openCallAgent 4.3.8 Installation Guide 4.3.8 Release May 2010 ABN 42 056 010 121

OpenCA Installation Guide-V4.3.8


This material is copyright. No part of this document may be reproduced in any form, stored in a retrieval system or transmitted without the prior written permission of Fastwire Limited.

Commercial in Confidence

Issued by Fastwire Pty. Ltd.

Trademarks

DiskSuite and Solaris are trademarks or registered trademarks of Sun Microsystems Inc. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

All other company and product names are trademarks or registered trademarks of their respective companies.

Contents

Purpose
Audience
Scope
Document Conventions
Related Documentation
Abbreviations and Acronyms
Software Release

Chapter 1: Introduction
    Overview
    Important Information
        Installation Knowledge
        Installation Personnel
        System Configuration
        Database Schemas
        Release Compatibility
    Package Information
        Solaris
        Linux
    System Requirements
        Solaris
        Linux
    Processes and Scripts
    Directories
    Users
    Redundancy

Chapter 2: Pre-Installation
    Introduction
    Configuring File Descriptors
        Solaris
        Linux

Chapter 3: Installing openCA Application
    Introduction
    Before You Start
    Installation
        Solaris
        Linux

Chapter 4: Post-Installation
    Introduction
    Creating Databases
    Licenses
    Solaris
        Configuring rsh/ssh
    Linux
        Configuring SSH
    Configuration Review
    Startup

Chapter 5: Uninstalling openCA Application
    Introduction
    Notes
    Uninstallation
        Solaris
        Linux

Chapter 6: Installing openCA Patches
    Introduction
    Notes
    Installation
        Solaris
        Linux

Chapter 7: Uninstalling openCA Patches
    Introduction
    Notes
    Uninstallation
        Solaris
        Linux

Chapter 8: Subscriber Web Access
    Package Information
    System Requirements
        Linux – Red Hat Enterprise Linux 5
        Solaris 10
    Processes and Scripts
    Directories
    Users
        Solaris
    Installing openCA Subscriber Web Access
        Installing openCA Subscriber Web Access on Linux
        Installing openCA Subscriber Web Access on Solaris
        Additional Steps for Installing openCA Subscriber Web Access on a Different Host
        Creating the Subscriber Web Database

Appendix A: Operating System Patches
    Solaris Patches
    Linux Patches

Appendix B: Disk Partitioning and Mirroring
    Introduction
    Solaris
        Partitioning Disk Space
        Solaris Disk Mirroring
    Linux
        Partitioning Disk Space

Appendix C: IP Network Configuration
    Solaris IP Network Configuration
        Redundant Configuration
        Standalone Configuration
        Solaris Configuring IP Multipathing and Point to Point Connections
        Related Commands
        Solaris Name Service Configuration
        Solaris Configuration of /etc/hosts
    Linux IP Network Configuration
        IBM Blade Center Redundant Configuration
        Linux Server Redundant Configuration with Ethernet Bonding
        Standalone Configuration
        Linux Name Service Configuration
        Linux Disabling Network Routing
        Ethernet Bonding on RedHat ES 5

Appendix D: Network Time
    Configuring Network Time
        Solaris
        Linux

Appendix E: Security
    Introduction
    Solaris Security
        Solaris Run level and network services
        IP FILTER (Solaris)
    Linux Security
        IP TABLES (Linux)

Appendix F: Solaris Configuring rsh
    Configuring rsh Between Two Hosts

Appendix G: Configuring Floating Virtual IP
    Procedure for Configuring FVIP
        Configuring FVIP for Solaris
        Configuring FVIP for Linux

Appendix H: Configuring SNMP Reporting
    Procedure for Configuring SNMP Alarms and Alerts
        Solaris and Linux

Appendix I: Example Linux Installation
    Procedure for Installing Red Hat Enterprise Server

Appendix J: IPTABLES Configuration File
    Overview

Appendix K: IPFILTER Configuration File
    Overview

List of Procedures

Procedure 2-1: Configuring File Descriptors for Solaris
Procedure 2-2: Configuring File Descriptors for Linux
Procedure 3-1: Installing openCA on Solaris
Procedure 3-2: Installing openCA on Linux
Procedure 4-1: Creating Databases
Procedure 5-1: Uninstalling an openCA release from a Solaris Platform
Procedure 5-2: Uninstalling an openCA release from a Linux Platform
Procedure 6-1: Installing an openCA patch on a Solaris Platform
Procedure 6-2: Installing an openCA patch on a Linux Platform
Procedure 7-1: Uninstalling an openCA patch from a Solaris host
Procedure 7-2: Uninstalling an openCA patch from a Linux host
Procedure 8-1: Installing openCA Subscriber Web Access for Linux
Procedure 8-2: Installing openCA Subscriber Web Access for Solaris
Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host
Procedure A-1: Configuring Solaris Patches
Procedure A-2: Configuring Linux Patches
Procedure B-1: Copying Partitioning Information
Procedure B-2: Configuring Disk Mirroring
Procedure C-1: Configuring Router Discovery
Procedure C-2: Multipath Detection Timeout
Procedure C-3: Configuring IP Multipathing Targets
Procedure C-4: Configuring a bonded interface
Procedure D-1: NTP Configuration for Solaris
Procedure D-2: NTP Configuration for Linux
Procedure E-1: Rules to add to the ipf.conf file for IP filtering
Procedure E-2: Settings required when using IP tables as a firewall
Procedure F-1: Setting up rsh between two hosts
Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP)
Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP)
Procedure H-1: Configuring SNMP Alarm and Alert Reporting
Procedure I-1: Sample RedHat Linux ES5 Installation Procedure

About this Guide

Purpose

The purpose of this document is to provide an installation guide for the openCallAgent (openCA).

Audience

The audience for this document is Fastwire customers who will be performing the installation. This audience is assumed to have the following experience and knowledge:

• Telecommunications network protocols and equipment
• Data communication networks, protocols and equipment
• UNIX or Linux, vi or text editor skills

Scope

This document includes the following information:

• Pre-installation requirements
• Installation of openCA

This document is not intended to replace training.

Document Conventions

The following formatting is used throughout this document to define certain text as having special meaning.

Convention      Description

Italics         Used to identify:
                • A reference to another part of this manual or to other reference material.
                • The result of performing a step in a procedure table.
                • Text that should be typed with substitutions (for example, an instruction to type YourInitials would mean type your own initials instead of the text).
                • Emphasis

Bold            Used to identify:
                • Menu names
                • Menu options
                • Field names
                • Button names

Courier         Used to identify:
                • Package names
                • Command response

Courier Bold    Used to identify:
                • Commands
                • Text that should be typed exactly as it appears (for example, an instruction to type YourInitials would mean type the text YourInitials exactly as it appears).

Related Documentation

openCallAgent 4.3.8 User Guide

openCallAgent 4.3.8 Release Notes

Note: Release Notes are specific to a particular release and patch level of openCA. For example, the openCallAgent 4.3.8 Release Notes pertain to release openCA-4.3.8 only.

Abbreviations and Acronyms

The table below defines the abbreviations and acronyms used throughout this manual.

Acronym   Definition
AS        Application Server
ASP       Application Server Process
CIC       Circuit Identification Code
DPC       Destination Point Code
FVIP      Floating Virtual IP
ISUP      ISDN User Part
IP        Internet Protocol
NI        Network Indicator
NIF       Nodal Interworking Function
OPC       Originating Point Code
RC        Routing Context
RK        Routing Key
SCCP      Signalling Connection Control Part
SEP       Signalling End Point
SS7       Signalling System No 7 Network
SCTP      Stream Control Transmission Protocol
SG        Signalling Gateway
SGP       Signalling Gateway Process
SIO       Service Indicator Octet
SP        Signalling Point
SSN       SCCP Subsystem Number
STP       Signalling Transfer Point

Software Release

This document applies to release 4.3.8 of openCA.

Chapter 1: Introduction

Overview

This guide contains general information about installing and configuring release 4.3.8 of the openCallAgent platform.

Important Information

This section highlights important details concerning this installation.

Installation Knowledge

Before you start the installation, ensure you understand the information in this section and have carefully studied the installation procedure.

Installation Personnel

Personnel who are familiar with Linux and UNIX operating system administration should perform the installation.

System Configuration

System configuration is carried out as a separate step to installation. See the configuration chapter of the openCallAgent 4.3.8 User Guide.

Database Schemas

All references to the configuration database imply a database created using the configuration database schema specified in the accompanying openCallAgent 4.3.8 Release Notes.

For the purposes of this document, the configuration database schema “pdmandblackwhite-1-schema” is used as an example.

Release Compatibility

The openCallAgent 4.3.8 Release Notes specify any compatibility between openCA-4.3.8 and related products from Fastwire.

Package Information

The openCA-4.3.8 installation requires the OPENca package.

Multiple versions of the OPENca package can coexist on the same system. In the installation directory, a current link points to the one that is currently active.

Solaris

When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca.<n>, where <n> is greater than or equal to 2, for example OPENca.2.

The pkg family of commands (for example pkgadd, pkgrm and pkginfo) is used to perform all operations concerning packages, such as addition, removal and retrieval of information.

Note: When using pkg commands, it is important to know the exact version of the package you are working with.

Linux

When multiple versions of the OPENca package are installed, the system identifies them by names that follow the format OPENca-<w>.<x>.<y>, where <w> denotes the Release Number and <x.y> the Version.

Use the rpm command to perform operations concerning packages on Linux systems.

Note: When using the rpm command, it is important to know the exact version of the package you are working with.

System Requirements

openCA has the following system requirements:

Solaris

• openCA runs on Sun servers that use Solaris 10. See Appendix A: Operating System Patches for more information on the operating system.
• Installation requires 2.8 GB of disk space in /opt

Linux

• openCA has been tested on IBM Blade machines using RedHat Enterprise Linux ES 5, running in 32-bit kernel mode. See Appendix A: Operating System Patches for more information on the operating system.
• Installation requires 2.8 GB of disk space in /opt

Processes and Scripts

The openCA application has the following processes:

• ApplicationMonitor
• CDR_Distributor
• NameService
• ProcessManager
• TCAPRouter
• fvip
• ocammi
• openCallAgent
• tsacdb_server

The openCA application has the following scripts:

• FVIP
• ca
• ca_configure.pl
• ca_mmi
• ca_ps.rsh
• ca_ps.ssh
• ca_report
• ca_setrelease
• create_db
• run_db
• sdf

Directories

Install openCA in the /opt directory. The directory structure created during installation follows the convention shown below:

/opt/OPENca
    version x/
    version y/
    version z/
    current -> version z

The current link identifies the version that is currently active.

Note: Up to 20 versions of the OPENca package can be present on a machine at any one time, if enough disk space is available.

The openCA installation creates the directories listed in Table 1-1.

Directory                        Contents
bin                              compiled executables
etc                              operational configuration files (empty on install)
help                             MMI help files
lib                              shared libraries
patch                            used by patching mechanism
schema                           configuration database schema files
skel                             original configuration files
util                             database utilities
/opt/openCallAgent/alarms        alarms
/opt/openCallAgent/statistics    statistics
/opt/openCallAgent/operations    operations log
/opt/openCallAgent/log           log files
/var/run/ca                      Call Agent ProcessManager process list files
/var/run/fvip                    FVIP ProcessManager process list files
/var/run/sdf                     configuration database ProcessManager process list files

Table 1-1: Directories created by installation of the OPENca package

Note: These directories are created in /opt/OPENca/openCA-4.3.8 unless specified otherwise.

Users

The OPENca package installs its own user, otcaop, who owns the OPENca software. This user is added when OPENca is first installed, and is removed when the last release of OPENca is removed.

Note: When you remove the last release of OPENca, the otcaop user must be inactive, i.e. no processes, including logins, can be running as otcaop.

You must set the otcaop password after it is created.

The removal of otcaop also results in the removal of its home directory; however, the contents of the home directory are automatically backed up to /tmp before removal.

Note: /tmp is cleared on reboot. Therefore, if you want to save this backup, move it to a safe area.

Redundancy

The openCA-4.3.8 release can be installed in either a standalone or a redundant configuration.

• In a redundant configuration, openCA is installed on two machines.
• In a standalone configuration, openCA is installed on only one machine.

The installation instructions in the following chapters apply to both configurations.

Chapter 2: Pre-Installation

Introduction

This chapter describes pre-installation procedures for openCA.

1. The openCA application must be able to find the addresses of both the local and

remote machines in the installation; therefore, ensure that all host names and IP

addresses of both hosts in the pair are specified in the /etc/hosts file on each host.

2. For IP Network configuration, see Appendix C: IP Network Configuration. Further, if

this installation is required to meet telecoms-standard High Availability / Fault

Tolerant requirements, Fastwire recommends that you provide redundancy on all

openCA hosts in terms of disk mirroring, partitioning and in the server/network

configuration of each host (see Appendix B: Disk Partitioning and Mirroring and

Appendix C: IP Network Configuration).

3. A redundant openCA installation uses replicated databases, which require that the

clocks on both hosts are synchronised. These clocks should be synchronised using

the Network Time Protocol (NTP). For more information on how to configure NTP

across openCA hosts, see Appendix D: Network Time.


Configuring File Descriptors

If this is the first installation of the openCA software, the default number of file descriptors

allocated to users must be reset to provide a greater number of file descriptors.

Solaris

For any Solaris system, make the system configuration change shown in Procedure 2-1

on each openCA host.

Linux

For any Linux system, make the system configuration change shown in Procedure 2-2 on

each openCA host.

Step Action

1. Log in as user root.

2. Add the following lines to /etc/system.

set rlim_fd_max = 10240 (sets the hard limit on file descriptors)

set rlim_fd_cur = 256 (sets the soft limit on file descriptors)

3. Reboot the system for these changes to become active. Enter the following

command:

reboot

Procedure 2-1: Configuring File Descriptors for Solaris

Step Action

1. Log in as user root.

2. Add the following lines to /etc/sysctl.conf.

# Increase system-wide file descriptor limit.
fs.file-max = 10240
fs.inode-max = 40960

3. Reboot the system for these changes to become active. Enter the following

command:

reboot

Procedure 2-2: Configuring File Descriptors for Linux


Chapter 3: Installing openCA Application

Introduction

This chapter contains instructions for installing the openCA application.

Note: These instructions use an example openCA release, openCA-4.3.8, to

demonstrate the installation.

Before You Start

Before you install the openCA software:

• Ensure that the support contact information is available to help you with the

installation if needed.

• Ensure your machines conform to the disk mirroring and partitioning as defined in

Appendix B: Disk Partitioning and Mirroring.

Installation

Solaris

To install the openCA application, follow the steps in Procedure 3-1 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to create a temporary directory:

mkdir /opt/CA_INSTALL

3. Enter the following commands to extract the release file from the CD:

cd /opt/CA_INSTALL
gzip -dc /cdrom/cdrom0/openCA-4.1.14.tar.gz | tar xvf -

4. Enter the following command to install the openCA-4.3.8 release:

pkgadd -d . OPENca

Answer 'y' to the questions presented.

5. Enter the following command to set the password for otcaop:

passwd otcaop

Enter and confirm the password as prompted.

6. Enter the following command to check that the openCA release is installed:

/opt/OPENca/openCA-4.3.8/bin/ca_report

The following is an example of the text that appears:

oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca
-------------------------------

7. You may need to install a patch for this release. Refer to the openCallAgent

4.3.8 Release Notes for details of any patches associated with this release.

If it is necessary to install a patch, see Chapter 6: Installing openCA Patches

for instructions on how to install a patch.

8. After installing openCA and any necessary patches, install the openCA

configuration files. The ca_configure.pl script copies the configuration files

from their installation area (the skel subdirectory) to their operational area

(the etc subdirectory), updating them for your configuration.

Enter the following command as user otcaop to perform this task:

/opt/OPENca/openCA-4.3.8/bin/ca_configure.pl

Answer prompts for each question. A default value may be provided within

square brackets [] and can be accepted by pressing enter.

Note: If the Subscriber Web Service is not installed, Web Database

questions can be skipped by pressing enter.

Procedure 3-1: Installing openCA on Solaris

Linux

To install the openCA application, follow the steps in Procedure 3-2 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to create a temporary directory:

mkdir /opt/CA_INSTALL

3. Enter the following commands to extract the release file from the CD:

cd /opt/CA_INSTALL
cp /cdrom/cdrom0/openCA-4.3.8-1.i686.rpm .

4. Enter the following command to install the openCA-3.1 release:

rpm -i openCA-4.3.8-1.i686.rpm

5. Enter the following command to set the password for otcaop:

passwd otcaop

Enter and confirm the password as prompted.

6. Enter the following command to check that the openCA release is installed:

/opt/OPENca/openCA-4.3.8/bin/ca_report

The following is an example of the text that appears:

oca01# /opt/OPENca/openCA-4.3.8/bin/ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca-4.3.8-1

7. You may need to install a patch for this release. Refer to the openCallAgent

4.3.8 Release Notes for details of any patches associated with this release.

If it is necessary to install a patch, see Chapter 6: Installing openCA Patches

for instructions on how to install a patch.


8. After installing openCA and any necessary patches, install the openCA

configuration files. The ca_configure.pl script copies the configuration files

from their installation area (the skel subdirectory) to their operational area

(the etc subdirectory), updating them for your configuration.

Enter the following command as user otcaop to perform this task:

/opt/OPENca/openCA-4.3.8/bin/ca_configure.pl

Answer prompts for each question. A default value may be provided within

square brackets [] and can be accepted by pressing enter.

Note: If the Subscriber Web Service is not installed, Web Database

questions can be skipped by pressing enter.

Procedure 3-2: Installing openCA on Linux

Chapter 4: Post-Installation

Introduction

This chapter describes post-installation procedures for openCA.

Creating Databases

After the openCA software is installed, you must create a new configuration database.

A redundant system has two databases, the main_master and the

alternative_master. A standalone system only has a main_master.

Follow the steps in Procedure 4-1.

Step Action

1. Log on to the first server as user otcaop.

2. Confirm the location of the database is correct by checking the

SDF_Replica.database.path entry in the file

/opt/OPENca/current/openCallAgent.conf.

3. Enter the following command to create the main master database:

create_db main_master

Sample output from create_db command:

Creating main master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1-schema.Linux.so...
Established "SDF-pdmandblackwhite.R0"
setup_tsacdb_replica: OK.
main master configuration database /opt/OPENca/openCA-4.3.8/SDF/SDF-pdmandblackwhite.R0 created.

4. For a standalone system, database creation is complete.

Continue this procedure only for a redundant system.

5. For a redundant system, log on to the second server as user otcaop.

6. On the second server, confirm the location of the database is correct by checking the SDF_Replica.database.path entry in the file /opt/OPENca/current/openCallAgent.conf.

7. On the second server, enter the following command to create the alternative master database:

create_db alternative_master

Sample output from create_db command:

Creating alternative master configuration database using schema /opt/OPENca/current/schema/pdmandblackwhite-1-schema.Linux.so...
Established "SDF-pdmandblackwhite.R1"
setup_tsacdb_replica: OK.
alternative master configuration database /opt/OPENca/openCA-4.3.8/SDF/SDF-pdmandblackwhite.R1 created.

Procedure 4-1: Creating Databases

For more information on how to perform this task, refer to the "Creating Databases" section in Chapter 2: "System Management" of the openCallAgent 4.3.8 User Guide.

Licenses

openCA license files are issued separately. The license file should be copied to /etc/calicense.dat or to another location specified in the openCallAgent.conf configuration file.

Refer to Chapter 2: System Management of the openCallAgent 4.3.8 User Guide for more details on openCA licenses.

Solaris

Configuring rsh/ssh

During installation, the ca_ps script is created as a link to ca_ps.rsh. The ca_ps.rsh script uses remote shell (rsh) to open a shell on the other host in an openCA redundant configuration so that it can list the running processes on that host.

Another script, ca_ps.ssh, is provided to perform exactly the same task as ca_ps.rsh,

except it uses secure shell (ssh) rather than rsh to open a shell on the other host.

ca_ps may be linked to either of these scripts depending on whether rsh or ssh is the

preferred option for opening shells on the Call Agent hosts.

For the ca_ps.rsh and ca_ps.ssh scripts to operate properly in a redundant

configuration, the user otcaop must be able to open either a remote shell (rsh) or a

secure shell (ssh), without providing a password, from one openCA host to another. To

configure rsh, see Appendix F: Solaris Configuring rsh.

If ssh is the preferred option, it must be installed and configured. A number of ssh

configuration options are available and the most suitable option must be decided by the

System Administrator.

For more information on ca_ps.rsh and ca_ps.ssh, refer to Chapter 3 in the

openCallAgent 4.3.8 User Guide.
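The choice between ca_ps.rsh and ca_ps.ssh decides how the password-less trust for otcaop is granted: rsh relies on .rhosts or hosts.equiv entries and carries the session unencrypted, while ssh can bind a key to one peer address and one command. The script below is an added example, not part of the openCA package; it reports which script ca_ps links to and flags wildcard .rhosts entries and authorized_keys entries without from= and command= options. The sample files, the forced command and the rule that every key carries both options are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the openCA package. Paths are passed in as
# arguments; the policy "every key needs from= and command=" is this
# example's assumption, not a Fastwire requirement.

# ca_ps_transport LINK
#   Prints rsh, ssh or unknown according to the script that LINK points to.
ca_ps_transport() {
    target=$(ls -ld "$1" 2>/dev/null | sed -n 's/^.* -> //p')
    case "${target##*/}" in
        ca_ps.rsh) echo rsh ;;
        ca_ps.ssh) echo ssh ;;
        *)         echo unknown ;;
    esac
}

# rhosts_wildcards FILE
#   Prints the line numbers of .rhosts entries whose host or user field is
#   "+", which trusts any host or any remote user.
rhosts_wildcards() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 == "+" || $2 == "+" { print NR }' "$1"
}

# unrestricted_keys FILE
#   Prints the line numbers of authorized_keys entries that lack a from=
#   or a command= option. Options are whatever precedes the key type.
unrestricted_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)[ \t]+AAAA/) {
             opts = substr($0, 1, RSTART - 1)
             if (opts !~ /(^|,)from="/ || opts !~ /(^|,)command="/) print NR
         }' "$1"
}

# audit_ca_ps LINK HOME
#   Prints one finding per line; returns 0 only when nothing was found.
audit_ca_ps() {
    findings=0
    case $(ca_ps_transport "$1") in
    rsh)
        echo "ca_ps uses rsh: no encryption, trust is decided by .rhosts/hosts.equiv"
        findings=1
        if [ -f "$2/.rhosts" ]; then
            for n in $(rhosts_wildcards "$2/.rhosts"); do
                echo ".rhosts line $n: wildcard (+) entry"
            done
        fi ;;
    ssh)
        if [ -f "$2/.ssh/authorized_keys" ]; then
            for n in $(unrestricted_keys "$2/.ssh/authorized_keys"); do
                echo "authorized_keys line $n: key without from= and command="
                findings=1
            done
        fi ;;
    *)
        echo "ca_ps is not a link to ca_ps.rsh or ca_ps.ssh"
        findings=1 ;;
    esac
    return "$findings"
}

# make_sample DIR: builds a constructed otcaop home and bin directory in DIR.
make_sample() {
    mkdir -p "$1/bin" "$1/home/.ssh"
    : > "$1/bin/ca_ps.rsh"; : > "$1/bin/ca_ps.ssh"
    ln -s ca_ps.rsh "$1/bin/ca_ps"
    printf '%s\n' 'oca02 otcaop' '+ otcaop' > "$1/home/.rhosts"
    # Truncated, constructed key strings; the forced command is hypothetical.
    cat > "$1/home/.ssh/authorized_keys" <<'EOF'
# peer key restricted to the peer address and one command
from="10.1.1.95",command="/usr/bin/ps -ef" ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB otcaop@oca02
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAC otcaop@oca02
command="/usr/bin/ps -ef",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 otcaop@oca02
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_ca_ps "$demo_dir/bin/ca_ps" "$demo_dir/home" || true   # rsh findings
ln -sf ca_ps.ssh "$demo_dir/bin/ca_ps"                       # relink to the ssh variant
audit_ca_ps "$demo_dir/bin/ca_ps" "$demo_dir/home" || true   # ssh findings
rm -rf "$demo_dir"
```

On a real host, pass the installed ca_ps link and the home directory of otcaop; a non-zero return means at least one finding was printed.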

Linux

Configuring SSH

The system supports ssh in its default configuration only. For information on how to

configure ssh, refer to the Linux System Administration guide.

Configuration Review

After the openCA software is installed and before the openCA application is started,

operators should review the configuration files for correctness.

See the openCallAgent 4.3.8 User Guide for configuration information.

Startup

After the configuration files have been verified, the application can be started.

See the openCallAgent 4.3.8 User Guide for information about starting and stopping

openCA.


Chapter 5: Uninstalling openCA Application

Introduction

This chapter contains instructions for removing the openCA software from a host.

Note: These instructions use example openCA releases to demonstrate how an

openCA platform may be uninstalled.

Notes

Before uninstalling an openCA release, all its running processes, including its

configuration database, must first be shut down.


Uninstallation

Solaris

To remove an openCA installation, follow the steps in Procedure 5-1 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to list all installed openCA releases and patches:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca.2

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP
-------------------------------

3. If any patches have been applied to the openCA release that you wish to

uninstall, you must uninstall them before removing the openCA release.

For information on removing openCA patches, see Chapter 7: Uninstalling

openCA Patches.

4. In this example, the openCA-1.3.7 release will be removed. Enter the

following command to remove this release:

pkgrm OPENca.2

Answer 'y' to the questions presented.


5. Enter the following command to verify that the openCA-1.3.7 release has

been removed:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP
-------------------------------

Procedure 5-1: Uninstalling an openCA release from a Solaris Platform

Linux

To remove an openCA installation, follow the steps in Procedure 5-2 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to list all installed openCA releases and patches:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca-1.3.7-1

Release Number : openCA-4.3.8.1 <-- current
Package Identifier : OPENca-4.3.8-1

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP-4.3.8.2-1
-------------------------------

3. If any patches have been applied to the openCA release that you wish to

uninstall, you must uninstall them before removing the openCA release.

For information on removing openCA patches, see Chapter 7: Uninstalling

openCA Patches.

4. In this example, the openCA-1.3.7 release will be removed. Enter the

following command to remove this release:

rpm -e OPENca-1.3.7-1

Answer 'y' to the questions presented.


5. Enter the following command to verify that the openCA-1.3.7 release has

been removed:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca-4.3.8-1

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP-4.3.8.2-1
-------------------------------

Procedure 5-2: Uninstalling an openCA release from a Linux Platform

Chapter 6: Installing openCA Patches

Introduction

This chapter contains instructions for installing openCA patches.

Note: These instructions use an example openCA patch, openCA-4.3.8.2, to

demonstrate how to install an openCA patch.

Notes

Patches are cumulative, e.g. openCA-4.3.8.3 contains fixes from both openCA-4.3.8.1

and openCA-4.3.8.2.

It is not possible to install a patch to a release that is running. For instructions on how to

stop a release, see Chapter 2 : System Management, in the openCallAgent 4.3.8 User

Guide.


Installation

Solaris

To install an openCA patch, follow the steps in Procedure 6-1 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to create a temporary directory:

mkdir /opt/CA_INSTALL

3. Enter the following commands to extract the openCA-4.3.8.2 patch file from

the CD:

cd /opt/CA_INSTALL
gzip -dc /cdrom/cdrom0/openCA-4.3.8.2.tar.gz | tar xvf -

4. Enter the following command to install the patch:

pkgadd -d . OPENcaP

Answer 'y' to the questions presented.

5. Enter the following command to check that the patch is installed:

ca_report

The following is an example of the text that appears. In this example the patch

which has been installed is openCA-4.3.8.2.

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca.2

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP
-------------------------------

Procedure 6-1: Installing an openCA patch on a Solaris Platform

Linux

To install an openCA patch, follow the steps in Procedure 6-2 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to create a temporary directory:

mkdir /opt/CA_INSTALL

3. Enter the following commands to extract the openCA-4.1.1.2 patch file from the CD:

cd /opt/CA_INSTALL
cp /cdrom/cdrom0/OPENcaP-4.3.8.2-1.i686.rpm .

4. Enter the following command to install the patch:

rpm -i OPENcaP-4.3.8.2-1.i686.rpm

5. Enter the following command to check that the patch is installed:

ca_report

The following is an example of the text that appears. In this example the patch

which has been installed is openCA-4.3.8.2.

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca-1.3.7-1

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca-4.3.8-1

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP-4.3.8.2-1
-------------------------------

Procedure 6-2: Installing an openCA patch on a Linux Platform

Chapter 7: Uninstalling openCA Patches

Introduction

This chapter contains instructions for removing openCA patches.

Note: These instructions use example openCA releases and patches to

demonstrate how to remove an openCA patch.

Notes

It is not possible to uninstall a patch for an openCA release that is running. For instructions on how to stop a release, see Chapter 2: System Management, in the openCallAgent 4.3.8 User Guide.

Patches must be uninstalled in reverse order, e.g. openCA-4.3.8.3 must be removed

before openCA-4.3.8.2, which must in turn be removed before openCA-4.3.8.1.
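Because patches must come off newest first, patch numbers have to be compared numerically: openCA-4.3.8.10 is newer than openCA-4.3.8.9 although it sorts before it as text. The script below is an added example, not Fastwire code; it reads ca_report output and names the patch that has to be removed next, together with its package identifier. It assumes ca_report prints one "Field : value" pair per line, and the sample report with its openCA-4.3.8.9 and openCA-4.3.8.10 entries is constructed.

```shell
#!/bin/sh
# Added example, not Fastwire code. It assumes ca_report prints one
# "Field : value" pair per line; the report below is constructed.

sample_report() {
    cat <<'EOF'
-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca.2

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.10
Patch Identifier : OPENcaP.3

Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP

Patch Number : openCA-4.3.8.9
Patch Identifier : OPENcaP.2
-------------------------------
EOF
}

# current_release: reads ca_report text on stdin and prints the release
# marked "<-- current". Returns 1 if no release carries the marker.
current_release() {
    awk '/Release Number[ \t]*:/ && /<-- current/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*<-- current.*$/, "")
             print; found = 1; exit
         }
         END { if (!found) exit 1 }'
}

# newest_patch RELEASE: reads ca_report text on stdin and prints
# "<patch number> <patch identifier>" for the highest-numbered patch of
# RELEASE. Returns 1 if RELEASE has no applied patch.
newest_patch() {
    awk -v rel="$1" '
        # True when dotted version a is numerically greater than b.
        function newer(a, b,    x, y, n, m, i, max) {
            n = split(a, x, "."); m = split(b, y, ".")
            max = (n > m) ? n : m
            for (i = 1; i <= max; i++)
                if ((x[i] + 0) != (y[i] + 0)) return (x[i] + 0) > (y[i] + 0)
            return 0
        }
        # Text after the first colon, without surrounding blanks.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            return line
        }
        /Patch Number[ \t]*:/ { num = value($0); next }
        /Patch Identifier[ \t]*:/ {
            # A patch belongs to RELEASE when its number is RELEASE.<level>.
            if (num != "" && index(num, rel ".") == 1) {
                ver = substr(num, length(rel) + 2)
                if (best == "" || newer(ver, bestver)) {
                    best = num; bestver = ver; bestid = value($0)
                }
            }
            num = ""
        }
        END { if (best == "") exit 1; print best, bestid }'
}

# may_remove PATCH: reads ca_report text on stdin; succeeds only when PATCH
# is the newest patch applied to the current release.
may_remove() {
    report=$(cat)
    rel=$(printf '%s\n' "$report" | current_release) || return 2
    newest=$(printf '%s\n' "$report" | newest_patch "$rel") || return 2
    [ "${newest%% *}" = "$1" ]
}

# Demonstration on the constructed report.
sample_report | newest_patch "$(sample_report | current_release)"
# prints: openCA-4.3.8.10 OPENcaP.3
```

On a host, pipe the real report in instead of the sample, for example `ca_report | may_remove openCA-4.3.8.2`, before running the removal command from the procedure.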


Uninstallation

Solaris

To uninstall an openCA patch, follow the steps in Procedure 7-1 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to list all installed openCA releases and patches:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca.2

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.1
Patch Identifier : OPENcaP

Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP.2
-------------------------------

3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the

following command to remove this patch:

pkgrm OPENcaP.2

Answer 'y' to the questions presented.


4. Enter the following command to check that the openCA-4.3.8.2 patch has

been removed:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca.2

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca.4

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.1
Patch Identifier : OPENcaP
-------------------------------

Procedure 7-1: Uninstalling an openCA patch from a Solaris host

Linux

To uninstall an openCA patch, follow the steps in Procedure 7-2 on each host.

Step Action

1. Log on as user root.

2. Enter the following command to list all installed openCA releases and patches:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca-1.3.7-1

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca-4.3.8-1

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.1
Patch Identifier : OPENcaP-4.3.8.1-1

Patch Number : openCA-4.3.8.2
Patch Identifier : OPENcaP-4.3.8.2-1
-------------------------------

3. In this example, the openCA-4.3.8.2 patch will be removed. Enter the

following command to remove this patch:

rpm -e OPENcaP-4.3.8.2-1


4. Enter the following command to check that the openCA-4.3.8.2 patch has

been removed:

ca_report

The following is an example of the text that appears:

oca01# ca_report

-------------------------------
Fully Installed OPENca Releases
-------------------------------
Release Number : openCA-1.3.7
Package Identifier : OPENca-1.3.7-1

Release Number : openCA-4.3.8 <-- current
Package Identifier : OPENca-4.3.8-1

Fully Applied Patches :
---------------------
Patch Number : openCA-4.3.8.1
Patch Identifier : OPENcaP-4.3.8.1-1
-------------------------------

Procedure 7-2: Uninstalling an openCA patch from a Linux host

Chapter 8: Subscriber Web Access

Package Information

The OPENca-SUBWEB package (openCA Subscriber Web Access) provides

subscribers with access to openCA through a Web interface. You can install this package

on the same server as openCA, but for production environments Fastwire recommends

that you install it on a separate server.

System Requirements

The OPENca-SUBWEB installation requires approximately 3.5 M of disk space in /opt.

Linux – Red Hat Enterprise Linux 5

The following packages must be installed on the host prior to installing OPENca-SUBWEB:

• distcache

• apr

• postgresql-libs

• apr-util

• httpd

• mod_ssl

• perl-DBI

• perl-DBD-Pg

• postgresql

• postgresql-server

If installing with rpm -i commands, after installing the postgresql packages you must run

the initdb command.

If installing using yum, the initdb command is not required, as yum will have run it.

Solaris 10

The following packages must be installed on the host prior to installing OPENca-SUBWEB. These packages are normally included in the default Solaris 10 installation.

Prerequisite Package    Description
SUNWapch2r              The Apache HTTP server program Version 2 (root components)
SUNWapch2u              The Apache HTTP Server Version 2 (usr components)
SUNWpostgr-83-server    PostgreSQL database server
SUNWopensslr            OpenSSL (Root)
SUNWperl584core         Perl 5.8.4 (core)
SUNWperl584usr          Perl 5.8.4 (non-core)
SUNWpmdbdpg             The DBI PostgreSQL Interface for Perl
SUNWpmdbi               Perl Database Independent Interface

Table 8-1: Solaris 10 packages that must be installed for OPENca-SUBWEB.

Processes and Scripts

openCA Subscriber Web Access uses a Web Server (Apache2), a Web Database (PostgreSQL) and the openCA SDF Database to provide subscribers with access to the Call Log and Call Forward services. It includes the following scripts to configure the Subscriber Web Access service:

• sub_configure.pl

• sub_createdb.pl

Directories

The directory structure created by the installation of OPENca-SUBWEB follows the

convention shown below:

/opt/OPENca/openCA-4.3.8/apache/

The current link identifies the version that is presently active.

The directories and files shown in Table 8-2 are created under the above installation directory:

Directory/File    Contents
bin               • sub_configure.pl – subscriber access service configuration script
                  • apachectl – Apache web server startup script (Linux only)
                  • sub_createdb.pl – PostgreSQL web database creation script
                  • dbconfig.sql – PostgreSQL web database initialization script
                  • postgres_configure.pl – PostgreSQL web database configuration script
cgi-bin           Source scripts to be run by the Apache web server.
conf              • httpd.conf – Web server configuration file
                  • ssl.conf – SSL configuration file
                  • postgresql.conf, pg_hba.conf – PostgreSQL server configuration files
                  • server.crt, server.csr, server.key – Self-signed SSL certificate files
htdocs            index.html, CSS tables, images, JavaScript, .htaccess
skel              Original subscriber access, Apache web server, PostgreSQL database and SSL configuration.
run               (Solaris only) Apache run directory in which the httpd.pid file is created.

Table 8-2: OPENca-SUBWEB files and directories

In addition, the following links are installed system-wide.

Platform  Link                                      Source File Location
Linux     /etc/init.d/apachectl                     /opt/OPENca/current/apache/bin/apachectl
          /etc/rc0.d/K06apachectl
          /etc/rc1.d/K06apachectl
          /etc/rc2.d/K06apachectl
          /etc/rc3.d/S30apachectl
Solaris   /etc/apache2                              /opt/OPENca/current/apache/conf/http.conf
                                                    /opt/OPENca/current/apache/conf/ssl.conf
Linux     /var/lib/pgsql/data/postgresql.conf       /opt/OPENca/current/apache/conf/postgresql.conf
Solaris   /var/postgres/8.3/data/postgresql.conf
Linux     /var/lib/pgsql/data/pg_hba.conf           /opt/OPENca/current/apache/conf/pg_hba.conf
Solaris   /var/postgres/8.3/data/pg_hba.conf
Solaris   /opt/OPENca/current/apache/logs           /var/apache2/logs
Solaris   /opt/OPENca/current/apache/modules        /usr/apache2/libexec

Table 8-3: System-wide installed links

Users

OPENca-SUBWEB installs its own user, otcaop, if that user has not yet been created by the OPENca package.

Similarly, removal of the OPENca-SUBWEB package also removes the otcaop user if no OPENca packages remain installed.

OPENca-SUBWEB uses the PostgreSQL database to save subscriber service data. This PostgreSQL database is operated by the postgres user, which is created automatically during the installation of the postgresql-server package. You must set the password for the postgres user.

Solaris

Installation of the OPENca-SUBWEB package adds configuration for the otcaop user to /etc/user_attr to allow otcaop to assume the postgres role.

Installing openCA Subscriber Web Access

You can install the openCA Subscriber Web Access application on:

• Either of the redundant openCA servers, or

• A separate (non-openCA) connected server.

In either case, see Installing openCA Subscriber Web Access on Linux or Installing openCA Subscriber Web Access on Solaris, depending on your operating system. If installing on a non-openCA host, also see Additional Steps for Installing openCA Subscriber Web Access on a Different Host.

Installing openCA Subscriber Web Access on Linux

Step Action

1. Before you begin, ensure:

• You are logged into the server as user root.

• All pre-installation requirements described in System Requirements are met.

2. Ensure the PostgreSQL service is configured:

ls -l /var/lib/pgsql/data

If the directory is empty, run initdb as the postgres user:

initdb

3. Ensure postgres is not running:

service postgresql stop

4. Enter the following command to install the package:

rpm -i OPENca-SUBWEB-version-1.i686.rpm

5. Enter the following command to set the password for otcaop:

passwd otcaop

6. Enter the following command to set the password for postgres:

passwd postgres

7. Start the PostgreSQL service:

service postgresql start


8. As user otcaop, run the sub_configure.pl script to install the necessary

scripts and configuration files. This script performs the following actions:

a. Copies the scripts and configuration files from the installation area:

/opt/OPENca/openCA-4.3.8/apache/skel directory to their operational

area: /opt/OPENca/openCA-4.3.8/apache/conf.

b. Edits files in the operational area from your installation selections.

c. Installs links at /etc/init.d and /var/lib/pgsql/data.

d. (Optionally) Generates temporary Self-Signed Certificates for secure

Web access

e. (Optionally) Creates and configures the Subscriber Web Database

It uses the default /opt/OPENca/current/apache/bin/dbconfig.sql

schema to initialize the newly-created database.

Note: Do not create the Subscriber Web Database using this script if you

intend to restore the database with imported contents.

To run sub_configure.pl, enter the following commands:

cd /opt/OPENca/openCA-4.3.8/apache/bin
./sub_configure.pl

You will be prompted to answer questions. Where available, you may select

the default value shown in [] brackets by pressing the Enter key.

[root@rhel-a bin]# ./sub_configure.pl
Enter version to be configured[openCA-4.3.8]:
Changing to user otcaop
Enter the name of this host[rhel-a]:
Enter IP address of peer OpenCA: 10.1.1.95
Enter WEB Database host name or IP address: 127.0.0.1
Enter the name of the WEB Database[subdb-rhel-a]:
PostreSQL and APACHE server configuration has been changed.
Make sure to restart the services.
Would you like to generate self-signed SSL certificates: yes/no?[yes]:

9. (Optional) If you did not create a Subscriber Web Database in Step 8 and you

intend to import data from a different database, create one now by running the

following script as the postgres user:

./sub_createdb.pl -n <database_name> -f <db_dump.sql>

Note: db_dump.sql is an output from the following command, when it is

run on a database to be re-stored:

pg_dump -Fc --format=p --file=db_dump.sql <database_name>


Procedure 8-1: Installing openCA Subscriber Web Access for Linux. (Sheet 2 of 3)


10. (Optional) If you created the Subscriber Web Database in step 8 or 9, as the

postgres user check that the database was created and initialized

successfully using the following command:

psql -l

The output should show the newly created subscriber database in the List of

Databases.

11. Run or re-run the Apache service by performing the following steps:

a. Stop any running apache instances:

service apachectl stop

b. Ensure that current points to the newly-installed version of

OPENca-SUBWEB:

ls -l /opt/OPENca/

c. Sometimes the pass phrase prompt can be inconvenient, especially when

you want Apache to startup automatically on boot without user

intervention.

To disable the pass phrase, as the otcaop user, decrypt the server.key:

cd /opt/OPENca/current/apache/conf
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

d. If current points to the previous version, update it:

rm /opt/OPENca/current
ln -s /opt/OPENca/<new_version> /opt/OPENca/current

e. Start the HTTP daemon:

service apachectl start

12. Re-start the PostgreSQL database service to apply the updated configuration:

service postgresql restart

13. Test that the subscriber database is accessible using an internet browser:

https://<web_host_address>


Procedure 8-1: Installing openCA Subscriber Web Access for Linux. (Sheet 3 of 3)


Installing openCA Subscriber Web Access on Solaris

Step Action

1. Before you begin, ensure:

• You are logged into the server as user root.

• All pre-installation requirements described in System Requirements on

page 45 are met

2. Enter the following command to create a temporary directory:

mkdir /opt/CA_INSTALL

3. Enter the following commands to extract the release from CD:

cd /opt/CA_INSTALL
cp /cdrom/cdrom0/openCA-SUBWEB-<version>.tar.gz .

4. Enter the following command to unzip and untar the package:

gzip -dc openCA-SUBWEB-<version>.tar.gz | tar xvf -

5. Enter the following command to install the package:

pkgadd -d . OPENca-SUBWEB

6. Enter the following command to set the password for otcaop:

passwd otcaop

Enter and confirm the password as prompted.

7. Enter the following command to set the password for postgres:

passwd postgres

Enter and confirm the password as prompted.

8. Enable the PostgreSQL service:

svcadm enable postgresql_83:default_32bit

This creates PostgreSQL default configuration files in

/var/postgres/8.3/data.

Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 1 of 3)


9. As user otcaop, run the sub_configure.pl script to install the necessary

scripts and configuration files. This script performs the following actions:

a. Copies the scripts and configuration files from the installation area:

/opt/OPENca/openCA-4.3.8/apache/skel directory to their operational

area: /opt/OPENca/openCA-4.3.8/apache/conf

b. Edits these files in the operational area to match your input

c. Installs links at /etc/init.d and /var/lib/pgsql/data

d. (Optionally) Generates temporary Self-Signed Certificates for secure

Web access

e. (Optionally) Creates and configures the Subscriber Web Database

To run sub_configure.pl, enter the following command:

cd /opt/OPENca/openCA-4.3.8/apache/bin
./sub_configure.pl

You will be prompted to answer questions. Where available, you may select

the default value shown in [] brackets by pressing the Enter key.

When prompted to enter a pass phrase for /opt/OPENca/openCA-4.3.8/apache/conf/server.key, enter any phrase and re-enter the same

phrase at each of the following prompts for the server key. Remember the

pass phrase, as you may need to provide it later.

10. (Optional) If you did not create a Subscriber Web Database in Step 8 and you

intend to import data from a different database, create one now by running the

following script as the postgres user:

./sub_createdb.pl -n <database_name> -f <db_dump.sql>

Note: db_dump.sql is an output from the following command, when it is

run on a database to be re-stored:

pg_dump -Fc --format=p --file=db_dump.sql <database_name>

11. (Optional) If you created the Subscriber Web Database in step 10 or 11, as the

postgres user check that the database was created and initialized

successfully using the following command:

psql -l

The output should show the newly created subscriber database in the List of

Databases.

12. Re-start the PostgreSQL database service to apply the updated configuration:

svcadm disable postgresql_83:default_32bit
svcadm enable postgresql_83:default_32bit


Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 2 of 3)


13. Run or re-run the Apache service by performing the following steps:

a. Stop any running apache instances:

svcadm disable apache2

b. Ensure that current points to the newly-installed version of OPENca-SUBWEB:

ls -l /opt/OPENca/

c. If current points to a previous version, update it using the following

commands:

rm /opt/OPENca/current
ln -s /opt/OPENca/<new_version> /opt/OPENca/current

d. As the otcaop user decrypt the server.key, removing the requirement

for a pass phrase on each re-start of the Apache service:

cd /opt/OPENca/current/apache/conf
mv server.key server.key.orig
/usr/sfw/bin/openssl rsa -in server.key.orig -out server.key

e. As the root user, start the HTTP daemon:

svcadm enable apache2

f. Check that the Apache service has started successfully:

svcs | grep apache2

The output should be similar to the following:

online 15:33:55 svc:/network/http:apache2

14. Test that the subscriber database is accessible using an internet browser:

https://<web_host_address>


Procedure 8-2: Installing openCA Subscriber Web Access for Solaris (Sheet 3 of 3)
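Both procedures (Linux step 11c, Solaris step 13d) leave a pass-phrase-free server.key next to the encrypted server.key.orig, so file permissions become the only protection on the web server's private key. The check below is an added example, not part of the Fastwire guide; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Apache private key after the pass phrase has
# been removed. Uses only grep, ls and cut; on Solaris put /usr/xpg4/bin
# first in PATH so that grep accepts -q and -e.

# check_server_key FILE
# Prints one word and sets the exit status:
#   encrypted            (0)  key body is protected by a pass phrase
#   plaintext-restricted (0)  no pass phrase, accessible by the owner only
#   plaintext-exposed    (1)  no pass phrase and group/other can access it
#   missing              (2)  FILE does not exist
check_server_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo missing
        return 2
    fi
    # Traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when
    # encrypted; PKCS#8 keys use a distinct BEGIN line instead.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo encrypted
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    group_other=$(ls -ln "$key" | cut -c5-10)
    if [ "$group_other" = "------" ]; then
        echo plaintext-restricted
        return 0
    fi
    echo plaintext-exposed
    return 1
}

# sample_key KIND
# Writes a constructed PEM skeleton (placeholder body, no key material).
# KIND "encrypted" adds the headers openssl writes for a pass phrase.
sample_key() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
    if [ "$1" = encrypted ]; then
        printf '%s\n' 'Proc-Type: 4,ENCRYPTED'
        printf '%s\n' 'DEK-Info: DES-EDE3-CBC,0000000000000000'
        printf '\n'
    fi
    printf '%s\n' 'CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL'
    printf '%s\n' '-----END RSA PRIVATE KEY-----'
}

# Demo on constructed files that mirror the state after the step:
# server.key.orig keeps the pass phrase, server.key does not.
demo_dir=$(mktemp -d)
sample_key encrypted > "$demo_dir/server.key.orig"
sample_key plain     > "$demo_dir/server.key"
chmod 644 "$demo_dir/server.key"
check_server_key "$demo_dir/server.key" || true
chmod 400 "$demo_dir/server.key"
check_server_key "$demo_dir/server.key"
check_server_key "$demo_dir/server.key.orig"
rm -rf "$demo_dir"
```

On an installed host, run check_server_key against /opt/OPENca/current/apache/conf/server.key as the otcaop user; a plaintext-exposed result is cleared with chmod 400 on that file.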


Additional Steps for Installing openCA Subscriber Web Access on a Different Host

If you are installing openCA Subscriber Web Access on a separate (non-openCA) host,

perform the following additional configuration steps after installation.

Step Action

0. Before you begin, ensure:

• You have access to the root account on each openCA host.

• You have installed OPENca-SUBWEB on the current (non-openCA host)

for your operating system: Installing openCA Subscriber Web Access on

Linux (page 49) or Installing openCA Subscriber Web Access on Solaris

(page 52).

1. As the root user, edit the configuration file

/opt/OPENca/current/etc/openCallAgent.conf on each openCA host:

a. Set the ViaTCP.listenhostIP parameter of the Subscriber Database

package to the FVIP IP address.

b. Set the ViaTCP.remotehostIP parameter of the Subscriber Database

package to the IP address of the (non-openCA) host running the

Subscriber Access Web Service.

2. PostgreSQL database uses the /opt/OPENca/openCA-4.3.8/apache/conf/pg_hba.conf file installed on the Subscriber Access

Web Service host to authenticate clients connecting to the database. The file

has the following default settings that connect to the database using UNIX-

domain sockets or local loopback TCP/IP connections:

local all all trust
host all all 127.0.0.1/32 trust

Edit the file to provide both openCA servers with access to the database.

Substitute:

#host all all >>OpenCA Peer IP Address<</32 trust

with the following lines:

host all all <OpenCA-1 IP Address>/32 trust
host all all <OpenCA-2 IP Address>/32 trust

3. Edit the /opt/OPENca/openCA-4.3.8/apache/cgi-bin/sub/configMap.pm

file on the Subscriber Access Service host.

Set the SubDB_HOST parameter to the FVIP IP address of openCA:

SubDB_HOST => '<OpenCA FVIP IP Address>',

Procedure 8-3: Additional steps when installing openCA Subscriber Web Access on another host.
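With the trust method, PostgreSQL accepts any connection from the listed address as any database user without a password, so after step 2 it is worth confirming that the only remote trust rules are the two intended openCA /32 entries. The audit below is an added example, not part of the Fastwire guide; the function names, the sample file and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list active pg_hba.conf host rules that use "trust" for a
# non-loopback address. Needs a POSIX awk (nawk or /usr/xpg4/bin/awk on
# Solaris, where /usr/bin/awk has no user-defined functions).

# audit_pg_hba FILE
# Prints "LINE: rule" for each remote trust rule.
# Exit status: 0 when none are found, 1 otherwise.
audit_pg_hba() {
    awk '
        # An address counts as loopback only when it cannot cover more
        # than 127.0.0.0/8 (IPv4) or ::1/128 (IPv6).
        function is_loopback(addr,    part, n) {
            n = split(addr, part, "/")
            if (part[1] ~ /^127\./) return (n < 2 || part[2] + 0 >= 8)
            if (part[1] == "::1")   return (n < 2 || part[2] + 0 == 128)
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        $1 ~ /^host(ssl|nossl)?$/ {
            # Layout is TYPE DATABASE USER ADDRESS METHOD, or with a
            # separate netmask field before METHOD.
            method = ($5 ~ /^[0-9.]+$/ || $5 ~ /:/) ? $6 : $5
            if (method == "trust" && !is_loopback($4)) {
                printf "%d: %s\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# sample_pg_hba
# Writes a constructed pg_hba.conf: the guide's defaults, its commented
# template line, two peer entries as added in step 2, and one md5 rule.
sample_pg_hba() {
    cat <<'EOF'
# constructed sample pg_hba.conf
local all all trust
host all all 127.0.0.1/32 trust
#host all all >>OpenCA Peer IP Address<</32 trust
host all all 192.0.2.10/32 trust
host all all 192.0.2.11/32 trust
host all all 192.0.2.20 255.255.255.255 md5
EOF
}

# Demo: the two peer entries are reported with their line numbers.
demo_file=$(mktemp)
sample_pg_hba > "$demo_file"
audit_pg_hba "$demo_file" || echo "remote trust rules present"
rm -f "$demo_file"
```

Compare the reported lines against the two openCA server addresses; any other entry, or a prefix shorter than /32, grants passwordless database access to hosts the procedure did not intend.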


Creating the Subscriber Web Database

The OPENca-SUBWEB package uses the sub_createdb.pl script to create the

Subscriber Web Database. If the sub_configure.pl step in the installation process was

skipped or unsuccessful in creating the Web database, you must run the

sub_createdb.pl script explicitly.

If you are creating a brand new database, run the script below:

./sub_createdb.pl

Otherwise, if you are restoring the database with previously created (plain-file) import

data, run the script below:

./sub_createdb.pl -n <database_name> -f <db_dump.sql>

Note: The db_dump.sql file is an output of the following command when run on a

database to be restored

pg_dump -Fc --format=p --file=db_dump.sql <database_name>

For information on how to restore the database using a custom archived format, refer to

the openCallAgent 4.3.8 User Guide.

Running the sub_createdb.pl script prompts you with the following questions:

Enter the name of the Subscriber Database to be created[subdb-ibm1]:
Enter version to be configured[openCA-version]:


Appendix A: Operating System Patches

Solaris Patches

Solaris patches, as specified in the openCallAgent 4.3.8 Release Notes, should be

applied to the system before installation.

You can get information on the patches from Sun Microsystems at the SunSolve web site

(http://sunsolve.sun.com/).

On most systems, follow Procedure A-1.

Note: Maintaining patch levels is an important (and ongoing) part of Solaris system

administration. It is recommended that operators include patch level

management in their system administration policies and procedures.

Step Action

1. Download and the Patch Cluster recommended in the openCallAgent 4.3.8

Release Notes from SunSolve (or Solaris maintenance CD).

2. Search SunSolve for the patches for each individual Solaris feature required

by openCA (for example, IP Multipathing and multicast).

3. Use the showrev command to verify that each patch is present on the system

and to check the revision number.

4. If a particular patch is not present on the system, or a newer revision of the

patch is required, download the latest revision of the patch from SunSolve.

5. Use the patchadd command to add the patch to the system.

6. When all patches have been added to the system, reboot the system for the

new patches to take effect.

Procedure A-1: Configuring Solaris Patches


Linux Patches

Linux patches, as specified in the openCallAgent 4.3.8 Release Notes, should be applied

to the system before installation.

On most systems, follow Procedure A-2.

Note: Maintaining patch levels is an important (and ongoing) part of system

administration. It is recommended that operators include patch level

management in their system administration policies and procedures.

Step Action

1. Download and install the recommended service pack from Red Hat

2. Use the rpm command to add the patch to the system.

Procedure A-2: Configuring Linux Patches


Appendix B: Disk Partitioning and Mirroring

Introduction

This appendix contains information about how openCA hosts should be configured to

meet High Availability / Fault Tolerance (redundancy) requirements in the following

areas:

• Disk mirroring

• Disk partitioning

• Disk configuration

Note: You must perform this configuration before installing the openCA software.

Solaris

Partitioning Disk Space

Note: You must install openCA on a UFS partition. It will not work on a ZFS

partition.

The configuration is two mirrored disks (i.e. four disks altogether: two 18 GB disks and

two 36 GB disks). The two external disks are mirrored against the two internal disks.

Disk 1 : 18 GB

/ 512 MB

swap 4 GB

mirroring (meta-db) 10 MB

/var 2 GB

Table B-1: 18 GB disk mirroring example


Disk 2 : 36 GB

Solaris Disk Mirroring

This section describes how to configure UFS mirrored disks.

Copying Partitioning Information

When mirroring drive 0 to drive 1, the partitioning information must be copied from drive 0

to drive 1 (see Procedure B-1).

Note: Procedure B-1 has fewer partitions than would normally be used in an

openCA deployment.

/usr 5 GB

/opt 9.5 GB

/CDR 33 GB

/logs 2 GB

mirroring (meta-db) 10 MB

Table B-2: 36 GB disk mirroring example

Table B-1: 18 GB disk mirroring example


Step Action

1. Enter format

The following is an example of the screen that appears:

Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c0t0d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
          /pci@1f,4000/scsi@3/sd@0,0
       1. c0t1d0 <SUN18G cyl 7506 alt 2 hd 19 sec 248>
          /pci@1f,4000/scsi@3/sd@1,0
Specify disk (enter its number):

2. At the format prompt, enter 1.

The following is an example of the screen that appears:

selecting c0t1d0
[disk formatted]
FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit

Procedure B-1: Copying Partitioning Information (Sheet 1 of 3)


3. At the format prompt, enter p.

The following is an example of the screen that appears:

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit

4. At the partition prompt, enter p.

The following is an example of the screen that appears:

Current partition table (original):
Total disk cylinders available: 7506 + 2 (reserved cylinders)

Part  Tag         Flag  Cylinders  Size      Blocks
0     unassigned  wm    0          0         (0/0/0)     0
1     swap        wu    0-222      513.07MB  (223/0/0)   1050776
2     backup      wm    0-7505     16.86GB   (7506/0/0)  35368272
3     unassigned  wm    0          0         (0/0/0)     0
4     unassigned  wm    0          0         (0/0/0)     0
5     unassigned  wm    0          0         (0/0/0)     0
6     unassigned  wm    0          0         (0/0/0)     0
7     unassigned  wm    0          0         (0/0/0)     0

5. At the partition prompt, enter s.

The following is an example of the screen that appears:

        0. original
        1. original
Specify table (enter its number)[1]:

6. At the prompt, enter 0.

Procedure B-1: Copying Partitioning Information (Sheet 2 of 3)


7. At the partition prompt, enter p.

The following is an example of the screen that appears:

Current partition table (original):
Total disk cylinders available: 7506 + 2 (reserved cylinders)

Part  Tag         Flag  Cylinders  Size      Blocks
0     root        wm    1781-2003  513.07MB  (223/0/0)   1050776
1     swap        wu    0-1780     4.00GB    (1781/0/0)  8392072
2     backup      wm    0-7505     16.86GB   (7506/0/0)  35368272
3     unassigned  wm    2004-2008  11.50MB   (5/0/0)     23560
4     var         wm    2009-2899  2.00GB    (891/0/0)   4198392
5     usr         wm    2900-3359  1.03GB    (460/0/0)   2167520
6     unassigned  wm    0          0         (0/0/0)     0
7     unassigned  wm    3360-7505  9.32GB    (4146/0/0)  19535952

8. At the partition prompt, enter l.

The following prompt appears:

Ready to label disk, continue?

9. At the prompt, enter y.

10. At the partition prompt, enter q.

The following is an example of the screen that appears:

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit

11. At the format prompt, enter q.

Procedure B-1: Copying Partitioning Information (Sheet 3 of 3)


Configuring Active Disk Mirroring

Procedure B-2 describes the steps to configure active disk mirroring on an openCA host.

Step Action

1. Edit the md.tab file.

See Example Edited md.tab file on page 65. This file resides in /etc/lvm.

2. Enter the following commands to activate the configuration.

# metadb -af mddb01
# metainit -af
# metaroot d0
# lockfs -fa
# reboot

When the system comes back up, /etc/vfstab will be as follows:

#device            device              mount    FS     fsck  mount    mount
#to mount          to fsck             point    type   pass  at boot  options
#
#/dev/dsk/c1d0s2   /dev/rdsk/c1d0s2    /usr     ufs    1     yes      -
fd                 -                   /dev/fd  fd     -     no       -
/proc              -                   /proc    proc   -     no       -
/dev/dsk/c0t0d0s1  -                   -        swap   -     no       -
/dev/md/dsk/d0     /dev/md/rdsk/d0     /        ufs    1     no       -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /usr     ufs    1     no       -
/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5  /var     ufs    1     no       -
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7  /opt     ufs    2     yes      -
/dev/dsk/c0t1d0s6  /dev/rdsk/c0t1d0s6  /logs    ufs    2     yes      -
/dev/dsk/c0t1d0s7  /dev/rdsk/c0t1d0s7  /CDR     ufs    2     yes      -
swap               -                   /tmp     tmpfs  -     yes      -

3. Edit /etc/vfstab as follows.

#device         device           mount    FS     fsck  mount    mount
#to mount       to fsck          point    type   pass  at boot  options
#
fd              -                /dev/fd  fd     -     no       -
/proc           -                /proc    proc   -     no       -
/dev/md/dsk/d1  -                -        swap   -     no       -
/dev/md/dsk/d0  /dev/md/rdsk/d0  /        ufs    1     no       -
/dev/md/dsk/d3  /dev/md/rdsk/d3  /usr     ufs    1     no       -
/dev/md/dsk/d2  /dev/md/rdsk/d2  /var     ufs    1     no       -
/dev/md/dsk/d4  /dev/md/rdsk/d4  /opt     ufs    2     yes      -
/dev/md/dsk/d5  /dev/md/rdsk/d5  /logs    ufs    2     yes      -
/dev/md/dsk/d6  /dev/md/rdsk/d6  /CDR     ufs    2     yes      -
swap            -                /tmp     tmpfs  -     yes      -

Procedure B-2: Configuring Disk Mirroring (Sheet 1 of 2)


Example Edited md.tab file

# metainit & metadb utilities input file.
#
# Metadevice database entry:-
#
mddb01 -c 2 /dev/dsk/c0t0d0s3 /dev/dsk/c0t1d0s3 \
        /dev/dsk/c1t10d0s3 /dev/dsk/c1t11d0s3
#
# Mirror configurations
#
# Mirror / partition
d10 1 1 c0t0d0s0
d20 1 1 c1t10d0s0
d0 -m d10
# Mirror swap partition
d11 1 1 c0t0d0s1
d21 1 1 c1t10d0s1
d1 -m d11
# Mirror /var partition
d12 1 1 c0t0d0s4
d22 1 1 c1t10d0s4
d2 -m d12
# Mirror /usr partition
d13 1 1 c0t0d0s5
d23 1 1 c1t10d0s5
d3 -m d13
# Mirror /opt partition
d14 1 1 c0t0d0s7
d24 1 1 c1t10d0s7
d4 -m d14
# Mirror /logs partition
d15 1 1 c0t1d0s6
d25 1 1 c1t11d0s6
d5 -m d15
# Mirror /CDR partition
d16 1 1 c0t1d0s7
d26 1 1 c1t11d0s7
d6 -m d16
# End of configurations.

4. Reboot the system.

5. When the system restarts, enter the following to attach the mirror copies:

# metattach d0 d20
# metattach d1 d21
# metattach d2 d22
# metattach d3 d23
# metattach d4 d24
# metattach d5 d25
# metattach d6 d26

The mirrors update automatically.

6. To check the status or progress of mirrors, use the metastat command.


Procedure B-2: Configuring Disk Mirroring (Sheet 2 of 2)


References

For more detailed information, refer to the Solstice DiskSuite 4.2.1 User's Guide and

Solstice DiskSuite 4.2.1 Reference Guide. Also refer to the following Solaris man pages:

• man metadb

• man metainit

• man metaroot

• man lockfs

• man md.tab

• man metastat

Linux

Fastwire recommend you run the Linux version of openCA with the following minimum

hardware and software components:

• IBM Blade Server

• 2 CPU (i686)

• 2 * 36GB Disks.

• Red Hat Enterprise Linux ES 5.2

Partitioning Disk Space

The configuration shown assumes the system has been setup with a single mirrored

disk. Some systems, for example the IBM BladeCenter, use hardware disk mirroring. For

information on how to configure disk partitioning, consult the documentation supplied

with the hardware and operating system distribution.

Disk : 36 GB

/ 512 MB

swap 2 times available RAM

/var 2 GB

/usr 1 GB

/opt 9.5 GB

/CDR 10 GB

/logs 8 GB

Table B-3: 36 GB Disk Partitioning Example


Appendix C: IP Network Configuration

Solaris IP Network Configuration

Redundant Configuration

For a redundant configuration on Solaris, there are two different IP networks associated

with openCA hosts. One is the Call VLAN which is the IP connectivity for all external

communication, the other network is the Redundancy network. The Redundancy

network is used by a pair of servers to communicate with each other, to determine the

active Call Agent and to pass synchronisation information.

Each network requires its own pair of physical interface ports.

The openCA servers should be setup as shown below.

The Redundancy network consists of two point-to-point (P2P) connections. Crossover

cables are required for each connection between the two servers. Multipathing is NOT

configured on these network connections. Multipathing is used only for connections to

the Call VLAN.

[Figure C-1: Redundant openCA server setup configuration. Labels: CA 1, CA 2, Call VLAN (multipathing), Redundancy Network (P2P connection).]

Standalone Configuration

In a standalone configuration on Solaris, there is no redundancy network to configure.

The openCA host connects to the call VLAN over a pair of physical interface ports

configured for IP multipathing.

The openCA servers should be setup as shown below.

Solaris Configuring IP Multipathing and Point to Point Connections

This section provides step-by-step instructions for the configuration of IP Multipathing

and Point-to-Point connections. For more information on IP Multipathing, see:

• IP Network Multipathing Administration Guide at http://docs.sun.com/

• IP Network Multipathing blueprint at http://www.sun.com/blueprints

Solaris Enabling Unique MAC Addresses

Ensure that unique MAC addresses are used for each network interface card.

As user root, enter the eeprom command and look at the value of the

local-mac-address parameter. If the value is false (the default), all network interface

cards in the server use the same MAC address. If this is the case, you will not be able to

connect two network interface cards to the same subnet and you will not be able to

configure IP Multipathing.

To set the correct eeprom value, enter the following command,

eeprom local-mac-address?=true

Note: You must reboot the server for this command to take effect.

[Figure C-2: Standalone openCA server setup configuration. Labels: CA, Call VLAN (multipathing).]

Solaris Allocating IP Addresses

Allocate IP addresses (in the same subnet) for IP Multipathing. Allocate the following:

• One IP address for each physical interface (in this case, hme0 and hme1)

• One IP address to the primary (virtual) IP address of the machine

• One IP address to the backup (virtual) IP address of the machine

For a redundant configuration, allocate IP addresses (different subnet to the multipathing

network) for the P2P devices.

• One IP address for each physical interface (in this case, qfe1 and qfe3)

Update the /etc/hosts file with the IP addresses defined above.

Fastwire recommend you use the following naming convention:

• hostname: The primary (virtual) IP address of the machine.

• hostname-interface: The IP address of each physical interface on the machine.

• hostname-backup: The backup (virtual) IP address of the machine.

An example /etc/hosts setup for an openCA host is provided below.

#
# Internet host table
#
127.0.0.1       localhost

# openCA host oca01’s IP addresses
203.194.24.1    oca01-hme0
203.194.24.2    oca01-qfe0
203.194.24.3    oca01-backup
203.194.24.4    oca01-kent-syd
10.10.10.1      oca01-qfe1
10.10.10.3      oca01-qfe3

# openCA host oca02’s IP addresses
203.194.24.5    oca02-hme0
203.194.24.6    oca02-qfe0
203.194.24.7    oca02-backup
203.194.24.8    oca02-kent-syd
10.10.10.2      oca02-qfe1
10.10.10.4      oca02-qfe3

# Signalling Gateway host osg01’s IP addresses
203.194.24.12   osg01-hme0
203.194.24.13   osg01-hme1
203.194.24.14   osg01-backup
203.194.24.15   osg01-kent-syd osg01 loghost

# openSG host osg02’s IP addresses
203.194.24.16   osg02-hme0
203.194.24.17   osg02-hme1
203.194.24.18   osg02-backup
203.194.24.19   osg02-kent-syd osg02

Note: Ensure that physical interface cards are cabled correctly and that IP

addresses are assigned to the appropriate interfaces.

Solaris Disabling Network Routing

If the node will not be performing network routing (recommended), enter the following

command:

touch /etc/notrouter

Note: You must reboot the server for this command to take effect, unless the IP

driver parameter ip_forwarding is set to zero using the ndd /dev/ip command.

Solaris Configuring Router Discovery

To configure the router discovery daemon, follow the steps in Procedure C-1.

By default, the router discovery daemon will not start if there are routes defined in the

/etc/defaultrouter file. Procedure C-1 ensures that the router discovery daemon will

start under all circumstances.

Step Action

1. Create the rdisc file in /etc/init.d

See Contents of /etc/init.d/rdisc on page 71.

2. Enter the following command to allow execute permission on the file:

chmod 755 /etc/init.d/rdisc

3. To test the script, start the router discovery daemon by entering the following

command:

/etc/init.d/rdisc start

4. Enter the following command to create a hard link to this file in /etc/rc2.d.

ln /etc/init.d/rdisc /etc/rc2.d/S70rdisc

Procedure C-1: Configuring Router Discovery


Contents of /etc/init.d/rdisc

#!/bin/sh
#
# If parameter 1 is "start" then check if the router discovery
# daemon, in.rdisc, is running and if not, start it. If parameter 1
# is "stop" then stop in.rdisc
#
case "$1" in
'start')
        if [ -x /usr/bin/pgrep ]
        then
                /usr/bin/pgrep -x -u 0 in.rdisc >/dev/null 2>&1 || \
                        /usr/sbin/in.rdisc -f >/dev/msglog 2>&1
        else
                logger Cannot execute /usr/bin/pgrep, in.rdisc not started.
        fi
        ;;

'stop')
        /usr/bin/pkill -x -u 0 in.rdisc
        ;;

*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0

Solaris Configuring Network Interfaces

Update the configuration files for each network interface. This ensures that the IP

Multipathing configuration survives a server reboot.

Fastwire recommend that you keep a copy of the original configuration files and a copy of

these configuration files with an IP Multipathing configuration. This allows a system

administrator to change the configuration of the server very quickly if required. The

following are examples:

• /etc/hostname.hme0 (current configuration for hme0)

• /etc/hostname.hme0.orig (original configuration of hme0)

• /etc/hostname.hme0.multipath (IP Multipathing configuration for hme0)

• /etc/hostname.qfe0 (current configuration of qfe0)

• /etc/hostname.qfe0.orig (original configuration of qfe0)

• /etc/hostname.qfe0.multipath (IP Multipathing configuration of qfe0)

• /etc/hostname.qfe1.p2p (P2P configuration of qfe1)

• /etc/hostname.qfe1 (current configuration of qfe1)

• /etc/hostname.qfe3.p2p (P2P configuration of qfe3)

• /etc/hostname.qfe3 (current configuration of qfe3)


Contents of /etc/hostname.hme0

oca01-hme0 netmask + broadcast + \
group call-control deprecated -failover up \
addif oca01 netmask + broadcast + failover up

Contents of /etc/hostname.qfe0

oca01-qfe0 netmask + broadcast + \
group call-control deprecated -failover up \
addif oca01-backup netmask + broadcast + failover up

Contents of /etc/hostname.qfe1

oca01-qfe1 netmask + destination oca02-qfe1

Contents of /etc/hostname.qfe3

oca01-qfe3 netmask + destination oca02-qfe3

This configuration will place interface hme0 and hme1 in an IP Multipathing group known

as production and the interfaces qfe1 and qfe3 as P2P connections for the

Redundancy network.

The addif command creates the virtual interfaces used by the IP Multipathing daemon

(in.mpathd). These virtual interfaces have the failover flag indicating that they will fail

over in the event of an interface failure.

Reboot the server for the multipathing changes to take effect.

Solaris Setting Failure Detection Times

In the file /etc/default/mpathd, change the parameter FAILURE_DETECTION_TIME from

10000 milliseconds (10 seconds) to 6000 milliseconds (6 seconds).

To change the multipath detection timeout, follow the steps in Procedure C-2.

Step Action

1. Become root user.

2. Edit /etc/default/mpathd and enter the new value for the

FAILURE_DETECTION_TIME parameter, i.e. FAILURE_DETECTION_TIME=6000

3. Restart the daemon for this change to take effect. Either reboot the machine

or send a SIGHUP to the IP Multipathing daemon process:

kill -HUP process-ID-for-in.mpathd

or

pkill -HUP in.mpathd

Procedure C-2: Multipath Detection Timeout (Sheet 1 of 2)


If you get a large number of messages as shown below, you may need to increase the

FAILURE_DETECTION_TIME:

Jan 18 15:16:55 osg01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6368 ms

If you're still seeing a large number of these messages and the

FAILURE_DETECTION_TIME is above 6 seconds, notify Customer Support. Other openCA

parameters may have to be adjusted to support this FAILURE_DETECTION_TIME.

FAILURE_DETECTION_TIME in the mpathd File

##ident "@(#)mpathd.dfl 1.1 00/01/03 SMI"## Time taken by mpathd to detect a NIC failure in ms. The minimum time# that can be specified is 100 ms.#FAILURE_DETECTION_TIME=6000## Failback is enabled by default. To disable failback turn off this option#FAILBACK=yes## By default only interfaces configured as part of multipathing groups# are tracked. Turn off this option to track all network interfaces# on the system#TRACK_INTERFACES_ONLY_WITH_GROUPS=yes

4. To check that in.mpathd is running, enter the following command:

ps -ef | grep in.mpathd

5. Monitor the file /var/adm/messages for messages from the IP Multipathing

daemon.

Step Action

Procedure C-2: Multipath Detection Timeout (Sheet 2 of 2)

Fastwire Pty Ltd 73

Page 74: OpenCA Installation Guide-V4.3.8

IP Network Configuration openCA 4.3.8

Configuring Probe Targets

IP Multipathing will dynamically select probe targets in the local network to determine the

status of the interfaces in a particular IP Multipathing group. Although this mechanism

works fine in simple networks where there is only a single default gateway out of the local

area network, it is recommended that probe targets are seeded in situations where

redundant gateways are used (for example, where redundant Cisco Content Services

Switch (CSS) devices are configured as the default gateway).

To determine whether this step is necessary, refer to the network diagram and

deployment documentation for your installation.

Step Action

1. Configure the IP address of the default router for the local network in the

/etc/defaultrouter file (as normal).

For example, where CSS devices are used, the IP address of the default router

is typically the redundant interface address in the local network that was

configured on both CSS devices.

In this example, 203.194.24.11.

2. Select a subnet address that is not used in the network or which is not

accessible from the local network (for example, 192.168.254.0).

3. Determine the local interface IP addresses of the local redundant gateway

devices.

For example:

• 203.194.24.9 is the IP address of interface e2 on CSS01 in the local network

• 203.194.24.10 is the IP address of interface e2 on CSS02 in the local

network

4. Configure a static route to the network selected in Step 2 to the interface IP

address on each redundant gateway device.

In this example:

# route add 192.168.254.0 203.194.24.9
# route add 192.168.254.0 203.194.24.10

5. To verify the correct operation of IP Multipathing after the change in Step 4,

enter the following command:

# snoop -d <interface> icmp

Where <interface> is the interface on the local network (for example, hme0,

qfe0 and so forth).

Look for periodic ICMP echo requests for three addresses. In this example,

203.194.24.9, 203.194.24.10 and 203.194.24.11.

Procedure C-3: Configuring IP Multipathing Targets

Verifying Operation of IP Multipathing and P2P Connections

Enter the following command to view the configuration of the network interface cards:

ifconfig -a

Using the example above, this command will yield the response below:

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname production
        ether 8:0:20:f9:f2:bd
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.3 netmask ffffff00 broadcast 204.194.24.255
qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

To verify the P2P connections ping the far end of the connection (i.e. from oca01).

ping 10.10.10.2

and get a response:

10.10.10.2 is alive

Troubleshooting IP Multipathing

In the example below, hme0 will be failed.

Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
Sep 21 12:10:51 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?

The message log shows that the interface failure is detected almost immediately. Then,

within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the

primary (virtual) IP address to hme1.

The ifconfig command shows how IP Multipathing handles the interface failure.

Interface hme0 is labelled FAILED and the primary (virtual) IP address that was virtual

interface hme0:1 on hme0 has moved to virtual interface hme1:2 on hme1.

The server will not respond to 203.194.24.1 (the IP address assigned to the physical

interface hme0) but will respond to the remaining three IP addresses, 203.194.24.2,

203.194.24.3 and 203.194.24.4.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bd
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
qfe0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
qfe1: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000851<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

The messages below are generated when hme0 is repaired. The output of ifconfig will

return to that shown in Verifying Operation of IP Multipathing and P2P Connections on

page 75.

Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : External Transceiver Selected.
Sep 21 12:12:06 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
Sep 21 12:12:50 oca03 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0

In the example below, hme1 will be failed.

Sep 21 12:07:32 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:07:40 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on qfe0
Sep 21 12:07:40 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme1 to NIC hme0

The message log shows that the interface failure is detected almost immediately. Then,

within FAILURE_DETECTION_TIME, the IP Multipathing daemon (in.mpathd) fails over the

backup (virtual) IP address to hme0.

The ifconfig command shows how IP Multipathing handles the interface failure.

Interface hme1 is labelled FAILED and the backup (virtual) IP address that was virtual

interface hme1:1 on hme1 has moved to virtual interface hme0:2 on hme0.

The server will not respond to 203.194.24.2 (the IP address assigned to the physical

interface qfe0) but will respond to the remaining three IP addresses, 203.194.24.1,

203.194.24.3 and 203.194.24.4.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bc
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=19040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 3
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
        ether 8:0:20:f9:f2:bd

The following example shows the messages generated when hme1 is repaired. The

output of ifconfig will return to that shown in Verifying Operation of IP Multipathing and

P2P Connections on page 75.

Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : External Transceiver Selected.
Sep 21 12:08:27 oca01 hme: [ID 786680 kern.notice] SUNW,hme1 : Auto-Negotiated 100 Mbps Full-Duplex Link Up
Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on qfe0
Sep 21 12:09:12 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC qfe0
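The in.mpathd messages shown in the failure-detection and troubleshooting sections above can be tallied from /var/adm/messages with a short script. This is an added example, not part of the openCA guide; the function names are hypothetical and the sample log is constructed from the message formats on this page (the final qfe0 failure line is invented to show an unrepaired NIC).

```shell
#!/bin/sh
# Added example: summarise in.mpathd events from a syslog file.

# Write a constructed sample log using the message formats shown in this guide.
write_sample_log() {   # $1 = output path
    cat > "$1" <<'EOF'
Jan 18 15:16:55 osg01 in.mpathd[32]: [ID 398532 daemon.error] Cannot meet requested failure detection time of 6000 ms on (inet hme0) new failure detection time is 6368 ms
Sep 21 12:10:40 oca01 hme: [ID 786680 kern.notice] SUNW,hme0 : No response from Ethernet network : Link down -- cable problem?
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on hme0
Sep 21 12:10:48 oca01 in.mpathd[4698]: [ID 832587 daemon.error] Successfully failed over from NIC hme0 to NIC qfe0
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 218011 daemon.error] NIC repair detected on hme0
Sep 21 12:12:50 oca01 in.mpathd[4698]: [ID 620804 daemon.error] Successfully failed back to NIC hme0
Sep 21 12:20:01 oca01 in.mpathd[4698]: [ID 533792 daemon.error] NIC failure detected on qfe0
EOF
}

# Print one summary line: event counts, the largest detection time the daemon
# fell back to, and any NIC with a failure that has no later repair message.
mpathd_summary() {   # $1 = log file path
    awk '
    $5 !~ /^in\.mpathd\[/ { next }          # only the IP Multipathing daemon
    /NIC failure detected on/ { down[$NF] = 1; failures++ }
    /Successfully failed over from NIC/ { failovers++ }
    /NIC repair detected on/ { delete down[$NF]; repairs++ }
    /Successfully failed back to NIC/ { failbacks++ }
    /Cannot meet requested failure detection time/ {
        warnings++
        # The achieved time follows the word "is": "... time is 6368 ms"
        for (i = 1; i < NF; i++)
            if ($i == "is") { v = $(i + 1) + 0; if (v > max) max = v }
    }
    END {
        still = ""
        for (n in down) still = still (still == "" ? "" : ",") n
        if (still == "") still = "none"
        printf "failures=%d failovers=%d repairs=%d failbacks=%d fdt_warnings=%d max_fdt_ms=%d still_failed=%s\n",
               failures, failovers, repairs, failbacks, warnings, max, still
    }' "$1"
}

# Demo run: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"; mpathd_summary "$tmp"; rm -f "$tmp"
fi
```

A non-zero fdt_warnings count with max_fdt_ms above the configured value is the condition the guide says may call for raising FAILURE_DETECTION_TIME.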

Related Commands

The two main daemons required for correct operation of IP Multipathing are:

• /usr/sbin/in.rdisc (router discovery daemon)

• /sbin/in.mpathd (IP Multipathing daemon)

The following commands let you see whether these daemons (for example, in.mpathd)

are running:

• /usr/bin/pgrep in.mpathd

• /bin/ps -ef | grep in.mpathd

The pgrep command returns the process ID of the process, if the process is running

(scheduled). If the process is not running, pgrep will return nothing.

The grep command performs a operation on the list of running (scheduled) processes.

The netstat -rn command shows the current routing table on the server (see below). In

this case, the best route to network 192.168.16.0 is through interface hme0:1, which is

the primary (virtual) IP address (192.168.16.20).

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
203.194.24.0         203.194.24.3         U         1     12  qfe0:1
203.194.24.0         203.194.24.4         U         1      2  hme0:1
203.194.24.0         203.194.24.2         U         1      0  qfe0
203.194.24.0         203.194.24.1         U         1      0  hme0
224.0.0.0            203.194.24.4         U         1      0  hme0:1
10.10.10.2           10.10.10.1           UH        1      0  qfe1
10.10.10.4           10.10.10.3           UH        1      0  qfe3
default              203.194.24.11        UG        1    367
127.0.0.1            127.0.0.1            UH       23 696581  lo0

Solaris Name Service Configuration

The name service on each openCA host must be configured according to the following

guidelines to ensure proper operation of the openCA application.

Name Service Switch Configuration

Solaris uses a number of databases for information about hosts, IP nodes, passwords,

groups and so forth. This data can come from a variety of sources, for example,

/etc/hosts (files), NIS, NIS+, DNS or LDAP.

The name service switch configuration file (/etc/nsswitch.conf) specifies which

information sources are used and their lookup order. For each openCA host, edit

/etc/nsswitch.conf so that the hosts and services lines are as follows:

hosts: files
services: files

For openCA hosts, only files should be used – DNS, NIS, NIS+ and LDAP are not

currently supported.

Solaris Configuration of /etc/hosts

The /etc/hosts file for any machine should contain the IP address/hostname pair for

each host that users or applications on this machine may wish to refer to or communicate

with by hostname. In other words, it effectively provides a lookup service which takes a

hostname as an argument and returns the correct IP address for that hostname.

Each openCA host should contain an entry for every IP address of:

• openCA hosts

• openSG hosts

• openVI hosts

• openSCP hosts

• media gateways and network access servers

• H.323 gateways

Each entry in the /etc/hosts should take the following form:

IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of

203.194.24.19 and a backup IP address of 203.194.24.18, the following entries would

need to be inserted in /etc/hosts:

203.194.24.8 oca02 alt-name-4-oca02
203.194.24.7 oca02-backup

Thereafter, if we ping or telnet oca02 (or alt-name-4-oca02), all communications

will be with the remote IP address 203.194.24.8, whereas if we ping or telnet oca02-backup, all communications will be with the remote IP address 203.194.24.7.

Linux IP Network Configuration

IBM Blade Center Redundant Configuration

The IBM Blade Center redundant configuration is two IBM Blade servers running in an IBM

BladeCenter that is connected to the call VLAN. The configuration is shown in

Figure C-3.

Figure C-3: IBM Blade Center redundant configuration (diagram labels: CA 1, CA 2, BladeCenter, IP Backbone, Call VLAN)

Linux Server Redundant Configuration with Ethernet Bonding

This configuration utilises ethernet bonding to provide network redundancy.

Figure C-4: Linux Server Redundant Configuration with Ethernet Bonding (diagram labels: CA 1, CA 2, Call VLAN, SW 1, SW 2, ISL)

Standalone Configuration

In a standalone Linux configuration the openCA host is directly connected to the call VLAN over a single network interface as shown in the diagram below.

Figure C-5: Standalone Linux configuration (diagram labels: openCA, Call VLAN)

Linux Name Service Configuration

The name service on each openCA host must be configured according to the following

guidelines to ensure proper operation of the openCA application.

Name Service Switch Configuration

Linux uses a number of databases for information about hosts, IP nodes, passwords,

groups and so forth. This data can come from a variety of sources, for example,

/etc/hosts (files), NIS, NIS+, DNS or LDAP.

The name service switch configuration file (/etc/nsswitch.conf) specifies which

information sources are used and their lookup order. For each openCA host, edit

/etc/nsswitch.conf so that the hosts and services lines are as follows:

hosts: files
services: files

Linux Configuration of /etc/hosts

For openCA hosts, only files should be used – DNS, NIS, NIS+ and LDAP are not

currently supported.

Each openCA host should contain an entry for every IP address of:

• openCA hosts

• Signalling Gateway hosts

• openSCP and openSDF hosts (if applicable)

• Media Gateways and Network Access Servers

• openVI hosts (if applicable)

• H.323 gateways (if applicable)

Each entry in the /etc/hosts should take the following form:

IP_address hostname [alternate hostname]

For example, to register a remote host called oca02, with a primary IP address of

203.194.24.8, the following entry would need to be inserted in /etc/hosts:

203.194.24.8 oca02

Thereafter, if we ping or telnet oca02, all communications will be with the remote IP

address 203.194.24.8.

Finally, process logging, CDR storing, and listening for H323 connections will also

usually occur on the same host as openCA is running. Therefore, loghost, myCDR,

myASP, and myH323Listener should be added to the entry for the local Call Agent.

An example of an openCA host’s /etc/hosts is provided below.

#
# Internet host table
#
127.0.0.1 localhost

# openCA host oca01’s IP address
203.194.24.118 oca01 loghost myASP myCDR

# Fvip address.
203.194.24.5 ocafvip myH323Listener

# openCA host oca02’s IP address
203.194.24.119 oca02

# openSG host osg01’s IP addresses
203.194.24.12 osg01

Note: Ensure that physical interface cards are cabled correctly and that IP

addresses are assigned to the appropriate interfaces.
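The name-service rules above (hosts and services resolved from files only, one address per hostname, and the loghost, myCDR, myASP and myH323Listener aliases present) can be checked with a script such as the following. This is an added example, not part of the openCA guide; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf and /etc/hosts against the guide's rules.

# Print the sources configured for one nsswitch.conf database, e.g. "files dns".
nss_sources() {   # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2:" '
        { sub(/#.*/, "") }                    # drop comments
        $1 == db {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }' "$1"
}

# Succeed only when both hosts and services are resolved from files alone.
nss_files_only() {   # $1 = nsswitch.conf path
    for db in hosts services; do
        [ "$(nss_sources "$1" "$db")" = "files" ] || return 1
    done
    return 0
}

# Print every hostname or alias that is bound to more than one IP address.
hosts_conflicts() {   # $1 = hosts file path
    awk '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if (($i in ip) && ip[$i] != $1) bad[$i] = ip[$i] " and " $1
                else ip[$i] = $1
            }
        }
        END { for (n in bad) print n ": " bad[n] }' "$1" | sort
}

# Print the local Call Agent aliases named in the guide that have no entry.
missing_aliases() {   # $1 = hosts file path
    for name in loghost myCDR myASP myH323Listener; do
        awk -v n="$name" '
            { sub(/#.*/, "") }
            { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$1" || echo "$name"
    done
}

# Constructed sample files: one compliant and one non-compliant nsswitch.conf,
# and a hosts file with a duplicate name and a missing alias.
write_samples() {   # $1 = directory
    printf 'hosts: files\nservices: files\n' > "$1/nsswitch.ok"
    printf 'hosts: files dns   # DNS consulted after files\nservices: files\n' > "$1/nsswitch.weak"
    cat > "$1/hosts.sample" <<'EOF'
127.0.0.1 localhost
203.194.24.118 oca01 loghost myASP
203.194.24.5 ocafvip myH323Listener
203.194.24.119 oca02
203.194.24.120 oca02   # constructed conflict
EOF
}

# Demo run: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    nss_files_only "$d/nsswitch.weak" || echo "nsswitch: hosts uses $(nss_sources "$d/nsswitch.weak" hosts)"
    hosts_conflicts "$d/hosts.sample"
    missing_aliases "$d/hosts.sample"
    rm -rf "$d"
fi
```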

Linux Disabling Network Routing

If the node will not be performing network routing (recommended), consult the

documentation supplied with the operating system distribution for information on how to

disable network routing. For RedHat Linux ES4, this can be done at install time.

Ethernet Bonding on RedHat ES 5

Ethernet bonding provides equivalent functionality to the Solaris multipathing with two

ethernet interfaces able to be linked as an active/backup pair. In a redundant

configuration, two physical ethernet interfaces are usually installed on each server. One

interface on each server is then connected to each of two layer 2 ethernet switches as

shown in Figure C-6.

This provides interface redundancy and also facilitates switch redundancy.

Note: Ethernet bonding is not configured if IBM Blade Center Redundant

Configuration is used.

Configuring a Bonded Interface

The Linux bonding interfaces differ from Sun multipathing in that only a single IP interface

is required.

Figure C-6: Ethernet Bonding on RedHat ES 5 (diagram labels: CA 1, CA 2, Call VLAN, SW 1, SW 2, ISL)

For the purposes of this discussion assume that:

• bond0 is the name of the virtual bonded interface to be created

• eth0 is the first slave interface

• eth1 is the second slave interface

• 203.194.24.118 is to be assigned to the bonded interface

The configuration proceeds as described in Procedure C-4.

Step Action

1. As user root, change directory to /etc/sysconfig/network-scripts and create the interface configuration file for the bonding interface ifcfg-bond0.

It should contain the following lines:

DEVICE=bond0
BONDING_OPTS="mode=active-backup miimon=100"
BOOTPROTO=static
ONBOOT=YES
NETWORK=203.194.24.0
NETMASK=255.255.255.0
IPADDR=203.194.24.118
USERCTL=no

2. Create (or edit if it already exists) the interface config file ifcfg-eth0 as follows:

DEVICE=eth0
HWADDR=<MAC address>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no

3. Create (or edit if it already exists) the interface config file ifcfg-eth1 as follows:

DEVICE=eth1
HWADDR=<MAC address>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no

4. Enable the loading of the bonding ethernet kernel module with the correct options by editing the file /etc/modprobe.conf and adding the following lines.

alias bond0 bonding

5. The server should be rebooted for the changes to take effect.

reboot

6. After reboot there should be a bond0 interface. The bond0 interface should be the MASTER interface, whilst eth0 and eth1 should be SLAVE interfaces.

Enter the following command to view the configuration of the network interface cards:

ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:10.70.80.60  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:64291620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13654588 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:3083505453 (2.8 GiB)  TX bytes:3472883492 (3.2 GiB)

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29667303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2581088162 (2.4 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:34624320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9211375 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:502417582 (479.1 MiB)  TX bytes:1691932738 (1.5 GiB)
          Interrupt:209 Base address:0xe000

Procedure C-4: Configuring a bonded interface

Displaying a Bonded Interface’s Status

To display the current status of the bond0 bonded interface, use the following command:

cat /proc/net/bonding/bond0

Appendix D: Network Time

Configuring Network Time

openCA uses databases to store configuration data. In a redundant configuration, a

replica of the database exists on each host. When configuration data is added or updated

in one of the databases, that database automatically ensures that the new data is

propagated to the other database replica. The replication mechanism requires that the

clocks on each host are synchronised. Network Time Protocol (NTP) is used for this

purpose.

Note: NTP is not required in a standalone configuration with only a single database.

Solaris

Procedure D-1 contains the Solaris NTP configuration procedure. For more information,

refer to the XNTPD manual page (man xntpd).

Step Action

1. Log in as root.

2. Create the NTP configuration file: /etc/inet/ntp.conf.

# @(#)ntp.conf 1.5 99/09/21 SMI
#
# /etc/inet/ntp.conf
#
# An example file that could be copied over to /etc/inet/ntp.conf.
#
server 203.194.28.160
server 203.194.28.161

enable monitor
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
#filegen peerstats file peerstats type day enable
#filegen loopstats file loopstats type day enable
#filegen clockstats file clockstats type day enable

#keys /etc/inet/ntp.keys
#trustedkey 10
#requestkey 0
#controlkey 0

In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

Note: In the example above, statistics are disabled in order to avoid the creation of a large number of files.

3. Use the date command to set the time correctly.

4. Start the ntp service by entering:

svcadm enable ntp

5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts.

The following is an example of the response:

% ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
*oca01           .LCL.            1 -   13   64  377     0.40    0.017    1.05

Procedure D-1: NTP Configuration for Solaris

Linux

Procedure D-2 contains the Linux NTP configuration procedure to use if NTP has not already been enabled at installation time (see Procedure D-1 for information on how to configure NTP at install time).

For more information, refer to the NTPD manual page (man ntpd).

Step Action

1. Log in as root.

2. Edit the NTP Servers file: /etc/ntp.conf.

server 203.194.28.160
server 203.194.28.161

In the example above, 203.194.28.160 and 203.194.28.161 are the primary and secondary NTP servers.

3. Use the date command to set the time correctly.

4. Start the xntpd daemon by entering:

/etc/init.d/ntpd start

5. Enter the ntpq -p command to check the status of the synchronisation. When there is a * next to the NTP server, the time is synchronised between hosts.

The following is an example of the response:

% ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
*oca01           .LCL.            1 -   13   64  377     0.40    0.017    1.05

Procedure D-2: NTP Configuration for Linux

Appendix E: Security

Introduction

By default, both Solaris 10 and Linux have services enabled that are not required by

openCA. Some of these services may have security implications, so it is good practice to

disable any service that is not specifically required.

This section identifies the startup scripts and services that have been proven surplus to

openCA requirements.

Solaris Security

Solaris Run level and network services

Solaris Disabling unnecessary services

The /etc/rc2.d and /etc/rc3.d directories contain scripts that are executed at boot

time or when the run level is changed. Some of these scripts start services not required

by openCA. The following tables define scripts that can be disabled on an openCA host.

/etc/rc2.d

Enabled              Disabled
K06mipagent          _K06mipagent.NOTUSED
K07dmi               _K07dmi.NOTUSED
K07snmpdx            _K07snmpdx.NOTUSED
K16apache            _K16apache.NOTUSED
K28nfs.server        _K28nfs.server.NOTUSED
S20sysetup           _S20sysetup.NOTUSED
S47asppp             _S47asppp.NOTUSED
S71ldap.client       _S71ldap.client.NOTUSED
S71rpc               _S71rpc.NOTUSED
S71sysid.sys         _S71sysid.sys.NOTUSED
S72autoinstall       _S72autoinstall.NOTUSED
S72slpd              _S72slpd.NOTUSED
S73cachefs.daemon    _S73cachefs.daemon.NOTUSED
S73nfs.client        _S73nfs.client.NOTUSED
S74autofs            _S74autofs.NOTUSED
S80lp                _S80lp.NOTUSED
S80PRESERVE          _S80PRESERVE.NOTUSED
S80spc               _S80spc.NOTUSED
S85power             _S85power.NOTUSED
S90wbem              _S90wbem.NOTUSED
S99dtlogin           _S99dtlogin.NOTUSED

Table E-1: Unnecessary services at run level 2

/etc/rc3.d

Enabled              Disabled
S15nfs.server        _S15nfs.server.NOTUSED
S50apache            _S50apache.NOTUSED
S76snmpdx            _S76snmpdx.NOTUSED
S77dmi               _S77dmi.NOTUSED
S80mipagent          _S80mipagent.NOTUSED

Table E-2: Unnecessary services at run level 3

IP FILTER (Solaris)

Fastwire recommends that you turn IP filters off and use an external firewall. If your

environment requires the use of IP filter, add the rules shown in Procedure E-1 to the

/etc/ipf/ipf.conf file.

Step Action

1. Allow TCP and UDP between the peers:

@1 pass in log quick proto tcp from <peer_address>/32 to <self_address>/32
@3 pass in log quick proto udp from <peer_address>/32 to <self_address>/32

2. Allow local loopback:

@4 pass in log quick on lo0

3. Allow NTP:

@5 pass in log quick from <ntp_server_subnet>/24 port=123 to <self_address>/32 port=123
@6 pass in log quick from <openca_subnet>/24 to 224.0.1.1/32

4. Allow DNS:

@7 pass in log quick from <openca_subnet>/24 to 224.0.0.251/32

5. Allow Multicast & Broadcast (MMI & Alarms):

@11 pass in log quick from <openca_subnet>/24 to 239.255.0.133/32
@12 pass in log quick from <openca_subnet>/24 to 10.70.80.255

6. Allow SIP:

@13 pass in log quick proto udp from any to <fvip_address>/32 port=5060 keep state

7. Allow H323:

@15 pass in log quick from any to 224.0.1.141/32 port = 1718 keep state
@16 pass in log quick proto udp from any to <openca_subnet>/24 port = 1719 keep state
@17 pass in log quick proto tcp from any to <fvip_address>/24 port = 1720 keep state
@19 pass in log quick proto tcp from <h323_gw_address> to <fvip_address>/32 keep state

8. Allow Subscriber Web Access:

@21 pass in log quick proto tcp from <openca_subnet_address>/24 to <self_address>/32 port=5432 keep state
@22 pass in log quick proto tcp from <openca_subnet_address>/24 to <self_address>/32 port=12345 keep state
@23 pass in log quick proto tcp from any to <self_address>/32 port=443 keep state

9. Allow ICMP:

@24 pass in log quick proto icmp from any to any icmp-type 0 keep state
@25 pass in log quick proto icmp from any to any icmp-type 11 keep state
@26 pass in log quick proto icmp from <openca_subnet_address>/24 to <openca_subnet_address>/24 keep state

10. Allow ISUP and MGCP communication:

@27 pass in log quick proto 132 from <signaling_gw_address>/32 to <self/fvip_address>/32 keep state
@31 pass in log quick proto udp from <media_gw_address>/32 port = 2427 to <self/fvip_address>/32 port = 2727 keep state

11. Reset ipfilter when the above modifications are complete:

ipf -D; ipf -E; ipf -f /etc/ipf/ipf.conf

Procedure E-1: Rules to add to the ipf.conf file for IP filtering.

For an example ipf.conf file, see Appendix K: IPFILTER Configuration File.

Linux Security

The following services can be turned off on Linux hosts:

• cups

• iptables

• sendmail

• autofs

• arptables_jf

For information on how to turn off these services, consult the Linux manual pages for the chkconfig command. For example, to turn off a service, log on as root and enter the following:

chkconfig --level 23456 <service> off

IP TABLES (Linux)

Fastwire recommends you turn IP tables off and instead use an external firewall. If your

environment requires IP tables, however, add the rules shown in Procedure E-2 to the

/etc/sysconfig/iptables configuration file. These settings are required when using IP

tables as a firewall.

Step Action

1. Allow ICMP:

-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT-A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT-A RH-Firewall-1-INPUT -p icmp -s <openca_subnet>/24 -d <openca_subnet>/24 -j ACCEPT

2. Allow local loopback:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

3. Allow Broadcast and Multicast to support MMI:

-A RH-Firewall-1-INPUT -m addrtype --dst-type BROADCAST -j ACCEPT-A RH-Firewall-1-INPUT -m addrtype --dst-type MULTICAST -j ACCEPT

4. Allow TCP/UDP connections between the redundant peer hosts:

-A RH-Firewall-1-INPUT -s <peer_address>/32 -d <self_address>/32 -p tcp -j ACCEPT-A RH-Firewall-1-INPUT -s <peer_address>/32 -d <self_address>/32 -p udp -j ACCEPT

5. Allow NTP communication:

-A RH-Firewall-1-INPUT -s <ntp_server_subnet>/24 -d <self_address>/32 -p tcp --sport 123 --dport 123 -j ACCEPT-A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d 224.0.1.1/32 -j ACCEPT

6. Allow DNS communication:

-A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d 224.0.0.251/32 -j ACCEPT

7. Accept SIP requests:

-A RH-Firewall-1-INPUT -d <fvip_address>/32 -p udp --dport 5060 -j ACCEPT

8. Allow H323:

-A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT-A RH-Firewall-1-INPUT -d <fvip_address>/32 -p tcp --dport 1720 -j ACCEPT-A RH-Firewall-1-INPUT -s <h323_gw_address>/32 -d <fvip_address>/32 -p tcp -j ACCEPT


For example IP tables, see Appendix J: IPTABLES Configuration File.

9. Allow Subscriber WEB Access:

-A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d <self_address>/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s <openca_subnet>/24 -d <self_address>/32 -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -d <self_address>/32 -p tcp --dport 443 -j ACCEPT

10. Allow ISUP and MGCP Signalling:

-A RH-Firewall-1-INPUT -s <signaling_gw_address>/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s <media_gw_address>/32 -p udp --sport 2427 --dport 2727 -j ACCEPT


Procedure E-2: Settings required when using IP tables as a firewall. (Sheet 2 of 2)


Appendix F: Solaris Configuring rsh

Configuring rsh Between Two Hosts

Procedure F-1 lists the steps to enable a particular user to remote shell (rsh), without

password verification, between two hosts (A and B).

Linux installations do not use RSH by default.

Note: Procedure F-1 lets ca_ps.rsh function correctly in a redundant configuration.

Step Action

1. On machine A, put all the IP addresses of machine B (both virtual and

physical) into /etc/hosts with unique hostnames.

2. On machine A, put the hostnames (as defined in step 1) of machine B into

/etc/hosts.equiv.

3. On machine A, add entries for each of the hostnames of machine B plus

username, i.e. <machine_B_hostname> <username> into the .rhosts file of

<username>.

4. As a security measure, ensure the permissions for the .rhosts file are as

follows:

# ls -al .rhosts
-rw------- 1 otcaop otcaop 48 Feb 6 13:06 .rhosts

5. Repeat steps 1 to 4 for machine B.

Procedure F-1: Setting up rsh between two hosts
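A check of the trust files that Procedure F-1 creates, added here as an example and not part of the openCA guide. It verifies the step 4 permissions, that every .rhosts entry has the form <hostname> <username> for the expected user, and that each trusted hostname also appears in the hosts and hosts.equiv files. The function names, the oca02-v hostname and the 192.0.2.x addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the openCA guide): audit the rsh trust files that
# Procedure F-1 creates. File locations are arguments, so the check can be run
# against copies as well as against the live files.

# Constructed sample files for machine A. The addresses and the oca02-v name
# are made up; otcaop and oca02 are names used in the guide.
make_rsh_sample() {
    dir=$1
    printf '192.0.2.12 oca02\n192.0.2.32 oca02-v\n' > "$dir/hosts"
    printf 'oca02\noca02-v\n'                        > "$dir/hosts.equiv"
    printf 'oca02 otcaop\noca02-v otcaop\n'          > "$dir/rhosts"
    chmod 600 "$dir/rhosts"
}

# rsh_trust_findings RHOSTS USER HOSTS EQUIV: print one finding per line.
rsh_trust_findings() {
    rhosts=$1 user=$2 hosts=$3 equiv=$4
    [ -r "$rhosts" ] || { echo "rhosts: cannot read $rhosts"; return 0; }

    # Step 4: group and other must have no access, i.e. ls shows -rw-------
    perms=$(ls -ld "$rhosts" | cut -c5-10)
    [ "$perms" = "------" ] || echo "perms: $rhosts is open to group or other"

    # Step 3: every entry is exactly "<hostname> <username>" for this user.
    # A "+" entry matches any host or user, so it is always reported.
    awk -v user="$user" '
        NF == 0 { next }
        $1 ~ /^[+-]/ || $2 ~ /^[+-]/ { print "rhosts: line " NR " is a + or - entry"; next }
        NF != 2    { print "rhosts: line " NR " is not \"<hostname> <username>\""; next }
        $2 != user { print "rhosts: line " NR " trusts user " $2 ", expected " user }
    ' "$rhosts"

    # Steps 1 and 2: each trusted hostname is named in hosts and hosts.equiv.
    awk 'NF == 2 && $1 !~ /^[+-]/ { print $1 }' "$rhosts" | sort -u |
    while read -r h; do
        awk -v h="$h" '
            { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
            END { exit !found }' "$hosts" || echo "hosts: $h has no entry in $hosts"
        awk -v h="$h" '$1 == h { found = 1 } END { exit !found }' "$equiv" ||
            echo "equiv: $h is not listed in $equiv"
    done
}

# audit_rsh_trust RHOSTS USER HOSTS EQUIV: return 0 only when nothing is found.
audit_rsh_trust() {
    findings=$(rsh_trust_findings "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run against the constructed sample.
demo_dir=$(mktemp -d)
make_rsh_sample "$demo_dir"
audit_rsh_trust "$demo_dir/rhosts" otcaop "$demo_dir/hosts" "$demo_dir/hosts.equiv" &&
    echo "no findings"
rm -rf "$demo_dir"
```

On a live host the arguments would be the user's .rhosts file, the user name, /etc/hosts and /etc/hosts.equiv.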


Appendix G: Configuring Floating Virtual IP

Procedure for Configuring FVIP

A redundant openCA call agent pair may be contacted using a single virtual IP address.

This virtual IP address is held by the active call agent. If the standby call agent becomes

active, the virtual IP address is passed to the newly active call agent.

This virtual IP address is said to float between the call agent hosts and is therefore

referred to as a floating virtual IP address (FVIP).

Note: FVIP is not required in a standalone openCA configuration.

Configuring FVIP for Solaris

Procedure G-1 lists the steps used to configure an FVIP on a call agent host. This

procedure must be carried out on each call agent host in a redundant pair.

For illustrative purposes this procedure includes an example. In this example the call

agent pair is made up of hosts oca01 and oca02.

Step Action

1. Identify the physical network interface on which you want to configure the

logical FVIP interface.

Note: You must choose one of the signalling (call-control) interfaces, i.e.

not an interface which is being used for redundancy.

Enter the following command to view network interface card configurations:

ifconfig -a

Example output is shown in Example network interface card configurations

(Solaris) on page 103. In this example, we choose the hme0 physical signalling

interface for the logical FVIP interface. The other physical interface in the "call-

control" group, qfe0, will be used as an alternative interface if hme0 fails.


2. The new FVIP interface requires an IP address, so allocate a new IP address,

on the same subnet as the signalling interface chosen in the previous step.

In our example we choose 203.194.24.132 as our FVIP address.

3. As user root, edit /etc/hosts and add an entry for this new FVIP IP address.

In our example the following entry is added:

203.194.24.132 ocafvip

Additionally, if the FVIP IP address is to be used for H323 calls, the

myH323Listener listener entry should also be added to the FVIP address

(and removed from any other address):

203.194.24.132 ocafvip myH323Listener

Note: The myH323Listener must be placed after the ocafvip name in the

above example.

4. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and

make the following configuration changes in the FVip package:

peer.host = <other_host>
network.ipaddress = <fvip_address>
network.interface = <fvip_interface>
network.interface2 = <alternative_fvip_interface>

In our example, if this procedure was being carried out on host ibmblade1,

these entries would be configured as follows:

peer.host = oca02
network.ipaddress = ocafvip
network.interface = hme0
network.interface2 = qfe0

5. For the configuration change made in the previous step to take effect, the

machine must be either rebooted or the script started.

As user root, execute the following command to reboot the machine:

reboot

or

/etc/init.d/fvip_control stop
/etc/init.d/fvip_control start


Example network interface card configurations (Solaris)

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.127
        groupname call-control
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.127
qfe1: flags=9040843<UP,POINTOPOINT,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000843<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

In the example above:

• hme0, qfe0, qfe1 and qfe3 are all physical interfaces

• hme0 and qfe0 are the physical interfaces used for signalling (specifying an IP

multipathing group “call-control”)

• qfe1 and qfe3 are the physical interfaces used for redundancy (specifying an IP

multipathing group “redundancy”)

• lo0 is the loopback interface

• hme0:1, qfe0:1 are logical interfaces

6. Once the host has rebooted, check that the new FVIP interface has been

created by executing the following command as user root:

ifconfig -a

In our example the output is as shown in FVIP interface created sample output

(Solaris) on page 104. A new logical interface, hme0:2, has been created

using the ocafvip IP address (203.194.24.132).


Procedure G-1: Solaris Configuring the Floating Virtual IP address (FVIP) (Sheet 3 of 3)


FVIP interface created sample output (Solaris)

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 203.194.24.1 netmask ffffff00 broadcast 203.194.24.255
        groupname call-control
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.4 netmask ffffff00 broadcast 203.194.24.255
hme0:2: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 203.194.24.132 netmask ffffff00 broadcast 203.194.24.255
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 203.194.24.2 netmask ffffff00 broadcast 203.194.24.127
        groupname call-control
qfe0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.194.24.3 netmask ffffff00 broadcast 203.194.24.127
qfe1: flags=9040843<UP,POINTOPOINT,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
        inet 10.10.10.1 --> 10.10.10.2 netmask ffffff00
qfe3: flags=1000843<UP,POINTOPOINT,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.10.10.3 --> 10.10.10.4 netmask ffffff00

Configuring FVIP for Linux

Procedure G-2 lists the steps used to configure an FVIP on a call agent host. This

procedure must be carried out on each call agent host in a redundant pair.

Note: FVIP is not required in a standalone call agent configuration.

For the purposes of clarity, this procedure includes an example. In this example the

openCA pair is made up of hosts oca01 and oca02. Ethernet Bonding is assumed to be

configured as described in Linux IP Network Configuration.


Step Action

1. Identify the physical network interface on which you want to configure the

logical FVIP interface.

Note: You must choose one of the signalling (call-control) interfaces, i.e.

not an interface which is being used for redundancy.

Enter the following command to view the network interface card

configurations.

ifconfig -a

Example output is shown in Procedure G-2. In this example, we choose the

bond0 signalling interface on which to put our logical FVIP interface. Once

configured, the logical interface will be designated bond0:1 because it is the

first logical interface on bond0.

2. The bond0 interface can be used only if Ethernet Bonding is configured. For a

description of how to configure Ethernet Bonding, see Linux IP Network

Configuration on page 80.

We will assume that Ethernet Bonding is configured. Otherwise, you should

use the eth0 interface.

3. The new FVIP interface requires an IP address, so allocate a new IP address

on the same subnet as the signalling interface chosen in the previous step.

In our example, we choose 203.194.24.5 as our FVIP address.

4. As user root, edit /etc/hosts and add an entry for this new FVIP IP address.

In our example the following entry is added:

203.194.24.5 ocafvip

Additionally, if the FVIP IP address is to be used for H323 calls, then the

myH323Listener listener entry should also be added to the FVIP address

(and removed from any other address):

203.194.24.132 ocafvip myH323Listener


5. As user otcaop, edit /opt/OPENca/openCA-4.3.8/etc/fvip.conf and

ensure the following configuration exists in the FVip package:

peer.host = <other_host>
network.ipaddress = <fvip_address>
network.interface = <fvip_logical_interface>
network.broadcast = <fvip_broadcast_address>
network.netmask = <fvip_netmask>

In our example, if this procedure was being carried out on host ibmblade1,

these entries would be configured as follows:

peer.host = oca02
network.ipaddress = ocafvip
network.interface = bond0:1
network.broadcast = 203.194.24.255
network.netmask = 255.255.255.0

6. For the configuration change made in the previous step to take effect, the

machine must be either rebooted or the script started.

As user root, execute the following command to reboot the machine:

reboot

or

/etc/init.d/fvip_control stop
/etc/init.d/fvip_control start

7. Once the host has rebooted or the script started, check that the new FVIP

interface has been created by executing the following command as user root:

ifconfig -a

Example output is shown in Example network interface card configurations

(Linux) on page 107. A new logical interface has been created, bond0:1,

using our ocafvip IP address (203.194.24.5). This is the FVIP interface.

8. Check that the FVIP address has been disabled until the active call agent

takes control of the FVIP address. Use the following command as user root:

/etc/init.d/fvip_control status

Example output is shown in Example check that the FVIP address has been

disabled on page 108. When the active call agent takes over the FVIP

address, the rules mentioned above are deleted from the (ARP and IP) tables.


Procedure G-2: Linux Configuring the Floating Virtual IP address (FVIP) (Sheet 2 of 2)


Example network interface card configurations (Linux)

bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.118  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:63057826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13287903 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:2918350604 (2.7 GiB)  TX bytes:3263492140 (3.0 GiB)

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29223621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2551847261 (2.3 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:33834209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8844690 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:366503731 (349.5 MiB)  TX bytes:1482541306 (1.3 GiB)
          Interrupt:209 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2922845 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2922845 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1524791007 (1.4 GiB)  TX bytes:1524791007 (1.4 GiB)

In the example above:

• bond0 is the bonding interface

• eth0, eth1 are physical interfaces, slaved to bond0

• lo0 is the loopback interface

• ignore the sit0 interface

FVIP interface created sample output (Linux)

bond0     Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.5  Bcast:10.70.80.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:63057826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13287903 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:2918350604 (2.7 GiB)  TX bytes:3263492140 (3.0 GiB)

bond0:1   Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet addr:203.194.24.132  Bcast:10.70.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING NOARP SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:29223621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4443221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2551847261 (2.3 GiB)  TX bytes:1780952642 (1.6 GiB)

eth1      Link encap:Ethernet  HWaddr 00:13:20:83:D6:F2
          inet6 addr: fe80::213:20ff:fe83:d6f2/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:33834209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8844690 errors:5 dropped:0 overruns:5 carrier:5
          collisions:0 txqueuelen:1000
          RX bytes:366503731 (349.5 MiB)  TX bytes:1482541306 (1.3 GiB)
          Interrupt:209 Base address:0xe000

Example check that the FVIP address has been disabled

=================== IP tables ====================
Chain INPUT (policy ACCEPT 29G packets, 1565G bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- * * 0.0.0.0/0 203.194.24.5

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 24G packets, 1334G bytes)
 pkts bytes target prot opt in out source destination
 5655 3770K DROP all -- * * 203.194.24.5 0.0.0.0/0
=================== ARP tables ====================
Chain IN (policy ACCEPT 736K packets, 21M bytes)
 pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro
    1    28 DROP * * 0.0.0.0/0 203.194.24.5 00/00 00/00 any 0000/0000 0000/0000 0000/0000

Chain OUT (policy ACCEPT 13306 packets, 373K bytes)
 pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro
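The step 8 check can be scripted so that a half-applied rule set is not mistaken for either of the two states the procedure describes. The following is an added example, not part of the openCA guide: it reads the status output and reports whether the DROP rules for the FVIP address are all present, all absent, or only partly present. It assumes one rule per line with the column order of the sample output; the function names and state labels are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the openCA guide): classify the output of
# "/etc/init.d/fvip_control status" for one FVIP address.
# Assumption: one rule per line, columns ordered as in the guide's sample.

# Constructed sample, modelled on the guide's sample output for a host that
# does not currently hold the FVIP address.
sample_status() {
    cat <<'EOF'
=================== IP tables ====================
Chain INPUT (policy ACCEPT 29G packets, 1565G bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- * * 0.0.0.0/0 203.194.24.5

Chain OUTPUT (policy ACCEPT 24G packets, 1334G bytes)
 pkts bytes target prot opt in out source destination
 5655 3770K DROP all -- * * 203.194.24.5 0.0.0.0/0
=================== ARP tables ====================
Chain IN (policy ACCEPT 736K packets, 21M bytes)
 pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro
    1    28 DROP * * 0.0.0.0/0 203.194.24.5 00/00 00/00 any 0000/0000 0000/0000 0000/0000
EOF
}

# fvip_fence_state ADDR: read status output on stdin and print one of
#   fenced    all three DROP rules present (address disabled on this host)
#   released  none present (this host has taken over the address)
#   partial   some present; the missing rules are listed
fvip_fence_state() {
    awk -v ip="$1" '
        /^=+ IP tables =+/  { section = "ip";  chain = ""; next }
        /^=+ ARP tables =+/ { section = "arp"; chain = ""; next }
        $1 == "Chain"       { chain = $2; next }
        $3 != "DROP"        { next }
        # IP tables columns: pkts bytes target prot opt in out source destination
        section == "ip"  && chain == "INPUT"  && $9 == ip { have["ip-in"]  = 1 }
        section == "ip"  && chain == "OUTPUT" && $8 == ip { have["ip-out"] = 1 }
        # ARP tables columns: pkts bytes target in out source-ip destination-ip
        section == "arp" && chain == "IN"     && $7 == ip { have["arp-in"] = 1 }
        END {
            n = split("ip-in ip-out arp-in", want, " ")
            for (i = 1; i <= n; i++) {
                if (want[i] in have) { found++ } else { missing = missing " " want[i] }
            }
            if (found == n)      { print "fenced" }
            else if (found == 0) { print "released" }
            else                 { print "partial: missing" missing }
        }
    '
}

# Stand-alone run against the constructed sample.
sample_status | fvip_fence_state 203.194.24.5
```

On a call agent host the input would come from `/etc/init.d/fvip_control status` run as root.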


Appendix H: Configuring SNMP Reporting

Procedure for Configuring SNMP Alarms and Alerts

If SNMP Reporting of Alarms and Alerts is required, you must provide a suitable third-

party SNMP Management Application. Part of the installation depends on the

Management Application chosen.

Solaris and Linux

Step Action

1. Open the configuration file:

/opt/OPENca/current/etc/CA_ApplicationMonitor.conf

2. In the CA_ApplicationMonitor.conf file, find the package SNMP.

• if SNMP is required, set the parameter AlarmManager.Required to 1

• if SNMP is not required, set the parameter AlarmManager.Required to 0 and perform no further steps in this procedure.


3. Configure the SNMP destinations.

Set the AlarmManager.Destination parameter to a space-separated list of

(one or more) destinations to which SNMP traps are to be sent.

Specify each destination using any of the following formats:

<hostname>
<hostname>:<port>
<IP address>
<IP address>:<port>

If you do not specify a port, the standard SNMP trap port 162 is used.

A destination may be a third-party SNMP management application or an

SNMP trap distribution agent, running on the same or a different server.

To specify the same server, use localhost as the <hostname>, for example:

AlarmManager.Destination = localhost manager.mydomain:2162 10.70.12.219

4. The SNMP Management Application may require knowledge of the enterprise

OID defined for Fastwire. If so, ensure it is configured as: 1.3.6.1.4.1.5373.

The procedure for configuring the enterprise OID may be different for each

SNMP Management Application. Refer to your SNMP Management

Application documentation for information on how to configure the enterprise

OID.

5. The SNMP Management Application may require access to the Management

Information Base ("MIB") files that specify the contents of the SNMP Alarm

and Alert reports. The MIB files are located in /opt/OPENca/current/skel/

mib_core.txt
ot_mib.txt
oca_mib.txt

The procedure for configuring the MIB files may be different for each SNMP

Management Application. Refer to your SNMP Management Application

documentation for information on how to configure the MIB files.


Procedure H-1: Configuring SNMP Alarm and Alert Reporting (Sheet 2 of 2)


Appendix I: Example Linux Installation

Procedure for Installing Red Hat Enterprise Server

Procedure I-1 is provided for information purposes only. It is not intended to be a

replacement for the RedHat product documentation. For information on how to install the

Linux operating system, consult the documentation provided with the Linux installation.

Step Action

1. Insert Installation Disk 1

Select [ENTER] to install or upgrade in graphical mode.

2. Select [SKIP] CD media testing

3. The installation program anaconda should start. After a short period of time,

the Welcome screen is displayed.

4. Select [NEXT].

The Language selection screen should appear.

Select the required language. For example English.

5. Select [NEXT].

The keyboard selection screen should appear.

Select the required keyboard. For example US English.

6. Select [NEXT].

The "Installation Number" dialogue box will appear.

7. Enter the installation number, or, click the Skip entering Installation Number

button, then select [OK].

If you clicked the Skip entering Installation Number button, a new dialog box

appears and you will need to select [SKIP] again.

The Disk Partitioning Setup screen should appear.


8. Select Create custom layout in the dropdown box.

Click the Review and modify partitioning layout tick box.

Select [NEXT].

The Disk Partitioning Setup screen should appear.

9. Set up the required disk partitions, including any required disk mirroring.

For IBM Blade Center installations, hardware disk mirroring should be used.

Consult the Blade Center documentation for information on how to set up

hardware disk mirroring.

10. Select [NEXT].

If existing partitions are being reformatted, the Format Warnings dialog box

appears.

11. Verify that the information is correct, then select [Format].

The next screen is the Boot Loader Configuration screen. The default values

for the information on this screen should already be correct.

12. Select [NEXT].

The Network Configuration screen should appear.

13. For each network interface (for example eth0, eth1):

• Select [EDIT] to edit the interface.

• Manually set IP Address and Network parameters.

14. Select [NEXT].

The Timezone Selection screen should appear.

15. Select the timezone from the graphical map.

Ensure the System Clock uses UTC box is selected, then select [NEXT].

The Root Password screen should appear.

16. Set the root password, then select [NEXT].

The “Reading Package Information ..” message should appear, then the

Package Installation screen.

17. Select the Software Development tick box.

Select [NEXT].

The “Click next to begin Installation” screen is displayed.

18. Select [NEXT].

The "Required Install Media" dialog box is displayed.


19. Select [CONTINUE] to continue with the installation.

Insert Disks as required.

20. When the Linux Installation is complete, select [REBOOT].

After a short time the Welcome screen appears.

21. Select [FORWARD].

The Licence Agreement screen should appear.

22. Select “Yes, I agree to the licence agreement”.

Select [FORWARD].

The Firewall screen should appear.

23. Select Firewall Disabled.

Select [FORWARD].

A warning Dialog box appears asking whether the firewall really should be

disabled.

24. Select [YES].

The SELinux screen appears.

25. Select SELinux Setting "Disabled".

Select [FORWARD].

A warning dialog box appears, informing you that a reboot will again be required after

setup is completed.

26. Select [YES].

The KDump screen will appear.

27. Select [FORWARD].

The Date and Time screen should appear.

28. Select the Network Time Protocol tab.

Enable Network Time Protocol.

Add NTP Servers as required.

Select [FORWARD].

The install process attempts to contact the NTP servers added, then the Set

Up Software Updates screen appears.

29. After deciding whether to register, select [FORWARD].

The Finish Updates Setup screen appears.


30. Select [FORWARD].

The Create User screen appears.

31. Do not create a user.

Select [FORWARD].

A warning Dialog box appears, encouraging you to create a user. Do not.

32. Select [Continue].

The Sound Card screen should appear.

33. Select [FORWARD].

The Additional CDs screen appears.

34. Select [FINISH].

A warning dialog box appears, saying that the system must now reboot.

35. Select [OK].

After a short time the login screen appears.

36. Login as root.

37. Place Installation CDROM #3 (or the Installation DVD) in the drive.

RHEL 5.2 should automatically mount it.

38. Go into the Server directory and install arptables and openssl using the

following commands:

rpm -i arptables_jf-0.0.8-8.i386.rpm
rpm -i openssl097a-0.9.7a-9.el5_2.1.i386.rpm

39. To check what services are running, use the command:

# chkconfig --list


40. Turn off any unnecessary services using the command:

chkconfig --level 23456 <service> off

for each of the following <service>:

• iptables

• sendmail

• autofs

• arptables_jf

• cups

Note: Turning off iptables is optional. If you retain them, see IP TABLES

(Linux) on page 97 for filtering rule recommendations.

41. If you wish to turn off the loading of the graphical interface, edit the

/etc/inittab file.

Change from:

id:5:initdefault

to

id:3:initdefault

REBOOT for this to take effect.

42. Limits (user limits)

Check the /etc/profile file to see if cores are allowed for users. Ensure the

following line starts with a ‘#’, for example:

# ulimit -S -c 0 > /dev/null 2>&1

Ensure hard and soft limits for core files are set in

/etc/security/limits.conf:

* hard core 4000000
* soft core 4000000
* hard stack 1024000
* soft stack 10240
* hard memlock 4096000
* soft memlock 102400
* hard rss 4096000
* soft rss 4096000

REBOOT for this to take effect


43. Check /etc/sysconfig/network to ensure network settings are as

expected. There should be entries for:

NETWORKING=yes
HOSTNAME=<hostname>
GATEWAY=<gateway>

44. Check /etc/resolv.conf to ensure settings are as expected.

There may be entries for nameserver, but should not be any for search.

For example:

nameserver <nameserver address>


Procedure I-1: Sample RedHat Linux ES5 Installation Procedure (Sheet 6 of 6)


Appendix J: IPTABLES Configuration File

Overview

Below is an example of the /etc/sysconfig/iptables file on an openCA host. In this

example openCA runs on IP addresses 10.70.80.108 and 10.70.80.109, with fvip on IP

address 10.70.80.95. The subnet mask is 255.255.255.0.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -s 10.70.80.0/24 -d 10.70.80.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type BROADCAST -j ACCEPT
-A RH-Firewall-1-INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.0.0/24 -d 10.70.80.108/32 -p tcp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.1.1/32 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 224.0.0.251/32 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.1.141/32 -p udp --dport 1718 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.110/32 -p tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.79.104.12/32 -d 10.70.80.110/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p 132 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.210/32 -p udp --sport 2427 --dport 2727 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
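A review aid for rule sets like the one above and the rules in Procedure E-2, added here as an example and not part of the openCA guide. It lists ACCEPT rules that admit any source or every port of a protocol, rules placed after the final REJECT, and any rule that matches TCP port 123 (NTP runs over UDP port 123, so such a rule does not admit NTP packets). The tag names and function names are made up for the example, and the sample is a subset of the Appendix J rules plus one constructed rule.

```shell
#!/bin/sh
# Added example (not part of the openCA guide): list rules in an
# iptables-save style file, such as /etc/sysconfig/iptables, that deserve
# a second look. A finding is a prompt for review, not proof of a fault.

# Subset of the Appendix J rules, plus one constructed rule placed after the
# final REJECT to exercise the UNREACHABLE check.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.109/32 -d 10.70.80.108/32 -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.0.0/24 -d 10.70.80.108/32 -p tcp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -d 10.70.80.108/32 -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -d 10.70.80.108/32 -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.70.80.10/32 -p udp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 10.70.80.0/24 -p tcp --dport 12345 -j ACCEPT
COMMIT
EOF
}

# audit_iptables [CHAIN]: read rules on stdin and print one finding per line
# as "TAG<TAB>input line number<TAB>rule".
#   ANY-SOURCE       TCP/UDP ACCEPT with no -s restriction
#   ALL-PORTS        TCP/UDP ACCEPT with no --dport restriction
#   NTP-OVER-TCP     rule matches TCP port 123; NTP uses UDP port 123
#   UNREACHABLE      ACCEPT placed after the catch-all REJECT or DROP
#   NO-DEFAULT-DENY  the chain has no catch-all REJECT or DROP
audit_iptables() {
    awk -v chain="${1:-RH-Firewall-1-INPUT}" '
        function report(tag) { printf "%s\t%d\t%s\n", tag, NR, $0 }
        $1 != "-A" || $2 != chain { next }
        {
            src = proto = dport = target = ""
            for (i = 3; i < NF; i++) {
                if      ($i == "-s")      src    = $(i + 1)
                else if ($i == "-p")      proto  = $(i + 1)
                else if ($i == "--dport") dport  = $(i + 1)
                else if ($i == "-j")      target = $(i + 1)
            }
            # A rule with no match criteria that rejects or drops ends the chain.
            catchall = ($3 == "-j" && (target == "REJECT" || target == "DROP"))
            if (closed && target == "ACCEPT") { report("UNREACHABLE"); next }
            if (catchall) { closed = 1; next }
            if (target != "ACCEPT" || (proto != "tcp" && proto != "udp")) next
            if (src == "")   report("ANY-SOURCE")
            if (dport == "") report("ALL-PORTS")
            if (proto == "tcp" && dport == "123") report("NTP-OVER-TCP")
        }
        END {
            if (!closed)
                printf "NO-DEFAULT-DENY\t0\t%s has no final REJECT or DROP\n", chain
        }
    '
}

# Stand-alone run against the sample.
sample_rules | audit_iptables
```

Some findings are expected by design, for example the SIP rule on UDP port 5060, which has to be reachable by clients.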


Appendix K: IPFILTER Configuration File

Overview

Below is an example of the /etc/ipf/ipf.conf file for an openCA host. In this example,

openCA runs on IP addresses 10.70.80.100 and 10.70.80.100, with fvip on IP address

10.70.80.95. The subnet mask is 255.255.255.0.

@1 block in log all

# TCP between the peers (covers SDF, FVIP, Redundancy)
@2 pass in log quick proto tcp from 10.70.80.100/32 to 10.70.80.90/32

# UDP between the peers
@3 pass in log quick proto udp from 10.70.80.100/32 to 10.70.80.90/32

# Local Loopback
@4 pass in log quick on lo0

# NTP
@5 pass in log quick from 10.70.0.0/24 port=123 to 10.70.80.90/32 port=123
@6 pass in log quick from 10.70.80.0/24 to 224.0.1.1/32

# DNS
@7 pass in log quick from 10.70.80.0/24 to 224.0.0.251/32

# SSH
@8 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port = 22 keep state
@9 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@10 pass in log quick proto tcp from 10.70.80.10/32 to 10.70.80.90/32 keep state

# Multicast & Broadcast (MMI)
@11 pass in log quick from 10.70.80.0/24 to 239.255.0.133/32
@12 pass in log quick from 10.70.80.0/24 to 10.70.80.255

# SIP
@13 pass in log quick proto udp from any to 10.70.80.90/32 port=5060 keep state
@14 pass in log quick proto udp from any to 10.70.80.95/32 port=5060 keep state

# H323
@15 pass in log quick from any to 224.0.1.141/32 port = 1718 keep state
@16 pass in log quick proto udp from any to 10.70.80.0/24 port = 1719 keep state
@17 pass in log quick proto tcp from any to 10.70.80.90/24 port = 1720 keep state
@18 pass in log quick proto tcp from any to 10.70.80.95/24 port = 1720 keep state
@19 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.90/32 keep state
@20 pass in log quick proto tcp from 10.79.104.12 to 10.70.80.95/32 keep state

# WebDB
@21 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port=5432 keep state
@22 pass in log quick proto tcp from 10.70.80.0/24 to 10.70.80.90/32 port=12345 keep state
@23 pass in log quick proto tcp from any to 10.70.80.90/32 port=443 keep state

# OPENca
@24 pass in log quick proto icmp from any to any icmp-type 0 keep state
@25 pass in log quick proto icmp from any to any icmp-type 11 keep state
@26 pass in log quick proto icmp from 10.70.80.0/24 to 10.70.80.0/24 keep state

# SG-s/ MGW-s
@27 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.90/32 keep state
@28 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.90/32 keep state
@29 pass in log quick proto 132 from 10.70.80.210/32 to 10.70.80.95/32 keep state
@30 pass in log quick proto 132 from 10.70.80.10/32 to 10.70.80.95/32 keep state
@31 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.90/32 port = 2727 keep state
@32 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.90/32 keep state
@33 pass in log quick proto udp from 10.70.80.210/32 port = 2427 to 10.70.80.95/32 port = 2727 keep state
@34 pass in log quick proto udp from 10.70.80.10/32 to 10.70.80.95/32 keep state
