloud Computing Applications
From Everand
Introduction to Sensors in IoT and Cloud Computing Applications
Ambika Nagaraj
No ratings yet
Cyber Forensics and Investigation on Smart Devices: Volume 1
From Everand
Cyber Forensics and Investigation on Smart Devices: Volume 1
Akashdeep Bhardwaj
No ratings yet
Arduino and Scilab based Projects
From Everand
Arduino and Scilab based Projects
Anita Gehlot
No ratings yet
Introduction to Machine Learning with Python
From Everand
Introduction to Machine Learning with Python
Deepti Chopra
No ratings yet
Artificial Intelligence and Multimedia Data Engineering: Volume 1
From Everand
Artificial Intelligence and Multimedia Data Engineering: Volume 1
Suman Kumar Swarnkar
No ratings yet
Digital Transformation in African SMEs: Emerging Issues and Trends Volume 3
From Everand
Digital Transformation in African SMEs: Emerging Issues and Trends Volume 3
Mohammed Majeed
No ratings yet
IoT-enabled Sensor Networks: Architecture, Methodologies, Security, and Futuristic Applications
From Everand
IoT-enabled Sensor Networks: Architecture, Methodologies, Security, and Futuristic Applications
Samayveer Singh
No ratings yet
Amazon Web Services: The Definitive Guide for Beginners and Advanced Users
From Everand
Amazon Web Services: The Definitive Guide for Beginners and Advanced Users
Parul Dubey
No ratings yet
Computational Intelligence for Sustainable Transportation and Mobility: Volume 1
From Everand
Computational Intelligence for Sustainable Transportation and Mobility: Volume 1
PublishDrive
No ratings yet
Video Data Analytics for Smart City Applications: Methods and Trends
From Everand
Video Data Analytics for Smart City Applications: Methods and Trends
Abhishek Singh Rathore
No ratings yet
Dominant Algorithms to Evaluate Artificial Intelligence:From the View of Throughput Model
From Everand
Dominant Algorithms to Evaluate Artificial Intelligence:From the View of Throughput Model
Waymond Rodgers
No ratings yet
Human-Computer Interaction and Beyond: Advances Towards Smart and Interconnected Environments (Part I)
From Everand
Human-Computer Interaction and Beyond: Advances Towards Smart and Interconnected Environments (Part I)
PublishDrive
No ratings yet
COVID 19 – Monitoring with IoT Devices
From Everand
COVID 19 – Monitoring with IoT Devices
Ambika Nagaraj
No ratings yet
Data Science for Agricultural Innovation and Productivity
From Everand
Data Science for Agricultural Innovation and Productivity
S. Gowrishankar
No ratings yet
Digital Innovation Adoption: Architectural Recommendations and Security Solutions
From Everand
Digital Innovation Adoption: Architectural Recommendations and Security Solutions
Muhammad Ehsan Rana
No ratings yet
The Role of AI in Enhancing IoT-Cloud Applications
From Everand
The Role of AI in Enhancing IoT-Cloud Applications
Ambika Nagaraj
No ratings yet
Deep Learning for Healthcare Services
From Everand
Deep Learning for Healthcare Services
Parma Nand
No ratings yet
Medical Imaging Technologies and Methods for Health Care
From Everand
Medical Imaging Technologies and Methods for Health Care
Fuk-Hay Tang
No ratings yet
Handbook of Mobile Application Development: A Guide to Selecting the Right Engineering and Quality Features
From Everand
Handbook of Mobile Application Development: A Guide to Selecting the Right Engineering and Quality Features
Mohamed Sarrab
No ratings yet
The Future of Computing: Ubiquitous Applications and Technologies
From Everand
The Future of Computing: Ubiquitous Applications and Technologies
Neha Kishore
No ratings yet
Technology Enterprise Business Models: A Handbook For The Post Pandemic Era
From Everand
Technology Enterprise Business Models: A Handbook For The Post Pandemic Era
Joosung J. Lee
No ratings yet
Polarity Index In Proteins - A Bioinformatics Tool
From Everand
Polarity Index In Proteins - A Bioinformatics Tool
Carlos Polanco
No ratings yet
AI Agents Made Easy: Build Your Digital Workforce with No-Code Tools
From Everand
AI Agents Made Easy: Build Your Digital Workforce with No-Code Tools
Barron Wilson
No ratings yet
Business Models and Innovative Technologies for SMEs
From Everand
Business Models and Innovative Technologies for SMEs
Ignitia Motjolopane
No ratings yet
Coherent Wireless Power Charging and Data Transfer for Electric Vehicles
From Everand
Coherent Wireless Power Charging and Data Transfer for Electric Vehicles
Chih-Cheng Huang
No ratings yet
doCONTROL - Guide Utilisateur
No ratings yet
doCONTROL - Guide Utilisateur
53 pages
WWGMCATIAV5Guide 130768
No ratings yet
WWGMCATIAV5Guide 130768
345 pages
2PAA111691-610 A en System 800xa 6.1 Central Licensing System
No ratings yet
2PAA111691-610 A en System 800xa 6.1 Central Licensing System
56 pages
Nortel VPN Client Release Notes - VPN Client Software Release 10.04.016
No ratings yet
Nortel VPN Client Release Notes - VPN Client Software Release 10.04.016
33 pages
SIMATIC WinCC OA Security Guideline v317
No ratings yet
SIMATIC WinCC OA Security Guideline v317
330 pages
CertificateHandlingTIAPortal V1 0 en
No ratings yet
CertificateHandlingTIAPortal V1 0 en
100 pages
SmartAdvisor V20.4.1 Manual V4.1 en
No ratings yet
SmartAdvisor V20.4.1 Manual V4.1 en
37 pages
AppNote Run MyVirtual Machine Open en
No ratings yet
AppNote Run MyVirtual Machine Open en
51 pages
UsingCertificatesWithTIAPortal DOC V2 0 en
No ratings yet
UsingCertificatesWithTIAPortal DOC V2 0 en
69 pages
OpenVPN SC PC V10 en
No ratings yet
OpenVPN SC PC V10 en
63 pages
WWGMCATIAV5Guide 157413
No ratings yet
WWGMCATIAV5Guide 157413
407 pages
Win10 SC600 DOKU V20 en
No ratings yet
Win10 SC600 DOKU V20 en
47 pages
System Configuration Guide PDF
No ratings yet
System Configuration Guide PDF
488 pages
Nortel bs425
No ratings yet
Nortel bs425
488 pages
2PAA110154-610 A en System 800xa 6.1 Operator Workplace Support For Mobile Device
No ratings yet
2PAA110154-610 A en System 800xa 6.1 Operator Workplace Support For Mobile Device
180 pages
INet Database Transition Guide
No ratings yet
INet Database Transition Guide
50 pages
2PAA101888-610 A en System 800xa 6.1 Tools
No ratings yet
2PAA101888-610 A en System 800xa 6.1 Tools
118 pages
Adtran SmartOS For 800-Series SDGs - User Guide - 2022-11
No ratings yet
Adtran SmartOS For 800-Series SDGs - User Guide - 2022-11
92 pages
MultiUser Engineering DOC v15 en
No ratings yet
MultiUser Engineering DOC v15 en
62 pages
Loadmanagement DOC PCS7 V90 SP1 en
No ratings yet
Loadmanagement DOC PCS7 V90 SP1 en
43 pages
MindConnect HardwareTerms Americas v1801
No ratings yet
MindConnect HardwareTerms Americas v1801
4 pages
Passport 8600 PDF
No ratings yet
Passport 8600 PDF
226 pages
LoadMaster Manual 6.0
No ratings yet
LoadMaster Manual 6.0
152 pages
Adtran AOS Commands!
100% (1)
Adtran AOS Commands!
507 pages
FSP3000R7 R19.2 Maintenance and Troubleshooting Manual IssA
No ratings yet
FSP3000R7 R19.2 Maintenance and Troubleshooting Manual IssA
1,256 pages
ColorImages
No ratings yet
ColorImages
40 pages
Chapter 11: Virtual Wan Part 1 - S2S VPN and Vnet Connections
No ratings yet
Chapter 11: Virtual Wan Part 1 - S2S VPN and Vnet Connections
40 pages
Commands SNMP
No ratings yet
Commands SNMP
6 pages
CMD
No ratings yet
CMD
18 pages
Western Equipment and Supply Co. v. Reyes
100% (2)
Western Equipment and Supply Co. v. Reyes
2 pages
2324 Mil Met07 Atg
No ratings yet
2324 Mil Met07 Atg
9 pages
The Modern Hack
100% (2)
The Modern Hack
12 pages
Networker Module For Sap - 19.10 - 1060607
No ratings yet
Networker Module For Sap - 19.10 - 1060607
14 pages
Innovation Benefits of Software Patents in Kenya: Josphat Ayamunda and Ian K. Tum
No ratings yet
Innovation Benefits of Software Patents in Kenya: Josphat Ayamunda and Ian K. Tum
22 pages
Correction Instruction: VIM, CI No. 60
No ratings yet
Correction Instruction: VIM, CI No. 60
5 pages
Due Diligence Checklist Cross-Border
No ratings yet
Due Diligence Checklist Cross-Border
16 pages
Research Paper Kolang Kalaala
No ratings yet
Research Paper Kolang Kalaala
2 pages
Sporta Technologies Pvt. Ltd. and Ors. vs. Edream 11 Skill Power Private Limited
No ratings yet
Sporta Technologies Pvt. Ltd. and Ors. vs. Edream 11 Skill Power Private Limited
2 pages
Aku Berharap Ini Sampai Padamu Lailil Wakhidatus Solikha Faizatul Fitria Tara Deviani Miftahun Ni Mah
No ratings yet
Aku Berharap Ini Sampai Padamu Lailil Wakhidatus Solikha Faizatul Fitria Tara Deviani Miftahun Ni Mah
48 pages
D04 - L02 - R01 Additional Inlines Commands
No ratings yet
D04 - L02 - R01 Additional Inlines Commands
17 pages
Mossack Fonseca & Co.
No ratings yet
Mossack Fonseca & Co.
8 pages
Adams 2020 Getting Started Using Adams Machinery
No ratings yet
Adams 2020 Getting Started Using Adams Machinery
148 pages
Geographical Indication (DARJEELING TEA REPORT)
No ratings yet
Geographical Indication (DARJEELING TEA REPORT)
8 pages
Page 1 of 6
No ratings yet
Page 1 of 6
6 pages
Illusionists: A Basic Fantasy RPG Supplement
No ratings yet
Illusionists: A Basic Fantasy RPG Supplement
9 pages
Counterfeiting
No ratings yet
Counterfeiting
11 pages
DetroitDiesel III IV Suite 8.4
100% (1)
DetroitDiesel III IV Suite 8.4
234 pages
Trademark Cases
No ratings yet
Trademark Cases
7 pages
Kylone Microcms Installation & Setup Guide For Tbs Iptv System
No ratings yet
Kylone Microcms Installation & Setup Guide For Tbs Iptv System
18 pages
Ansys Fluent Battery Module Manualpdf
No ratings yet
Ansys Fluent Battery Module Manualpdf
24 pages
Tips and Techniques For Large Files Aug 2010 SAS
No ratings yet
Tips and Techniques For Large Files Aug 2010 SAS
34 pages
Teladin TX700 Hardware Guide - V1 - 01
No ratings yet
Teladin TX700 Hardware Guide - V1 - 01
41 pages
Previewpdf
No ratings yet
Previewpdf
35 pages
Manual Técnico de Bomba Vertical SCHURCO
100% (2)
Manual Técnico de Bomba Vertical SCHURCO
45 pages
(PHILO) Presentation Chapters17-19 JT Siana
100% (1)
(PHILO) Presentation Chapters17-19 JT Siana
52 pages