
iManager NetEco V600R010C10 Administrator Guide

Issue: Draft B
Date: 2020-11-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
https://e.huawei.com
Issue Draft B
(2020-11-30)
Copyright © Huawei Technologies Co., Ltd.
Contents
1 NetEco Administrator Guide
1.1 Getting Started
1.1.1 Logging In to the NetEco
1.1.2 Logging In to the PowerEcho
1.2 Power On and Power Off the NetEco System
1.2.1 Powering On the System
1.2.2 Powering Off the System
1.3 System Monitoring and Task Management
1.3.1 Monitoring Products
1.3.2 Monitoring Nodes
1.3.3 Monitoring Services
1.3.4 Monitoring Databases
1.3.5 Monitoring Processes
1.3.6 Modifying Monitoring Thresholds
1.4 Starting the PowerEcho and the NetEco
1.4.1 Starting Product Services and Databases
1.4.2 Starting Product Databases
1.4.3 Starting Product Services
1.4.4 Starting Product Processes
1.4.5 Starting the PowerEcho Service and Databases
1.4.6 Starting the PowerEcho Databases
1.4.7 Starting the PowerEcho Service
1.5 Stopping the PowerEcho and the NetEco
1.5.1 Stopping Product Services and Databases
1.5.2 Stopping Product Services
1.5.3 Stopping Product Databases
1.5.4 Stopping Product Processes
1.5.5 Stopping the PowerEcho Service and Databases
1.5.6 Stopping the PowerEcho Service
1.5.7 Stopping the PowerEcho Databases
1.6 Configuring Network Information
1.6.1 Modifying Hostnames
1.6.2 Configuring Network Interfaces
1.6.3 Configuring IP Addresses
1.6.4 Configuring Routes
1.6.5 Configuring Floating IP Addresses
1.6.6 Configure Southbound IP address
1.7 Configuring Time
1.7.1 Changing the Time Zone and Time
1.7.2 Configuring NTP Servers
1.8 Collecting Equipment Serial Numbers
1.9 Alarm Dump
1.10 Software Management
1.10.1 Managing Software Packages
1.10.2 Upgrading Product Software
1.10.3 Expanding Product Software Capacity
1.10.4 Uninstalling NetEco Product Software
1.10.5 Modifying Configuration Parameters of Product Software
1.10.6 Adding Product Features
1.10.7 Deleting Product Features
1.11 Backup and Restore
1.11.1 Overview
1.11.2 Backup and Restoration Scenarios and Policies
1.11.2.1 Backup Scenarios and Policies
1.11.2.2 Restoration Scenarios and Policies
1.11.3 Backup Server Requirements
1.11.4 Configuring Backup Parameters
1.11.5 Backing Up Products
1.11.5.1 Backing Up Product on a Scheduled Basis
1.11.5.2 Backing Up Product Data
1.11.5.3 Backing Up Product Applications
1.11.5.4 Backing Up Database Applications
1.11.6 Backing Up the PowerEcho
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho
1.11.6.2 Backing Up the PowerEcho Applications and Data on a Scheduled Basis
1.11.7 Restoring Products
1.11.7.1 Restoring Database Applications
1.11.7.2 Restoring Product Applications
1.11.7.3 Restoring Product Data
1.11.8 Restoring the PowerEcho
1.12 Remote Cold Backup
1.12.1 Remote Cold Backup System Overview
1.12.2 Managing the Remote Cold Backup System
1.12.2.1 Configuring a Remote Cold Backup System
1.12.2.2 Switching Services to the Secondary Site When the Primary Site Is Faulty
1.12.2.3 Switching Services to the Secondary Site When the Primary Site Is Normal
1.12.2.4 Switching Services Back to the Primary Site
1.12.2.5 Forcibly Synchronizing Product Data
1.12.2.6 Modifying the Remote Cold Backup System
1.12.2.7 Deleting the Remote Cold Backup System
1.13 Task Management
1.14 Display Format Settings on the PowerEcho
1.14.1 Date and Time Zone Display Format
1.14.2 Time Display Format
1.14.3 Number Display Format
1.15 Password Management
1.15.1 OS Users
1.15.1.1 Default OS Users
1.15.1.2 Changing Passwords for OS Users (Non-root Users)
1.15.1.3 Changing the Password of User root
1.15.2 Database Users
1.15.2.1 Default Database Users
1.15.2.2 Changing Passwords for Database Users
1.15.3 NetEco Web System Users and Passwords
1.15.3.1 Default NetEco Web System User Information
1.15.3.2 Changing the Password for the admin User (NetEco)
1.15.3.3 Changing the Password for the admin User (the PowerEcho)
1.15.3.4 Changing the User Name and Password of the Swift Deploy Deployment Tool
1.15.4 Setting and Changing the Password of the Server BIOS
1.15.4.1 Entering the Remote Management Window of the Server
1.15.4.2 Setting and Changing the Password of the Server BIOS (TaiShan Server)
1.15.4.3 Setting and Changing the Password of the Server BIOS (X86 Server)
1.15.5 Setting Encrypted Password for GRUB2
1.15.6 Configuring the Hacker Language Dictionary
1.16 Managing Certificates
1.16.1 Certificate Overview
1.16.2 Certificate List
1.16.3 Uploading and Updating ER Certificates
1.16.4 Uploading and Updating CA Certificates
1.16.5 Updating IR Certificates
1.16.6 Uploading and Updating the Trust Certificate of the Syslog Server (the PowerEcho)
1.16.7 Updating the Certificate of User Management
1.16.8 Updating Certificate Revocation Lists
1.16.9 Updating the Certificate of LDAP
1.16.10 Updating the CAS SSO Client Trust Certificate
1.16.11 Updating Mail Server Certificate for Notifications
1.16.12 Managing CAS SSO Certificates
1.16.12.1 Obtaining the CAS SSO Trust Certificate
1.16.12.2 Importing the CAS SSO Trust Certificate
1.16.12.3 Updating the CAS SSO Trust Certificate
1.16.13 Managing the Trust Certificate of the Syslog Server
1.16.13.1 Importing the Trust Certificate of the Syslog Server
1.16.13.2 Updating the Trust Certificate of the Syslog Server
1.17 Managing Keys
1.17.1 Updating the Root Key and Working Keys
1.17.2 Updating the Root Key and Working Keys of the Secondary Site
1.18 Managing Log
1.18.1 Configuring Log Forwarding (the PowerEcho)
1.18.2 Configuring Log Forwarding Rules (the PowerEcho)
1.18.3 Setting Log Dump (the NetEco)
1.18.4 Log Reference (the NetEco)
1.18.4.1 Security-related Log List
1.18.4.2 Security-related Log Description
1.18.4.2.1 Operation Logs
1.18.4.2.2 System Logs
1.18.4.2.3 Security Logs
1.18.4.3 Server Logs
1.18.4.3.1 Command Audit Logs
1.18.4.3.2 Database Audit Logs
1.19 Security Management
1.19.1 Setting the System Login Mode
1.19.2 Creating Users
1.19.3 Adjusting Permission After Changing Role of a User
1.19.4 Monitoring Users
1.19.5 User Maintenance
1.19.5.1 Common Operations for User Information Maintenance
1.19.5.2 Creating a Role and Granting Permissions
1.19.5.3 Common Operations for Role Information Maintenance
1.19.5.4 Creating a User-defined Operation Set
1.19.5.5 Common Operations for Operation Set Information Maintenance
1.19.5.6 Modifying User Information in Batches
1.19.5.7 Changing Personal Passwords
1.19.5.8 Resetting a User Password
1.19.6 Security Policies
1.19.6.1 Setting the Account Policy
1.19.6.2 Setting the Password Policy
1.19.6.3 Configuring Service Parameters for User Management
1.19.6.4 Setting a Client IP Address Policy
1.19.6.5 Setting Login Time Policies
1.19.7 Remote Authentication Configuration
1.19.7.1 Understanding Remote Authentication
1.19.7.2 Configuring LDAP Authentication
1.19.7.3 Configuring RADIUS Authentication
1.19.7.4 LDAP Authentication Parameters
1.19.7.5 RADIUS Authentication Parameter Description
1.19.8 SSO Configuration
1.19.8.1 CAS SSO Configuration
1.19.8.1.1 About CAS SSO
1.19.8.1.2 Configuring CAS SSO
1.20 NetEco Maintenance
1.20.1 Network Diagnostics
1.20.2 Run Logs Collection
1.20.3 Routine Inspection
1.20.4 History Report
1.20.5 HA Management
1.20.6 Viewing Server Information
1.21 File System of The NetEco
1.22 Routine Maintenance
1.22.1 Daily Maintenance
1.22.1.1 Checking Logs (the PowerEcho)
1.22.1.2 Checking Logs (the NetEco)
1.22.1.3 Checking Whether Online Users Are Authorized (the NetEco)
1.22.2 Weekly Maintenance
1.22.2.1 Checking Backup Data
1.22.2.2 Checking User Configuration (the NetEco)
1.22.3 Monthly Maintenance
1.22.3.1 Checking the Certificate Validity Period (the PowerEcho)
1.22.3.2 Cleaning Up Disk Space
1.22.3.3 Checking the Time Zone and Time
1.22.4 Quarterly Maintenance
1.22.4.1 Changing Passwords
1.23 FAQ
1.23.1 Notifications
1.23.1.1 How Do I Obtain a Mail Server Certificate on Google Chrome?..............................................................263
1.23.1.2 How Do I Obtain a Mail Server Certificate on Firefox?............................................................................... 264
1.23.2 How Do I Query the IP Address of the Node Where a Service Resides?...................................................264
1.23.3 How Do I Query the IP Address of the Node Where a Database Instance Resides?............................ 265
1.23.4 How Do I Query the IP Address of a Node?....................................................................................................... 266
1.23.5 How Do I Query the Floating IP Address of a Node?...................................................................................... 266
1.23.6 How Do I Log In to the OS of a Node?................................................................................................................ 267
1.23.7 How Do I Check the Disk Usage?........................................................................................................................... 267
1.23.8 How Do I Determine the Deployment Mode of the PowerEcho?
1.23.9 How Do I Determine the Deployment Mode of Nodes?
1.23.10 How Do I Determine the Deployment Mode of a Database Instance?
1.23.11 How Do I Check Whether Management Nodes and Product Nodes Use the Same Database Software?
1.23.12 Performing Security Hardening or Dehardening for Internal Ports
1.23.13 How Do I Solve the Problem of Slow Response When Multiple Tab Pages of a Browser Are Opened?
1.23.14 How Do I Query the Node Name Corresponding to the IP Address of the Management Node?
1.23.15 How Do I Create a Backup Path for a Backup Server?
1.23.16 How Do I Check the Deployment Status of a Product?
1.23.17 How Do I View Command Audit Logs?
1.23.18 How Do I View Database Audit Logs?
1.23.19 How Do I Prevent PuTTY from Being Disconnected upon Timeout?
1.23.20 How Do I Check the Active/Standby Status of a Node?
1.24 Common Operations
1.24.1 Logging In to a Server Using PuTTY
1.24.2 Transferring Files Using FileZilla
1.24.3 Uninstalling the NetEco
1.24.4 Encrypting the Private Key of the Signature Certificate (the PowerEcho)
1.24.5 How Do I Change the Database Instance Password?
1.24.6 Querying the Version Number of the PowerEcho
1.24.7 Checking the Status of the PowerEcho Service
1.24.8 Abnormal NTP Server Status
1.24.9 Managing Passwords in the Weak Password Dictionary
1.24.10 Restoring the CA Certificates That Failed to Be Updated
1.24.11 Updating IR Certificates on the Product Nodes Failed When CA Certificates Are Being Updated
1.24.12 Faults of Multiple Management Nodes
1.24.13 Querying a Product Name
1.24.14 Product Node Faults
1.25 Appendix
1.25.1 Description of the unopened menus of the PowerEcho
1.25.2 Description of the unopened menus of the NetEco
1 NetEco Administrator Guide
Overview
This document describes how to maintain the NetEco system.
Product Version
The following table lists the product versions related to this document.
| Product Name | Product Version |
|---|---|
| NetEco | V600R010C10 |
Intended Audience
This document is intended for the following engineers:
● Technical support engineers
● Maintenance engineers
Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in previous issues.
Draft B (2020-11-30)
This issue is the second release of the iManager NetEco V600R010C10 beta
version.
Draft A (2020-09-30)
This issue is the first release of the iManager NetEco V600R010C10 beta version.
1.1 Getting Started
After NetEco is installed, you can maintain it through the PowerEcho and
implement service functions through the NetEco.
1.1.1 Logging In to the NetEco
This section describes how to use a browser to log in to the NetEco.
Prerequisites
● The current PC can communicate properly with the client IP address of the NetEco and the services of the NetEco are running properly.
● You have obtained the username and password for login.
● The OS and browser of your PC must meet the following requirements.
Context
Table 1-1 Configuration requirements
| Software Type | Requirements |
|---|---|
| OS | Windows 10 Professional 64bit is recommended |
| Browser | Latest Chrome (Stable Channel) and Firefox (ESR Release) are recommended |
| Resolution | Optimal resolution: 1920 x 1080 (px) |
● The NetEco provides the default user admin as the system administrator that has permissions on all resources. The initial password for the user is Changeme_123. To keep the NetEco secure, change the password periodically and keep the new password secure. If the admin user enters an incorrect password five consecutive times within 10 minutes, the login IP address will be locked for 10 minutes.
● If three accounts using an IP address are locked within 10 minutes, this IP address will be locked for 30 minutes.
● If the login of an IP address meets the IP address lockout conditions specified on the Account Policy page, this IP address will be locked.
● If the login of a local account meets the account lockout conditions specified on the Account Policy page, this account will be locked for 30 minutes by default.
● All users can log in to the system again after their accounts are automatically unlocked. Local users can also contact security administrators to unlock their accounts so that they can log in again.
Procedure
Step 1 Access the NetEco at https://<client IP address of the NetEco>:31943.
Step 2 On the login page, enter the username and password, and click Log In.
NOTE
● If you have changed your password after login, keep the new password secure. If you
forget the password for the admin user, you can reset the password only by reinstalling
the NetEco.
● For security purposes, do not set the browser to remember the password.
Step 3 Optional: If Two-factor authentication is enabled, you also need to obtain a
verification code. Enter the obtained verification code and click Log In.
NOTE
Click Switch Account to return to the login page and use another account to log in.
----End
1.1.2 Logging In to the PowerEcho
This section describes how to use a browser to log in to the PowerEcho.
Prerequisites
● The network connection between your PC and the client IP address of the PowerEcho is normal.
● You have obtained the password for the current login user.
● The operating system (OS) and browser of your PC must meet the requirements listed in Table 1-2.
Context
Table 1-2 Configuration requirements
| Software Type | Requirements |
|---|---|
| OS | Windows 10 Professional 64bit is recommended |
| Browser | Latest Chrome (Stable Channel) and Firefox (ESR Release) are recommended |
| Resolution | Optimal resolution: 1920 x 1080 (px) |
● The PowerEcho provides the default user admin. The initial password for the admin user is Changeme_123. For security purposes, change the password periodically and keep the new password secure.
● If you enter the password for the admin user incorrectly five consecutive times within 10 minutes, your IP address will be locked for 10 minutes.
● The management node in the document is the node where the PowerEcho is installed, and the product node is the node where the NetEco is installed.
Procedure
Step 1 Access the PowerEcho at https://<client IP address of the PowerEcho>:31945.
NOTE
If the PowerEcho is deployed in cluster mode, use the floating IP address of the
management node to log in.
Step 2 On the login page, enter the username and password, and click Log In.
NOTE
● When you log in to the system in local mode, enter the username admin and its
password. The initial password for the admin user is Changeme_123. For security
purposes, change the password periodically and keep the new password secure.
● When you log in to the PowerEcho for the first time, you are prompted to change the
initial password for the admin user. Perform operations as prompted. If the password
for the admin user is lost, you can restore the password only by reinstalling the system.
● For security purposes, do not save your password in the browser.
● By default, if you do not perform any operation within 30 minutes after a successful
login, you will be automatically logged out.
----End
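The admin lockout rule stated in 1.1.1 and 1.1.2 (five consecutive incorrect passwords within 10 minutes lock the login IP address for 10 minutes) can be replayed over login records to see which source addresses would have tripped it. The following is an added example, not code from the guide or from the product. The record layout, the function names, the choice to ignore attempts that arrive while an address is locked, and treating exactly 10 minutes as still inside the window are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the guide's lockout rule for the admin user.
MAX_FAILURES = 5                        # five consecutive incorrect passwords
WINDOW = timedelta(minutes=10)          # ... within 10 minutes
LOCK_DURATION = timedelta(minutes=10)   # login IP address locked for 10 minutes


def t(hhmm):
    """Build a timestamp on a constructed date from 'HH:MM'."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2020, 11, 30, hour, minute)


# Constructed sample records: (timestamp, source IP, username, success).
# The tuple layout is an assumption; the guide does not define a log format.
SAMPLE_EVENTS = (
    [(t(f"09:0{m}"), "198.51.100.7", "admin", False) for m in range(5)]
    + [(t("09:05"), "198.51.100.7", "admin", False)]   # arrives while locked
    + [(t(f"09:{m}"), "198.51.100.7", "admin", False) for m in range(15, 20)]
    + [(t(f"09:3{m}"), "203.0.113.20", "admin", False) for m in range(4)]
    + [(t("09:34"), "203.0.113.20", "admin", True)]    # success ends the run
    + [(t("09:35"), "203.0.113.20", "admin", False),
       (t("09:36"), "203.0.113.20", "admin", False)]
    + [(t(x), "192.0.2.44", "admin", False)            # spread over 13 minutes
       for x in ("10:00", "10:03", "10:06", "10:09", "10:13")]
)


def admin_ip_lockouts(events, user="admin"):
    """Return [(ip, locked_from, locked_until)] for every lock the rule triggers."""
    failures = defaultdict(deque)   # ip -> timestamps of the current failure run
    locked_until = {}               # ip -> end of the active lock
    lockouts = []
    for ts, ip, name, success in sorted(events):
        if name != user:
            continue
        if ip in locked_until and ts < locked_until[ip]:
            continue                # assumption: attempts during a lock are not counted
        run = failures[ip]
        if success:
            run.clear()             # a successful login breaks "consecutive"
            continue
        run.append(ts)
        while ts - run[0] > WINDOW:  # keep only failures inside the 10-minute window
            run.popleft()
        if len(run) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCK_DURATION
            lockouts.append((ip, ts, ts + LOCK_DURATION))
            run.clear()
    return lockouts


def repeat_offenders(lockouts, min_locks=2):
    """Source addresses locked at least min_locks times (sustained guessing)."""
    counts = Counter(ip for ip, _, _ in lockouts)
    return {ip: n for ip, n in counts.items() if n >= min_locks}


if __name__ == "__main__":
    for ip, start, end in admin_ip_lockouts(SAMPLE_EVENTS):
        print(f"{ip} locked {start:%H:%M} to {end:%H:%M}")
    print("repeat offenders:", repeat_offenders(admin_ip_lockouts(SAMPLE_EVENTS)))
```

An address that is locked again as soon as the previous lock expires is the pattern worth reviewing in the login logs.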
1.2 Power On and Power Off the NetEco System
This section describes the procedures for powering on and off the NetEco system.
1.2.1 Powering On the System
This section describes how to power on the hardware components when installing
the NetEco system. The NetEco system consists of multiple hardware components.
You need to power them on in sequence.
Procedure
Step 1 Prepare for powering on the server.
1. Ensure that the power switches of all the devices in the cabinet are set to OFF. If a power switch is ON, set it to OFF.
2. Ensure that the hardware devices are correctly placed and that cable connections (especially the power cable connections) are correct and meet ESD specifications.
Step 2 Turn on the power switch of the server to power it on.
NOTE
After the server starts properly, the button/indicator of its power switch is green.
----End
1.2.2 Powering Off the System
This section describes how to power off the NetEco system safely. If the local HA
cluster system is used, perform the operations in this section on each of the three
servers.
Prerequisites
You have stopped the PowerEcho and the NetEco. For details, see 1.5.2 Stopping Product
Services and 1.5.6 Stopping the PowerEcho Service.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the root user:
$ su - root
Password: root password
NOTE
The default password of user root is Changeme_123.
Step 3 Run the following command to shut down the NetEco:
# sync;sync;sync;sync;sync;sync
# shutdown -h now
----End
1.3 System Monitoring and Task Management
After a product is installed on the PowerEcho, you can use this function to monitor
resources such as nodes, services, databases, and processes on the PowerEcho and
the NetEco. This helps you detect and resolve exceptions in a timely manner,
ensuring efficient server running and normal product running.
1.3.1 Monitoring Products
You can monitor the indicators of each node, service, and database in a
centralized manner. By predicting and analyzing the indicators of each resource,
you can identify and rectify faults in a timely manner.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
The PowerEcho refreshes the status of nodes, services, and databases displayed on
the page every 30 seconds.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 In the upper right corner of the page, check whether any resource in Nodes,
Services, Relational Databases, and Redis Databases is abnormal.
NOTE
The number in red indicates the number of abnormal resources.
● If the number of abnormal resources is 0, all resources of the product are normal.
● If the number of abnormal resources is not 0, there are abnormal resources in the product. Click the number of abnormal resources to view details on the tab page for that resource type.
----End
1.3.2 Monitoring Nodes
You can monitor all nodes of the PowerEcho and the NetEco to identify and rectify
faults in a timely manner, which ensures that the node servers are running
efficiently.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
The PowerEcho periodically monitors resources of the system. Table 1-3 lists the
monitoring intervals. The status of monitored objects on the page is refreshed
every 30 seconds.
Table 1-3 Node monitoring intervals
| Monitoring Object | Interval (Second) |
|---|---|
| Node status | 180 |
| Node resource (for example, CPU usage) | 15 |
| Service status | 30 |
| Database status | 60 |
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 On the Nodes tab page, view the usage of the CPU, virtual memory, physical
memory, and disk partition. Refer to Table 1-4 to check the resource statuses.
Alternatively, on the Nodes tab page, click a node name. On the page for node
details, view the disk partition usage and the resource statuses of processes on the
node.
Table 1-4 Node resource status
| Object | State | Description | Measures |
|---|---|---|---|
| Connection Status | Normal | The connection between the node and the PowerEcho is normal. | N/A |
| Connection Status | Disconnected | The connection between the node and the PowerEcho is abnormal. | ● Click the abnormal node and view the space usage and process status of each disk in the node on the details page. ● An alarm is reported if the node status is abnormal. Rectify the fault based on the alarm information. |
| Database Status | -- | The node does not have a database. | N/A |
| Database Status | Partially Running | Some database instances on the node are not running. | An alarm is reported if the database status is abnormal. Rectify the fault based on the alarm information. |
| Database Status | Not Running | All database instances on the node are stopped. | Some maintenance operations require that the database is not running. Determine whether the database is abnormal based on site requirements. |
| Database Status | Running | The database instances on the node are running properly. | N/A |
| Database Status | Unknown | The system cannot detect the database instance status on the node. | Collect related information and contact Huawei technical support. |
| Database Status | Starting | All database instances on the node are being started. | If the service is in this state for a long time, contact Huawei technical support. |
| Database Status | Stopping | All database instances on the node are being stopped. | |
| Service Status | Uninstalled | The node service is not installed. | Collect related information and contact Huawei technical support. |
| Service Status | -- | The node does not provide services. | N/A |
| Service Status | Partially Running | Some processes on the node are not running. | On the Nodes tab page, click the node name. On the node details page, view the processes that are not running and determine whether the processes are abnormal based on site requirements. |
| Service Status | Not Running | All services on the node are stopped. | Some maintenance operations require that the service is not running. Determine whether the service is abnormal based on site requirements. |
| Service Status | Running | All services on the node are running. | N/A |
| Service Status | Unknown | The system cannot detect the service status on the node. | An alarm is reported if the service status is abnormal. Rectify the fault based on the alarm information. |
| Service Status | Faulty | Some services on the node are faulty. | |
| Service Status | Starting | All services on the node are being started. | |
| Service Status | Stopping | All services on the node are being stopped. | The startup or stopping duration of a service does not exceed 1 minute. If the service is in this state for a long time, contact Huawei technical support. |
----End
1.3.3 Monitoring Services
You can monitor all services of the PowerEcho and the NetEco to identify and
rectify faults in a timely manner, which ensures that the services are running
properly.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
The PowerEcho monitors services of the system every 30 seconds. The status
displayed on the page is refreshed every 30 seconds.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 Click the Services tab page and refer to Table 1-5 to check the service status.
Alternatively, click the desired service instance name. On the page for service
details, view the status of processes and other resources of the service.
Table 1-5 Service status
| State | Description | Measures |
|---|---|---|
| Partially Running | Some processes of the service are not running. | Click the name of the corresponding service instance. On the service details page, view the processes that are not running, and determine whether the processes are abnormal based on site requirements. |
| Not Running | All processes of the service are stopped. | Some maintenance operations require that the service is not running. Therefore, you need to determine whether the service is abnormal based on site requirements. |
| Running | All processes of the service are running. | N/A |
| Unknown | The system cannot detect the status of processes of the service. | An alarm is reported if the service status is abnormal. Rectify the fault based on the alarm information. |
| Faulty | Some processes of the service are faulty. | |
| Starting | All processes of the service are being started. | |
| Stopping | All processes of the service are being stopped. | The startup or stopping duration of a service does not exceed 1 minute. If the service is in this state for a long time, contact Huawei technical support. |
----End
1.3.4 Monitoring Databases
You can monitor the relational databases and Redis databases of the PowerEcho
and the NetEco to identify and rectify faults in a timely manner, which ensures
that the databases are running properly.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● The PowerEcho monitors databases of the system every 60 seconds. The status displayed on the page is refreshed every 30 seconds.
● A relational database is created on the basis of a relational model for storing persistent data, such as the GaussDB T database. The PowerEcho monitors the usage of the relational databases. This helps you to identify and rectify the insufficiency of the database space in a timely manner.
● A Redis database is a high-performance key-value database that stores cached status-related data. The PowerEcho monitors the memory usage of the Redis databases so that you can identify and rectify insufficient memory space in a timely manner.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 Click the Relational Databases or Redis Databases tab page. Refer to Table 1-6
and Table 1-7 to check the database status.
Table 1-6 Database status table
| State | Description | Measures |
|---|---|---|
| Not Running | The database is not running. | An alarm is reported if the database status is abnormal. Rectify the fault based on the alarm information. |
| Unknown | The system cannot detect the database status. | |
| Running | The database on the node is running properly. | N/A |
Table 1-7 Database instance replication status
| State | Description | Measures |
|---|---|---|
| Normal | The replication between the master and slave database instances is normal. | N/A |
| Abnormal | The replication between the master and slave database instances is abnormal. | An alarm is reported if the database instance replication status is abnormal. Rectify the fault based on the alarm information. |
| Full Synchronizing | The slave database instance is rebuilt, and all data of the master database instance is being forcibly synchronized to the slave database instance. | N/A |
| -- | The database instance is a single instance and does not have a master/slave relationship. | N/A |
----End
1.3.5 Monitoring Processes
You can monitor the processes of the PowerEcho and the NetEco to identify and
rectify faults in a timely manner, which ensures that the processes are running
properly.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
The PowerEcho monitors processes of the system every 30 seconds. The status
displayed on the page is refreshed every 30 seconds.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 On the Processes tab page, check the process status based on Table 1-8.
Table 1-8 Process status
| State | Description | Measures |
|---|---|---|
| Not Running | The process is not running. | Some maintenance operations require that the processes are not running. Determine whether the process is abnormal based on site requirements. |
| Stopped (standby) | The process is deployed in active/standby mode, and runs only on the active node instead of the standby node, which is normal. | N/A |
| Running | The process is running. | N/A |
| Unknown | The system cannot detect the process status. | Collect related information and contact Huawei technical support. |
| Faulty | The process is faulty. | |
| Fault (isolated) | The process is faulty and does not provide services externally. | An alarm is reported if the process is faulty. Rectify the fault based on the alarm information. |
| Starting | The process is being started. | |
| Stopping | The process is being stopped. | If the service is in this state for a long time, contact Huawei technical support. |
----End
1.3.6 Modifying Monitoring Thresholds
The PowerEcho can report alarms if a resource is abnormal. The system has
default monitoring thresholds for nodes, relational databases, and Redis
databases. When the usage of a monitored object reaches the thresholds, the
PowerEcho reports corresponding alarms, and the alarm notifications are received
on the NetEco. If the default monitoring thresholds do not match the actual
resource usage and alarms are frequently reported, you can modify the
monitoring thresholds based on site requirements.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
Table 1-9 lists the default thresholds and resource objects that can be configured.
NOTE
X indicates the value of Alarm Generation Threshold, Y indicates the value of Alarm
Clearance Threshold, and N indicates the value of Threshold-crossing Times. Y must be
less than X.
Table 1-9 Configuring monitoring thresholds
| Item | Object | Conditions for Reporting Alarms | Condition for Clearing Alarms |
|---|---|---|---|
| Node | CPU | The CPU usage sampled every 15 seconds in N consecutive times is greater than or equal to X%. Default value: N = 40, X = 85 | Any sampled CPU usage is less than X%. Default value: X = 85 |
| Node | Physical memory | In a detection period (15 seconds), the physical memory usage is greater than or equal to X%. Default value: X = 85 | The physical memory usage is less than or equal to Y%. Default value: Y = 80 |
| Node | Virtual memory | In a detection period (15 seconds), the virtual memory usage is greater than or equal to X%. Default value: X = 85 | The virtual memory usage is less than or equal to Y%. Default value: Y = 80 |
| Node | Disk partition | In a detection period (15 seconds), the disk partition usage is greater than or equal to X%. Default value: X = 80 | The disk partition usage is less than or equal to Y%. Default value: Y = 75 |
| Relational database | Database tablespace usage | In a detection period (180 seconds), the database tablespace usage is greater than or equal to X%. Default value: X = 95 | The database tablespace usage is less than or equal to Y%. Default value: Y = 85 |
| Redis database | Memory | In a detection period (180 seconds), the memory usage is greater than or equal to X%. Default value: X = 80 | The memory usage is less than or equal to Y%. Default value: Y = 70 |
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 3 Click the tab where the resource object resides.
Step 4 Click
on the right of the page and set parameters.
----End
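Before changing X, Y or N on the page, it helps to replay recorded usage samples against candidate values and count how many alarms each setting would raise. The following added example models the generation and clearance conditions of Table 1-9; it is not the PowerEcho's own code, and the class name, function names and usage samples are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ThresholdRule:
    name: str
    generate_at: float            # X: Alarm Generation Threshold (%)
    clear_at: float               # Y: Alarm Clearance Threshold (%); X for the CPU rule
    crossing_times: int = 1       # N: Threshold-crossing Times
    clear_inclusive: bool = True  # True: clear when usage <= Y; False: usage < clear_at

    def __post_init__(self):
        # Table 1-9 NOTE: Y must be less than X (the CPU rule clears below X instead).
        if self.clear_inclusive and self.clear_at >= self.generate_at:
            raise ValueError(f"{self.name}: Y must be less than X")


# Defaults from Table 1-9.
CPU = ThresholdRule("CPU", 85, 85, crossing_times=40, clear_inclusive=False)
DISK = ThresholdRule("Disk partition", 80, 75)

# Constructed disk partition usage (%), one value per detection period.
DISK_SAMPLES = [72, 79, 81, 78, 82, 77, 80, 76, 74, 81]


def evaluate(rule, samples):
    """Return [(sample_index, 'generated' | 'cleared')] for a series of usage samples."""
    active = False
    streak = 0        # consecutive samples at or above X while no alarm is active
    events = []
    for i, usage in enumerate(samples):
        if not active:
            streak = streak + 1 if usage >= rule.generate_at else 0
            if streak >= rule.crossing_times:
                active, streak = True, 0
                events.append((i, "generated"))
        else:
            if rule.clear_inclusive:
                cleared = usage <= rule.clear_at
            else:
                cleared = usage < rule.clear_at
            if cleared:
                active = False
                events.append((i, "cleared"))
    return events


def compare_clear_thresholds(samples, x, candidates):
    """Number of alarms generated for each candidate Y with a fixed X."""
    result = {}
    for y in candidates:
        rule = ThresholdRule("candidate", x, y)
        result[y] = sum(1 for _, kind in evaluate(rule, samples) if kind == "generated")
    return result


if __name__ == "__main__":
    print(evaluate(DISK, DISK_SAMPLES))
    print(compare_clear_thresholds(DISK_SAMPLES, 80, [79, 75, 70]))
```

On the constructed samples, a clearance threshold close to X produces four alarms where the default Y = 75 produces two, which is the frequent-alarm situation this section describes.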
1.4 Starting the PowerEcho and the NetEco
1.4.1 Starting Product Services and Databases
This section describes how to start product services and databases.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-10.
Table 1-10 Starting product services and databases
| Task | Operation |
|---|---|
| Start all services and databases of the product. | In the upper left corner of the page, click Start, choose Start All from the drop-down menu, and perform operations as prompted. |
| Start services and databases on nodes. | On the Nodes tab page, select the nodes with services and databases to be started, click Start on the right of the page, and perform operations as prompted. |
Step 3 After the task is successfully executed, check that Service Status and DB Status of
the nodes are both Running on the Nodes tab page.
----End
1.4.2 Starting Product Databases
This section describes how to start product databases.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-11.
Table 1-11 Starting databases
Task: Start all databases of the product.
Operation: In the upper left corner of the page, click Start, choose Start DB from the drop-down menu, and perform operations as prompted.
Task: Start databases on a node.
Operation: On the Nodes tab page, click in the Operation column of the row that contains the node and perform operations as prompted.
Step 3 After the task is successfully executed, check that DB Status of the node is
Running on the Nodes tab page.
----End
1.4.3 Starting Product Services
This section describes how to start product services.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● The databases of the product are running. For details, see 1.4.2 Starting
Product Databases.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-12.
Table 1-12 Starting services
Task: Start all services of the product.
Operation: In the upper left corner of the page, click Start, choose Start Service from the drop-down menu, and perform operations as prompted.
Task: Start services on a node.
Operation: On the Nodes tab page, click in the Operation column of the row that contains the node and perform operations as prompted.
Task: Start one or more services.
Operation: On the Services tab page, select the services to be started, click Start on the right of the page, and perform operations as prompted.
Step 3 After the task is successfully executed, check the node or service status.
● If you have started services on all nodes or a single node of the product,
check that Service Status of the nodes is Running on the Nodes tab page.
● If you have started a single service or multiple services, check that Service
Status of the node is Partially Running on the Nodes tab page, and Status
of the services is Running on the Services tab page.
NOTE
If you have started all services on the Services tab page, check that Service Status of
the nodes is Running on the Nodes tab page.
The snmpagentservice service is controlled by a license. If no license is imported, the
service is not running. After the license containing the SNMP NBI is imported, the
service runs properly. If you later import a license that does not contain the
SNMP NBI, the license is displayed as Not Running.
----End
1.4.4 Starting Product Processes
This section describes how to start product processes.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product.
Step 3 On the Processes tab page, select processes to be started, click Start above the
process list, and perform operations as prompted.
Step 4 After the task is successfully executed, check that the processes are in the
Running state on the Processes tab page.
----End
1.4.5 Starting the PowerEcho Service and Databases
This section describes how to start the service and databases of the PowerEcho by
running commands.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
If the PowerEcho is deployed in cluster mode, that is, there are multiple
management nodes, you have obtained the IP addresses of active and standby
management nodes where OMMHA resides. For details, see 1.23.20 How Do I
Check the Active/Standby Status of a Node?
Procedure
If the PowerEcho is deployed in single-server mode:
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to start the service and databases of the PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startmgr
If information similar to the following is displayed, the service and databases of
the PowerEcho on the node are started successfully. Otherwise, contact Huawei
technical support.
...
============================ Starting management dc is complete
...
============================ Starting management processes is complete.
----End
If the PowerEcho is deployed in cluster mode:
Step 1 Use PuTTY to log in to the active management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to start OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for the
process, OMMHA is started successfully. Otherwise, contact Huawei technical
support.
Starting process ommha-0-0 ... success
Step 4 Run the following commands to start the service and databases of the PowerEcho:
> ipmc_adm -cmd startmgr
If information similar to the following is displayed, the service and databases of
the PowerEcho on the node are started successfully. Otherwise, contact Huawei
technical support.
...
============================ Starting management dc is complete
...
============================ Starting management processes is complete.
Step 5 Use PuTTY to log in to the standby management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 6 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 7 Run the following commands to start OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for the
process, OMMHA is started successfully. Otherwise, contact Huawei technical
support.
Starting process ommha-0-0 ... success
Step 8 Run the following commands to start the service and databases of the PowerEcho:
> ipmc_adm -cmd startmgr
If information similar to the following is displayed, the service and databases of
the PowerEcho on the node are started successfully. Otherwise, contact Huawei
technical support.
...
============================ Starting management dc is complete
...
============================ Starting management processes is complete.
Step 9 Use PuTTY to log in to other management nodes as the sopuser user in SSH
mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 10 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 11 Run the following commands to start the service and databases of the PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startmgr
If information similar to the following is displayed, the service and databases of
the PowerEcho on the node are started successfully. Otherwise, contact Huawei
technical support.
...
============================ Starting management dc is complete
...
============================ Starting management processes is complete.
----End
1.4.6 Starting the PowerEcho Databases
This section describes how to start the databases of the PowerEcho by running
commands.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, open a new PuTTY window to start the
databases on Management1 within three minutes after you run the startup command on
Management0. For details about how to obtain the IP address of a node, see 1.23.4 How
Do I Query the IP Address of a Node? After you have started databases on two nodes,
check the startup result of the nodes. If the startup fails on a node, contact Huawei
technical support.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to start the PowerEcho databases:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startdc -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, the databases of the PowerEcho are started successfully. Otherwise,
contact Huawei technical support.
============================ Starting data container processes...
Starting redis process woadapterrdb-1-14 ... success
...
Starting redis process serviceinspectionrdb-1-3 ... success
Starting redis process privilegerdb-1-28 ... success
============================ Starting data container processes is complete.
----End
1.4.7 Starting the PowerEcho Service
This section describes how to start the PowerEcho service by running commands.
Prerequisites
● The database instances of the PowerEcho are running. For details, see 1.4.6
Starting the PowerEcho Databases.
● You have obtained the passwords for the sopuser and ossadm users of the
management node.
● If the PowerEcho is deployed in cluster mode, that is, there are multiple
management nodes, you have obtained the IP addresses of active and
standby management nodes where OMMHA resides. For details, see 1.23.20
How Do I Check the Active/Standby Status of a Node?
Procedure
If the PowerEcho is deployed in single-server mode:
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to start all services:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are started successfully. Otherwise, contact
Huawei technical support.
...
Starting process user-0-0 ... success
Starting process cron-0-0 ... success
...
----End
If the PowerEcho is deployed in cluster mode:
Step 1 Use PuTTY to log in to the active management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to start OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for all
processes, OMMHA is started successfully. Otherwise, contact Huawei technical
support.
Starting process ommha-0-0 ... success
Step 4 Run the following command to start all services on the node:
> ipmc_adm -cmd startapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are started successfully. Otherwise, contact
Huawei technical support.
...
Starting process user-0-0 ... success
Starting process cron-0-0 ... success
...
Step 5 Use PuTTY to log in to the standby management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 6 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 7 Run the following commands to start OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for all
processes, OMMHA is started successfully. Otherwise, contact Huawei technical
support.
Starting process ommha-0-0 ... success
Step 8 Run the following command to start all services on the node:
> ipmc_adm -cmd startapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are started successfully. Otherwise, contact
Huawei technical support.
...
Starting process user-0-0 ... success
Starting process cron-0-0 ... success
...
Step 9 Use PuTTY to log in to other management nodes as the sopuser user in SSH
mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 10 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 11 Run the following commands to start all services:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd startapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are started successfully. Otherwise, contact
Huawei technical support.
...
Starting process user-0-0 ... success
Starting process cron-0-0 ... success
...
----End
1.5 Stopping the PowerEcho and the NetEco
1.5.1 Stopping Product Services and Databases
Stop product services and databases as required during system maintenance.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-13.
Table 1-13 Stopping product services and databases
Task: Stop all services and databases of the product.
Operation: In the upper left corner of the page, click Stop, choose Stop All from the drop-down menu, and perform operations as prompted.
Task: Stopping services and databases on a node.
Operation: On the Nodes tab page, select the nodes to be stopped, click Stop on the right of the page, and perform operations as prompted.
Step 3 After the task is successfully executed, check that Service Status and DB Status of
the nodes are both Not Running on the Nodes tab page.
----End
1.5.2 Stopping Product Services
Stop product services as required during system maintenance.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-14.
Table 1-14 Stopping services
Task: Stop all services of the product.
Operation: In the upper left corner of the page, click Stop, choose Stop Service from the drop-down menu, and perform operations as prompted.
Task: Stop services on a node.
Operation: On the Nodes tab page, click in the Operation column of the row that contains the node and perform operations as prompted.
Task: Stop one or more services.
Operation: On the Services tab page, select the services to be stopped, click Stop on the right of the page, and perform operations as prompted.
Step 3 After the task is successfully executed, check the node or service status.
● If you have stopped services on all nodes or a single node of the product,
check that Service Status of the nodes is Not Running on the Nodes tab
page.
● If you have stopped a single service or multiple services, check that Service
Status of the nodes is Partially Running on the Nodes tab page, and Status
of the services is Not Running on the Services tab page.
NOTE
If you have stopped all services on the Services tab page, check that Service Status of
the nodes is Not Running on the Nodes tab page.
----End
1.5.3 Stopping Product Databases
Stop product databases as required during system maintenance.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● To ensure that services are running properly, you are advised to stop the
services of the corresponding product or node before stopping the database.
For details, see 1.5.2 Stopping Product Services.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product. Perform required operations based on Table 1-15.
Table 1-15 Stopping databases
Task: Stop all databases of the product.
Operation: In the upper left corner of the page, click Stop, choose Stop DB from the drop-down menu, and perform operations as prompted.
Task: Stop databases on a node.
Operation: On the Nodes tab page, click in the Operation column of the row that contains the node and perform operations as prompted.
Step 3 After the task is successfully executed, check that DB Status of the node is Not
Running on the Nodes tab page.
----End
1.5.4 Stopping Product Processes
Stop product processes as required during system maintenance.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select the product.
Step 3 On the Processes tab page, select processes to be stopped, click Stop above the
process list, and perform operations as prompted.
Step 4 After the task is successfully executed, check that the processes are in the Not
Running state on the Processes tab page.
----End
1.5.5 Stopping the PowerEcho Service and Databases
This section describes how to stop the service and databases of the PowerEcho by
running commands.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
Procedure
If the PowerEcho is deployed in single-server mode:
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop the service and databases of the PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopmgr
If information similar to the following is displayed, the service and databases of
the PowerEcho on the node are stopped successfully. Otherwise, contact Huawei
technical support.
...
============================ Stopping management processes is complete.
...
============================ Stopping management dc is complete
----End
If the PowerEcho is deployed in cluster mode:
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
Perform the following operations on all the management nodes.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop the service and databases of the PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopnode
If success is displayed for all services, all services and databases on the node are
stopped successfully. Otherwise, contact Huawei technical support.
----End
1.5.6 Stopping the PowerEcho Service
This section describes how to stop the PowerEcho service by running commands.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
If the PowerEcho is deployed in cluster mode, that is, there are multiple
management nodes, you have obtained the IP addresses of active and standby
management nodes where OMMHA resides. For details, see 1.23.20 How Do I
Check the Active/Standby Status of a Node?
Procedure
If the PowerEcho is deployed in single-server mode:
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop all services:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are stopped successfully. Otherwise, contact
Huawei technical support.
...
Stopping process user-0-0 ... success
Stopping process cron-0-0 ... success
...
----End
If the PowerEcho is deployed in cluster mode:
Step 1 Use PuTTY to log in to the standby management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for the
process, OMMHA is stopped successfully. Otherwise, contact Huawei technical
support.
Stopping process ommha-0-0 ... success
Step 4 Run the following command to stop all services on the node:
> ipmc_adm -cmd stopapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are stopped successfully. Otherwise, contact
Huawei technical support.
...
Stopping process user-0-0 ... success
Stopping process cron-0-0 ... success
...
Step 5 Use PuTTY to log in to the active management node where OMMHA resides, as
the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server
Using PuTTY.
Step 6 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 7 Run the following commands to stop OMMHA:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopapp -tenant manager -app OMMHAService
If information similar to the following is displayed and success is displayed for the
process, OMMHA is stopped successfully. Otherwise, contact Huawei technical
support.
Stopping process ommha-0-0 ... success
Step 8 Run the following command to stop all services on the node:
> ipmc_adm -cmd stopapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are stopped successfully. Otherwise, contact
Huawei technical support.
...
Stopping process user-0-0 ... success
Stopping process cron-0-0 ... success
...
Step 9 Use PuTTY to log in to other management nodes as the sopuser user in SSH
mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 10 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 11 Run the following commands to stop all services:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopapp -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, all services on the node are stopped successfully. Otherwise, contact
Huawei technical support.
...
Stopping process user-0-0 ... success
Stopping process cron-0-0 ... success
...
----End
1.5.7 Stopping the PowerEcho Databases
This section describes how to stop the databases of the PowerEcho by running
commands.
Prerequisites
● The PowerEcho service is in the Not Running state. For details, see 1.5.6
Stopping the PowerEcho Service.
● You have obtained the passwords for the sopuser and ossadm users of the
management node.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, log in to Management0 and Management1,
and perform the following operations. For details about how to obtain the IP address of a
node, see 1.23.4 How Do I Query the IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop the databases of the PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopdc -tenant manager
If information similar to the following is displayed and success is displayed for all
processes, the databases of the PowerEcho are stopped successfully. Otherwise,
contact Huawei technical support.
============================ Stopping data container processes...
Stopping redis process woadapterrdb-1-14 ... success
...
Stopping redis process privilegerdb-1-28 ... success
Stopping redis process rnrdb-1-21 ... success
============================ Stopping data container processes is complete.
----End
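The success check that the command-line start procedures (1.4.5 to 1.4.7) and stop procedures (1.5.5 to 1.5.7) describe can be run over a saved copy of the ipmc_adm output. This Python is an added example, not Huawei code: the transcripts are constructed from the output shown in those sections, the "failed" status text is hypothetical, and any status other than success is treated as a failure.

```python
import re

# "Starting process user-0-0 ... success"
# "Stopping redis process rnrdb-1-21 ... success"
STEP = re.compile(
    r"^(Starting|Stopping)\s+(?:\w+\s+)?process\s+(\S+)\s+\.\.\.\s+(\S.*)$")
# "============================ Starting management dc is complete"
BANNER = re.compile(r"^=+\s+((?:Starting|Stopping)\s+.+?)\s+is complete\.?$")

# Completion banners the guide shows for each "ipmc_adm -cmd" value.
# startapp/stopapp show only per-process lines, so no banner is expected.
EXPECTED_BANNERS = {
    "startmgr": ["Starting management dc", "Starting management processes"],
    "stopmgr": ["Stopping management processes", "Stopping management dc"],
    "startdc": ["Starting data container processes"],
    "stopdc": ["Stopping data container processes"],
    "startapp": [],
    "stopapp": [],
}


def check_ipmc_output(cmd, text):
    """Decide whether captured output of `ipmc_adm -cmd <cmd>` shows success.

    Fails when any process line reports something other than "success",
    when an expected completion banner is absent (for example because the
    SSH session dropped mid-run), or when the capture holds no evidence.
    """
    results, banners = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        step = STEP.match(line)
        if step:
            results.append((step.group(2), step.group(3).strip()))
            continue
        banner = BANNER.match(line)
        if banner:
            banners.add(banner.group(1))
    failed = [(name, status) for name, status in results if status != "success"]
    missing = [b for b in EXPECTED_BANNERS[cmd] if b not in banners]
    has_evidence = bool(results or EXPECTED_BANNERS[cmd])
    return {
        "ok": not failed and not missing and has_evidence,
        "processes": len(results),
        "failed": failed,
        "missing_banners": missing,
    }


# Constructed transcripts, modelled on the output printed in 1.4.6 and 1.5.5.
SAMPLE_STARTDC_OK = """\
============================ Starting data container processes...
Starting redis process woadapterrdb-1-14 ... success
Starting redis process serviceinspectionrdb-1-3 ... success
Starting redis process privilegerdb-1-28 ... success
============================ Starting data container processes is complete.
"""

# Constructed failure case: one process did not start and the capture ends
# before the completion banner. The word "failed" is a hypothetical status.
SAMPLE_STARTDC_TRUNCATED = """\
============================ Starting data container processes...
Starting redis process woadapterrdb-1-14 ... success
Starting redis process privilegerdb-1-28 ... failed
"""

SAMPLE_STOPMGR_OK = """\
============================ Stopping management processes is complete.
============================ Stopping management dc is complete
"""

if __name__ == "__main__":
    for cmd, sample in (("startdc", SAMPLE_STARTDC_OK),
                        ("startdc", SAMPLE_STARTDC_TRUNCATED),
                        ("stopmgr", SAMPLE_STOPMGR_OK)):
        print(cmd, check_ipmc_output(cmd, sample))
```

In cluster mode, save and check the output of each management node separately, because the commands are run once per node.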
1.6 Configuring Network Information
On the PowerEcho, you can configure network information for each node. Ensure
that nodes can communicate with each other properly.
1.6.1 Modifying Hostnames
To identify the meaning and function of a node on the network, set a unique
hostname for each node.
Prerequisites
● The hostname has been planned and meets the hostname naming rules.
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
If any management node is faulty, restore the node first. Otherwise, hostnames
cannot be configured. For details, see Table 1-16.
Table 1-16 Troubleshooting the management node faults
No.: 1
Check Item: Network connection
Check Method: Contact the administrator to check whether the network connection is normal.
Troubleshooting Method: Contact the network administrator to restore the network.
No.: 2
Check Item: Running status of VMs or physical machines
Check Method: Contact the administrator to check whether VMs or physical machines are abnormal, for example, powered-off or deleted.
Troubleshooting Method: Contact the administrator to restore the VMs or physical machines.
No.: 3
Check Item: The PowerEcho running status
Check Method: Log in to the PowerEcho.
Troubleshooting Method:
● If the login page is displayed, the fault is rectified.
● If the login page is not displayed or no response is returned, restore the PowerEcho. For details, see 1.11.8 Restoring the PowerEcho.
Context
The hostname must meet the following requirements:
● The hostname must be unique on the network.
● The hostname contains 2 to 63 characters, and can only contain letters, digits,
and hyphens (-).
● The hostname cannot contain double hyphens (--).
● The hostname cannot contain spaces.
● The hostname must start with a letter, and cannot end with a hyphen (-).
● The hostname is case-sensitive.
● The hostname cannot be localhost or localhost.localdomain, regardless of
the letter case.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Network Configuration > Modify
Hostname from the main menu.
Step 2 On the Modify Hostname page, perform the operations by referring to Table
1-17.
Table 1-17 Modifying hostnames
Task: Importing the configuration
Operation: Modify the exported hostname file and then import the modified hostname file to the system to modify the hostnames of nodes in batches. Click Import Configuration and perform operations as prompted.
NOTE
● The file to be imported must be in .xlsx or .csv format. The size of the file cannot exceed 2 MB.
● The requirements for the file name are as follows:
1. The file name can contain only letters, digits, hyphens (-), and underscores (_).
2. The file name can contain a maximum of 60 characters.
Task: Configuring hostnames on the web client
Operation: Directly change the hostnames of nodes in sequence on the Direct Configuration page. Click Direct Configuration and perform operations as prompted.
----End
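A pre-import check for the hostname file, applying the naming rules listed under Context and the file limits in the NOTE of Table 1-17. This Python is an added example, not part of the guide or of NetEco. Assumptions: the CSV column name hostname, the constructed sample rows, "letters" meaning ASCII letters, and the character rule applying to the name before the extension while the 60-character limit applies to the whole file name.

```python
import csv
import io
import re

MAX_IMPORT_BYTES = 2 * 1024 * 1024   # the import file "cannot exceed 2 MB"
RESERVED = {"localhost", "localhost.localdomain"}


def hostname_problems(name):
    """Return every naming rule from 1.6.1 that `name` breaks ([] = valid)."""
    problems = []
    if not 2 <= len(name) <= 63:
        problems.append("length must be 2 to 63 characters")
    if " " in name:
        problems.append("contains a space")
    if re.search(r"[^A-Za-z0-9 -]", name):      # spaces are reported above
        problems.append("only letters, digits and hyphens are allowed")
    if "--" in name:
        problems.append("contains a double hyphen")
    if not re.match(r"[A-Za-z]", name):
        problems.append("must start with a letter")
    if name.endswith("-"):
        problems.append("must not end with a hyphen")
    if name.lower() in RESERVED:                 # regardless of letter case
        problems.append("reserved name")
    return problems


def file_name_problems(file_name):
    """Check the import file name against the NOTE in Table 1-17."""
    stem, dot, ext = file_name.rpartition(".")
    if not dot or ext not in ("xlsx", "csv"):
        return ["file must be in .xlsx or .csv format"]
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_-]+", stem):   # assumption: rule covers the stem
        problems.append("name may contain only letters, digits, - and _")
    if len(file_name) > 60:                          # assumption: limit covers full name
        problems.append("name longer than 60 characters")
    return problems


def check_import(file_name, data, column="hostname"):
    """Validate an import file before upload.

    Returns {location: [problems]} where location is "file" or "line N".
    `column` is a hypothetical header name; set it to match the exported file.
    Only .csv content is parsed; for .xlsx only name and size are checked.
    """
    report = {}
    problems = file_name_problems(file_name)
    if len(data) > MAX_IMPORT_BYTES:
        problems.append("file larger than 2 MB")
    if problems:
        report["file"] = problems
    if not file_name.endswith(".csv"):
        return report
    seen = {}
    rows = csv.DictReader(io.StringIO(data.decode("utf-8")))
    for line_no, row in enumerate(rows, start=2):    # line 1 is the header
        name = row.get(column) or ""
        problems = hostname_problems(name)
        if name in seen:                 # exact match: hostnames are case-sensitive
            problems.append(f"duplicate of line {seen[name]}")
        seen.setdefault(name, line_no)
        if problems:
            report[f"line {line_no}"] = problems
    return report


# Constructed sample; the column names and hostnames are illustrative only.
SAMPLE_CSV = b"""node,hostname
Management0,neteco-mgmt0
Management1,neteco--mgmt1
Product0,localhost
Product1,neteco-mgmt0
Product2,9-db-
"""

if __name__ == "__main__":
    for where, found in check_import("hostnames_site-a.csv", SAMPLE_CSV).items():
        print(where, found)
```

The uniqueness check only covers the rows in the file; uniqueness on the network still has to be confirmed against the hostname plan.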
1.6.2 Configuring Network Interfaces
If the network interface configuration changes (for example, an equipment room
is relocated or a subnet is changed), update the network interface configuration.
After a network interface is added to the PowerEcho, you can manage and
maintain the network interface on the PowerEcho.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● The network interface to be added to the PowerEcho.
● In a remote cold backup scenario, the remote cold backup system has been
deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Precautions
● When a network interface is deleted, its IP address is deleted, and the
network interface is removed from the PowerEcho. However, the network
interface will not be removed.
● If you configure the network interface of the management node, the system
automatically restarts OMMHAService on all nodes. If you configure the
network interface of a product node, the system automatically restarts
OMMHAService on the product node. During the restart of OMMHAService,
the services monitored by OMMHAService are also restarted and become
unavailable temporarily. After the restart, the services become available again.
If OMMHAService is not deployed on the management node or the product
node, restart is not involved.
● If the product services are not in the Running state, after a network interface
is added or deleted, the product services will be automatically started. In the
Warning dialog box, if you deselect Automatically start the product
services after the configuration, the product services will not be
automatically started, and you need to manually start them. For details, see
1.4.3 Starting Product Services.
NOTE
If a network interface without an IP address is added or deleted, the system does not
need to start product services and this Warning dialog box will not be displayed.
● In a remote cold backup scenario, configure network interfaces at the primary
site and then perform the same configurations at the secondary site to ensure
that the network interface configurations at the primary and secondary sites
are consistent.
● If the PowerEcho is deployed in cluster mode and some of Management0,
Management1, and Management2 are faulty, restore the faulty nodes first.
Otherwise, the network interface fails to be configured.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Network Configuration > Configure
NIC from the main menu.
Step 2 On the Configure NIC page, perform operations as prompted.
NOTE
● If you want to perform other configuration operations that need to restart product
services after configuring the network interfaces, do not select Automatically start the
product services after the configuration in the Warning dialog box. In this case, the
product services will not be automatically started after the configuration, which prevents
them from being restarted several times.
● If a network interface without an IP address is added or deleted, the system does not need
to start product services and this Warning dialog box will not be displayed.
● In a remote cold backup scenario, if you are configuring the network interfaces at the
secondary site, do not select Automatically start the product services after the
configuration in the Warning dialog box. This prevents the product services of the
secondary site from being restarted, which would cause the product to become dual-active.
Step 3 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
----End
Follow-up Procedure
After a network interface is configured, all historical backup files become
invalid. Manually back up the application and data of the PowerEcho, the
database applications, product applications, and product data. For details, see
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho and
1.11.5 Backing Up Products.
1.6.3 Configuring IP Addresses
If an IP address conflict occurs on the network or the overall network plan changes
(for example, an equipment room is relocated or a subnet mask is changed),
change the IP address, subnet mask, and usage accordingly.
Prerequisites
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
The databases of the product to be modified are running properly. For details,
see 1.3.4 Monitoring Databases.
●
If the IP address to be changed is the client IP address of the PowerEcho, add
the route corresponding to the new IP address to the PowerEcho to ensure
that the PowerEcho can be accessed after the IP address is changed. For
details, see 1.6.4 Configuring Routes.
●
In the cluster scenario, if you want to change the IP addresses in different
network segments, change the IP addresses on all nodes.
●
In a remote cold backup scenario, the remote cold backup system has been
deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Precautions
●
After you change the IP address of a product node, the product services will be
automatically restarted by default. In the Warning dialog box, if you deselect
Automatically start the product services after configuring the IP
addresses, the product services will not be automatically started, and you
need to manually start them after the configuration. For details, see 1.4.3
Starting Product Services.
●
After you change the IP address of a database node, the databases and the
product services will be automatically restarted by default. In the Warning
dialog box, if you deselect Automatically start the product services after
configuring the IP addresses, the product services will not be automatically
started, and you need to manually start them after the configuration. For
details, see 1.4.3 Starting Product Services.
●
After you change the IP address of the management node, the databases and
the PowerEcho service will be automatically restarted.
●
If the PowerEcho is deployed in cluster mode and some of Management0,
Management1, and Management2 are faulty, restore the faulty nodes first.
Otherwise, the IP address fails to be configured. For details, see 1.11.8
Restoring the PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Network Configuration > Configure
IP Address from the main menu.
Step 2 On the Configure IP Address page, refer to Table 1-18 to perform the operations.
Table 1-18 Configuring IP addresses
Task
Operation
Importing the
configuration
Configure the IP address information in the exported
network interface information file, and then import the
modified network interface information file to the system to
change the IP addresses of the network interfaces in
batches.
Click Configuration Import and perform operations as
prompted.
NOTE
● The file to be imported must be in .xlsx or .csv format. The size
of the file cannot exceed 2 MB.
● The requirements for the file name are as follows:
– The file name can contain only letters, digits, hyphens (-),
and underscores (_).
– The file name can contain a maximum of 60 characters.
Modifying IP
addresses
Modify the IP addresses of network interfaces in sequence
on the GUI.
Click Modify IP Address and perform operations as
prompted.
NOTE
If the PowerEcho is deployed in cluster mode, select the node to be
configured, and then modify the IP address.
Adding IP
addresses
Add the IP addresses of network interfaces in sequence on
the GUI.
Click Add IP Address and perform operations as prompted.
----End
Follow-up Procedure
●
If the new and old IP addresses belong to different network segments, delete
the routes corresponding to the old IP addresses from the PowerEcho. For
details, see 1.6.4 Configuring Routes.
●
After an IP address is configured, all historical backup files become
invalid. Manually back up the application and data of the PowerEcho, the
database applications, product applications, and product data. For details, see
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho
and 1.11.5 Backing Up Products.
●
Changing the IP address of the backup server will cause failure to save files to
the backup server. Update the backup parameters accordingly. For details, see
1.11.4 Configuring Backup Parameters.
1.6.4 Configuring Routes
If the network configuration changes (for example, an equipment room is
relocated or a subnet is changed), update the route configuration to ensure proper
system running. If no route is configured between the system and the destination
IP address, the system communicates with the destination IP address using the
default route.
Prerequisites
●
You have obtained the destination network, subnet mask, and gateway of the
route.
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
If the gateway address of the route and the IP address of corresponding
network interface are in different network segments, change the
corresponding IP address to make the route take effect. For details, see 1.6.3
Configuring IP Addresses.
Precautions
●
Do not delete the route used for connecting to the management when
deleting a route of the management node. Otherwise, you cannot log in to
the PowerEcho.
●
If there are two routes with the same destination address, you need to
manually delete the unnecessary route on the Configure Route page.
Otherwise, the network connection to the destination address is abnormal.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Network Configuration > Configure
Route from the main menu.
Step 2 In the Select node and query route area, select the nodes with routes to be
configured.
Step 3 Click Query.
Step 4 In the Configure route area, modify, add, or delete routes for the selected nodes.
For details, see Table 1-19.
Table 1-19 Configuring routes
Task
Operation
Modifying
routes
If NIC Name is -, the node has the default route. If the default
route exists, you can modify it but cannot add other default
routes for the node.
IP addresses of the same protocol (IPv4 or IPv6) have only one
default route.
1. Select and modify a route.
– To modify the default route, select the corresponding
records whose NIC Name is -, and configure Gateway/
Next Hop.
– To modify a non-default route, select the desired network
interface from the NIC Name drop-down list based on
the planning information, and configure Destination
Network, Subnet Mask/Prefix Length, and Gateway/
Next Hop.
2. Click Apply.
NOTE
Clicking Reset will clear all unsaved configurations on the page and
will restore the configurations to the state before you select nodes
and query routes.
3. In the Confirm dialog box, click Yes.
The related task is created successfully. Click Task List to
view the task execution status. If the task execution fails,
rectify the fault based on the task details.
Adding routes
If no default route is available or new routes need to be added,
perform the following operations:
1. Click Add Route.
2. Select nodes with routes to be added.
– To add a default route, select Default Route and
configure Gateway/Next Hop.
– To add a non-default route, select the desired network
interface from the NIC Name drop-down list, and
configure Destination Network, Subnet Mask/Prefix
Length, and Gateway/Next Hop.
3. Click OK.
4. In the Confirm dialog box, click Yes.
The related task is created successfully. Click Task List to
view the task execution status. If the task execution fails,
rectify the fault based on the task details.
Deleting
routes
If routes are no longer necessary, delete them to save
resources.
1. Select the desired routes and delete them.
– To delete default routes, select the desired routes, and
click Delete Route.
– To delete non-default routes, select one or more desired
routes and click Delete Route.
2. In the Warning dialog box, click OK.
The related task is created successfully. Click Task List to
view the task execution status. If the task execution fails,
rectify the fault based on the task details.
NOTE
Do not delete the route used for connecting to the PowerEcho when
deleting a route of the management node. Otherwise, you cannot
log in to the PowerEcho.
----End
1.6.5 Configuring Floating IP Addresses
If the PowerEcho is deployed in cluster mode, you can configure a floating IP
address for multiple nodes to prevent the system from failing to provide services
due to faults of a node. The PowerEcho allows you to configure a floating IP
address for specified nodes of a product. In addition, you can modify or delete the
configured floating IP address.
Prerequisites
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
The databases of the product to be modified are running properly. For details,
see 1.3.4 Monitoring Databases.
Precautions
●
A floating IP address can be configured only for nodes of the same type. For
details about how to check the node type, see 1.3.4 Monitoring Databases.
●
After you change the floating IP address, the product services will be
automatically restarted by default. In the Warning dialog box, if you deselect
Automatically start the product services after configuring the floating IP
address, the product services will not be automatically started, and you need
to manually start them. For details, see 1.4.3 Starting Product Services.
●
If the PowerEcho is deployed in cluster mode and some of Management0,
Management1, and Management2 are faulty, restore the faulty nodes first.
Otherwise, the floating IP address cannot be configured. For details, see
1.11.6 Backing Up the PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Network Configuration > Configure
Floating IP Address from the main menu.
Step 2 On the Configure Floating IP Address page, perform operations as prompted.
----End
Follow-up Procedure
Manually back up the application and data of the management node, database
applications, product applications, and product data. For details, see 1.11.6.1
Manually Backing Up the Application and Data of the PowerEcho and 1.11.5
Backing Up Products.
1.6.6 Configure Southbound IP address
This section describes how to configure a southbound IP address. It applies only
to the southbound and northbound network isolation scenario.
Prerequisites
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
In a remote cold backup scenario, the remote cold backup system has been
deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Procedure
1. Please configure the southbound IP address according to the following
scenarios.
If
then
Adding the
Southbound IP
Address
● Single-Node System Scenario
1. Delete the southbound usage bound to the
management IP address.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP
Address from the main menu.
b. Click Modify IP Address, select the IP address
to be configured, click Edit, deselect
Southbound in NIC Usage, and click Apply.
2. Adding the Southbound Network Port.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure NIC from
the main menu.
b. Select the node to be configured, click Query
Non-Added NIC, select the NIC to be
configured, set NIC Usage to Southbound, and
click Add.
3. Adding the southbound IP address.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP
Address from the main menu.
b. Click Modify IP Address, select the NIC added
in 1.ii, click Edit, set IP Address and Subnet
Mask, set NIC Usage to Southbound, click
Apply and click OK.
4. Adding the southbound IP Route.
NOTE
If the destination IP address and route are in the same
network segment, you do not need to add a southbound
IP route.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Route
from the main menu.
b. Select the node to be configured and click
Query to query the route information.
c. Click Add Route. On the Add Route page,
select the node to be added.
d. In the Add Route area, set NIC Name to
bond1, Destination Network to the network
number of the target NE, Subnet Mask/Prefix
Length to the planned subnet mask, and
Gateway/Next Hop to the planned
southbound IP gateway address, and click OK.
● Cluster scenario
1. Delete the southbound usage bound to the
floating IP address.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Floating
IP Address from the main menu.
b. Select the IP address to be configured, deselect
Southbound in NIC Usage, and click Apply.
2. Adding the Southbound Network Port.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure NIC from
the main menu.
b. Select the NetEco-node01 and NetEco-node02
nodes, click Query Non-Added NIC, select the
network port bond1 (select the same network
port on the two nodes), set NIC Usage to
SouthboundBaseIP, click Add. In the displayed
dialog box, click OK.
3. Adding the fixed southbound IP address.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP
Address from the main menu.
b. Click Modify IP Address, select the network
port added in 1.ii, click Edit, set the IP address
and Subnet Mask, click Apply. In the displayed
dialog box, click OK.
4. Adding the floating southbound IP address.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Floating
IP Address from the main menu.
b. Click Add, set the Floating IP Address and
Subnet Mask, select the Product Alias, select
Southbound from the NIC Usage drop-down
list, select NetEco-node01 and NetEco-node02
from the Node Name drop-down list, select
the physical network port name bond1, enter 1
(for example, bond1:1) next to the logical
network port name, click Apply. In the
displayed dialog box, click OK.
NOTE
The two new southbound fixed IP addresses and one
new southbound floating IP address must be on the
same network segment, and they must not be on the
same network segment as the northbound IP
address.
5. Adding the southbound IP Route.
NOTE
If the destination IP address and route are in the same
network segment, you do not need to add a southbound
IP route.
a. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Route
from the main menu.
b. Select NetEco-node01 and NetEco-node02
and click Query to query the route information.
c. Click Add Route. On the Add Route page,
select NetEco-node01 and NetEco-node02.
d. In the Add Route area, set NIC Name to
bond1, Destination Network to the network
number of the target NE, Subnet Mask/Prefix
Length to the planned subnet mask, and
Gateway/Next Hop to the planned
southbound IP gateway address, and click OK.
Changing the
Southbound IP
Address
● Single-Node System Scenario
1. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP Address
from the main menu.
2. Click Modify IP Address, select Southbound IP,
click Edit, and set the new IP address and other
configuration items.
● Cluster scenario
1. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Floating IP
Address from the main menu.
2. Select the southbound floating IP
address, set a new IP address, and set other
configuration items.
3. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP Address
from the main menu.
4. Click Modify IP Address, select the fixed
Southbound IP address, click Edit, and set the new
IP address and other configuration items.
NOTE
The two new southbound fixed IP addresses and one
new southbound floating IP address must be on the
same network segment, and they must not be on the
same network segment as the northbound IP address.
Deleting the
Southbound IP
Address
● Single-Node System Scenario
1. On the PowerEcho, choose Maintenance >
Network Configuration > Configure NIC from
the main menu.
2. Select a node, click Query Added NIC, select the
southbound IP address, and click Delete.
3. On the PowerEcho, choose Maintenance >
Network Configuration > Configure IP Address
from the main menu.
4. Click Modify IP Address, select the IP address to
be configured, click Edit, select Southbound in
NIC Usage, and click Apply.
5. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Route from
the main menu.
6. Select the node and click Query to query the route
information.
7. Select the route whose NIC Usage is Southbound
and click Delete Route.
● Cluster scenario
1. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Floating IP
Address from the main menu.
2. Locate the row that contains the southbound
floating IP address and click the Delete button.
3. Select the northbound floating IP address, select
Southbound in NIC Usage, and click Apply.
4. On the PowerEcho, choose Maintenance >
Network Configuration > Configure NIC from
the main menu.
5. Select the NetEco-node01 and NetEco-node02
nodes, click Query Added NIC, select the
southbound IP address, and click Delete.
6. On the PowerEcho, choose Maintenance >
Network Configuration > Configure Route from
the main menu.
7. Select NetEco-node01 and NetEco-node02 and
click Query to query the route information.
8. Select the route whose NIC Usage is Southbound
and click Delete Route.
2. In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
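The addressing rules stated in 1.6.4 and 1.6.6 (southbound fixed and floating addresses on one segment that is separate from the northbound segment, gateway on the interface segment, one default route per protocol, no two routes to the same destination, no route needed for an on-segment destination) can be checked against the planning data before it is entered. The following is an added example, not part of the NetEco product or of this guide; the function names, the dictionary layout and all addresses are constructed, and checking a default-route gateway against any local segment is an assumption.

```python
import ipaddress
from collections import Counter


def check_southbound(fixed, floating, northbound):
    """Cluster rule from 1.6.6.

    fixed      -- list of "ip/prefix" strings, one fixed southbound IP per node
    floating   -- "ip/prefix" string of the southbound floating IP
    northbound -- "ip/prefix" string of the northbound IP
    Returns a list of problem strings (empty when the plan is consistent).
    """
    south = [ipaddress.ip_interface(a) for a in list(fixed) + [floating]]
    north = ipaddress.ip_interface(northbound).network
    segments = {i.network for i in south}
    problems = []
    if len(segments) != 1:
        problems.append("southbound addresses are on different segments: "
                        + ", ".join(sorted(map(str, segments))))
    for seg in sorted(segments, key=str):
        # overlaps() raises TypeError across IP versions, so compare versions first
        if seg.version == north.version and seg.overlaps(north):
            problems.append(f"southbound segment {seg} overlaps northbound {north}")
    return problems


def check_routes(nic_addrs, routes):
    """Route rules from 1.6.4 and the route note in 1.6.6, for one node.

    nic_addrs -- {"bond1": "10.20.0.11/24", ...}
    routes    -- list of dicts with keys nic ("-" for the default route),
                 dest, mask (subnet mask or prefix length) and gw
    """
    nets = {nic: ipaddress.ip_interface(a).network for nic, a in nic_addrs.items()}
    problems, seen, defaults = [], Counter(), Counter()
    for r in routes:
        dest = ipaddress.ip_network(f"{r['dest']}/{r['mask']}")
        gw = ipaddress.ip_address(r["gw"])
        if dest.prefixlen == 0:
            defaults[dest.version] += 1
            # Assumption: a default-route gateway must sit on some local segment.
            candidates = list(nets.values())
        else:
            seen[dest] += 1
            nic_net = nets.get(r["nic"])
            candidates = [nic_net] if nic_net is not None else []
            if (nic_net is not None and nic_net.version == dest.version
                    and dest.subnet_of(nic_net)):
                problems.append(f"{dest} via {r['nic']}: destination is on the "
                                "interface segment, no route needed")
        if not any(gw in net for net in candidates):
            problems.append(f"{dest} via {r['nic']}: gateway {gw} is not on "
                            "the interface segment")
    for version, count in defaults.items():
        if count > 1:
            problems.append(f"{count} IPv{version} default routes, only one is allowed")
    for dest, count in seen.items():
        if count > 1:
            problems.append(f"{count} routes to {dest}, delete the unnecessary one")
    return problems


# Constructed planning data for one node (documentation and private ranges).
SAMPLE_NICS = {"bond0": "192.0.2.10/24", "bond1": "10.20.0.11/24"}
SAMPLE_ROUTES = [
    {"nic": "-", "dest": "0.0.0.0", "mask": "0", "gw": "192.0.2.1"},
    {"nic": "-", "dest": "0.0.0.0", "mask": "0", "gw": "192.0.2.254"},
    {"nic": "bond1", "dest": "10.30.0.0", "mask": "255.255.0.0", "gw": "10.21.0.1"},
    {"nic": "bond1", "dest": "10.30.0.0", "mask": "16", "gw": "10.20.0.1"},
    {"nic": "bond1", "dest": "10.20.0.0", "mask": "24", "gw": "10.20.0.1"},
]

if __name__ == "__main__":
    for line in check_southbound(["10.20.0.11/24", "10.20.1.12/24"],
                                 "10.20.0.10/24", "10.20.0.5/16"):
        print("southbound:", line)
    for line in check_routes(SAMPLE_NICS, SAMPLE_ROUTES):
        print("route:", line)
```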
1.7 Configuring Time
If the time and time zone are different among nodes, you can configure the time
zone and time of each node on the PowerEcho.
1.7.1 Changing the Time Zone and Time
If the current time and time zone of a node are inconsistent with the local time
and time zone, an error may occur during data processing or service processing
accuracy may be reduced when you perform operations such as backup and
restoration and operation log recording. Therefore, you need to change the time
and time zone.
Prerequisites
●
You have obtained the local time zone and time of the node.
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
In a remote cold backup scenario, the remote cold backup system has been
deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Context
●
DST is short for daylight saving time, and is one hour ahead compared with
the standard time.
●
The DST is associated with the time zone. When you set the time zone
correctly, the DST is also correct.
●
If DST is displayed in the Date and Time column, the DST has started in the
configured time zone.
Precautions
●
For security purposes, you are not allowed to set the time of the management
node to a time point out of the validity period of SSL certificates on the web
client. Do not change the time of the management node in CLI mode. If the
time is changed to a time point out of the validity period of the SSL
certificates, unknown errors may occur.
●
Before the time zone and time are changed, the PowerEcho automatically
stops the product services and product databases.
●
After the time zone and time are changed, a task for restarting the PowerEcho
will be automatically created.
●
If an NTP server has been configured, the node time will be synchronized with
the NTP server and cannot be changed on the GUI. You are advised to keep
the time zone of nodes consistent with that of the NTP server.
●
If no NTP server is configured, you can change the node time on the GUI.
●
If the time is adjusted sharply (by more than an hour), periodic tasks and the
data synchronization between nodes in a cluster scenario of products may be
affected. The tasks and data synchronization can be executed properly after a
period of time.
●
If any management node is faulty, restore the node first. Otherwise, the time
zone or time cannot be configured.
●
In a remote cold backup scenario, configure the time at the primary site and
then perform the same configurations at the secondary site to ensure that the
UTC (Coordinated Universal Time) time is consistent between the two sites.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Time Management > Configure Time
Zone and Time from the main menu.
Step 2 On the Configure Time Zone and Time page, perform the operations by referring
to Table 1-20.
Table 1-20 Changing or forcibly synchronizing time zone and time
Task
Operation
Change the time zone
and time.
When the time and time zone on the product node
and the management node are inconsistent with the
local time and time zone, you need to change them
accordingly.
Click Modify and perform operations as prompted.
NOTE
● After the NTP server is configured, the date and time of
product nodes and the management node will be
automatically synchronized and cannot be modified.
● After you change the time zone or time, in the Warning
dialog box, if you have deselected Automatically start
the product databases and product services after the
modification, the product databases and product
services are not automatically started after the change,
and you need to manually start them. For details, see
1.4.2 Starting Product Databases and 1.4.3 Starting
Product Services.
Forcibly synchronize the
time zone and time.
Forcibly synchronize the time zone and time if one of
the following occurs:
● The time of the product node is inconsistent with
that of the management node.
● The time of the management node is inconsistent
with the NTP server time.
● New product information is added.
● An NTP server is added.
Click Forcibly Synchronize and perform operations
as prompted.
NOTE
After you forcibly synchronize the time zone and time, in
the Warning dialog box, if you have deselected
Automatically start the product databases and product
services after the forcible synchronization, the product
databases and product services are not automatically
started, and you need to manually start them. For details,
see 1.4.2 Starting Product Databases and 1.4.3 Starting
Product Services.
Step 3 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
----End
1.7.2 Configuring NTP Servers
To ensure time consistency and accuracy among system nodes, configure an
external clock source that uses the standard NTP protocol as the NTP server. If the
IP address of the NTP server changes, modify the corresponding configurations.
Prerequisites
●
The NTP server to be added and the management node can communicate
properly.
NOTE
If the PowerEcho is deployed in cluster mode, the preceding management node
indicates Management0 and Management1.
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
The time and time zone of the node are consistent with those of the clock
source. For details, see 1.7.1 Changing the Time Zone and Time.
●
In a remote cold backup scenario, the remote cold backup system has been
deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Context
NTP-based time synchronization operations include identifier authentication and
information integrity authentication. This ensures time information integrity and
protects servers from being attacked during time synchronization.
●
A maximum of 10 NTP servers can be added on the PowerEcho. Only one
active NTP server can be configured and the active NTP server is mandatory.
●
After the active NTP server is configured, the management node will first
synchronize time from the NTP server, and then time on all product nodes will be
synchronized from the management node.
●
If the active NTP server fails, the PowerEcho will select an available NTP
server from the standby NTP servers within 15 minutes. The management
node then synchronizes time with the selected NTP server. If multiple NTP
servers configured on the PowerEcho become invalid, the management node
cannot synchronize time from the NTP servers, and the product nodes will no
longer synchronize time from the management node.
●
If you do not configure an NTP server, the management node functions as the
clock source by default.
NOTE
If the PowerEcho is deployed in cluster mode, the preceding management node indicates
Management0 and Management1.
Precautions
●
Do not set a Windows-based server as the NTP server. Otherwise, the time
may fail to be synchronized.
●
The IP address of the management node or the IP address of any product
node cannot be set to the IP address of an NTP server. Otherwise, the time of
product nodes may be incorrect.
●
If multiple NTP servers are configured, ensure that the time is consistent
between the NTP servers. Otherwise, NTP services are abnormal.
●
Do not set a VM as the NTP server. This prevents frequent time changes
caused by the interaction between the VM time and host time.
●
Do not set the clock source in a circular manner. For example, do not set A as
the clock source of B, B as the clock source of C, and C as the clock source of
A.
●
If any management node is faulty, restore the node first. Otherwise, the NTP
server cannot be configured.
●
In a remote cold backup scenario, configure the NTP server at the primary site
and then perform the same configurations at the secondary site to ensure
that the NTP server configurations at the primary and secondary sites are
consistent.
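The Key Index, Key and Calculation Digest parameters of this section have to match on both sides because the receiver looks up the key by its index and recomputes the digest over the packet. The following added example (not NetEco or NTP daemon code) checks the parameter constraints given in Table 1-22 and shows how each mismatch fails, using the key-followed-by-header digest construction of RFC 5905 symmetric-key authentication. Keeping the full-length SHA256 digest, the function names and all sample values are assumptions of the example.

```python
import hashlib
import hmac
import struct

DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}


def check_auth_params(key_index, key, digest):
    """Apply the Table 1-22 constraints; return a list of problems."""
    problems = []
    if not 1 <= key_index <= 65534 or key_index == 10000:
        problems.append("key index must be 1 to 65534 and not 10000")
    if not 1 <= len(key) <= 30:
        problems.append("key must contain 1 to 30 characters")
    if " " in key or "#" in key:
        problems.append("key must not contain spaces or number signs")
    if digest not in DIGESTS:
        problems.append(f"digest not covered by this example: {digest}")
    elif digest == "MD5":
        problems.append("MD5 may pose security risks, prefer SHA256")
    return problems


def add_mac(header, key_index, key, digest):
    """Client side: append the 32-bit key index and digest(key || header)."""
    mac = DIGESTS[digest](key.encode() + header).digest()
    return header + struct.pack("!I", key_index) + mac


def verify(message, server_keys):
    """Server side: server_keys maps key index -> (digest name, key)."""
    header, trailer = message[:48], message[48:]
    if len(trailer) <= 4:
        return "unauthenticated"
    (key_index,) = struct.unpack("!I", trailer[:4])
    if key_index not in server_keys:
        return "unknown key index"
    digest, key = server_keys[key_index]
    expected = add_mac(header, key_index, key, digest)
    # Constant-time comparison of the whole authenticated message.
    return "ok" if hmac.compare_digest(expected, message) else "digest mismatch"


# Constructed sample: 48-byte NTPv4 client header (LI=0, VN=4, Mode=3)
# with a made-up transmit timestamp in the last 8 bytes.
SAMPLE_HEADER = bytes([0x23]) + bytes(39) + struct.pack("!II", 3815000000, 0)
SAMPLE_KEY = "Constructed-Sample-Key"
SAMPLE_SERVER_KEYS = {42: ("SHA256", SAMPLE_KEY)}


def demo():
    """Return the server's verdict for a matching and several mismatched clients."""
    good = add_mac(SAMPLE_HEADER, 42, SAMPLE_KEY, "SHA256")
    tampered = bytearray(good)
    tampered[47] ^= 0x01  # flip one bit of the transmit timestamp in transit
    return {
        "matching parameters": verify(good, SAMPLE_SERVER_KEYS),
        "wrong key index": verify(
            add_mac(SAMPLE_HEADER, 43, SAMPLE_KEY, "SHA256"), SAMPLE_SERVER_KEYS),
        "wrong digest type": verify(
            add_mac(SAMPLE_HEADER, 42, SAMPLE_KEY, "MD5"), SAMPLE_SERVER_KEYS),
        "wrong key": verify(
            add_mac(SAMPLE_HEADER, 42, "Other-Key", "SHA256"), SAMPLE_SERVER_KEYS),
        "modified packet": verify(bytes(tampered), SAMPLE_SERVER_KEYS),
        "no MAC (NTP v4 mode)": verify(SAMPLE_HEADER, SAMPLE_SERVER_KEYS),
    }


if __name__ == "__main__":
    print(check_auth_params(10000, "a b#", "MD5"))
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```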
Procedure
Step 1 On the PowerEcho, choose Maintenance > Time Management > Configure NTP
from the main menu.
Step 2 On the Configure NTP page, perform operations based on Table 1-21.
Table 1-21 Adding or reconfiguring NTP servers
Task
Operation
Adding NTP servers
Click Add, and perform the operations
based on Table 1-22.
Reconfiguring NTP servers
If an alarm of abnormal NTP service is
generated for the NetEco and the
possible cause indicates that the time
synchronization relationship between
nodes is abnormal, reconfigure the
NTP server.
Click Reconfigure and perform
operations as prompted.
Table 1-22 NTP parameters
Parameter
Description
NTP Server IP Address
IP address of the NTP server.
Encryption Mode
Set this parameter to NTP v4
Authentication or NTP v4. For
security purposes, O&M personnel of
the NTP server are advised to configure
the NTP server with the more secure NTP
v4 Authentication mode.
● NTP v4 Authentication:
Authentication is required.
● NTP v4: Authentication is not
required.
Calculation Digest
Digest algorithm type of the time
synchronization packet.
This parameter is mandatory if
Encryption Mode is set to NTP v4
Authentication. The digest algorithm
type must be consistent with that on
the NTP server.
NOTE
Setting Calculation Digest to MD5 may
pose security risks. Exercise caution when
setting this parameter. For security
purposes, you are advised to select the
more secure SHA256 algorithm.
Key Index
Parameter used to quickly search for
the key and digest algorithm type for
authentication during the
communication with the NTP server.
This parameter is mandatory if
Encryption Mode is set to NTP v4
Authentication. The key index must
be consistent with that on the NTP
server.
NOTE
The key index is an integer from 1 to
65534, excluding 10000. By default, the
index of the PowerEcho is 10000, so the
key index cannot be 10000.
Key
An important part used to generate a
digest for authentication during the
communication with the NTP server.
This parameter is mandatory if
Encryption Mode is set to NTP v4
Authentication. The key must be
consistent with that on the NTP server.
NOTE
● The key must contain 1 to 30
characters.
● The key cannot contain spaces or
number signs (#).
Role
The active or standby status of the
NTP server.
Time Sync Status
Time synchronization status between
the NTP server and the PowerEcho.
Step 3 In the NTP server list, check that the NTP server has been successfully added.
● If the time synchronization status of the NTP server is Synchronizing, the time between the PowerEcho and the NTP server is being synchronized. Wait for 5 to 17 minutes. After the synchronization between the PowerEcho and the NTP server is complete, check the synchronization status of the NTP server, and perform the following operations based on the time synchronization status of the NTP server.
● If the time synchronization status of the NTP server is Normal, the time between the PowerEcho and the NTP server is successfully synchronized. Go to Step 4.
Step 4 Forcibly synchronize the time and time zone on the PowerEcho to the product nodes.
1. On the PowerEcho, choose Maintenance > Time Management > Configure Time Zone and Time from the main menu.
2. On the Configure Time Zone and Time page, click Forcibly Synchronize.
NOTE
– After you click Forcibly Synchronize, the management and product nodes gradually adjust the time until it is consistent with the NTP time. This prevents functions with high requirements on time accuracy, for example, the backup and restore function, from being affected by a sudden time change.
– If you want to perform other configuration operations that need to restart product services or product databases after forcibly synchronizing the time zone and time, do not select Automatically start the product databases and product services after the forcible synchronization in the Warning dialog box. In this case, after the forcible synchronization, product databases and product services will not be automatically started, preventing the product services or product databases from being restarted several times.
– In a remote cold backup scenario, if you are forcibly synchronizing the time zone and time of the secondary site, do not select Automatically start the product databases and product services after the forcible synchronization in the Warning dialog box. This prevents the product services of the secondary site from being restarted, which would cause the product to become dual-active.
Step 5 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
----End
Follow-up Procedure
After configuring the NTP servers, back up the following data:
The application and data of the PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.
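
The Table 1-22 rules as a check to run over a planned NTP server list before entering it on the Configure NTP page (an added example, not part of the Huawei guide or the NetEco software). The record layout, the name audit_ntp_entry and the sample values are assumptions constructed for illustration; server_side stands for the values reported by the NTP server's administrator.

```python
import ipaddress

AUTH_MODE = "NTP v4 Authentication"
PLAIN_MODE = "NTP v4"
RESERVED_KEY_INDEX = 10000  # default index of the PowerEcho (Table 1-22)


def audit_ntp_entry(entry, server_side=None):
    """Check one planned NTP server entry against the Table 1-22 rules.

    entry: dict with keys ip, mode, digest, key_index, key (hypothetical layout).
    server_side: optional dict with digest, key_index, key as configured on the
    NTP server, used for the "must be consistent" checks.
    Returns (errors, warnings). Key values are never echoed in the messages.
    """
    errors, warnings = [], []

    try:
        ipaddress.ip_address(str(entry.get("ip", "")))
    except ValueError:
        errors.append("NTP Server IP Address is not a valid IP address")

    mode = entry.get("mode")
    if mode == PLAIN_MODE:
        # Digest, key index and key do not apply in this mode.
        warnings.append("NTP v4 is used without authentication")
        return errors, warnings
    if mode != AUTH_MODE:
        errors.append("Encryption Mode must be NTP v4 Authentication or NTP v4")
        return errors, warnings

    digest = str(entry.get("digest") or "").upper()
    if not digest:
        errors.append("Calculation Digest is mandatory with NTP v4 Authentication")
    elif digest == "MD5":
        warnings.append("Calculation Digest MD5 may pose security risks; SHA256 is advised")

    index = entry.get("key_index")
    if isinstance(index, bool) or not isinstance(index, int) or not 1 <= index <= 65534:
        errors.append("Key Index must be an integer from 1 to 65534")
    elif index == RESERVED_KEY_INDEX:
        errors.append("Key Index 10000 is the PowerEcho default and cannot be used")

    key = entry.get("key") or ""
    if not 1 <= len(key) <= 30:
        errors.append("Key must contain 1 to 30 characters")
    if " " in key or "#" in key:
        errors.append("Key cannot contain spaces or number signs (#)")

    if server_side is not None:
        if digest != str(server_side.get("digest") or "").upper():
            errors.append("Calculation Digest differs from the value on the NTP server")
        if index != server_side.get("key_index"):
            errors.append("Key Index differs from the value on the NTP server")
        if key != server_side.get("key"):
            errors.append("Key differs from the value on the NTP server")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample entries (documentation IP range, made-up key).
    planned = [
        {"ip": "192.0.2.10", "mode": AUTH_MODE, "digest": "SHA256",
         "key_index": 42, "key": "Constructed-Key_01"},
        {"ip": "192.0.2.11", "mode": AUTH_MODE, "digest": "MD5",
         "key_index": 10000, "key": "has space#"},
        {"ip": "192.0.2.12", "mode": PLAIN_MODE},
    ]
    for item in planned:
        print(item["ip"], audit_ntp_entry(item))
```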
1.8 Collecting Equipment Serial Numbers
Before applying for a product, collect the equipment serial numbers (ESNs) of the
product.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
In a remote cold backup scenario, collect the ESN of the product at both the
primary and secondary sites. When applying for a license for a product, enter the
ESNs of the primary and secondary sites in the format of ESN1,ESN2 in a random
sequence.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Information Collection > Collect ESN
Information from the main menu.
Step 2 In the Select Product and Collect ESN Information area on the Collect ESN
Information page, select a product type and click Collect on the right.
Step 3 In the displayed dialog box, click Yes. In the displayed dialog box, click OK.
Step 4 After the task of Collecting ESN Information is complete, refresh the page. In the
ESN Information list, click the .zip package of the collected ESN to download the
file to your PC.
----End
1.9 Alarm Dump
Context
To prevent alarm data from overloading the database, the system processes events, masked alarms, and historical alarms every 2 minutes according to the following rules:
● If the database space usage reaches 80%, the system dumps data to files in order of occurrence time and data table types (event, masked alarm, and historical alarm).
● Dump files will be retained for a maximum of 180 days.
● If dump files exceed 1024 MB or there are more than 1000 dump files, the earliest ones will be deleted.
Configuration Guide
Currently, dump supports only the default configuration file dumpconfig.json
in /opt/oss/envs/Product-FMWebsite/20190924062526941/etc/dump. (The time
and directory levels are subject to the actual situation.)
"maxDatabaseSize": 71680,
"whenDumpPercent": 80,
"dumpPeriod": true,
"reservedDay": 90,
"saveFile": true,
"period": 2,
"periodUnit": "MIN",
"startTime": "01:00",
"fileSavePath": "alarmdump",
"fileTotalSize": 1024,
"fileSaveDay": 180,
"isCompress":1,
"fileType":"csv",
"keepFileNum":1000,
"siExportType":1
Parameter Description
dumpPeriod: specifies whether to enable the time-based dump function. The
default value is true.
fileSaveDay: specifies the maximum number of days for saving dump files in the
dump directory. The default value is 180, and the value range is 3 to 365.
fileSavePath: specifies the default path for saving dump files. The default value is
alarmdump (the name can be changed).
fileTotalSize: specifies the maximum size of files that can be saved in the dump
directory. The default value is 1024 MB, and the value range is 200 to 6144 MB.
fileType: specifies the dump file type. Currently, only CSV is supported.
isCompress: specifies whether to compress files. 0: no compression; 1: zip; 2: gzip; 3: tar.gz. The default value is 1 (zip).
keepFileNum: specifies the maximum number of dump files that can be saved.
The default value is 1000. The value range is 200 to 3000.
maxDatabaseSize: specifies the maximum database capacity. The default value is
71680, and the value range is 5120 to 230400.
period: specifies the dump period. The default value is 2.
periodUnit: specifies the unit of the dump period. The default value is MIN. The value range of period is 2 to 527040 for MIN, 1 to 8784 for HOUR, and 1 to 366 for DAY.
reservedDay: specifies the maximum number of days for which dump files can be
retained. The default value is 90, and the value range is 1 to 180. This parameter
does not take effect currently.
saveFile: specifies whether to save the file. The default value is true. Retain the
default value.
siExportType: specifies the file dump type. This parameter is provided to maintain
consistency with the iMAP. 1: automatic; 2: manual. This parameter is not used.
startTime: specifies the execution time. The default value is 01:00.
whenDumpPercent: specifies the dump threshold. The default value is 80. The
value range is 50 to 90.
If dump is based on the database capacity, data that occupies at least 20% of the
current database usage is dumped.
A maximum of 5000 records can be saved in each file.
Procedure
Step 1 Use PuTTY to log in to the node where the FM service is deployed, as user sopuser
in SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 2 Run the following command to switch to the ossuser user:
$ su - ossuser
Password: password for the ossuser user
Step 3 Set alarm dump parameters.
1. Run the following command to access the directory of the configuration file:
$ cd /opt/oss/envs/Product-FMWebsite/20190924062526941/etc/dump
NOTE
The time and directory levels are subject to the actual situation.
2. Run the following command to open the dumpconfig.json configuration file using the vi editor:
$ vi dumpconfig.json
Information similar to the following is displayed:
"maxDatabaseSize": 71680,
"whenDumpPercent": 80,
"dumpPeriod": true,
"reservedDay": 90,
"saveFile": true,
"period": 2,
"periodUnit": "MIN",
"startTime": "01:00",
"fileSavePath": "alarmdump",
"fileTotalSize": 1024,
"fileSaveDay": 180,
"isCompress":1,
"fileType":"csv",
"keepFileNum":1000,
"siExportType":1
3. Press i to enter the insertion mode.
4. Modify the alarm dump configuration file based on the information provided in Parameter Description.
5. Press Esc to return to the vi command line mode.
6. Enter :wq, save the modification, and exit the vi editor.
7. Restart the FM service. For details, see 1.5.2 Stopping Product Services and 1.4.3 Starting Product Services.
----End
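
A check to run on the edited dumpconfig.json before restarting the FM service, built from the value ranges in Parameter Description (an added example, not part of the Huawei guide or the NetEco software). It assumes the file's top level is a JSON object holding the keys shown above and that startTime is a 24-hour HH:MM value; validate_dumpconfig and the sample text are constructed for illustration.

```python
import json
import re

# (min, max) per key, taken from Parameter Description
INT_RANGES = {
    "fileSaveDay": (3, 365),
    "fileTotalSize": (200, 6144),       # MB
    "keepFileNum": (200, 3000),
    "maxDatabaseSize": (5120, 230400),
    "reservedDay": (1, 180),
    "whenDumpPercent": (50, 90),
    "isCompress": (0, 3),               # 0 none, 1 zip, 2 gzip, 3 tar.gz
    "siExportType": (1, 2),             # 1 automatic, 2 manual
}
PERIOD_RANGES = {"MIN": (2, 527040), "HOUR": (1, 8784), "DAY": (1, 366)}
# Assumption: the default file carries every key, so a missing key is
# treated as an editing accident and reported.
EXPECTED_KEYS = set(INT_RANGES) | {
    "dumpPeriod", "saveFile", "period", "periodUnit",
    "startTime", "fileSavePath", "fileType",
}


def _int_in(value, low, high):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_dumpconfig(text):
    """Return a list of problems in dumpconfig.json text; an empty list means OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]

    problems = [f"{key}: missing" for key in sorted(EXPECTED_KEYS - cfg.keys())]

    for key, (low, high) in INT_RANGES.items():
        if key in cfg and not _int_in(cfg[key], low, high):
            problems.append(f"{key}: must be an integer from {low} to {high}")

    # The allowed range of period depends on periodUnit.
    unit = cfg.get("periodUnit")
    if "periodUnit" in cfg and not (isinstance(unit, str) and unit in PERIOD_RANGES):
        problems.append("periodUnit: must be MIN, HOUR or DAY")
    elif "periodUnit" in cfg and "period" in cfg:
        low, high = PERIOD_RANGES[unit]
        if not _int_in(cfg["period"], low, high):
            problems.append(
                f"period: must be an integer from {low} to {high} when periodUnit is {unit}")

    if "dumpPeriod" in cfg and not isinstance(cfg["dumpPeriod"], bool):
        problems.append("dumpPeriod: must be true or false")
    if "saveFile" in cfg and cfg["saveFile"] is not True:
        problems.append("saveFile: retain the default value true")
    if "fileType" in cfg and str(cfg["fileType"]).lower() != "csv":
        problems.append("fileType: only csv is supported")
    start = cfg.get("startTime")
    if "startTime" in cfg and not (
            isinstance(start, str) and re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", start)):
        problems.append("startTime: expected HH:MM")
    path = cfg.get("fileSavePath")
    if "fileSavePath" in cfg and not (isinstance(path, str) and path.strip()):
        problems.append("fileSavePath: must be a non-empty string")
    return problems


# Constructed sample: the default values listed above, wrapped in braces.
DEFAULT_TEXT = """{
"maxDatabaseSize": 71680, "whenDumpPercent": 80, "dumpPeriod": true,
"reservedDay": 90, "saveFile": true, "period": 2, "periodUnit": "MIN",
"startTime": "01:00", "fileSavePath": "alarmdump", "fileTotalSize": 1024,
"fileSaveDay": 180, "isCompress": 1, "fileType": "csv",
"keepFileNum": 1000, "siExportType": 1
}"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_TEXT
    found = validate_dumpconfig(source)
    print("\n".join(found) if found else "dumpconfig.json: no problems found")
```

A stray trailing comma left behind in vi is reported as a JSON error with its line and column, which is the quickest thing to rule out before the restart.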
1.10 Software Management
This chapter describes the operations related to product software, including
software package management, third-party patch management, and product
software installation, upgrade, capacity expansion, and uninstallation.
1.10.1 Managing Software Packages
You can upload software packages required for installation and upgrade, or
management of third-party patches, and delete unnecessary software packages if
the disk space is insufficient.
Prerequisites
● The communication between your PC and the management node is normal.
● To upload a software package:
– You have obtained the software package and corresponding signature file to be uploaded.
– You have obtained the password for the sopuser and ossadm user on the management node.
● To delete a software package:
The software package to be deleted is not in the running state.
Precautions
● The software package to be uploaded must meet the following requirements. Otherwise, the upload fails.
– The software package name can contain a maximum of 128 characters, including letters, digits, underscores (_), hyphens (-), and dots (.).
– If the software package is in .zip, .7z, or .gz format, upload the signature file at the same time. The signature file can be in .asc, .cms, or .crl format.
– If the software package is in .tar format, you do not need to upload the signature file at the same time because the software package contains the corresponding signature file.
● If the software package size is less than 6 GB, the signature file size is less than 2 MB, and the network bandwidth between your PC and the management node is greater than 100 Mbit/s, you can upload software packages using the software management function on the PowerEcho. If the preceding conditions are not met, upload the software packages in resumable transfer mode.
● During the scanning for software packages, do not restart any management node. Otherwise, the scanning may fail.
● If the scanning fails, the uploaded software packages will be automatically deleted to free up the disk space.
Procedure

Task: (Recommended) Upload the software package to the management node in resumable transfer mode.
Operation:
1. Use PuTTY to log in to the management node as the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations on Management0. For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the IP Address of a Node?
2. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3. Run the following command to check the available space in the /opt directory:
> df -h /opt
Check the value of Avail in the command output.
● If the value is greater than or equal to three times the size of the software packages, go to 4.
● If the value is less than three times the size of the software packages, refer to operations provided in this section to delete unnecessary software packages. If the disk space is still less than three times the size of the software packages, contact Huawei technical support to clear the disk space.
4. Use FileZilla to upload the software package and signature file to the default temporary directory /opt/oss/manager/var/tmp on the management node as the ossadm user. For details, see 1.24.2 Transferring Files Using FileZilla.
5. Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
6. On the PowerEcho, choose Product > Software Management > Manage Software Packages from the main menu.
7. Click Scan. In the Information dialog box, click OK.
NOTE
The system automatically checks the integrity of the software package. The result can be viewed in the detailed information about the scanning task on the Task List page. If the scanning task fails, rectify the fault as prompted, and then execute the scanning task again.
8. After the scanning task is executed successfully, view the uploaded software package on the Manage Software Packages tab page.

Task: Use the software management function of the PowerEcho to upload the software package.
Operation:
1. Use PuTTY to log in to the management node as the sopuser user in SSH mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations on Management0. For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the IP Address of a Node?
2. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3. Run the following command to check the available space in the /opt directory:
> df -h /opt
Check the value of Avail in the command output.
● If the value is greater than or equal to three times the size of the software packages, go to 4.
● If the value is less than three times the size of the software packages, refer to operations provided in this section to delete unnecessary software packages. If the disk space is still less than three times the size of the software packages, contact Huawei technical support to clear the disk space.
4. Run the following command to check the available space in the /opt/share directory:
> df -h /opt/share
Check the value of Avail in the command output.
● If the value is greater than the size of the uploaded software package, go to 5.
● If the value is less than the size, upload the software package in resumable transfer mode.
5. Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
6. On the PowerEcho, choose Product > Software Management > Manage Software Packages from the main menu.
7. On the Manage Software Packages page, click Upload to upload the software package as prompted.
NOTE
During the upload, the system automatically checks the integrity of the installation package. If the upload fails, rectify the fault as prompted and then upload the software package again.

Task: Delete a software package.
Operation:
1. Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
2. On the PowerEcho, choose Product > Software Management > Manage Software Packages from the main menu. On the Manage Software Packages page, delete the software package as prompted.
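
The Precautions and the two disk-space checks above, combined into one decision to make before transferring a package (an added example, not part of the Huawei guide or the NetEco software). The name plan_upload, its parameters and the sample values are constructed; it assumes binary GB/MB, ASCII letters in the name rule, and that the Avail figures were read from df on the management node and converted to bytes.

```python
import re

GB = 1024 ** 3  # assumption: the guide's GB and MB are binary units
MB = 1024 ** 2
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")  # assumption: "letters" means ASCII
NEEDS_SIGNATURE = (".zip", ".7z", ".gz")   # signature file uploaded alongside
SIGNATURE_EXTS = (".asc", ".cms", ".crl")


def plan_upload(pkg_name, pkg_size, sig_name, sig_size,
                opt_avail, share_avail, bandwidth_mbps):
    """Decide whether and how a package can be uploaded.

    Sizes and Avail values are in bytes; sig_name/sig_size are None for a
    .tar package, which carries its own signature file.
    Returns {"errors": [...], "mode": "web" | "resumable" | None}.
    """
    errors = []

    if not NAME_RE.fullmatch(pkg_name):
        errors.append("package name: at most 128 characters from letters, "
                      "digits, underscores, hyphens and dots")

    lower = pkg_name.lower()
    if lower.endswith(NEEDS_SIGNATURE):
        if not sig_name:
            errors.append("signature file must be uploaded with a .zip, .7z or .gz package")
        elif not sig_name.lower().endswith(SIGNATURE_EXTS):
            errors.append("signature file must be in .asc, .cms or .crl format")
    elif not lower.endswith(".tar"):
        errors.append("package format is not one of .zip, .7z, .gz or .tar")

    # Step 3 of both upload tasks: /opt needs three times the package size.
    if opt_avail < 3 * pkg_size:
        errors.append("/opt: Avail is less than three times the package size; "
                      "delete unnecessary software packages first")

    if errors:
        return {"errors": errors, "mode": None}

    # The web upload is allowed only when every limit is met; otherwise the
    # guide directs you to resumable transfer mode.
    web_ok = (
        pkg_size < 6 * GB
        and (sig_size or 0) < 2 * MB
        and bandwidth_mbps > 100
        and share_avail > pkg_size      # step 4 of the web upload task
    )
    return {"errors": [], "mode": "web" if web_ok else "resumable"}


if __name__ == "__main__":
    # Constructed sample values.
    print(plan_upload("example_pkg-1.0.zip", 2 * GB, "example_pkg-1.0.zip.cms",
                      4096, 10 * GB, 5 * GB, 1000))
    print(plan_upload("example_pkg-1.0.zip", 7 * GB, "example_pkg-1.0.zip.cms",
                      4096, 30 * GB, 20 * GB, 1000))
    print(plan_upload("example pkg.zip", 2 * GB, None, None, 5 * GB, 5 * GB, 1000))
```

A result of resumable corresponds to the FileZilla upload to the temporary directory followed by Scan, where the system checks the integrity of the package.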
1.10.2 Upgrading Product Software
After the product software upgrade package is uploaded to the PowerEcho, you
can upgrade the product.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● During the upgrade, the system backs up the product data. Ensure that backup parameters have been configured. For details, see 1.11.4 Configuring Backup Parameters.
● The product software upgrade package has been uploaded. For details, see 1.10.1 Managing Software Packages.
● The services and databases on all nodes of the product to be upgraded are running properly. For details, see 1.3.1 Monitoring Products.
Precautions
● During the upgrade, services of the product to be upgraded are automatically stopped. Therefore, exercise caution when performing this operation. You are advised to perform this operation in off-peak hours.
● After the residual data is cleared, rollback to the source version is not supported. Exercise caution when performing this operation.
Procedure
Step 1 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 2 On the Deploy Product Software page, click the product to be upgraded. The
product details page is displayed.
Step 3 In the upper right corner, click Upgrade, and choose Upgrade Wizard from the
drop-down menu. Perform operations as prompted. For details, see the upgrade
guide of the corresponding version.
NOTE
The management refers to PowerEcho, and the product refers to NetEco.
When you upgrade or roll back the PowerEcho (including the upgrade or rollback failure), clicking Upgrade Wizard on the PowerEcho displays a message indicating that the upgrade wizard fails to be started. You can log in to https://client IP address of the PowerEcho:31050 to access the upgrade wizard page.
Step 4 (Optional) If you confirm that the rollback to the source version is not required,
clear residual data after the upgrade to free up the disk space.
In the upper right corner of the page for the product deployment details, click
More and choose Clear Residual Data from the drop-down menu. Clear
unnecessary deployment paths and databases as prompted.
NOTICE
After the data is cleared, the rollback to the source version is not supported.
Perform this operation only when you confirm that the rollback is not required.
Step 5 After the upgrade, historical backup files have become invalid. Back up the following data:
● The application and data of the PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.
● The product applications. For details, see 1.11.5.3 Backing Up Product Applications.
● The database applications. For details, see 1.11.5.4 Backing Up Database Applications.
● The product data. For details, see 1.11.5.2 Backing Up Product Data.
----End
1.10.3 Expanding Product Software Capacity
You can install product software on new product nodes of a product when the
product capacity needs to be expanded.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● The hostname of the new node cannot be localhost or localhost.localdomain.
● In a remote cold backup scenario, the existing remote cold backup system has been deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Procedure
Step 1 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 2 On the Deploy Product Software page, click the product with capacity to be
expanded. The product details page is displayed.
Step 3 In the upper right corner, click More, and choose Scale Out from the drop-down menu. Perform operations as prompted.
● If the task is successfully executed, the capacity expansion is complete.
● If the task fails to be executed, rectify the fault according to the suggestions in task details.
– If the fault is rectified, in the Deployment History area, click Retry in the Operation column and perform operations as prompted.
– If the fault cannot be rectified, in the Deployment History area, click Roll Back in the Operation column and perform operations as prompted.
Step 4 In a remote cold backup scenario, set up a remote cold backup system. For details,
see 1.12.2.1 Configuring a Remote Cold Backup System.
Step 5 After the capacity expansion, historical backup files have become invalid. Back up the following data:
● The application and data of the PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.
● The product applications. For details, see 1.11.5.3 Backing Up Product Applications.
● The database applications. For details, see 1.11.5.4 Backing Up Database Applications.
● The product data. For details, see 1.11.5.2 Backing Up Product Data.
----End
1.10.4 Uninstalling NetEco Product Software
You can uninstall the product software that has been installed. This operation will
uninstall both the NetEco and PowerEcho.
Prerequisites
You have obtained the password for the sopuser user and root user of the NetEco.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode. For details, see 1.1.2 Logging In to the PowerEcho.
NOTE
If the PowerEcho is deployed in cluster mode, log in to any management node and perform the uninstallation operation.
Step 2 It may take a long time to uninstall the NetEco, so PuTTY may be disconnected due to timeout. Configure PuTTY to prevent it from being disconnected. For details, see 1.23.19 How Do I Prevent PuTTY from Being Disconnected upon Timeout?
Step 3 Run the following command to switch to the root user:
$ su - root
Password: password for the root user
Step 4 Run the following commands to uninstall the NetEco:
# cd /opt/NetEcoTools/
# bash uninstall.sh
When the following information is displayed, enter y or Y and press Enter:
Are you sure to continue? [y/n]
NOTE
To cancel the uninstallation, enter n or N.
If the following information is displayed, the NetEco is successfully uninstalled.
Otherwise, contact Huawei technical support.
Uninstall... done
----End
1.10.5 Modifying Configuration Parameters of Product Software
You can use this function to modify the product configurations.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
Parameters on this page are installation and deployment procedure parameters
and have been configured during installation. Do not change the parameters
unless detailed modification scenarios and procedures are described in the
documentation.
Procedure
Step 1 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 2 On the Deploy Product Software page, click the product with configurations to
be modified. The product details page is displayed.
Step 3 In the upper right corner of the page, click More and choose Modify
Configurations from the drop-down menu, and perform operations as prompted.
Step 4 After the modification, historical backup files of the application and data of the
PowerEcho have become invalid. Back up the application and data of the
PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and
Data of the PowerEcho.
----End
1.10.6 Adding Product Features
You can incrementally install product features.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● The product to which you need to add features has been installed.
● In a remote cold backup scenario, the remote cold backup system has been deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Procedure
Step 1 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 2 On the Deploy Product Software page, click the product with features to be
installed. The product details page is displayed.
Step 3 In the upper right corner of the page, click More and choose Add Features from
the drop-down menu.
Step 4 In the Features area, select features to be installed, and perform operations as
prompted.
NOTE
After a feature is selected, new configuration items may be displayed in the Configurations
area. Ensure that the values of the configuration items are correct.
Step 5 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
Step 6 After the features are added, historical backup files have become invalid. Back up the following data:
● The application and data of the PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.
● The product applications. For details, see 1.11.5.3 Backing Up Product Applications.
● The database applications. For details, see 1.11.5.4 Backing Up Database Applications.
● The product data. For details, see 1.11.5.2 Backing Up Product Data.
----End
1.10.7 Deleting Product Features
You can delete unnecessary features of a product to save system resources.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● In a remote cold backup scenario, the remote cold backup system has been deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Procedure
Step 1 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 2 On the Deploy Product Software page, click the product with features to be
deleted. The product details page is displayed.
Step 3 In the upper right corner of the page, click More and choose Delete Features
from the drop-down menu.
Step 4 On the Delete Features page, click on the left of the product with features to
be uninstalled. Select the features to be uninstalled, and perform operations as
prompted.
Step 5 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
Step 6 After the features are deleted, historical backup files have become invalid. Back up the following data:
● The application and data of the PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.
● The product applications. For details, see 1.11.5.3 Backing Up Product Applications.
● The database applications. For details, see 1.11.5.4 Backing Up Database Applications.
● The product data. For details, see 1.11.5.2 Backing Up Product Data.
----End
1.11 Backup and Restore
Backup and restore can improve system reliability by reducing the data loss of the
PowerEcho or the NetEco caused by misoperations or faults.
1.11.1 Overview
To improve the reliability of the PowerEcho and the NetEco, periodically back up
the application and product data. If the PowerEcho or the NetEco is faulty, you
can restore the PowerEcho or the NetEco to the state before backup by using the
backup data.
Concepts
Table 1-23 lists the concepts in backup and restore. This helps you understand the
function.
Table 1-23 Common concepts

Concept: Application
Description: Data that does not change in real time during the system running, including product applications (such as files in the /opt/oss/NetEco directory) and database applications (such as files in the /opt/redis directory and the /opt/zenith directory).

Concept: Product data
Description: Data and configuration files that change in real time during system running, such as files in the /opt/neteco directory.

Concept: Scheduled backup
Description: The system automatically backs up all data to the backup server at the scheduled time. Data can be backed up once or periodically.

Concept: Manual backup
Description: Manually back up data of a time point to the backup server.

Principles
After the backup server is configured, you can back up the data of products and
applications. The backup data is transferred to the backup server through a
transfer protocol, for example, Secure File Transfer Protocol (SFTP). You can back
up any type of data independently.
If the data of the PowerEcho or the NetEco is missing or damaged, you can
restore the corresponding data. Before restoring a type of data, ensure that its
lower-layer data is normal. For example, before restoring the product data, ensure
that the application data and OS data are normal.
Advantages
● Flexibility and ease of use

Function: Multi-dimensional backup
Description: Data backup of instances, nodes, and products is supported.

Function: Multi-dimensional restoration
Description: Data restoration of instances, nodes, and products is supported.

Function: Scheduled backup
Description: Periodic scheduled data backup of products and the PowerEcho is supported. Manual operations are not required.

Function: Easy operations
Description: On the web client of the PowerEcho, the backup and restore operations are easy with guidance provided.

● Security and reliability

Function: Secure transfer of backup data
Description: Data is transferred over SFTP, and security measures are provided to ensure data security.

Function: Real-time task status display
Description: The details of backup and restore tasks are displayed in real time in the task list.

● High performance

Function: Concurrent backup
Description: Backup tasks of different products can be executed at the same time.

Function: Time-specific restoration
Description: Data can be restored to a specific time point.

Function Description
The application and data of a product and the PowerEcho can be backed up and
restored. Before restoring upper-layer data, ensure that its lower-layer data is
normal. For example, before restoring the product data, ensure that the
application and OS are normal. Before restoring the application, ensure that the
OS is normal. When you restore the database application or product application,
the two types of restoration are independent from each other.
Configuration Requirements
Table 1-24 Configuration requirements

Item: Database type
Description: The GaussDB and Redis databases are supported.

Item: OS
Description: EulerOS is supported.

Item: Disk space
Description: Calculate the backup space based on site requirements of each product and the PowerEcho in different network scales.
Total backup space = Sum of backup space for all products + Backup space for the PowerEcho
Backup space for a product = Backup space for the product data + Backup space for the product application + Backup space for the database applications + Backup space for the product OS
Backup space for the PowerEcho = Backup space for the application and data of the PowerEcho + Backup space for the OS of the PowerEcho

Item: Data transfer protocol
Description: The data can be transferred over Secure File Transfer Protocol (SFTP).

Backup Contents
Table 1-25 Backup Contents

Backup Item: Product Data
Backup Contents: Database data, and /opt/neteco

Backup Item: Product Applications
Backup Contents: /opt/oss/NetEco

Backup Item: Database Applications
Backup Contents: /opt/zenith (The service dynamic data file is not included)

1.11.2 Backup and Restoration Scenarios and Policies
This section describes typical backup and restoration scenarios and policies, which
help you back up and restore data when using the PowerEcho and the NetEco
and keep the system running stably.
1.11.2.1 Backup Scenarios and Policies
Before using the backup function, you are advised to learn the backup scenarios
and policies to create backup tasks properly.
Typical Backup Scenarios and Recommended Policies
Table 1-26 lists common backup scenarios and methods. You can adjust the
policies based on site requirements.
Table 1-26 Typical backup scenarios and recommended policies

Scenario: Initial installation and commissioning
Description: The PowerEcho and product have been installed and commissioned.
Backup Object: The application and data of the PowerEcho
Method:
1. Create a periodic scheduled task for backing up the PowerEcho. For details, see
   1.11.6.2 Backing Up the PowerEcho Applications and Data on a Scheduled Basis.
2. Manually create tasks for backing up the PowerEcho by following instructions
   provided in 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho.

Scenario: Initial installation and commissioning
Description: The PowerEcho and product have been installed and commissioned.
Backup Object: The application and data of the product
Method:
1. Create periodic scheduled tasks for backing up the product. For details, see
   1.11.5.1 Backing Up Product on a Scheduled Basis.
2. Manually create tasks for backing up the product by following instructions
   provided in:
   ● 1.11.5.2 Backing Up Product Data
   ● 1.11.5.3 Backing Up Product Applications
   ● 1.11.5.4 Backing Up Database Applications

Scenario: Major configuration changes
Description: For example, the IP address or route has been changed.
Backup Object:
● The application and data of the product
● The application and data of the PowerEcho
Method: Back up all the required data by following instructions provided in:
● 1.11.5.2 Backing Up Product Data
● 1.11.5.3 Backing Up Product Applications
● 1.11.5.4 Backing Up Database Applications
● 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Scenario: Upgrade or patch installation
Description: For example, the database user password on the PowerEcho node has
been changed.
Backup Object: The application and data of the PowerEcho
Method: 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Scenario: Upgrade or patch installation
Description: The OS will be upgraded, or an OS patch will be installed.
Backup Object:
● The application and data of the product
● The application and data of the PowerEcho
Method: Back up all the required data by following instructions provided in:
● 1.11.5.2 Backing Up Product Data
● 1.11.5.3 Backing Up Product Applications
● 1.11.5.4 Backing Up Database Applications
● 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Scenario: Upgrade or patch installation
Description:
● The product application will be upgraded.
● The product application has been upgraded.
Backup Object: The application and data of the product
Method: Back up all the required data by following instructions provided in:
● 1.11.5.2 Backing Up Product Data
● 1.11.5.3 Backing Up Product Applications

Scenario: Upgrade or patch installation
Description:
● The database application will be upgraded, or a database application patch will
  be installed.
● The database application has been upgraded, or a database application patch has
  been installed.
Backup Object:
● The application and data of the product
● The application and data of the PowerEcho
Method: Back up all the required data by following instructions provided in:
● 1.11.5.2 Backing Up Product Data
● 1.11.5.3 Backing Up Product Applications
● 1.11.5.4 Backing Up Database Applications
● 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Scenario: Upgrade or patch installation
Description:
● The PowerEcho will be upgraded, or a patch will be installed.
● The PowerEcho has been upgraded, or a patch has been installed.
Backup Object: The application and data of the PowerEcho
Method: 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Scenario: Routine maintenance
Description: Routine maintenance is performed.
Backup Object:
● The application and data of the product
● The application and data of the PowerEcho
Method: Back up all the required data by following instructions provided in:
● 1.11.5.2 Backing Up Product Data
● 1.11.5.3 Backing Up Product Applications
● 1.11.5.4 Backing Up Database Applications
● 1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho

Backup File Storage Threshold
The backup file storage threshold is the maximum number of latest backup
files that can be stored. If the number of backup files exceeds the storage
threshold, the earliest backup files are automatically deleted until the number of
backup files is equal to the storage threshold.
Table 1-27 lists the default number of latest backup files that can be stored.
Table 1-27 Backup file storage thresholds

| Type | Number of Backup Files | Description |
| --- | --- | --- |
| Product data | 2 | The storage threshold is configurable and must be an integer from 1 to 100. For details, see 1.11.4 Configuring Backup Parameters. |
| Product application | 2 | The storage threshold is not configurable. |
| Database application | 2 | The storage threshold is not configurable. |
| The PowerEcho | 3 | The storage threshold is configurable and must be an integer from 1 to 10. For details, see 1.11.4 Configuring Backup Parameters. |

Execution Sequence of Backup Tasks
When multiple backup tasks are to be executed at the same time, the system
follows the rules in Table 1-28:
Table 1-28 Execution sequence of backup tasks

| Description | Example |
| --- | --- |
| For a product, tasks for backing up other data are executed in serial mode, that is, the system executes the backup tasks in sequence based on their creation time. | The backup tasks 1 and 2 of product A are both scheduled to start at 01:00:00, and task 1 is created earlier than task 2. If the tasks are for backing up other data, task 1 starts at 01:00:00, and task 2 starts only after task 1 is complete (for example, at 03:00:00). |
| For different products, tasks for backing up the PowerEcho and other data that are scheduled to start at the same time are executed in serial mode, that is, the system executes the backup tasks in sequence based on their creation time. Other backup tasks scheduled to start at the same time are executed concurrently. | The backup task 1 of product A and backup task 2 of product B are scheduled to start at 01:00:00, and task 1 is created earlier than task 2. If task 1 is for backing up the PowerEcho, and task 2 is for product applications or other data, task 1 starts at 01:00:00, and task 2 starts only after task 1 is complete (for example, at 03:00:00). If the tasks are for other data, both task 1 and task 2 start at 01:00:00. |

1.11.2.2 Restoration Scenarios and Policies
Before using the restoration function, you are advised to learn the restoration
scenarios and policies to create restoration tasks properly.
Typical Restoration Scenarios and Recommended Policies
Table 1-29 lists common restoration scenarios and recommended policies. You can
adjust the policies based on site requirements.
Table 1-29 Recommended policies

| Scenario | Recommended Policy |
| --- | --- |
| The physical machine or VM is faulty. | For details, see Table 1-30. |
| The database is faulty. | For details, see Table 1-31. |
| Other faults. | For details, see Table 1-32. |

Table 1-30 Typical restoration scenarios and recommended policies for physical
machine or VM faults

Scenario: The physical machine or VM is faulty.
Object: The management node and product node
Restoration Method: Prepare the backup physical machine, or restore the VM, and
then perform the operations provided in:
1. 1.11.7.1 Restoring Database Applications
2. 1.11.7.2 Restoring Product Applications
3. 1.11.7.3 Restoring Product Data

Table 1-31 Typical restoration scenarios and recommended policies for database
faults

Scenario: The database file of the product node is damaged but the OS of the
database node is running properly.
Object: The product database application
Restoration Method: Perform the following operations in sequence:
1. 1.11.7.1 Restoring Database Applications
2. 1.11.7.3 Restoring Product Data

Table 1-32 Typical restoration scenarios and recommended policies for other
faults

Scenario: The product application is faulty.
Description: The product application is abnormal, but the OS of the product node
is normal.
Object: The product application
Restoration Method: Perform the following operations in sequence:
1. 1.11.7.2 Restoring Product Applications
2. 1.11.7.3 Restoring Product Data

Scenario: The product data is faulty.
Description: The database instance is normal, but the product is abnormal due to
product data exceptions.
Object: The product data
Restoration Method: 1.11.7.3 Restoring Product Data

Scenario: PowerEcho is faulty.
Description: The PowerEcho is unreachable.
Object: The PowerEcho and product application and data
Restoration Method: Perform the following operations in sequence:
1. 1.11.8 Restoring the PowerEcho
2. 1.11.7.1 Restoring Database Applications
3. 1.11.7.2 Restoring Product Applications
4. 1.11.7.3 Restoring Product Data

1.11.3 Backup Server Requirements
The backup server stores backup data. You need to prepare a backup server that
meets certain requirements. A third-party server or the management node can be
used as the backup server.
Table 1-33 lists the requirements for the backup server.
● If the management node is used as the backup server:
  – If the disk space usage is greater than the configured upper limit of the
    backup server usage, the PowerEcho automatically clears the backup files
    of product data and application data in sequence to ensure that the disk
    space usage is less than the lower limit of the backup server usage.
  – If the management node is damaged, the backup data stored on the
    management node may also be damaged, which hinders the data
    restoration of the PowerEcho.
● If a third-party server is used as the backup server:
  – You are advised to periodically clear the product data and application data
    in sequence. Retain at least one latest backup file for each data type.
  – NAT cannot be configured between the third-party backup server and the
    PowerEcho.
Table 1-33 Backup server requirements

Item: SFTP requirements
Requirement:
● The server supports the SFTP protocol. The username and password of the backup
  server that uses SFTP to transfer files are available.
● The user who logs in to the backup server using SFTP has read and write
  permissions to the SFTP shared directory.
● The number of SFTP concurrent connections of the backup server cannot be less
  than 50.

Item: Port
Requirement: The default port number of the backup server is 22, and the port
number range is 1 to 65535.

Item: Username
Requirement:
● The username cannot be empty.
● The username contains a maximum of 32 characters.
● The username cannot contain spaces, newline characters, carriage return
  characters, tab characters, form feeds, or special characters <>&"',;$()`|@

Item: Password
Requirement: To ensure the security of backup server users, you are advised to
periodically change the password for the backup server users. The password must
meet the following requirements:
● Contain 8 to 64 characters.
● Contain at least two of the following: lowercase letters, uppercase letters,
  digits, and special characters ~@#%=^*-_+[{}]:./?!
● Not be the same as the username or the reverse of the username.
● Ensure that the correct password is obtained. The user may be locked if an
  incorrect password is entered. Exercise caution.

Item: Backup path
Requirement:
● The path must be a relative path under the default SFTP user directory and
  cannot start with a slash (/). It can contain only letters, digits from 0 to 9,
  hyphens (-), or underlines (_).
● The path can contain a maximum of 60 characters.

Item: Connectivity
Requirement: Data can be transferred between the backup server and all nodes over
SFTP.

Item: Backup server IP address
Requirement: If the PowerEcho is deployed in cluster mode, use the fixed IP
address instead of the floating IP address of the backup server to configure the
backup server.

Item: Disk space
Requirement: 600 GB or above
NOTE
You are advised to periodically clear the disk space. Otherwise, the backup and
restoration may take a long time.

Item: Bandwidth
Requirement:
Recommended: 1.5 Gbit/s
Minimum: 1 Gbit/s
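
The checks below apply the Port, Username, Password and Backup path rules from Table 1-33 to candidate values before they are entered in the Backup Server area, where an incorrect password may lock the SFTP user. This is an added example, not part of the Huawei guide or the PowerEcho software; the function names are illustrative, and the values in the demo are constructed.

```python
import string

# Character sets copied from Table 1-33.
USERNAME_FORBIDDEN = set("<>&\"',;$()`|@") | set(" \n\r\t\f")
PASSWORD_SPECIALS = set("~@#%=^*-_+[{}]:./?!")
PATH_ALLOWED = set(string.ascii_letters + string.digits + "-_")


def check_port(port):
    """Port must be an integer from 1 to 65535 (the default is 22)."""
    if isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535:
        return []
    return ["port must be an integer from 1 to 65535"]


def check_username(username):
    problems = []
    if not username:
        problems.append("username is empty")
    if len(username) > 32:
        problems.append("username is longer than 32 characters")
    bad = sorted(set(username) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("username contains forbidden characters: %r" % "".join(bad))
    return problems


def check_password(password, username):
    """Messages never echo the password, so the result is safe to log."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("password must contain 8 to 64 characters")
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in PASSWORD_SPECIALS for c in password),
    ]
    # Assumption: characters outside the four listed classes are not rejected
    # here, because the table does not say how the product treats them.
    if sum(classes) < 2:
        problems.append("password needs at least two character classes")
    if username and password in (username, username[::-1]):
        problems.append("password is the username or its reverse")
    return problems


def check_backup_path(path):
    problems = []
    if path.startswith("/"):
        problems.append("backup path must be relative (no leading slash)")
    if len(path) > 60:
        problems.append("backup path is longer than 60 characters")
    # Assumption: the character rule is read literally, so a '/' between
    # path components is reported as well.
    illegal = sorted(set(path.lstrip("/")) - PATH_ALLOWED)
    if illegal:
        problems.append("backup path contains illegal characters: %r" % "".join(illegal))
    return problems


def check_backup_server(port, username, password, backup_path):
    """Return {field: [problems]} for every field that breaks a rule."""
    findings = {
        "port": check_port(port),
        "username": check_username(username),
        "password": check_password(password, username),
        "backup_path": check_backup_path(backup_path),
    }
    return {field: problems for field, problems in findings.items() if problems}


if __name__ == "__main__":
    # Constructed values: every field breaks at least one rule.
    for field, problems in check_backup_server(
            70000, "backup@host", "tsoh@pukcab", "/opt/backup").items():
        for problem in problems:
            print(field + ": " + problem)
```
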
1.11.4 Configuring Backup Parameters
Backup files are backed up to the corresponding backup server according to the
preconfigured backup policy. Configure backup server parameters and backup file
storage policies before backing up data on the PowerEcho.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● For the SFTP transfer mode, you have obtained the IP address and port
  number of the backup server, the username and password for a user who has
  permission to transfer files over SFTP.
Context
A maximum of 10 backup servers can be added on the PowerEcho. If multiple
backup servers are configured, the same backup files are saved on all the backup
servers. If a backup server is faulty, other backup servers can still provide backup
files for data restoration.
Precautions
If the parameters of the backup server are changed, update the parameters in the
Backup Server area and back up the application and data of the PowerEcho
again. Otherwise, the PowerEcho cannot be backed up or restored. For details, see
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho. In a
remote cold backup scenario, update the parameters of the SFTP backup server on
the HA > Remote High Availability System > Manage Cold Backup System
page.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Configuration > Configure
Backup Parameters from the main menu.
Step 2 Configure the backup parameters.
1. Configure the backup server parameters.
   a. In the Backup Server area, click Add Backup Server, configure the
      backup server parameters as prompted.
   b. Click
      .
2. Perform the following operations to modify the storage thresholds for the
   product data backup files as required.
   In the Storage Strategy for the Product Data Backup Files area, perform
   the operations.
   a. Select the products for which you want to configure the backup file
      storage threshold.
   b. Click Modify Product Threshold.
   c. In the dialog box that is displayed, configure the number of backup files
      and click Save.
3. Perform the following operations to modify the storage thresholds for the
   PowerEcho backup files as required.
   a. In the Storage Strategy for the PowerEcho Backup Files area,
      configure the number of stored backup packages.
   b. Click Save.
----End
1.11.5 Backing Up Products
After backup parameters are configured, periodically back up product data to
ensure the reliability. If the product is abnormal due to misoperations or other
situations, you can use the backup data to restore it.
1.11.5.1 Backing Up Product on a Scheduled Basis
When a product is running properly, you can create scheduled tasks for backing up
its application and data, so that the backup data is periodically saved to the
backup server. If a product becomes abnormal due to misoperations or other
situations, you can restore the product to the state at a certain time point.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details on how to configure
  the parameters, see 1.11.4 Configuring Backup Parameters.
● When backing up the product data, ensure that the database instances on all
  nodes are in the Running state. For details, see 1.3.4 Monitoring Databases.
● When backing up the product data, ensure that the product deployment
  status of the product is Installed. For details, see 1.23.16 How Do I Check
  the Deployment Status of a Product?
● The time is consistent among nodes. Otherwise, the scheduled task for
  backing up the product data fails. For details, see 1.7.1 Changing the Time
  Zone and Time.
Context
● When the product information is imported on the PowerEcho for the first
  time, the PowerEcho creates a default scheduled task for backing up the
  product data. After the product is installed and backup parameters are
  configured, the task automatically backs up the product data at 01:00:00
  every day. When the number of products, nodes or service instances is
  changed due to upgrade or capacity expansion, the modified product data is
  automatically backed up by the scheduled backup task after the upgrade or
  capacity expansion is complete.
● The backup files of the application and product data are stored on the backup
  server. For details about the backup file path, see Table 1-34. Do not delete
  the backup files in this directory. Otherwise, the product cannot be restored.

Table 1-34 Backup file path

| Data | Path |
| --- | --- |
| Database application | /root directory of the backup server user/path specified in the backup parameters/product name/static/timestamp/node name/DB |
| Product application | /root directory of the backup server user/path specified in the backup parameters/product name/static/timestamp/node name/APP |
| Product data | /root directory of the backup server user/path specified in the backup parameters/product name/dynamic |

Precautions
● You are advised to stagger the start time of each scheduled backup task, for
  example, at an interval of two hours. For details about the execution
  sequence of backup tasks, see 1.11.2.1 Backup Scenarios and Policies.
● To prevent high resource usage caused by conflicts between scheduled backup
  tasks and NE data synchronization, stagger the execution period of the
  scheduled backup tasks and that of NE data synchronization or service
  provisioning.
● For periodic scheduled backup, you are advised to set the backup interval to
  24 hours. A long interval is not recommended, because data backup at long
  intervals may result in data loss during data restoration. Specify a backup
  interval as required.
● In a remote cold backup scenario, scheduled tasks for backing up product
  data are executed only at the primary site.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Configuration > Configure
Scheduled Backup Task from the main menu.
Step 2 On the Configure Scheduled Backup Task page, click Create.
Step 3 Perform operations as required to manually create a scheduled backup task.
● Select Product Data and create a scheduled task for backing up the product
  data.
● Select Product Application and create a scheduled task for backing up the
  product application.
● Select Database Application and create a scheduled task for backing up the
  database application.
Step 4 In the Backup Object area, select the backup object. Refer to Table 1-35 to
perform the operations.

Table 1-35 Backing up product on a scheduled basis

| Task | Operation |
| --- | --- |
| Perform one-time backup at a specified time point. | Select One-Time and perform operations as prompted. |
| Perform periodic backup within a specified period. | Select Periodic and perform operations as prompted. |

NOTE
After a scheduled backup task is created successfully, you can enable or disable the task in
the Enabled State column.
----End
1.11.5.2 Backing Up Product Data
Before a configuration file that affects product functions is modified and before
and after the product is upgraded, you can use the PowerEcho to manually back
up the product data. This ensures that the product can be restored by using the
backup data if the product is abnormal due to misoperations or other situations.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details, see 1.11.4
  Configuring Backup Parameters.
● The database instances on all nodes are in the Running state. For details, see
  1.3.4 Monitoring Databases.
● The deployment status of the product is Installed. For details, see 1.23.16
  How Do I Check the Deployment Status of a Product?
● The time among nodes is consistent. Otherwise, the scheduled task for
  backing up the product data fails. For details, see 1.7.1 Changing the Time
  Zone and Time.
Context
The backup files of the product data are stored in the /root directory of the
backup server/path specified in the backup parameters/product name/dynamic/
directory on the backup server. Do not delete the backup files in this directory.
Otherwise, no backup file can be used for restoring product data, causing
restoration failures.
Precautions
● To ensure product data accuracy during backup, do not manually back up
  data during service provisioning.
● If you need to execute a task with higher priority, you can forcibly stop the
  tasks for backing up product data.
● In a remote cold backup scenario, tasks for backing up product data can be
  executed only at the active site.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Backup > Back Up
Product Data.
Step 2 On the Back Up Product Data page, select the product and perform operations as
prompted.
----End
1.11.5.3 Backing Up Product Applications
After the initial installation of the product application or before and after the
upgrade of the product application, you can back up the product application in
real time on the PowerEcho. If a product application runs abnormally or fails to be
upgraded and needs to be rolled back to the previous state, you can use the
backup file to restore the product application to the state before the backup.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details on how to configure
  the parameters, see 1.11.4 Configuring Backup Parameters.
Context
The backup files of the product applications are stored in the /root directory of the
backup server user/path specified in the backup parameters/product name/static/
timestamp/node name/APP directory on the backup server. Do not delete the
backup files in this directory. Otherwise, no backup file can be used for restoring
product applications, causing restoration failures.
Precautions
In a remote cold backup scenario, tasks for backing up product applications can be
executed at both the active and standby sites.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Backup > Back Up
Product Application from the main menu.
Step 2 On the Back Up Product Application page, perform operations as prompted.
----End
1.11.5.4 Backing Up Database Applications
After the initial installation of the database application or before and after the
upgrade of the database application, you can back up the database application,
that is, the database data that does not change in real time when the system runs,
on the PowerEcho. If the database is not running properly because a file in the
database application is damaged or lost, but the OS of the node is running
properly, you can use the backup file to restore the database application to the
state before the backup.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details on how to configure
  the parameters, see 1.11.4 Configuring Backup Parameters.
Context
The backup files of the database applications are stored in the /root directory of
the backup server/path specified in the backup parameters/product name/static/
timestamp/node name/DB directory on the backup server. Do not delete the
backup files in this directory. Otherwise, no backup file can be used for restoring
database applications, causing restoration failures.
Precautions
If the management node and the product node are the same node and use the
same database software, the database applications cannot be backed up using
this function. In this case, back up the database applications by backing up the
PowerEcho. For details, see 1.11.6.1 Manually Backing Up the Application and
Data of the PowerEcho. Refer to 1.23.11 How Do I Check Whether
Management Nodes and Product Nodes Use the Same Database Software? to
determine whether you can back up database applications by backing up the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Backup > Back Up
Database Application from the main menu.
Step 2 On the Back Up Database Application page, perform operations as prompted.
----End
1.11.6 Backing Up the PowerEcho
Periodically back up the application and data of the PowerEcho on the PowerEcho.
If the PowerEcho is abnormal due to exceptions or misoperations, you can use the
backup files to restore the OS, application, and data of the PowerEcho.
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho
After initial installation of the PowerEcho, before and after an upgrade or patch
installation, or before major service adjustment, you are advised to manually back
up the PowerEcho. If the service is abnormal or the database is abnormal, you can
use the backup package to restore the PowerEcho to the state before the backup.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details on how to configure
  the parameters, see 1.11.4 Configuring Backup Parameters.
● The database and service instances on the management node are in the
  Running state. For details, see 1.3.4 Monitoring Databases.
Context
The backup files of the PowerEcho are stored in the /root directory of the backup
server/path specified in the backup parameters/management/management/
timestamp/node name directory on the backup server. Do not delete the backup
files in this directory. Otherwise, no backup file can be used for restoring the
PowerEcho, causing restoration failures.
Precautions
Ensure that no database-related operations are being performed, such as
modifying IP addresses and routes. Otherwise, the backup data will be incomplete.
In a remote cold backup scenario, the task for backing up the PowerEcho can be
executed at both the active and standby sites.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Backup > Back Up
PowerEcho from the main menu.
Step 2 On this page, perform operations as prompted.
----End
1.11.6.2 Backing Up the PowerEcho Applications and Data on a Scheduled Basis
In routine maintenance, you can create scheduled backup tasks for backing up the
application and data of the PowerEcho on a scheduled basis. If the PowerEcho is
unreachable due to service or database exceptions, you can use the backup
package to restore it. In this manner, no manual operation is required, reducing
maintenance costs.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● The backup parameters have been configured. For details, see 1.11.4
  Configuring Backup Parameters.
● The database and service instances on the PowerEcho node are in the
  Running state. For details, see 1.3.4 Monitoring Databases.
Context
The backup files of the PowerEcho are stored in the /root directory of the backup
server user/path specified in the backup parameters/management/management/
timestamp/node name directory on the backup server. Do not delete the backup
files in this directory. Otherwise, the PowerEcho cannot be restored.
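
The read-only audit below walks a backup directory laid out as in Table 1-34 and in the PowerEcho backup path above, and reports the newest backup found for each data type, so that a missing type is noticed before a restoration is needed. It is an added example, not Huawei code; it assumes that timestamp directory names sort chronologically as strings, and the product, node and file names in the sample tree are constructed.

```python
import tempfile
from pathlib import Path


def has_files(directory):
    """True if the directory exists and holds at least one regular file."""
    return directory.is_dir() and any(p.is_file() for p in directory.rglob("*"))


def latest_with_files(timestamps_dir, leaf=None):
    """Newest timestamp directory in which at least one node has backup files.

    Returns (timestamp, [node names]) or None. `leaf` is "DB" or "APP" for
    product backups and None for the PowerEcho layout, where the files sit
    directly under the node directory.
    """
    if not timestamps_dir.is_dir():
        return None
    # Assumption: timestamp directory names sort chronologically as strings.
    stamps = sorted((d for d in timestamps_dir.iterdir() if d.is_dir()),
                    key=lambda d: d.name, reverse=True)
    for stamp in stamps:
        nodes = sorted(
            node.name for node in stamp.iterdir()
            if node.is_dir() and has_files(node / leaf if leaf else node)
        )
        if nodes:
            return stamp.name, nodes
    return None


def audit_backup_root(root):
    """Map each product (and the PowerEcho) to its newest backup per data type.

    `root` is the directory "root directory of the backup server user/path
    specified in the backup parameters" on the backup server.
    """
    report = {}
    for product in sorted(d for d in Path(root).iterdir() if d.is_dir()):
        if product.name == "management":
            # PowerEcho backups: management/management/timestamp/node name
            report["management"] = {
                "POWERECHO": latest_with_files(product / "management")}
        else:
            report[product.name] = {
                "DB": latest_with_files(product / "static", "DB"),
                "APP": latest_with_files(product / "static", "APP"),
                "DATA": has_files(product / "dynamic"),
            }
    return report


def missing_backups(report):
    """List (name, data type) pairs for which no backup file was found."""
    return [(name, kind) for name, kinds in sorted(report.items())
            for kind, found in kinds.items() if not found]


def build_sample_tree(root):
    """Create a constructed sample layout; all names here are made up."""
    files = [
        "NetEco/static/20201101010000/node1/DB/db.tar.gz",
        "NetEco/static/20201101010000/node1/APP/app.tar.gz",
        "NetEco/static/20201102010000/node1/APP/app.tar.gz",
        "NetEco/static/20201102010000/node2/APP/app.tar.gz",
        "management/management/20201101010000/mgmt1/powerecho.tar.gz",
    ]
    for rel in files:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
    # The product data directory exists but holds no backup file.
    (Path(root) / "NetEco" / "dynamic").mkdir(parents=True, exist_ok=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = audit_backup_root(tmp)
        for name, kinds in result.items():
            print(name, kinds)
        print("missing:", missing_backups(result))
```

In the sample tree the newest database application backup is older than the newest product application backup and covers only node1, and no product data backup exists.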
Precautions
● To prevent high resource usage caused by conflicts between scheduled backup
  tasks and NE data synchronization, stagger the execution period of the
  scheduled backup tasks and that of NE data synchronization or service
  provisioning.
● You are advised to stagger the start time of each scheduled backup task, for
  example, at an interval of two hours. For details about the execution
  sequence of backup tasks, see 1.11.2.1 Backup Scenarios and Policies.
● For periodic scheduled backup, you are advised to set the backup interval to
  24 hours. A long interval is not recommended, because data backup at long
  intervals may result in data loss during data restoration. Specify a backup
  interval as required.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Configuration > Configure
Scheduled Backup Task from the main menu.
Step 2 On the Configure Scheduled Backup Task page, click Create.
Step 3 Select PowerEcho and refer to Table 1-36 to perform operations.

Table 1-36 Scheduled the PowerEcho backup

| Task | Operation |
| --- | --- |
| Perform one-time backup at a specified time point. | Select One-Time and perform operations as prompted. |
| Perform periodic backup within a specified period. | Select Periodic and perform operations as prompted. |

NOTE
After a scheduled backup task is created successfully, you can enable or disable the task in
the Enabled State column.
----End
1.11.7 Restoring Products
If a product is abnormal due to misoperations or other situations, you can use the
backup data to restore the product OS, database application, product application,
and product data.
1.11.7.1 Restoring Database Applications
If the database is abnormal because it is damaged but the OS of the product node
is still running properly, restore the database application.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
  PowerEcho.
● There are backup files of the database application to be restored.
Precautions
● Before the database application is restored, the PowerEcho will automatically
  stop all the NetEco services and databases on nodes where the database
  application to be restored resides.
● If the backup files on the backup server are manually deleted, or the files are
  not displayed in the Backup File column, click Synchronize to synchronize
  the information about the backup files to the PowerEcho.
● The system automatically verifies the integrity of backup files. Only
  successfully verified files can be used for restoration.
Procedure
● In the single-server mode, this function cannot restore database applications.
  Restore the database applications by following 1.11.8 Restoring the PowerEcho.
● In the cluster mode, perform the following operations to restore the database
  application.
  a. On the PowerEcho, choose Backup and Restore > Data Restoration >
     Restore Database Application.
  b. On the Restore Database Application page, select the backup server
     where the files to be restored reside. If multiple backup servers are
     available, select the IP address of the desired backup server from the
     Backup Server drop-down list. Otherwise, skip this step.
  c. Select an object to be restored and select the target file in the Backup
     File column. Restore the data based on Table 1-37.

     Table 1-37 Restoring database applications

     | Task | Operation |
     | --- | --- |
     | Restore database applications of a product. | Select the product and perform operations as prompted. |
     | Restore database applications of product nodes. | Select the product and click to view nodes under a product. Select nodes to be restored, and perform operations as prompted. |

  d. On the PowerEcho, choose System > Task List from the main menu and
     view the execution status of the task for restoring the database
     applications.
     ▪ If Task Status is Execution Succeeded, the database applications are
       restored successfully.
     ▪ If Task Status is Execution Failed, the database applications fail to
       be restored. Contact Huawei technical support.
  e. Restore the product data. For details, see 1.11.7.3 Restoring Product
     Data.
  f. Start the restored services. For details, see 1.4.3 Starting Product
     Services.
1.11.7.2 Restoring Product Applications
If the product applications are abnormal due to damaged files of the product
applications or configuration files, but the OS of the product node is still running
properly, the product applications need to be restored.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● There are backup files of the product application to be restored.
Precautions
● Before the product application is restored, the PowerEcho automatically stops the NetEco service to be restored.
● If the backup files on the backup server are manually deleted, or the files are not displayed in the Backup File column, click Synchronize to synchronize the information about the backup files to the PowerEcho. Ensure that the parameters, including Backup Server IP Address, Username, Password, and Backup Path, of the backup server on the Configure Backup Parameters page on the PowerEcho are consistent with those of the backup server where the desired backup files reside.
● The system automatically verifies the integrity of backup files. Only successfully verified files can be used for restoration.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Restoration > Restore
Product Application from the main menu.
Step 2 On the Restore Product Application page, select the backup server where the
backup files used for the restoration reside. If multiple backup servers are
available, select the IP address of the backup server from the Backup Server
drop-down list. Otherwise, skip this step.
Step 3 Select an object to be restored and select the target file in the Backup File
column. Restore the data based on Table 1-38.
Table 1-38 Restoring product applications
| Task | Operation |
| --- | --- |
| Restoring the application of a product | Select the product and perform operations as prompted. |
| Restoring the product application for product nodes | Select the product and click to view nodes under a product. Select nodes to be restored, and perform operations as prompted. |
Step 4 Restore the product data. For details, see 1.11.7.3 Restoring Product Data.
Step 5 Start the restored services. For details, see 1.4.3 Starting Product Services.
----End
1.11.7.3 Restoring Product Data
If the product cannot be used when database instances are running properly but
product data is abnormal, you can restore the product data based on the
restoration scenario.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● There are backup files of the product data to be restored.
● All databases of the product are in the Running state. To confirm the database status, see 1.3.4 Monitoring Databases.
Context
If multiple backup servers are configured, the same backup data is stored on all
the backup servers. The backup servers work in redundancy mode. During data
restoration, all the backup servers can provide backup data. By default, the system
randomly selects data from one of the backup servers. You can also specify a
backup server to provide backup data.
Precautions
● If the backup files on the backup server are manually deleted, or the files are not displayed in the Backup File column, click Synchronize to synchronize the information about the backup files to the PowerEcho. Ensure that the parameters, including Backup Server IP Address, Username, Password, and Backup Path, of the backup server on the Configure Backup Parameters page on the PowerEcho are consistent with those of the backup server where the desired backup files reside.
● The system automatically verifies the integrity of backup files. Only successfully verified files can be used for restoration.
Procedure
Step 1 On the PowerEcho, choose Backup and Restore > Data Restoration > Restore
Product Data from the main menu.
Step 2 On the Restore Product Data page, select the backup server where the files to be
restored reside. If multiple backup servers are available, select the IP address of
the desired backup server from the Backup Server drop-down list. Otherwise, skip
this step.
Step 3 Select an object to be restored and select the target file in the Backup File
column. Select the product and perform operations as prompted.
NOTE
In the dialog box displayed when you create a product data restoration task, set the
product services to be automatically or manually started after the restoration is complete.
For details about how to start product services, see 1.4.3 Starting Product Services.
Step 4 On the PowerEcho, choose System > Task List from the main menu and view the
task execution status.
● If Task Status is Execution Succeeded, the product data is restored successfully.
● If Task Status is Execution Failed, the product data fails to be restored. Contact Huawei technical support.
----End
1.11.8 Restoring the PowerEcho
If the PowerEcho is unreachable due to service or database exceptions, perform
the operations provided in this section to restore the PowerEcho application,
database application, and product data.
Prerequisites
● You have obtained the backup package of the PowerEcho and the signature file from the backup server as user backupuser using FileZilla.
The backup files are stored in /backup/management/management/timestamp/node name.
If the PowerEcho is deployed in cluster mode, you have obtained the backup package in the directory named after the node name. For details about how to query the node name, see 1.23.14 How Do I Query the Node Name Corresponding to the IP Address of the Management Node?
The backup package of the PowerEcho is management.tar.gz, and the corresponding signature file is management.tar.gz.sign.
● The OS of the management node is running properly.
● You have obtained the passwords for the sopuser and ossadm users of the management node to be restored.
Procedure
Step 1 Perform operations based on the deployment mode and database type of the
PowerEcho. For details, see Table 1-39.
Table 1-39 Operations in different scenarios
| Scenario | Operation |
| --- | --- |
| The PowerEcho is deployed in single-server mode and uses the GaussDB database. | Perform Step 2 to Step 7. |
| The PowerEcho is deployed in cluster mode and uses the GaussDB database. One of the management nodes is faulty. | Perform Step 2 to Step 7 on the faulty node. |
| The PowerEcho is deployed in cluster mode and uses the GaussDB database. Multiple management nodes are faulty. | For details, see 1.24.12 Faults of Multiple Management Nodes. |
| The PowerEcho is deployed in cluster mode and uses the GaussDB database. The management nodes are running properly. The application and data of the PowerEcho need to be restored to a specified time point. | The application and data of the PowerEcho cannot be restored to a specified time point. |
Step 2 Use FileZilla to upload the backup file of the PowerEcho and the signature file to
the /tmp directory on the faulty management node as the sopuser user in SFTP
mode. For details, see 1.24.2 Transferring Files Using FileZilla.
Step 3 Use PuTTY to log in to the faulty management node as the sopuser user in SSH
mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 4 Run the following commands to switch to the ossadm user and copy the
third-party integrity check tool package to the /tmp directory:
> su - ossadm
Password: password for the ossadm user
> cp /opt/oss/manager/tools/BKSigntool-tool version-OS_system type_pkg.tar /tmp
NOTE
The restoration of the PowerEcho takes a long time, so PuTTY may be disconnected during
the restoration due to timeout. Configure PuTTY to prevent it from being disconnected. For
details, see 1.23.19 How Do I Prevent PuTTY from Being Disconnected upon Timeout?
Step 5 Restore the application and data of the PowerEcho. For details, see Table 1-40.
Table 1-40 Restoring the PowerEcho
Scenario: The management plane is deployed in single-server mode and uses the GaussDB database.
Operation:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement restoreManagement.sh /tmp/management.tar.gz
NOTE
If the management node and product node are the same node and use the same database software, and the database software is damaged and needs to be restored, add yes to the end of the command. If yes is not added, the database software is not restored by default. During database software restoration, the product functions may be unavailable for a short period of time.
For example:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement restoreManagement.sh /tmp/management.tar.gz yes
When the following information is displayed, enter y and press Enter:
Are you sure you want to restore the database applications? [y/n]
Scenario: The management plane is deployed in cluster mode and uses the GaussDB database. One of the management nodes is faulty.
Operation:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement recoveryGaussManagement.sh /tmp/management.tar.gz
NOTE
If the management node and product node are the same node and use the same database software, and the database software is damaged and needs to be restored, add yes to the end of the command. If yes is not added, the database software is not restored by default. During database software restoration, the product functions may be unavailable for a short period of time.
For example:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement recoveryGaussManagement.sh /tmp/management.tar.gz yes
When the following information is displayed, enter y and press Enter:
Are you sure you want to restore the database applications? [y/n]
● If the following information is displayed, the management plane is successfully restored, and the database instances and the management plane service are started successfully.
Management restored successfully.
● If the following information is displayed, the management plane service fails to be started during the restoration. Contact Huawei technical support to check the statuses of the database instances of the management plane.
ERROR: Start management app service falied.
ERROR: Please check if the dbInstance status is ok, if its not ok, please recovery the dbInstance first,
and then try to start management.
ERROR: Restore management failure.
– If the statuses of the management plane database instances are normal, the management plane service startup failure is not caused by exceptions in the database instances of the management plane. Contact Huawei technical support.
– If the statuses of the management plane database instances are abnormal, restore the databases first. For details, see 1.4.7 Starting the PowerEcho Service.
● If information similar to the following is displayed, the management plane backup file fails to be verified. Contact Huawei technical support.
ERROR: Verify /opt/backupManagement/management.tar.gz failed.
ERROR: Restore management failure.
● If the following information is displayed, the task execution fails. Contact Huawei technical support.
ERROR: Restore management failure.
Step 6 Run the following command to exit the ossadm user:
> exit
Step 7 Run the following commands to delete the files uploaded to the temporary
directory:
> cd /tmp/
> rm -rf management.tar.gz
> rm -rf management.tar.gz.sign
> rm -rf BKSigntool-tool version-OS_system type_pkg.tar
----End
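Steps 2 to 7 stage the backup package in the shared /tmp directory, pass it to a script run through sudo, and report the result only as console messages. The following added example (not part of the Huawei guide or its tooling) checks the staged files before Step 5, classifies the messages listed under Step 5, and confirms the Step 7 cleanup. The function names, the owner and permission check, and the BKSigntool-*_pkg.tar glob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Huawei code. All function names are hypothetical.

# staged_file_ok FILE OWNER
# The restore script runs through sudo and reads FILE from /tmp, so require a
# non-empty regular file (not a symlink), owned by the account that uploaded it
# (sopuser in Step 2) and not writable by group or others. This check is an
# added precaution, not a requirement stated in the guide.
staged_file_ok() {
    f=$1
    owner=$2
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -s "$f" ]; then
        return 1
    fi
    meta=$(ls -ld "$f") || return 1
    mode=${meta%% *}                                   # e.g. -rw-------
    file_owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$file_owner" = "$owner" ] || return 1
    case $mode in
        ?????w* | ????????w*) return 1 ;;              # group- or world-writable
    esac
    return 0
}

# preflight DIR OWNER: the backup package and its signature file must both be staged.
preflight() {
    for name in management.tar.gz management.tar.gz.sign; do
        if ! staged_file_ok "$1/$name" "$2"; then
            echo "not usable for restore: $1/$name" >&2
            return 1
        fi
    done
    return 0
}

# classify_restore_output: read captured restore output on stdin and print one outcome.
# Every failure ends with "ERROR: Restore management failure.", so the specific
# messages are tested first and success is reported only when no error is present.
classify_restore_output() {
    out=$(cat)
    case $out in
        *'ERROR: Verify '*' failed.'*)             echo backup_verify_failed ;;
        *'ERROR: Start management app service '*)  echo service_start_failed ;;
        *'ERROR: Restore management failure.'*)    echo restore_failed ;;
        *'Management restored successfully.'*)     echo success ;;
        *)                                         echo unknown ;;
    esac
}

# sample_output KIND: constructed sample input, using the messages as printed in Step 5.
sample_output() {
    case $1 in
        success) echo 'Management restored successfully.' ;;
        verify)  echo 'ERROR: Verify /opt/backupManagement/management.tar.gz failed.'
                 echo 'ERROR: Restore management failure.' ;;
        start)   echo 'ERROR: Start management app service falied.'
                 echo 'ERROR: Restore management failure.' ;;
        generic) echo 'ERROR: Restore management failure.' ;;
    esac
}

# leftovers DIR: list staged files that Step 7 should have deleted.
# The tool package name contains a version and OS type, so it is matched by glob.
leftovers() {
    for p in "$1"/management.tar.gz "$1"/management.tar.gz.sign "$1"/BKSigntool-*_pkg.tar; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}
```

To classify a real run, capture the output of the Step 5 command to a file and pass it on standard input, for example `classify_restore_output < restore.log`.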
1.12 Remote Cold Backup
The remote cold backup system effectively reduces losses caused by disastrous
incidents such as earthquakes, fires, and power failures, and improves the disaster
recovery capabilities of products against various security risks.
1.12.1 Remote Cold Backup System Overview
In a remote cold backup system, a set of the PowerEcho and product is deployed
at both the primary and secondary sites. When the remote cold backup system is
normal, data of the site that provides services externally is periodically
synchronized to the peer site to ensure data consistency between the two sites. If
a fault occurs at the site that provides services externally, you can quickly switch
services from the faulty site to the peer site. This ensures service continuity and
reduces the loss caused by disastrous incidents.
Concepts
Table 1-41 lists the concepts in the remote cold backup system that may be
confusing. This helps you understand the remote cold backup system.
Table 1-41 Common concepts in the remote cold backup system
| Concept | Description |
| --- | --- |
| Primary site | Physical primary site. The primary site is determined during the installation and will not change with the active/standby switchover. The primary site is active most of the time and provides services. |
| Secondary site | Physical secondary site. The secondary site is determined during the installation and will not change with the active/standby switchover. The secondary site is standby most of the time and provides protection for the primary site. |
| Active status | Status of the site that provides services. |
| Standby status | Status of the site that provides protection for the primary site. |
Principles
As shown in Figure 1-1, two identical sets of the PowerEcho and product are
deployed and are configured as a remote cold backup system. The remote cold
backup system synchronizes data from the SFTP server at the primary site to that
at the secondary site. The SFTP servers are used to transfer backup data between
the primary and secondary sites. If SFTP is used for data transfer during
synchronization, the backup server functions as the SFTP server. If NFS is used for
data transfer during synchronization, the management node functions as the SFTP
server. (You are advised to use SFTP because it is more secure than NFS.)
Figure 1-1 Data synchronization principles
Data Synchronization Mode
Scheduled synchronization and manual synchronization are supported.
● Scheduled synchronization: The product data at the primary site is automatically synchronized to the secondary site at a specified time point or periodically.
● Manual synchronization: The product data at the primary site is manually synchronized to the secondary site.
1.12.2 Managing the Remote Cold Backup System
After the remote cold backup system is set up, the product can be protected. This
section describes the operations related to the remote cold backup system in
different scenarios.
1.12.2.1 Configuring a Remote Cold Backup System
This section describes how to create a remote cold backup system using the
primary and secondary sites.
Prerequisites
● The deployment scheme of the primary site must be the same as that of the secondary site. That is, the PowerEcho version, OS version, database version, services and their versions, products and their versions, node name, node quantity, UTC time, and keys must be consistent between the two sites.
● If you cannot determine whether the keys of the primary and secondary sites are the same, use the keys of the primary site to update those of the secondary site. For details, see 1.17.2 Updating the Root Key and Working Keys of the Secondary Site.
The keys of the two sites are the same in the following scenarios:
– The PowerEcho is installed for the first time.
– The keys of the secondary site are updated by those of the primary site.
● You have configured the parameters for the backup server and storage policy for the backup files at the primary and secondary sites. Ensure that the backup servers at the primary and secondary sites share the same transfer mode, such as SFTP or NFS.
● The default scheduled backup tasks of the primary and secondary sites have been enabled. For details, see 1.11.5.1 Backing Up Product on a Scheduled Basis.
● You have obtained the IP address and port number of the backup servers of the primary and secondary sites, the username and password for a user who can transfer files using the SFTP protocol, and the path for storing the backup files.
● All services and database instances at the primary and secondary sites are running properly. For details, see 1.3.1 Monitoring Products.
● Ensure that the backup server users of the primary and secondary sites can communicate over SFTP before and after the security hardening is performed.
● You have logged in to the PowerEcho of the primary and secondary sites. For details, see 1.1.2 Logging In to the PowerEcho.
Precautions
● If multiple backup servers are available, set the backup server that is first added on the Backup and Restore > Configuration > Configure Backup Parameters page as the peer SFTP backup server.
● Add a remote cold backup system on the PowerEcho at both the primary and secondary sites.
Procedure
Step 1 On the PowerEcho of the secondary site, stop the product services at the
secondary site. For details, see 1.5.2 Stopping Product Services.
Step 2 On the PowerEcho of the primary site, choose HA > Remote High Availability
System > Manage Cold Backup System from the main menu.
Step 3 On the Manage Cold Backup System page, click Add.
Step 4 Create a remote cold backup system as prompted.
NOTE
● It is recommended that the primary and secondary site names are different.
● Log in to the peer site to query the product name. For details, see 1.24.13 Querying a
Product Name.
● You are advised to set interval to 24 hours.
Table 1-42 Parameters of the peer SFTP backup server
| Parameter Name | Parameter example |
| --- | --- |
| Transfer protocol | SFTP |
| Server IP address | IP address of the peer backup server |
| Port number | 22 |
| Username | backupuser |
| Password | Changeme_123 |
| Save path | backup |
Step 5 Add a remote cold backup system at the secondary site. For details, see Step 2 to
Step 4.
Step 6 Check whether product data at the primary site can be synchronized to the
secondary site.
1. Back up product data on the PowerEcho of the primary site. For details, see 1.11.5.2 Backing Up Product Data.
2. On the PowerEcho of the secondary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
3. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system whose data is to be synchronized.
4. Perform operations as prompted.
5. Use PuTTY to log in to the backup server of the secondary site as a backup server user in SSH mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the management node is used as the backup server, log in to the backup server as
the sopuser user in SFTP mode and then switch to the backup server user.
6. Run the following commands to check whether the manually synchronized backup data exists:
> cd /root directory of the backup server user/storage directory of the backup server/product name/dynamic
> ll
– If the backup data exists, the remote cold backup system is created successfully.
– If the backup data does not exist, check that all the parameters are correct and create the remote cold backup system again.
----End
1.12.2.2 Switching Services to the Secondary Site When the Primary Site Is
Faulty
If the primary site is faulty, manually start the secondary site to take over services
from the primary site.
Prerequisites
The product services at the secondary site have been stopped. For details, see
1.5.2 Stopping Product Services.
Precautions
53081 Remote cold backup system heartbeat abnormal may be reported
during the takeover. This is normal, and no action is required. This alarm is
automatically cleared after the service takeover is complete.
Procedure
Step 1 Log in to the PowerEcho of the original primary site.
● If the login is successful, go to Step 2.
● If the login fails, go to Step 3.
Step 2 Switch the original primary site to standby.
1. On the PowerEcho of the primary site, stop the product services at the current site. For details, see 1.5.2 Stopping Product Services.
2. On the PowerEcho, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
3. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system whose services have been taken over.
NOTE
If the connection status of the product node is abnormal, the primary site cannot be
switched to standby. Go to Step 3 and then rectify the faulty node. For details, see
1.24.14 Product Node Faults. After the faulty node is recovered, go to Step 2.
4. Perform operations as prompted.
Step 3 Switch the secondary site to active and start the product services at the secondary
site.
1. Log in to the PowerEcho of the secondary site. For details, see 1.1.2 Logging In to the PowerEcho.
2. On the PowerEcho, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
3. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system that will take over the services.
4. Perform operations as prompted.
5. Start the product services at the current site. For details, see 1.4.3 Starting Product Services.
----End
1.12.2.3 Switching Services to the Secondary Site When the Primary Site Is
Normal
When the system is running properly, you can perform a drill to verify the active/
standby switchover capability of the remote cold backup system.
Prerequisites
You have logged in to the PowerEcho of the primary and secondary sites. For
details, see 1.1.2 Logging In to the PowerEcho.
Precautions
53081 Remote cold backup system heartbeat abnormal may be reported
during the takeover. This is normal, and no action is required. This alarm is
automatically cleared after the service takeover is complete.
Procedure
Step 1 On the PowerEcho of the secondary site, check that the services at the secondary
site are in the Not Running state and the databases at the secondary site are in
the Running state. For details, see 1.3 System Monitoring and Task
Management.
Step 2 To ensure that the latest backup data is used after the secondary site takes over
services, back up the latest product data on the PowerEcho of the primary site. For
details, see 1.11.5 Backing Up Products.
Step 3 Forcibly synchronize the product data between the primary and secondary sites.
1. On the PowerEcho of the secondary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
2. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system whose data is to be synchronized.
3. Perform operations as prompted.
Step 4 After the data synchronization between the primary and secondary sites is
complete, stop the product services at the primary site. For details, see 1.5.2
Stopping Product Services.
Step 5 Switch the original primary site to standby.
1. On the PowerEcho of the primary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
2. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system whose services have been taken over.
3. Perform operations as prompted.
Step 6 Switch the secondary site to active and start the product services at the secondary
site.
1. On the PowerEcho of the secondary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
2. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system that will take over the services.
3. Perform operations as prompted.
4. Start the product services of the current site. For details, see 1.4.3 Starting Product Services.
----End
1.12.2.4 Switching Services Back to the Primary Site
When the primary site recovers and can provide services, you can switch the
services back to the primary site.
Prerequisites
● The databases at the primary site are in the Running state. For details, see 1.3.4 Monitoring Databases.
● The product services at the primary site have been stopped. For details, see 1.5.2 Stopping Product Services.
● The services of the PowerEcho and product at the secondary site are in the Running state. For details, see 1.3.3 Monitoring Services.
● You have logged in to the PowerEcho of the primary and secondary sites. For details, see 1.1.2 Logging In to the PowerEcho.
Precautions
53081 Remote cold backup system heartbeat abnormal may be reported
during the takeover. This is normal, and no action is required. This alarm is
automatically cleared after the service takeover is complete.
Procedure
Step 1 To ensure that the latest backup data is used after the primary site takes over
services, back up the latest product data on the PowerEcho of the secondary site.
For details, see 1.11.5 Backing Up Products.
Step 2 Forcibly synchronize the product data between the primary and secondary sites.
1. On the PowerEcho of the primary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
2. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system whose data is to be synchronized.
3. Perform operations as prompted.
Step 3 Switch the secondary site to standby.
1. Stop the product services of the secondary site. For details, see 1.5.2 Stopping Product Services.
2. On the PowerEcho of the secondary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
3. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system.
4. Perform operations as prompted.
Step 4 Switch the primary site to active.
1. On the PowerEcho of the primary site, choose HA > Remote High Availability System > Manage Cold Backup System from the main menu.
2. On the Manage Cold Backup System page, click in the Operation column of the remote cold backup system.
3. Perform operations as prompted.
4. Start the product services of the primary site. For details, see 1.4.3 Starting Product Services.
----End
1.12.2.5 Forcibly Synchronizing Product Data
If the communication between the primary and secondary sites recovers or when
you perform routine maintenance, you can forcibly synchronize the product data
to ensure data consistency between the primary and secondary sites.
Prerequisites
You have logged in to the PowerEcho of the secondary site. For details, see 1.1.2
Logging In to the PowerEcho.
Context
● The product data at the primary site is automatically synchronized to the secondary site. The scheduled synchronization automatically triggers the Copy backup File and Restore product Data tasks.
● Forcible synchronization contains the following tasks: Forced synchronization data, Copy backup file, Synchronize backup data (synchronizing backup information to the PowerEcho of the secondary site), and Restore product data. Forced synchronization data is complete only after the other three tasks are complete. Restore product data will be executed after Synchronize backup data if data is available at the primary site. Otherwise, Restore product data will not be executed.
Precautions
During product data synchronization, do not perform any other operations, such
as configuring the current system information, switching over the primary and
secondary sites, and deleting the remote cold backup system.
Procedure
Step 1 On the PowerEcho, choose HA > Remote High Availability System > Manage
Cold Backup System from the main menu.
Step 2 On the Manage Cold Backup System page, click
in the Operation column of
the remote cold backup system whose data is to be synchronized.
Step 3 Perform operations as prompted.
----End
1.12.2.6 Modifying the Remote Cold Backup System
When the configuration of the remote cold backup system changes, modify the
configuration as required.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
● The name, local product type of the remote cold backup system, and the transfer mode of the peer SFTP backup server cannot be modified.
● During the product data synchronization, information about the remote cold backup system cannot be modified.
Procedure
Step 1 On the PowerEcho, choose HA > Remote High Availability System > Manage
Cold Backup System from the main menu.
Step 2 On the Manage Cold Backup System page, click in the Operation column of
the remote cold backup system to be modified.
Step 3 Perform operations as prompted.
Step 4 Back up the application and data of the PowerEcho again. This is because after
the parameters of the remote cold backup system are changed, the historical
backup files of the application and data of the PowerEcho have become invalid.
For details about how to back up, see 1.11.6.1 Manually Backing Up the
Application and Data of the PowerEcho.
----End
1.12.2.7 Deleting the Remote Cold Backup System
If the remote cold backup system is no longer required, you can delete the remote
cold backup system.
Prerequisites
You have logged in to the PowerEcho of the primary and secondary sites. For
details, see 1.1.2 Logging In to the PowerEcho.
Precautions
● During the product data synchronization, do not delete the remote cold backup system.
● Delete the remote cold backup system at both primary and secondary sites.
Procedure
Step 1 On the PowerEcho of the primary site, choose HA > Remote High Availability
System > Manage Cold Backup System from the main menu.
Step 2 On the Manage Cold Backup System page, select the remote cold backup system
to be deleted and click Delete.
Step 3 Perform operations as prompted.
Step 4 Delete the remote cold backup system at the secondary site. For details, see Step
1 to Step 3.
Step 5 Back up the application and data of the PowerEcho again. This is because after
the remote cold backup system is deleted, the historical backup files of the
application and data of the PowerEcho have become invalid. For details about
how to back up, see 1.11.6.1 Manually Backing Up the Application and Data of
the PowerEcho.
----End
1.13 Task Management
By viewing task details, you can learn about task execution status and locate
causes of failed tasks. In addition, you can terminate a pending or running task to
perform another task with higher priority.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
Table 1-43 lists the types and description of tasks that you can view on the
PowerEcho.
Table 1-43 Task management
| Task Type | Description | Condition |
| --- | --- | --- |
| System task | Tasks that are automatically triggered by the system. | System operations, for example: ● Default scheduled backup tasks ● Scheduled tasks for backing up the PowerEcho |
| User task | Tasks that are manually executed by users. | Manual operations, for example: ● Adding products ● Scanning software packages ● Manually backing up the PowerEcho |
Precautions
The time required for backing up the product data increases with the data volume.
If you need to execute another task with higher priority, you can terminate the
task for backing up product data when the task is in the Initialization,
Preliminary checks, Pre operation, or Execution stage. After the task with higher
priority is complete, you can create the terminated backup task again.
Procedure
Step 1 On the PowerEcho, choose System > Task List from the main menu.
Step 2 On the Task List page, perform operations as prompted.
----End
1.14 Display Format Settings on the PowerEcho
1.14.1 Date and Time Zone Display Format
The PowerEcho allows you to set the display format of the date and time zone on
the web client. After the setting takes effect, the date on the PowerEcho is
displayed in the configured format.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
This setting takes effect only for the current user who logs in to the PowerEcho
web client.
Procedure
Step 1 On the PowerEcho, choose System > System Configuration > Set Date and
Timezone Display Format from the main menu.
Step 2 On the Set Date and Timezone Display Format page, perform operations as
prompted.
----End
1.14.2 Time Display Format
The PowerEcho allows you to set the time display format on the web client. After
the setting takes effect, the time on the PowerEcho is displayed in the configured
format.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
This setting takes effect only for the current user who logs in to the PowerEcho
web client.
Procedure
Step 1 On the PowerEcho, choose System > System Configuration > Set Time Display
Format from the main menu.
Step 2 On the Set Time Display Format page, perform operations as prompted.
----End
1.14.3 Number Display Format
The PowerEcho allows you to set the number display format on the web client.
After the setting takes effect, the time on the PowerEcho is displayed in the
configured format.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
This setting takes effect only for the current user who logs in to the PowerEcho
web client.
Procedure
Step 1 On the PowerEcho, choose System > System Configuration > Set Number
Display Format from the main menu.
Step 2 On the Set Number Display Format page, perform operations as prompted.
----End
1.15 Password Management
1.15.1 OS Users
This section provides information about default OS users and describes how to
change the passwords for these default users.
1.15.1.1 Default OS Users
The system provides default users and initial passwords, and grants different
permissions to these users. Before performing operations, learn the default users
and their permissions to improve operation efficiency. You are advised to change
the passwords periodically (every three months) and set new passwords according
to the password requirements.
NOTICE
For security purposes, change the password on first login, update it periodically,
and keep it secure.
Table 1-44 Default OS users
| User | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| root | Changeme_123 | ● OS administrator ● This user is used to log in to the OS of a node. It is authorized to run all commands. | For details, see 1.15.1.3 Changing the Password of User root. NOTE: Keep the password for the root user secure. The password cannot be reset or retrieved if lost, and you need to reinstall the OS, affecting O&M. |
| ossuser | Changeme_123 | ● OS user ● This user is created when the NetEco is installed. It is used to install, upgrade, and maintain the product software. | For details, see 1.15.1.2 Changing Passwords for OS Users (Non-root Users). |
| dbuser | Changeme_123 | ● Common user ● This user is created when the operating system is installed. It is authorized to install, start, stop, and manage the Gauss or Redis database of the operating system. The Gauss database is an embedded database used by the management node to store service data. The Redis database caches service operation data. The OS user dbuser and the database user dbuser can access the Gauss or Redis database only in a LAN. The OS user dbuser and the database user dbuser have only the minimum permissions to execute their tasks. | For details, see 1.15.1.2 Changing Passwords for OS Users (Non-root Users). |
| ossadm | Changeme_123 | ● OS user ● This user is created when the operating system is installed. It is authorized to install, start, stop, and manage the operating system. | For details, see 1.15.1.2 Changing Passwords for OS Users (Non-root Users). |
| sopuser | Changeme_123 | Maintenance account, users can remotely log in to the management node through SSH. | For details, see 1.15.1.2 Changing Passwords for OS Users (Non-root Users). |
| backupuser | Changeme_123 | Backup account. | For details, see 1.15.1.2 Changing Passwords for OS Users (Non-root Users). |
Table 1-45 Host account list
| Account | Owner Group | Account Description | User Status |
| --- | --- | --- | --- |
| root | root | Super administrator account | Enabled |
| bin | bin | BIN account | Locked |
| daemon | daemon | daemon account | Locked |
| adm | adm | adm account | Locked |
| lp | lp | Printing service account | Locked |
| sync | root | Synchronization service account | Locked |
| shutdown | root | Shutdown service account | Locked |
| halt | root | Shutdown service account | Locked |
| mail | mail | Mail service account | Locked |
| operator | root | Operator account | Locked |
| games | users | games account | Locked |
| ftp | ftp | FTP account | Locked |
| nobody | nobody | nobody account | Locked |
| dbus | dbus | dbus service account | Locked |
| sshd | sshd | SSH service account | Locked |
| ntp | ntp | NTP service account | Locked |
| systemd-network | systemd-network | systemd-network service account | Locked |
| tss | tss | tcsd service account | Locked |
| rpc | rpc | rpcbind service account | Locked |
| polkitd | polkitd | polkitd service account | Locked |
| chrony | chrony | chronyd service account | Locked |
| dhcpd | dhcpd | dhcpd service account | Locked |
| ldap | ldap | slapd service account | Locked |
| nfsnobody | nfsnobody | NFS service account | Locked |
| nscd | nscd | Account used by the LDAP cache daemon process | Locked |
| rpcuser | rpcuser | RPC service account | Locked |
| saslauth | saslauth | saslauth service account | Locked |
| sssd | sssd | sssd service account | Locked |
| systemd-coredump | systemd-coredump | systemd-coredump account | Locked |
| systemd-resolve | systemd-resolve | Account used by the network name resolution service | Locked |
| unbound | unbound | Account used by the Domain name resolution service | Locked |
| systemd-timesync | systemd-timesync | systemd-timesync service account | Locked |
| mailnull | mailnull | Sendmail service account | Locked |
| smmsp | smmsp | Sendmail service account | Locked |
1.15.1.2 Changing Passwords for OS Users (Non-root Users)
For security purposes, change the initial passwords for OS users. You are advised
to periodically change the password for the OS users (for example, every three
months). Set new passwords according to the password rules of the OS.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● Before changing the operating system user password, ensure that the database is running properly. Otherwise, the operating system password fails to be changed.
Context
The user password must meet the password complexity requirements.
The password rules are as follows:
● The password must contain 8 to 64 characters.
● The password must be a combination of the following four types of characters:
  – At least one uppercase letter
  – At least one lowercase letter
  – At least one digit
  – At least one special character from ~@#^*-_+[{}]:./?%=! (Starting with ! is not allowed.)
● The password cannot contain more than two consecutive identical characters.
● The password cannot be the same as the reverse of it, regardless of the case.
● In addition to the preceding requirements, the password must meet the following requirements:
  – The password cannot be the same as any of the last five passwords.
  – The password cannot be a password in the weak password dictionary.
    NOTE
    ● The weak password dictionary is a collection of weak and common passwords that are vulnerable to cracking. Using a password in the weak password dictionary is not allowed, which is a commonly adopted measure in the industry to ensure security.
    ● For details about how to check and change passwords in the weak password dictionary, see 1.24.9 Managing Passwords in the Weak Password Dictionary.
  – The password must contain at least five different characters from the username or reverse of the username, and consecutive identical characters are regarded as one character.
  – The password cannot contain the username or the reverse of the username, regardless of the case. For example, if the username is ossadm, the password Ossadm or mdAsso is not allowed.
Precautions
● To prevent password change failure, do not change the OS user password in command and GUI mode at the same time.
● If the GaussDB T V3 database has multiple nodes, the password for the OS user dbuser on all the nodes must be the same. Otherwise, patches of the GaussDB T V3 database cannot be installed.
● If the PowerEcho is deployed in cluster mode and some management nodes are faulty, restore the faulty nodes first. Otherwise, the OS password fails to be modified.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Password Modification > Change OS
User Password from the main menu.
Step 2 On the Change OS User Password page, change the OS user password as
prompted.
----End
Follow-up Procedure
If the management node is used as the backup server and the password for the
backup server user is changed, update the password in the backup parameters.
Otherwise, the backup file cannot be saved to the backup server. For details, see
1.11.4 Configuring Backup Parameters.
1.15.1.3 Changing the Password of User root
Periodic password change is required to improve security of the password of the
NetEco server user root.
Prerequisites
● The old password of user root is available.
● The new password of user root is available.
● You have logged in to the NetEco server as user sopuser in SSH mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
Context
● The password of user root must meet the requirements for the minimum complexity. The password must contain at least seven characters consisting of letters, digits, or their combination. Ensure that the password contains at least one digit or one special character.
● The NetEco does not restrict the validity periods of user passwords. To ensure user password security, you are advised to change the password once every three months.
Procedure
Step 1 Run the following command to switch to the root user.
$ su - root
Password: root password
NOTE
After you switch to user root, "root@Host name:~#" is displayed.
The default password of user root is Changeme_123.
Step 2 Run the following command to change the password of user root:
# passwd root
New Password:new password
Retype New Password:new password
If Password changed or Changed successfully is displayed, the password is
changed successfully.
----End
1.15.2 Database Users
This section provides information about default database users and describes how
to change the passwords for these users.
1.15.2.1 Default Database Users
A database provides default usernames and initial passwords. For security, change
the initial passwords for related users. You are advised to change the passwords
periodically (every three months) and set new passwords according to the
password requirements.
NOTICE
For security purposes, change the password on first login, update it periodically,
and keep it secure.
To change the database password, ensure that the passwords of the sys user for
all instance databases are the same.
Precautions
Use the ossdbuser user when writing data. If you use another user, the
relationship between master and slave databases may be incorrect.
Table 1-46 GaussDB users and passwords of the PowerEcho
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| sys | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users and databases, and to change user passwords. This user is only allowed to log in locally. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| {ossdbuser} and ossdbuser | Changeme_123 | ● Application user. This user is used by services to read, write the database, and to create and delete database tables. ● {ossdnuser} indicates the name of a product database. Each application database has a corresponding user. Therefore, there are multiple database users and passwords. The ossdbuser is a virtual user and is not allowed to log in the database. When changing the passwords for these application users, enter the username ossdbuser so that you can change the passwords for all the application users at a time. The involved users are as follows: APPCONTROLLERDB, AUDITLOGDB, BACKUPDB, CRONDB, DBMGRDB, DEPLOYCONTROLLERDB, DEPLOYCOREDB, ENGRCOMMONSERVICEDB, MAINTENANCESERVICEDB, OSPATCHDB, PKGREPODB, PRIVILEGEDB, PRODUCTMONITORDB, SECURITYCONFIGDB, SIADB, SYSFENSDB, SYSLOGDB, SYSMGRDB, TASKMGRDB, USERDB | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| switchdbuser | 321_emegnahC | Switchover management user. This user is used to perform database switchover and configure read-only settings. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| public | N/A | Pre-configured database user. This user is a public user and cannot log in to the database. It is a collection of all database users. If a permission is assigned to the public user, this permission is shared by all database users. To ensure the data security of the database, do not assign any object permission to the public user. | N/A |
Table 1-47 Redis database users and passwords of the PowerEcho
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| dbuser | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users, and to change user passwords. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| ossdbuser | Changeme_123 | Application user. This user is used by services to read, write, and delete key values in the database. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
Table 1-48 Redis database users and passwords of the NetEco
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| dbuser | Admin@123 | ● Database administrator ● This user is used to log in to the database of a node. It is authorized to run all commands. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| ossdbuser | Changeme_123 | ● Common user ● This user is used to read and write data in the database, and to create and delete database tables. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | ● Read-only user ● This user is used to read the database status, database configurations, and data in the database. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
Table 1-49 GaussDB users and passwords of the NetEco
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| sys | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users and databases, and to change user passwords. This user is only allowed to log in locally. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| {ossdnuser} and ossdbuser | Changeme_123 | ● Application user. This user is used by services to read, write the database, and to create and delete database tables. ● {ossdnuser} indicates the name of a product database. Each application database has a corresponding user. Therefore, there are multiple database users and passwords. The ossdbuser is a virtual user and is not allowed to log in the database. When changing the passwords for these application users, enter the username ossdbuser so that you can change the passwords for all the application users at a time. The involved users are as follows: DASHBOARD, MEDDB, MONITORDB, NELOGDB, NETECOFMDB, OMCDB, PHONEAPPDB, PMDB, REPORTMGR, SECURITYPLATDB, SITEDB, SWMDB | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| switchdbuser | 321_emegnahC | Switchover management user. This user is used to perform database switchover and configure read-only settings. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| public | N/A | Pre-configured database user. This user is a public user and cannot log in to the database. It is a collection of all database users. If a permission is assigned to the public user, this permission is shared by all database users. To ensure the data security of the database, do not assign any object permission to the public user. | N/A |
Table 1-50 GaussDB users and passwords of the NetEco service side
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| sys | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users and databases, and to change user passwords. This user is only allowed to log in locally. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| {ossdnuser} and ossdbuser | Changeme_123 | ● Application user. This user is used by services to read, write the database, and to create and delete database tables. ● {ossdnuser} indicates the name of a product database. Each application database has a corresponding user. Therefore, there are multiple database users and passwords. The ossdbuser is a virtual user and is not allowed to log in the database. When changing the passwords for these application users, enter the username ossdbuser so that you can change the passwords for all the application users at a time. The involved users are as follows: NBICOMMONDB, EAMDB, RMTASKMGMTDB, INFOCENTERSERVICEDB, SYSLOGDB, FMDB, CMDBCORESVRDB, APIGOVERNANCEDB, PRIVILEGEDB, SIADB, APIGATEWAY_AM_DB, LIFECYCLEDB, TEMPDB, SYSFENSDB, INVMETADATADB, MOUISERVICEDB, SECONDARYAUTHDB, NBIFRMNOTIFYDB, AUDITLOGDB, RCACCESSCONFIGDB, SYSPREFERENCESDB, CMDBCOREHISTORYDB, RMCOORDINATEDB, NBIFRMFTPDB, AUTODISCOVERYDB, MERESGRPDB, SNBCERTMGMTSERVICEDB, IDGENDB, HOFSDB1, RNDB, ADMINHOMEDB, USERDB, SECURITYCONFIGDB, TOPODB, DOMAINDB, LICENSEDB, CRONDB, CMCCLOUDSERVICEDB | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| switchdbuser | 321_emegnahC | Switchover management user. This user is used to perform database switchover and configure read-only settings. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| public | N/A | Pre-configured database user. This user is a public user and cannot log in to the database. It is a collection of all database users. If a permission is assigned to the public user, this permission is shared by all database users. To ensure the data security of the database, do not assign any object permission to the public user. | N/A |
Table 1-51 GaussDB users and passwords of the inference softcomai
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| sys | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users and databases, and to change user passwords. This user is only allowed to log in locally. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| {ossdbuser} and ossdbuser | Changeme_123 | ● Application user. This user is used by services to read, write the database, and to create and delete database tables. ● {ossdnuser} indicates the name of a product database. Each application database has a corresponding user. Therefore, there are multiple database users and passwords. The ossdbuser is a virtual user and is not allowed to log in the database. When changing the passwords for these application users, enter the username ossdbuser so that you can change the passwords for all the application users at a time. The involved users are as follows: APPMGMTDB, EVALUATIONDB, SAMPLEDB, APPENGINEDB, DISPATCHERDB, RETRAINSERVICEDB, MSAGENTDB, NAIEDB, RETRAINMGMTDB, CASEDB | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| switchdbuser | 321_emegnahC | Switchover management user. This user is used to perform database switchover and configure read-only settings. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| public | N/A | Pre-configured database user. This user is a public user and cannot log in to the database. It is a collection of all database users. If a permission is assigned to the public user, this permission is shared by all database users. To ensure the data security of the database, do not assign any object permission to the public user. | N/A |
Table 1-52 GaussDB users and passwords of the inference softcomainobackup
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| sys | Admin@123 | Administrator user. This user is used to modify database configurations, to add, delete, modify, and query users and databases, and to change user passwords. This user is only allowed to log in locally. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| {ossdbuser} and ossdbuser | Changeme_123 | ● Application user. This user is used by services to read, write the database, and to create and delete database tables. ● {ossdnuser} indicates the name of a product database. Each application database has a corresponding user. Therefore, there are multiple database users and passwords. The ossdbuser is a virtual user and is not allowed to log in the database. When changing the passwords for these application users, enter the username ossdbuser so that you can change the passwords for all the application users at a time. The involved users are as follows: APPMGMTNOBACKUPDB | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| switchdbuser | 321_emegnahC | Switchover management user. This user is used to perform database switchover and configure read-only settings. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| readdbuser | Changeme@123 | O&M read-only user. This user is used to read the database status and configurations. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
| public | N/A | Pre-configured database user. This user is a public user and cannot log in to the database. It is a collection of all database users. If a permission is assigned to the public user, this permission is shared by all database users. To ensure the data security of the database, do not assign any object permission to the public user. | N/A |
Table 1-53 Database users and passwords of InfluxDB
| Username | Initial Password | Description | How to Change the Password |
| --- | --- | --- | --- |
| ossdbuser | Changeme_123 | Influxdb database user, which is used to read, write, and delete the database by using the Influxdb database service. | For details, see 1.15.2.2 Changing Passwords for Database Users. |
1.15.2.2 Changing Passwords for Database Users
For security purposes, change the initial passwords for the database users to
reduce the risk of brute-force password cracking. You are advised to periodically
change the passwords for the database users (every three months) and set new
passwords based on the password rules.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● The PowerEcho service is running properly. For details about how to check the status of the PowerEcho service, see 1.3.3 Monitoring Services.
● Before the database user password of the PowerEcho is changed, the PowerEcho database with user password to be changed must be in the Running state. For details about how to check the database status, see 1.3.4 Monitoring Databases.
● Before the database user password of a product is changed, the services of the product with database user password to be changed must be in the Not Running state, and the product database with user password to be changed must be in the Running state. For details, see 1.3.3 Monitoring Services and 1.3.4 Monitoring Databases.
  – If the services of the product with database user password to be changed are in the Running state, the PowerEcho will automatically stop the product services before the password is changed.
  – If the product database with user password to be changed is in the Not Running state, the PowerEcho will automatically start the product database before the password is changed.
● If the database is deployed in master/slave mode, Status of the database with user password to be changed must be Running, and Replication Status of the database must be Normal. Otherwise, the system may become abnormal. For details about how to check the status and replication status of a database, see 1.3.4 Monitoring Databases.
● If any management node is faulty, restore the node first. Otherwise, user passwords of databases cannot be changed. For details, see Table 1-16.
● In a remote cold backup scenario, the remote cold backup system has been deleted. For details, see 1.12.2.7 Deleting the Remote Cold Backup System.
Context
The user password must meet the password complexity requirements.
The password rules are as follows:
● The password must contain 8 to 64 characters.
● The password must be a combination of the following four types of characters:
  – At least one uppercase letter
  – At least one lowercase letter
  – At least one digit
  – At least one special character ~@#^*-_+[{}]:./?
● The password cannot contain more than two consecutive identical characters.
● The same character can be used three times at most.
● The password must contain at least two different characters from the initial password.
● The password cannot contain username or the reverse of it (case insensitive).
NOTE
● For the GaussDB database, the new password must meet the complexity requirements and contain at least two different characters from the old password. The new password cannot be the same as any used in the past 60 days, and cannot be the same as any of the last three passwords.
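The stateless password rules listed in 1.15.1.2 (OS users) and above (database users) can be pre-checked before a change is submitted. The following is an added example, not code from the product: the function name, profile names, and message strings are assumptions. It leaves out the rules that need stored state or the old password (password history, the weak password dictionary, comparison with the initial password) and the "five different characters" rule.

```python
import re
from collections import Counter

# Special-character sets as printed in 1.15.1.2 (OS) and 1.15.2.2 (database).
SPECIALS = {
    "os": set("~@#^*-_+[{}]:./?%=!"),
    "db": set("~@#^*-_+[{}]:./?"),
}

# Message strings are this example's own wording (assumption), not product output.
E_LENGTH = "length must be 8 to 64 characters"
E_UPPER = "needs an uppercase letter"
E_LOWER = "needs a lowercase letter"
E_DIGIT = "needs a digit"
E_SPECIAL = "needs a special character from the allowed set"
E_RUN = "more than two consecutive identical characters"
E_USERNAME = "contains the username or its reverse"
E_BANG = "must not start with '!'"
E_MIRROR = "is the same as its own reverse"
E_REPEAT = "a character is used more than three times"


def check_password(password, username, profile="os"):
    """Return the violated rules; an empty list means every stateless
    rule of the chosen profile ("os" or "db") is met."""
    if profile not in SPECIALS:
        raise ValueError("profile must be 'os' or 'db'")
    problems = []

    if not 8 <= len(password) <= 64:
        problems.append(E_LENGTH)

    # All four character classes are mandatory.
    if not re.search(r"[A-Z]", password):
        problems.append(E_UPPER)
    if not re.search(r"[a-z]", password):
        problems.append(E_LOWER)
    if not re.search(r"[0-9]", password):
        problems.append(E_DIGIT)
    if not any(ch in SPECIALS[profile] for ch in password):
        problems.append(E_SPECIAL)

    # "aa" is allowed, "aaa" is not.
    if re.search(r"(.)\1\1", password, re.DOTALL):
        problems.append(E_RUN)

    # Username and reversed username, compared case-insensitively.
    lowered, user = password.lower(), username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append(E_USERNAME)

    if profile == "os":
        if password.startswith("!"):
            problems.append(E_BANG)
        if lowered == lowered[::-1]:
            problems.append(E_MIRROR)
    else:
        # Assumption: occurrences are counted case-sensitively.
        if any(n > 3 for n in Counter(password).values()):
            problems.append(E_REPEAT)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, except Changeme_123, which is the
    # initial password listed in Table 1-44.
    samples = [
        ("Ossadm", "ossadm", "os"),
        ("xmdAsso9_K", "ossadm", "os"),
        ("Aa1~aXaYa", "sys", "db"),
        ("Changeme_123", "ossadm", "os"),
    ]
    for pw, user, profile in samples:
        print(profile, user, repr(pw), check_password(pw, user, profile) or "OK")
```

The initial password Changeme_123 meets every rule checked here, so complexity rules alone do not catch an unchanged default; that is the job of the weak password dictionary and the change-on-first-login requirement.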
Procedure
Step 1 On the PowerEcho, choose Maintenance > Password Modification > Change
Database User Password from the main menu.
Step 2 On the Change Database User Password page, change the password as
prompted.
NOTE
● After the database user passwords are changed, the system automatically restarts
services. You are advised to change all the database user passwords you need to change
at a time to reduce the number of automatic service restarts.
● For security purposes, you are advised to change the passwords for the GaussDB
database user and Redis database user to different passwords before using the
PowerEcho. For example, change the password for the GaussDB database user dbuser
and that for the Redis database user dbuser to different passwords.
● If you change database user passwords in batches and passwords of some database
instances fail to be changed, record the failure details in the task list. Change passwords
of the failed database instances one by one by referring to 1.24.5 How Do I Change
the Database Instance Password?.
● If you need to restart product services after changing the password for the product
database user, do not select Automatically start product services after the change of
product database user passwords in the Warning dialog box. In this case, product
services are not automatically started after the password change, which prevents the
product services or product databases from being restarted several times.
● In a remote cold backup scenario, if you are changing the product database user
password of the secondary site, do not select Automatically start product services
after the change of product database user passwords in the Warning dialog box.
This prevents the product services of the secondary site from being restarted, which
would cause the product to become dual-active.
Step 3 In a remote cold backup scenario, rebuild a remote cold backup system. For
details, see 1.12.2.1 Configuring a Remote Cold Backup System.
----End
Follow-up Procedure
Manually back up the product applications, product data, and database
applications. For details, see 1.11.5.3 Backing Up Product Applications, 1.11.5.2
Backing Up Product Data, and 1.11.5.4 Backing Up Database Applications.
1.15.3 NetEco Web System Users and Passwords
This section describes the default NetEco web system users and how to change
the users' passwords.
1.15.3.1 Default NetEco Web System User Information
The system provides default users and initial passwords. Change the password
upon first login. You are advised to change the password periodically (every
three months) and to set each new password based on the specified password rules.
NOTICE
For NetEco web system security, change the password upon first login, update it
periodically, and keep it secure.
Table 1-54 Default NetEco web system user information
| Web System | User | Initial Password | Description | How to Change the Password |
|---|---|---|---|---|
| NetEco client | admin | Changeme_123 | The admin user is the default administrator provided by the NetEco client. The admin user is authorized to manage and operate all devices. NOTE: Keep the password of the admin user secure. If the password is lost, it cannot be reset or retrieved. You need to reinstall the NetEco system, which has great impact on O&M. | For details, see 1.15.3.2 Changing the Password for the admin User (NetEco). |
| PowerEcho client | admin | Changeme_123 | The admin user is the default administrator provided by the PowerEcho client. NOTE: Keep the password of the admin user secure. If the password is lost, it cannot be reset or retrieved. You need to reinstall the NetEco system, which has great impact on O&M. | For details, see 1.15.3.3 Changing the Password for the admin User (the PowerEcho). |
| Swift Deploy upgrade tool | admin | Changeme_123 | The user name and password are the same as those of the PowerEcho client. | - |
| Swift Deploy deployment tool | admin | Changeme_123 | The admin user is the default administrator provided by Swift Deploy deployment tool. | For details, see 1.15.3.4 Changing the User Name and Password of the Swift Deploy Deployment Tool. |
1.15.3.2 Changing the Password for the admin User (NetEco)
To prevent security risks, such as brute-force password cracking, change the initial
password for the admin user. You are also advised to change the password for the
admin user periodically (for example, every three months) based on password
requirements.
Prerequisites
You have logged in to the NetEco as the admin user. For details, see 1.1.1
Logging In to the NetEco.
Procedure
Step 1 Choose System > Personal Settings > Change Password.
Step 2 Set Old password, New password, and Confirm password.
Step 3 Click Apply.
----End
1.15.3.3 Changing the Password for the admin User (the PowerEcho)
The admin user is the administrator of the PowerEcho. For security purposes,
change the initial password for the admin user to reduce the risk of brute-force
password cracking. You need to periodically change the password for the
admin user based on the password policy in the system.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose System > Security Management > Change Password
from the main menu.
Step 2 On the Change Password page, change the password for the admin user as
prompted.
NOTICE
User information is more secure if a password is changed more frequently. If you
forget the password for the admin user due to frequent password changes, you
can reset the password only by reinstalling the system.
----End
1.15.3.4 Changing the User Name and Password of the Swift Deploy
Deployment Tool
To improve system security, you need to change the password of user admin for
Swift Deploy. To improve account security, you are advised to change the default
user name admin. You are advised to periodically change the password to ensure
system security.
Prerequisites
You have obtained the password of user admin for Swift Deploy. The default
password is Changeme_123.
Context
● To improve password security, set the password based on the following
complexity requirements:
– The password must contain 8 to 32 characters.
– The password must contain at least three of the following character types:
▪ Uppercase letter
▪ Lowercase letter
▪ Digit
▪ Special character `~!@#$%^&*()-_=+\|[{}];:'",<.>/? and space
– The password cannot be any user name or user name in reverse order.
● The naming rules of the user are as follows:
– 1 to 32 characters.
– Contain only letters a-z and A-Z and digits 0-9 and underscores (_).
– The user name must begin with a letter or digit.
Procedure
1. Use PuTTY to log in to the NetEco server as user sopuser. For details, see
1.24.1 Logging In to a Server Using PuTTY.
2. Run the following commands to change the user name and password:
$ su - ossadm
password: ossadm password
$ cd /opt/repo/deploytool/bin
$ bash user_mgr.sh
3. Based on the command output, enter the original user name admin and its
password, set a new user name and new password for Swift Deploy, confirm the
new password, and press Enter.
If the following information is displayed, the password is changed successfully:
Update user password success.
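The Context rules above can be checked before user_mgr.sh is run. The following Python check is an added example, not code from Swift Deploy or from this guide: the function names and result codes are hypothetical, the user-name comparison is taken as exact equality because the guide says only that the password cannot be a user name or its reverse, and the "default" and "default-name" findings reflect the guide's advice to change the default password and user name.

```python
import string

# Special characters exactly as listed in the Context rules, plus space.
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? ")
ALNUM = string.ascii_letters + string.digits
NAME_CHARS = ALNUM + "_"
# Default credentials documented for the Swift Deploy deployment tool.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "Changeme_123"


def check_username(name):
    """Return the codes of the naming rules that a proposed user name breaks."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("name-length")
    if any(ch not in NAME_CHARS for ch in name):
        problems.append("name-charset")
    if not name or name[0] not in ALNUM:
        problems.append("name-first-char")
    if name == DEFAULT_USER:
        problems.append("default-name")      # guide advises renaming admin
    return problems


def check_password(password, usernames=()):
    """Return the codes of the complexity rules that a proposed password breaks."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length")
    classes = [
        any(ch in string.ascii_uppercase for ch in password),
        any(ch in string.ascii_lowercase for ch in password),
        any(ch in string.digits for ch in password),
        any(ch in SPECIALS for ch in password),
    ]
    if sum(classes) < 3:                      # at least three of the four types
        problems.append("classes")
    # Assumption: exact comparison with each user name and its reverse.
    if any(password in (name, name[::-1]) for name in usernames):
        problems.append("username")
    if password == DEFAULT_PASSWORD:
        problems.append("default")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for name in ("admin", "_ops", "deploy_ops01"):
        print(repr(name), check_username(name))
    for password in ("Changeme_123", "nimda", "Deploy Tool 2020"):
        print(repr(password), check_password(password, ["admin", "deploy_ops01"]))
```

Changeme_123 satisfies every complexity rule, so only the explicit comparison with the documented default flags it.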
1.15.4 Setting and Changing the Password of the Server BIOS
You are advised to set the password of the BIOS for the NetEco server and change
the password periodically to improve the security of the server settings.
1.15.4.1 Entering the Remote Management Window of the Server
This section describes how to navigate to the remote management window of the
server to manage the server.
Prerequisites
● The communication between the PC and the management network port on
the server is proper.
● The IP address of the remote terminal is on the same network segment as
that of the remote management port on the server.
Context
NOTICE
The remote management window provides the remote password change function.
However, this function does not limit the number of times an incorrect old
password can be entered, so passwords may be cracked by brute force. Therefore,
you need to set a password that meets the complexity requirements and change it
periodically to reduce such a risk. For details about the functions in the remote
management window, see the online help in this window.
Procedure
Step 1 Open a browser on the PC. In the address bar, enter https://IP address of the
remote management port to access the remote management system, and press Enter.
The login page of the remote management system is displayed.
NOTE
During login, if the system displays There is a problem with this website's security
certificate, click Continue to this website.
Step 2 Type the user name and the password, then click Log In.
Step 3 Start the remote console.
NOTE
Log in to the iBMC and view the iBMC version information on the home page.
● If the iBMC version is 3.XX, choose Remote Control from the main menu, and
then choose HTML5 Integrated Remote Console (Private) on the displayed
Remote Control page.
● If the iBMC version is 5.XX, scroll down the home page. In the Virtual Console
area, click Start and select HTML5 Integrated Remote Console (Private).
----End
1.15.4.2 Setting and Changing the Password of the Server BIOS (TaiShan
Server)
You are advised to set the password of the BIOS for the server and change the
password periodically to improve the security of the server settings.
Prerequisites
You have remotely logged in to the server through the iBMC web interface on a
PC. For detailed operations, see 1.15.4.1 Entering the Remote Management
Window of the Server.
NOTE
If the remote management port is used, you are advised to hold down Shift when entering
uppercase letters. Caps Lock is not recommended.
Procedure
Step 1 Start or restart the server. When the window shown in Figure 1-2 is displayed,
press Delete. The BIOS (Basic Input Output System) window is displayed.
NOTE
● Wait until the system switches to the BIOS. This process may take one minute.
● If the server is running, restart the server by clicking the restart button on the upper
part of the page. Restarting the system will cause the NetEco to be unavailable
temporarily. Exercise caution when performing this operation.
Figure 1-2 The server booting page
Step 2 Enter the password on the BIOS screen and press Enter, as shown in Figure 1-3.
NOTE
If the default password of the server is set before delivery, you need to enter the default
password before entering the BIOS. The default password is Admin@9000. If the default
password is not used, skip this step.
Figure 1-3 BIOS screen
Step 3 When a message indicates that the current password is the default password
and needs to be changed, press Enter, as shown in Figure 1-4.
Figure 1-4 Configuration interface
Step 4 Select the Security screen, as shown in Figure 1-5.
Figure 1-5 Security screen
Step 5 Select Set Supervisor Password and press Enter. You can set the administrator
login password, as shown in Figure 1-6. After the setting is complete, press Enter.
Figure 1-6 Setting the password of the BIOS
NOTE
Set administrator password
● The default BIOS password is Admin@9000.
● The password must be 8 to 16 characters long. It must contain special
characters (including spaces) and at least two of uppercase letters, lowercase letters,
and numbers.
● The new password cannot be the same as the previous five passwords.
● After the administrator password is set, the "Clear Supervisor Password" parameter
appears, which can be used to clear the administrator password.
● To change the administrator password, you need to enter the current administrator
password first. If the password is entered incorrectly three times, the machine is
locked. The server is unlocked after a restart.
Step 6 On the Security interface, press F10 and select Yes to save and exit, as shown
in Figure 1-7.
NOTE
You are advised to change the password of the BIOS every three months.
Figure 1-7 Save and exit
----End
1.15.4.3 Setting and Changing the Password of the Server BIOS (X86 Server)
You are advised to set the password of the BIOS for the server and change the
password periodically to improve the security of the server settings.
Prerequisites
You have remotely logged in to the server through the iBMC web interface on a
PC. For detailed operations, see 1.15.4.1 Entering the Remote Management
Window of the Server.
NOTE
If the remote management port is used, you are advised to hold down Shift when entering
uppercase letters. Caps Lock is not recommended.
Procedure
Step 1 Start or restart the server. When the window shown in Figure 1-8 is displayed,
press Delete. The BIOS (Basic Input Output System) window is displayed.
NOTE
● Wait until the system switches to the BIOS. This process may take one minute.
● If the server is running, restart the server by clicking the restart button on the upper
part of the page. Restarting the system will cause the NetEco to be unavailable
temporarily. Exercise caution when performing this operation.
Figure 1-8 The server booting page
Step 2 Enter the password on the BIOS screen and press Enter, as shown in Figure 1-9.
NOTE
If the default password is set before delivery, you need to enter the default password before
entering the BIOS. The default password is Admin@9000. If the default password is not used,
skip this step.
Figure 1-9 Boot screen
Step 3 When a message indicates that the current password is the default password
and needs to be changed, press Enter, as shown in Figure 1-10.
Figure 1-10 Configuration interface
Step 4 Select BIOS Configuration, as shown in Figure 1-11.
Figure 1-11 Home page
Step 5 Select the Security screen, as shown in Figure 1-12.
Figure 1-12 Security screen
Step 6 Select Manage Supervisor Password and press Enter. You can set the
administrator login password, as shown in Figure 1-13. To change the administrator
password, you need to enter the current administrator password first. If the password
is entered incorrectly three times, the machine is locked. The server is unlocked
after a restart.
Figure 1-13 Setting the password of the BIOS
NOTE
Set administrator password
● The default BIOS password is Admin@9000.
● The password must be 8 to 16 characters long. It must contain special
characters (including spaces) and at least two of uppercase letters, lowercase letters,
and numbers.
● The new password cannot be the same as the previous five passwords.
● After the administrator password is set, the "Clear Supervisor Password" parameter
appears, which can be used to clear the administrator password.
● If "Simple Password" is set to "Enabled", the system will not check the complexity of
the password, but the password length must still be between 8 and 16 characters.
Step 7 After the setting is complete, press Enter to select OK, and then press Enter,
as shown in Figure 1-14.
Figure 1-14 Confirm interface
Step 8 Press Enter to return to the Security interface, press F10, and select Yes to
save and exit, as shown in Figure 1-15.
NOTE
You are advised to change the password of the BIOS every three months.
Figure 1-15 Save and exit
----End
1.15.5 Setting Encrypted Password for GRUB2
Description
Grand unified bootloader (GRUB) is a boot manager for operating systems (OSs)
such as Windows and Linux. GRUB2 is a later version of GRUB.
When starting the system, you can modify the startup parameters of the system
on the GRUB2 interface. To prevent unauthorized modification of the startup
parameters, protect the GRUB2 interface with an encrypted password. In this way,
the startup parameters can be modified only after the correct GRUB2 password
is entered.
NOTE
The default password of GRUB2 is Changeme_123. You are advised to change the default
password upon the first login and update the password periodically. If the password is
leaked, startup item configurations may be modified, causing system startup to fail.
Implementation
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to generate an encrypted password:
$ su - root
Password:password for root
# grub2-setpassword
Enter password:
Confirm password:
NOTE
SHA-512 is used as the GRUB2 encryption algorithm.
Step 3 Run the cat command to view the grub.cfg file.
# cd /boot/efi/EFI/euleros/
# cat grub.cfg
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set pager=1
...
terminal_output console
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
set superusers=root
password_pbkdf2 root
grub.pbkdf2.sha512.10000.D4D775602C4E9F76EF4A9A6E726486941C8AAFB4762227E6973690ED5A760D59
247E7E6ECA72472FBEEBFD9DB60F8EE56A4078094542C790BF0967879BE2D60C.B2742F38995B4B716EA7B0
E639D02BE6C4E649E30576E5F5505B85844172B831841DA80D264FD14B025F3C8804158E7FC082998664BD
03A92663FB4CE293807B
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/01_menu_auto_hide ###
if [ "${boot_success}" = "1" -o "${boot_indeterminate}" = "1" ]; then
  set last_boot_ok=1
else
  set last_boot_ok=0
fi
# Reset boot_indeterminate after a successful boot
if [ "${boot_success}" = "1" ] ; then
  set boot_indeterminate=0
# Avoid boot_indeterminate causing the menu to be hidden more then once
elif [ "${boot_indeterminate}" = "1" ]; then
  set boot_indeterminate=2
fi
set boot_success=0
save_env boot_success boot_indeterminate
if [ x$feature_timeout_style = xy ] ; then
  if [ "${menu_show_once}" ]; then
    unset menu_show_once
    save_env menu_show_once
    set timeout_style=menu
    set timeout=60
  elif [ "${menu_auto_hide}" -a "${last_boot_ok}" = "1" ]; then
    set orig_timeout_style=${timeout_style}
    set orig_timeout=${timeout}
    if [ "${fastboot}" = "1" ]; then
      # timeout_style=menu + timeout=0 avoids the countdown code keypress check
      set timeout_style=menu
      set timeout=0
    else
      set timeout_style=hidden
      set timeout=1
    fi
  fi
fi
### END /etc/grub.d/01_menu_auto_hide ###
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
...
NOTE
● The superusers field is used to set the account name of the super GRUB2 administrator.
● Following the password_pbkdf2 field, the first parameter is the GRUB2 account name,
and the second parameter is the ciphertext password of the account.
● Currently, GRUB2 menu management commands including grub2-mkconfig cannot be
used in the AARCH64 architecture.
----End
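To confirm that the hash configured in grub.cfg or user.cfg no longer corresponds to the default GRUB2 password, the stored value can be recomputed and compared. The following Python audit is an added example, not part of this guide or of GRUB2: it assumes the grub.pbkdf2.sha512 string encodes standard PBKDF2-HMAC-SHA512 as iterations, salt, and hash in hexadecimal, the function names are hypothetical, and the sample configuration and its hashes are constructed.

```python
import hashlib
import hmac
import re

# Default GRUB2 password stated in the NOTE of this section.
DEFAULT_PASSWORD = "Changeme_123"

HASH_RE = re.compile(r"grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)")
# "password_pbkdf2 <account> <hash>" in grub.cfg, "GRUB2_PASSWORD=<hash>" in user.cfg.
ENTRY_RE = re.compile(
    r"^\s*(?:password_pbkdf2\s+(\S+)\s+|GRUB2_PASSWORD=)(grub\.pbkdf2\.\S+)\s*$",
    re.MULTILINE,
)


def parse_hash(value):
    """Split a grub.pbkdf2.sha512 string into (iterations, salt, digest)."""
    match = HASH_RE.fullmatch(value.strip())
    if not match:
        raise ValueError("not a grub.pbkdf2.sha512 value")
    return int(match.group(1)), bytes.fromhex(match.group(2)), bytes.fromhex(match.group(3))


def make_hash(password, salt, iterations=10000):
    """Build a value in the same layout (used here only for the constructed sample)."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), digest.hex().upper())


def matches(password, value):
    """Return True if the password produces the stored digest."""
    iterations, salt, digest = parse_hash(value)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def audit(config_text):
    """Return [(account, iterations, still_default)] for every literal hash found.

    Lines that only reference ${GRUB2_PASSWORD} carry no hash and are skipped.
    """
    findings = []
    for account, value in ENTRY_RE.findall(config_text):
        iterations, _, _ = parse_hash(value)
        findings.append(
            (account or "GRUB2_PASSWORD", iterations, matches(DEFAULT_PASSWORD, value))
        )
    return findings


def sample_config():
    """Constructed text standing in for the contents of grub.cfg plus user.cfg."""
    return "\n".join([
        "set superusers=root",
        "password_pbkdf2 root " + make_hash(DEFAULT_PASSWORD, bytes(range(64))),
        "GRUB2_PASSWORD=" + make_hash("constructed-Sample#2020", bytes(range(64, 128))),
        "password_pbkdf2 root ${GRUB2_PASSWORD}",
    ])


if __name__ == "__main__":
    for account, iterations, still_default in audit(sample_config()):
        state = "DEFAULT PASSWORD STILL SET" if still_default else "changed"
        print(f"{account}: {iterations} iterations, {state}")
```

On a real node, pass the text of the grub.cfg shown in Step 3 and of the user.cfg it sources to audit().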
1.15.6 Configuring the Hacker Language Dictionary
A hacker language dictionary is used to store character conversion rules.
Passwords are converted based on these rules. If a converted password exists in
the password dictionary, do not use the password as a user password for account
security purposes. This section describes how to update the hacker language
dictionary if it does not meet user requirements.
Prerequisites
You have obtained the passwords for the sopuser and ossuser users for logging in
to the node where SMLogLic resides.
Context
● The hacker language dictionary defines the rules of converting a character or
string into an uppercase or lowercase letter. For example, if a rule for
converting the string |-|1234 a into x exists in the hacker language dictionary
and x exists in the password dictionary file, a password cannot be set to
|-|1234 abcd! when Password cannot contain words in password dictionary
and Password complies with requirements in hacker language dictionary
are enabled.
● A hacker dictionary file can contain multiple rules. In each rule, the string on
the left of the last equal sign (=) is replaced with the first letter on the right
of the last equal sign. For example, |-|1234 a = x indicates that |-|1234 a in
the password will be replaced with x.
● In a hacker dictionary file, each row contains only one rule. Hacker dictionary
configuration constraints are as follows:
– The spaces, \n, \r, and tab characters at the beginning and end of the
strings on the left and right sides of the last equal sign are filtered out.
For example, x=x = y indicates that x=x will be replaced with y.
– After the filtering, the first character of the string remaining on the right
of the last equal sign must be a letter, and the string remaining on the left
of the last equal sign will be replaced with this letter. For example, x=x =
ya indicates that x=x will be replaced with y.
Procedure
Step 1 On the local PC, create a hacker language dictionary file in .txt format. Ensure
that the file size does not exceed 200 KB. Configure a conversion rule in the file.
The following is an example:
1234 a = x
x=%x = 2ya
user = y
Step 2 Use FileZilla to log in to the node where SMLogLic resides, as the sopuser user in
SFTP mode. Upload the hacker language dictionary file to the /home/sopuser
directory. For details, see 1.24.2 Transferring Files Using FileZilla.
Step 3 Use PuTTY to log in to the node where SMLogLic resides, as the sopuser user in
SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 4 Run the following command to switch to the ossuser user:
$ su - ossuser
Password: password for the ossuser user
Step 5 Run the following commands to change the owner and permission of the hacker
language dictionary file:
$ cp /home/sopuser/hacker language dictionary file /home/ossuser/hacker language dictionary file
$ chown ossuser:ossgroup hacker language dictionary file
$ chmod 600 hacker language dictionary file
Step 6 Run the following command to go to the target directory:
$ cd /opt/oss/NetEco/apps/SMLogLicService/bin
Step 7 Run the following command to update the hacker language dictionary:
$ ./updateComplexDic.sh -file /home/ossuser/hacker language dictionary file
● If the following information is displayed, the hacker language dictionary is
successfully updated:
Successfully updated 1 lines of complex dictionary data.
● Otherwise, the hacker language dictionary fails to be updated. Check whether
the hacker language dictionary meets requirements. If it does not, modify the
language dictionary and try again. If it does, contact Huawei technical
support to troubleshoot the update failure.
Step 8 Run the following command to switch to the sopuser user:
$ exit
Step 9 Run the following command to delete files in the /home/sopuser directory:
$ cd /home/sopuser
$ rm -rf hacker language dictionary file
----End
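The rule syntax described in Context can be checked on the local PC before the file is uploaded in Step 2. The following Python lint is an added example, not the SMLogLic implementation: the function names are hypothetical, and the order in which rules are applied (longest left side first), the case-insensitive substring match against the password dictionary, and the rejection of an empty left side are assumptions. Apart from the |-|1234 a and x=x rules taken from the text, the sample rules and passwords are constructed.

```python
import string

MAX_FILE_BYTES = 200 * 1024   # Step 1: the file must not exceed 200 KB
TRIM = " \n\r\t"              # characters filtered from both ends of each side


def parse_rule(line):
    """Return (left_string, replacement_letter) for one rule line."""
    if "=" not in line:
        raise ValueError("no equal sign")
    left, right = line.rsplit("=", 1)          # split at the LAST equal sign
    left, right = left.strip(TRIM), right.strip(TRIM)
    if not left:
        raise ValueError("empty left side")    # assumption: nothing to replace
    if not right or right[0] not in string.ascii_letters:
        raise ValueError("right side must start with a letter")
    return left, right[0]                      # only the first letter is used


def load_rules(data):
    """Parse file content (bytes) and return (rules, rejected_lines)."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("dictionary file exceeds 200 KB")
    rules, rejected = [], []
    for number, line in enumerate(data.decode("utf-8").splitlines(), start=1):
        if not line.strip(TRIM):
            continue                           # assumption: blank rows are ignored
        try:
            rules.append(parse_rule(line))
        except ValueError as error:
            rejected.append((number, str(error)))
    return rules, rejected


def convert(password, rules):
    """Apply every rule to the password, longest left side first (assumption)."""
    for left, letter in sorted(rules, key=lambda rule: len(rule[0]), reverse=True):
        password = password.replace(left, letter)
    return password


def dictionary_hits(password, rules, words):
    """Return the password-dictionary words found in the converted password."""
    converted = convert(password, rules).lower()
    return [word for word in words if word.lower() in converted]


# Constructed dictionary file; the first two rules are the examples from Context.
SAMPLE_RULES = (
    b"|-|1234 a = x\n"
    b"x=x = ya\n"
    b"@ = a\n"
    b"$ = s\n"
    b"0 = o\n"
    b"3 = 7e\n"          # rejected: right side starts with a digit
    b"no rule here\n"    # rejected: no equal sign
)

if __name__ == "__main__":
    rules, rejected = load_rules(SAMPLE_RULES)
    print("accepted:", rules)
    print("rejected:", rejected)
    for candidate in ("|-|1234 abcd!", "P@$$w0rd2020", "Tr1cky-Horse#77"):
        print(candidate, "->", convert(candidate, rules),
              dictionary_hits(candidate, rules, ["password", "x"]))
```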
1.16 Managing Certificates
1.16.1 Certificate Overview
Huawei SSL certificates are preconfigured during the PowerEcho and the NetEco
installation. You are advised to replace the preconfigured certificates with new
ones after the PowerEcho or the NetEco is installed for the first time and
periodically update the certificates, which can prevent system security risks caused
by expired certificates and increase communication security of the PowerEcho or
the NetEco.
Certificate Principles and Functions
The SSL certificate is a digital certificate based on the SSL protocol. It is similar to
the electronic copy of a driving license or passport and is used for identity
authentication between the client and the server. After the SSL encryption
mechanism is used, an encrypted communication channel is established between
the client and the server, which can ensure security and efficiency. Hyper Text
Transfer Protocol over Secure Socket Layer (HTTPS), a secure variant of HTTP, is
used for internal communication between nodes or services of the PowerEcho and
the NetEco, and for communication between the PowerEcho or the NetEco and
browsers or other systems. The SSL protocol is the security foundation of HTTPS.
An SSL certificate provides the following functions:
● Data confidentiality: Both parties obtain encrypted private keys after
negotiating using a handshake protocol and transfer encrypted messages. A
single key encryption algorithm is used, such as Advanced Encryption
Standard (AES).
● Identity authentication: A public key encryption algorithm, such as Digital
Signature Standard (DSS), is used to add signatures to all the involved
communication parties.
● Data integrity: All messages transmitted during communication contain
digital signatures to ensure the message integrity. Digital signatures include
the message digest and message authentication code (MAC) generated by
the hash algorithm, such as Secure Hash Algorithm (SHA).
Certificate Usage Scenarios
SSL certificates of the PowerEcho including ER certificates, CA certificates, and IR
certificates are used by the PowerEcho in different scenarios. Table 1-55 shows
functions of the certificates.
Table 1-55 Certificate usage scenarios
| Certificate Type | Scenario |
|---|---|
| ER certificate | The browser uses the ER certificate to perform authentication on the PowerEcho or the NetEco. |
| IR certificate | The IR certificates are used for authentication during internal communication of the system. |
| CA certificate | Certificate for issuing IR certificates of the PowerEcho and the NetEco. |
Certificate Update Methods
The methods for updating certificates of the PowerEcho and applicable scenarios
are as follows:
● Update online: If the PowerEcho is interconnected with a certificate authority
(CA), you are advised to update certificates online on the web client, so that
you do not need to manually obtain and upload new certificates and the
operations are simple.
● Upload and update: If you have obtained a new certificate, you are advised to
manually upload it on the web client to update the certificate.
● Update in CLI mode: If you cannot log in to the PowerEcho web client due to
expiration of some certificates, you can only log in to the management node
and run commands to update the certificates.
IR certificates are used for mutual authentication during internal
communication and can be updated only in CLI mode. The IR certificates are
authenticated by the CA certificate. The IR certificates are updated when the
CA certificate is updated.
1.16.2 Certificate List
Certificates are required in some scenarios of the NetEco, so that SSL can be used
to improve the security of internal and external communication. When an SSL
certificate expires or a specific certificate is required, replace the certificate.
Table 1-56 lists the certificates used by the NetEco.
Table 1-56 Certificate list
| Portal | Service | Certificate | Purpose | Operation |
|---|---|---|---|---|
| PowerEcho | UniEPMgr | ER certificate | Certificate for one-way authentication during login to the PowerEcho through a browser. | 1.16.3 Uploading and Updating ER Certificates |
| NetEco | UniEPMgr | ER certificate | Certificate for one-way authentication during login to the NetEco through a browser. | 1.16.3 Uploading and Updating ER Certificates |
| PowerEcho | UniEPMgr | CA certificate | Certificate for internal communication of the system. | 1.16.4 Uploading and Updating CA Certificates |
| PowerEcho | UniEPMgr | IR certificate | Certificate for bidirectional authentication for internal communication of system. | 1.16.5 Updating IR Certificates |
| PowerEcho | UniEPMgr | Syslog server trust certificate | Certificate for the PowerEcho to verify the identity of the Syslog server to ensure communication security. | 1.16.6 Uploading and Updating the Trust Certificate of the Syslog Server (the PowerEcho) |
| NetEco | SMLogLic | User management certificate | Certificate used to sign a token to ensure token security through internal user authentication. | 1.16.7 Updating the Certificate of User Management |
| PowerEcho | UniEPMgr | CAS SSO client trust certificate | Trust certificate on the client, which needs to be updated together with the corresponding CRL after their equivalents on the server are updated. | 1.16.10 Updating the CAS SSO Client Trust Certificate |
| NetEco | SMLogLic | LDAP certificate | Certificate used to ensure data security during the communication between the NetEco and the LDAP server. | 1.16.9 Updating the Certificate of LDAP |
| NetEco | Basic | SSO certificate | Certificate used to ensure that users can log in to the system in SSO mode. | 1.16.12 Managing CAS SSO Certificates |
| NetEco | HomePage Notice | Mailbox server SSL/TLS certificate | Certificate used for two-way authentication between the system and mail server. The system and mail server can communicate with each other only after both of them trust the certificate. | 1.16.11 Updating Mail Server Certificate for Notifications |
1.16.3 Uploading and Updating ER Certificates
When you log in to the PowerEcho or the NetEco using a browser, the browser
uses the ER certificate to perform authentication on the PowerEcho or the NetEco.
A Huawei ER certificate has been preconfigured when the PowerEcho or the
NetEco is installed. The certificate is used only for commissioning. You need to
replace the preconfigured certificate with a new ER certificate to improve
communication security of the PowerEcho or the NetEco. To prevent security risks
caused by expired certificates, you are advised to periodically update certificates.
Prerequisites
● You have obtained a new trust certificate in .cer or .p12 format and the
corresponding certificate files. The format and name of the certificate and
private key files must be consistent with the following, and only lowercase
letters are allowed in the file name:
– If the identity certificate is in .cer format, obtain the following certificate
files and private key password:
server.cer: identity certificate file
server_key.pem: private key to the identity certificate
The private key of the identity certificate must be encrypted. If the
certificate is uploaded in plaintext, the certificate replacement fails.
trust.cer: trust certificate file
If a trust certificate contains CA certificates of multiple levels, the trust
certificate must contain the content of each CA certificate in the
sequence of sub-CA and root CA certificates. Otherwise, the certificate
replacement fails.
– If the identity certificate is in .p12 format, obtain the following certificate
files, the store password for the certificate, and the private key password:
server.p12: identity certificate file
trust.cer: trust certificate file
If a trust certificate contains CA certificates of multiple levels, the trust
certificate must contain the content of each CA certificate in the
sequence of sub-CA and root CA certificates. Otherwise, the certificate
replacement fails.
NOTE
The complexity requirements for the store password for the certificate and the private
key password are as follows:
Issue Draft B
(2020-11-30)
●
Contain 10 to 32 characters.
●
Be a combination of the following four types of characters:
●
Uppercase letters
●
Lowercase letters
●
Digits
●
Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
●
Not contain double quotation marks (") and single quotation marks (') at the
same time.
●
Contain less than three consecutive identical characters.
●
Contain less than four identical characters.
●
Be different from the old password for the certificate.
You have obtained the password for the old ER certificate. The password
contains 6 to 64 characters.
Copyright © Huawei Technologies Co., Ltd.
141
iManager NetEco
Administrator Guide
1 NetEco Administrator Guide
If you need to use the default password during certificate replacement,
contact Huawei technical support.
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
Table 1-57 lists the certificate application requirements.
Context
Table 1-57 Certificate requirements
Item: Certificate signature algorithm
Requirements: Use industry-leading security algorithms, such as sha256WithRSAEncryption.
Item: Length of the public and private keys
Requirements: For the RSA encryption algorithms, the recommended length is 3072 bits or longer.
Item: Certificate validity period
Requirements: Set this parameter based on the customer's IT security management requirements.
Item: Extended certificate attributes
Requirements: The X509v3 Subject Alternative Name attribute is mandatory. The value is an IP
address or a domain name. If an IP address is used to log in to the PowerEcho or the
NetEco client, set the value to the IP address. If a floating IP address is used, set
the value to the floating IP address. If a domain name is used for access, the value is
the domain name.
Item: Certificate storage format
Requirements:
NOTE
● The certificate in .cer format must be encoded using Base64. The file name extension can
  be .cer, .pem, or .crt.
● The trust certificate (trust.cer) contains the trusted root certificate and intermediate CA
  certificate. The root certificate must be placed at the beginning.
● If the identity certificate is in .cer format, obtain the following certificate files and
  password for the private key of the identity certificate file. The format and name of the
  certificate and private key files must be consistent with the following, and only lowercase
  letters are allowed in the file name.
  server.cer: identity certificate file
  server_key.pem: private key of the identity certificate
  trust.cer: trust certificate file
● If the identity certificate is in .p12 format, obtain the following certificate files and
  password for the private key of the identity certificate file. The format and name of the
  certificate and private key files must be consistent with the following, and only lowercase
  letters are allowed in the file name.
  server.p12: identity certificate file
  trust.cer: trust certificate file
Item: Password complexity of the private key file
Requirements:
● Contain 10 to 32 characters.
● Be a combination of the following four types of characters:
  – Uppercase letters
  – Lowercase letters
  – Digits
  – Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
● Not contain double quotation marks (") and single quotation marks (') at the same time.
● Contain less than three consecutive identical characters.
● Contain less than four identical characters.
● Be different from the password for the old certificate.
● To prevent the initial password for the new ER certificate from being
  tampered with, you are advised to change the initial password for the new ER
  certificate. The new ER certificate password must meet the following
  password complexity requirements:
  – Contain 10 to 32 characters.
  – Be a combination of the following four types of characters:
    ▪ Uppercase letters
    ▪ Lowercase letters
    ▪ Digits
    ▪ Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
  – Not contain double quotation marks (") and single quotation marks (') at
    the same time.
  – Contain less than three consecutive identical characters.
  – Contain less than four identical characters.
  – Be different from the old password of the new certificate.
● The path for storing the ER certificate is as follows:
  – On the management node, the certificate is stored in the
    /opt/oss/manager/etc/ssl/er directory.
  – On the product nodes, the certificate is stored in the
    /opt/oss/NetEco/etc/ssl/er directory.
● The files related to the ER certificate are as follows:
  – cert_pwd: file that stores the encrypted password for the identity
    certificate
  – manifest.json: certificate configuration file
  – server.cer: identity certificate file
  – server_chain.cer: certificate chain file
  – server.p12: identity certificate file in .p12 format
  – server_key.pem: private key to the identity certificate file
  – trust.cer: trust certificate file
  – trust.jks: trust certificate file in .jks format
  If the identity certificate is in .cer format, the PowerEcho automatically
  generates the manifest.json, server.p12, and trust.jks files when the ER
  certificate is updated. If the identity certificate is in .p12 format, the
  PowerEcho automatically generates the manifest.json, server.cer, and
  trust.jks files.
Precautions
●
If the private key of a certificate is disclosed, you can update the certificate
revocation list (CRL) when updating the certificate to prevent unauthorized
operations. This improves system security.
●
During the ER certificate update of the PowerEcho, the ER service of the
PowerEcho is automatically restarted for the update to take effect and you cannot
operate in the PowerEcho during the restart. You are advised to refresh the
page after about 3 minutes and log in again.
●
During the ER certificate update of the NetEco, the ER service of the NetEco is
automatically restarted for the update to take effect.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update ER
Certificate from the main menu.
Step 2 On the Update ER Certificate page, perform operations as prompted.
Step 3 Back up the PowerEcho and product. This is because after the update is successful,
all historical backup data has become invalid. For details, see 1.11.6 Backing Up
the PowerEcho and 1.11.5 Backing Up Products.
----End
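The file and password prerequisites above can be checked before the upload. The following is an added example, not code from the guide or from Huawei: the function names are hypothetical, the sample keys are constructed placeholders, and it assumes that "a combination of the four types" means all four are required and that characters outside them are rejected.

```python
import re
import string

# Special characters exactly as listed in the guide's password rules.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[]^`{_|}~")
# File sets named in the ER certificate prerequisites.
CER_BUNDLE = {"server.cer", "server_key.pem", "trust.cer"}
P12_BUNDLE = {"server.p12", "trust.cer"}

# Constructed samples: PEM framing only, the body is placeholder text, not a key.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==
-----END RSA PRIVATE KEY-----
"""


def password_problems(password, old_password=None):
    """Return the guide rules the password breaks (empty list means it passes)."""
    problems = []
    if not 10 <= len(password) <= 32:
        problems.append("length must be 10 to 32 characters")
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "digit": string.digits,
        "special character": SPECIALS,
    }
    # Assumption: "a combination of the four types" means all four are required.
    for name, members in classes.items():
        if not any(c in members for c in password):
            problems.append("missing " + name)
    # Assumption: characters outside the four listed types are rejected.
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    if any(c not in allowed for c in password):
        problems.append("contains a character outside the four listed types")
    if '"' in password and "'" in password:
        problems.append("contains both double and single quotation marks")
    # "Less than three consecutive identical characters": longest run is 2.
    if re.search(r"(.)\1\1", password, flags=re.DOTALL):
        problems.append("three or more consecutive identical characters")
    # "Less than four identical characters": no character occurs 4 or more times.
    if any(password.count(c) >= 4 for c in set(password)):
        problems.append("a character occurs four or more times")
    if old_password is not None and password == old_password:
        problems.append("same as the old certificate password")
    return problems


def key_encryption(pem_text):
    """Classify a PEM private key as (encrypted, cipher).

    cipher is the DEK-Info algorithm of a traditional OpenSSL PEM key. It is
    None for PKCS#8, where the algorithm is inside the ASN.1 body.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True, None
    block = re.search(
        r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----(.*?)-----END",
        pem_text, re.DOTALL)
    if not block:
        raise ValueError("no PEM private key block found")
    headers = block.group(1)
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", headers, re.MULTILINE):
        dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),", headers, re.MULTILINE)
        return True, dek.group(1) if dek else None
    return False, None


def bundle_problems(file_names):
    """Check file names against the two upload sets the guide allows."""
    names = set(file_names)
    problems = [n + ": only lowercase letters are allowed in the file name"
                for n in sorted(names) if n != n.lower()]
    if names not in (CER_BUNDLE, P12_BUNDLE):
        problems.append("expected " + ", ".join(sorted(CER_BUNDLE))
                        + " or " + ", ".join(sorted(P12_BUNDLE)))
    return problems


if __name__ == "__main__":
    print(password_problems("Zx7#Qm2!Lp9v"))
    print(password_problems("Aa1!Aa1!Aa1!Aa1!"))
    print(key_encryption(SAMPLE_ENCRYPTED_KEY), key_encryption(SAMPLE_PLAIN_KEY))
    print(bundle_problems(["Server.p12", "trust.cer"]))
```

A key that reports `(False, None)` is the plaintext case the prerequisites say causes the certificate replacement to fail.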
1.16.4 Uploading and Updating CA Certificates
After you have applied for and obtained a new CA certificate, you can update the
CA certificate generated during the installation by uploading the new CA
certificate. To prevent security risks caused by expired certificates, you are advised
to periodically update certificates.
Prerequisites
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
You have obtained the password for the ossadm user of the management
node.
●
You have obtained the following certificate files and the password for the
private key file ca_key.pem:
–
ca.cer: identity certificate file of the root certificate
–
ca_key.pem: private key of the identity certificate file of the root
certificate
The password for the CA certificate private key must meet the following
requirements:
–
Contain 10 to 32 characters.
–
Be a combination of the following four types of characters:
▪
Uppercase letters
▪
Lowercase letters
▪
Digits
▪
Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
–
Not contain double quotation marks (") and single quotation marks (') at
the same time.
–
Contain less than three consecutive identical characters.
–
Contain less than four identical characters.
Context
●
Table 1-58 lists the certificate application requirements.
Table 1-58 Certificate requirements
Item: Certificate signature algorithm
Requirements: Use industry-leading security algorithms, such as sha256WithRSAEncryption.
Item: Length of the public and private keys
Requirements: For the RSA encryption algorithms, the recommended length is 3072 bits or longer.
Item: Certificate validity period
Requirements: Set this parameter based on the customer's IT security management requirements.
Item: Extended certificate attributes
Requirements: The X509v3 Basic Constraints attribute is mandatory and its value is CA:TRUE.
Item: Certificate storage format
Requirements:
NOTE
The certificate in .cer format must be encoded using Base64. The file name extension can
be .cer, .pem, or .crt.
● ca.cer: identity certificate file of the root certificate
● ca_key.pem: private key of the identity certificate file of the root certificate
Item: Password complexity of the private key file
Requirements:
● Contain 10 to 32 characters.
● Be a combination of the following four types of characters:
  – Uppercase letters
  – Lowercase letters
  – Digits
  – Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
● Not contain double quotation marks (") and single quotation marks (') at the same time.
● Contain less than three consecutive identical characters.
● Contain less than four identical characters.
●
CA certificates are stored in the /opt/oss/manager/var/ca directory on the
management node.
●
The CA certificate contains the following files:
–
ca.cer: identity certificate file of the root certificate
–
ca_key.pem: private key of the identity certificate of the root certificate
–
manifest.json: certificate configuration file
–
server.conf: certificate configuration file
When the CA certificate is updated, the manifest.json file is automatically
generated.
Precautions
●
IR certificates are authenticated by the CA certificate of the management
node. After the CA certificate is updated, the IR certificates are reauthenticated, that is, the IR certificates of all nodes are automatically
updated when the CA certificate is updated.
●
When the CA certificate is updated, the system automatically backs up the CA
certificate and IR certificates to the /tmp/cert/CA and /tmp/cert/internal
directories respectively on the management node. After the update is
successful, the backup certificates are automatically deleted.
●
During the CA certificate update, all services on the nodes of the PowerEcho
and the NetEco are automatically restarted for the update to take effect, and
you cannot log in to the PowerEcho and the NetEco during the restart. You
are advised to perform this operation in off-peak hours.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update CA
Certificate from the main menu.
Step 2 On the Update CA Certificate page, configure the parameters based on Table
1-59 and click Update.
Table 1-59 Parameter description
Parameter: Scenario
Description: Select Local.
Parameter: OS username
Description: Retain the default value ossadm.
Parameter: OS user password
Description: Enter the password for the OS user ossadm.
Parameter: CA certificate
Description: Select the certificate file ca.cer you have obtained.
Parameter: CA certificate private key
Description: Select the private key file ca_key.pem you have obtained.
Parameter: Private key password
Description: Enter the password for the private key file ca_key.pem you have obtained.
Step 3 Check the task execution result.
1.
Log in to the PowerEcho.
If the login fails, the CA certificate fails to be updated. Restore the CA
certificate by referring to 1.24.10 Restoring the CA Certificates That Failed
to Be Updated, and then contact Huawei technical support engineers.
NOTE
All services are updated during the CA certificate update. You cannot log in to the
PowerEcho during the restart of the PowerEcho service.
2.
On the PowerEcho, choose System > Task List from the main menu.
3.
On the Task List page, check the execution result of the task for updating the
CA certificate.
–
If the task details indicate that the CA certificate is updated successfully,
go to Step 4.
–
If the task details indicate that the IR certificates fail to be updated,
restore the IR certificates of the failed nodes by referring to 1.24.11
Updating IR Certificates on the Product Nodes Failed When CA
Certificates Are Being Updated. Then, go to Step 4.
Step 4 Back up the application and data of the PowerEcho, database applications,
product applications, and product data. For details, see 1.11.6.1 Manually
Backing Up the Application and Data of the PowerEcho and 1.11.5 Backing Up
Products.
----End
1.16.5 Updating IR Certificates
IR certificates are certificates in the trust domain which are used for two-way
authentication during internal communication. The IR certificates are dynamically
generated by the CA certificate when the PowerEcho and the NetEco are installed,
and you can update the IR certificates generated during the installation. To
prevent security risks caused by expired certificates, you are advised to periodically
update certificates.
Prerequisites
You have obtained the password for the ossadm user on the management node.
Context
●
On the management node, the IR certificates are stored in the
/opt/oss/manager/etc/ssl/internal directory.
●
On the product nodes, the IR certificates are stored in
the /opt/oss/SOP/etc/ssl/internal directory.
●
The files related to the IR certificate are as follows:
–
cert_pwd: file that stores the encrypted password for the identity
certificate
–
manifest.json: certificate configuration file
–
server.cer: identity certificate
–
server_key_crypto.pem: private key to the identity certificate
–
server.p12: identity certificate in .p12 format
–
server_key.pem: private key to the identity certificate file
–
trust.cer: trust certificate
–
trust.jks: trust certificate in .jks format
Precautions
●
When IR certificates are updated, the IR certificates of all nodes where the
PowerEcho and the NetEco reside are also updated.
●
During the IR certificate update, the system automatically backs up the old IR
certificates to the /opt/oss/manager/var/tmp/internal_<random code>
directory on the management node, for example,
/opt/oss/manager/var/tmp/internal_101011111. After the certificate is updated, the
directory is automatically deleted.
●
Services on all nodes where the PowerEcho and the NetEco reside are
automatically restarted so that the certificates can take effect after the
update. You are advised to perform this operation in off-peak hours.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
NOTE
● If the PowerEcho is deployed in cluster mode, perform operations on Management0. For
details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the IP
Address of a Node?
● It takes a long time to update the IR certificate, so PuTTY may be disconnected due to
timeout. Configure PuTTY to prevent it from being disconnected. For details, see 1.23.19
How Do I Prevent PuTTY from Being Disconnected upon Timeout?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to update the IR certificates:
> cd /opt/oss/manager/apps/UniEPService/tools/common
> bash updatecertificate.sh -certtype internal
The following information is displayed:
Replacing the certificate will interrupt services. Are you sure you want to continue? (y/n)
Step 4 Enter y and press Enter.
The system automatically stops the services, updates the IR certificates of all the
nodes, and then starts the services.
●
If the following information is displayed, the IR certificates are updated
successfully. Go to Step 5.
Certificates replaced successfully.
●
If other information is displayed, the IR certificates fail to be updated. Restore
the IR certificates, and then contact Huawei technical support.
Step 5 Back up the PowerEcho and product. This is because after the update is successful,
all historical backup data has become invalid. For details, see 1.11.6 Backing Up
the PowerEcho and 1.11.5 Backing Up Products.
----End
1.16.6 Uploading and Updating the Trust Certificate of the
Syslog Server (the PowerEcho)
If logs of the PowerEcho are forwarded over TLS, certificate authentication is
required for the secure communication between the PowerEcho and the Syslog
server. If the trust certificate of the PowerEcho is about to expire or the Syslog
server trusts a new trust certificate, you can upload and update the trust
certificate of the Syslog server to ensure normal communication between the
PowerEcho and the Syslog server. To prevent security risks caused by expired
certificates, you are advised to periodically update certificates.
Prerequisites
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
●
You have obtained the trust certificate in .cer or .p12 format issued by the CA
and corresponding certificate files. The format and name of the certificate
and private key files must be consistent with the following. Only lowercase
letters are allowed in the file name.
The CA must be a CA trusted by the Syslog server or a subordinate CA of the
trusted CA.
–
If the identity certificate is in .cer format, obtain the following certificate
files and password for the private key to the identity certificate file:
server.cer: identity certificate file
server_key.pem: private key to the identity certificate file
trust.cer: trust certificate file
–
If the identity certificate is in .p12 format, obtain the following certificate
files, password and store password for the private key to the identity
certificate file:
server.p12: identity certificate file
trust.jks: trust certificate file
Context
Table 1-60 lists the certificate application requirements.
Table 1-60 Certificate requirements
Item: Certificate signature algorithm
Requirements: Use industry-leading security algorithms, such as sha256WithRSAEncryption.
Item: Length of the public and private keys
Requirements: For the RSA encryption algorithms, the recommended length is 3072 bits or longer.
Item: Certificate validity period
Requirements: Set this parameter based on the customer's IT security management requirements.
Item: Certificate storage format
Requirements:
NOTE
● The certificate in .cer format must be encoded using Base64. The file name extension can
  be .cer, .pem, or .crt.
● The trust certificate (trust.cer) contains the trusted root certificate and intermediate CA
  certificate. The root certificate must be placed at the beginning.
● If the identity certificate is in .cer format, obtain the following certificate files and
  password for the private key of the identity certificate file. The format and name of the
  certificate and private key files must be consistent with the following, and only
  lowercase letters are allowed in the file name.
  server.cer: identity certificate file
  server_key.pem: private key of the identity certificate. The private key must be
  encrypted using the AES-128-CBC algorithm. If the private key is not encrypted, encrypt
  it by referring to 1.24.4 Encrypting the Private Key of the Signature Certificate (the
  PowerEcho).
  trust.cer: trust certificate file
● If the identity certificate is in .p12 format, obtain the following certificate files and
  password for the private key of the identity certificate file. The format and name of the
  certificate and private key files must be consistent with the following, and only
  lowercase letters are allowed in the file name.
  server.p12: identity certificate file
  trust.jks: trust certificate file
Item: Password complexity of the private key file
Requirements:
● Contain 10 to 32 characters.
● Be a combination of the following four types of characters:
  – Uppercase letters
  – Lowercase letters
  – Digits
  – Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
● Not contain double quotation marks (") and single quotation marks (') at the same time.
● Contain less than three consecutive identical characters.
● Contain less than four identical characters.
Precautions
During the certificate update, services are automatically restarted for the update
to take effect and you cannot log in to the PowerEcho during the restart. You are
advised to perform this operation in off-peak hours.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update Syslog
Certificate from the main menu.
Step 2 On the Update Syslog Certificate page, perform operations as prompted.
Step 3 If the Syslog server uses an insecure encryption algorithm, perform the following
operations:
1.
Use PuTTY to log in to the management node as the sopuser user in SSH
mode.
NOTE
If the PowerEcho is deployed in cluster mode, log in to Management0 and then
Management1 to perform operations. For details about how to obtain the IP address
of a node, see 1.23.4 How Do I Query the IP Address of a Node?
2.
Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
3.
Run the following commands to modify the configuration file
ssl.client.properties. Skip this step if the Syslog server uses a secure
encryption algorithm.
NOTICE
For security purposes, you are advised to use the Syslog server with a secure
encryption algorithm and use secure protocols for data transfer.
$ cd /opt/share/oss/manager/MCCommonService/etc
$ vi ssl.client.properties
Change ssl.protocols=TLSv1.2 to ssl.protocols=TLSv1.1, and add the insecure
encryption algorithms, for example, TLS_RSA_WITH_AES_256_CBC_SHA256, to
ssl.ciphers. The file content is as follows:
ssl.protocols=TLSv1.1
ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256
After the modification, press Esc and run the :wq! command to save the file
and exit the vi editor.
4.
If the Syslog server uses SSLv3, create the sm.java.property file to enable
SSLv3. Skip this step if SSLv3 is not used.
NOTE
For security purposes, you are advised to use the Syslog server that supports TLSv1.1
or later for data transfer.
Create an sm.java.property file on the local PC.
jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Refer to Step 3.3 to change ssl.protocols=TLSv1.2 in the ssl.client.properties
file to ssl.protocols=SSLv3.
Use FileZilla to upload the modified sm.java.property file to the
/opt/share/oss/manager/MCCommonService/etc directory, as the ossadm user.
Use PuTTY to set the file permission, as the ossadm user:
chmod 600 /opt/share/oss/manager/MCCommonService/etc/sm.java.property
5.
Run the following commands to restart the log forwarding service:
$ cd /opt/oss/manager/agent/bin
$ . engr_profile.sh
$ ipmc_adm -cmd restartapp -tenant manager -app MCCommonService
If success is displayed for all command outputs, the log forwarding service
has been restarted. Otherwise, contact Huawei technical support.
----End
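The protocol and cipher changes in Step 3 weaken the log forwarding channel, so it is worth being able to spot them on a node later. The following audit is an added example, not code from the guide or from Huawei: the function names and sample file contents are constructed, and treating only TLSv1.2 and TLSv1.3 as acceptable is an assumption based on the shipped value ssl.protocols=TLSv1.2.

```python
import re

# Assumption: protocol names accepted without a finding. TLSv1.2 is the value
# the guide shows as shipped; TLSv1.3 is the newer JSSE protocol name.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Cipher suite name components treated as weak; several of them also appear in
# the jdk.tls.disabledAlgorithms line quoted in the guide.
WEAK_PARTS = {"NULL", "anon", "RC4", "DES", "3DES", "MD5", "EXPORT"}

# Constructed sample: ssl.client.properties after the Step 3 change (list shortened).
DOWNGRADED_CLIENT = r"""
# log forwarding TLS client settings
ssl.protocols=TLSv1.1
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
    TLS_RSA_WITH_AES_256_CBC_SHA256
"""
# Constructed sample: the same file with the shipped protocol value.
SHIPPED_CLIENT = """
ssl.protocols=TLSv1.2
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
"""
# The sm.java.property content from Step 3.4, written on one line.
SSLV3_OVERRIDE = ("jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, "
                  "DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n")


def parse_properties(text):
    """Parse the subset of Java .properties syntax these files use:
    '#' and '!' comments, key=value or key:value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def split_list(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_tls_client(client_text, jvm_override_text=None):
    """Return (kind, item, reason) findings for a weakened TLS client config."""
    findings = []
    props = parse_properties(client_text)
    for proto in split_list(props.get("ssl.protocols", "")):
        if proto not in ACCEPTED_PROTOCOLS:
            findings.append(("protocol", proto, "not TLSv1.2 or later"))
    for suite in split_list(props.get("ssl.ciphers", "")):
        if suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):
            findings.append(
                ("cipher", suite, "static RSA key exchange, no forward secrecy"))
        weak = sorted(WEAK_PARTS.intersection(suite.split("_")))
        if weak:
            findings.append(("cipher", suite, "weak component: " + ", ".join(weak)))
    if jvm_override_text is not None:
        # An override that redefines the list without SSLv3 re-enables SSLv3.
        value = parse_properties(jvm_override_text).get("jdk.tls.disabledAlgorithms")
        if value is not None and "SSLv3" not in split_list(value):
            findings.append(("jvm", "jdk.tls.disabledAlgorithms",
                             "SSLv3 is not in the disabled list"))
    return findings


if __name__ == "__main__":
    for finding in audit_tls_client(DOWNGRADED_CLIENT, SSLV3_OVERRIDE):
        print(finding)
    print(audit_tls_client(SHIPPED_CLIENT))
```

Any finding on a node where the Syslog server has since been upgraded is a sign that the Step 3 workaround was left in place.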
1.16.7 Updating the Certificate of User Management
When you log in to the PowerEcho web client, the PowerEcho uses the user
management certificates to verify your identity. Huawei certificates have been
preconfigured when the PowerEcho is installed. The certificates are used only for
commissioning. You need to replace the certificates with new ones to improve the
security of the PowerEcho. To prevent security risks caused by expired certificates,
you are advised to periodically update certificates.
Prerequisites
●
You have obtained the passwords of the following certificate files and identity
certificate private keys. The format and name of the certificate and private
key files must be consistent with the following, and only lowercase letters are
allowed in the file name.
–
signing_cert.pem: identity certificate of user management
–
ca.pem: trust certificate of user management
–
signing_key.pem: private key of the identity certificate of user
management. The private key must be encrypted using the AES-128-CBC
algorithm. If the private key is not encrypted, encrypt it by referring to
1.24.4 Encrypting the Private Key of the Signature Certificate (the
PowerEcho).
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● It is recommended that the storage password or password for the private key
  of the identity certificate meets the following requirements:
  – Contain 10 to 32 characters.
  – Be a combination of the following four types of characters:
    ▪ Uppercase letters
    ▪ Lowercase letters
    ▪ Digits
    ▪ Special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
  – Not contain double quotation marks (") and single quotation marks (') at
    the same time.
  – Contain less than three consecutive identical characters.
  – Contain less than four identical characters.
  – Be different from the password for the old certificate.
● The user management certificates are stored in the
  /opt/share/oss/manager/MCCommonService/etc/certificate directory on the management node.
Precautions
Services are automatically restarted so that the certificate can take effect after the
update, and you cannot log in to the PowerEcho during the restart. You are
advised to perform this operation in off-peak hours.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update User
Management Certificate from the main menu.
Step 2 On the Update User Management Certificate page, perform operations as
prompted.
Step 3 Back up the PowerEcho and product. This is because after the update is successful,
all historical backup files have become invalid. For details, see 1.11.6 Backing Up
the PowerEcho and 1.11.5 Backing Up Products.
----End
1.16.8 Updating Certificate Revocation Lists
If the private key of a certificate is disclosed, you need to update the CRL in a
timely manner to prevent unauthorized operations. For security purposes, you
need to update the CRL periodically. If you have obtained the CRL file, you can
upload it to update the CRL.
Prerequisites
●
You have obtained the latest CRL file crl.pem.
●
You have uploaded new certificate files to update the certificate (ER
certificate or Syslog certificate), and have uploaded the CRL corresponding to
the certificate with disclosed private key. For details about how to update the
certificate, see the corresponding certificate update section.
●
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
● Only CRLs of ER certificates and Syslog certificates can be updated.
● During CRL update, all services on the nodes of the PowerEcho and the
  NetEco are automatically restarted for the update to take effect. You cannot
  log in to the PowerEcho and the NetEco during the restart. You are advised to
  perform this operation in off-peak hours.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update Certificate
Revocation List from the main menu.
Step 2 On the Update Certificate Revocation List page, perform operations as
prompted.
----End
1.16.9 Updating the Certificate of LDAP
The LDAP certificate is used to guarantee data security during communication. To
improve data security and prevent certificate expiration, you are advised to update
this certificate periodically, for example, every three months.
Prerequisites
You have logged in to NetEco as the system administrator.
Precautions
●
When configuring LDAP authentication, you are advised to use a secure
connection such as TLS to ensure security of communication data. If Enable
TLS is selected, you need to configure the LDAP certificates.
●
For data security during communication, you are advised to use TLS v1.2 or
later.
Procedure
Step 1 Choose Security > System Security > Security Settings.
Step 2 In the navigation pane, choose Remote Authentication Configuration.
Step 3 On the Remote Authentication Configuration page, click LDAP Authentication.
Step 4 Click Enable TLS, and select the required protocol version and certificate type.
Step 5 Upload the certificate based on the value of Certificate type you set.
●
If Certificate type is set to JKS,P12, upload the corresponding root certificate
and identity certificate, and enter their passwords respectively.
●
If Certificate type is set to CER,DER,PEM,PVK, upload the corresponding root
certificate and identity certificate.
NOTE
● If the CA has issued a CRL, you are advised to upload the CRL in a timely manner to
ensure secure interconnection with the LDAP server.
● If Enable TLS is selected and Certificate type is set to JKS,P12, obtain the following
certificates:
–
Root certificate (trust certificate with the .jks file name extension) and password of
the LDAP server
–
Identity certificate (with the .p12 file name extension) and password of NetEco, if
two-way authentication is enabled on the LDAP server
● If Enable TLS is selected and Certificate type is set to CER,DER,PEM,PVK, obtain the
following certificates:
–
Root certificate (that is, the trust certificate with the name extension .cer, .der,
or .pem) of the third-party LDAP server
–
Identity certificate (with the .cer, .der, or .pem file name extension) and password
of NetEco, if two-way authentication is enabled on the LDAP server
–
Private key file and password of the LDAP server if two-way authentication is
enabled on the LDAP server
Step 6 Click Test. In the Test Connection dialog box, enter User name and Password of
the remote user on the LDAP server.
●
If "Test successful." is displayed, interconnection between the system server
and LDAP server is successful.
●
If the connection test fails, a failure message is displayed. Check whether the
LDAP server is correctly configured and try again until the interconnection is
successful.
Step 7 Click Apply for the LDAP authentication settings to take effect.
----End
1.16.10 Updating the CAS SSO Client Trust Certificate
When configuring the CAS SSO client, you need to upload the trust certificate of
the SSO server to the SSO client. Otherwise, users cannot log in to the system. For
security purposes and to prevent security risks caused by certificate expiration, you
need to update the certificate periodically.
Prerequisites
● You have obtained the CAS SSO server trust certificate. Table 1-61 lists the
certificate requirements.
● You have logged in to the PowerEcho as the admin user. For details, see 1.1.2
Logging In to the PowerEcho.
Context
Table 1-61 lists the requirements for the obtained certificates.
Table 1-61 Certificate requirements
| Item | Requirements |
|---|---|
| Certificate signature algorithm | Use industry-leading security algorithms, such as sha256WithRSAEncryption. |
| Length of the public and private keys | For the RSA encryption algorithms, the recommended length is 3072 bits or longer. |
| Certificate validity period | Set this parameter based on the customer's IT security management requirements. |
| Certificate storage format | trust.cer: trust certificate of the SSO server. NOTE: The certificate in CER format must be encoded using Base64. |
Precautions
When the CAS SSO client trust certificate is updated, the service of the PowerEcho
is automatically restarted for the update to take effect. You cannot log in to the
PowerEcho during the restart. You are advised to perform this operation in off-peak hours.
Procedure
Step 1 On the PowerEcho, choose System > Certificate and Key > Update SSO Client
Trust Certificate from the main menu.
Step 2 On the Update SSO Client Trust Certificate page, perform operations as
prompted.
----End
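As an added example (not part of the guide and not Huawei tooling), the following POSIX shell functions check a certificate against the Table 1-61 requirements before it is uploaded. The function names and the abridged `openssl x509 -noout -text` sample output are constructed for illustration; treating MD2, MD4, MD5 and SHA-1 signatures as failing the signature-algorithm requirement is an assumption, since the table names only sha256WithRSAEncryption as an example.

```shell
#!/bin/sh
# Added example (not NetEco tooling): pre-upload checks for Table 1-61.
# Typical use on a host with OpenSSL installed:
#   is_base64_cer trust.cer && openssl x509 -in trust.cer -noout -text | check_cert_text

# is_base64_cer FILE: succeed only if FILE carries a Base64 (PEM) encoded
# certificate. A binary DER file saved with a .cer extension fails.
is_base64_cer() {
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# check_cert_text: read "openssl x509 -noout -text" output on stdin and print
# one "FINDING ..." line per requirement that is not met (nothing if all pass).
check_cert_text() {
    text=$(cat)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    alg=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
    # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    # Assumption: MD2/MD4/MD5/SHA-1 based signatures do not meet the table.
    case $(printf '%s' "$sig" | tr '[:upper:]' '[:lower:]') in
        '') echo "FINDING signature algorithm not found" ;;
        *md2* | *md4* | *md5* | *sha1*)
            echo "FINDING weak signature algorithm: $sig" ;;
    esac

    # The key-length recommendation in Table 1-61 applies to RSA keys.
    if [ "$alg" = "rsaEncryption" ]; then
        if [ -z "$bits" ]; then
            echo "FINDING RSA key length not found"
        elif [ "$bits" -lt 3072 ]; then
            echo "FINDING RSA key is $bits bits; Table 1-61 recommends 3072 or longer"
        fi
    fi
    return 0
}

# Constructed, abridged "openssl x509 -noout -text" output: compliant case.
sample_compliant_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example SSO CA
        Subject: CN = sso.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (3072 bit)
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Constructed, abridged output: SHA-1 signature and a 2048-bit RSA key.
sample_weak_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Legacy CA
        Subject: CN = sso-old.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Demo on the two constructed samples.
echo "compliant sample:"
sample_compliant_text | check_cert_text
echo "weak sample:"
sample_weak_text | check_cert_text
```

The validity period is not checked here because Table 1-61 leaves it to the customer's own IT security management requirements.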
1.16.11 Updating Mail Server Certificate for Notifications
The notifications feature provides the function of sending notifications by email.
When O&M personnel need to be notified by email, you need to set email
notification parameters and verify the settings to ensure that the emails can be
sent properly.
Prerequisites
● You have logged in to the NetEco as a user which has the Email Server
Settings permission.
● The interconnected mail server supports Simple Mail Transfer Protocol
(SMTP).
● You have obtained the server information from the SMTP server administrator,
such as the domain name or IP address, port number, whether identity
authentication is required, username, and user password.
● The physical IP addresses of all nodes where the notifications service
(HomePageNoticeService) is deployed are routable to the mail server.
● The SMTP port is available.
– In common connection mode, port 25 is used.
– In TLS connection mode, port 587 is used.
– In SSL connection mode, port 465 is used.
● The node where notifications service resides can access the mail server.
● For data transmission security purpose, use TLSv1.2 by default when
configuring the mail server.
● To send notifications to relevant personnel, you need to enter their personal
information, such as mobile numbers and email addresses. You are obligated
to take considerable measures, in compliance with the laws of the countries
concerned and the user privacy policies of your company, to ensure that users'
personal data is fully protected.
● For security purposes, personal data such as mobile numbers and email
addresses are anonymized on the GUI and encrypted during transmission.
Context
Procedure
Step 1 Choose System > System Settings > Notifications.
Step 2 In the navigation pane, choose Email Server Settings and set the SMTP server
domain name or IP address, email address for sending notifications, code, and port
number. For details about the parameters, see Table 1-62.
Table 1-62 Email parameters
| Parameter | Description | Example |
|---|---|---|
| SMTP server domain name/IP address | Domain name or IP address of the SMTP server. | 10.1.1.1 |
| Sender email address | Sender email address displayed when email notifications are sent. The email address must be complete and registered on the interconnected SMTP-based mail server. Otherwise, the email fails to be sent. Recipients can view the email address when receiving the email. You are not advised to use a private email address to send notifications. | s@example.com |
| Charset | Encoding format of the email server. The default value is UTF-8. | UTF-8 |
| Enable secure connection over SMTP (Applies when an email server certificate for SMTP server is already installed. TLS is recommended.) | ● When secure connections are required, if TLS is selected, the default server port is 587 and the default protocol version is TLSv1.2. If SSL is selected, the default server port is 465 and the default protocol version is SSLv3. SSLv3 is an insecure protocol. You are advised to use the default TLS for secure connection. To ensure that emails are sent successfully, check that the email server port is available and the configuration certificate is valid. ● When secure connections are not required, the default SMTP port is 25. To ensure that emails are sent successfully, check that the email server port is available. | TLS |
| Server port | Port on the SMTP server. | 25 |
| Require identity authentication for the SMTP server | Whether the SMTP email server authenticates the user identity before sending an email, which needs to be obtained from the mail server administrator. If the SMTP server requires user identity verification, obtain the username and password from the administrator. NOTE: Select the check box only if the SMTP mail server requires identity verification. If the SMTP mail server does not require identity verification, clear the Requires identity authentication for the SMTP server check box. Otherwise, the email fails to be sent. | - |
| User name | Name of the user for logging in to the SMTP server. This username must be the same as that of Sender email address. NOTE: This parameter is mandatory if Requires identity authentication for the SMTP server is selected. Private usernames are not recommended. | test123 |
| Password | If no authorization code is available for logging in to the SMTP email server, set this parameter to the password of Sender email address. Otherwise, set this parameter to the authorization code for logging in to the SMTP email server. NOTE: This parameter is mandatory if Requires identity authentication for the SMTP server is selected. | - |
| Customized email subject | You can add a prefix or suffix to the email subject as required. By default, this parameter is left blank. | - |
| Customized email signature | You can add a signature to the email as required. By default, this parameter is left blank. | - |
| Enabled | By default, Yes is selected. If No is selected, the configuration cannot be used and emails cannot be sent. | Yes |
Step 3 (Optional) If Enable secure connection over SMTP (Applies when an email
server certificate for SMTP server is already installed. TLS is recommended.) is
selected, select TLS or SSL, and configure a certificate and CRL. For data security
purposes, TLS is recommended.
● Configuring certificates
a. Obtain a mail server SSL/TLS certificate and save it to your local PC.
NOTE
▪ For details about how to obtain a mailbox server certificate, see FAQ.
▪ The certificate is used for two-way authentication between the system and
the mail server. The system and the mail server communicate with each other
only if both trust the certificate.
▪ For security purposes, the notifications feature supports the email server
certificate generated using the following signature algorithms by default:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
b. Press win+R to open the Run dialog box. Enter CMD and click OK.
c. Run the following command to go to the keytool directory:
cd /d Keytool directory
NOTE
▪ Keytool is stored in JDK installation directory\bin.
▪ Keytool is a Java runtime environment (JRE) command. Make sure that the
JRE has been installed on your local PC.
d. In the command window that is displayed, run the following command to
convert the certificate format and encrypt the keystore:
keytool -import -file path for saving the original certificate\name of the original certificate -keystore path for saving the converted certificate\name of the converted certificate
Enter keystore Password:
Reenter New Password:
After the conversion, the name extension of the certificate must be
keystore. Record the password to be used for importing the certificate.
NOTE
The user-defined keystore password must contain 6 to 32 characters. For security
purposes, the password must meet the following requirements:
▪ Contains at least one uppercase letter, one lowercase letter, and one digit.
▪ Contains at least one special character (!"# $%&'()*+,-./:;<=>?@[\]^`{_|}~ and
spaces).
▪ Cannot be the username or the username spelled backwards.
e. Click Configure Certificate.
f. In the Configure Certificate dialog box, click the icon next to Certificate file
and select a converted certificate.
g. Set Certificate password to the keystore password set in 4.
h. Click Save.
● Configure a CRL.
a. Obtain the latest CRL from the certificate authority (CA) and save the
CRL to your local PC.
b. Click Configure CRL.
c. In the Configure CRL dialog box, click the icon next to CRL file and select a
CRL.
d. Click Save.
Step 4 Click Test to check whether the system is properly interconnected with the mail
server.
● If "Test succeeded" is displayed, they are properly connected. The received
emails are in English.
● If the test fails, rectify the fault based on the error information.
Step 5 Click Apply. In the Warning dialog box, click OK.
NOTE
If you click only Test, the interconnection status between the system and the mail server
is tested but the entered parameter values are not stored in the database. The entered
parameter values are stored in the database only after you click Apply.
----End
Follow-up Procedure
After interconnecting with the SMTP server, the system sends notifications in the
form of emails to relevant personnel through the SMTP server.
1.16.12 Managing CAS SSO Certificates
SSO is an access control mechanism used for multiple associated but independent
software systems. By configuring CAS SSO, you can log in once using your
username and password and gain access to all NetEco systems, instead of
entering the username and password at each login.
1.16.12.1 Obtaining the CAS SSO Trust Certificate
Before configuring information on CAS SSO clients, obtain the trust certificate of
the CAS SSO server and import it to the CAS SSO client. Otherwise, logins will fail.
Prerequisites
You have obtained the passwords for the sopuser and ossuser users for logging in
to the node where Basic resides.
Procedure
Step 1 Use PuTTY to log in to the node where Basic resides, as the sopuser user in SSH
mode. For details about how to obtain the IP address of the node where a service
resides, see 1.23.2 How Do I Query the IP Address of the Node Where a Service
Resides?
Step 2 Run the following command to switch to the ossuser user:
$ su - ossuser
Password: password for the ossuser user
Step 3 Run the following commands to check whether the origintrust.cer certificate file
exists and copy the trust certificate:
$ cd /opt/oss/NetEco/etc/ssl/er/
$ ll
● If the origintrust.cer file exists:
$ cp /opt/oss/NetEco/etc/ssl/er/origintrust.cer /home/ossuser/trust.cer
● If the origintrust.cer file does not exist:
$ cp /opt/oss/NetEco/etc/ssl/er/trust.cer /home/ossuser/trust.cer
Step 4 Run the following command to change the permissions of the trust.cer file:
$ chmod 640 /home/ossuser/trust.cer
Step 5 Run the following command to copy the SSO trust certificate file to the
/home/sopuser directory:
$ exit
$ cp /home/ossuser/trust.cer /home/sopuser/
Step 6 Use FileZilla to log in to the node where Basic resides, as the sopuser user in SFTP
mode. Download the trust.cer file in the /home/sopuser directory. For details, see
1.24.2 Transferring Files Using FileZilla.
Step 7 Use PuTTY to delete temporary files as the sopuser user:
$ cd /home/sopuser
$ rm -rf trust.cer
Step 8 Run the following command to switch to the ossuser user and delete the
temporary file:
$ su - ossuser
Password: password for the ossuser user
$ cd /home/ossuser
$ rm -rf trust.cer
----End
1.16.12.2 Importing the CAS SSO Trust Certificate
The single sign-on (SSO) trust certificate is used for proper SSO login. Before
configuring CAS SSO, import the SSO trust certificate to the SSO server. Otherwise,
logins will fail.
NOTICE
Importing the SSO trust certificate will cause the SSO function to be temporarily
unavailable. After the import is complete, the SSO function is restored.
Prerequisites
● The CAS SSO client trust certificate cannot be configured on the web client.
● You have obtained the CAS SSO server trust certificate trust.cer.
● You have obtained the passwords for the sopuser, ossadm, and ossuser users
for logging in to the node where Basic resides.
Precautions
In a cluster system, perform operations in this section on all the nodes where Basic
resides.
Procedure
Step 1 Use PuTTY to log in to the node where Basic resides, as the sopuser user in SSH
mode. For details about how to obtain the IP address of the node where a service
resides, see 1.23.2 How Do I Query the IP Address of the Node Where a Service
Resides?
Step 2 Run the following command to switch to the ossuser user:
$ su - ossuser
Password: password for the ossuser user
Step 3 Run the following command to go to the target directory:
$ cd /opt/share/oss/NetEco/BasicWebsite/
Step 4 Run the following command to check whether the external directory exists in the
current directory:
$ ls -l
● If it does, go to Step 6.
● If it does not, go to Step 5.
Step 5 Run the following commands to create a directory for storing the certificate and
set the owner and permissions of the directory:
$ mkdir external
$ chown -R ossuser:ossgroup external
$ chmod -R 700 external
Step 6 Use FileZilla to log in to the node where Basic resides, as the sopuser user in SFTP
mode. Upload the trust.cer file to the /home/sopuser directory. For details, see
1.24.2 Transferring Files Using FileZilla.
Step 7 Use PuTTY and run the following command to copy the certificate file, as the
ossuser user:
$ cp /home/sopuser/trust.cer /opt/share/oss/NetEco/BasicWebsite/external
Step 8 Run the following commands to change the owner and permissions of the
certificate file:
$ cd /opt/share/oss/NetEco/BasicWebsite/external/
$ chown ossuser:ossgroup *
$ chmod 600 *
Step 9 Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
Step 10 Run the following commands to load environment variables:
$ cd /opt/oss/manager/bin
$ . engr_profile.sh
Step 11 Run the following commands to restart Basic:
$ cd /opt/oss/manager/agent/bin
$ ipmc_adm -cmd restartapp -app BasicWebsite
● If information similar to the following is displayed, the service is successfully
restarted and the certificate is successfully updated:
Stopping process basicwebsite -1 -0 ... success
Starting process basicwebsite -1 -0 ... success
● Otherwise, the service fails to be restarted and the certificate fails to be
updated. Contact Huawei technical support.
Step 12 Run the following command to switch to the sopuser user:
$ exit
$ exit
Step 13 Run the following command to delete the file in the /home/sopuser directory:
$ cd /home/sopuser
$ rm -rf trust.cer
----End
1.16.12.3 Updating the CAS SSO Trust Certificate
Single sign-on (SSO) is an access control mechanism used for multiple associated
but independent software systems. The CAS SSO trust certificate is used for proper
CAS SSO login. To improve system security and prevent certificate expiration, you
are advised to update this certificate periodically, for example, every three months.
NOTICE
Updating the CAS SSO client trust certificate will cause the SSO function to be
temporarily unavailable. After the update is complete, the SSO function is
restored.
Prerequisites
● The CAS SSO client trust certificate cannot be configured on the web client.
● You have obtained the CAS SSO server trust certificate trust.cer.
● You have obtained the passwords for the sopuser, ossadm, and ossuser users
for logging in to the node where Basic resides.
Precautions
In a cluster system, perform operations in this section on all the nodes where Basic
resides.
Procedure
Step 1 Use PuTTY to log in to the node where Basic resides, as the sopuser user in SSH
mode. For details about how to obtain the IP address of the node where a service
resides, see 1.23.2 How Do I Query the IP Address of the Node Where a Service
Resides?
Step 2 Run the following command to switch to the ossuser user:
$ su - ossuser
Password: password for the ossuser user
Step 3 Run the following command to go to the target directory:
$ cd /opt/share/oss/NetEco/BasicWebsite/
Step 4 Run the following command to check whether the external directory exists in the
current directory:
$ ls -l
● If it does, go to Step 6.
● If it does not, go to Step 5.
Step 5 Run the following commands to create a directory for storing the certificate and
set the owner and permissions of the directory:
$ mkdir external
$ chown -R ossuser:ossgroup external
$ chmod -R 700 external
Step 6 Use FileZilla to log in to the node where Basic resides, as the sopuser user in SFTP
mode. Upload the trust.cer file to the /home/sopuser directory. For details, see
1.24.2 Transferring Files Using FileZilla.
Step 7 Use PuTTY and run the following command to copy the certificate file, as the
ossuser user:
$ cp /home/sopuser/trust.cer /opt/share/oss/NetEco/BasicWebsite/external
Step 8 Run the following commands to change the owner and permissions of the
certificate file:
$ cd /opt/share/oss/NetEco/BasicWebsite/external/
$ chown ossuser:ossgroup *
$ chmod 600 *
Step 9 Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
Step 10 Run the following commands to load environment variables:
$ cd /opt/oss/manager/bin
$ . engr_profile.sh
Step 11 Run the following commands to restart Basic:
$ cd /opt/oss/manager/agent/bin
$ ipmc_adm -cmd restartapp -app BasicWebsite
● If information similar to the following is displayed, the service is successfully
restarted and the certificate is successfully updated:
Stopping process basicwebsite -1 -0 ... success
Starting process basicwebsite -1 -0 ... success
● Otherwise, the service fails to be restarted and the certificate fails to be
updated. Contact Huawei technical support.
Step 12 Run the following command to switch to the sopuser user:
$ exit
$ exit
Step 13 Run the following command to delete the file in the /home/sopuser directory:
$ cd /home/sopuser
$ rm -rf trust.cer
----End
1.16.13 Managing the Trust Certificate of the Syslog Server
1.16.13.1 Importing the Trust Certificate of the Syslog Server
When TLS is used to forward logs of the NetEco, use certificates for authentication
between the NetEco server and the Syslog server to ensure proper communication.
When the NetEco server and the Syslog server trust different certificate authorities
(CAs), you need to import the trust certificate of the Syslog server to the NetEco
server. On the Syslog server, the trust certificate is imported by the Syslog server
administrator based on site requirements.
NOTE
For security purposes, the NetEco server uses TLSv1.2 or later by default.
Prerequisites
● The trust certificate of the Syslog server cannot be imported on the web
client.
● If the certificate of the Syslog server to be imported is in JKS format:
– You have obtained the trust certificate trust.jks of the Syslog server, the
identity certificate server.p12 issued by a CA trusted by the Syslog server
or by a subordinate CA of the trusted CA, and the passwords for both
certificates.
– When importing the trust certificate of the Syslog server, you need to
encrypt trust.jks and server.p12. A certificate password must meet the
following complexity requirements:
▪ The password must contain 10 to 32 characters.
▪ The password must be a combination of the following: digits,
lowercase letters, uppercase letters, and special characters
!"#$%&'()*+,-./:;<=>?@[]^`{_|}~
▪ The password cannot contain double quotation marks (") and single
quotation marks (') at the same time.
▪ The password can contain no more than two consecutive identical
characters.
▪ The password can contain no more than three identical characters.
● If the certificate of the Syslog server to be imported is in PEM format:
– You have obtained the trust certificate trust.cer of the Syslog server.
– You have obtained the identity certificate server.cer and key file
server_key.pem issued by a CA trusted by the Syslog server or by a
subordinate CA of the trusted CA, and the password for the key file.
● You have obtained the passwords for the sopuser, ossadm, and ossuser users
for logging in to the node where SMLogLic resides.
● If the TCP or UDP protocol is used to forward logs, no certificate needs to be
imported.
● If the NetEco server and the Syslog server trust the same CA, the certificates
that have already been imported to the NetEco server can be used for their
mutual authentication. In this case, no certificate needs to be imported again.
● The NetEco server authenticates the Syslog server. For security purposes, you
are advised to enable the Syslog server to authenticate the NetEco server as
well. For details about how to enable the authentication, contact the Syslog
server administrator.
● After the function of authenticating the NetEco server is enabled on the
Syslog server, you need to import the trust certificate of the NetEco server on
the Syslog server if the CA trusted by the NetEco server is different from that
trusted by the Syslog server. For details about how to import the certificate,
contact the Syslog server administrator.
● After the trust certificate of the Syslog server is imported, restart SMLogLic.
You are advised to restart the service during off-peak hours.
● In a cluster system, perform operations in this section on all the nodes where
SMLogLic resides.
Precautions
● If the Syslog server uses insecure encryption algorithms (such as
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), you need to add the insecure
encryption algorithms to the ssl.client.properties file when the trust
certificate of the Syslog server is imported. Otherwise, log forwarding will be
abnormal.
Procedure
Step 1 Use PuTTY to log in to the node where SMLogLic resides, as the sopuser user in
SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 2 Run the following command to switch to the ossuser user:
su - ossuser
Password: password for the ossuser user
Step 3 Run the following commands to check whether the 3rdparty directory exists in
the current directory:
cd /opt/oss/NetEco/etc/ssl
ll
● If it does, run the following command to delete the files from the 3rdparty
directory:
rm -rf 3rdparty/*
● If it does not, run the following command to create the 3rdparty directory:
mkdir 3rdparty
Step 4 To ensure minimum file permissions, run the following commands to change the
owner and permissions of the 3rdparty directory:
chown -R ossuser:ossgroup /opt/oss/NetEco/etc/ssl/3rdparty
chmod -R 700 /opt/oss/NetEco/etc/ssl/3rdparty
Step 5 Use FileZilla to upload the certificate files to the /home/sopuser directory on the
node where SMLogLic resides, as the sopuser user in SFTP mode. For details, see
1.24.2 Transferring Files Using FileZilla.
● If the certificate of the Syslog server is in JKS format, upload the certificate
files server.p12 and trust.jks.
● If the certificate of the Syslog server is in PEM format, upload the certificate
files trust.cer, server.cer, and server_key.pem.
Step 6 Run the following command on PuTTY to copy the certificate files to the
/opt/oss/NetEco/etc/ssl/3rdparty directory as the ossuser user:
cp /home/sopuser/certificate file /opt/oss/NetEco/etc/ssl/3rdparty/
Step 7 To ensure minimum file permissions, run the following commands to change the
file owner and permissions:
cd /opt/oss/NetEco/etc/ssl/3rdparty
chown ossuser:ossgroup *
chmod 600 *
Step 8 Run the following commands to switch to the ossadm user and load environment
variables:
su - ossadm
Password: password for the ossadm user
cd /opt/oss/manager/bin
. engr_profile.sh
Step 9 Run the following command to encrypt the passwords for the certificate files:
osskey -cmd encryptpasswd
When the following information is displayed, enter the password for the certificate
file, confirm the password, and record the encrypted password:
New Password: password for the certificate file
Reenter New Password: password for the certificate file
Repeat the preceding command if the passwords for other certificate files need to
be encrypted.
Step 10 Run the following commands to add the passwords for the certificate files in the
manifest.json file.
1. Create the manifest.json file on the local PC.
– If the passwords for the certificate files trust.jks and server.p12 are
encrypted in Step 9, the format of the manifest.json file is as follows:
{
  "filelist": {
    "server.p12": {
      "storeType": "PKCS12",
      "storePass": "password ciphertext for server.p12",
      "keyPass": "password ciphertext for server.p12"
    },
    "trust.jks": {
      "storeType": "JKS",
      "storePass": "password ciphertext for trust.jks"
    }
  }
}
NOTE
Password ciphertext for trust.jks and Password ciphertext for server.p12 are
recorded in Step 9.
– If the password for the certificate file server_key.pem is encrypted in
Step 9, the format of the manifest.json file is as follows:
{
  "filelist": {
    "server_key.pem": {
      "storeType": "PKCS1",
      "format": "PEM",
      "keyPass": "password ciphertext for server_key.pem"
    }
  }
}
NOTE
Password ciphertext for server_key.pem is recorded in Step 9.
2. Use FileZilla to upload the manifest.json file to the /home/sopuser directory
as the sopuser user in SFTP mode.
3. Run the following command on PuTTY to copy the manifest.json file to a
specified directory as the ossuser user:
cp /home/sopuser/manifest.json /opt/oss/NetEco/etc/ssl/3rdparty/
4. To ensure minimum file permissions, run the following commands to set the
file owner and permissions:
chown ossuser:ossgroup /opt/oss/NetEco/etc/ssl/3rdparty/manifest.json
chmod 600 /opt/oss/NetEco/etc/ssl/3rdparty/manifest.json
Step 11 Optional: Enable the insecure encryption algorithm used by the Syslog server.
● If the Syslog server uses a secure encryption algorithm, skip this step.
● If the Syslog server uses an insecure encryption algorithm, perform the
following steps to modify the ssl.client.properties file.
a. Create the ssl.client.properties file on the local PC.
NOTE
▪ For security purposes, you are advised to use the Syslog server with a secure
encryption algorithm and use secure protocols for data transfer.
▪ To disable the insecure encryption algorithm in the ssl.client.properties file,
change the insecure protocol in ssl.protocols to a secure protocol and delete
the insecure algorithm in ssl.ciphers.
The contents of the ssl.client.properties file are as follows:
ssl.storePath=3rdparty
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl.trustStoreValue=trustStoreValue
ssl.allowRenegociate=false
ssl.checkCN.white.file=white.list
ssl.protocols=TLSv1.2
ssl.keyStoreValue=keyStoreValue
ssl.keyStore=server.p12
ssl.trustStoreType=JKS
ssl.authPeer=true
ssl.crl=revoke.crl
ssl.keyStoreType=PKCS12
ssl.checkCN.white=false
ssl.checkCN.host=true
ssl.trustStore=trust.jks
Change ssl.protocols=TLSv1.2 to ssl.protocols=TLSv1.1, and add the
insecure encryption algorithms, for example,
TLS_RSA_WITH_AES_256_CBC_SHA256, to ssl.ciphers. The file content is
as follows:
ssl.protocols=TLSv1.1
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
b. Use FileZilla to upload the ssl.client.properties file to the /home/sopuser
directory as the sopuser user in SFTP mode.
c. Run the following command on PuTTY to copy the ssl.client.properties
file to a specified directory as the ossuser user:
cp /home/sopuser/ssl.client.properties /opt/share/oss/NetEco/SMLogLicService/etc/
d. To ensure minimum file permissions, run the following commands to set
the file owner and permissions:
chown ossuser:ossgroup /opt/share/oss/NetEco/SMLogLicService/etc/ssl.client.properties
chmod 600 /opt/share/oss/NetEco/SMLogLicService/etc/ssl.client.properties
Step 12 Optional: Enable the SSLv3 protocol used by the Syslog server.
● If the Syslog server does not use SSLv3, skip this step.
● If the Syslog server uses SSLv3, perform the following steps to create the
sm.java.property file:
NOTE
For security purposes, you are advised to use the Syslog server that supports TLSv1.2
or later for data transfer.
a. Create an sm.java.property file on the local PC with the following content:
jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
b. Use FileZilla to upload the sm.java.property file to the /home/sopuser
directory as the sopuser user in SFTP mode.
c. Run the following command on PuTTY to copy the sm.java.property file
to a specified directory as the ossuser user:
cp /home/sopuser/sm.java.property /opt/share/oss/NetEco/SMLogLicService/etc/
d. To ensure minimum file permissions, run the following commands to set
the file owner and permissions:
chown ossuser:ossgroup /opt/share/oss/NetEco/SMLogLicService/etc/sm.java.property
chmod 600 /opt/share/oss/NetEco/SMLogLicService/etc/sm.java.property
e. Optional: To disable the SSLv3 protocol, run the following commands to
delete the sm.java.property file:
cd /opt/share/oss/NetEco/SMLogLicService/etc
rm sm.java.property
Step 13 Run the following command to switch to the ossadm user:
su - ossadm
Password: password for the ossadm user
Step 14 Run the following commands to load the environment variables and restart the service:
cd /opt/oss/manager/bin
. engr_profile.sh
ipmc_adm -cmd restartapp -app SMLogLicService
● If information similar to the following is displayed, the service is restarted and the certificate is imported:
Stopping process smloglicservice -0 -0 ... success
Starting process smloglicservice -0 -0 ... success
● Otherwise, the service fails to be restarted and the certificate fails to be imported. In this case, contact Huawei technical support.
Step 15 Run the following command to switch to the sopuser user:
su - sopuser
Password: password for the sopuser user
Step 16 Run the following commands to delete the files in the /home/sopuser directory:
rm -rf /home/sopuser/certificate file
rm -rf /home/sopuser/manifest.json
rm -rf /home/sopuser/ssl.client.properties
rm -rf /home/sopuser/sm.java.property
----End
1.16.13.2 Updating the Trust Certificate of the Syslog Server
When TLS is used to forward logs of the NetEco, use certificates for authentication
between the NetEco server and the Syslog server to ensure proper communication.
If the trust certificate on the NetEco server is about to expire or the Syslog server
trusts a new trust certificate, you need to update the trust certificate on the
NetEco server to ensure normal communication between the NetEco server and
the Syslog server. This section describes how to update the trust certificate of the
Syslog server on the NetEco server.
NOTE
For security purposes, the NetEco server uses TLSv1.2 or later by default.
Prerequisites
● The trust certificate of the Syslog server cannot be updated on the web client.
● If the certificate to be updated is in JKS format:
– You have obtained the trust certificate trust.jks of the Syslog server, the identity certificate server.p12 issued by a CA trusted by the Syslog server or by a subordinate CA of the trusted CA, and the passwords for both certificates.
– When importing the trust certificate of the Syslog server, you need to encrypt trust.jks and server.p12. A certificate password must meet the following complexity requirements:
▪ The password must contain 10 to 32 characters.
▪ The password must be a combination of the following: digits, lowercase letters, uppercase letters, and special characters !"#$%&'()*+,-./:;<=>?@[]^`{_|}~
▪ The password cannot contain double quotation marks (") and single quotation marks (') at the same time.
▪ The password can contain no more than two consecutive identical characters.
▪ The password can contain no more than three identical characters.
● If the certificate to be updated is in PEM format:
– You have obtained the trust certificate trust.cer of the Syslog server.
– You have obtained the identity certificate server.cer and key file server_key.pem issued by a CA trusted by the Syslog server or by a subordinate CA of the trusted CA, and the password for the key file.
● You have obtained the passwords for the sopuser, ossadm, and ossuser users for logging in to the node where SMLogLic resides.
● The NetEco server authenticates the Syslog server. For security purposes, you are advised to configure the Syslog server with the same data as that on the NetEco server.
● After the certificate is updated on the NetEco server, restart the Log Forwarding service. You are advised to restart the service during off-peak hours.
● In a cluster system, perform operations in this section on all the nodes where SMLogLic resides.
● If the Syslog server uses insecure encryption algorithms (such as TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), you need to add the insecure encryption algorithms to the ssl.client.properties file when the trust certificate of the Syslog server is imported. Otherwise, log forwarding will be abnormal.
Precautions
Procedure
Step 1 Use PuTTY to log in to the node where SMLogLic resides, as the sopuser user in
SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 2 Run the following command to switch to the ossuser user:
su - ossuser
Password: password for the ossuser user
Step 3 Run the following commands to check whether the 3rdparty directory exists in
the current directory:
cd /opt/oss/NetEco/etc/ssl
ll
● If it does, run the following command to delete the files from the 3rdparty directory:
rm -rf 3rdparty/*
● If it does not, run the following command to create the 3rdparty directory:
mkdir 3rdparty
Step 4 To ensure minimum file permissions, run the following commands to change the
owner and permissions of the 3rdparty directory:
chown -R ossuser:ossgroup /opt/oss/NetEco/etc/ssl/3rdparty
chmod -R 700 /opt/oss/NetEco/etc/ssl/3rdparty
Step 5 Use FileZilla to upload the certificate files to the /home/sopuser directory on the
node where SMLogLic resides, as the sopuser user in SFTP mode.
● If the certificate to be updated is in JKS format, upload the certificate files server.p12 and trust.jks.
● If the certificate to be updated is in PEM format, upload the certificate files trust.cer, server.cer, and server_key.pem.
Step 6 Run the following command on PuTTY to copy the certificate files to the /opt/oss/NetEco/etc/ssl/3rdparty directory as the ossuser user:
cp /home/sopuser/certificate file /opt/oss/NetEco/etc/ssl/3rdparty/
Step 7 To ensure minimum file permissions, run the following commands to change the
file owner and permissions:
cd /opt/oss/NetEco/etc/ssl/3rdparty
chown ossuser:ossgroup *
chmod 600 *
Step 8 Run the following commands to switch to the ossadm user and load environment
variables:
su - ossadm
Password: password for the ossadm user
cd /opt/oss/manager/bin
. engr_profile.sh
Step 9 Run the following command to encrypt the passwords for the certificate files:
osskey -cmd encryptpasswd
When the following information is displayed, enter the password for the certificate
file, confirm the password, and record the encrypted password:
New Password: password for the certificate file
Reenter New Password: password for the certificate file
Repeat the preceding command if the passwords for other certificate files need to
be encrypted.
Step 10 Run the following commands to add the passwords for the certificate files in the
manifest.json file.
1. Create the manifest.json file on the local PC.
– If the passwords for the certificate files trust.jks and server.p12 are encrypted in Step 9, the format of the manifest.json file is as follows:
{
  "filelist": {
    "server.p12": {
      "storeType": "PKCS12",
      "storePass": "password ciphertext for server.p12",
      "keyPass": "password ciphertext for server.p12"
    },
    "trust.jks": {
      "storeType": "JKS",
      "storePass": "password ciphertext for trust.jks"
    }
  }
}
NOTE
Password ciphertext for trust.jks and Password ciphertext for server.p12 are recorded in Step 9.
– If the password for the certificate file server_key.pem is encrypted in Step 9, the format of the manifest.json file is as follows:
{
  "filelist": {
    "server_key.pem": {
      "storeType": "PKCS1",
      "format": "PEM",
      "keyPass": "password ciphertext for server_key.pem"
    }
  }
}
NOTE
Password ciphertext for server_key.pem is recorded in Step 9.
2. Use FileZilla to upload the manifest.json file to the /home/sopuser directory as the sopuser user in SFTP mode.
3. Run the following command on PuTTY to copy the manifest.json file to a specified directory as the ossuser user:
cp /home/sopuser/manifest.json /opt/oss/NetEco/etc/ssl/3rdparty/
4. To ensure minimum file permissions, run the following commands to set the file owner and permissions:
chown ossuser:ossgroup /opt/oss/NetEco/etc/ssl/3rdparty/manifest.json
chmod 600 /opt/oss/NetEco/etc/ssl/3rdparty/manifest.json
Step 11 Optional: Enable the insecure encryption algorithm used by the Syslog server.
● If the Syslog server uses a secure encryption algorithm, skip this step.
● If the Syslog server uses an insecure encryption algorithm, perform the following steps to modify the ssl.client.properties file.
a. Create the ssl.client.properties file on the local PC.
NOTE
▪ For security purposes, you are advised to use the Syslog server with a secure encryption algorithm and use secure protocols for data transfer.
▪ To disable the insecure encryption algorithm in the ssl.client.properties file, change the insecure protocol in ssl.protocols to a secure protocol and delete the insecure algorithm in ssl.ciphers.
The contents of the ssl.client.properties file are as follows:
ssl.storePath=3rdparty
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl.trustStoreValue=trustStoreValue
ssl.allowRenegociate=false
ssl.checkCN.white.file=white.list
ssl.protocols=TLSv1.2
ssl.keyStoreValue=keyStoreValue
ssl.keyStore=server.p12
ssl.trustStoreType=JKS
ssl.authPeer=true
ssl.crl=revoke.crl
ssl.keyStoreType=PKCS12
ssl.checkCN.white=false
ssl.checkCN.host=true
ssl.trustStore=trust.jks
Change ssl.protocols=TLSv1.2 to ssl.protocols=TLSv1.1, and add the
insecure encryption algorithms, for example,
TLS_RSA_WITH_AES_256_CBC_SHA256, to ssl.ciphers. The file content is
as follows:
ssl.protocols=TLSv1.1
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
b. Use FileZilla to upload the ssl.client.properties file to the /home/sopuser directory as the sopuser user in SFTP mode.
c. Run the following command on PuTTY to copy the ssl.client.properties file to a specified directory as the ossuser user:
cp /home/sopuser/ssl.client.properties /opt/share/oss/NetEco/SMLogLicService/etc/
d. To ensure minimum file permissions, run the following commands to set the file owner and permissions:
chown ossuser:ossgroup /opt/share/oss/NetEco/SMLogLicService/etc/ssl.client.properties
chmod 600 /opt/share/oss/NetEco/SMLogLicService/etc/ssl.client.properties
Step 12 Optional: Enable the SSLv3 protocol used by the Syslog server.
● If the Syslog server does not use SSLv3, skip this step.
● If the Syslog server uses SSLv3, perform the following steps to create the sm.java.property file:
NOTE
For security purposes, you are advised to use a Syslog server that supports TLSv1.2 or later for data transfer.
a. Create an sm.java.property file on the local PC with the following content:
jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
b. Use FileZilla to upload the sm.java.property file to the /home/sopuser directory as the sopuser user in SFTP mode.
c. Run the following command on PuTTY to copy the sm.java.property file to a specified directory as the ossuser user:
cp /home/sopuser/sm.java.property /opt/share/oss/NetEco/SMLogLicService/etc/
d. To ensure minimum file permissions, run the following commands to set the file owner and permissions:
chown ossuser:ossgroup /opt/share/oss/NetEco/SMLogLicService/etc/sm.java.property
chmod 600 /opt/share/oss/NetEco/SMLogLicService/etc/sm.java.property
e. Optional: To disable the SSLv3 protocol, run the following commands to delete the sm.java.property file:
cd /opt/share/oss/NetEco/SMLogLicService/etc
rm sm.java.property
Step 13 Run the following command to switch to the ossadm user:
su - ossadm
Password: password for the ossadm user
Step 14 Run the following commands to load the environment variables and restart the service:
cd /opt/oss/manager/bin
. engr_profile.sh
ipmc_adm -cmd restartapp -app SMLogLicService
● If information similar to the following is displayed, the service is restarted and the certificate is imported:
Stopping process smloglicservice -0 -0 ... success
Starting process smloglicservice -0 -0 ... success
● Otherwise, the service fails to be restarted and the certificate fails to be imported. In this case, contact Huawei technical support.
Step 15 Run the following command to switch to the sopuser user:
su - sopuser
Password: password for the sopuser user
Step 16 Run the following commands to delete the files in the /home/sopuser directory:
rm -rf /home/sopuser/certificate file
rm -rf /home/sopuser/manifest.json
rm -rf /home/sopuser/ssl.client.properties
rm -rf /home/sopuser/sm.java.property
----End
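A pre-upload check for the manifest.json file built in Step 10, as an added example that is not part of the guide or of the NetEco tooling. The required-field table is an assumption inferred from the two samples in Step 10 only, and validate_manifest and the sample values are constructed here.

```python
import json

# Fields each storeType carries in the two manifest.json samples of Step 10.
# Assumption: inferred from those samples only, not from a product schema.
REQUIRED_FIELDS = {
    "PKCS12": ("storePass", "keyPass"),
    "JKS": ("storePass",),
    "PKCS1": ("format", "keyPass"),
}
# Text of the guide's placeholders; a value containing it was never filled in.
PLACEHOLDER = "password ciphertext for"


def validate_manifest(text, present_files=None):
    """Return a list of problems in manifest.json text; an empty list means OK.

    present_files: optional names of the files copied to the 3rdparty
    directory, used to report manifest entries that have no matching file.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma or a misplaced brace is reported here.
        return [f"not valid JSON at line {exc.lineno}: {exc.msg}"]

    filelist = doc.get("filelist") if isinstance(doc, dict) else None
    if not isinstance(filelist, dict) or not filelist:
        return ['top-level "filelist" object is missing or empty']

    present = None if present_files is None else set(present_files)
    problems = []
    for name, entry in filelist.items():
        if not isinstance(entry, dict):
            problems.append(f"{name}: entry is not an object")
            continue
        store_type = entry.get("storeType")
        if not isinstance(store_type, str) or store_type not in REQUIRED_FIELDS:
            problems.append(f"{name}: unexpected storeType {store_type!r}")
            continue
        for field in REQUIRED_FIELDS[store_type]:
            value = entry.get(field)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{name}: {field} is missing or empty")
            elif PLACEHOLDER in value.lower():
                problems.append(f"{name}: {field} still holds the guide's placeholder")
        if present is not None and name not in present:
            problems.append(f"{name}: no such file in the certificate directory")
    return problems


# Constructed samples. The ciphertext strings are dummies, not osskey output.
GOOD_MANIFEST = """{
  "filelist": {
    "server.p12": {"storeType": "PKCS12", "storePass": "DUMMY-1", "keyPass": "DUMMY-1"},
    "trust.jks": {"storeType": "JKS", "storePass": "DUMMY-2"}
  }
}"""
# The PEM sample with a comma after the last member, which JSON does not allow.
TRAILING_COMMA_MANIFEST = """{
  "filelist": {
    "server_key.pem": {"storeType": "PKCS1", "format": "PEM", "keyPass": "DUMMY-3",}
  }
}"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_MANIFEST), ("trailing comma", TRAILING_COMMA_MANIFEST)):
        print(label, "->", validate_manifest(text) or "OK")
```

Running the check on the local PC before Step 10's upload catches a malformed file before the service restart in Step 14.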
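An audit of the two files edited in Steps 11 and 12 of this procedure and of the preceding import procedure, as an added example that is not Huawei code. It goes beyond the guide's cipher list by also flagging any other CBC or static-RSA suite; the function names and sample inputs are constructed here, and treating a jdk.tls.disabledAlgorithms value without SSLv3 as "SSLv3 enabled" follows the guide's description of what sm.java.property does.

```python
# Cipher suites that the guide's section 1.16.13.2 names as insecure.
GUIDE_INSECURE_CIPHERS = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# The guide gives TLSv1.2 or later as the default; anything else is a downgrade.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Values printed in the guide's default ssl.client.properties. What each switch
# does is defined by the product; the audit only reports drift from them.
GUIDE_BASELINE = {"ssl.authPeer": "true", "ssl.checkCN.host": "true",
                  "ssl.allowRenegociate": "false"}


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' or '!' comments.

    Line continuations are not handled; the files in the guide do not use them.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_ssl_client(text):
    """Return findings for ssl.client.properties text; [] means no downgrade."""
    props = parse_properties(text)
    findings = []
    protocols = split_list(props.get("ssl.protocols", ""))
    if not protocols:
        findings.append("ssl.protocols is not set")
    for proto in protocols:
        if proto not in ACCEPTED_PROTOCOLS:
            findings.append(f"ssl.protocols allows {proto}")
    for cipher in split_list(props.get("ssl.ciphers", "")):
        if cipher in GUIDE_INSECURE_CIPHERS:
            findings.append(f"ssl.ciphers allows {cipher} (named insecure in the guide)")
        elif "_CBC_" in cipher or cipher.startswith("TLS_RSA_"):
            # Generalisation added here: same families as the guide's list.
            findings.append(f"ssl.ciphers allows {cipher} (CBC or static-RSA suite)")
    for key, expected in GUIDE_BASELINE.items():
        actual = props.get(key)
        if actual is not None and actual.lower() != expected:
            findings.append(f"{key}={actual} differs from the guide's {expected}")
    return findings


def audit_sm_java_property(text):
    """Return findings for sm.java.property text; [] means SSLv3 stays disabled."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms")
    if value is None:
        return []
    # "DH keySize < 1024" names the algorithm DH; keep only the first word.
    disabled = {item.split()[0] for item in split_list(value)}
    if "SSLv3" in disabled:
        return []
    return ["jdk.tls.disabledAlgorithms omits SSLv3, so SSLv3 is not disabled"]


# Constructed sample inputs, built from the values printed in the guide.
GCM_SUITES = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
DEFAULT_FILE = f"ssl.protocols=TLSv1.2\nssl.ciphers={GCM_SUITES}\nssl.authPeer=true\n"
WEAKENED_FILE = (f"ssl.protocols=TLSv1.1\n"
                 f"ssl.ciphers={GCM_SUITES},TLS_RSA_WITH_AES_256_CBC_SHA256\n"
                 f"ssl.authPeer=true\n")
SM_JAVA_PROPERTY = ("jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, DH keySize < 1024, "
                    "EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n")

if __name__ == "__main__":
    print("default :", audit_ssl_client(DEFAULT_FILE) or "OK")
    print("weakened:", audit_ssl_client(WEAKENED_FILE))
    print("sm.java :", audit_sm_java_property(SM_JAVA_PROPERTY))
```

On a node, feed it the contents of the files under /opt/share/oss/NetEco/SMLogLicService/etc/; a missing sm.java.property corresponds to the empty-string case.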
1.17 Managing Keys
1.17.1 Updating the Root Key and Working Keys
Root keys and working keys are used to encrypt and decrypt passwords for
database users and certificates to prevent the passwords from being tampered
with or stolen. Huawei-developed key files have been preconfigured when the
PowerEcho and the NetEco are installed. These keys are used only for
commissioning. For security purposes, you are advised to periodically update the
keys of the PowerEcho and the NetEco.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users on the
management node.
Precautions
In a remote cold backup scenario, after the keys are updated at the primary site,
you need to update the keys at the secondary site using the keys of the primary
site to ensure that the two sites use the same keys.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
Run the following command to switch to the ossadm user:
$ su - ossadm
Step 2 Run the following commands to update the keys:
$ cd /opt/oss/manager/agent/bin
$ screen -S "osskey" bash osskey -cmd addkeyonallnodes -type all -keylen 128 -force
Replace the values of the preceding parameters based on site requirements.
Parameter: -type
Description: Type of the key. You are advised to set this parameter to all to update the important data corresponding to the root key, working keys, and key files. You can also update the key of a specified type as required.
● root: root key. When the root key is updated, the following three types of working keys are encrypted, but the important data corresponding to the working keys is not updated.
● common_shared: common working key. This key is used to encrypt data to be restored, for example, certificate password and database user password.
● redis_shared: working key of the Redis database. This key is used to encrypt the Redis database.
● service_token_shared: working key of the security module. This key is used to encrypt the token in token authentication mode.
If the -type parameter is not set, the system updates the common_shared key file by default.
Parameter: -keylen
Description: Length of the key. Unit: bit. Options: 128, 192, and 256. The longer the key is, the higher the system security is. However, the key encryption and decryption performance decreases with the increase of the key length. Set the key length based on site requirements. If the -keylen parameter is not set, the system sets the length of the key to be updated to 128 bits by default.
Parameter: -force
Description: By default, the interval for updating the key files of the same type is at least a month. If the interval between the current time and the last key update time is less than a month, the update operation is not allowed. If the -force parameter is configured, the interval is not limited. If the -force parameter is not configured, enter Y and press Enter when the following information is displayed:
Are you sure to generate a new key and update the files used the key on all nodes(Y/N):
● If the following information is displayed, the keys are updated successfully. Go to Step 4.
......
Execute osskey cmd:addkeyonallnodes Successful
● If the following information is displayed, the keys fail to be updated. Go to Step 3.
......
Execute osskey cmd:addkeyonallnodes Failed
Step 3 If the keys fail to be updated, perform the following operations to update the keys
again:
1. Run the following command to update the keys again:
$ screen -S "osskey" bash osskey -cmd addkeyonallnodes -retry
The following information is displayed:
Are you sure to generate a new key and update the files used the key on all nodes(Y/N):
2. Enter y and press Enter.
If the following information is displayed, the keys are updated successfully. Otherwise, contact Huawei technical support.
......
Execute osskey cmd:addkeyonallnodes Successful
Step 4 Back up the database applications and product applications. For details, see
1.11.6.1 Manually Backing Up the Application and Data of the PowerEcho and
1.11.5 Backing Up Products. After the keys are updated, historical backup files
become invalid, so the application and data of the PowerEcho, the product
database applications, and the product applications need to be backed up
manually.
Step 5 In a remote cold backup scenario, update the root key and working keys at the
secondary site. For details, see 1.17.2 Updating the Root Key and Working Keys
of the Secondary Site.
----End
1.17.2 Updating the Root Key and Working Keys of the
Secondary Site
In a remote cold backup scenario, if the keys of the primary site are successfully
updated but the keys of the secondary site fail to be updated, or the keys of the
primary site and the secondary site are inconsistent, you can copy the keys of the
primary site to the secondary site and then update the keys at the secondary site.
In this manner, the sites can properly communicate with each other.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node at the primary and secondary sites.
Procedure
Step 1 Use PuTTY to log in to the management node at the primary site as the sopuser
user in SSH mode.
Step 2 Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to create a temporary directory and copy the key
files to the temporary directory:
$ mkdir -p /tmp/router_keys
$ cp /opt/oss/manager/etc/cipher/base.ksf /tmp/router_keys
$ cp /opt/oss/manager/etc/cipher/common_shared.ksf /tmp/router_keys
$ cp /opt/oss/manager/etc/cipher/redis_shared.ksf /tmp/router_keys
$ cp /opt/oss/manager/etc/cipher/service_shared.ksf /tmp/router_keys
Step 4 Run the following commands to configure permissions for the key files:
$ chmod 750 /tmp/router_keys/base.ksf
$ chmod 750 /tmp/router_keys/common_shared.ksf
$ chmod 750 /tmp/router_keys/redis_shared.ksf
$ chmod 750 /tmp/router_keys/service_shared.ksf
Step 5 Run the following command to exit from the ossadm user:
$ exit
Step 6 Run the following commands to copy the key files from the temporary directory to
the /home/sopuser directory and configure permissions for the key files:
$ cp /tmp/router_keys/* /home/sopuser
$ chmod 600 /home/sopuser/base.ksf
$ chmod 600 /home/sopuser/common_shared.ksf
$ chmod 600 /home/sopuser/redis_shared.ksf
$ chmod 600 /home/sopuser/service_shared.ksf
Step 7 Use FileZilla to download the key files from the management node at the primary site to your PC as the sopuser user in SFTP mode. For details, see 1.24.2 Transferring Files Using FileZilla.
● Obtain the key files from the /home/sopuser directory.
● Key files:
– base.ksf: root key
– common_shared.ksf: common working key
– redis_shared.ksf: working key of the Redis database
– service_shared.ksf: working key of the security module
Step 8 Use FileZilla to upload the key files obtained in Step 7 to the /home/sopuser
directory on the management node at the secondary site, as the sopuser user in
SFTP mode.
Step 9 Use PuTTY to log in to the management node at the secondary site as the
sopuser user in SSH mode.
Step 10 Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
Step 11 Run the following commands to create a temporary directory and copy the key
files to the temporary directory:
$ mkdir -p /tmp/router_keys
$ cp /home/sopuser/base.ksf /tmp/router_keys
$ cp /home/sopuser/common_shared.ksf /tmp/router_keys
$ cp /home/sopuser/redis_shared.ksf /tmp/router_keys
$ cp /home/sopuser/service_shared.ksf /tmp/router_keys
Step 12 Run the following commands to configure permissions for the key files:
$ chmod 700 /tmp/router_keys
$ find /tmp/router_keys -type f| xargs chmod 600
Step 13 Run the following commands to update the keys of the secondary site:
$ cd /opt/oss/manager/agent/bin
$ bash osskey -cmd replace_key -path /tmp/router_keys/
When the following information is displayed, enter y and press Enter:
Are you sure to replace key and update the files used the key on all nodes(Y/N):
Step 14 Check the execution result of the key update and perform corresponding
operations.
Table 1-63 Execution results
Command output: If the following information is displayed, the keys of the secondary sites are updated successfully:
...
Execute osskey cmd:replace_key Successful
Operation: Go to Step 15.
Command output: If the following information is displayed, the keys of the secondary sites fail to be updated:
...
Execute osskey cmd:replace_key Failed
Operation:
1. Run the following commands to update the keys of the secondary site again:
$ bash osskey -cmd replace_key -path /tmp/router_keys -retry
The following information is displayed:
Are you sure to replace key and update the files used the key on all nodes(Y/N):
2. Enter y and press Enter.
If the following information is displayed, the keys of the secondary sites are updated successfully. Go to Step 15. Otherwise, contact Huawei technical support.
......
Execute osskey cmd:replace_key Successful
Step 15 Delete the temporary files.
1. Delete the temporary files on the management node at the secondary site.
a. Run the following command to delete the files in the temporary directory:
$ rm -rf /tmp/router_keys
b. Run the following command to exit from the ossadm user:
$ exit
c. Run the following commands to delete the temporary files copied to the /home/sopuser directory:
$ rm -rf /home/sopuser/base.ksf
$ rm -rf /home/sopuser/common_shared.ksf
$ rm -rf /home/sopuser/redis_shared.ksf
$ rm -rf /home/sopuser/service_shared.ksf
2. Delete the temporary files on the management node at the primary site.
a. Use PuTTY to log in to the management node at the primary site as the sopuser user in SSH mode.
b. Run the following commands to delete the temporary files copied to the /home/sopuser directory:
$ rm -rf /home/sopuser/base.ksf
$ rm -rf /home/sopuser/common_shared.ksf
$ rm -rf /home/sopuser/redis_shared.ksf
$ rm -rf /home/sopuser/service_shared.ksf
c. Run the following command to switch to the ossadm user:
$ su - ossadm
Password: password for the ossadm user
d. Run the following command to delete the files in the temporary directory:
$ rm -rf /tmp/router_keys
Step 16 In a remote cold backup scenario, perform the following operations to restart the
product database:
1. Access the PowerEcho at https://client IP address of the PowerEcho of the secondary site:31945.
2. On the login page, enter the username and password, and click Log In.
3. On the PowerEcho, choose Product > System Monitoring from the main menu.
4. In the upper left corner of the System Monitoring page, move the pointer to and select the product.
5. In the upper left corner of the page, click Stop, choose Stop DB from the drop-down menu and perform operations as prompted.
6. After the databases are stopped, in the upper left corner of the page, click Start, choose Start DB from the drop-down menu, and perform operations as prompted.
----End
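A check for key file copies left in the staging locations used in Steps 3 to 15, as an added example that is not part of the guide or of the osskey tool. The file names and directories are the ones in this procedure; the function names and record layout are constructed here.

```python
import os
import stat

# Key file names and staging locations used in this procedure.
KEY_FILES = ("base.ksf", "common_shared.ksf", "redis_shared.ksf", "service_shared.ksf")
STAGING_DIRS = ("/tmp/router_keys", "/home/sopuser")


def find_staged_key_copies(directories=STAGING_DIRS):
    """Return one record per key file copy still present in a staging directory.

    Each record holds the path, the permission bits as an octal string, and
    whether group or other users have any access to the file. A path that the
    current user may not inspect is reported with mode and exposed set to None.
    """
    records = []
    for directory in directories:
        for name in KEY_FILES:
            path = os.path.join(directory, name)
            try:
                info = os.lstat(path)  # lstat: report a symlink, do not follow it
            except (FileNotFoundError, NotADirectoryError):
                continue
            except PermissionError:
                records.append({"path": path, "mode": None, "exposed": None})
                continue
            mode = stat.S_IMODE(info.st_mode)
            records.append({
                "path": path,
                "mode": format(mode, "04o"),
                "exposed": bool(mode & 0o077),  # any group/other permission bit
            })
    return records


def cleanup_complete(directories=STAGING_DIRS):
    """True when no copy of a key file remains in the staging directories."""
    return not find_staged_key_copies(directories)


if __name__ == "__main__":
    leftovers = find_staged_key_copies()
    for record in leftovers:
        note = "group/other access" if record["exposed"] else "owner only"
        print(f'{record["path"]}  mode={record["mode"]}  {note}')
    print("cleanup complete" if not leftovers else f"{len(leftovers)} key copies remain")
```

Run it on both management nodes after Step 15; during the transfer itself it also shows which copies carry group or other permission bits, such as the 750 mode set in Step 4.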
1.18 Managing Log
1.18.1 Configuring Log Forwarding (the PowerEcho)
During the routine operation and maintenance, a large number of logs are
generated. To ensure sufficient space for storing new logs, the historical logs are
cleared with the generation of new logs. The log forwarding function allows the
system to automatically forward logs to a Syslog server to prevent loss of
historical data.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
● The trust certificate of the Syslog server has been imported. For details, see 1.16.6 Uploading and Updating the Trust Certificate of the Syslog Server (the PowerEcho).
● The Syslog server has been configured. For details about how to configure the Syslog server, see Table 1-64.
Table 1-64 Parameter description
Parameter: Active server IP address
Description: IP address of the active server that receives logs forwarded by the PowerEcho.
Parameter: Active server port
Description: Port number of the active server that receives forwarded logs. The value range is 1 to 65535.
Parameter: Standby server IP address
Description: (Optional) IP address of the standby server. The standby server is a backup of the active Syslog server.
Parameter: Standby server port
Description: The value range is 1 to 65535.
Parameter: Protocol
Description: The TLS, UDP, and TCP protocols are supported.
● You are advised to select TLS because it is more secure than UDP and TCP. If Protocol is set to TLS, the SSL certificate for the log forwarding service is required.
● If Protocol is set to UDP, Syslog packets are sent only to the active server. If the UDP protocol is used, you do not need to plan the standby Syslog server.
NOTE
For security purposes, the system uses TLSv1.2 or later by default.
Parameter: Required string
Description: Only the logs that contain the string are forwarded.
● Regular expressions are not supported in the string.
● Wildcard characters are not supported in the string.
Parameter: Syslog server time zone
Description: You can set this parameter based on the time zone where the Syslog server is located. After the setting, the time in the forwarded Syslog packets is automatically converted to the time of the time zone where the Syslog server is located.
Parameter: Enable DST
Description: When DST is used in the region where the Syslog server is located, you can enable the DST. After the DST is enabled, when the time zone where the Syslog server is located is in the DST period, the forwarded Syslog packets contain DST identifiers.
Context
Figure 1-16 shows the principles of log forwarding settings.
Figure 1-16 Principles of log forwarding settings
The PowerEcho connects to the Syslog server at an interval of 30 seconds. Syslog
packets stored in the Syslog database are preferentially forwarded. Successfully
forwarded packets will be deleted from the Syslog database.
If UDP is used, the PowerEcho forwards Syslog packets only to the active Syslog
server. Therefore, no standby Syslog server is required in this case.
If TLS or TCP is used, the system attempts to connect to the active Syslog server in
each period. If the connection fails, it attempts to connect to the standby Syslog
server. The following cases may occur:
● If the PowerEcho is successfully connected to the active Syslog server, logs are forwarded only to the active server.
● If the PowerEcho fails to connect to the active Syslog server, it attempts to connect to the standby Syslog server. If the connection is successful, the PowerEcho forwards logs only to the standby Syslog server.
● If the PowerEcho fails to connect to the active and standby Syslog servers, it will forward logs after it reconnects to the active or standby Syslog server.
NOTE
● After security logs, operation logs, and system logs are converted to Syslog packets, the
packets are directly forwarded to a Syslog server. Those that fail to be forwarded are
stored in the Syslog database.
● Syslog packets converted from other logs are saved in the Syslog database. If the
forwarding fails, the Syslog packets are still stored in the Syslog database.
● For security purposes, the system uses TLSv1.2 or later by default.
Procedure
Step 1 On the PowerEcho, choose System > Log Management > Log Forwarding
Settings from the main menu.
Step 2 In the navigation pane, choose Forwarding Server, and perform operations as
prompted.
----End
1.18.2 Configuring Log Forwarding Rules (the PowerEcho)
The log forwarding rule defines the levels of different types of logs to be
forwarded.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose System > Log Management > Log Forwarding
Settings from the main menu.
Step 2 In the navigation pane, choose Forwarding Rule.
Step 3 On the Forwarding Rule page, click the desired levels for different types of logs.
Step 4 Click Apply.
Then the system forwards logs based on the log forwarding rule and Syslog level
on the Forwarding Server page.
----End
1.18.3 Setting Log Dump (the NetEco)
Security logs, system logs, and operation logs are stored in the database after
being generated. To ensure sufficient database space, the system automatically
dumps the logs that meet specified conditions to the hard disk as files. To ensure
sufficient hard disk space, the system automatically deletes the log files that meet
specified conditions from the hard disk. You can specify the conditions for
dumping logs and deleting log files based on site requirements.
Prerequisites
You have obtained the passwords for the sopuser and ossuser users for logging in
to the node where SMLogLic resides.
Context
● Conditions for dumping logs: The number of logs in the database exceeds 1 million, the size of the logs in the database exceeds 80% of the capacity, or the number of days for storing the logs exceeds 45 days. To ensure sufficient database space, the system checks logs every hour and saves logs that meet the requirements to the hard disk of a server. Then the dumped logs are automatically deleted from the database.
● Conditions for deleting log files: The size of the log files is greater than 1024 MB, the log files are stored for more than 45 days, or the total number of log files exceeds 1000. To ensure sufficient disk space, the system checks log files every hour and deletes log files meeting the requirements from the hard disk.
NOTE
The values in the preceding conditions for dumping logs and deleting log files are
default values.
Procedure
Step 1 Use PuTTY to log in to the node where SMLogLic resides, as the sopuser user in
SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 2 Run the following command to switch to the ossuser user:
su - ossuser
Password: password for the ossuser user
Step 3 Run the following commands to set the log dump parameters:
cd /opt/oss/NetEco/apps/SMLogLicService/bin
● To query the settings of the log dump parameters, run the following command:
./auditTool.sh -cmd list
If information similar to the following is displayed, the log dump parameter
settings are successfully queried:
The configuration information is as follows:
Dump file compression status: Compressed
Dump file generation status: Generated
Dump file type: CSV
Log retention days: 1000
Dump task status: Activated
Log file retention days: 365
Total number of files in the dump directory: 1000
Total file size in the dump directory (MB): 6144.00
Maximum data records stored in the database table: 1000000
Log space usage (%): 80.00
The script is executed successfully.
● To set log dump parameters, run the following command:
./auditTool.sh -s Percentage of the database space occupied by logs -p
Number of days during which logs are stored in the database -f Number of
days during which log files are stored -a Whether to enable log dump -g
Whether to generate dump files -c Whether to compress files -n Total number
of files in the dump directory -S Total size of files in the dump directory
If information similar to the following is displayed, the log dump parameters
are successfully set:
The script is executed successfully.
For details about the parameters in the command, see Table 1-65.
Table 1-65 Parameter description
| Parameter | Value |
|---|---|
| Percentage of the database space occupied by logs | Default value: 80. Value range: an integer from 0 to 100. If this parameter is set to 0, this parameter is not used. |
| Number of days during which logs are stored in the database | Default value: 45. Value range: an integer from 0 to 1000. If this parameter is set to 0, this parameter is not used. |
| Number of days during which log files are stored | Default value: 45. Value range: an integer from 1 to 365. |
| Whether to enable log dump | Default value: 1. Value range: 0 or 1. 0 indicates that log dump will be disabled and 1 indicates that log dump will be enabled. |
| Whether to generate dump files | Default value: 1. Value range: 0 or 1. 0 indicates that dump files will not be generated and 1 indicates that dump files will be generated. |
| Whether to compress dump files | Default value: 1. Value range: 0 or 1. 0 indicates that dump files will not be compressed and 1 indicates that dump files will be compressed. |
| Total number of files in the dump directory | Default value: 1000. Value range: an integer from 200 to 3000. |
| Total size of files in the dump directory | Default value: 1024. Value range: an integer from 200 to 6144. |
----End
Operation Result
The system checks logs every hour, saves the logs that meet specified conditions
to a .csv or .zip file, and stores the file to the /opt/share/oss/NetEco/XXXService/
dump/timestamp/timestamp directory on the hard disk. The value of XXXService
can be SMLogLicService or MCCommonService.
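The following added example (not part of the NetEco guide or of Huawei tooling) parses the output of ./auditTool.sh -cmd list shown above and checks it against a retention policy. The policy minimums, the value "Deactivated", and the mapping of "Log retention days" to the database retention parameter and "Log file retention days" to the file retention parameter are assumptions.

```python
# Output of `./auditTool.sh -cmd list`, copied from the sample on this page.
PAGE_OUTPUT = """The configuration information is as follows:
Dump file compression status: Compressed
Dump file generation status: Generated
Dump file type: CSV
Log retention days: 1000
Dump task status: Activated
Log file retention days: 365
Total number of files in the dump directory: 1000
Total file size in the dump directory (MB): 6144.00
Maximum data records stored in the database table: 1000000
Log space usage (%): 80.00
The script is executed successfully.
"""


def parse_list_output(text):
    """Return {label: value} for every 'label: value' line of the list output."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if sep and value.strip():
            settings[label.strip()] = value.strip()
    return settings


def check_retention(settings, min_db_days, min_file_days):
    """Compare the parsed settings with a site policy (the minimums are assumptions)."""
    findings = []
    # "Activated" and "Generated" are the states shown in the page's sample output.
    if settings.get("Dump task status") != "Activated":
        findings.append("log dump is not activated")
    if settings.get("Dump file generation status") != "Generated":
        findings.append("dump files are not generated")
    db_days = int(settings.get("Log retention days", "0"))
    # Table 1-65: 0 means the criterion is not used, so 0 is not a violation.
    if 0 < db_days < min_db_days:
        findings.append("database retention %d days is below the required %d"
                        % (db_days, min_db_days))
    file_days = int(settings.get("Log file retention days", "0"))
    if file_days < min_file_days:
        findings.append("log file retention %d days is below the required %d"
                        % (file_days, min_file_days))
    return findings


if __name__ == "__main__":
    current = parse_list_output(PAGE_OUTPUT)
    for finding in check_retention(current, min_db_days=45, min_file_days=180) or ["no findings"]:
        print(finding)
```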
1.18.4 Log Reference (the NetEco)
1.18.4.1 Security-related Log List
The security-related log list includes security-related logs of all services stored in
the database.
Table 1-66 provides the security-related log list.
Table 1-66 Security-related log list
| Log Name | Function | Where to Store | Query Method |
|---|---|---|---|
| Operation log | Records user operations performed in the system that do not affect system security. | Operation logs are stored in the T_OPERATIONLOG table of the database. | Choose Security > Log Management > Operation Logs. |
| System log | Records system operations or tasks. | System logs are stored in the T_SYSTEMLOG table of the database. | Choose Security > Log Management > System Logs. |
| Security log | Records user operations performed in the system that affect system security. | Security logs are stored in the T_SECURITYLOG table of the database. | Choose Security > Log Management > Security Logs. |
1.18.4.2 Security-related Log Description
During the running process of each service, security logs, system logs, and
operation logs are recorded into the database. The administrator can query
security-related logs in the portal of the NetEco client.
1.18.4.2.1 Operation Logs
Introduction
Operation logs record all security-irrelevant operations on the NetEco client, for
example, acknowledging alarms and clearing alarms.
Field Description
Table 1-67 describes the meanings of fields in operation logs.
Table 1-67 Description of operation log fields
| Field Name | Description | Example |
|---|---|---|
| Operation | Name of an operation performed on NetEco. | Query logs |
| Level | Level of the damage caused by an operation performed on NetEco, such as warning, minor, and risk. | Warning |
| Operator | User who performs an operation. | admin |
| Time | Time when an operation is performed. It is accurate to seconds. | 2016-03-13 19:45:26 |
| Source | Function module that a user performs operations on. | Log Management |
| Terminal IP Address | IP address of the host where an operation is performed. | 10.66.54.108 |
| Operation Object | Object that a user performs operations on. | Log Management |
| Result | Operation result, such as successful, failed, and partially successful. | Successful |
| Details | Other information about an operation. | Operation logs queried successfully. |
1.18.4.2.2 System Logs
Introduction
System logs record tasks that affect the running status of NetEco on the NetEco
server. These tasks are triggered by the NetEco client (for example, starting or
executing a scheduled task) or by the NetEco server (for example, starting or
stopping the NetEco service).
Field Description
Table 1-68 describes the fields in system logs.
Table 1-68 Description of system log fields
| Field Name | Description | Example |
|---|---|---|
| Basic Information | Name of the system task that generates a log. | User logout |
| Level | Level of the damage caused by an operation performed on NetEco, such as warning, minor, and critical. | Minor |
| Time | Time when an operation is performed. It is accurate to seconds. | 2016-06-13 10:45:26 |
| Source | Function module that a user performs operations on. | Login management |
| Result | Operation result, such as successful, failed, partially successful, and unknown. | Successful |
| Details | Other information about an operation. | The user has been idle for more than the specified amount of time. User name: admin. IP address: 10.74.166.181. |
1.18.4.2.3 Security Logs
Introduction
Security logs record the operations that affect system security on the NetEco
client, for example, logging in to NetEco.
Field Description
Table 1-69 describes the fields in security logs.
Table 1-69 Description of security log fields
| Field Name | Description | Example |
|---|---|---|
| Operation | Name of an operation performed on NetEco. | Change password |
| Level | Level of the damage caused by an operation performed on NetEco, such as warning, minor, and risk. | Minor |
| Operator | User who performs an operation. | admin |
| Time | Time when an operation is performed. It is accurate to seconds. | 2016-06-14 10:50:01 |
| Terminal IP Address | IP address of the host where an operation is performed. | 10.66.50.141 |
| Operation Object | The object that a user performs operations on. LocalNMS indicates NetEco. | LocalNMS |
| Result | Operation result, such as successful, failed, and partially successful. | Successful |
| Details | Other information about an operation. | The password is successfully changed. |
1.18.4.3 Server Logs
During the operation of the service, audit logs that record the execution of
commands and audit logs that record the database status are generated. This
section describes the log locations, formats, and query methods for both types of
logs.
Table 1-70 lists server logs.
Table 1-70 Server logs
| Log Type | Log File Name | Location | Query Method |
|---|---|---|---|
| Command audit log | messages | /var/log/ | For details, see 1.23.17 How Do I View Command Audit Logs? |
| Database audit log | ● Redis: database instance name-login.log ● GaussDB T V3: zengine_timestamp.aud, zengine.aud | ● Redis: /opt/redis/data/database instance name ● GaussDB T V3: /opt/zenith/data/database instance name/log/audit | For details, see 1.23.18 How Do I View Database Audit Logs? |
1.18.4.3.1 Command Audit Logs
Log Path
For EulerOS, command audit logs are stored in the /var/log/messages file.
For details about how to query command audit logs recorded in the system, see
1.23.17 How Do I View Command Audit Logs?
Log Format
For EulerOS, a command audit log is in the following format:
2019-01-08T23:16:13.371760+08:00 linux ossadm: install.sh;Successful;
127.0.0.1;Excute execution install.sh.
2019-01-08T23:16:15.101018+08:00 linux ossadm: install.sh;Successful;
172.28.199.1;Excute execution install.sh to install osconfig.
Table 1-71 describes the fields in command audit logs.
Table 1-71 Description of fields in command audit logs
| Field | Example | Description |
|---|---|---|
| Date | Mar 12 | Date when a log is recorded. |
| Time | 18:48:27 | Time when the log is recorded. |
| Node name | IAMGloble01 | Name of the node where the command is executed. |
| Authorized user | ossadm | User who runs the command. |
| Script | app_profile.sh | Command that is executed. |
| Execution result | ErrorCode:0 | Execution result of a command. |
| IP address | 127.0.0.1 | IP address of the client where the command is executed. |
| Details | Execute app_profile.sh | Log details. |
Archival Period
The archival period is determined by the OS because the OS automatically
archives logs. Archive files are saved in the same path as the log files and are
named messages.x.gz, for example, messages.5.gz.
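The following added example (not part of the NetEco guide or of Huawei tooling) parses command audit records from /var/log/messages into the fields of Table 1-71 and lists records that were run from a non-local client or did not report success. The sample lines are constructed from the two records shown above plus two invented lines; the result value "Failed" is an assumption.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed input. Lines 1-2 are the page's EulerOS samples with each record on
# one line; line 3 is invented ("Failed" and the ';' inside its details are
# assumptions); line 4 is an unrelated syslog entry that must be ignored.
SAMPLE_LINES = [
    "2019-01-08T23:16:13.371760+08:00 linux ossadm: install.sh;Successful;127.0.0.1;Excute execution install.sh.",
    "2019-01-08T23:16:15.101018+08:00 linux ossadm: install.sh;Successful; 172.28.199.1;Excute execution install.sh to install osconfig.",
    "2019-01-08T23:20:02.000001+08:00 linux ossadm: app_profile.sh;Failed;10.0.0.7;Execute app_profile.sh; retry",
    "2019-01-08T23:21:00.000001+08:00 linux crond[812]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Result values that appear on this page; any other value is reported.
OK_RESULTS = {"Successful", "ErrorCode:0"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<node>\S+)\s+(?P<user>[^\s:]+):\s*(?P<body>.*)$")


def parse_command_audit(line):
    """Return the Table 1-71 fields as a dict, or None for non-audit lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Script, result and IP address come first; split only three times so a ';'
    # inside the free-text details does not shift the fields.
    parts = [p.strip() for p in m.group("body").split(";", 3)]
    if len(parts) != 4:
        return None
    script, result, ip, details = parts
    try:
        when = datetime.fromisoformat(m.group("ts"))
        addr = ip_address(ip)
    except ValueError:
        return None  # some other syslog line that happens to contain ';'
    return {"time": when, "node": m.group("node"), "user": m.group("user"),
            "script": script, "result": result, "ip": str(addr), "details": details}


def review(lines):
    """Return (record, reasons) for every record that deserves a second look."""
    findings = []
    for line in lines:
        rec = parse_command_audit(line)
        if rec is None:
            continue
        reasons = []
        if not ip_address(rec["ip"]).is_loopback:
            reasons.append("non-local client")
        if rec["result"] not in OK_RESULTS:
            reasons.append("result " + rec["result"])
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review(SAMPLE_LINES):
        print(rec["time"].isoformat(), rec["user"], rec["script"], rec["ip"], ", ".join(reasons))
```

The same functions work on the rotated archives after decompression, for example by reading messages.5.gz with Python's gzip module.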
1.18.4.3.2 Database Audit Logs
Log Path
For details about the audit log path for each type of database, see Table 1-72.
Table 1-72 Paths for database audit logs
| Database Type | Log path |
|---|---|
| Redis | /opt/redis/data/Database instance name/Database instance name-login.log |
| GaussDB T V3 | /opt/zenith/data/Database instance name/log/audit |
Log Format
● A Redis database audit log is in the following format:
26862:M 18 Sep 22:48:31.585 * The readdbuser Logged out Successfully;10.67.178.153:56345;
26862:M 18 Sep 22:48:33.110 * The readdbuser logged in successfully;10.67.178.154:37077;
26862:M 18 Sep 22:48:37.981 * 10.67.178.153:34407 operation:config get master-read-only
Table 1-73 describes the fields in Redis database audit logs.
Table 1-73 Description of fields in Redis database audit logs
| Field Name | Description | Example |
|---|---|---|
| Process number of the Redis database | - | 26862 |
| Primary/Standby instance | M indicates the primary instance and S indicates the standby instance. | M |
| Date | Date when the log operation is performed. | 18 Sep |
| Time | Time when the log is recorded. | 22:48:31.585 |
| Execution result | Execution result. | The readdbuser Logged out Successfully |
| IP address | IP address of the client where the command is executed. | 10.67.178.153 |
| Peer ID | - | 56345 |
● A GaussDB T V3 database audit log is in the following format:
UTC+8 2018-08-06 22:01:10.477
LENGTH: "226"
SESSIONID:[2] "48" STMTID:[1] "0" USER:[3] "SYS" HOST:[12] "10.93.58.196" ACTION:[7] "PREPARE"
RETURNCODE:[1] "0" SQLTEXT:[97] "create database zenithdb LOGFILE('log1' size 128M, 'log2' size 128M, 'log3' size 128M) archivelog"
Table 1-74 describes the fields in Zenith database audit logs.
Table 1-74 Description of fields in GaussDB T V3 database audit logs
| Field Name | Description | Example |
|---|---|---|
| TIME | Date and time when the log is recorded. | UTC+8 2018-08-06 22:01:10.477 |
| LENGTH | Log length. | 226 |
| SESSIONID | Database session ID. | 48 |
| STMTID | Database handle ID. | 0 |
| USER | Name of the user for logging in to the database. | SYS |
| HOST | IP address of the client connecting to the database. | 10.93.58.196 |
| ACTION | Operation type. | PREPARE |
| RETURNCODE | Operation return code. | 0 |
| SQLTEXT | SQL statement for auditing. | create database zenithdb LOGFILE('log1' size 128M, 'log2' size 128M, 'log3' size 128M) archivelog |
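The following added example (not part of the NetEco guide or of GaussDB tooling) parses GaussDB T V3 audit records by their declared lengths instead of by their quotes, so SQL text that itself contains double quotes cannot shift the fields. It assumes, from the one sample record above, that each bracketed number is the character length of the quoted value and that LENGTH is the length of the field line; the second record and the render() helper are constructed for the example.

```python
import re

HEADER_RE = re.compile(
    r'(UTC[+-]\d+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+LENGTH: "(\d+)"\s*')
FIELD_RE = re.compile(r'\s*([A-Z]+):\[(\d+)\] "')
# Quote-delimited matching, kept only to compare with the length-based parser.
NAIVE_RE = re.compile(r'([A-Z]+):\[\d+\] "([^"]*)"')

# The page's sample record with the field line unwrapped onto one line.
PAGE_RECORD = (
    'UTC+8 2018-08-06 22:01:10.477\n'
    'LENGTH: "226"\n'
    'SESSIONID:[2] "48" STMTID:[1] "0" USER:[3] "SYS" HOST:[12] "10.93.58.196" '
    'ACTION:[7] "PREPARE" RETURNCODE:[1] "0" SQLTEXT:[97] "create database zenithdb '
    "LOGFILE('log1' size 128M, 'log2' size 128M, 'log3' size 128M) archivelog\"\n"
)


def render(time, fields):
    """Build a record in the same layout (used only for the constructed sample)."""
    body = " ".join('%s:[%d] "%s"' % (k, len(v), v) for k, v in fields)
    return '%s\nLENGTH: "%d"\n%s\n' % (time, len(body), body)


# Constructed record: the SQL text holds double quotes and a string literal that
# looks like another audit field.
QUOTED_SQL = 'select "C1" from T where C2 = \'USER:[3] "SYS"\''
CONSTRUCTED_RECORD = render("UTC+8 2018-08-06 22:05:00.000", [
    ("SESSIONID", "49"), ("STMTID", "0"), ("USER", "APPUSER"), ("HOST", "10.0.0.23"),
    ("ACTION", "PREPARE"), ("RETURNCODE", "0"), ("SQLTEXT", QUOTED_SQL)])


def parse_record(text, pos=0):
    """Parse one record starting at pos; return (fields, position after it)."""
    m = HEADER_RE.match(text, pos)
    if not m:
        raise ValueError("no record header at offset %d" % pos)
    declared = int(m.group(3))
    body_start = m.end()
    body = text[body_start:body_start + declared]
    fields = {"TIME": m.group(1) + " " + m.group(2), "LENGTH": declared}
    i = 0
    while i < len(body):
        f = FIELD_RE.match(body, i)
        if not f:
            raise ValueError("unparseable field at body offset %d" % i)
        name, size = f.group(1), int(f.group(2))
        start = f.end()
        value = body[start:start + size]
        # The value must be exactly `size` characters and be followed by a quote.
        if len(value) != size or body[start + size:start + size + 1] != '"':
            raise ValueError("%s: declared length %d does not fit" % (name, size))
        fields[name] = value
        i = start + size + 1
    if len(body) != declared:
        raise ValueError("record shorter than LENGTH %d" % declared)
    return fields, body_start + declared


def parse_all(text):
    """Parse every record in text, skipping whitespace between records."""
    records, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        rec, pos = parse_record(text, pos)
        records.append(rec)
    return records


def naive_fields(text):
    """What quote-delimited matching returns; later matches overwrite earlier ones."""
    return dict(NAIVE_RE.findall(text))


if __name__ == "__main__":
    for rec in parse_all(PAGE_RECORD + CONSTRUCTED_RECORD):
        print(rec["TIME"], rec["USER"], rec["HOST"], rec["ACTION"], rec["SQLTEXT"])
    print("quote-delimited USER:", naive_fields(CONSTRUCTED_RECORD)["USER"])
```

On a real audit file whose SQL text contains non-ASCII characters, the lengths may be byte counts rather than character counts; that is not determinable from the sample on this page.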
Archival Rules
Table 1-75 shows the audit log archival period of each database type.
Table 1-75 Archival rules of the database audit logs
| Database Type | Archival Rules |
|---|---|
| Redis | ● A maximum of 50 archive files can be saved. If the number of archive files reaches 50, the earliest archive file is deleted when the next file is archived. ● A Redis database archive file is named Service namelogin.log.Archive time.zip, for example, pmdataservicerdb-2-36login.log.20171119184230174.zip. |
| GaussDB T V3 | When the number or occupied disk space of audit files exceeds the threshold, the system deletes the earliest audit files and records information about deleting audit files in the audit logs. ● The default disk space of audit files is 100 MB. You can set the disk space as required. ● The maximum number of audit files is 10. You can set a larger value as required, but the performance may be affected. |
1.19 Security Management
Security management prevents unauthorized users from accessing the system and
ensures system data security.
1.19.1 Setting the System Login Mode
Multi-user mode and single-user mode are available for system login. In most
cases, the system runs in multi-user mode. If you need to perform maintenance
operations on the PowerEcho (for example, adjusting the role to which a user is
attached, managed objects, or operation rights), switch to the single-user mode to
prevent other users' operations from affecting the system maintenance operations.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > Security Settings from the menu.
Step 2 On the System Login Mode page, select a login mode.
NOTE
● Switching to Single-user mode allows only the admin user to log in and will force a
logout of other users online. Therefore, exercise caution when performing this operation.
However, third-party users can log in.
● If Single-user mode is selected, you can set Switching duration. Value 0 indicates that
the system immediately switches to the single-user mode. Other values indicate that the
system switches to the single-user mode after the specified period of time.
● If Multi-user mode is selected, the system immediately switches to the multi-user
mode.
Step 3 Click Apply.
----End
Follow-up Procedure
You are advised to switch the system to the multi-user mode immediately after
finishing maintenance so that other users can use the system.
1.19.2 Creating Users
After a security administrator creates a user and attaches the user to a role, the
user has the permissions of this role.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Precautions
For security purposes, the PowerEcho accounts are used only by maintenance
personnel of the system. Do not disclose the accounts to external organizations or
third-party personnel.
Disabling a user will force online sessions of the user on the PowerEcho to be
logged out. Exercise caution when performing this operation.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Users.
Step 3 On the Users page, perform the following operations as prompted based on the
number of users to be created:
● To create a single user, click Create.
NOTE
– You can quickly create a user by clicking Copy in the Operation column of a user
and adjusting the information as required. The admin user has permission to
perform security operations and therefore cannot be copied.
– When creating a user as the admin user, you are advised not to attach the user to
both the Administrators and SMManagers roles to ensure system security. Users
attached to both the Administrators and SMManagers roles have the maximum
permission on all resources in the system. Therefore, perform operations using
these user accounts with caution. Do not perform any operations affecting system
security. For example, do not share or distribute these usernames and passwords.
● To create users in batches, click and choose Import Users.
----End
Related Tasks
For details about other operations, see 1.19.5.1 Common Operations for User
Information Maintenance.
1.19.3 Adjusting Permission After Changing Role of a User
After the position of an employee is changed, security administrators need to
adjust the role to which the user account of the employee is attached to change
permissions of the employee.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
A position change occurs in the following situations:
● An employee is recruited.
● The role of an employee (as a user) is changed.
● An employee resigns.
Precautions
Disabling or deleting a user will force online sessions of the user on the
PowerEcho to be logged out. Exercise caution when performing this operation.
Procedure
● An employee is recruited.
   a. Choose System > Security Management > User Management from the menu.
   b. In the navigation pane, choose Users.
   c. On the Users page, click Create.
   d. On the displayed page, set basic user information and click Next.
   e. Select the role to which the user is attached and click Next.
   f. Set access control information about the user and click OK.
● The role of an employee (as a user) is changed.
   a. Choose System > Security Management > User Management from the menu.
   b. In the navigation pane, choose Users.
   c. Click the name of the user whose role is changed and go to the Roles tab page.
   d. Click Edit in the upper right corner of the page.
   e. Add or delete the role of a user based on the user position changes.
● An employee resigns.
   a. Choose System > Security Management > User Management from the menu.
   b. In the navigation pane, choose Users. Check whether the employee
      account needs to be reserved.
      ▪ If you want to retain the account, click Disable in the Operation
        column of the row that contains the user to disable the user.
      ▪ If you do not want to retain the account, click Delete in the
        Operation column of the row that contains the user to delete the user.
1.19.4 Monitoring Users
User sessions can be monitored so that security administrators can know the
online users in the system, access addresses of these users, access time, and roles
of the users. When detecting an unauthorized user operation, the system sends a
message to the user or forcibly logs out the user.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● A user session refers to a connection between a user and the system. A
session starts when the user logs in to the system and ends when the user
logs out of the system. A user can generate multiple sessions.
● The maximum number of online sessions for a user is specified by the Max.
online sessions parameter.
● Users' personal information is not monitored during session monitoring.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Online Users.
The information about all online users is displayed in the list.
NOTE
Client Name indicates the name of the client where this session is generated.
Step 3 Click Monitor in the Operation column of the target user to view the status of
the user.
● The User Operations list displays only operations performed after the Online
Users page is opened. Operations of the monitored users are updated in the
User Operations list in real time.
● Level indicates the risk level of an operation, including Risk, Minor, and
Warning. The value of Level is the same as that recorded in operation logs.
Step 4 To send a message to a user, click Send Message in the Operation column of the
user. Alternatively, select multiple users and click Send Message above the user
list to send messages to these users.
Step 5 When detecting that a user is performing risky operations, click Log Out in the
Operation column of the user to forcibly log out the user. Alternatively, select
multiple users and click Log Out above the user list to force a logout of these
users in batches.
NOTICE
This operation involves user login status and may force a logout of logged-in
users. Therefore, exercise caution when performing this operation.
----End
1.19.5 User Maintenance
Security administrators can maintain user, role, and operation set information, and
reset other users' passwords.
1.19.5.1 Common Operations for User Information Maintenance
Common operations for user information maintenance include viewing user
information, enabling users, disabling users, deleting users, exporting user
information, and modifying user information.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Users.
Step 3 Perform the following operations as needed.
Table 1-76 User maintenance operations

Common Operation: Viewing user information
Procedure: Click a username to view the user information.

Common Operation: Disabling a user
Procedure: Click Disable in the Operation column of the row that contains
the user you want to disable.

Common Operation: Enabling a user
Procedure: Click Enable in the Operation column of the row that contains the
user you want to enable.

Common Operation: Deleting users
Procedure: Click Delete in the Operation column of the row that contains the
user to be deleted or select the users to be deleted and click Delete.
NOTE
● Default users, current user, and users attached to the SMManagers role
cannot be deleted.
● Deleting a logged-in user will force a logout of the user. Therefore,
exercise caution when performing this operation.

Common Operation: Importing user information
Procedure:
1. On the Users page, click and choose Import Users.
2. On the Import Users page, click the template name to download the
template and enter user information in the template.
NOTE
– The system provides two template formats: User Template.xls and
User Template.xlsx, and you can edit the template in .csv format.
Select a template format as required.
– When editing a template in .csv format and creating a time policy,
add double quotation marks before and after the time policy to
ensure that the import is successful. The following shows an example.
"NewTimePolicy;start-time:00:00,end-time:23:59;start-date:2017-01-01,end-date:2017-12-31;week:135"
3. Fill in user information based on the template.
4. Set Import Mode, and click . In the dialog box that is displayed, select the
edited template.
5. Click Create or Modify.
After the import is complete:
a. On the displayed page, view the number of successfully imported
operation sets and the number of operation sets that fail to be imported.
b. In the Result list, view the imported users and their details.
c. If partial failure occurs, modify the user information that failed to be
imported based on the details, and import them again.
6. Click OK.

Common Operation: Exporting user information
Procedure: To export information about all users, click and choose
Export All Users. To export information about certain users, select
these users and click Export Selected Users.
NOTE
● The Password, Mobile number, and Email address fields are not
exported. Therefore, the values of these fields are empty in the exported
user information file.
● The file is exported in .csv or .xlsx format and downloaded to the local
PC as a .zip package.

Common Operation: Modifying user information
Procedure:
1. Click the name of the user whose information needs to be modified.
2. Select the tab to be modified and click Edit to modify the user
information.
NOTE
– Auto-logout if no activity within: If a user does not perform any
operation within the period specified by this parameter, the user will
be logged out. This parameter can be set for local users and remote
users and cannot be set for third-party users.
– During user modification, setting Enable account to No for a
logged-in user will force a logout of the user. Therefore, exercise
caution when performing this operation.
3. Click OK.

Common Operation: Unlocking users
Procedure:
● To unlock a user: Click Unlock in the Operation column of the
row that contains the user.
● To unlock users in batches:
1. Optional: You can change All statuses to Locked to quickly
filter all locked users.
2. Select users to be unlocked.
3. Click and choose Batch Unlock Users.
NOTE
Default users, unlocked users, current user, and users attached to the
SMManagers role cannot be unlocked.
----End
1.19.5.2 Creating a Role and Granting Permissions
If the default roles provided by the system cannot meet user authorization
requirements in the authorization plan, security administrators need to create
roles and grant them permissions based on the plan.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● If only a few roles are required, create them one by one.
● If multiple roles are required or the roles are obtained from the files exported
from other systems, create roles in batches.
Procedure
● Creating a single role
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Roles.
Step 3 On the Roles page, click Create.
NOTE
You can quickly create a role by clicking Copy in the Operation column of a role and
modifying the information as required.
Step 4 On the page that is displayed, set basic role information.
Step 5 Select the users to be attached to the role.
After role authorization is complete, the users you have selected have the
permissions included in this role.
Step 6 Click Next. On the Select Operation Rights page, click Application-Level to set
application-level permissions of the role based on the authorization plan for
application-level permissions of the role.
Step 7 Click OK.
----End
● Creating roles in batches
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Roles.
Step 3 On the Roles page, click and choose Batch Create Roles.
Step 4 On the Batch Create Roles page, click a template name to download the
template.
NOTE
The system provides two template formats: Role Template.xls and Role Template.xlsx.
Select a template format as required.
Step 5 Fill in role information based on the template.
Step 6 Click . In the displayed dialog box, select the edited template.
Step 7 Click Upload.
After roles are imported, you can perform the following operations:
1. On the displayed page, view the number of successfully imported roles and
the number of roles that fail to be imported.
2. In the Result list, view the imported roles and their details.
3. If partial failure occurs, modify the role information that failed to be imported
based on the details, and import them again.
Step 8 Click OK.
Step 9 Grant permissions to the roles created in batches based on the authorization plan.
1. On the Roles page, click a role name.
2. On the Managed Objects or Operation Rights tab page, click Edit, and grant
permissions to the role.
----End
Follow-up Procedure
If a user logs in to a third-party system in SSO mode, role information (excluding
operation rights) about this user can be synchronized to the third-party system. To
ensure that this user has the same operation rights on the third-party system as
those on the system, create the same role for the user on the third-party system
and bind the same operation rights to the role.
Related Tasks
For details about how to maintain role information, see 1.19.5.3 Common
Operations for Role Information Maintenance.
1.19.5.3 Common Operations for Role Information Maintenance
Common operations for role information maintenance include viewing role
information, deleting roles, exporting role information, and modifying role
information.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Roles.
Step 3 Perform the following operations as needed.
Table 1-77 Role maintenance operations

Common Operation: Viewing role information
Procedure: Click a role name to view information about this role.

Common Operation: Deleting roles
Procedure: Click Delete in the Operation column of the row that contains
the role to be deleted or select the roles to be deleted and click Delete.
NOTE
● You cannot delete default roles and the roles to which the current user
is attached.
● Deleting roles will cause the users attached to these roles to lose the
permissions of the roles. Therefore, exercise caution when performing
this operation.

Common Operation: Exporting role information
Procedure: Click and choose Export All Roles to export information
about all roles.
NOTE
● If the number of roles exceeds 500, role information is exported to
multiple files. That is, each file contains information about a maximum
of 500 roles.
● The file is exported in .csv or .xlsx format and downloaded to the local
PC as a .zip package.

Common Operation: Modifying role information
Procedure:
1. Click the name of a role whose information needs to be modified.
2. Select the tab to be modified and click Edit to modify the role
information.
NOTE
– You cannot modify the managed objects and operation rights of the
roles to which the current user is attached.
– You cannot modify the managed objects and operation rights of
default roles.
– Modifying the role information will change the permissions of users
attached to this role. Therefore, exercise caution when performing
this operation. The permission changes will take effect upon page
refreshing or after next login of these users.
----End
1.19.5.4 Creating a User-defined Operation Set
If operation sets are planned during authorization planning, security
administrators need to create user-defined operation sets before authorizing users.
Authorizing roles using operation sets improves authorization efficiency.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Operation Sets.
Step 3 On the Operation Sets page, click Create.
NOTE
You can quickly create an operation set by clicking Copy in the Operation column of an
operation set and adjusting the information as required.
Step 4 On the displayed page, set Operation set name, Type, and Description.
Step 5 Select the operation rights to be included in the operation set from the list of
available operation rights.
NOTE
You can delete redundant operation rights from the operation list by selecting these
operation rights and clicking Delete.
Step 6 On the Operation Sets page, click OK.
----End
Related Tasks
For details about operations related to operation sets, see 1.19.5.5 Common
Operations for Operation Set Information Maintenance.
1.19.5.5 Common Operations for Operation Set Information Maintenance
Common operations for operation set maintenance include viewing operation set
information, deleting an operation set, and modifying operation set information.
Importing and exporting operation sets are applicable to system data migration.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Operation Sets.
Step 3 Perform the following operations as needed.
Table 1-78 Operation set maintenance operations
Common Operation: Viewing operation set information
Procedure: Click an operation set name to view details about the operation
set.

Common Operation: Deleting an operation set
Procedure: Click Delete in the Operation column of the row that contains
the operation set.
NOTE
● If the deleted operation set is associated with a user, the user will
lose all operation rights included in the deleted operation set.
● You cannot delete default operation sets and the operation sets to
which the role of the current user is bound.

Common Operation: Modifying operation set information
Procedure:
1. Click the name of an operation set whose information needs
to be modified.
2. Click Edit and modify the operation rights in the operation
set.
NOTE
● If the modified operation set is associated with a user, the change
takes effect the next time the user logs in.
● You cannot modify operation rights included in default operation sets
or the operation sets to which the role of the current user is bound.

Common Operation: Importing operation sets
NOTE
Only the admin user can perform this operation.
Procedure:
1. Click and choose Import Operation Sets.
2. On the Import Operation Sets page, click .
3. In the displayed dialog box, select the .zip file to be imported.
4. Click Create.
When the import is complete, perform the following
operations to check the import result:
a. On the displayed page, view the number of successfully
imported operation sets and the number of operation sets
that fail to be imported.
b. In the Result list, view the imported operation sets and
their details.
c. If partial failure occurs, modify the operation set
information that failed to be imported based on the
details, and import them again.
5. Click OK to close the Import Operation Sets page.

Common Operation: Exporting all operation sets
NOTE
Only the admin user can perform this operation.
Procedure: Click and choose Export All Operation Sets to export all
operation sets created by the user.
In the .zip file to be exported, a .csv file contains a maximum of
100 operation sets of the same type. If the number of operation
sets exceeds 100, the operation sets are exported to multiple
files.
----End
1.19.5.6 Modifying User Information in Batches
Security administrators can modify user information (such as Max. online
sessions and Login Time Policy) in batches, improving system security.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● You can use the following methods to modify user information in batches:
– Using the Batch Modify Users function
Select the users whose information needs to be modified and click Batch
Modify Users.
– Modifying an exported user information file
Export user information as a file, edit the file, and then import it to the
system.
● The operations in this section involve user permission adjustment, which may
force a logout of logged-in users. Therefore, exercise caution when performing
this operation.
Procedure
● Using the Batch Modify Users function
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Users.
Step 3 In the user list, select one or more users, click , and choose Batch Modify
Users.
Step 4 On the User List tab page, confirm the users whose information needs to be
modified. Then, click Next.
Step 5 Select the user information to be modified on the Modification Items page as
required. Click OK. On the Modification Result page, view the modification
results and details.
If the existing time policies do not meet the requirements, click Create to create a
policy and then click Refresh. Then, you can select the new time policy from the
time policy list.
NOTE
● You cannot modify the admin user and your own information.
● A maximum of 100 users can be modified at a time.
● After the login time policy is modified, the users who do not meet the policy
requirements will be forcibly logged out if Log out of sessions that do not comply
with client IP address or login time policies is selected in the account policy.
Step 6 Click OK.
----End
● Modifying an exported user information file
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Users.
Step 3 Select the users whose information needs to be exported, click , and choose
Export Selected Users or Export All Users.
Step 4 In the Select File Format dialog box, select a file format and click OK.
Step 5 Modify the exported user information file.
● When modifying the user information file, do not change the sequence of the
fields in the file.
● If you change the value of a field to empty or an invalid value, the value of
this field will not be changed.
● The following user information cannot be modified:
– Type and Region of all users
– All information about the current user and the admin user
– Mobile Number, Email Address, Password, Login Time Policy, Client IP
Address Policy, and Password Validity Period (Days) of remote users
– Roles, Login Time Policy, and Allowed Logins of default users
– Auto-Logout If No Activity Within set for third-party users
Step 6 Click
and choose Import Users.
Step 7 In the Import Users window, choose Update Users to import users.
Step 8 Click
, select the modified user information file, and click Upload.
Step 9 After the import is complete:
● On the displayed page, view the number of successfully imported users and
the number of users who fail to be imported.
● In the Result list, view the imported users and their details.
Step 10 Click OK.
----End
1.19.5.7 Changing Personal Passwords
If passwords are disclosed or remain unchanged for a long time, users can change
their personal passwords by setting personal information. For security purposes,
you are advised to periodically change passwords, for example, every three
months.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > Change Password from the menu.
Step 2 Perform operations as prompted.
NOTE
User information is more secure if a password is changed more frequently. If a user forgets
the password due to frequent password changes, contact security administrators to reset
the password.
----End
1.19.5.8 Resetting a User Password
If a user other than the admin user loses the password or cannot change the
password, this user needs to contact security administrators to reset the password.
For account security purposes, it is recommended that third-party users contact
the security administrator to periodically reset their passwords.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
To reset the password for a security administrator, you have logged in to the
PowerEcho as the admin user.
Precautions
If a user has logged in to the PowerEcho and Force logout after password
change in the password policy is selected, resetting the password for the user will
force the user to log out. Therefore, exercise caution when performing this
operation.
Procedure
Step 1 Choose System > Security Management > User Management from the menu.
Step 2 In the navigation pane, choose Users.
Step 3 Click Reset Password in the Operation column of the row that contains the user
and reset the password.
NOTICE
You are not allowed to reset the password for the admin user. If you forget the
password for the admin user, it cannot be retrieved and you can only reinstall the
system. Therefore, ensure that you memorize the password for the admin user.
----End
1.19.6 Security Policies
Security policies allow you to set access control rules for users. This function
improves O&M efficiency and prevents unauthorized users from accessing the
system to ensure system security.
1.19.6.1 Setting the Account Policy
Security administrators set login or lockout policies for user accounts as needed to
improve system access security. The account policy takes effect for all users.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > Security Policies from the menu.
Step 2 In the navigation pane, choose Account Policy.
Step 3 On the Account Policy page, set the account policy.
NOTE
● If Enable the user policy if no login within a period is selected, the system will
automatically delete the users who meet the policy. Perform this operation with caution.
● Auto-logout if no activity within: If a user does not perform any operation within the
period specified by this parameter, the user will be logged out. The setting takes effect
only for local and remote users and does not take effect for third-party users. If this
parameter is set to Unlimited, user sessions will not be automatically logged out.
● If Show warning upon successful login is selected, a login warning message is
displayed after users log in to the system to notify them of the rules they must obey.
The warning message provides a legal declaration. Security administrators can customize
this warning message based on user management regulation.
● To improve account security, you are advised to enable all the items in the account
policy.
Step 4 Click Apply.
----End
1.19.6.2 Setting the Password Policy
Security administrators set the password complexity, change interval, and
character limitation based on site requirements to prevent users from setting weak
passwords or using a password for a long period of time, improving system access
security. The password policy takes effect for all users.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Context
● If you disable the password complexity policy items and the item of forcibly
changing passwords after they expire, user security is reduced. You are advised
to enable all items for user authentication in the password security policy
provided.
● If the settings of the same policies in the personal policy of a user and the
password policy are different, the settings in the personal policy take effect
for the user.
● Periodically changing passwords can improve user information security and
prevent accounts from being stolen. Exercise caution when disabling the
function of periodically changing passwords and modifying a password
change period.
● A new password policy does not affect the existing passwords.
Procedure
Step 1 Choose System > Security Management > Security Policies from the menu.
Step 2 In the navigation pane, choose Password Policy.
Step 3 On the Password Policy page, set the password policy. Some of the policy
parameters are described in Table 1-79.
Table 1-79 Parameter description
Parameter: Force logout upon password reset
Description: When a user password is reset, all online sessions
generated by the user will be logged out.

Parameter: Password cannot be an increasing, decreasing, or
interval sequence of digits or letters
Description: When setting a user password, the password must meet
the following requirements:
● The password cannot be digits or letters in ascending
or descending sequence.
For example, the password cannot be abcdef, fedcba,
123456, or 654321.
● The password cannot contain an ascending or
descending arithmetic sequence in consecutive odd
digits or even digits.
For example, the password cannot be 1a2a3a,
5a3a1a, a2b2c2, or 2e2c2a.

Parameter: Password cannot contain words in password dictionary
Description: When you create a user and set the password, the
password cannot contain words in the password
dictionary.
● No default password dictionary is provided. You can
customize a password dictionary. For example,
abcd1234 is a weak password and if it is added to
the password dictionary, abcd1234 cannot be used as
a user password.
● In a password dictionary file, passwords are separated
by line feeds. In the dictionary, a password that
contains more than 64 characters is invalid.
NOTE
To update the password dictionary, perform the following steps:
1. Click Download Password Dictionary to download the
existing password dictionary and modify it as required.
2. Click and select the modified password dictionary.
3. Click Upload to update the password dictionary.

Parameter: Convert strings in password based on conversion rules
(refer to help documentation to configure the rules)
NOTE
This parameter is displayed only when Password cannot
contain words in password dictionary is selected.
Description: If a password contains a character string defined in the
string conversion rules, the character string is converted
into other characters based on certain rules. The
converted password must meet complexity requirements.
The string conversion rules define the rules for
converting a character or string into an uppercase or
lowercase letter. For example, if a rule for converting the
string |-|1234 a into x exists in the string conversion
rules, and xbcd!123 is contained in the password
dictionary, and when the policy is enabled, |-|1234 abcd!123
cannot be used as a user password.
NOTE
● For details about how to configure the string conversion
rules, see "Configuring the String Conversion Rules of User
Management".
● Strings refer to strings consisting of dangerous characters,
invisible characters, and characters incurring SQL injection.
Step 4 Click Apply.
----End
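The sequence rule and the dictionary rule with string conversion from Table 1-79 can be modelled offline as follows. This is an added example, not PowerEcho code: the function names, the reading of "sequence" as an arithmetic progression with a non-zero step over at least three characters, and matching dictionary words against both the raw and the converted password are assumptions.

```python
MAX_DICT_WORD_LEN = 64  # from the page: longer dictionary entries are invalid


def _is_progression(chars):
    """True if chars are all digits or all ASCII letters in arithmetic progression.

    Assumption: "ascending/descending sequence" means a constant non-zero
    step between character codes, over at least three characters.
    """
    if len(chars) < 3:
        return False
    all_digits = all(c.isascii() and c.isdigit() for c in chars)
    all_letters = all(c.isascii() and c.isalpha() for c in chars)
    if not (all_digits or all_letters):
        return False
    codes = [ord(c) for c in chars]
    step = codes[1] - codes[0]
    return step != 0 and all(b - a == step for a, b in zip(codes, codes[1:]))


def sequence_violation(password):
    """Return a reason if the password is a plain or interval sequence, else None."""
    if _is_progression(password):
        return "whole password is a sequence"
    if _is_progression(password[0::2]):
        return "odd positions form a sequence"
    if _is_progression(password[1::2]):
        return "even positions form a sequence"
    return None


def load_dictionary(text):
    """Parse dictionary text: one entry per line, entries over 64 characters dropped."""
    return [w for w in text.splitlines() if w and len(w) <= MAX_DICT_WORD_LEN]


def apply_conversion_rules(password, rules):
    """Replace each rule's source string with its target character.

    Assumption: longer source strings are applied first so that overlapping
    rules give a deterministic result.
    """
    for src in sorted(rules, key=len, reverse=True):
        password = password.replace(src, rules[src])
    return password


def dictionary_violation(password, words, rules=None):
    """Return the first dictionary word found in the raw or converted password."""
    candidates = {password, apply_conversion_rules(password, rules or {})}
    for word in words:
        if any(word in candidate for candidate in candidates):
            return word
    return None


def check_password(password, words, rules=None):
    """Collect every policy reason that rejects the password (empty list = accepted)."""
    reasons = []
    seq = sequence_violation(password)
    if seq:
        reasons.append(seq)
    hit = dictionary_violation(password, words, rules)
    if hit:
        reasons.append("contains dictionary word: " + hit)
    return reasons


if __name__ == "__main__":
    # Dictionary and rule taken from the examples in Table 1-79.
    words = load_dictionary("abcd1234\nxbcd!123\n")
    rules = {"|-|1234 a": "x"}
    for pw in ["abcdef", "654321", "1a2a3a", "2e2c2a", "|-|1234 abcd!123", "Tr0ub4dor&3"]:
        print(repr(pw), check_password(pw, words, rules) or "accepted")
```

Running the same candidate passwords with and without the conversion rule shows why the rule matters: without it, |-|1234 abcd!123 passes the dictionary check.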
1.19.6.3 Configuring Service Parameters for User Management
You can modify parameters in CLI mode for the user management function
without redeploying this function.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
Procedure
Step 1 Use PuTTY to log in to the management node, as the sopuser user in SSH mode.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following command to query the settings of service parameters for user
management:
> cd /opt/oss/manager/apps/MCCommonService/bin
> bash userSettingTool.sh -cmd list
If information similar to the following is displayed, the query for service
parameters is successful:
Setting Data:
Whether the user name for login is case-sensitive: 1
Whether to forbid the operation of creating a user with the same name as a deleted user: 0
Whether the local account lockout policy and IP address lockout policy are invalid for remote users in
remote authentication: 1
Whether local authentication is performed when remote authentication fails: 1
Number of deleted users to be saved: 800
Whether a remote user can change their passwords in Oracle LDAP remote authentication: 0
The LDAP authentication scenario supports the following TLS protocols of a low version: [tlsv1.0]
Whether the userlist is simple for GMY: 1
Execute the user setting tool successfully.
Step 4 Run the following command to modify the service parameters for user
management based on the query result and site requirements:
> bash userSettingTool.sh parameter value
Add a space between parameter and value. For details about the parameters and
values, see Table 1-80.
Table 1-80 Parameter description
Parameter: -u
Description: Whether the username for login is case-sensitive.
Value Range:
1: The username is case-sensitive.
0: The username is case-insensitive.

Parameter: -l
Description: Whether local authentication is performed when remote
authentication fails
Value Range:
1: Local authentication is performed after remote
authentication fails. The login welcome information indicates
local authentication. After remote authentication is successful, the
login welcome information indicates remote authentication.
0: Local authentication is not performed when remote
authentication fails. Local authentication or remote
authentication is not displayed in the login welcome information.

Parameter: -d
Description: Whether the local account lockout policy and IP address
lockout policy are invalid for remote users in remote authentication.
Value Range:
1: In remote authentication, the local account lockout policy and IP
address lockout policy are invalid for remote users.
0: In remote authentication, the local account lockout policy and IP
address lockout policy are valid for remote users.

Parameter: -r
Description: Whether a user with the same username as that of a deleted
local user or a deleted third-party user can be created.
Value Range:
1: A user with the same username as that of a deleted local user or a
deleted third-party user cannot be created.
0: A user with the same username as that of a deleted local user or a
deleted third-party user can be created.

Parameter: -n
Description: Number of deleted users to be saved.
Value Range: an integer from 1 to 10000

Parameter: -c
Description: Whether remote users can change their passwords in Oracle
LDAP server remote authentication.
NOTE
The Oracle LDAP server connects to customers' third-party servers for
remote authentication.
Value Range:
1: Remote users can change their passwords.
0: Remote users cannot change their passwords.

Parameter: -p
Description: Whether the TLS protocol of a specified earlier version can
be selected in the LDAP authentication scenario.
NOTE
● This command controls whether the TLS protocol of a low version can be
selected when you add or modify LDAP authentication configurations.
The current low version can still be used, which is not affected by the
command execution.
● For data security during communication, you are advised to use
TLS v1.2 or later to enable the TLS connection for LDAP authentication.
Value Range:
enable value: The TLS protocol value can be selected. The value
can be TLSv1.0 or TLSv1.1.
disable value: The TLS protocol value cannot be selected. The value
can be TLSv1.0 or TLSv1.1.

Parameter: -g
Description: Whether to display the login status and enabling status
columns, and whether to display the All statuses option in the user list.
Value Range:
1: The login status and enabling status columns are not displayed,
and the All statuses option is not displayed.
0: The login status and enabling status columns are displayed, and
the All statuses option is displayed.
If information similar to the following is displayed, the service parameter
configuration is successful:
Execute the user setting tool successfully.
----End
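To review the Step 3 query result for the two settings this guide ties to security advice (low TLS versions selectable for LDAP, and lockout policies not applying to remote users), the output can be parsed as below. This is an added example, not part of the NetEco tooling: the function names are hypothetical, the sample is the output printed in this section (including its wrapped line), and the list syntax for more than one TLS version or for an empty list is an assumption.

```python
SUCCESS_LINE = "Execute the user setting tool successfully."
TLS_KEY = ("The LDAP authentication scenario supports the following "
           "TLS protocols of a low version")
LOCKOUT_KEY = ("Whether the local account lockout policy and IP address lockout "
               "policy are invalid for remote users in remote authentication")

# Output of "bash userSettingTool.sh -cmd list" as printed in this section.
SAMPLE_OUTPUT = """\
Setting Data:
Whether the user name for login is case-sensitive: 1
Whether to forbid the operation of creating a user with the same name as a deleted user: 0
Whether the local account lockout policy and IP address lockout policy are invalid for remote users in
remote authentication: 1
Whether local authentication is performed when remote authentication fails: 1
Number of deleted users to be saved: 800
Whether a remote user can change their passwords in Oracle LDAP remote authentication: 0
The LDAP authentication scenario supports the following TLS protocols of a low version: [tlsv1.0]
Whether the userlist is simple for GMY: 1
Execute the user setting tool successfully.
"""


def tool_succeeded(output):
    """The page gives this line as the success indicator."""
    return SUCCESS_LINE in output


def parse_settings(output):
    """Map each setting description to its value, joining wrapped lines."""
    settings, pending = {}, ""
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line in ("Setting Data:", SUCCESS_LINE):
            pending = ""
            continue
        text = (pending + " " + line).strip()
        key, sep, value = text.rpartition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip()
            pending = ""
        else:
            pending = text  # wrapped line: keep until the part with the value arrives
    return settings


def low_tls_versions(settings):
    """Return the low TLS versions listed as selectable, e.g. ['tlsv1.0']."""
    raw = settings.get(TLS_KEY, "[]")
    return [v.strip().lower() for v in raw.strip("[]").split(",") if v.strip()]


def audit(settings):
    """Return findings grounded in the advice given in this guide."""
    findings = []
    versions = low_tls_versions(settings)
    if versions:
        findings.append(
            "Low TLS versions selectable for LDAP: " + ", ".join(versions)
            + " (guide advises TLS v1.2 or later; see parameter -p)")
    if settings.get(LOCKOUT_KEY) == "1":
        findings.append(
            "Local account and IP address lockout do not apply to remote users "
            "(parameter -d); anti-brute-force must be enabled on the remote server")
    return findings


if __name__ == "__main__":
    if not tool_succeeded(SAMPLE_OUTPUT):
        raise SystemExit("query did not complete successfully")
    for finding in audit(parse_settings(SAMPLE_OUTPUT)):
        print("REVIEW:", finding)
```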
1.19.6.4 Setting a Client IP Address Policy
A client IP address policy provides a control mechanism for checking the
accessibility of the IP address used by an external access request. Security
administrators set client IP address policies as needed to specify the IP addresses
used for logging in to the PowerEcho, improving system security. The policy
created in this section takes effect only for the bound users.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● The IP address of your local PC is in the IP address range to be configured.
Procedure
Step 1 Choose System > Security Management > Security Policies from the menu.
Step 2 In the navigation pane, choose Client IP Address Policies.
Step 3 On the Client IP Address Policies page, click Create.
Step 4 Set a client IP address policy and click OK.
NOTICE
Exercise caution when you set the client IP address policies for the admin user. If
the client IP address of the admin user is not within the bound IP address range,
the user cannot log in again after logout.
----End
1.19.6.5 Setting Login Time Policies
A login time policy provides a control mechanism for checking the validity time of
an external access request during system operation. Security administrators set
login time policies as needed to specify the time period during which users are
allowed to log in to the PowerEcho, improving system security. The policy created
in this section takes effect only for the bound users.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose System > Security Management > Security Policies from the menu.
Step 2 In the navigation pane, choose Login Time Policies.
Step 3 On the Login Time Policies page, click Create.
Step 4 Set the parameters of the login time policy and click OK.
NOTE
● User admin is not restricted by the login time policy.
● If the start time is later than the end time for Effective hours, the system will
automatically set the end time to the next day. For example, if Effective hours is set to
16:00–15:00, login is allowed within 16:00–24:00 today and 0:00–15:00 the next day.
----End
1.19.7 Remote Authentication Configuration
You can interconnect the PowerEcho with a third-party system by configuring an
Authentication, Authorization, and Accounting (AAA) protocol. After the
interconnection, users are authenticated by an AAA server instead of User
Management in the PowerEcho upon user login. This section describes how to
configure and enable remote authentication.
1.19.7.1 Understanding Remote Authentication
This section describes the definition, principles, and protocol types of remote
authentication.
User Authentication Mode
The user authentication modes include local authentication and remote
authentication. In remote authentication mode, users are authenticated by an AAA
server through AAA protocols. The PowerEcho supports Lightweight Directory
Access Protocol (LDAP) and Remote Authentication Dial In User Service (RADIUS)
for AAA authentication. For details, see Table 1-81.
Table 1-81 User authentication modes
Authentication Mode: Local authentication
Authentication Protocol: N/A
Description: During the PowerEcho login, user authentication is
implemented by a local server through user management. After local
authentication is enabled, remote authentication is automatically disabled.

Authentication Mode: Remote authentication (LDAP authentication)
Authentication Protocol: LDAP stands for Lightweight Directory Access
Protocol. The system communicates with the LDAP server in common mode
(without encryption), or Transport Layer Security (TLS) mode.
Description: During the PowerEcho login, user authentication is
implemented by the LDAP server.

Authentication Mode: Remote authentication (RADIUS authentication)
Authentication Protocol: RADIUS is the most widely used AAA protocol and
is defined in the RFC2865 and RFC2866 specifications. RADIUS supports
the following authentication modes: Password Authentication
Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP),
Microsoft Challenge Handshake Authentication Protocol version
1 (MS-CHAPv1), Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2), and Two-factor.
Description: During the PowerEcho login, user authentication is
implemented by the RADIUS server.
Principles of LDAP and RADIUS Authentication
Figure 1-17 shows the interconnection between the PowerEcho and an LDAP or
RADIUS server.
Figure 1-17 Remote authentication principles
1. A user enters its username and password on the browser to log in to the
PowerEcho.
2. The PowerEcho sends the username and password to the LDAP or RADIUS
server for authentication.
3. After the authentication is successful, the LDAP or RADIUS server returns the
user information to the PowerEcho. Then, the user successfully logs in to the
PowerEcho.
1.19.7.2 Configuring LDAP Authentication
LDAP stands for lightweight directory access protocol. It supports multiple
authentication modes. The system authenticates users based on their usernames
and passwords or in Transport Layer Security (TLS) mode. Users can set login
information on the LDAP server, and user authentication during the login is
performed by the LDAP server.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● An LDAP server has been installed and correctly configured.
● You have obtained the LDAP server information from the LDAP server
provider to configure LDAP authentication for the system. For details about
the parameters, see 1.19.7.4 LDAP Authentication Parameters.
● If the username case sensitivity is enabled on the LDAP server, the username
case sensitivity configuration of the PowerEcho must be consistent with the
LDAP server. For details, see 1.19.6.3 Configuring Service Parameters for
User Management.
Precautions
The security mechanisms for remote authentication depend on the third-party
server. Security mechanisms, such as anti-brute force cracking, password
complexity check, and anti-DoS attack, must be enabled on the third-party server.
● If the anti-brute force cracking mechanism is not enabled, the passwords may
be cracked by brute force through a large number of guesses, leading to
information leakage.
● If the password complexity check is not enabled, there are no restrictions on
user passwords. If a password is too simple, it is easily
cracked, leading to information leakage.
● If the anti-DoS attack mechanism is not enabled, the system is vulnerable to
attacks of highly frequent requests initiated through abnormal means. In such
a case, the system resources will be exhausted, and the system cannot properly
provide services.
Procedure
Step 1 Choose System > Security Management > Security Settings from the menu.
Step 2 In the navigation pane, choose Remote Authentication.
Step 3 On the Remote Authentication page, click LDAP Authentication.
Step 4 Enter basic information.
The basic information includes the address type, address, port number of the
LDAP server, and the communication mode between the LDAP server and system
server. Set parameters based on the information provided in 1.19.7.4 LDAP
Authentication Parameters.
1. Set the address type, address, and port number of the LDAP server.
NOTE
If the LDAP server is deployed in dual-server mode, enter the address type, address,
and port number of both servers.
2. Set the communication mode between the LDAP server and system server.
Select Enable TLS as required. After Enable TLS is selected, set the related
parameters.
NOTE
– If the CA has issued a CRL, you are advised to upload the CRL in a timely manner
to ensure secure interconnection with the LDAP server.
– If Enable TLS is selected and Certificate type is set to JKS,P12, obtain the
following certificates:
▪ Root certificate (trust certificate in .jks format) and password of the LDAP
server
▪ Identity certificate (in .p12 format) and password of the PowerEcho, if
two-way authentication is enabled on the LDAP server
– If Enable TLS is selected and Certificate type is set to CER,DER,PEM,PVK, obtain
the following certificates:
▪ Root certificate (that is, the trust certificate in .cer, .der, or .pem format) of
the third-party LDAP server
▪ Identity certificate (in .cer, .der, or .pem format) and password of the
PowerEcho, if two-way authentication is enabled on the LDAP server
▪ Private key file of the LDAP server and its password if two-way authentication
is enabled on the LDAP server
Step 5 Set server information. Set parameters based on the information provided in
1.19.7.4 LDAP Authentication Parameters.
1. Set User authentication mode and enter related information.
2. Set User Attributes and User Group Attributes.
Step 6 Click Test. In the Test Connection dialog box, enter the username and password
of the remote user on the LDAP server.
● If Test successful. is displayed, interconnection between the system and the
LDAP server is successful.
● If the connection test fails, a failure message is displayed. Check whether the
LDAP server is correctly configured and try again until the interconnection is
successful.
Step 7 Click Apply for the LDAP authentication settings to take effect.
LDAP authentication will be displayed next time when you log in to Remote
Authentication.
Step 8 (Optional) If User authentication mode is set to Fixed user, click Synchronize
User Group to synchronize user groups from the remote server to the local server.
NOTE
The synchronization fails if the following cases occur:
● The remote user group name does not meet the naming rule in Role. For example, the
name length exceeds 64 characters, or the name contains special characters `~*()|[]{}:,
+;="'<>/?\ or escape characters.
● The remote user group exists in the mapping table of Use remotely stored bindings.
● The remote user group already has a role with the same name on the local server.
----End
Follow-up Procedure
After setting LDAP authentication, log out of the PowerEcho and log in again as a
remote user for the LDAP authentication settings to take effect.
NOTE
A remote user cannot log in to the PowerEcho in the following situations:
● The remote user and the default user in the system have the same username.
● The remote user name does not meet the setting rule of Username.
1.19.7.3 Configuring RADIUS Authentication
Remote Authentication Dial In User Service (RADIUS) is the most widely used AAA
protocol and is defined in the RFC2865 and RFC2866 specifications. RADIUS
supports multiple authentication modes, such as Password Authentication Protocol
(PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge
Handshake Authentication Protocol version 1 (MS-CHAPv1), Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAPv2), and Two-factor.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● A RADIUS server has been installed and correctly configured.
● You have obtained the RADIUS server information from the RADIUS server
provider to configure RADIUS authentication for the system. For details about
the parameters, see 1.19.7.5 RADIUS Authentication Parameter
Description.
● In Two-factor authentication mode, SecurID token has been set on the
RADIUS server.
● If the username case sensitivity is enabled on the RADIUS server, the
username case sensitivity configuration of the PowerEcho must be consistent
with the RADIUS server. For details, see 1.19.6.3 Configuring Service
Parameters for User Management.
Precautions
The security mechanisms for remote authentication depend on the third-party
server. Security mechanisms, such as anti-brute force cracking, password
complexity check, and anti-DoS attack, must be enabled on the third-party server.
● If the anti-brute force cracking mechanism is not enabled, the passwords may
be cracked by brute force through a large number of guesses, leading to
information leakage.
● If the password complexity check is not enabled, there are no restrictions on
user passwords. A password that is too simple is easy to crack, leading to
information leakage.
● If the anti-DoS attack mechanism is not enabled, the system is vulnerable to
attacks of highly frequent requests initiated through abnormal means. In such
a case, the system resources will be exhausted, and the system cannot properly
provide services.
Procedure
Step 1 Choose System > Security Management > Security Settings from the menu.
Step 2 In the navigation pane, choose Remote Authentication.
Step 3 On the Remote Authentication page, click RADIUS Authentication.
Step 4 Enter RADIUS authentication information. Set parameters based on the
information provided in 1.19.7.5 RADIUS Authentication Parameter Description.
Step 5 Click Test. In the Test Connection dialog box, enter information about the remote
user on the RADIUS server.
NOTE
● If Authentication mode is set to CHAP, PAP, MS-CHAPv1, or MS-CHAPv2, enter the
username and password for the remote user. Password is the password for the user's
personal account.
● If Authentication mode is set to Two-factor, enter the username and password of the
remote user. Password is not the password for the user's personal account. It consists of
the PIN and token code.
– The PIN is a string of 4 to 8 digits or letters. The initial value must be obtained
from the RADIUS server provider. Reset the PIN when performing the first test as
the user.
– The token code is a 6-digit number generated by the RSA SecurID hardware device.
The RSA SecurID hardware device needs to be obtained from the RADIUS server
provider.
● If Test successful. is displayed, interconnection between the system and the
RADIUS server is successful.
● If the connection fails the test, a message describing the failure cause is
displayed. Take measures based on the displayed message until the
connection is successful.
Step 6 Click Apply for the RADIUS authentication settings to take effect.
RADIUS authentication will be displayed next time when you log in to Remote
Authentication.
----End
Follow-up Procedure
After setting RADIUS authentication, log out of the PowerEcho and log in again as
a remote user for the RADIUS authentication settings to take effect.
NOTE
A remote user cannot log in to the PowerEcho in the following situations:
● The remote user and the default user in the system have the same username.
● The username of the remote user does not meet the setting rule of Username.
1.19.7.4 LDAP Authentication Parameters
This section describes the parameters required for configuring remote LDAP
authentication. For actual parameter configurations, contact LDAP server
maintenance personnel.
Table 1-82 Basic Information parameters
Parameter | Description | Example
Master server address type | Address type of the active LDAP server. The options are IPv4, IPv6, and Domain name. NOTE: If the address type of the LDAP active server is domain name, you need to configure the DNS server in advance. | IPv4
Master server address | Address of the active LDAP server. | 192.168.0.5
Master server port | Port number of the active LDAP server. The value range is 1 to 65535. | 389
Standby server address type | Address type of the standby LDAP server. The options are IPv4, IPv6, and Domain name. | IPv4
Standby server address | Address of the standby LDAP server. | 192.168.0.10
Standby server port | Port number of the standby LDAP server. The value range is 1 to 65535. | 389
Enable TLS | Whether to enable TLS for the system server and LDAP server. By default, it is enabled. | -
TLS version | TLS protocol version for the secure communication mode. The options are TLS v1.0, TLS v1.1, and TLS v1.2. NOTE: ● For data security during communication, you are advised to use TLS v1.2 or later. ● TLS v1.0 and TLS v1.1 are insecure protocols and are disabled by default. For details about how to enable and disable insecure protocols, see "Setting Service Parameters for User Management". | TLS v1.2
Certificate type | This parameter is displayed after TLS is enabled. The options are JKS,P12 and CER,DER,PEM,PVK. | JKS, P12
Certificate type is set to JKS,P12: Root certificate | Root certificate that needs to be configured for the secure communication mode. | -
Certificate type is set to JKS,P12: Root certificate password | Password for the root certificate. | -
Certificate type is set to JKS,P12: Identity certificate | Identity certificate that needs to be configured for the secure communication mode, if two-way authentication is enabled on the LDAP server. | -
Certificate type is set to JKS,P12: Identity certificate password | Password for the identity certificate. | -
Certificate type is set to JKS,P12: Certificate revocation list | List of certificates revoked by the certificate authority (CA). | -
Certificate type is set to CER,DER,PEM,PVK: Root certificate | Root certificate that needs to be configured for the secure communication mode. | -
Certificate type is set to CER,DER,PEM,PVK: Identity certificate | Identity certificate that needs to be configured for the secure communication mode, if two-way authentication is enabled on the LDAP server. NOTE: When the certificate to be imported is in .p12 format, ensure that the values of Identity certificate password and Root certificate password are the same. | -
Certificate type is set to CER,DER,PEM,PVK: Private key file | Private key file of the LDAP server if two-way authentication is enabled on the LDAP server. | -
Certificate type is set to CER,DER,PEM,PVK: Private key file password | Encrypted password for the private key file. | -
Certificate type is set to CER,DER,PEM,PVK: Certificate revocation list | List of certificates revoked by the certificate authority (CA). | -
NOTE
It is recommended that the passwords for the root certificate, identity certificate, and
private key file meet the following requirements:
● Contain a minimum of 16 random characters.
● Contain at least two of the following character types:
– Uppercase letters
– Lowercase letters
– Digits
– Special characters, including !"#$%&'()*+,-./:;\<=>?@[]^`{_|}~ and spaces
Table 1-83 User authentication mode parameters
Parameter | Description | Example
User authentication mode | LDAP server user authentication mode. The options are Fixed user, Login user DN, and Email address. | Fixed user
Fixed user: Administrator DN | Distinguished name (DN) of an entry that stores administrator information in the LDAP directory. | CN=UserName, CN=Users, DC=test, DC=com
Fixed user: Administrator password | Password corresponding to the administrator DN. | -
Fixed user: Query syntax | You can set filter criteria to specify the user range. After the filter criteria are set, only remote users who meet the filter criteria can log in to the PowerEcho. NOTE: ● You are advised to set filter criteria for querying users and the maximum number of remote users meeting the query criteria cannot exceed 1000. ● You are advised not to use sensitive data as query criteria because the LDAP server protects sensitive data and does not allow the data to be queried by external systems. | (&(objectClass=user)(memberof=CN=example,dc=com))
Login user DN: User DN prefix | Characters in front of the username in the DN of a logged-in user. NOTE: Take CN=%s, DC=test, DC=com as an example. %s indicates the user. Its DN prefix is CN=. | CN=
Login user DN: User DN suffix | Characters following the username in the DN of a logged-in user. NOTE: Take CN=%s, DC=test, DC=com as an example. %s indicates the user. Its DN suffix is , DC=test, DC=com. | , DC=test, DC=com
Login user DN: Query syntax | You can set filter criteria to specify the user range. After the filter criteria are set, only remote users who meet the filter criteria can log in to the PowerEcho. NOTE: ● You are advised to set filter criteria for querying users and the maximum number of remote users meeting the query criteria cannot exceed 1000. ● You are advised not to use sensitive data as query criteria because the LDAP server protects sensitive data and does not allow the data to be queried by external systems. | (&(objectClass=user)(memberof=CN=example,dc=com))
Email address: Domain name | Email domain name of a Windows AD server. The domain user can serve as the username for login. For example, if you have entered %s@example.com in Domain name and s@example.com is the domain account of the server, enter s in Username to log in to the PowerEcho. | %s@example.com
Email address: Query syntax | You can set filter criteria to specify the user range. After the filter criteria are set, only remote users who meet the filter criteria can log in to the PowerEcho. NOTE: ● You are advised to set filter criteria for querying users and the maximum number of remote users meeting the query criteria cannot exceed 1000. ● You are advised not to use sensitive data as query criteria because the LDAP server protects sensitive data and does not allow the data to be queried by external systems. | (&(objectClass=user)(memberof=CN=example,dc=com))
NOTE
The differences between Fixed user, Login user DN, and Email address are as follows:
● In Fixed user mode, remote user groups can be synchronized. Therefore, you need to
obtain the DN and password for the LDAP server administrator. In Login user DN or
Email address mode, remote user group information cannot be synchronized.
● In Fixed user mode, you can locally disable the remote users who have been deleted
from the remote server. In Login user DN or Email address mode, the system does not
support this function.
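The Login user DN, Email address and Query syntax settings in Table 1-83 all splice a login name into an LDAP string, so the login name must be escaped for the position it lands in. The following Python sketch is an added example, not NetEco code: the function names are hypothetical, the way the Query syntax filter is combined with the Unique user ID attribute (sAMAccountName, from Table 1-84) is an assumption, and the usernames are constructed.

```python
# Added illustration: expands the Login user DN, Email address and
# Query syntax settings from Table 1-83 with the escaping each position needs.

DN_SPECIALS = '"+,;<>\\'   # RFC 4514: backslash-escape these inside a DN value
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_dn_template(template):
    """Split 'CN=%s, DC=test, DC=com' into (User DN prefix, User DN suffix)."""
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s")
    prefix, _, suffix = template.partition("%s")
    return prefix, suffix


def escape_dn_value(value):
    """Escape a username used as an attribute value inside a DN (RFC 4514)."""
    if not value:
        raise ValueError("empty username")
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a username used as an assertion value in a filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_user_dn(prefix, suffix, username):
    """Login user DN mode: prefix + escaped username + suffix."""
    return prefix + escape_dn_value(username) + suffix


def email_login_name(domain_template, username):
    """Email address mode: expand '%s@example.com' for a bare username."""
    if domain_template.count("%s") != 1:
        raise ValueError("Domain name must contain exactly one %s")
    if not username or "@" in username:
        raise ValueError("username must be non-empty and must not contain '@'")
    return domain_template.replace("%s", username)


def user_search_filter(query_syntax, unique_user_id, username):
    """AND the administrator's Query syntax with a match on the unique user ID.
    Assumption: the guide does not document how the two are combined."""
    return "(&%s(%s=%s))" % (query_syntax, unique_user_id, escape_filter_value(username))


if __name__ == "__main__":
    prefix, suffix = split_dn_template("CN=%s, DC=test, DC=com")
    # A display-name style login (constructed) whose comma would otherwise
    # be read as an RDN separator.
    print(login_user_dn(prefix, suffix, "Smith, John"))
    print(user_search_filter("(&(objectClass=user)(memberof=CN=example,dc=com))",
                             "sAMAccountName", "j*(ops)"))
```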
Table 1-84 User Attributes parameters
Parameter | Description | Example
User base DN | Base DN used for querying a user. | DC=test, DC=com
User object class name | Class name of a user in the corresponding LDAP server schema. | user
Unique user ID | Keyword of a user in the corresponding LDAP server schema. | sAMAccountName
User full name attribute name | Full name attribute name of a user in the corresponding LDAP server schema. | name
User description attribute name | Description attribute name of a user in the corresponding LDAP server schema. | description
User's user group attribute name | User group attribute name of a user in the corresponding LDAP server schema. | memberOf
ServerInfo | The server information is configured to filter the binding relationship between a user and the user's user group. | -
User's user group separator | Separator of user groups to which remote users belong. The value is obtained from the remote server. If this parameter is not set or there is only one user group on the remote server, you can set this parameter to a special character, such as semi-colon (;), exclamation mark (!), and colon (:), that is not contained in the remote user group name. | ,
NOTE
When Windows AD is configured on the LDAP server, the
correct user groups can be returned only after User group
member attribute name in User Group Attributes is set.
Table 1-85 User Group Attributes parameters
Parameter | Description | Example
User group base DN | Base DN used for querying a user group. | OU=usergroup, DC=test, DC=com
User group object class name | Class name of a user group in the corresponding LDAP server schema. | group
Unique user group ID | Keyword of a user group in the corresponding LDAP server schema. | name
User group member attribute name | User attribute name of a user group in the corresponding LDAP server schema. NOTE: When Windows AD is configured on the LDAP server, the correct user groups can be returned only after this parameter is set. | member
User group description attribute name | Description attribute name of a user group in the corresponding LDAP server schema. | description
Table 1-86 User-to-User Group Bindings parameters
Parameter | Description | Example
Use locally stored bindings | When a remote user logs in to the PowerEcho, the remote user belongs to the locally bound role if this parameter is selected. | -
Use remotely stored bindings | When a remote user logs in to the PowerEcho, the remote user belongs to the user group bound to the remote server. ● If the remote user group has a local role with the same name and the mapping between the remote user group and the local role is not configured, the remote user is automatically bound to the local role with the same name. ● If the remote user group does not have a local role with the same name, you need to configure the mapping between the remote user group and the local role. After the mapping is configured, the remote user is bound to the local role mapping to the remote user group. If this parameter is not set, the remote user will lose the authorization of the user group. NOTE: User group names on the LDAP server cannot contain the value of User's user group separator and must meet the naming rule of Role. | -
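A pre-check for Synchronize User Group, added here as an example and not part of the product: it applies the failure conditions from the NOTE under Step 8 of the LDAP procedure and the separator rule from the NOTE in Table 1-86 to a list of remote group names. Reading "escape characters" as control characters, comparing names by exact match, and every sample name are assumptions.

```python
import unicodedata

# Characters the Step 8 NOTE lists as not allowed in a Role name.
FORBIDDEN_CHARS = set("`~*()|[]{}:,+;=\"'<>/?\\")
MAX_NAME_LENGTH = 64


def rejection_reasons(name, separator, local_roles, mapped_groups):
    """Return every documented reason why this remote group would not sync."""
    reasons = []
    if len(name) > MAX_NAME_LENGTH:
        reasons.append("longer than 64 characters")
    bad = "".join(sorted(set(name) & FORBIDDEN_CHARS))
    if bad:
        reasons.append("special characters: " + bad)
    # Assumption: "escape characters" means control characters (tab, newline, ...).
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        reasons.append("control (escape) characters")
    if separator and separator in name:
        reasons.append("contains the user group separator")
    if name in local_roles:
        reasons.append("a local role with the same name already exists")
    if name in mapped_groups:
        reasons.append("already in the Use remotely stored bindings mapping table")
    return reasons


def preflight(remote_groups, separator, local_roles=(), mapped_groups=()):
    """Map each group name that would fail to its list of reasons."""
    local_roles, mapped_groups = set(local_roles), set(mapped_groups)
    report = {}
    for name in remote_groups:
        reasons = rejection_reasons(name, separator, local_roles, mapped_groups)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample data, not taken from a real directory.
    groups = ["NOC-Operators", "Power;Admins", "Site(East)", "G" * 65,
              "Field\tTeam", "Administrators", "Auditors"]
    result = preflight(groups, ";", local_roles={"Administrators"},
                       mapped_groups={"Auditors"})
    for group, why in result.items():
        print(repr(group), "->", "; ".join(why))
```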
Table 1-87 Other parameters
Parameter | Description | Example
Local user authentication | ● If Local user authentication is selected for LDAP authentication, local users and third-party users are authenticated locally, and remote users are authenticated on the remote server. NOTE: If Local user authentication is selected for LDAP authentication, a remote user with the same name as a local user cannot log in. You are not advised to create a remote user with the same username as a user in the local system. ● If Local user authentication is not selected for LDAP authentication, the admin user is authenticated locally, and the third-party users and remote users are authenticated on the remote server. NOTE: If Local user authentication is not selected for LDAP authentication, and the name of the user on the remote server is the same as the name of a created user: ● After the user on the remote server logs in to the system through the login page, the type of the created local user is changed to a remote user. ● After the user on the remote server logs in to the system by calling an interface, the user type of the created local user or remote user is changed to a third-party user. NOTICE: If the attributes of a user with the same name change, the user may fail to log in to the system or the user permissions may change. Therefore, you are not advised to create a remote user with the same name as a user in the system. | -
User management | ● If User management is selected for LDAP authentication, security administrators can manage local users, third-party users, and remote users. ● If User management is not selected, the following situations occur: – If Local user authentication is enabled for LDAP authentication, security administrators can manage local users, and perform certain operations on third-party users and remote users, such as creating, querying, exporting, and modifying the users. – If Local user authentication is not enabled for LDAP authentication, security administrators can only query and modify users. | -
Allow ungrouped users to log in | ● If you select Allow ungrouped users to log in, remote users who are not bound with user groups can log in to the PowerEcho. ● If you do not select Allow ungrouped users to log in, remote users who are not bound with user groups cannot log in to the PowerEcho. | -
Disable users who are synchronized remotely but do not exist at the remote end | ● If you select Disable users who are synchronized remotely but do not exist at the remote end and LDAP authentication is enabled, the system can disable the remote users who have been synchronized to a local server and deleted from the LDAP server. ● If you do not select Disable users who are synchronized remotely but do not exist at the remote end, the remote user will not be disabled. | -
Server check interval | After LDAP authentication is enabled, the system checks the connection between the active and standby LDAP servers at an interval specified by this parameter. | 5
1.19.7.5 RADIUS Authentication Parameter Description
This section describes the parameters required for configuring remote RADIUS
authentication. For actual parameter configurations, contact RADIUS server
maintenance personnel.
Table 1-88 Basic Information parameters
Parameter | Description | Example
Master server IP address version | IP address type of the active RADIUS server. | IPv4
Master server IP address | IP address of the active RADIUS server. | 192.168.0.5
Master server port | Port number of the active RADIUS server. | 1812
Standby server IP address version | IP address type of the standby RADIUS server. | IPv4
Standby server IP address | IP address of the standby RADIUS server. | 192.168.0.10
Standby server port | Port number of the standby RADIUS server. | 1812
Authentication mode | Authentication mode for the RADIUS protocol. The default value is CHAP. The options are as follows: ● CHAP: Challenge-Handshake Authentication Protocol. ● PAP: Password Authentication Protocol. NOTE: You are advised to use CHAP, MS-CHAPv1, MS-CHAPv2, and Two-factor because they are more secure than PAP. ● MS-CHAPv1: Microsoft Challenge Handshake Authentication Protocol Version 1. ● MS-CHAPv2: Microsoft Challenge Handshake Authentication Protocol Version 2. ● Two-factor: In this mode, RADIUS authentication supports only the PAP protocol. | CHAP
Shared key | Shared key of the RADIUS server. NOTE: For system security purposes, periodically change the shared key. | -
Local user authentication | ● If Local user authentication is selected for RADIUS authentication, local users and third-party users are authenticated locally, and remote users are authenticated on the remote server. NOTE: If Local user authentication is selected for RADIUS authentication, a remote user with the same name as a local user cannot log in. You are not advised to create a remote user with the same username as a user in the local system. ● If Local user authentication is not selected for RADIUS authentication, the admin user is authenticated locally, and the third-party users and remote users are authenticated on the remote server. NOTE: If Local user authentication is not selected for RADIUS authentication, and the name of the user on the remote server is the same as the name of a created user: ● After the user on the remote server logs in to the system through the login page, the type of the created local user is changed to a remote user. ● After the user on the remote server logs in to the system by invoking an interface, the type of the created local user or the remote user is changed to a third-party user. NOTICE: If the attributes of a user with the same name change, the user may fail to log in to the system or the user permissions may change. Therefore, you are not advised to create a remote user with the same name as a user in the system. | -
User management | ● If User management is selected for RADIUS authentication, security administrators can manage local users, third-party users, and remote users. ● If User management is not selected, the following situations occur: – If Local user authentication is enabled for RADIUS authentication, security administrators can manage local users, and perform certain operations on third-party users and remote users, such as creating, querying, exporting, and modifying the users. – If Local user authentication is not enabled for RADIUS authentication, security administrators can only query and modify users. | -
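What the Authentication mode choice changes on the wire, as an added Python example based on RFC 2865 (not NetEco code): PAP, which Two-factor mode also uses, carries the password or the PIN plus token code masked only by MD5 of the shared key, while CHAP carries a one-way response to a challenge. The shared key, authenticator, challenge and passcode below are constructed values.

```python
import hashlib
import hmac


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password, shared_key, request_authenticator):
    """Client side: build the User-Password value (RFC 2865, section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_key + previous).digest()
        block = _xor(padded[i:i + 16], mask)
        hidden += block
        previous = block          # each block is chained to the one before it
    return hidden


def pap_reveal(hidden, shared_key, request_authenticator):
    """Server side: recover the password. The shared key is the only secret
    involved, which is why its strength and rotation matter in PAP and
    Two-factor mode."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    clear, previous = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(shared_key + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def chap_response(chap_ident, password, challenge):
    """CHAP response: MD5(ident || password || challenge) (RFC 2865, 5.3)."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def chap_verify(chap_ident, response, stored_password, challenge):
    """Server side: recompute from its own copy of the password and compare."""
    expected = chap_response(chap_ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed
    req_auth = bytes(range(16))               # constructed Request Authenticator
    passcode = b"4821" + b"135790"            # constructed PIN + token code
    hidden = pap_hide(passcode, key, req_auth)
    print("PAP value on the wire:", hidden.hex())
    print("recovered with the shared key:", pap_reveal(hidden, key, req_auth))
    resp = chap_response(1, b"constructed-password", b"\x11" * 16)
    print("CHAP response on the wire:", resp.hex())
```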
Table 1-89 Accounting parameters
Parameter | Description | Example
Enable accounting: Master server accounting port | Active RADIUS server port used for accounting. | 1813
Enable accounting: Standby server accounting port | Standby RADIUS server port used for accounting. | 1813
Table 1-90 Request Message parameters
Parameter | Description | Example
Send client IP address | Whether to send the client IP address to the RADIUS server. | -
Send local identifier | Whether to send the local identifier to the RADIUS server. The local identifier is the identifier of the local environment, which is user-defined. | GFHJKHL.JK
Specify user-defined attributes: Vendor ID | ID of the vendor on the RADIUS server. | 2011
Specify user-defined attributes: Subattribute Type | Attribute extended by the vendor. | 188
Specify user-defined attributes: Data Type | Data type of Value. | String
Specify user-defined attributes: Length | Length of Value. | 6
Specify user-defined attributes: Value | Value of the extended attribute. | 100
Table 1-91 Response Message parameters
Parameter | Description | Example
Use locally stored bindings | Select this parameter if you do not need to obtain user group bindings from the RADIUS server. If no corresponding user group exists on the local end, a user synchronized to the local end is not bound to any user group. If a user synchronized to the local end does not have a local user with the same username, the user has no binding relationship. | -
Obtain the user group binding relationship from default attributes (NOTE: Select this parameter if the user group bindings need to be obtained from the default attribute Reply-Message(18) in the RADIUS protocol.): User's user group separator | Separator of user groups to which remote users belong. The value is obtained from the remote server. If this parameter is not set or there is only one user group on the remote server, you can set this parameter to a special character, such as semi-colon (;), exclamation mark (!), and colon (:), that is not contained in the remote user group name. | ;
Obtain the user group binding relationship from user-defined attributes (NOTE: Select this parameter if the user group binding relationship needs to be obtained from the user-defined attribute Vendor-Specific(26) in the RADIUS protocol.): Vendor ID | ID of the vendor on the RADIUS server. | 2011
Obtain the user group binding relationship from user-defined attributes: Subattribute type | Attribute extended by the vendor. | 188
Obtain the user group binding relationship from user-defined attributes: Subattribute name | Subtype name of the mapping between user groups and users. | -
Obtain the user group binding relationship from user-defined attributes: User's user group separator | Separator of user groups to which remote users belong. The value is obtained from the remote server. If this parameter is not set or there is only one user group on the remote server, you can set this parameter to a special character, such as semi-colon (;), exclamation mark (!), and colon (:), that is not contained in the remote user group name. | ;
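How the two Response Message options in Table 1-91 map onto a RADIUS reply, as an added Python example (not NetEco code): it checks the Response Authenticator, then reads group names from Reply-Message(18) or from a Vendor-Specific(26) sub-attribute, using the table's example Vendor ID 2011, sub-attribute type 188 and separator ;. That the attribute value is a separator-joined list of group names is an assumption, and the packet, shared key and group names are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18      # default attribute named in Table 1-91
VENDOR_SPECIFIC = 26    # user-defined attribute named in Table 1-91


def parse_tlvs(buf):
    """Split a run of type/length/value attributes, rejecting bad lengths."""
    items, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("attribute length out of range")
        items.append((kind, buf[pos + 2:pos + length]))
        pos += length
    return items


def verify_response(packet, request_authenticator, shared_key):
    """Check the Response Authenticator (RFC 2865, section 3) and return
    (code, attributes). Group bindings are authorization data, so a reply
    that fails this check must not be used."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    packet = packet[:length]
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[20:] + shared_key).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, parse_tlvs(packet[20:])


def split_groups(raw, separator):
    """Assumption: the value is group names joined by the configured separator."""
    return [g.strip() for g in raw.decode("utf-8").split(separator) if g.strip()]


def groups_from_default_attribute(attrs, separator):
    groups = []
    for kind, value in attrs:
        if kind == REPLY_MESSAGE:
            groups += split_groups(value, separator)
    return groups


def groups_from_vendor_attribute(attrs, separator, vendor_id, sub_type):
    groups = []
    for kind, value in attrs:
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue              # another vendor's attribute
        for vendor_type, data in parse_tlvs(value[4:]):
            if vendor_type == sub_type:
                groups += split_groups(data, separator)
    return groups


def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value


def build_sample_accept(shared_key, request_authenticator):
    """Constructed Access-Accept for the demo, not captured traffic."""
    attrs = (_attr(REPLY_MESSAGE, b"Operators;Auditors")
             + _attr(VENDOR_SPECIFIC, struct.pack("!I", 2011)
                     + _attr(188, b"Operators;PowerAdmins"))
             + _attr(VENDOR_SPECIFIC, struct.pack("!I", 32473)
                     + _attr(1, b"ignored")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + shared_key).digest()
    return header + auth + attrs


if __name__ == "__main__":
    key, req_auth = b"constructed-shared-key", bytes(range(16))
    code, attrs = verify_response(build_sample_accept(key, req_auth), req_auth, key)
    print(code, groups_from_default_attribute(attrs, ";"),
          groups_from_vendor_attribute(attrs, ";", 2011, 188))
```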
1.19.8 SSO Configuration
Single sign-on (SSO) configuration allows users to access multiple mutually
trusted application systems after only one login authentication.
The PowerEcho supports CAS SSO and SAML SSO. For details, see Table 1-92.
Table 1-92 SSO types
SSO Type | Authentication Protocol | Description
CAS SSO | Allows SSO login complying with the Central Authentication Service (CAS) protocol. In this way, an SSO server is connected to multiple SSO clients to perform unified authentication. | When users need to configure the server and clients among multiple systems based on the CAS protocol, they can configure CAS SSO so that the SSO server can authenticate users and access the clients freely.
SAML SSO | Allows SSO login complying with the SAML 2.0 (Security Assertion Markup Language 2.0) protocol. In this way, identity providers (IdPs) and service providers (SPs) exchange authentication and authorization data between different security zones. | When users have their own IdPs and need to use the PowerEcho to provide services, they can configure SAML SSO so that the IdPs can authenticate users and use the PowerEcho to provide services.
1.19.8.1 CAS SSO Configuration
Single sign-on (SSO) configuration allows users to access multiple mutually
trusted application systems after only one login authentication.
1.19.8.1.1 About CAS SSO
This section describes the definition and principles of CAS SSO.
CAS SSO allows SSO login complying with the CAS protocol. In this way, an SSO
server is connected to multiple SSO clients to perform unified authentication. After
successfully logging in to the server, users can access the client without entering
the username and password repeatedly.
After completing the CAS SSO configuration and successfully logging in to the
server, users can access all the clients without entering the username and
password repeatedly. Assume that system 1 is the SSO server, and system 2,
system 3, ..., and system N are SSO clients. Figure 1-18 shows the SSO
configuration.
Figure 1-18 Authentication scheme between the SSO server and SSO clients
System configurations:
1. Configure system 1 as the SSO server and configure the trust addresses of the
SSO clients on the SSO Server tab page of system 1. That is, set the IP
addresses of system 2, system 3, ..., and system N to trusted addresses.
2. Configure system 2, system 3, ..., and system N as SSO clients. Set
Authentication URL and Validation URL of the SSO server (IP address of
system 1) on the SSO Client tab page of system 2, system 3, ..., and system
N.
User access:
1. To access client 1 for the first time, a user enters the IP address or domain
name of client 1 in the address box of a browser, presses Enter, and enters
the username and password.
2. The user information is sent to the SSO server for login authentication.
3. The SSO server authenticates the username and password and sends an
authentication success message to client 1.
4. The user logs in to client 1 successfully.
5. To access client 2 for the first time, a user enters the IP address or domain
name of client 2 in the address box of a browser and presses Enter.
6. The SSO server determines that the login authentication is successful.
7. The user logs in to client 2 successfully.
1.19.8.1.2 Configuring CAS SSO
CAS SSO configuration consists of SSO Servers and SSO Clients. In SSO mode,
you can log in to all other mutually trusted clients without entering the user name
and password again after logging in to a client.
Prerequisites
● The SSO server has been installed and correctly configured.
● You have obtained the address of the SSO server to be interconnected with
the SSO client, such as the domain name or IP address.
● If the SSO server requires remote authentication, the remote authentication
must be enabled on the SSO server before you configure SSO.
● You have logged in to the PowerEcho as the admin user. For details, see 1.1.2
Logging In to the PowerEcho.
Procedure
Step 1 Choose System > Security Management > Security Settings from the main
menu.
Step 2 In the navigation pane, choose SSO Configuration > CAS SSO Configuration.
Step 3 On the SSO Clients tab page, set Authentication URL and Validation URL of the
CAS SSO server connected to the current system. Then, set Backup
authentication URL and Backup validation URL as required.
NOTE
● Authentication URL and Validation URL are the IP addresses or domain names of the
CAS SSO server.
– If the CAS SSO server does not distinguish the authentication server from the
verification server, the values of Authentication URL and Validation URL are the
same.
– If the CAS SSO server distinguishes the authentication server from the verification
server, the values of Authentication URL and Validation URL are different.
● If the CAS SSO server has a standby server, configure Backup authentication URL and
Backup validation URL to improve system security.
Step 4 Click Apply.
Step 5 Verify the CAS SSO configuration after the SSO client parameters are configured.
1. In the address box of the browser, enter the IP address or domain name of
client 1 and press Enter.
The IP address in the address box of the browser is automatically converted to
the IP address of the CAS SSO server.
2. Enter the username and password of client 1. After the authentication is
successful, you will successfully log in to client 1.
3. When the session of client 1 is valid, open a new tab page on the browser and
enter the IP address or domain name of client 2, and press Enter. If you can
automatically log in to client 2 without entering the username and password,
the CAS SSO configuration is successful.
NOTE
After SSO is configured, a server user cannot log in to the SSO client in the following
situations:
– The server username is the same as the name of a third-party user or a default
user other than admin.
– The server username does not meet the setting rule of Username.
----End
Related Tasks
Delete the CAS SSO client configuration.
Step 1 Choose System > Security Management > Security Settings from the main
menu.
Step 2 In the navigation pane, choose CAS SSO Configuration.
Step 3 On the SSO Clients tab page, click Close.
----End
1.20 NetEco Maintenance
1.20.1 Network Diagnostics
This section describes how to check the network connection status between the
NetEco server and device.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Maintenance > NetEco Maintenance > Network
Diagnostics from the main menu.
Step 2 Set Equipment IP Address, Port Number, and Packets.
Step 3 Click Check.
----End
1.20.2 Run Logs Collection
This section describes how to obtain the running logs of each module of the
NetEco.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Maintenance > NetEco Maintenance > Run Logs
Collection from the main menu.
Step 2 Set Start Time and End Time, and select the Module Logs.
Step 3 Click Collect Logs. After a message similar to Logs collected successfully is
displayed, click confirm.
Step 4 Click Export to download the log file to your local PC.
Step 5 Optional: If you need to set the level of logs to be printed in the next period of
time, select logs, select Current Log Level, set Validity Period, and click Modify.
NOTE
Click Restore to reset the log level.
----End
1.20.3 Routine Inspection
This section describes how to check the health status of the NetEco server using
the PowerEcho client to learn related information about the OS, database and
NetEco software. You can export the health check report and download it to the
local PC for viewing.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Maintenance > NetEco Maintenance > Routine
Inspection from the main menu.
Step 2 Select NetEco CPU usage and disk I/O status as required.
NOTE
If you select this option, the check takes at least 10 minutes. If this option is not selected,
the check result does not contain the check items NetEco CPU Usage and Disk I/O Usage
status.
Step 3 Click Inspect Health.
When the inspection is complete, you can click Export Report to download the
file to your local PC. Then decompress the file to view inspection results.
----End
1.20.4 History Report
This section describes how to download the health check reports using the
PowerEcho. You can download the reports for the latest 10 health
inspections. These logs can be used for identifying the causes of NetEco
system faults.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● Routine inspection has been performed. For details, see 1.20.3 Routine
Inspection.
Procedure
Step 1 On the PowerEcho, choose Maintenance > NetEco Maintenance > History
Report from the main menu.
Step 2 Click Download to download the health check reports to your local PC.
----End
1.20.5 HA Management
This section describes how to view the service running status, data synchronization
status, and master/slave database instance running status of the active and
standby NetEco nodes, and how to perform switchover between the active and
standby NetEco nodes or master and slave database instances. This function can
be used only in cluster scenarios.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose Maintenance > NetEco Maintenance > HA Management from the main
menu.
If You Need To: View the service running status on the active and standby nodes
Then: In the NetEco HA Management area, check the service running status of the
active and standby nodes.
If You Need To: View the running status of the master and slave database instances
Then: In the Database HA Management area, view the running status of the
master and slave database instances.
If You Need To: Perform switchover between the active and standby nodes
Then: When the available memory of the active node is small or the active node
is faulty, you can perform switchover between the active and standby nodes.
1. Start NetEco services. For details, see 1.4.3 Starting Product Services.
2. When Synchronization Progress is 100% and Synchronization Status is Normal,
in the NetEco HA Management area, click [icon].
3. In the displayed dialog box, click OK.
NOTE
During the switchover, the PowerEcho cannot be operated. After about 3 to 5
minutes, refresh the page and log in to the PowerEcho again.
If You Need To: Perform switchover between the master and slave databases
Then: When the master database is faulty, you can perform switchover between
the master and slave databases.
1. Stop NetEco services. For details, see 1.5.2 Stopping Product Services.
2. In the Database HA Management area, click [icon].
3. In the displayed dialog box, click OK.
NOTE
The switchover takes about 3 to 5 minutes.
----End
1.20.6 Viewing Server Information
This section describes how to use the PowerEcho to view Software Information,
Resource Information, and Hardware Information of a NetEco server.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Choose Maintenance > NetEco Maintenance > Server Information from the
main menu.
On the page, view the NetEco server information such as the version information,
CPU usage, and iBMC IP address.
NOTE
● In the cluster scenario, you can view the information about a NetEco server by selecting
the corresponding node tab.
● Server information is updated every 30 seconds, and CPU details are updated every 5
seconds.
----End
1.21 File System of The NetEco
This section describes the file system of the NetEco. The file system mainly
includes the information about the directory structure of the NetEco software.
Table 1-93 NetEco Software installation directories
Directory | Description
/opt/oss | Root directory for installing the NetEco program, including subdirectories of the PowerEcho, the NetEco, and logs
/opt/zenith | Zenith installation directory (service database)
/opt/neteco | Directory for storing the NetEco service data
/opt/neteco_backup | NetEco backup directory
/opt/NetEcoTools | Directory for storing the NetEco uninstallation script
/opt/pub | Directory for storing large files generated during the NetEco installation
/opt/patch_manager | Third-party patch framework running directory for the NetEco
/opt/redis | Redis installation directory
/opt/repo | Directory for storing the NetEco product package and deployment tool
/opt/share | Shared data directory between services
1.22 Routine Maintenance
1.22.1 Daily Maintenance
This section describes daily maintenance tasks to ensure stable system
operation.
1.22.1.1 Checking Logs (the PowerEcho)
The PowerEcho records three types of O&M logs: security logs, system logs, and
operation logs. You can periodically check whether exceptions are recorded in
these logs to proactively identify potential security risks and running exceptions on
the PowerEcho. You can locate and rectify faults in a timely manner based on the
information recorded in the logs, ensuring proper running and security of the
PowerEcho.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● To query logs in CLI mode, you need to obtain the passwords for the sopuser
and ossadm users of the management node.
Context
The logs are classified into security logs, system logs, and operation logs.
● Security logs record user operations that affect system security, such as
logging in to the system, changing passwords, creating users, and logging out
of the system.
● System logs record system-triggered events, such as abnormal system
running, network failures, and attacks against the system. These logs help you
analyze the system status and rectify faults.
● Operation logs record user operations that do not affect system security, such
as creating subnets and exporting current alarms.
Procedure
● Query logs on the web client.
Step 1 Open the desired log page as follows:
● To query security logs, choose System > Log Management > Security Logs
from the main menu of the PowerEcho.
● To query system logs, choose System > Log Management > System Logs
from the main menu of the PowerEcho.
● To query operation logs, choose System > Log Management > Operation
Logs from the main menu of the PowerEcho.
Step 2 Click [icon] on the left of Filter Criteria and set the following filter criteria in the
displayed area:
● Select Risk from the Level drop-down list.
● Select Failed and Partially successful from the Result drop-down list.
Step 3 Click Filter and check whether any exception or fault information exists in the list.
NOTE
Click Export All or Export Selected to export the logs to your local PC for query and
analysis.
----End
● Query logs in the dump path.
NOTE
Security logs, system logs, and operation logs are stored in the database after being
generated. To ensure sufficient database space, the system automatically dumps the
logs that meet the conditions to the /opt/share/oss/manager/MCCommonService/
dump/timestamp/timestamp directory on the hard disk as files. If the dump directory
does not exist, the logs have not been dumped.
Step 1 Use PuTTY to log in to the management node, as the sopuser user in SSH mode.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to create a temporary directory and copy the log
files to the directory:
> mkdir -p /tmp/log
> cp /opt/share/oss/manager/MCCommonService/dump/timestamp/timestamp/log file /tmp/log
Step 4 Run the following command to configure permissions for the log files:
> chmod 750 /tmp/log/log file
Step 5 Run the following command to switch back to the sopuser user:
> exit
Step 6 Run the following commands to copy the log files from the temporary directory to
the /home/sopuser directory and configure permissions for the log files:
> cp /tmp/log/log file /home/sopuser
> chmod 600 /home/sopuser/log file
Step 7 Use FileZilla to download the log files in .csv or zip format in the /home/sopuser
directory on the management node to a directory on your local PC, as the sopuser
user in SFTP mode. For details, see 1.24.2 Transferring Files Using FileZilla.
Step 8 Delete the temporary files.
1. Use PuTTY to log in to the management node, as the sopuser user in SSH
mode.
2. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3. Run the following command to delete the temporary files:
> rm -rf /tmp/log
4. Run the following command to switch back to the sopuser user:
> exit
5. Run the following command to delete the temporary files in the /home/sopuser
directory:
> rm -rf /home/sopuser/log file
----End
Expected Result
● Security logs, system logs, and operation logs at the Risk level are not
displayed in the list.
● Security logs, system logs, and operation logs with the Failed, Unknown, or
Partially successful operation result are not displayed in the list.
Exception Handling
You can click the value in the Details column of the row that contains the security
log, system log, or operation log at the Risk level or with the Failed or Partially
successful operation result to locate the fault and troubleshoot it.
1.22.1.2 Checking Logs (the NetEco)
The system records three types of logs: security logs, system logs, and operation
logs. You can periodically check whether exceptions are recorded in these logs to
proactively identify potential security risks and running exceptions on the system.
You can locate and rectify faults in a timely manner based on the information
recorded in the logs, ensuring proper running and security of the system.
Prerequisites
● You have logged in to the NetEco as a security administrator. For details, see
1.1.1 Logging In to the NetEco.
● You have the Query Security Log, Query System Log, and Query Operation
Log permissions.
● You have obtained the passwords for the sopuser and ossuser users for
logging in to the node where SMLogLic resides.
Context
The logs are classified into security logs, system logs, and operation logs.
● Security logs record user operations that affect system security, such as
logging in to the system, changing passwords, creating users, and logging out
of the system.
● System logs record system-triggered events, such as abnormal system
running, network failures, and attacks against the system. These logs help you
analyze the system status and rectify faults.
● Operation logs record user operations that do not affect system security, such
as creating subnets and exporting current alarms.
Procedure
● Query logs on the web page.
Step 1 Choose one of the following menus as needed:
● To query security logs: Choose Security > Log Management > Security Logs.
● To query system logs: Choose Security > Log Management > System Logs.
● To query operation logs: Choose Security > Log Management > Operation
Logs.
Step 2 Click [icon] next to Filter Criteria, and set the following filter criteria in the displayed
area:
● Select Risk from the Level drop-down list.
● Select Failed and Partially successful from the Result drop-down list.
Step 3 Click Filter and check whether any exception or fault information exists in the list.
NOTE
You can click Export All or Export Selected to export logs to your local PC to facilitate log
viewing and analysis.
----End
● Query logs in the dump path.
NOTE
Security logs, system logs, and operation logs are stored in the database after being
generated. To ensure sufficient database space, the system automatically dumps the
logs that meet the conditions to the /opt/share/oss/NetEco/XXXService/dump/
timestamp/timestamp directory on the hard disk. XXXService can be SMLogLicService
or MCCommonService. The dump directory exists only after log dump occurs.
Step 1 Use PuTTY to log in to the node where SMLogLic resides, as the sopuser user in
SSH mode. For details about how to obtain the IP address of the node where a
service resides, see 1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Step 2 Run the following command to switch to the ossuser user:
su - ossuser
Password: password for the ossuser user
Step 3 Run the following commands to create a temporary directory and copy the log
files to the directory:
mkdir -p /tmp/log
cp /opt/share/oss/NetEco/XXXService/dump/timestamp/timestamp/log file /tmp/log
Step 4 Run the following command to configure permissions for the log files:
chmod 750 /tmp/log/log file
Step 5 Run the following command to exit from the ossuser user:
exit
Step 6 Run the following commands to copy the log files from the temporary directory
to the /home/sopuser directory and configure permissions for the log files:
cp /tmp/log/log file /home/sopuser
chmod 600 /home/sopuser/log file
Step 7 Use FileZilla to log in to the node where SMLogLic resides, as the sopuser user in
SFTP mode. Download the .csv or .zip log file from /home/sopuser to any
directory on the local PC.
Step 8 Use PuTTY to run the following command to delete the log files in the /home/
sopuser directory, as the sopuser user.
rm -rf /home/sopuser/log file
Step 9 Switch to the ossuser user and run the following command to delete the log files
in the /tmp/log directory:
rm -rf /tmp/log/log file
----End
Expected Result
● Security logs, system logs, and operation logs at the Risk level are not
displayed in the list.
● Security logs, system logs, and operation logs with the Failed, Unknown, or
Partially successful operation result are not displayed in the list.
Exception Handling
You can click the value in the Details column of the row that contains the security
log, system log, or operation log at the Risk level or with the Failed or Partially
successful operation result to locate the fault and troubleshoot it.
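The check that the Expected Result describes in 1.22.1.1 and 1.22.1.2 can also be run over an exported or dumped .csv log file. The following script is an added example, not part of the Huawei guide; the column names Level and Result, the other columns, and the sample rows are assumptions, because the guide does not show the file layout.

```shell
#!/bin/sh
# Added example (not from the NetEco guide): list the rows of an exported log
# .csv that the "Expected Result" says should not exist, that is, Level = Risk
# or Result = Failed / Unknown / Partially successful.
# ASSUMPTION: the file has a header row naming the columns "Level" and "Result";
# the guide does not document the layout. Quoted fields may contain commas;
# line breaks inside a quoted field are not handled.

# risky_log_rows FILE: print "<line number>: <row>" for every row to review.
# Exit status 2 if the header has no Level or Result column.
risky_log_rows() {
    awk '
    # Split one CSV record into f[1..n], honouring double-quoted fields.
    function csv_split(line, f,    n, i, c, inq, cur) {
        split("", f); n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq) {
                if (c != "\"") cur = cur c
                else if (substr(line, i + 1, 1) == "\"") { cur = cur "\""; i++ }
                else inq = 0
            }
            else if (c == "\"") inq = 1
            else if (c == ",") { f[++n] = cur; cur = "" }
            else cur = cur c
        }
        f[++n] = cur
        return n
    }
    { sub(/\r$/, "") }                       # tolerate CRLF exports
    NR == 1 {
        n = csv_split($0, h)
        for (i = 1; i <= n; i++) {
            if (h[i] == "Level")  lvl = i
            if (h[i] == "Result") res = i
        }
        if (!lvl || !res) {
            print "Level/Result column not found in header" > "/dev/stderr"
            bad = 1; exit
        }
        next
    }
    {
        csv_split($0, f)
        if (f[lvl] == "Risk" || f[res] == "Failed" || f[res] == "Unknown" ||
            f[res] == "Partially successful")
            print NR ": " $0
    }
    END { if (bad) exit 2 }
    ' "$1"
}

# risky_log_count FILE: number of rows that need review.
risky_log_count() {
    risky_log_rows "$1" | wc -l | tr -d ' '
}

# Constructed sample export (column set and values are invented for the demo).
write_sample_log() {
    cat > "$1" <<'EOF'
Operation,Level,Operator,Time,Details,Result
Log in,Minor,admin,2020-11-30 08:00:01,,Successful
Change password,Risk,opuser1,2020-11-30 08:05:12,Password changed,Successful
Log in,Minor,opuser2,2020-11-30 08:07:40,"Incorrect password, attempt 3",Failed
Export current alarms,Minor,opuser1,2020-11-30 09:00:00,,Partially successful
Create subnet,Minor,admin,2020-11-30 09:10:00,"Retried after Failed, then done",Successful
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
risky_log_rows "$sample"
echo "rows to review: $(risky_log_count "$sample")"
rm -f "$sample"
```

Matching is done on the Level and Result fields only, so the word Failed inside a free-text field does not flag a row.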
1.22.1.3 Checking Whether Online Users Are Authorized (the NetEco)
You can check whether the status and operations of online users on the NetEco
comply with the plan, ensuring system security.
Prerequisites
You have logged in to the NetEco as a security administrator. For details, see 1.1.1
Logging In to the NetEco.
Procedure
Step 1 Choose Security > System Security > User Management.
Step 2 In the navigation pane, choose Online Users.
Step 3 Refresh the user list.
Step 4 Click Monitor in the Operation column of the row that contains the user to be
queried, and view operations of this user in the User Operations area.
----End
Expected Result
● The login IP address and login time in the user list comply with the plan.
● The role to which the user is attached complies with the plan.
Exception Handling
● If an online user meets one of the following conditions, click Log Out in the
Operation column of the row that contains this user to forcibly log it out and
then modify the policies and information about it as planned:
– The login time policy does not comply with the plan.
– The client IP address policy does not comply with the plan.
– The role to which the user is attached does not comply with the plan.
● If an online user has performed operations of the Risk level, check whether
these operations comply with the plan. If they do not, modify permissions of
this user.
1.22.2 Weekly Maintenance
This section describes weekly maintenance tasks to ensure stable system
operation.
1.22.2.1 Checking Backup Data
O&M personnel must periodically check the backup file status of the
PowerEcho, product data, product applications, and database applications to
ensure that backup files can be obtained in a timely manner to restore the system
when exceptions occur.
Prerequisites
● The IP address of the backup server has been obtained.
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Check the backup file status of the PowerEcho, product data, product applications,
and database applications. For details, see Table 1-94.
Table 1-94 Checking backup files
Task: Check the backup files of product data.
Operation: Choose Backup and Restore > Data Restoration > Restore Product Data from
the main menu, and check the backup files in the Backup File column.
Task: Check the backup file of product applications.
Operation: Choose Backup and Restore > Data Restoration > Restore Product Application
from the main menu, and check the backup files in the Backup File column.
Task: Check the backup files of database applications.
Operation: Choose Backup and Restore > Data Restoration > Restore Database
Application from the main menu and check the backup files in the Backup File column.
Task: Check the backup files of the PowerEcho.
Operation:
1. Use PuTTY to log in to the backup server as a user with SSH access permission.
2. Run the following command to query backup files in the backup path:
> cd /root directory of the backup server user/path specified in the backup parameters/management/management/timestamp/node name
NOTE
For example, if the login user of the backup server is ossadm, the directory is
/home/ossadm/bin/management/management/20190829002834588/node.
3. Run the following command to query the size of the backup files in the backup path:
> ll -h /root directory of the backup server user/path specified in the backup parameters/management/management/timestamp/node name
Information similar to the following is displayed. Check the size of the
management.tar.gz package. In this example, the size is 3.2 GB.
total 3.2G
-rw-------. 1 root root 3.2G Dec 7 20:57 management.tar.gz
-rw-------. 1 root root 225 Dec 7 20:57 management.tar.gz.sign
● If backup files exist, no further action is required.
● If the backup files do not exist, go to Step 2.
Step 2 Back up data. For details, see Table 1-95.
Table 1-95 Backing up data
Task: Back up product data.
Operation:
1. Choose Backup and Restore > Configuration > Configure Scheduled Backup Task
from the main menu and check whether the scheduled backup task is enabled.
– If it is enabled, go to Step 2.2.
– If it is not enabled, enable the scheduled backup task.
2. Choose Backup and Restore > Data Backup > Back Up Product Data from
the main menu. On the Back Up Product Data page, manually back up the product
data as prompted.
Task: Back up product applications.
Operation: Choose Backup and Restore > Data Backup > Back Up Product Application
from the main menu. On the Back Up Product Application page, perform operations as
prompted.
Task: Back up database applications.
Operation: Choose Backup and Restore > Data Backup > Back Up Database Application
from the main menu. On the Back Up Database Application page, perform
operations as prompted.
Task: Back up the PowerEcho application and data.
Operation: Choose Backup and Restore > Data Backup > Back Up PowerEcho from the
main menu. On the Back Up PowerEcho page, perform operations as prompted.
● If the backup task is successfully executed, no further operation is required.
● If the backup task fails, choose System > Task List from the main menu.
On the page that is displayed, click and view the failure information about
the backup task in the Details area. Then rectify the fault based on the
information or contact Huawei technical support.
----End
1.22.2.2 Checking User Configuration (the NetEco)
You can check user configuration on the NetEco, including basic user information,
the role to which a user is attached, and user access control policies, ensuring
system security.
Prerequisites
You have logged in to the NetEco as a security administrator. For details, see 1.1.1
Logging In to the NetEco.
Procedure
Step 1 Choose Security > System Security > User Management.
Step 2 In the navigation pane, choose Users.
Step 3 On the Users page, click the user to be viewed. The user details page is displayed.
NOTE
Click [icon] and choose Export All Users, or select multiple users and click Export Selected
Users to export and view user information in batches.
Step 4 Click the Basic Information, Roles, and Access Policies tabs to check whether the
user configuration is correct.
----End
Expected Result
● Basic user information is correctly configured.
● The user is attached to the planned role. User permissions and managed
objects comply with the plan.
● User access control policies are correct. That is, the login time policy and
client IP address policy comply with the plan.
Exception Handling
If the configuration of a user does not comply with the expected result, click the
username and configure the user information as planned.
1.22.3 Monthly Maintenance
This section describes monthly maintenance tasks to ensure stable system
operation.
1.22.3.1 Checking the Certificate Validity Period (the PowerEcho)
This section uses the IR certificate as an example to describe how to check the
validity period of the certificate. Check the validity period of other certificates by
replacing the path in the command as required.
Prerequisites
You have obtained the IP address of the management node and the passwords for
the sopuser and ossadm users.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to check the certificate validity period:
> cd /opt/oss/manager/etc/ssl/internal
> cat server.cer
The following information is displayed:
Certificate:
Data:
...
Validity
Not Before: Mar 31 05:28:05 2015 GMT
Not After : Mar 28 05:28:05 2025 GMT
...
Information following Validity indicates the certificate validity period. The time on
the right of Not After indicates the time when the certificate expires.
If the certificate is about to expire, update it to ensure the proper running of the
related functions.
----End
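The Not After line that Step 3 displays can be turned into a days-remaining figure so that the monthly check does not depend on reading the date by eye. The following script is an added example, not part of the Huawei guide; it assumes GNU date, and the warning threshold is a value chosen by the caller because the guide does not define "about to expire". The sample file is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the NetEco guide): read the expiry date from the
# certificate text shown in Step 3 and report how many days remain.
# ASSUMPTIONS: GNU date (for -d); the warning threshold is chosen by the
# caller, the guide does not define "about to expire".

# cert_not_after FILE: print the Not After timestamp found in FILE.
# Accepts the text form shown by "cat server.cer" and the "notAfter=..."
# line printed by "openssl x509 -in FILE -noout -enddate".
cert_not_after() {
    tr -d '\r' < "$1" |
        sed -n -e 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' \
               -e 's/^notAfter=//p' |
        head -n 1
}

# cert_expiry_epoch FILE: expiry as seconds since the epoch.
# Returns 2 if no date is present or the date cannot be parsed.
cert_expiry_epoch() {
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || return 2
    date -u -d "$not_after" +%s 2>/dev/null || return 2
}

# cert_days_left FILE [NOW_EPOCH]: whole days until expiry, truncated toward 0.
# NOW_EPOCH defaults to the current time; pass it to evaluate a planned date.
cert_days_left() {
    expiry=$(cert_expiry_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (expiry - now) / 86400 ))
}

# cert_status FILE WARN_DAYS [NOW_EPOCH]: print OK, EXPIRING, EXPIRED or UNKNOWN.
# The comparison is done in seconds so that a certificate that expired a few
# hours ago is reported as EXPIRED, not as "0 days left".
cert_status() {
    expiry=$(cert_expiry_epoch "$1") || { echo UNKNOWN; return 0; }
    now=${3:-$(date -u +%s)}
    if [ "$expiry" -le "$now" ]; then
        echo EXPIRED
    elif [ $(( expiry - now )) -le $(( $2 * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Constructed sample: the Validity block from the output shown in Step 3.
write_sample_cert_text() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Validity
            Not Before: Mar 31 05:28:05 2015 GMT
            Not After : Mar 28 05:28:05 2025 GMT
EOF
}

sample=$(mktemp)
write_sample_cert_text "$sample"
echo "expires: $(cert_not_after "$sample")"
echo "status with a 30-day threshold: $(cert_status "$sample" 30)"
rm -f "$sample"
```

On the management node the same functions can be pointed at /opt/oss/manager/etc/ssl/internal/server.cer, or at the path of any other certificate checked in this section.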
1.22.3.2 Cleaning Up Disk Space
Symptom
Operations such as logging in to the system or installing software packages
occasionally fail due to insufficient disk space.
Prerequisites
You have obtained the passwords for the sopuser and root users of the node
whose disk space is to be cleared.
Possible Causes
The system has been running for a long time but the disk space has not been
cleared. As a result, the disk space is insufficient.
Procedure
NOTICE
Deleted files cannot be restored. Exercise caution when performing the following
operations.
Step 1 Use PuTTY to log in to the node whose disk space is to be cleared, as the sopuser
user in SSH mode.
NOTE
To clear the disk space of the backup server, log in to the node as the backup server user.
Step 2 Run the following command to switch to the root user:
> su - root
Password: password for the root user
Step 3 Run the following command to check the usage of each partition:
# df -h
In the command output, if the usage of a partition exceeds 80%, clear the space.
Filesystem                     Size  Used Avail Use% Mounted on
/dev/xvda3                      17G  2.5G   14G  16% /
devtmpfs                       7.8G  152K  7.8G   1% /dev
tmpfs                          7.8G     0  7.8G   0% /dev/shm
/dev/xvda1                    1003M   50M  903M   6% /boot
/dev/xvda5                    1003M   18M  935M   2% /home
/dev/xvda10                    5.0G  915M  3.9G  19% /usr
/dev/xvda6                     3.0G  176M  2.7G   7% /var
/dev/xvda7                     5.0G  3.0G  1.7G  64% /var/log
/dev/xvda8                    1003M   18M  935M   2% /var/log/audit
/dev/xvda9                    1003M   18M  935M   2% /var/tmp
/dev/mapper/oss_vg-opt_vol      89G   76G   13G  85% /opt
/dev/mapper/oss_vg-optlog_vol   30G  178M   28G   1% /opt/log
Step 4 For example, to clear the /opt directory, run the following commands to go to
the /opt directory and sort the directories in descending order of occupied space
size (unit: MB).
# cd /opt
# du -sm * |sort -rn
The following command output shows that the pub directory occupies the largest
space, that is, about 12.5 GB.
12492 pub
5887 tools
……
1 aquota.user
1 aquota.group
Step 5 Run the following commands to go to the pub directory and sort the directories in
descending order of occupied space size (unit: MB).
# cd pub
# du -sm * |sort -rn
The following command output shows that the software directory occupies the
largest space.
12492 software
557 upload
1 manager
1 backup_local
Step 6 Run the following commands to go to the software directory and find
unnecessary files that occupy large space:
# cd software
# du -sm * |sort -rn
Find unnecessary files that occupy large space in the displayed file list and record
the file names.
Step 7 Run the following command to delete the unnecessary files:
# rm -r xxx
NOTE
● xxx indicates files to be deleted.
● The deleted files cannot be restored. Exercise caution when performing this operation.
Step 8 Run the following command to exit the root user:
# exit
Step 9 Repeat the preceding operations to clear the space of directories whose usage
exceeds 80% if any. Otherwise, skip this step.
----End
Suggestions
Check and clear the disk space periodically.
1.22.3.3 Checking the Time Zone and Time
You need to periodically check that the time zone and time are correct. Otherwise,
time-related operations, such as backup, restoration, and operation log recording,
may be affected.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
● You have obtained the local time zone and time of the node. You can visit
https://www.timeanddate.com to query the local standard time zone and
time of the node.
Procedure
Step 1 On the PowerEcho, choose Maintenance > Time Management > Configure Time
Zone and Time from the main menu.
Step 2 Check whether the current time zone and time of the node are consistent with the
local time zone and time of the node.
● If the time zones and time are consistent, no further action is required.
● If the time zones and time are not consistent, change the time zone and time
of the node. For details, see 1.7.1 Changing the Time Zone and Time.
----End
1.22.4 Quarterly Maintenance
This section describes quarterly maintenance tasks to ensure stable system
operation.
1.22.4.1 Changing Passwords
For details, see 1.15 Password Management.
1.23 FAQ
1.23.1 Notifications
When setting the parameters for connecting the system to an email server, you
need to configure the certificate of the email server if the SSL/TLS secure
connection is enabled. This section describes how to obtain an email server
certificate on Chrome and Firefox.
1.23.1.1 How Do I Obtain a Mail Server Certificate on Google Chrome?
Question
How do I obtain a mail server certificate on Google Chrome?
Answer
NOTE
Operations on the browser may vary depending on browser versions but are similar to the
examples in the following steps. You are advised to perform the operations based on actual
situations.
Step 1 In the address box on Google Chrome, enter the IP address for logging in to the
mail server and press Enter.
Step 2 Press F12. On the displayed console, click the Security tab and click View
Certificate.
NOTE
If the console is not displayed after you press F12, allow the console to be displayed in the
pop-up blocker and press F12 again.
Step 3 In the Certificate window, click the Certificate Path tab, and then select the
certificate root path, for example, Huawei IT Root CA.
Step 4 Click the Details tab and click Copy to File.
Step 5 In the displayed Certificate Export Wizard window, click Next.
Step 6 Select Base64 code X.509 (.CER) for Export Format and click Next.
Step 7 Click Browse. In the displayed Save As dialog box, select the certificate storage
path, enter a name for the certificate, and click Save.
Step 8 Click Next.
Step 9 In the displayed dialog box, click Finish. "The export was successful." is displayed.
----End
1.23.1.2 How Do I Obtain a Mail Server Certificate on Firefox?
Question
How do I obtain a mail server certificate on Firefox?
Answer
NOTE
Operations on the browser may vary depending on browser versions but are similar to the
examples in the following steps. You are advised to perform the operations based on actual
situations.
Step 1 In the address box on Firefox, enter the IP address for logging in to the mail server
and press Enter.
Step 2 Click
on the left of the address box.
Step 3 Click More Information.
Step 4 On the Security tab page, click View Certificate.
Step 5 On the Details tab page, click Export.
Step 6 Select the certificate storage path, enter a name for the certificate, and click Save.
----End
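Before the exported file is configured for the mail server connection, it can be checked against what the Chrome and Firefox procedures above are meant to produce: a Base64-encoded X.509 certificate that has not expired and, for the root path selected in the Chrome procedure, is self-issued. The following shell function is an added example and not part of the Huawei guide; it assumes the OpenSSL command-line tool is installed, and the function name and exit codes are illustrative.

```bash
# Added example (not from the guide). Assumes the openssl CLI is available.
# inspect_exported_cert FILE
#   Prints subject, issuer, expiry date and SHA-256 fingerprint of FILE so
#   that they can be compared with what the browser displayed.
#   Exit status: 0 = Base64 (PEM) X.509, not expired, self-issued (root CA)
#                2 = unreadable file
#                3 = not Base64 (PEM) encoded
#                4 = not a parsable certificate
#                5 = expired
#                6 = subject and issuer differ (not a root certificate)
inspect_exported_cert() (
    cert=$1
    [ -r "$cert" ] || { echo "cannot read: $cert" >&2; exit 2; }

    # A "Base64 code X.509 (.CER)" export carries a PEM header; a DER export
    # does not.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "not Base64 (PEM) encoded: $cert" >&2; exit 3; }

    # If the file holds several certificates, openssl reads the first one.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || exit 4

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired: $cert" >&2; exit 5; }

    # A root certificate is self-issued: the subject and issuer names hash
    # to the same value.
    subject_hash=$(openssl x509 -in "$cert" -noout -subject_hash)
    issuer_hash=$(openssl x509 -in "$cert" -noout -issuer_hash)
    [ "$subject_hash" = "$issuer_hash" ] ||
        { echo "not self-issued (intermediate or server certificate): $cert" >&2; exit 6; }
)
```

Compare the printed SHA-256 fingerprint with a value obtained from the certificate's issuer through a separate channel before trusting the file.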
1.23.2 How Do I Query the IP Address of the Node Where a
Service Resides?
Symptom
To locate faults of a service, you need to obtain the management IP address of the
node where the service resides.
Context
A service may correspond to one or more service instances. A service instance
contains one or more processes. Each process may be deployed on the same or
different nodes. FEBS is used as an example to describe how to query the
management IP address of the node where a service resides.
Procedure
Step 1 Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
Step 2 Choose Product > System Monitoring from the main menu.
Step 3 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 4 On the System Monitoring page, click the Services tab.
Step 5 In the upper left corner, enter FEBS in the search box and press Enter.
All FEBS service instances of the current product are displayed.
Step 6 Click the service instance name. The page for service details is displayed.
NOTE
If there are multiple service instances, click them one by one.
Step 7 In the Processes area, click the node name corresponding to the process.
Step 8 On the top of the page for node details, view the IP address, which is the
management IP address of the node.
Step 9 Log in to the node. For details, see 1.23.6 How Do I Log In to the OS of a Node?
----End
1.23.3 How Do I Query the IP Address of the Node Where a
Database Instance Resides?
Symptom
To locate faults of a database, you need to obtain the management IP address of
the node where the database instance resides.
Procedure
Step 1 Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
Step 2 Choose Product > System Monitoring from the main menu.
Step 3 In the upper left corner of the System Monitoring page, move the pointer to
and select the product or PowerEcho.
Step 4 On the System Monitoring page, click the Relational Databases or Redis
Databases tab. On the tab page, click the node name corresponding to the
database instance in the database instance list.
Step 5 On the top of the page for node details, view the IP address, which is the
management IP address of the node.
Step 6 Log in to the node. For details, see 1.23.6 How Do I Log In to the OS of a Node?
----End
1.23.4 How Do I Query the IP Address of a Node?
Symptom
During service fault locating or in other scenarios, you need to obtain the
management IP address of a node based on the name of the node where the
service resides.
Procedure
The following describes how to query the management IP address of a node:
Step 1 Log in to the PowerEcho. For details, see Logging In to the PowerEcho.
Step 2 Choose Product > System Monitoring from the main menu. In the upper left
corner of the System Monitoring page, move the pointer to and select the
product or PowerEcho. On the System Monitoring page, click the Nodes tab.
NOTE
You can determine the deployment mode of the PowerEcho by checking the number of
management nodes on the Nodes tab page of PowerEcho.
● If there is only one management node, the PowerEcho is deployed in single-server
mode.
● If there are multiple management nodes, the PowerEcho is deployed in cluster mode.
Step 3 In the Node Name column, click the name of the node whose management IP
address is to be queried.
Step 4 On the top of the page for node details, view the IP address, which is the
management IP address of the node.
Step 5 Log in to the node. For details, see 1.23.6 How Do I Log In to the OS of a Node?
----End
1.23.5 How Do I Query the Floating IP Address of a Node?
Symptom
To locate faults of a service, you need to obtain the floating IP address based on
the name of the node where the service resides.
Procedure
Step 1 Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
Step 2 Choose Maintenance > Network Configuration > Configure Floating IP Address
from the main menu.
Step 3 In the floating IP address list on the Configure Floating IP Address page, view
the floating IP address in the row that contains the corresponding node.
----End
1.23.6 How Do I Log In to the OS of a Node?
Symptom
The operations of logging in to the OS of a node vary according to the network
connection between the client and the node.
Procedure
The operations of logging in to the OS of a node can be classified into two types
based on the network connection between the client and the node.
● If the network connection between the client and the target node is normal:
Use PuTTY to log in to the target node as the OS user in SSH mode.
● If the network connection between the client and the management node is
normal, but the network connection between the client and the target node is
isolated:
a. Use PuTTY to log in to the management node as the OS user in SSH
mode.
NOTE
If the PowerEcho is deployed in cluster mode, use the floating IP address of the
management node to log in. If you are updating the CA certificate, you are not
advised to use the floating IP address of the management node to log in.
Otherwise, the SSH connection will be disconnected if the floating IP address
becomes abnormal.
b. Run the following command to switch to the target node:
ssh IP address of the target node
1.23.7 How Do I Check the Disk Usage?
Periodically check the disk usage to prevent the system from being affected by
insufficient space.
Precautions
For the backup server node, if the available space of the /opt directory is
insufficient, the backup tasks may fail. Periodically check the space and rectify the
fault.
Procedure
Step 1 Use PuTTY to log in to the backup server as the backup server user in SSH mode.
For details, see 1.1.2 Logging In to the PowerEcho.
NOTE
If the management node is used as the backup server, log in to the backup server as the
sopuser user in SFTP mode and then switch to the backup server user.
Step 2 Run the following command to check the usage of each partition:
# df -h
The backup directory /opt/backup on the backup server is used as an example.
The /opt partition where the backup directory resides has only 13 GB free space.
Clear the space in a timely manner. For details, see 1.22.3.2 Cleaning Up Disk
Space.
Filesystem                     Size  Used Avail Use% Mounted on
/dev/xvda3                      17G  2.5G   14G  16% /
devtmpfs                       7.8G  152K  7.8G   1% /dev
tmpfs                          7.8G     0  7.8G   0% /dev/shm
/dev/xvda1                    1003M   50M  903M   6% /boot
/dev/xvda5                    1003M   18M  935M   2% /home
/dev/xvda10                    5.0G  915M  3.9G  19% /usr
/dev/xvda6                     3.0G  176M  2.7G   7% /var
/dev/xvda7                     5.0G  3.0G  1.7G  64% /var/log
/dev/xvda8                    1003M   18M  935M   2% /var/log/audit
/dev/xvda9                    1003M   18M  935M   2% /var/tmp
/dev/mapper/oss_vg-opt_vol      89G   76G   13G  85% /opt
/dev/mapper/oss_vg-optlog_vol   30G  178M   28G   1% /opt/log
----End
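The periodic check can be scripted instead of read by eye. The following shell function is an added example and not part of the Huawei guide: it reads df output and reports every file system whose usage exceeds a limit, using the 80% figure from 1.22.3.2 as the default. The function names are illustrative, and the embedded listing is a constructed sample based on the output shown above.

```bash
# Added example (not from the guide).
# over_threshold [LIMIT]
#   Reads df output on stdin and prints "MOUNTPOINT USE%" for every file
#   system whose usage exceeds LIMIT percent (default 80).
#   Returns 1 if at least one file system is over the limit, otherwise 0.
#   Mount points that contain spaces are not supported.
over_threshold() {
    awk -v limit="${1:-80}" '
        NF < 2 { next }                    # blank line, or a long device name
                                           # wrapped onto a line of its own
        {
            use = $(NF - 1)                # Use% is the second-to-last column
            mount = $NF                    # Mounted on is the last column
            if (use !~ /^[0-9]+%$/) next   # skips the header row
            sub(/%$/, "", use)
            if (use + 0 > limit + 0) {
                print mount, use "%"
                over = 1
            }
        }
        END { exit (over + 0) }'
}

# Constructed sample: the df -h listing from this section, with the long
# /dev/mapper device name wrapped onto its own line as df does without -P.
sample_df() {
    cat <<'EOF'
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda3       17G  2.5G   14G  16% /
devtmpfs        7.8G  152K  7.8G   1% /dev
tmpfs           7.8G     0  7.8G   0% /dev/shm
/dev/xvda1     1003M   50M  903M   6% /boot
/dev/xvda5     1003M   18M  935M   2% /home
/dev/xvda10     5.0G  915M  3.9G  19% /usr
/dev/xvda6      3.0G  176M  2.7G   7% /var
/dev/xvda7      5.0G  3.0G  1.7G  64% /var/log
/dev/xvda8     1003M   18M  935M   2% /var/log/audit
/dev/xvda9     1003M   18M  935M   2% /var/tmp
/dev/mapper/oss_vg-opt_vol
                 89G   76G   13G  85% /opt
/dev/mapper/oss_vg-optlog_vol
                 30G  178M   28G   1% /opt/log
EOF
}
```

On a node, feed it live data with `df -hP | over_threshold 80`; the -P option keeps each file system on one line.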
1.23.8 How Do I Determine the Deployment Mode of the
PowerEcho?
Check the number and names of nodes to determine whether the PowerEcho is
deployed in single-server or cluster mode.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select PowerEcho.
Step 3 Click the Nodes tab, and view the Node Name column.
● If there is only one node, that is Management, the PowerEcho is deployed in
single-server mode.
● If there are multiple nodes, the PowerEcho is deployed in cluster mode.
----End
1.23.9 How Do I Determine the Deployment Mode of Nodes?
Check the IP addresses of the management node and product nodes to determine
whether the management node and a product node are the same node.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Check and record the IP address of the management node.
1. On the PowerEcho, choose Product > System Monitoring from the main
menu.
2. In the upper left corner of the System Monitoring page, move the pointer to
and select PowerEcho.
3. On the Nodes tab page, click the node name. In the upper left corner of the
page for node details, record the management IP address.
NOTE
If the PowerEcho is deployed in cluster mode, that is, there are multiple management
nodes on the Nodes tab page, view and record the management IP address of each
management node.
Step 2 Check and record the management IP address of each product node, and check
whether it is the same as the management IP address of the management node.
1. On the PowerEcho, choose Product > System Monitoring from the main
menu.
2. In the upper left corner of the System Monitoring page, move the pointer to
and select the product.
3. On the Nodes tab page, click the name of each node. In the upper left corner
of the page for node details, check whether the management IP address is the
same as that recorded in Step 1.
– If yes, the management node and the product node are the same node.
– If no, the management node and the product node are different nodes.
----End
1.23.10 How Do I Determine the Deployment Mode of a
Database Instance?
Check the database information of the PowerEcho or a product to determine
whether the database instance of the PowerEcho or the product is a single
instance or has a master/slave relationship.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose Product > System Monitoring from the main menu.
Step 2 In the upper left corner of the System Monitoring page, move the pointer to
and select PowerEcho or the product.
Step 3 On the Relational Database tab page, check the role of the database instance.
● If Role in the row that contains the database instance is Master, the database
instance is a master instance.
● If Role in the row that contains the database instance is Slave, the database
instance is a slave instance.
● If Role in the row that contains the database instance is --, the database
instance is a single instance.
----End
1.23.11 How Do I Check Whether Management Nodes and
Product Nodes Use the Same Database Software?
Check whether the database software used by the management node is the same
as that used by the product node.
Prerequisites
● You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 Check and record the database software that the management node on the
co-deployed node uses.
1. On the PowerEcho, choose Product > System Monitoring from the main
menu.
2. In the upper left corner of the System Monitoring page, move the pointer to
and select PowerEcho.
3. On the Relational Databases tab page, view and record the database type of
the management node in the Database Type column.
Step 2 Check the database software that the product node on the co-deployed node uses,
and check whether the product node and the management node use the same
database software.
1. On the PowerEcho, choose Product > System Monitoring from the main
menu.
2. In the upper left corner of the System Monitoring page, move the pointer to
and select the product.
3. On the Relational Databases tab page, check whether the value in the
Database Type column is the same as that recorded in Step 1.
– If yes, the management node and the product node use the same
database software.
– If no, the management node and the product node use different
database software.
----End
1.23.12 Performing Security Hardening or Dehardening for
Internal Ports
After the server is installed, deploy a hardware firewall to reduce the risk of attacks
on the server and improve security. If a hardware firewall is unavailable, you are
advised to configure the OS firewall to perform security hardening for the internal
ports of the server to ensure security.
Prerequisites
● You have obtained the passwords for the sopuser and ossadm users of the
management node.
● The firewall functions provided by the OS have been enabled.
● Security hardening files have been imported when you import the planning
data package.
Context
After the security hardening has been performed for the product ports, you can
perform security hardening for all nodes of the product. After the security
hardening, internal ports can be accessed only from internal nodes. This improves
the security.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Perform security hardening or dehardening for internal ports of the server as
required.
● To perform security hardening for internal ports, run the following commands:
> cd /opt/oss/manager/agent/bin
> bash iptables_adm.sh -cmd setIPTables -product productName
If information similar to the following is displayed, the security hardening for
internal ports of productName is performed successfully:
Product productName setIPTables succeed.
● To perform security dehardening for internal ports, run the following
commands:
> cd /opt/oss/manager/agent/bin
> bash iptables_adm.sh -cmd restoreIPTables -product productName
NOTE
productName indicates the product name.
If information similar to the following is displayed, the security dehardening
for internal ports of productName is performed successfully:
Product productName restoreIPTables succeed.
----End
1.23.13 How Do I Solve the Problem of Slow Response When
Multiple Tab Pages of a Browser Are Opened?
Symptom
Because of browser performance limits, the response may be slow when you open
multiple tab pages for the PowerEcho in the same browser.
Troubleshooting Procedure
You are advised to close unnecessary tab pages so that the browser does not have
more than 10 tab pages opened at the same time.
1.23.14 How Do I Query the Node Name Corresponding to the
IP Address of the Management Node?
Symptom
If the backup server is normal but the PowerEcho cannot be accessed, you need to
check the name of the node corresponding to the management node.
Prerequisites
You have obtained the IP address, username, and password of the backup server.
Procedure
Step 1 Use PuTTY to log in to the backup server as the backup server user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the management node is used as the backup server, log in to the backup server as the
sopuser user in SSH mode.
Step 2 Run the following commands to view the node name corresponding to the IP
address of the management node:
> cd /root directory of the backup server/path specified in the backup parameters/management/management/timestamp
> cat backupNodeNameToIp.txt
If information similar to the following is displayed, you can view the node name
using the IP address of the management node:
{node0=10.18.16.148, node1=10.18.16.144, node2=10.18.16.146}
----End
1.23.15 How Do I Create a Backup Path for a Backup Server?
Symptom
Before setting backup parameters, I need to create a backup path in the default
directory of the SFTP user for storing backup data. How can I create the path?
Creating a Backup Directory in CLI Mode
Step 1 Use PuTTY to log in to the backup server as the backup server user in SSH mode.
The username ftpuser is used as an example.
Step 2 Run the following commands to create a backup path:
NOTE
The full path can contain a maximum of 60 characters. Otherwise, the path cannot be used
for backup.
> mkdir backup
> ll
If information similar to the following is displayed, the backup directory is created
successfully:
drwxr-x---. 2 ftpuser ossgroup 6 Dec 27 16:44 backup
----End
Creating a Backup Path on the Web Client
Step 1 Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
Step 2 On the PowerEcho, choose Backup and Restore > Configuration > Configure
Backup Parameters from the main menu.
Step 3 In the Backup Server area, configure the IP address, port number, username, and
password of the backup server.
Step 4 Click
to verify the connectivity between all nodes and the backup server.
Step 5 Click
, the editing page is displayed. Click
and select a backup path.
Step 6 In the Select Backup Path dialog box, perform operations as prompted.
NOTE
The full path can contain a maximum of 60 characters. Otherwise, the path cannot be used
for backup.
----End
1.23.16 How Do I Check the Deployment Status of a Product?
This section describes how to check the status of a product after installation or
upgrade.
Procedure
Step 1 Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
Step 2 On the PowerEcho, choose Product > Software Management > Deploy Product
Software from the main menu.
Step 3 On the Deploy Product Software page, check the status of the product.
----End
1.23.17 How Do I View Command Audit Logs?
This section describes how to query the command audit logs recorded in the
system.
Procedure (EulerOS)
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Run the following command to switch to the root user:
> su - root
Password: password for the root user
Step 3 Run the following commands to create a temporary directory for storing logs, and
copy the OS logs to the temporary directory:
In the following operations, the log_info directory is used as an example. Replace
it based on site requirements.
# mkdir /tmp/log_info
# cp /var/log/messages /tmp/log_info
# chown sopuser:ossgroup -R /tmp/log_info
# chmod -R 700 /tmp/log_info
Step 4 Download the OS logs from the /tmp/log_info directory to your local PC.
1. Run the following command to exit from the root user:
# exit
2. Run the following command to copy the OS logs from the /tmp/log_info
directory to the home directory /home/sopuser of the sopuser user:
> cp /tmp/log_info/messages /home/sopuser
3. Use FileZilla to log in to the node with logs to be queried, as the sopuser user
in SFTP mode. For details, see 1.24.2 Transferring Files Using FileZilla.
4. Download the OS log files in .csv or .zip format from /home/sopuser to any
directory on your local PC.
Step 5 After the logs are downloaded successfully, delete the temporary directory.
1. Use PuTTY to log in to the management node as the sopuser user in SSH
mode. For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on
Management0. For details about how to obtain the IP address of a node, see 1.23.4
How Do I Query the IP Address of a Node?
2. Run the following command to switch to the root user:
> su - root
Password: password for the root user
3. Run the following command to delete the /tmp/log_info directory:
# cd /tmp
# rm -rf log_info
4. Run the following command to exit from the root user:
# exit
5. Run the following commands to delete the file uploaded to the temporary
directory:
> cd /home/sopuser
> rm -rf log file
----End
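The staging steps above use a fixed directory name under /tmp, a world-writable location where a directory of that name may already exist and belong to another local user when root runs the copy. The following functions are an added example and not part of the Huawei guide: they perform the same copy into a randomly named directory created with mktemp -d under a restrictive umask, and remove it afterwards. The names stage_log and remove_staged and their arguments are illustrative.

```bash
# Added example (not from the guide).
# stage_log SRC [OWNER]
#   Copies the log file SRC into a new, randomly named directory that only
#   its owner can access, and prints the directory path.
#   OWNER (for example sopuser:ossgroup) is applied with chown when given;
#   that requires root, as in Step 3 of the procedure.
stage_log() (
    src=$1
    owner=${2:-}

    # Refuse anything that is not a regular file, including symbolic links.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2
        exit 1
    fi

    # The function body runs in a subshell, so this umask does not leak into
    # the caller. New files and directories get no group or other access.
    umask 077

    # mktemp -d creates the directory atomically with an unpredictable suffix
    # and fails instead of reusing an existing path.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/log_info.XXXXXXXX") || exit 1

    if ! cp -- "$src" "$dir/"; then
        rm -rf -- "$dir"
        exit 1
    fi

    # Hand the copy to the account that will download it.
    if [ -n "$owner" ] && ! chown -R -- "$owner" "$dir"; then
        rm -rf -- "$dir"
        exit 1
    fi

    printf '%s\n' "$dir"
)

# remove_staged DIR
#   Deletes a directory created by stage_log once the download is finished.
#   Only paths that match the stage_log naming pattern are accepted.
remove_staged() {
    case $1 in
        "${TMPDIR:-/tmp}"/log_info.????????) rm -rf -- "$1" ;;
        *) echo "refusing to remove: $1" >&2; return 1 ;;
    esac
}
```

As root, `dir=$(stage_log /var/log/messages sopuser:ossgroup)` replaces the mkdir, cp, chown and chmod commands of Step 3, and `remove_staged "$dir"` replaces the deletion in Step 5.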
1.23.18 How Do I View Database Audit Logs?
This section describes how to query the database audit logs recorded in the
system.
Prerequisites
You have obtained the passwords for the sopuser and dbuser users of the
database node.
Procedure (Redis and GaussDB T V3 Databases)
Step 1 Use PuTTY to log in to the node where the abnormal database instance resides as
the sopuser user in SSH mode. For details about how to obtain the IP address of
the node, see 1.23.3 How Do I Query the IP Address of the Node Where a
Database Instance Resides?
Step 2 Run the following command to switch to the dbuser user:
su - dbuser
Password: password for the dbuser user
Step 3 Run the following commands to obtain the database instance name:
cd /opt/type/data/
ls -al
NOTE
type indicates the database type, such as redis and zenith.
Step 4 Run the following commands to view the log files:
● For the Redis database, run the following commands:
cd /opt/redis/data/database instance name
more database instance name-login.log
● For the GaussDB T V3 database, run the following commands:
cd /opt/zenith/data/database instance name/log/audit
more zengine.aud or more zengine_times.aud
NOTE
The database instance name is obtained through Step 3.
----End
1.23.19 How Do I Prevent PuTTY from Being Disconnected
upon Timeout?
Question
How do I prevent PuTTY from being disconnected upon timeout?
Answer
When an operation is being performed on PuTTY, PuTTY may be disconnected
upon timeout. As a result, the operation result cannot be obtained. Perform the
following operations to prevent PuTTY from being disconnected:
Step 1 Use PuTTY to log in to the desired node as the sopuser user in SSH mode.
Step 2 Run the following command to query the PuTTY timeout period:
> export | grep TMOUT
If information similar to the following is displayed, PuTTY is automatically
disconnected if no operation is performed within 300 seconds:
declare -x TMOUT="300"
Step 3 Run the following command to set the PuTTY timeout period to 1 hour:
> export TMOUT=3600
NOTE
After the operation on PuTTY is complete, run the following command to restore the PuTTY
timeout period to the value obtained in Step 2.
> export TMOUT=300
----End
1.23.20 How Do I Check the Active/Standby Status of a Node?
Question
How do I check the active/standby status of a node?
Answer
Step 1 If the web client of the PowerEcho can be accessed, perform the following
operations to obtain the IP addresses of the nodes where OMMHA resides. In
other cases, obtain the IP addresses from the system administrator.
1. Log in to the PowerEcho. For details, see 1.1.2 Logging In to the PowerEcho.
2. On the PowerEcho, choose Product > System Monitoring from the main
menu.
3. In the upper left corner of the System Monitoring page, move the pointer to
and select PowerEcho.
4. Click the Processes tab. In the upper left corner, search for ommha in the
search box.
All nodes where OMMHA resides are displayed in the list.
5. Click the name of a node. On the top of the node details page, the IP address
is the management IP address of the node.
Step 2 Use PuTTY to log in to a node where OMMHA resides, as the sopuser user in SSH
mode.
Step 3 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 4 Run the following commands to check the active/standby status and resource
status of the node:
> cd /opt/oss/manager/apps/OMMHAService/bin
> bash status.sh
If information similar to the following is displayed, the value of HAActive
indicates the active/standby status of the node. If the value is active, the node is
the active node. If the value is standby, the node is the standby node. The value
of HostName indicates the node name. You can query the IP address of a node by
node name. For details, see 1.23.4 How Do I Query the IP Address of a Node?
Ha mode
double
NodeName HostName HaVersion   StartTime           HAActive HAAllResOK HARunPhase
ha1      node-111 V100R001C01 2018-04-07 14:22:33 active   normal     Active
ha2      node1    V100R001C01 2018-04-07 14:23:12 standby  normal     Inactive
... ...
----End
1.24 Common Operations
1.24.1 Logging In to a Server Using PuTTY
After the OS is installed, you can use PuTTY to log in to a server in SSH mode. This
section uses PuTTY 0.70 as an example.
Prerequisites
You have obtained PuTTY of the latest version from
https://www.chiark.greenend.org.uk/~sgtatham/putty/ and have installed it on your
local PC.
NOTE
Obtain PuTTY 0.70 or later.
Procedure
Step 1 Start PuTTY.
Step 2 In the Host Name (or IP address) text box, enter the IP address of the server that
you want to log in to.
NOTE
Log in to the server using its fixed IP address to prevent floating IP address abnormalities
from interrupting the SSH connection.
Step 3 In the Connection type area, select SSH.
Step 4 In the Close window on exit area, select Only on clean exit.
Step 5 Choose Window > Translation from the navigation tree.
Step 6 Set Remote character set to UTF-8.
NOTE
Set Remote character set to UTF-8 every time you open PuTTY.
Step 7 Click Open.
NOTE
If this is the first time you are using PuTTY, the PuTTY Security Alert dialog box may be
displayed. Click Yes.
Step 8 When the following information is displayed, enter a username and press Enter:
login as:
NOTE
After the OS security is hardened, only users with the SSH permission (for example,
sopuser) are allowed to log in to the server.
Step 9 When the following information is displayed, enter the user password and press
Enter:
Username@IP address's password:
NOTE
For security purposes, change the password periodically and keep the new password secure.
----End
1.24.2 Transferring Files Using FileZilla
This section describes how to use FileZilla to transfer files. This section uses
FileZilla 3.25.1 as an example.
Prerequisites
You have obtained FileZilla of the latest version from https://filezilla-project.org
and have installed it on your PC.
NOTE
Obtain FileZilla 3.25.1 or later.
Procedure
Step 1 Start FileZilla.
Step 2 In the FileZilla window, choose File > Site Manager from the main menu.
Step 3 In the lower left area of the Site Manager dialog box, click New Site.
Step 4 On the General tab page, set site parameters based on Table 1-96.
Table 1-96 Parameters in the Site Manager dialog box
Parameter        Description
Host             IP address of the server.
Port             22
Protocol         SFTP
Logon Type       Set this parameter to Normal.
User, Password   Enter the username and password of the server. The user has
                 permission to access the destination directory.
                 NOTE
                 After the OS security hardening is performed, you cannot log in to the
                 server as the root user in SFTP mode. Instead, you can log in to the server
                 only as a user with SFTP access permission, for example, the sopuser user.
Step 5 Click Connect.
Step 6 In the Unknown host key dialog box, select Always trust this host, add this key
to the cache and click OK.
Step 7 In the Remote site area, set the destination directory for uploading or
downloading files.
After you set the directory, the Remote site area displays all files stored in this
directory.
Step 8 In the Local site area, set the source directory on the PC for uploading or
downloading files.
After you set the directory, the Local site area displays all files stored in this
directory.
Step 9 Perform the following operations as required.
If You Need to...   Then...
Upload files        In the Local site area, right-click the file to be
                    uploaded on the PC and choose Upload from the
                    shortcut menu.
Download files      In the Remote site area, right-click the file to be
                    downloaded to the PC and choose Download from the
                    shortcut menu.
NOTE
You can click the Successful transfers or Failed transfers tab to view the operation
process. If the upload or download fails, click the Failed transfers tab in the lower left area
of the FileZilla window. Then right-click the file that fails to be transferred and choose
Reset and requeue selected files from the shortcut menu to resume the file transfer.
----End
1.24.3 Uninstalling the NetEco
This section describes how to uninstall the NetEco using commands. You can
perform operations in this section if you need to reinstall the NetEco.
Prerequisites
You have obtained the password for the sopuser user and root user of the NetEco.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, log in to any management node and perform
the uninstallation operation.
Step 2 Run the following command to switch to the root user:
$ su - root
Password: password for the root user
Step 3 Run the following commands to uninstall the NetEco:
# cd /opt/NetEcoTools/
# bash uninstall.sh
When the following information is displayed, enter y or Y and press Enter:
Are you sure to continue? [y/n]
NOTE
To cancel the uninstallation, enter n or N.
If the following information is displayed, the NetEco is successfully uninstalled.
Otherwise, contact Huawei technical support.
Uninstall... done
----End
1.24.4 Encrypting the Private Key of the Signature Certificate (the PowerEcho)
Before updating the certificate, obtain the private key file of the signature
certificate. The private key must be encrypted using the AES-128-CBC algorithm.
If the obtained private key is not encrypted, encrypt it by following the
instructions provided in this section. The User Management certificate is used
as an example.
Prerequisites
●
You have generated or purchased the following files: signing_cert.pem,
ca.pem, and signing_key.pem.
–
signing_cert.pem: public key of the signature certificate. The following
configurations are supported when the signing_cert.pem file is
generated:
▪
You can determine whether to configure keyUsage and
extendedKeyUsage in the configuration file.
▪
If only keyUsage is configured, its value must contain Digital
Signature and Key Encipherment.
▪
If both keyUsage and extendedKeyUsage are configured, the value
of keyUsage must contain Digital Signature and Key
Encipherment, and the value of extendedKeyUsage must contain
the Secure Email Object Identifier (OID) 1.3.6.1.5.5.7.3.4.
–
signing_key.pem: private key of the signature certificate.
–
ca.pem: trust certificate of the CA.
●
You have obtained the passwords for the sopuser and ossadm users for
logging in to the node where the service that requires private key encryption
resides.
Procedure
Step 1 Use FileZilla to upload the signing_key.pem file to the /home/sopuser directory
on the management node, as the sopuser user in SFTP mode. For details, see
1.24.2 Transferring Files Using FileZilla.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
Step 3 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 4 Run the following command to copy the signing_key.pem file to the certificate
storage directory:
> cp /home/sopuser/signing_key.pem /home/ossadm
Step 5 Run the following command to change the file permission:
> cd /home/ossadm
> chmod 770 signing_key.pem
Step 6 Run the following command to encrypt the private key:
> openssl rsa -in signing_key.pem -aes128 -out signing_key.pem
Enter the password as prompted.
Enter PEM pass phrase: password for signing_key.pem
Verifying - Enter PEM pass phrase: password for signing_key.pem
NOTE
The encrypted signing_key.pem file overwrites the unencrypted signing_key.pem file in
the current directory.
Step 7 Run the following command to switch to the sopuser user:
> exit
Step 8 Run the following command to copy the newly encrypted signing_key.pem file to
the /home/sopuser directory:
> cp /home/ossadm/signing_key.pem /home/sopuser
Step 9 Use FileZilla to download the signing_key.pem file in the /home/sopuser
directory to your local PC, as the sopuser user in SFTP mode.
Step 10 Use PuTTY to delete the temporary file as the sopuser user:
> cd /home/sopuser/
> rm -rf signing_key.pem
Step 11 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 12 Run the following command to delete the temporary file in the /home/ossadm/
directory:
> cd /home/ossadm/
> rm -rf signing_key.pem
----End
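The result of Step 6 can be confirmed from the PEM header before the file is downloaded in Step 9. The shell functions below are an added example, not part of the guide or the product: the function names and the sample files are constructed for illustration, and a key in PKCS#8 form (BEGIN ENCRYPTED PRIVATE KEY) is reported separately because its cipher is inside the ASN.1 body rather than in a DEK-Info header.

```shell
#!/bin/sh
# Added example: report how a PEM private key file is protected.
# Output of pem_key_protection FILE (function name is hypothetical):
#   plaintext         unencrypted key, no Proc-Type/DEK-Info headers
#   legacy:<CIPHER>   traditional PEM encryption, cipher read from DEK-Info
#   pkcs8-encrypted   BEGIN ENCRYPTED PRIVATE KEY, cipher is inside the ASN.1
#   unknown           no private key block found
pem_key_protection() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { kind = "pkcs8-encrypted"; exit }
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ { seen = 1; next }
        !seen { next }
        /^Proc-Type:[ \t]*4,ENCRYPTED/ { enc = 1; next }
        /^DEK-Info:/ {
            sub(/^DEK-Info:[ \t]*/, "")
            split($0, f, ",")          # "<cipher>,<hex IV>"
            cipher = f[1]
            next
        }
        /^[ \t\r]*$/ { exit }          # blank line closes the header block
        !/:/ { exit }                  # first base64 line: there were no headers
        END {
            if (kind != "")               print kind
            else if (enc && cipher != "") print "legacy:" cipher
            else if (seen)                print "plaintext"
            else                          print "unknown"
        }
    ' "$1"
}

# Gate before the download step: succeed only when the key is encrypted
# with the AES-128-CBC cipher that the section requires.
key_ready_for_update() {
    state=$(pem_key_protection "$1") || return 2
    case "$state" in
        legacy:AES-128-CBC) return 0 ;;
        *) echo "$1: $state (expected legacy:AES-128-CBC)" >&2; return 1 ;;
    esac
}

# Constructed sample files. The base64 bodies are placeholders, not real keys.
make_sample_keys() {
    dir=$1
    body='Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ=='
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$dir/aes128.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0011223344556677' '' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$dir/des3.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8.pem"
}

# Run the classifier over the constructed samples.
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
for name in plain aes128 des3 pkcs8; do
    printf '%-12s %s\n' "$name.pem" "$(pem_key_protection "$demo_dir/$name.pem")"
done
rm -rf "$demo_dir"
```

On the server, `key_ready_for_update /home/ossadm/signing_key.pem` run as ossadm after Step 6 returns non-zero if the key is still plaintext or was encrypted with a different cipher.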
1.24.5 How Do I Change the Database Instance Password?
If the password of a database instance fails to be changed when you change the
database passwords of the PowerEcho in batches, and the password of the
instance cannot be changed on the GUI, you can run commands to change the
password.
Prerequisites
●
You have obtained the passwords for the sopuser and ossadm users of the
management node.
●
You have obtained information about the database whose password is to be
changed, such as the database instance name, database type, and database
username. To obtain such information, on the PowerEcho, choose System >
Log Management > Operation Logs from the main menu and view the
operation log details.
●
You have obtained the old and new passwords of the database user whose
password is to be changed.
●
All services of the product have been stopped. For details, see 1.5.2 Stopping
Product Services.
●
Services of the database with the database user password to be changed are
running properly. For details, see 1.3.4 Monitoring Databases.
Context
The user password must meet the password complexity requirements.
The password rules are as follows:
●
The password must contain 8 to 64 characters.
●
The password must be a combination of the following four types of
characters:
–
Uppercase letters
–
Lowercase letters
–
Digits
–
Special characters ~ @ # ^ * - _ + [ { } ] : . / ?
●
The password cannot contain more than two consecutive identical characters.
●
The same character can be used three times at most.
●
The password must contain at least two characters different from the initial
password.
●
The password cannot contain the username or the reverse of it, regardless of
the letter case.
NOTE
● For the GaussDB T V3 database, the new password must meet the complexity
requirements and contain at least two characters different from the old password.
The new password cannot be the same as any used in the past 60 days, and
cannot be the same as any of the last three passwords.
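Because product services are stopped for this procedure, it helps to check a candidate password against the rules above before running modifydbpad.sh. The following function is an added example, not the product's own validator; check_db_password is a hypothetical name and the sample passwords are constructed. Two readings are assumptions: characters outside the four listed types are rejected, and "two characters different" is counted as characters of the new password that do not occur in the old one. The GaussDB T V3 history rules are not covered.

```shell
#!/bin/sh
# Added example: pre-check a new database user password against the listed rules.
# Usage: printf '%s\n%s\n' "$old" "$new" | check_db_password USERNAME
# stdin line 1 = old password, line 2 = candidate, so neither appears in argv.
# Prints one line per violated rule and returns 0 only if none is violated.
check_db_password() {
    awk -v user="$1" '
        function fail(msg) { print msg; bad = 1 }
        function has(set, ch) { return index(set, ch) > 0 }
        NR == 1 { old = $0 }
        NR == 2 { new = $0 }
        END {
            upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            lower = "abcdefghijklmnopqrstuvwxyz"
            digit = "0123456789"
            special = "~@#^*-_+[{}]:./?"       # the set listed in the guide
            n = length(new)
            if (n < 8 || n > 64) fail("length must be 8 to 64 characters")
            for (i = 1; i <= n; i++) {
                c = substr(new, i, 1)
                if (has(upper, c)) u = 1
                else if (has(lower, c)) l = 1
                else if (has(digit, c)) d = 1
                else if (has(special, c)) s = 1
                else other = 1                 # assumption: reject anything else
                run = (i > 1 && c == prev) ? run + 1 : 1
                if (run > maxrun) maxrun = run
                if (++seen[c] > maxseen) maxseen = seen[c]
                if (!has(old, c)) differ++     # assumption: set-based difference
                prev = c
            }
            if (!(u && l && d && s))
                fail("must mix uppercase, lowercase, digits and special characters")
            if (other) fail("contains a character outside the listed sets")
            if (maxrun > 2) fail("more than two consecutive identical characters")
            if (maxseen > 3) fail("a character is used more than three times")
            if (differ < 2)
                fail("fewer than two characters differ from the old password")
            lu = tolower(user); ln = tolower(new); rev = ""
            for (i = length(lu); i >= 1; i--) rev = rev substr(lu, i, 1)
            if (lu != "" && (index(ln, lu) || index(ln, rev)))
                fail("contains the username or its reverse")
            exit bad + 0
        }
    '
}

# Constructed sample values, not real credentials: three identical
# characters in a row are reported as a violation.
printf '%s\n%s\n' 'Changeme_123' 'Paaasw0rd#Xy' | check_db_password dbuser || true
```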
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations only on Management0.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I Query the
IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to change the database user password:
> cd /opt/oss/manager/agent/MaintenanceService/tools/sysmt
> bash modifydbpad.sh -pn all -dbtype "database type" -inst database instance name -u database username [-startProduct true]
NOTE
● database type indicates the type of the database user to be changed.
● database instance name indicates the name of the database instance to be changed. If
the database has master and slave database instances, enter the master database
instance number. Obtain the master database instance number on the Relational
Databases tab page of the System Monitoring page of the corresponding product.
● database username indicates the name of the database user with password to be
changed, for example, dbuser.
● If the startProduct parameter is set to true, the product services will be automatically
restarted after the database user password is changed. If the parameter is set to false,
the product services will not be automatically started.
The following information is displayed. Enter the old password, new password, and
confirm the new password.
Old Password:
New Password:
Retype New Password:
The product information is displayed. Enter the ID of the product whose database
password needs to be changed, for example, 1.
1.productDesc:product alias productName:product name productType:product type
productNum: 1
If the following information is displayed, the password has been changed
successfully:
change dbpad by instance successful.
----End
1.24.6 Querying the Version Number of the PowerEcho
This section describes how to query the version number of the PowerEcho using a
browser.
Prerequisites
You have logged in to the PowerEcho. For details, see 1.1.2 Logging In to the
PowerEcho.
Procedure
Step 1 On the PowerEcho, choose System > About from the main menu.
Step 2 In the About window that is displayed, query the version number of the
PowerEcho.
----End
1.24.7 Checking the Status of the PowerEcho Service
This section describes how to check the status of the PowerEcho service by
running commands.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
If the PowerEcho is deployed in cluster mode, perform operations on Management0 and
then on Management1. For details about how to obtain the IP address of a node, see
1.23.4 How Do I Query the IP Address of a Node?
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Check the running status of the PowerEcho.
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd statusapp -tenant manager
Information similar to the following is displayed:
Process Name          Process Type      App Name          Tenant Name  Process Mode  IP            PID     Status
backupwebsite-0-0     backupwebsite     BackupWebsite     manager      cluster       10.93.95.239  341187  RUNNING
unideploywebsite-0-0  unideploywebsite  UniDeployWebsite  manager      cluster       10.93.95.239  341202  RUNNING
...
[All Processes: 16] [Running: 16] [Not Running: 0]
●
If the value of Not Running is 0, all processes are running properly.
●
If the value of Not Running is not 0, there are processes that are not running
or faulty.
NOTE
You can check the status of a process by checking its Status value.
● If Status is RUNNING, the process is running properly.
● If Status is STOPPED, the process is stopped.
● If Status is ABNORMAL, the process is abnormal. Run the ipmc_adm -cmd restartapp
-tenant manager command to restart the process. If the problem persists, contact
Huawei technical support.
Step 4 If the PowerEcho is deployed in cluster mode, that is, there are multiple
management nodes, perform the following operations:
1.
Use PuTTY to log in to the node where OMMHA resides, as the sopuser user
in SSH mode. For details about how to obtain the IP address of a node, see
1.23.2 How Do I Query the IP Address of the Node Where a Service
Resides?
2.
Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3.
Run the following commands to check the OMMHA process status:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd statusapp -app OMMHAService -tenant manager
Information similar to the following is displayed:
Process Name  Process Type  App Name      Tenant Name  Process Mode  IP            PID    Status
ommha-0-0     ommha         OMMHAService  manager      multi         10.93.95.239  25334  RUNNING
[All Processes: 1] [Running: 1] [Not Running: 0]
----End
1.24.8 Abnormal NTP Server Status
Symptom
On the PowerEcho, choose Maintenance > Time Management > Configure NTP
from the main menu. In the NTP server list, the time synchronization status of the
added NTP server is Abnormal.
Possible Causes
●
The network is faulty.
●
The time synchronization relationship between the NTP server and the
management node is abnormal.
Prerequisites
You have obtained the passwords for the sopuser and root users of the
management node.
Troubleshooting Procedure
Step 1 Check whether the network connection between the management node and its
upper-level NTP server is normal.
1.
Use PuTTY to log in to the management node as the sopuser user in SSH
mode.
NOTE
If the PowerEcho is deployed in cluster mode, log in to all the management nodes and
perform the following operations. For details about how to obtain the IP address of a
node, see 1.23.4 How Do I Query the IP Address of a Node?
2.
Run the following command to switch to the root user:
> su - root
Password: password for the root user
3.
Run the following command to check whether the network connection
between the management node and its upper-level NTP server is normal.
# ntpq -np
remote            refid       st t when poll reach   delay   offset  jitter
==============================================================================
* x.x.x.x         LOCAL(0)     6 u   90  128  377    0.199   -0.024   0.043
–
If the values of reach, delay, offset, and jitter are not 0 in the command
output, the network connection between the management node and its
upper-level NTP server is normal.
–
If the values of reach, delay, offset, and jitter are 0 in the command
output, the network connection between the management node and its
upper-level NTP server is abnormal.
4.
Run the following command to exit from the root user:
# exit
Step 2 Check whether the NTP service of the upper-level NTP server is normal.
Contact NTP engineers to check the NTP service status. Ensure that the NTP
service has started and has been provided for the PowerEcho.
Step 3 Check whether the NTP service of the management node is normal.
1.
Use PuTTY to log in to the management node as the sopuser user in SSH
mode.
NOTE
If the PowerEcho is deployed in cluster mode, log in to all the management nodes and
perform the following operations.
2.
Run the following command to switch to the root user:
> su - root
Password: password for the root user
3.
Check whether the NTP service is running:
# service ntpd status
–
If the command output contains active (running), the NTP service on
the management node is started.
–
If the command output contains inactive (dead), the NTP service on the
management node is not started. Run the service ntpd start command
to start the NTP service on the management node.
4.
Run the following command to exit from the root user:
# exit
Step 4 If the preceding check result is normal but the time synchronization status of the
NTP server is still Abnormal, perform the following operations:
1.
Log in to the PowerEcho. For details, see 1.10.1 Managing Software
Packages.
2.
On the PowerEcho, choose Maintenance > Time Management > Configure
NTP from the main menu. On the Configure NTP page, click Reconfigure.
3.
In the Confirm dialog box, click Yes.
4.
On the PowerEcho, choose Maintenance > Time Management > Configure
Time Zone and Time from the main menu. On the Configure Time Zone
and Time page, click Forcibly Synchronize.
NOTE
If you want to perform other configuration operations that need to restart product
services or product databases after forcibly synchronizing the time zone and time, do
not select Automatically start the product databases and product services after
the forcible synchronization in the Warning dialog box. In this case, product
databases and product services are not automatically started after the forcible
synchronization, which prevents them from being restarted several times.
In a remote cold backup scenario, if you are forcibly synchronizing the time zone and
time of the secondary site, do not select Automatically start the product databases
and product services after the forcible synchronization in the Warning dialog box.
This prevents the product services of the secondary site from being restarted, which
would cause the product to become dual-active.
5.
Choose System > Task List from the main menu. Wait until the task for
forcibly synchronizing time zone and time is complete.
----End
1.24.9 Managing Passwords in the Weak Password Dictionary
For security purposes, do not use passwords that are vulnerable to cracking.
Passwords in the weak password dictionary are not allowed, and you can add
passwords to or change existing passwords in the weak password dictionary as
required.
Prerequisites
You have obtained the passwords for the sopuser and root users of the
management node.
Procedure
Step 1 Export the weak password dictionary to a user-defined file.
1.
Use PuTTY to log in to the node with OS user password to be changed, as the
sopuser user in SSH mode. For details about how to obtain the IP address of
a node, see 1.23.4 How Do I Query the IP Address of a Node?
2.
Run the following command to switch to the root user:
> su - root
Password: password for the root user
3.
Run the following command to export the default password dictionary to
the /usr/share/cracklib/dictionary.txt file:
# cracklib-unpacker /usr/share/cracklib/pw_dict > /usr/share/cracklib/dictionary.txt
NOTE
The path and file name /usr/share/cracklib/dictionary.txt can be customized. Change
it as required, but ensure that the format is .txt.
Step 2 Check or change passwords in the weak password dictionary as required.
●
Checking passwords in the weak password dictionary
# cat /usr/share/cracklib/dictionary.txt
●
Changing passwords in the weak password dictionary
a.
Run the following command to open the /usr/share/cracklib/dictionary.txt
file using the vi editor:
# vi /usr/share/cracklib/dictionary.txt
b.
In the vi editor, press i to enter the editing mode. After the modification,
press Esc to exit the editing mode, and enter :wq! to save the
modification and exit the vi editor.
c.
Run the following command to update the dictionary:
# create-cracklib-dict /usr/share/cracklib/dictionary.txt
d.
Run the following command to delete the /usr/share/cracklib/dictionary.txt
file:
# cd /usr/share/cracklib/
# rm -rf dictionary.txt
e.
Run the following command to exit the root user:
# exit
----End
1.24.10 Restoring the CA Certificates That Failed to Be Updated
If a message is displayed, indicating that services on the management node fail to
be started when you update the CA certificate of the management node, restore
the CA certificate from the backups in a timely manner. This prevents the
PowerEcho or the NetEco from being unavailable due to a certificate exception.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the
management node.
Precautions
●
If the PowerEcho is deployed in cluster mode, do not use the floating IP
address of the management node to log in. Otherwise, PuTTY will be
disconnected during the certificate update, causing the certificate update to
fail.
●
If the CA certificate fails to be updated, the system automatically backs up
the CA certificate and IR certificates to the /tmp/cert/CA and
/tmp/cert/internal directories on the management node, respectively.
●
If the PowerEcho is deployed in cluster mode, the CA certificate and IR
certificates are backed up only to Management0 or Management1.
●
Services need to be restarted so that the certificates can take effect after the
restoration. You are advised to perform this operation in off-peak hours.
Procedure
Step 1 Use PuTTY to log in to the management node as the sopuser user in SSH mode.
For details about how to obtain the IP address of a node, see 1.23.4 How Do I
Query the IP Address of a Node?
If the PowerEcho is deployed in cluster mode, perform the following operations:
1.
Log in to Management0 and Management1.
2.
Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3.
Run the following commands to check whether the /tmp/cert/CA and
/tmp/cert/internal directories exist:
> cd /tmp/cert
> ll
If information similar to the following is displayed, the /tmp/cert/CA
and /tmp/cert/internal directories exist. Perform Step 3 on the management
node where the directories exist.
total 8
drwx------. 5 ossadm ossgroup 4096 Mar 10 11:59 CA
drwx------. 2 ossadm ossgroup 4096 Mar 10 11:59 internal
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to restore the CA certificate by using the backup CA
certificate:
> cp -a /tmp/cert/CA/* /opt/oss/manager/var/ca/
> cp -a /tmp/cert/internal/* /opt/oss/manager/etc/ssl/internal/
NOTE
To roll back after you have retried the update, run the following commands:
> cp -a /tmp/cert_old/CA/* /opt/oss/manager/var/ca/
> cp -a /tmp/cert_old/internal/* /opt/oss/manager/etc/ssl/internal/
Step 4 Restore the certificates of the management node.
1.
Run the following commands to restore the IR certificates:
> cd /opt/oss/manager/agent/bin
> bash osskey -cmd replace_ircerts
The following information is displayed:
Are you sure to replace IR certs(Y/N):
2.
Enter y and press Enter.
If the following information is displayed, the task is successfully executed:
Execute osskey cmd:replace_ircerts Successful
Step 5 Check whether the dbsvc_tool file exists. If yes, restore the database certificates.
1.
Run the following commands to check whether the dbsvc_tool file exists:
> ls -al /opt/oss/manager/apps/DBAgent/bin/dbsvc_tool &> /dev/null
> echo $?
2.
Perform operations based on the command output.
Table 1-97 Operations based on command outputs
Command Output: 0
Operation: The dbsvc_tool file exists. Run the following commands to restore the
database certificates:
> bash /opt/oss/manager/apps/DBAgent/bin/dbsvc_tool -cmd change-node-cert -type all
> echo $?
If 0 is displayed, the database certificates are restored. Perform the subsequent
operations. Otherwise, contact Huawei technical support.
Command Output: Values other than 0
Operation: The dbsvc_tool file does not exist. Perform the subsequent operations.
Step 6 Restart the services on the node.
1.
Run the following commands to stop services on the node:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopnode
If success is displayed for all services, the services are stopped successfully.
2.
Run the following commands to start services on the node:
> ipmc_adm -cmd startnode
If success is displayed for all services, the services are started successfully.
Step 7 If the PowerEcho is deployed in cluster mode, restore the certificates of other
management nodes.
1.
Run the following command as the ossadm user on the management node
that you have logged in to in Step 1 to copy the backup CA certificate and IR
certificates to the temporary directory:
> cp -r /tmp/cert /tmp/cert_bak
2.
Run the following commands to configure permissions for the certificate files
in the temporary directory and then switch to the sopuser user:
> chmod -R 750 /tmp/cert_bak
> exit
3.
Run the following command to copy the certificate files from the temporary
directory to the temporary directory under /home/sopuser:
> cp -fr /tmp/cert_bak /home/sopuser/cert
4.
Use FileZilla to download the /home/sopuser/cert directory on the
management node to your local PC, as the sopuser user in SFTP mode. For
details, see 1.24.2 Transferring Files Using FileZilla.
The /cert directory contains the CA and internal folders.
5.
Use FileZilla to upload the downloaded /cert directory to the /home/sopuser
directory on the other management node, as the sopuser user in SFTP mode.
If the /cert directory is downloaded from Management0, upload the /cert
directory to Management1. If the /cert directory is downloaded from
Management1, upload the /cert directory to Management0. Upload the /cert
directory to the corresponding management node as required.
6.
Use PuTTY to delete the temporary directory created on the management
node, as the ossadm user.
> su - ossadm
> cd /home/sopuser
> rm -rf cert
7.
Run the following commands to switch to the sopuser user and delete the
temporary directories:
> exit
> cd /tmp
> rm -rf cert_bak
> cd /home/sopuser
> rm -rf cert
8.
Use PuTTY to log in to the management node to which the /cert directory has
been uploaded, as the sopuser user in SSH mode.
9.
Run the following command to copy the files from the /home/sopuser
directory to the temporary directory:
> cp -r /home/sopuser/cert /tmp/cert_new
10. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
11. Run the following commands to copy the certificate files from the temporary
directories to certificate storage directories:
> cp -r /tmp/cert_new/CA/* /opt/oss/manager/var/ca
> cp -r /tmp/cert_new/internal/* /opt/oss/manager/etc/ssl/internal
12. Run the following commands to configure permissions for the certificate files
and delete temporary files:
> find /opt/oss/manager/var/ca -type f | xargs chmod 600
> find /opt/oss/manager/etc/ssl/internal -type f | xargs chmod 600
> exit
> cd /tmp
> rm -rf cert_new
13. Perform Step 4 to Step 6 to restore the CA certificate and IR certificates of
the management node that you have logged in to.
14. Restore the IR certificates on management nodes other than Management0
and Management1, as the ossadm user.
----End
1.24.11 Updating IR Certificates on the Product Nodes Failed When CA Certificates Are Being Updated
If the new certificate is used to update the CA certificate of the management node
and the IR certificates on the product nodes fail to be updated, manually update
the IR certificates on the nodes that fail to be updated.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of the node
where the certificate update failed.
Context
When the CA certificate is updated, the system copies the CA certificate of the
PowerEcho as the certificate of the NetEco, that is, trust.cer.
Precautions
●
If the CA certificate fails to be updated, the system automatically backs up
the CA certificate and IR certificates to the /tmp/cert/CA and
/tmp/cert/internal directories on the management node, respectively.
●
Services need to be restarted so that the certificates can take effect after the
restoration. You are advised to perform this operation in off-peak hours.
Procedure
Step 1 Use PuTTY to log in to the product node where certificate update fails, as the
sopuser user in SSH mode.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to stop services on the node:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopnode
Step 4 Run the following commands to restore the certificates on the node where the
update fails:
> cd /opt/oss/manager/agent/bin
> bash osskey -cmd replace_ircerts
The following information is displayed:
Are you sure to replace IR certs(Y/N):
Step 5 Enter y and press Enter.
If the following information is displayed, the task is successfully executed:
Execute osskey cmd:replace_ircerts Successful
Step 6 Run the following commands to check whether the time of the certificate is
consistent with the current system time:
> cd /opt/oss/manager/etc/ssl/internal
> ll
Information similar to the following is displayed:
total 40
......
-rw-------. 1 ossadm ossgroup 8025 Aug 20 11:22 trust.cer
......
●
If the time of trust.cer is consistent with the system time, the certificate is
restored successfully. Go to Step 7.
●
If the time of trust.cer is inconsistent with the system time, the certificate is
unavailable or fails to be restored. Contact Huawei technical support.
Step 7 Perform the following operations to restore database certificates on the node:
1.
Run the following commands to check whether the dbsvc_tool file exists:
> ls -al /opt/oss/manager/apps/DBAgent/bin/dbsvc_tool &> /dev/null
> echo $?
–
If 0 is displayed, the file exists. Go to Step 7.2.
–
If 0 is not displayed, the file does not exist. Go to Step 8.
2.
Run the following commands to restore the database certificates on the node:
> bash /opt/oss/manager/apps/DBAgent/bin/dbsvc_tool -cmd change-node-cert -type all
> echo $?
–
If 0 is displayed, the database certificates are restored. Go to Step 8.
–
If 0 is not displayed, the database certificates fail to be restored. Contact
Huawei technical support.
Step 8 Run the following commands to start services on the node:
> ipmc_adm -cmd startnode
If success is displayed for all services, the services are started successfully.
Step 9 Run the following command to delete the backup certificates:
> cd /tmp/cert/
> rm -rf *
> ll
If the following information is displayed, the certificates are deleted successfully.
Otherwise, contact Huawei technical support.
total 0
----End
1.24.12 Faults of Multiple Management Nodes
Symptom
The PowerEcho is deployed in cluster mode and uses the GaussDB database. The
PowerEcho is unreachable.
Possible Causes
●
The service or database of the PowerEcho is abnormal.
●
Multiple management nodes are faulty.
Troubleshooting Procedure
Step 1 Use FileZilla to obtain the backup package of the PowerEcho and the signature
file stored on the backup server, as the backupuser user. The backup
files are stored in /backup/management/management/timestamp/node name.
Step 2 Use FileZilla to upload the backup file of the PowerEcho and the signature file to
the /tmp directory on all management nodes, as the sopuser user in SFTP
mode. For details, see 1.24.2 Transferring Files Using FileZilla.
Step 3 Disable the switchover between the master and slave database instances.
1.
Use PuTTY to log in to Management0 as the sopuser user in SSH mode. For
details, see 1.24.1 Logging In to a Server Using PuTTY.
NOTE
Perform this operation only on Management0. For details about how to obtain the IP
address of a node, see 1.23.4 How Do I Query the IP Address of a Node?
2.
Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3.
Run the following commands to disable the switchover between the master
and slave database instances within 180 minutes:
> cd /opt/oss/manager/agent/bin
> bash dbha_switch_tool.sh -cmd set-ignore-nodes -nodes all -expire 180
If the following information is displayed, the command execution is successful.
Go to Step 4. If Successful is not displayed, the command execution fails. Go
to Step 4.
Successful.
Step 4 Stop the service and databases of the PowerEcho.
1. Use PuTTY to log in to each management node as the sopuser user in SSH
mode and perform the following operations:
2. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3. Run the following commands to stop the service and databases of the
PowerEcho:
> source /opt/oss/manager/bin/engr_profile.sh
> ipmc_adm -cmd stopmgr
If information similar to the following is displayed, the service and databases
of the PowerEcho are stopped successfully. If the service and databases fail to
be stopped, go to Step 5.
...
============================ Stopping management processes is complete.
...
============================ Stopping management dc is complete
4. Run the following command to copy the third-party integrity check tool
package to the /tmp directory:
> cp /opt/oss/manager/tools/BKSigntool-tool version-OS_system type_pkg.tar /tmp
Step 5 Perform the pre-restoration processing operations based on the node type.
1. Use PuTTY to log in to Management0, Management1, and Management2 as
the sopuser user in SSH mode.
2. Run the following command to switch to the root user:
> su - root
Password: password for the root user
3. Run the following commands to perform the pre-restoration processing
operations:
– On Management0 and Management1, run the following commands:
# [ -d /opt/share/oss/manager-bak ] || cp -a /opt/share/oss/manager /opt/share/oss/manager-bak
# rm -rf /opt/share/oss/manager/{Etcd/,MCZKService/,ServiceCenter/}
– On Management2, run the following commands:
# [ -d /opt/share/oss/manager-bak ] || cp -a /opt/share/oss/manager /opt/share/oss/manager-bak
# rm -rf /opt/share/oss/manager/{Etcd/,MCZKService/}
Step 6 On Management0 or Management1, query the node where the master
mgrdbInstanceName database instance resides. If the faulty node you have logged
in to is not Management0 or Management1, skip this step.
1. Use PuTTY to log in to Management0 or Management1 as the sopuser user
in SSH mode.
2. Run the following commands to query the node where the master
mgrdbInstanceName database instance resides:
> cd /tmp
> zgrep --binary-files=text 'mgrdbInstanceName=managedbsvr' management.tar.gz
– If information similar to the following is displayed, the master
mgrdbInstanceName database instance resides on the node:
mgrdbInstanceName=managedbsvr-0-999
– If no information is displayed, the slave instance of the
mgrdbInstanceName database instance resides on the node.
Step 7 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 8 Restore the application and data of the PowerEcho. For details, see Table 1-98.
NOTE
● Perform Step 8 to Step 10 on nodes in the following sequence to ensure the restoration
is successful: node where the master mgrdbInstanceName database instance resides,
node where the slave mgrdbInstanceName database instance resides, and other nodes.
● The restoration of the PowerEcho takes a long time, so PuTTY may be disconnected
during the restoration due to timeout. Configure PuTTY to prevent it from being
disconnected. For details, see 1.23.19 How Do I Prevent PuTTY from Being
Disconnected upon Timeout?
Table 1-98 Restoring the PowerEcho

Node: Node where the master mgrdbInstanceName database instance resides
Operation:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement restoreManagement.sh /tmp/management.tar.gz
NOTE
If the management node and the product node are the same node and use the same
database software, and the database software is damaged and needs to be restored,
add yes to the end of the command. If yes is not added, the database software is
not restored by default. During database software restoration, the product
functions may be unavailable for a short period of time.
For example:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement restoreManagement.sh /tmp/management.tar.gz yes
When the following information is displayed, enter y and press Enter:
Are you sure you want to restore the database applications? [y/n]

Node: Other nodes
Operation:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement recoveryGaussManagement.sh /tmp/management.tar.gz
NOTE
If the management node and the product node are the same node and use the same
database software, and the database software is damaged and needs to be restored,
add yes to the end of the command. If yes is not added, the database software is
not restored by default. During database software restoration, the product
functions may be unavailable for a short period of time.
For example:
> sudo /usr/local/uniepsudobin/execute.sh /tmp/BKSigntool-tool version-OS_system type_pkg.tar /opt/backupManagement recoveryGaussManagement.sh /tmp/management.tar.gz yes
When the following information is displayed, enter y and press Enter:
Are you sure you want to restore the database applications? [y/n]
● If the following information is displayed, the PowerEcho is successfully
restored, and the database instances and the PowerEcho service are started
successfully.
Management restored successfully.
● If the following information is displayed, the PowerEcho service fails to be
started during the restoration. Contact Huawei technical support to check the
statuses of the database instances of the PowerEcho.
ERROR: Start management app service falied.
ERROR: Please check if the dbInstance status is ok, if its not ok, please recovery the dbInstance first,
and then try to start management.
ERROR: Restore management failure.
– If the statuses of the PowerEcho database instances are normal, the
PowerEcho service startup failure is not caused by exceptions in the
database instances of the PowerEcho. Contact Huawei technical support.
– If the statuses of the PowerEcho database instances are abnormal,
restore the databases first. Manually start the PowerEcho service. For
details, see 1.4.7 Starting the PowerEcho Service.
● If information similar to the following is displayed, the PowerEcho backup file
fails to be verified. Contact Huawei technical support.
ERROR: Verify /opt/backupManagement/management.tar.gz failed.
ERROR: Restore management failure.
● If the following information is displayed, the task execution fails. Contact
Huawei technical support.
ERROR: Restore management failure.
Step 9 Run the following command to exit the ossadm user:
> exit
Step 10 Run the following commands to delete the files uploaded to the temporary
directory:
> rm -rf /tmp/management.tar.gz
> rm -rf /tmp/management.tar.gz.sign
> rm -rf /tmp/BKSigntool-tool version-OS_system type_pkg.tar
Step 11 Enable the switchover between the master and slave database instances.
1. Use PuTTY to log in to Management0 as the sopuser user in SSH mode.
NOTE
If the PowerEcho is deployed in cluster mode, perform the operations on
Management0.
2. Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
3. Run the following commands to enable the switchover between the master
and slave database instances:
> cd /opt/oss/manager/agent/bin
> bash dbha_switch_tool.sh -cmd del-ignore-nodes
If Successful is not displayed, the command execution fails. Contact Huawei
technical support.
----End
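The backup file, its signature file and the integrity check tool package are staged in /tmp (Step 2 and Step 4) and later read by a command run through sudo (Step 8). The shell functions below are an added example, not part of the Huawei guide, that check those staged files immediately before Step 8. The function names and the choice of checks are assumptions for illustration, and GNU stat, gzip and sha256sum are assumed to be available on the node.

```shell
#!/bin/sh
# Added example, not part of the guide: pre-flight checks on restore inputs
# staged in /tmp. Assumes GNU stat, gzip and sha256sum on the node.

# check_staged_file FILE OWNER
# Succeeds only if FILE is a non-empty regular file (not a symlink), owned by
# OWNER, and not writable by group or others.
check_staged_file() {
    f=$1
    owner=$2
    if [ -L "$f" ]; then
        echo "FAIL $f: symbolic link" >&2; return 1
    fi
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
        echo "FAIL $f: missing, empty or not a regular file" >&2; return 1
    fi
    if [ "$(stat -c %U "$f")" != "$owner" ]; then
        echo "FAIL $f: not owned by $owner" >&2; return 1
    fi
    mode=$(stat -c %a "$f")            # octal permission bits, e.g. 600
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $f: mode $mode is group- or world-writable" >&2; return 1
    fi
}

# preflight DIR UPLOAD_OWNER TOOL_OWNER TOOL_TAR
# DIR          staging directory (/tmp in the guide)
# UPLOAD_OWNER account that uploaded the backup and signature (sopuser)
# TOOL_OWNER   account that copied the BKSigntool package (ossadm)
# TOOL_TAR     file name of the BKSigntool package in DIR
preflight() {
    dir=$1; upload_owner=$2; tool_owner=$3; tool=$4
    rc=0
    check_staged_file "$dir/management.tar.gz" "$upload_owner" || rc=1
    check_staged_file "$dir/management.tar.gz.sign" "$upload_owner" || rc=1
    check_staged_file "$dir/$tool" "$tool_owner" || rc=1
    [ "$rc" -eq 0 ] || return 1
    # A truncated or corrupted upload fails the gzip integrity test.
    if ! gzip -t "$dir/management.tar.gz" 2>/dev/null; then
        echo "FAIL $dir/management.tar.gz: gzip integrity test failed" >&2
        return 1
    fi
    # Digests for comparison with values recorded on the backup server.
    sha256sum "$dir/management.tar.gz" "$dir/management.tar.gz.sign" "$dir/$tool"
}
```

Call it as `preflight /tmp sopuser ossadm <BKSigntool package file name>` right before the restore command. It complements the signature verification performed during restoration and does not replace it.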
1.24.13 Querying a Product Name
You can query the product name based on the IP address of a product node.
Prerequisites
You have obtained the passwords for the sopuser and ossadm users of a product
node.
Procedure
Step 1 Use PuTTY to log in to a product node as the sopuser user in SSH mode.
Step 2 Run the following command to switch to the ossadm user:
> su - ossadm
Password: password for the ossadm user
Step 3 Run the following commands to query the name of the product on the node:
> cd /opt/oss/manager/etc/sysconf
> cat nodelists.json
Information similar to the following is displayed. Find the entry whose IP
address is that of the node you logged in to in Step 1. The value of
assignedToTenancy in that entry is the name of the product to which the node
belongs.
...
"1": {
    ...
    "role": [
        "APP"
    ],
    "azName": "service",
    "regionName": "cn-global-1",
    "IPAddresses": [
        {
            "iface": "eth0",
            "IP": "10.10.19.241",
            "usage": [
                "maintenance"
            ],
            "alias": "ip769217480",
            "mask": "255.255.254.0"
        }
    ],
    "type": "APP",
    "assignedToTenancy": "product name",
----End
1.24.14 Product Node Faults
Symptom
On the PowerEcho, choose Product > System Monitoring. On the displayed page,
Connection Status of the node under the product is Disconnected.
Possible Causes
● The network is faulty.
● The node is powered off.
Troubleshooting Procedure
Step 1 Execute the check items and check methods in Table 1-99 and rectify the fault
according to the corresponding troubleshooting methods.
NOTE
Product node faults can have complex causes. This section provides basic
troubleshooting methods for rectifying the fault. If the faults persist after you perform the
following operations, collect the fault information and contact Huawei technical support.
Table 1-99 Troubleshooting product node faults

No.: 1
Check Item: Network connection
Check Method: Contact the administrator to check whether the network connection is normal.
Troubleshooting Method: Contact the network administrator to restore the network.

No.: 2
Check Item: Running status of VMs or physical machines
Check Method: Contact the administrator to check whether VMs or physical machines are abnormal, for example, powered-off or deleted.
Troubleshooting Method: Contact the administrator to restore the VMs or physical machines.

No.: 3
Check Item: Running status of application software
Check Method: Log in to the PowerEcho, and choose Product > System Monitoring from the main menu. In the upper left corner of the System Monitoring page, move the pointer to and select the product. On the Nodes tab page, Connection Status is Disconnected.
Troubleshooting Method:
● If Node Type is APP, the abnormal node is a product application. Restore the abnormal application. For details, see 1.11.7.2 Restoring Product Applications.
● If Node Type is DB, the abnormal node is a database application. Restore the abnormal database application. For details, see 1.11.7.1 Restoring Database Applications.
● If Node Type is APP and DB, the abnormal node is both a database application and a product application. Restore the database application first, and then restore the product application. For details, see 1.11.7.2 Restoring Product Applications and 1.11.7.1 Restoring Database Applications.

No.: 4
Check Item: Database instance status
Check Method: Log in to the PowerEcho, and choose Product > System Monitoring from the main menu. In the upper left corner of the System Monitoring page, move the pointer to and select the product. On the Relational Databases or Redis Databases tab page, the status of the database instance is Not Running.
Troubleshooting Method: If the status of the database instance is Not Running, restore the database instance. For details, see 1.11.7.1 Restoring Database Applications.

No.: 5
Check Item: Service instance status
Check Method: Log in to the PowerEcho, and choose Product > System Monitoring from the main menu. In the upper left corner of the System Monitoring page, move the pointer to and select the product. On the Services tab page, Status of the service instance is Not Running, Partially Running, Unknown, or Faulty.
Troubleshooting Method:
● If the status of the service instance is Not Running, Partially Running, or Faulty, restore the product data of the faulty service instance. For details, see 1.11.7.3 Restoring Product Data.
● If the status of the database instance is Unknown, contact Huawei technical support.
Step 2 Log in to the PowerEcho, and check the node status.
● If the status of the restored node is Normal, the fault is rectified.
● If the status of the restored node is Disconnected, contact Huawei technical
support.
----End
1.25 Appendix
1.25.1 Description of the unopened menus of the PowerEcho
The PowerEcho has some functions that are not open to users and are invisible to
the administrator on the GUI. The PowerEcho menu is as follows:
Table 1-100 Description of the unopened menus of the PowerEcho

Navigation Path: Manage Third-Party Software Patches
Function: Installs patches of third-party software on the node.
URL: /eviewwebsite/index.html#path=/plat/patchmgmtwebsite/vi/patchmgmtwebsite.entry.patch

Navigation Path: Product Tool
Function: Manages the PowerEcho.
URL: /swinstall/ommonitortool.html?curMenuId=ProductTool

Navigation Path: Configure Alarm Reporting Parameters
Function: Configures parameters for reporting alarms to the upper-level system.
URL: /engrcommonwebsite/engrnotify/OSSSnmpUser.html?operstyle=maintance&curMenuId=AlarmWebOSS_Menu

Navigation Path: Configure Disk Array Alarm Receiving Parameters
Function: Configures parameters for reporting disk array alarms to the NetEco.
URL: /engrcommonwebsite/engrnotify/Diskarray.html?operstyle=maintance&curMenuId=AlarmWebDisk_Menu

Navigation Path: Alarm configuration
Function: Configures alarm parameters.
URL: /eviewwebsite/index.html#path=/plat/engrcommonapp/v1/engrnotify/oss&operstyle=maintance&curMenuId=AlarmWebOSS_Menu

Navigation Path: Back Up Operating System
Function: Backs up key configuration files of the operating system.
URL: /eviewwebsite/index.html#path=/plat/backupwebsite/vi/backupwebsite.entry.backupos

Navigation Path: Restore Product Operating System
Function: Restores key configuration files of the operating system.
URL: /eviewwebsite/index.html#path=/plat/backupwebsite/vi/backupwebsite.entry.restoreos

Navigation Path: Configure NAT
Function: Configure NAT.
URL: /eviewwebsite/index.html#path=/plat/engrcommonapp/v1/engrcommonapp.entry.nodenatconfigure

Navigation Path: Update SSH Key
Function: Update SSH Key.
URL: /eviewwebsite/index.html#path=/plat/engrcommonapp/v1/engrcommonapp.entry.engrsshpolicy
1.25.2 Description of the unopened menus of the NetEco
The NetEco has some functions that are not open to users and are invisible to the
administrator on the GUI. The NetEco menu is as follows:
Table 1-101 Description of the unopened menus of the NetEco

Navigation Path: Event log
Function: Event log
URL: /eviewwebsite/index.html#path=/fmAlarmApp/event

Navigation Path: Resource Group
Function: Resource Group
URL: /invgrpwebsite/

Navigation Path: Secondary Authorization
Function: Secondary Authorization
URL: /eviewwebsite/index.html#path=/plat/secondaryauthapp/v1/secondaryauthapp.entry.secondaryauth