CISCO Release 24.2.0 CPS Operations Guide

Specifications
- Product Name: CPS Operations Guide
- Release Version: 24.2.0
- First Published: 2024-09-18
- Manufacturer: Cisco Systems, Inc.
- Headquarters: 170 West Tasman Drive San Jose, CA 95134-1706 USA
- Website: www.cisco.com
- Contact Tel: 0086 27-59706891
Product Usage Instructions
Restarting Services on Policy Director (lb01 and lb02)
To restart services on Policy Director (lb01 and lb02), follow these steps:
- Access the Policy Director interface.
- Navigate to the Services section.
- Select the services you want to restart.
- Click on the Restart button.
- Verify that the services have restarted successfully.
Recovering After a Power Outage
To recover after a power outage, use the following guidelines:
- Initiate Recovery Control procedures as outlined in the manual.
- Monitor Cluster State post-power outage.
- Ensure Controlled Startup of all necessary services.
CPS Operations Guide, Release 24.2.0
First Published: 2024-09-18
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2024 Cisco Systems, Inc. All rights reserved.
Contents
PREFACE
Preface xiii About This Guide xiii Audience xiii Additional Support xiv Conventions (all documentation) xiv Communications, Services, and Additional Information xv Important Notes xvi
Chapter 1
CPS Basic Operations 1 Starting and Stopping CPS 1 Starting VMs Using VMware GUI 1 Shutting Down the Cisco Policy Server Nodes 1 Policy Director (LB) or Policy Server (QNS) Nodes 2 OAM (pcrfclient) Nodes 2 sessionmgr Nodes 3 Restarting the Cisco Policy Server 3 Restarting Database Services 3 Restarting Policy Server Services 4 Restarting All Policy Server Services 4 Restarting All Policy Server Services on a Specific VM 4 Restarting Individual Policy Server Services on a Specific VM 5 Restarting Services Managed by Monit 5 Restarting Other Services 5 Restarting Subversion 5 Restarting Policy Builder 6 Restarting Control Center 6
CPS Operations Guide, Release 24.2.0 iii
Restarting Services on Policy Director (lb01 and lb02) 6 Recovering After a Power Outage 6 Recovery Control 7 Cluster State Monitoring 7 Controlled Startup 8 Switching Active and Standby Policy Directors 9 Determining the Active Policy Director 9 Switching Standby and Active Policy Directors 10 Backing Up and Restoring 10 Adding or Replacing Hardware 11 Export and Import Service Configurations 11
Chapter 2
Managing CPS Disks 13 Adding a New Disk 13 Prerequisites 13 ESX Server Configuration 13 Target VM Configuration 14 Update the collectd process to use the new file system to store KPIs 14 Mounting the Replication Set from Disk to tmpfs After Deployment 15 Scenario 1 Mounting All Members of the Replication Set to tmpfs 15 Scenario 2 Mounting Specific Members of the Replication Set to tmpfs 16 Manage Disks to Accommodate Increased Subscriber Load 17 Clone Sessionmgr01 VM 17 Disk Repartitioning of Sessionmgr01 VM 17 Cloning and Disk Repartitioning of Sessionmgr02 VM 21
Chapter 3
Managing CPS Licenses 23 Smart Software Licensing 23 Classic Licensing 23 Comparison between Licensing Models 24 Smart Accounts/Virtual Accounts 25 Request a Cisco Smart Account 26 Cisco Smart Software Manager 26 License Conversion 27 Enable Smart Licensing for CPS 27 Product ID Tags 29 Smart Licensing CLI Commands 29 License Usage Threshold 31 Configuration 31 Validation Steps 32
Chapter 4
Managing CPS Interfaces and APIs 33 CPS Interfaces and APIs 33 Control Center GUI Interface 33 CRD REST API 34 Grafana 37 HAProxy 37 JMX Interface 38 Logstash 38 LDAP SSSD 40 Configure Policy Builder 42 Configure Grafana 42 Mongo Database 45 Adding New Replica-set Members 47 Replica Set Arbiter: Security 51 Admin Database 51 OSGi Console 53 Policy Builder GUI 57 REST API 57 Rsyslog 58 Rsyslog Customization 58 SVN Interface 58 CPS 7.0 and Higher Releases 60 CPS Versions Earlier than 7.0 60 TACACS+ Interface 61 Unified API 62 Accessing the CPS CLI 62 Support for Multiple User Login Credentials 63 Multi-user Policy Builder 64 Create Users 64 Revert Configuration 65 Publishing Data 66 Control Center Access 66 Add a Control Center User 67 Update Control Center Mapping 67 Multiple Concurrent User Sessions 68 Configure Session Limit 69 Configure Session Timeout 69 Important Notes 70 Enable Authentication for Unified API 70 Unified API Security: Access Privileges 72 Enable Authentication for Unified API 72 WSDL and Schema Documentation 74 Enabling Unified API Access on HTTP Port 8080 74 TACACS+ 76 Overview 77 TACACS+ Service Requirements 77 Caching of TACACS+ Users 78 Reading Log Files 79 CRD APIs 80 Limitations 80 Setup Requirements 80 Policy Server 80 Policy Builder 80 Architecture 85 MongoDB 85 Caching 85 API Endpoints and Examples 86 Query API 86 Create API 87 Update API 88 Delete API 88 Data Comparison API 89 Table Drop API 90 Export API 91 Export Golden CRD API 92 Import API 93 Import Single File API 94 Snapshot POST API 95 Snapshot GET API 96 Revert API 97 Tips for Usage 97 View Logs 97 Policy Builder Publish and CRD Import/Export Automation 98 Remove Traces of Old Policy Director (LB) VIPs 100
Chapter 5
Tracking CPS GUI and API Usage 103 Track Usage 103 Capped Collection 103 PurgeAuditHistoryRequests 103 AuditRequests 103 Operation 104 Initial Setup 104 Read Requests 104 APIs 105 Querying 105 Purging 105 Purge History 106 Control Center 106 PurgeAuditHistoryRequest 106 QueryAuditHistoryRequest 107 Policy Builder 109 Reporting 109 Audit Configuration 110 Pre-configured auditd 114
Chapter 6
Graphite/Prometheus and Grafana 117 Overview 117 Prometheus 117 Enable Prometheus 118 Add Datasource in Grafana for Prometheus 119 Graphite 122 Additional Graphite Documentation 123 Grafana 123 Additional Grafana Documentation 123 Configure Grafana Users using CLI 123 Add User 124 Delete User 124 Connect to Grafana 125 Grafana Administrative User 125 Log in as Grafana Admin User 126 Change Grafana Admin User Credentials 126 Add a Grafana User 127 Change the Role of Grafana User 129 Add an Organization 130 Move Grafana User to another Organization 131 Configure Grafana for First Use 132 Migrate Existing Grafana Dashboards 132 Configuring Graphite User Credentials in Grafana 134 Accessing Graphite Database Using CLI 135 Changing Default graphite_default User Password 135 Manual Dashboard Configuration using Grafana 136 Create a New Dashboard Manually 136 Configure Data Points for the Panel 138 Configure Useful Dashboard Panels 141 Updating Imported Templates 143 Copy Dashboards and Users to pcrfclient02 143 Configure Garbage Collector KPIs 144 Backend Changes 144 Frontend Changes 145 Export and Import Dashboards 146 Export Dashboard 146 Import Dashboard 147 Export Graph Data to CSV 148 Session Consumption Report 149 Introduction 149 Data Collection 150 Logging 150 Performance 150 Log Rotation 150 Sample Report 150 Resync Member of a Replica Set 151
Chapter 7
Managing High Availability in CPS 153 HAProxy 153 HAProxy Service Operations 153 Diagnostics 153 Service Commands 154 HAProxy Statistics 154 Changing HAProxy Log Level 154 Expanding an HA Deployment 155 Typical Scenarios When Expansion is Necessary 155 Hardware Approach to Expanding 155 High Availability Consequences 156 Adding a New Blade 156 Component (VM Node) Approach to Expanding 156 Adding Additional Component 156 Enable SSL 157
Chapter 8
CPS Statistics 159 Bulk Statistics Overview 159 Grafana 160 CPS Statistics 160 Overview 160 CPS Statistic Types 162 Diameter Statistics 162 LDAP Statistics 162 System Statistics 162 Engine Statistics 163 Error Statistics Definitions 163 Bulk Statistics Collection 163 Retention of CSV Files 164 Configuring Logback.xml 164 Restarting the Collectd Service 165 Adding Realm Names to Diameter Statistics 165 CPS KPI Monitoring 166 System Health Monitoring KPIs 166 Session Monitoring KPIs 169 Diameter Monitoring KPIs 171 Database Fragmentation Monitoring KPIs 188 Configure Custom Database Fragmentation Threshold Percentage 190 Example CPS Statistics 190 Sample CSV Files 190 Sample Output 191
Chapter 9
Working with CPS Utilities 193 Policy Tracing and Execution Analyzer 193 Architecture 193 Administering Policy Traces 193 Managing Trace Rules using trace_ids.sh 194 Managing Trace Results using trace.sh 196 Policy Trace Database 197 Configure Traces Database in Policy Builder 197 Network Cutter Utility 197 Policy Builder Configuration Reporter 198 CRD Generator Conversion Tool 199 Policy Builder Configuration Converter Conversion Tool 202 Modifying Audit Rule File 203 Support for CPS Auto Healing in Case of Endpoint Heart Beat Failures 204 Log Collector 206
Chapter 10
CPS Commands 207 about.sh 208 adduser.sh 208 auditrpms.sh 209 build_all.sh 209 build_etc.sh 211 build_set.sh 212 capture_env.sh 212 change_passwd.sh 213 cleanup_license.sh 214 component_alarm_reports.py 214 copytoall.sh 215 diagnostics.sh 216 deploy_all.py 224 dump_utility.py 225 generate_encrypted_password.sh 229 grafana_update_query.sh 229 list_installed_features.sh 230 logcollector.sh 232 reinit.sh 234 restartall.sh 234 restartqns.sh 235 runonall.sh 235 service 236 session_cache_ops.sh 236 Syntax 236 Options 237 Executable on VMs 240 set_priority.sh 240 startall.sh 241 startqns.sh 242 statusall.sh 243 stopall.sh 244 stopqns.sh 245 summaryall.sh 246 sync_times.sh 259 syncconfig.sh 259 terminatesessions 260 show 261 cancel 262 top_qps.sh 263 Diameter Synchronization Message Behavior 264 vmutilities.py 264 vm-init.sh 266
Preface
· About This Guide, on page xiii
· Audience, on page xiii
· Additional Support, on page xiv
· Conventions (all documentation), on page xiv
· Communications, Services, and Additional Information, on page xv
· Important Notes, on page xvi
About This Guide
Note The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. While any existing biased terms are being substituted, exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.
This document is a part of the Cisco Policy Suite documentation set. For information about available documentation, see the CPS Documentation Map for this release at Cisco.com.
Note The PATS/ATS, ANDSF, and MOG products have reached end of life and are not supported in this release. Any references to these products (specific or implied), their components or functions in this document are coincidental and are not supported. Full details on the end of life for these products are available at: https://www.cisco.com/c/en/us/products/wireless/policy-suite-mobile/eos-eol-notice-listing.html.
Audience
This guide is best used by these readers:
· Network administrators
· Network engineers
· Network operators
· System administrators
This document assumes a general understanding of network architecture, configuration, and operations.
Additional Support
For further documentation and support:
· Contact your Cisco Systems, Inc. technical representative.
· Call the Cisco Systems, Inc. technical support number.
· Write to Cisco Systems, Inc. at support@cisco.com.
· Refer to support matrix at https://www.cisco.com/c/en/us/support/index.html and to other documents related to Cisco Policy Suite.
Conventions (all documentation)
This document uses the following conventions.
Convention: Indication
bold font: Commands and keywords and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Elements in square brackets are optional.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
< >: Nonprinting characters such as passwords are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Caution means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Warning
IMPORTANT SAFETY INSTRUCTIONS
Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.
SAVE THESE INSTRUCTIONS
Note Regulatory: Provided for additional information and to comply with regulatory and customer requirements.
Communications, Services, and Additional Information
· To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
· To get the business impact you're looking for with the technologies that matter, visit Cisco Services.
· To submit a service request, visit Cisco Support.
· To discover and browse secure, validated enterprise-class apps, products, solutions and services, go to Cisco DevNet.
· To obtain general networking, training, and certification titles, visit Cisco Press.
· To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.
Important Notes
Important Any feature or GUI functionality that is not documented may not be supported in this release or may be customer specific, and must not be used without consulting your Cisco Account representative.
Chapter 1
CPS Basic Operations
· Starting and Stopping CPS, on page 1
· Restarting the Cisco Policy Server, on page 3
· Recovering After a Power Outage, on page 6
· Backing Up and Restoring, on page 10
· Adding or Replacing Hardware, on page 11
· Export and Import Service Configurations, on page 11
Starting and Stopping CPS
This section describes how to start and stop Cisco Policy Server nodes, VMs, and services.
Starting VMs Using VMware GUI
Procedure
Step 1 Start a VMware vSphere session.
Step 2 Right-click the VM and select Power > Power On.
Important If the Policy Server (QNS) VM was previously powered off, it must be powered on only during a Maintenance Window or at a low-traffic time. If the VM is powered on during high traffic, the qns java process starts taking load as soon as it comes up. As a result there can be timeouts and high CPU on the Policy Server (QNS) VM for around 60 seconds, during the JVM hotspot warmup time. Once the JVM warmup phase is completed, the VM is able to handle traffic smoothly.
Step 3 After the VM has started, log into the VM from Cluster Manager and verify that the processes are running.
Shutting Down the Cisco Policy Server Nodes
The following sections describe the commands to shut down the Cisco Policy Server nodes:
Policy Director (LB) or Policy Server (QNS) Nodes
Procedure
Step 1 SSH to the lbxx or qnsxx node from Cluster Manager:
ssh lbxx or ssh qnsxx
Step 2 Stop all CPS processes on the node:
/usr/bin/monit stop all
Step 3 Check the status of all the processes. Verify that all processes are stopped before proceeding:
/usr/bin/monit summary
Step 4 Stop the monit process:
service monit stop
Step 5 Shut down lbxx/qnsxx:
shutdown -h now
OAM (pcrfclient) Nodes
Procedure
Step 1 SSH to the pcrfclientxx node from Cluster Manager:
ssh pcrfclientxx
Step 2 Stop all CPS processes on the node:
/usr/bin/monit stop all
Step 3 Check the status of all the processes. Verify that all processes are stopped before proceeding:
/usr/bin/monit summary
Step 4 Stop the monit process:
service monit stop
Step 5 Stop the licenses process:
service lmgrd stop
Step 6 Shut down pcrfclientxx:
shutdown -h now
sessionmgr Nodes
Procedure
Step 1 SSH to the sessionmgrxx node from Cluster Manager:
ssh sessionmgrxx
Step 2 Stop all CPS processes on the node:
/usr/bin/monit stop all
Step 3 Check the status of all the processes. Verify that all processes are stopped before proceeding:
/usr/bin/monit summary
Step 4 Stop the monit process:
service monit stop
Step 5 For CPS nodes, such as sessionMgrs, there are mongo processes running that require special steps to stop. First, determine which processes are running by executing:
ls /etc/init.d/sessionmgr*
Step 6 Make sure the mongo replica-set member on this node is in the secondary state (step it down if it is primary):
/usr/bin/mongo --port $PORT --eval "rs.stepDown(10)"
where PORT is the port number found in the previous step, such as 27717.
Step 7 Stop the MongoDB processes. For example:
systemctl stop sessionmgr-27717
Step 8 Shut down sessionmgrxx:
shutdown -h now
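The sessionmgr shutdown above, scripted as an added example (not part of the Cisco guide): the "verify all processes are stopped" check is done by inspecting `monit summary` instead of by eye, and the mongo ports are taken from the init scripts rather than typed in. The parsing helpers read text on stdin so they can be exercised without a CPS node; the real commands run only when the script (a hypothetical shutdown_sessionmgr.sh) is invoked with --run.

```shell
# Added example, not from the Cisco guide. Run on a sessionmgr node as:
#   sh shutdown_sessionmgr.sh --run
# Without --run only the helper functions are defined.

# Return 0 when the `monit summary` listing on stdin shows no Process that is
# still Running; otherwise print the offending lines on stderr and return 1.
monit_all_stopped() {
    still_running=$(awk '/^Process/ && /Running/ { print }')
    if [ -n "$still_running" ]; then
        printf 'still running:\n%s\n' "$still_running" >&2
        return 1
    fi
    return 0
}

# Turn `ls /etc/init.d/sessionmgr*` output on stdin into one mongo port per
# line (/etc/init.d/sessionmgr-27717 -> 27717), ignoring anything else.
sessionmgr_ports() {
    sed -n 's#.*/sessionmgr-\([0-9][0-9]*\)$#\1#p'
}

# Steps 6 and 7 for one mongo instance: ask it to step down so that another
# replica-set member becomes PRIMARY, then stop the service. rs.stepDown()
# fails on a member that is already SECONDARY and drops the shell connection
# on some versions, so a non-zero exit from the mongo shell is expected here.
stop_mongo_instance() {
    port=$1
    /usr/bin/mongo --port "$port" --eval "rs.stepDown(10)" || true
    systemctl stop "sessionmgr-$port"
}

if [ "${1:-}" = "--run" ]; then
    /usr/bin/monit stop all                      # step 2
    attempt=0                                    # step 3: wait for it, do not assume it
    until /usr/bin/monit summary | monit_all_stopped; do
        attempt=$((attempt + 1))
        if [ "$attempt" -ge 6 ]; then
            echo "processes still running after 60s, aborting shutdown" >&2
            exit 1
        fi
        sleep 10
    done
    service monit stop                           # step 4
    for port in $(ls /etc/init.d/sessionmgr* | sessionmgr_ports); do   # steps 5-7
        stop_mongo_instance "$port"
    done
    shutdown -h now                              # step 8
fi
```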
Restarting the Cisco Policy Server
CPS is composed of a cluster of nodes and services. This section describes how to restart the different services running on various CPS nodes.
Restarting Database Services
Each database port and configuration is defined in the /etc/broadhop/mongoConfig.cfg file. The scripts that start/stop the database services can be found in the /usr/bin directory on the CPS nodes.
To stop and start a database, log into each Session Manager VM and execute the commands as shown below. For example, to restart the sessionmgr 27717 database, execute:
systemctl stop sessionmgr-27717
systemctl start sessionmgr-27717
or:
systemctl restart sessionmgr-27717
Note It is important not to stop and start all of the databases in the same replica-set at the same time. As a best practice, stop and start databases one at a time to avoid service interruption.
Restarting Policy Server Services
If the Policy Server (QNS) VM was previously powered off, it must be powered on only during a Maintenance Window or at a low-traffic time. If the VM is powered on during high traffic, the qns java process starts taking load as soon as it comes up. As a result there can be timeouts and high CPU on the Policy Server (QNS) VM for around 60 seconds, during the JVM hotspot warmup time. Once the JVM warmup phase is completed, the VM is able to handle traffic smoothly.
Restarting All Policy Server Services
To restart all Policy Server (QNS) services on all VMs, execute the following from the Cluster Manager:
/var/qps/bin/control/restartall.sh
Note This script only restarts the Policy Server (QNS) services. It does not restart any other services.
Caution Executing restartall.sh will cause messages to be dropped. Use summaryall.sh or statusall.sh to see details about these services.
Restarting All Policy Server Services on a Specific VM
To restart all Policy Server (QNS) services on a single CPS VM, execute the following from the Cluster Manager:
/var/qps/bin/control/restartqns.sh <hostname>
where <hostname> is the CPS node name of the VM (qns01, qns02, lb01, pcrfclient01, and so on).
Restarting Individual Policy Server Services on a Specific VM
Procedure
Step 1 Log into the specific VM.
Step 2 To determine what Policy Server (QNS) services are currently running on the VM, execute:
monit summary
Output similar to the following appears:
The Monit daemon 5.5 uptime: 1d 17h 18m
Process 'qns-4' Running
Process 'qns-3' Running
Process 'qns-2' Running
Process 'qns-1' Running
Step 3 Execute the following commands to stop and start the individual Policy Server (QNS) process:
monit stop qns-<instance id>
monit start qns-<instance id>
Restarting Services Managed by Monit
The Monit service manages many of the services on each CPS VM. To see a list of services managed by monit on a VM, log in to the specific VM and execute:
monit summary
To stop and start all services managed by monit, log in to the specific VM and execute the following commands:
monit stop all
monit start all
To stop and start a specific service managed by Monit, log in to the specific VM and execute the following commands:
monit stop <service_name>
monit start <service_name>
where <service_name> is the name as shown in the output of the monit summary command.
Restarting Other Services
Restarting Subversion
To restart Subversion (SVN) on OAM (pcrfclient) nodes, execute:
service httpd restart
Restarting Policy Builder
To restart Policy Builder on OAM (pcrfclient) nodes (pcrfclient01/pcrfclient02), execute:
monit stop qns-2
monit start qns-2
Restarting Control Center
To restart Control Center on OAM (pcrfclient) nodes (pcrfclient01/pcrfclient02), execute:
monit stop qns-1
monit start qns-1
Restarting Services on Policy Director (lb01 and lb02)
The following commands are used to restart the services on the Policy Director (lb) nodes only (lb01 and lb02).
Procedure
Step 1 Login to lb01/lb02.
Step 2 To restart the service that controls the virtual IPs (lbvip01 and lbvip02 are virtual IP addresses shared between lb01 and lb02 for High Availability), execute the following command:
monit restart corosync
Step 3 To restart the service that balances and forwards IP traffic (port forwarding service) from lb01/lb02 to other CPS nodes, execute:
monit restart haproxy
Recovering After a Power Outage
If there is a controlled or uncontrolled power outage, the following power ON procedures should be followed to bring the system up properly.
Procedure
Step 1 Power ON the Cluster Manager.
Step 2 Power ON Policy Director (lb) VMs.
Step 3 Stop qns processes on the Policy Director (lb) VMs by running the following command:
for i in {1..4}; do monit stop qns-$i; done
If there are more than 4 qns processes on Policy Director (lb) VMs, change the number in the loop accordingly. For example, for 7 qns processes, the command will be:
for i in {1..7}; do monit stop qns-$i; done
Step 4 Power ON pcrfclient01 VM.
Step 5 Stop mon_db script on pcrfclient01 VM by running the following commands:
monit stop mon_db_for_call_model
monit stop mon_db_for_lb_failover
Step 6 Power ON sessionmgr VMs.
Note Make sure all the replica-sets are UP with primary member available on each replica-set.
Note If a member is shown in an unknown state, it is likely that the member is not accessible from one of the other members, mostly an arbiter. In that case, you must go to that member and check its connectivity with the other members. Also, you can log in to mongo on that member and check its actual status.
Step 7 Power ON Policy Server (QNS) VMs.
Note Make sure qns processes on Policy Server (QNS) VMs are UP in monit summary output.
Step 8 Start qns process on all Policy Director (lb) VMs by running the following command:
for i in {1..4}; do monit start qns-$i; done
If there are more than 4 qns processes on Policy Director (lb) VMs, change the number in the loop accordingly. For example, for 7 qns processes, the command will be:
for i in {1..7}; do monit start qns-$i; done
Step 9 Start mon_db script on pcrfclient01 VM by running the following commands:
monit start mon_db_for_call_model
monit start mon_db_for_lb_failover
Step 10 Power ON pcrfclient02 VM and repeat Step 5, on page 7 to Step 9, on page 7.
Recovery Control
Due to the operational inter-dependencies within the CPS, it is necessary for some CPS services and components to become active before others. CPS can monitor the state of the cluster through the various stages of startup. It also includes functionality to allow the system to gracefully recover from unexpected outages.
Cluster State Monitoring
CPS can monitor the state of the services and components of the cluster from the OAM (pcrfclient) VMs. By default, this functionality is disabled.
This functionality can be enabled by setting the cluster_state_monitor option to true in the CPS Deployment Template (Excel spreadsheet).
To update an existing deployment to support this functionality, modify this setting in your CPS Deployment Template and redeploy the csv files as described in the CPS Installation Guide for VMware.
This monitoring system reports the state of the system as an integer value as described in the following table:
Table 1: Cluster State Monitoring
Cluster State 0
Value: unknown state/pre-inspection state
Description: The system will report '0' until both conditions have been met under '1': lbvip02 is UP AND databases are accessible. Various systems can be coming online while a '0' state is being reported, and this does not automatically indicate an error. Even if the system cannot proceed to the '1' state, Policy Builder and Control Center UIs should be available in order to manage or troubleshoot the system.
Cluster State 1
Value: lbvip02 is alive and all databases in /etc/broadhop/mongoConfig.cfg have an accessible primary
Description: All backend databases must be available and the lbvip02 interface must be UP for the system to report this state.
Cluster State 2
Value: lbvip02 port 61616 is accepting TCP connections
Description: Backend Policy Server (QNS) processes access lbvip02 on this port. When this port is activated, it indicates that Policy Server (QNS) processes can proceed to start.
Cluster State 3
Value: at least 50% of backend Policy Server (QNS) processes are alive
Description: Once sufficient capacity is available from the backend processes, the Diameter protocol endpoint processes are allowed to start.
The current cluster state is reported in the following file on the OAM (pcrfclient): /var/run/broadhop.cluster_state
The determine_cluster_state command logs output of the cluster state monitoring process into /var/log/broadhop/determine_cluster_state.log.
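The qns stop/start loops in the power-outage procedure hard-code four instances, and Table 1 defines the states the monitor writes to /var/run/broadhop.cluster_state. As an added example (not part of the Cisco guide), the script below derives the loop bounds from `monit summary` instead of editing the loop, encodes the gating order of Table 1 as a function, and waits on the state file before later steps proceed; the stop-qns, start-qns and wait subcommands are this example's own, not CPS commands.

```shell
# Added example, not from the Cisco guide. Helpers for the power-outage
# procedure and for the cluster states of Table 1.
#   sh lb_recovery.sh stop-qns    # step 3 on an lb VM, whatever the qns count
#   sh lb_recovery.sh start-qns   # step 8
#   sh lb_recovery.sh wait 3      # block until cluster state >= 3

# Print the instance ids of all qns-N processes listed by `monit summary`
# (stdin), one per line, ascending. Quotes around the names are stripped so
# both "Process 'qns-4'  Running" and the unquoted form parse.
qns_instances() {
    tr -d "'" | sed -n 's/^Process[[:space:]]*qns-\([0-9][0-9]*\)[[:space:]].*/\1/p' | sort -n
}

# Table 1 as a function. Arguments: lbvip02 up (yes/no), every replica set in
# mongoConfig.cfg has a reachable primary (yes/no), lbvip02:61616 accepting
# TCP connections (yes/no), alive backend QNS processes, total backend QNS
# processes. A higher state is reachable only once every lower one holds.
cluster_state() {
    lbvip_up=$1 db_primaries=$2 port_open=$3 qns_alive=$4 qns_total=$5
    state=0
    if [ "$lbvip_up" = yes ] && [ "$db_primaries" = yes ]; then
        state=1
        if [ "$port_open" = yes ]; then
            state=2
            # "at least 50% alive" as 2*alive >= total, so no integer rounding
            if [ "$qns_total" -gt 0 ] && [ $((2 * qns_alive)) -ge "$qns_total" ]; then
                state=3
            fi
        fi
    fi
    echo "$state"
}

# Poll the state file until it reports at least $1, giving up after $2 seconds
# (default 600). $3 overrides the file path; that is only needed for testing.
wait_for_cluster_state() {
    wanted=$1 limit=${2:-600} file=${3:-/var/run/broadhop.cluster_state}
    waited=0 current=0
    while [ "$waited" -lt "$limit" ]; do
        current=$(cat "$file" 2>/dev/null || echo 0)
        if [ "$current" -ge "$wanted" ] 2>/dev/null; then
            return 0
        fi
        sleep 2
        waited=$((waited + 2))
    done
    echo "cluster state still $current after ${limit}s (wanted $wanted)" >&2
    return 1
}

case "${1:-}" in
    stop-qns)  for i in $(monit summary | qns_instances); do monit stop "qns-$i"; done ;;
    start-qns) for i in $(monit summary | qns_instances); do monit start "qns-$i"; done ;;
    wait)      wait_for_cluster_state "${2:-3}" ;;
esac
```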
Controlled Startup
In addition to the monitoring functionality, CPS can also use the cluster state to regulate the startup of some of the CPS services pending the appropriate state of the cluster.
By default this functionality is disabled. It can be enabled for the entire CPS cluster, or for troubleshooting purposes can be enabled or disabled on a per-VM basis.
Note Cluster State Monitoring must be enabled for Controlled Startup to function.
Enable/Disable For All VMs in Cluster
The Controlled Startup functionality is enabled by the presence of the /etc/broadhop/cluster_state file. To enable this feature on all CPS VMs in the cluster, execute the following commands on the Cluster Manager VM to create this file and to use the syncconfig.sh script to push those changes out to the other VMs.
touch /etc/broadhop/cluster_state
syncconfig.sh
To disable this feature on all VMs in the cluster, remove the cluster_state file on the Cluster Manager VM and sync the configuration:
rm /etc/broadhop/cluster_state
syncconfig.sh
Enable/Disable For Specific VM
To enable this feature on a specific VM, create a /etc/broadhop/cluster_state file on the VM:
touch /etc/broadhop/cluster_state
To disable this feature again on a specific VM, delete the /etc/broadhop/cluster_state file on the VM:
rm /etc/broadhop/cluster_state
Note This is a temporary measure and should only be used for diagnostic purposes. Local modifications to a VM can be overwritten under various circumstances, such as running syncconfig.sh.
Switching Active and Standby Policy Directors
In CPS, the active and standby strategy applies only to the Policy Directors (lb). The following are the two Policy Directors in the system:
· lb01 · lb02
Determining the Active Policy Director
Procedure
Step 1 Log in to the pcrfclient01 VM.
Step 2 Run the following command to SSH to the active Policy Director (typically lb01):
ssh lbvip01
Step 3 You can also confirm an active Policy Director by ensuring it has the virtual IP (VIP) associated with it by running the following command:
ifconfig -a
If you see the eth0:0 or eth1:0 interfaces present in the list and marked as "UP" then that is the active Policy Director.
For example:
eth0:0 Link encap:Ethernet HWaddr 00:0C:29:CD:7E:4C
inet addr:172.26.241.240 Bcast:172.26.241.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
The passive or standby load balancer will not have active VIPs shown in the ifconfig -a output (no eth0:0 and eth1:0).
Switching Standby and Active Policy Directors
Procedure
Step 1 Log in to the active Policy Director (lb) VM. See Determining the Active Policy Director, on page 9 for details on how to determine which Policy Director is active.
Step 2 Restart the Heartbeat service using the following command:
monit restart corosync
This command will force the failover of the VIP from the active Policy Director to the standby Policy Director.
Step 3 To confirm the switchover, SSH to the other Policy Director VM and run the following command to determine if the VIP is now associated with this VM:
ifconfig -a
If you see the eth0:0 or eth1:0 interfaces in the list and marked as "UP" then that is the active Policy Director.
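The VIP check used in the two procedures above (an alias interface eth0:0 or eth1:0 listed and flagged UP means "active"), as an added shell example that is not part of the Cisco guide. The functions take the ifconfig -a text as an argument so they can be checked offline; the sample outputs below are constructed in the format the guide shows, with the guide's VIP 172.26.241.240 on the active side and invented primary addresses (172.26.241.11/.12) and MAC addresses.

```shell
# Added example, not from the Cisco guide: decide the Policy Director role from
# `ifconfig -a` text. A VM is active when an eth0:0 or eth1:0 alias is listed
# and flagged UP; the standby shows no such alias. Output is passed in as a
# string so the functions can be checked offline against constructed samples.

# lb_role IFCONFIG_TEXT  -> prints "active" or "standby"
lb_role() {
    printf '%s\n' "$1" | awk '
        /^eth[01]:0[ \t]/ { alias = 1; next }   # header line of a VIP alias block
        /^[^ \t]/         { alias = 0 }         # any other interface header ends it
        alias && /[ \t]UP[ \t]/ { found = 1 }   # flags line inside the alias block
        END { print (found ? "active" : "standby") }'
}

# lb_vips IFCONFIG_TEXT  -> prints the inet addr of every UP alias, one per line
lb_vips() {
    printf '%s\n' "$1" | awk '
        /^eth[01]:0[ \t]/ { alias = 1; addr = ""; next }
        /^[^ \t]/         { alias = 0 }
        alias && /inet addr:/ { addr = $0; sub(/.*inet addr:/, "", addr); sub(/[ \t].*/, "", addr) }
        alias && /[ \t]UP[ \t]/ && addr != "" { print addr }'
}

# Constructed samples (primary addresses and the standby MAC are invented; the
# VIP 172.26.241.240 is the value shown in the guide).
ACTIVE_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0C:29:CD:7E:4C
          inet addr:172.26.241.11  Bcast:172.26.241.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:CD:7E:4C
          inet addr:172.26.241.240  Bcast:172.26.241.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1'

STANDBY_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:CC
          inet addr:172.26.241.12  Bcast:172.26.241.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1'

# On a real Policy Director you would call: lb_role "$(ifconfig -a)"
echo "sample 1 role: $(lb_role "$ACTIVE_SAMPLE"), VIPs: $(lb_vips "$ACTIVE_SAMPLE")"
echo "sample 2 role: $(lb_role "$STANDBY_SAMPLE")"
```

An alias that is present but not flagged UP (for example while corosync is mid-failover) is reported as standby, which is the conservative answer when deciding where to run a maintenance step.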
Backing Up and Restoring
As a part of routine operations, it is important to make backups so that if there are any failures, the system can be restored. Do not store backups on system nodes. For detailed information about backup and restore procedures, see the CPS Backup and Restore Guide.
Adding or Replacing Hardware
Hardware replacement is usually performed by the hardware vendor with whom your company holds a support contract.
Hardware support is not provided by Cisco. The contact persons and scheduling for replacing hardware are arranged by your company.
Before replacing hardware, always make a backup. See the CPS Backup and Restore Guide.
Unless you have a readily available backup solution, use VMware Data Recovery. This solution, provided by VMware under a separate license, is easily integrated into your CPS environment.
The templates you download from the Cisco repository are partially pre-configured but require further configuration. Your Cisco technical representative can provide you with detailed instructions.
Note: You can download the VMware software and documentation from the following location: http://www.vmware.com/
Export and Import Service Configurations
You can export and import service configurations for the migration and replication of data. You can use the export/import functions to back up both configuration and environmental data or system-specific information from the configuration for lab-to-production migration.
Important: While exporting the Policy Builder configurations, CPS excludes stale/unreferenced objects.
You can import the binary in the following two ways:
· Import the binary produced by export – All configuration exported will be removed (If environment is included, only environment will be removed. If environment is excluded, environment will not be removed). The file passed is created from the export API.
· Additive Import – Import the package created manually by adding configuration. The new configurations get added into the server without impacting the existing configurations. The import is allowed only if the CPS running version is greater than or equal to the imported package version specified in the configuration.
Procedure
Step 1 In a browser, navigate to the export/import page, available at the following URL:
HA/GR: https://<lbvip01>:7443/doc/import.html
Step 2 Enter the API credentials.
Step 3 Select the file to be imported/exported. The following table describes the export/import options:
Table 2: Export and Import Options
Option | Description
Export |
All data | Exports service configuration with environment data, which acts as a complete backup of both service configurations and environmental data.
Exclude environment | Exports without environment data, which allows exporting configuration from a lab into another environment without destroying the new system's environment-specific data.
Only environment | Exports only environment data, which provides a way to back up the system-specific environmental information.
Export URL | Found in Policy Builder or viewed directly in Subversion.
Export File Prefix | Provide a name (prefix) for the export file. Note: The exported filename automatically includes the date and time when the export was performed, for example: prefix_2016-01-12_11-03-56_3882276668.cps. Note: The file extension .cps is used so that the file is not opened or modified by mistake by another application. The file should be used for export/import purposes only.
Use 'Zip' file extension | Enable the check box for an easier view of the exported content of data in zip file format.
Import |
File to Import | Add the configuration zip file to import.
Import URL | URL is updated/created. We recommend importing to a new URL and using Policy Builder to verify/publish.
Commit Message | Message recorded with the import. Provide details that are useful to record.
Allow Import Excluding Environment | Allow importing the PB configuration excluding the environment data.
Force import even if checksums don't match | Allow import even when the checksums mismatch in the configuration zip file.
After you select the file, the file's information is displayed.
Step 4 Select Import or Export. CPS displays response messages that indicate the status of the export/import.
Chapter 2
Managing CPS Disks
· Adding a New Disk, on page 13
· Mounting the Replication Set from Disk to tmpfs After Deployment, on page 15
· Manage Disks to Accommodate Increased Subscriber Load, on page 17
Adding a New Disk
This section describes the procedures needed to add a new disk to a VM.
Before you begin
· All the VMs were created using the deployment process.
· This procedure assumes the datastore that will be used to have the virtual disk has sufficient space to add the virtual disk.
· This procedure assumes the datastore has been mounted to the VMware ESX server, regardless of the backend NAS device (SAN or iSCSI, etc).
ESX Server Configuration
Procedure
Step 1 Log in to the ESX server shell, and make sure the datastore has enough space:
vmkfstools -c 4g /vmfs/volumes/datastore_name/VMNAME/xxxx.vmdk -d thin
Step 2 Execute vim-cmd vmsvc/getallvms to get the vmid of the VM where the disk needs to be added.
Vmid  Name         File                                      Guest OS       Version  Annotation
173   vminstaller  [datastore5] vminstaller/vminstaller.vmx  centos64Guest  vmx-08
Step 3 Assign the disk to the VM. The xxxx is the disk name, and 0 and 1 indicate the SCSI device number. In this example, this is the second disk:
vim-cmd vmsvc/device.diskaddexisting vmid /vmfs/volumes/path to xxxx.vmdk 0 1
Target VM Configuration
Procedure
Step 1 Log in as the root user on your Linux virtual machine.
Step 2 Open a terminal session.
Step 3 Execute the df command to examine the current disks that are mounted and accessible.
Step 4 Create an ext4 file system on the new disk:
mkfs -t ext4 /dev/sdb
Note: b in /dev/sdb is the second SCSI disk. mkfs warns that you are performing this operation on an entire device, not a partition. That is correct, since you created a single virtual disk of the intended size. This assumes you have specified the correct device. Make sure you have selected the right device; there is no undo.
Step 5 Execute the following command to verify the existence of the disk you created:
# fdisk -l
Step 6 Execute the following command to create a mount point for the new disk:
# mkdir /<NewDirectoryName>
Step 7 Execute the following command to display the current /etc/fstab:
# cat /etc/fstab
Step 8 Add the following line to /etc/fstab so that the disk is available across reboots:
/dev/sdb /<NewDirectoryName> ext4 defaults 1 3
Step 9 Reboot the VM.
shutdown -r now
Step 10 Execute the df command to check that the file system is mounted and the new directory is available.
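Two guard helpers around the mkfs and /etc/fstab steps above, as an added shell example that is not part of the Cisco guide. device_is_free refuses to approve a device that is mounted or already carries a filesystem signature (the "no undo" case in the Note); fstab_add writes the fstab line only once and only for an absolute mount point. The /proc/mounts, blkid and fstab contents below are constructed stand-ins; on a real VM you would pass "$(cat /proc/mounts)" and "$(blkid -o export /dev/sdb 2>/dev/null)" and point fstab_add at /etc/fstab.

```shell
# Added example, not from the Cisco guide: pre-flight checks for the mkfs and
# /etc/fstab steps. Inputs are plain text so the functions run offline; on a
# real VM feed them "$(cat /proc/mounts)" and "$(blkid -o export /dev/sdb)".

# device_is_free DEVICE MOUNTS_TEXT BLKID_TEXT -> 0 when DEVICE is safe to format
device_is_free() {
    dev=$1; mounts=$2; blkid=$3
    # column 1 of /proc/mounts is the device; an exact match means it is in use
    if printf '%s\n' "$mounts" | awk -v d="$dev" '$1 == d { hit = 1 } END { exit !hit }'; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    # blkid -o export prints a TYPE= line when a filesystem signature exists
    if printf '%s\n' "$blkid" | grep -q '^TYPE='; then
        echo "refusing: $dev already has a filesystem signature" >&2
        return 1
    fi
    return 0
}

# fstab_add FSTAB_FILE DEVICE MOUNTPOINT -> appends "DEVICE MOUNTPOINT ext4 defaults 1 3"
# (the form used in the step above) unless DEVICE or MOUNTPOINT is already referenced;
# prints the line that was written
fstab_add() {
    fstab=$1; dev=$2; mnt=$3
    case $mnt in
        /*) ;;
        *) echo "mount point must be an absolute path: $mnt" >&2; return 1 ;;
    esac
    if awk -v d="$dev" -v m="$mnt" \
        '$1 !~ /^#/ && ($1 == d || $2 == m) { hit = 1 } END { exit !hit }' "$fstab"; then
        echo "refusing: $dev or $mnt already present in $fstab" >&2
        return 1
    fi
    printf '%s %s ext4 defaults 1 3\n' "$dev" "$mnt" >> "$fstab"
    tail -n 1 "$fstab"
}

# Constructed stand-ins for /proc/mounts, blkid output and /etc/fstab.
MOUNTS_SAMPLE='/dev/mapper/vg_shiprock-lv_root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /var/data/sessions.1 tmpfs rw 0 0'
BLKID_BLANK=''                     # a never-formatted disk prints nothing
BLKID_USED='DEVNAME=/dev/sdb
TYPE=ext4'
FSTAB_TMP=$(mktemp)
printf '%s\n' '/dev/mapper/vg_shiprock-lv_root / ext4 defaults 1 1' \
              '/dev/sda1 /boot ext4 defaults 1 2' > "$FSTAB_TMP"

device_is_free /dev/sdb "$MOUNTS_SAMPLE" "$BLKID_BLANK" && echo "/dev/sdb is free to format"
fstab_add "$FSTAB_TMP" /dev/sdb /data1       # /dev/sdb /data1 ext4 defaults 1 3
```

Run device_is_free immediately before mkfs, not earlier in the session: the check is only as good as the mount table at the moment the format command is issued.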
Update the collectd process to use the new file system to store KPIs
After the disk is added successfully, collectd can use the new disk to store the KPIs.
Procedure
Step 1 SSH into pcrfclient01/pcrfclient02.
Step 2 Execute the following command to open the logback.xml file for editing:
vi /etc/collectd.d/logback.xml
Step 3 Update the <file> element with the new directory that was added in /etc/fstab.
Step 4 Execute the following command to restart collectd:
monit restart collectd
Note: The content of logback.xml will be overwritten with the default path after a new upgrade. Make sure to update it after an upgrade.
Mounting the Replication Set from Disk to tmpfs After Deployment
You can mount all of the members of the Replication set to tmpfs, or you can mount specific members to tmpfs. These scenarios are described in the following sections.
Scenario 1 Mounting All Members of the Replication Set to tmpfs
Procedure
Step 1 Modify the mongoConfig.cfg file using the vi editor on the Cluster Manager. Change the DBPATH directory for the SPR Replication set that needs to be put on tmpfs.
Note: Make sure you change the path to /var/data/sessions.1, which is the tmpfs filesystem. Also, make sure to run diagnostics.sh before and after the activity.
The following example shows the contents of the mongoConfig.cfg file before modification:
[SPR-SET1]
SETNAME=set06
OPLOG_SIZE=5120
ARBITER1=pcrfclient01a:27720
ARBITER_DATA_PATH=/var/data/sessions.6
MEMBER1=sessionmgr04a:27720
MEMBER2=sessionmgr03a:27720
MEMBER3=sessionmgr04b:27720
MEMBER4=sessionmgr03b:27720
DATA_PATH=/var/data/sessions.4
[SPR-SET1-END]
The following example shows the contents of the mongoConfig.cfg file after modification:
[SPR-SET1]
SETNAME=set06
OPLOG_SIZE=5120
ARBITER1=pcrfclient01a:27720
ARBITER_DATA_PATH=/var/data/sessions.6
MEMBER1=sessionmgr04a:27720
MEMBER2=sessionmgr03a:27720
MEMBER3=sessionmgr04b:27720
MEMBER4=sessionmgr03b:27720
DATA_PATH=/var/data/sessions.1/set06
[SPR-SET1-END]
Step 2 Run build_etc.sh to update the modified files.
Step 3 Verify that the sessionmgr-27720 files on the sessionmgr VMs are updated with the new DB_PATH by using the vi or cat command.
Step 4 Stop and start the mongo databases one by one using the following commands:
systemctl stop sessionmgr-<port>
systemctl start sessionmgr-<port>
Step 5 Run diagnostics.sh.
Step 6 If this is an Active/Active GEOHA setup, scp the mongoConfig.cfg file to the Site-B Cluster Manager, and run build_etc.sh to update the puppet files.
Scenario 2 Mounting Specific Members of the Replication Set to tmpfs
Procedure
Step 1 SSH to the respective session manager.
Step 2 Edit the mongoDB startup file using the vi editor. In this example we are modifying the SPR member.
[root@sessionmgr01 init.d]# vi /etc/init.d/sessionmgr-27720
Step 3 Change the DBPATH directory from DBPATH=/var/data/sessions.4 to DBPATH=/var/data/sessions.1/set06.
Step 4 Save and exit the file (using :wq).
Step 5 Enter the following commands to stop and start the SPR DB member:
/usr/bin/systemctl stop sessionmgr-27720
/usr/bin/systemctl start sessionmgr-27720
Step 6 Wait for the recovery to finish.
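The path edit that both scenarios above perform by hand (DATA_PATH inside the [SPR-SET1] block of mongoConfig.cfg in Scenario 1, DBPATH in the /etc/init.d/sessionmgr-27720 script in Scenario 2), as an added shell example that is not part of the Cisco guide. rewrite_path changes only the key in the replication set whose SETNAME matches, so a file with several sets is not edited wholesale, and path_on_tmpfs enforces the Note that the target must be under /var/data/sessions.1. The second replication set (set07, [SPR-SET2]) in the sample is hypothetical and exists only to show that it is left alone; the init-script sample is a constructed stand-in, not the real CPS file.

```shell
# Added example, not from the Cisco guide: rewrite one data-path key inside a
# CPS configuration text without touching other replication sets, and check that
# the new path is under the tmpfs mount the Note above requires.

# rewrite_path TEXT KEY SETNAME NEWPATH -> prints TEXT with KEY=NEWPATH applied to
# the block whose SETNAME matches (SETNAME="" means the file has no set blocks,
# apply anywhere); exit status 2 if nothing was changed
rewrite_path() {
    printf '%s\n' "$1" | awk -v k="$2" -v s="$3" -v p="$4" '
        /^SETNAME=/      { cur = substr($0, 9) }            # remember which set we are in
        /^\[.*-END\]$/   { cur = "" }                       # block closed
        index($0, k "=") == 1 && (s == "" || cur == s) { $0 = k "=" p; changed = 1 }
        { print }
        END { if (!changed) exit 2 }'
}

# path_on_tmpfs PATH -> 0 when PATH lives under /var/data/sessions.1 (the tmpfs filesystem)
path_on_tmpfs() {
    case $1 in
        /var/data/sessions.1|/var/data/sessions.1/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the SPR set from the guide plus a hypothetical second set
# (set07) that must stay on disk.
CFG_SAMPLE='[SPR-SET1]
SETNAME=set06
OPLOG_SIZE=5120
ARBITER1=pcrfclient01a:27720
ARBITER_DATA_PATH=/var/data/sessions.6
MEMBER1=sessionmgr04a:27720
MEMBER2=sessionmgr03a:27720
MEMBER3=sessionmgr04b:27720
MEMBER4=sessionmgr03b:27720
DATA_PATH=/var/data/sessions.4
[SPR-SET1-END]
[SPR-SET2]
SETNAME=set07
OPLOG_SIZE=5120
MEMBER1=sessionmgr01a:27721
DATA_PATH=/var/data/sessions.7
[SPR-SET2-END]'

# Constructed stand-in for the startup script edited in Scenario 2.
INIT_SAMPLE='#!/bin/bash
PORT=27720
DBPATH=/var/data/sessions.4
OPLOG_SIZE=5120'

NEW=/var/data/sessions.1/set06
# Scenario 1: only set06 changes; set07 and ARBITER_DATA_PATH are untouched.
path_on_tmpfs "$NEW" && rewrite_path "$CFG_SAMPLE" DATA_PATH set06 "$NEW" | grep 'DATA_PATH='
# Scenario 2: a single-member script has no SETNAME, so pass "" as the set.
rewrite_path "$INIT_SAMPLE" DBPATH "" "$NEW" | grep '^DBPATH='
```

Because rewrite_path prints to stdout, the usual flow is to write the result to a temporary file, diff it against the original, and only then copy it into place before running build_etc.sh; a non-zero exit means the set name was mistyped and nothing should be copied.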
Manage Disks to Accommodate Increased Subscriber Load
If you need to prepare CPS for an increased number of subscribers (> 10 million), you can clone and repartition the sessionmgr disks as per your requirement.
Clone Sessionmgr01 VM
Downtime: No downtime
Before you begin
· Before disk repartition, clone sessionmgr01. This step is optional, but to reduce the risk of losing data during disk repartitioning, the customer can take a backup of the sessionmgr01 VM. If the customer does not have enough space to take the backup, this step can be skipped.
· Blade with enough space to hold the cloned image of sessionmgr01.
Procedure
Step 1 Log in to the vSphere Client on the sessionmgr01 blade with administrator credentials.
Step 2 Right-click sessionmgr01 and select Clone > Choose the appropriate inventory in which the blade resides > Choose the blade with enough space to hold the sessionmgr01 image > Next > Next > Finish.
Step 3 Cloning starts. Wait for it to finish.
Disk Repartitioning of Sessionmgr01 VM
Downtime: During this procedure sessionmgr01 is shut down 2 times. Estimate approximately 30 minutes of downtime for sessionmgr01. CPS continues to operate using sessionmgr02 while sessionmgr01 is stopped as part of the procedure.
Before you begin None
Procedure
Step 1 Log in to sessionmgr01 as the root user.
Step 2 The following commands may be executed to help identify which partition requires additional space.
# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_shiprock-lv_root   7.9G  1.5G  6.0G  20% /
tmpfs                             1.9G     0  1.9G   0% /dev/shm
/dev/sda1                         485M   32M  428M   7% /boot
/dev/mapper/vg_shiprock-lv_home   2.0G   68M  1.9G   4% /home
/dev/mapper/vg_shiprock-lv_var     85G   16G   65G  20% /var
tmpfs                             2.3G  2.1G  172M  93% /var/data/sessions.1

# pvdisplay
  --- Physical volume ---
  PV Name               /dev/sda2
  VG Name               vg_shiprock
  PV Size               99.51 GiB / not usable 3.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              25474
  Free PE               0
  Allocated PE          25474
  PV UUID               l3Mjox-tLfK-jj4X-98dJ-K3c1-EOel-SlOBq1

# vgdisplay
  --- Volume group ---
  VG Name               vg_shiprock
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  5
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                4
  Open LV               4
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               99.51 GiB
  PE Size               4.00 MiB
  Total PE              25474
  Alloc PE / Size       25474 / 99.51 GiB
  Free PE / Size        0 / 0
  VG UUID               P1ET44-jiEI-DIbd-baYt-fVom-bhUn-zgs5Fz
· (df -h): /var is /dev/mapper/vg_shiprock-lv_var. This is equivalent to device /dev/vg_shiprock/lv_var.
· (pvdisplay): vg_shiprock (used by lv_var, which is /var) is on /dev/sda2.
Step 3 Execute the fdisk command to check the disk size.
# fdisk -l /dev/sda
Disk /dev/sda: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0008dcae

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          64      512000   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              64   [End and Blocks values not legible in the source]   8e  Linux LVM
Step 4 Power down the Virtual Machine.
# shutdown -h now
Note: If cloning is not possible because of space limitation on the blade, a backup of the sessionmgr01 VM can be taken by saving the OVF of the sessionmgr01 VM to local storage such as a laptop or desktop. (Both cloning and OVF backup are optional steps, but either one of them is highly recommended.)
Step 5 Log in using the VMware vSphere Client as an administrator (e.g. root) to the ESXi host which has your Linux Virtual Machine on it.
Step 6 Right-click on the Virtual Machine and select Edit Settings > Click Hard Disk 1 > Increase the Provisioned Size of the Hard Disk.
Step 7 Power ON the Virtual Machine.
Step 8 Log in (ssh) to the Virtual Machine as the root user.
Step 9 Confirm that disk space has been added to the /dev/sda partition.
# fdisk -l /dev/sda
Disk /dev/sda: 70.5 GB, 79529246720 bytes
255 heads, 63 sectors/track, 9668 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Step 10 Execute the following commands. The user's actual inputs are the lower-case characters typed at the fdisk prompts.
# fdisk /dev/sda
The number of cylinders for this disk is set to 7832.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sda: 64.4 GB, 64424509440 bytes
255 heads, 63 sectors/track, 7832 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14        7179    57560895   8e  Linux LVM

Command (m for help): d
Partition number (1-4): 2

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (14-7832, default 14): [press enter]
Using default value 14
Last cylinder +sizeM/+sizeK (14-7832, default 7832): [press enter]
Using default value 7832

Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 8e
Changed system type of partition 2 to 8e (Linux LVM)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
Step 11 Reboot the sessionmgr01 VM by executing the following command:
# reboot
This ensures that the new settings match up with the kernel.
Step 12 After the reboot, execute the following command:
# pvresize /dev/sda2
Physical volume "/dev/sda2" changed
1 physical volume(s) resized / 0 physical volume(s) not resized
Step 13 Confirm that the additional free space has been added in the sessionmgr VM.
# vgdisplay
  --- Volume group ---
  VG Name               vg_shiprock
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  5
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                4
  Open LV               4
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               129.51 GiB
  PE Size               4.00 MiB
  Total PE              32974
  Alloc PE / Size       25474 / 99.51 GiB
  Free PE / Size        7500 / 30.00 GB
  VG UUID               pPSNBU-FRWO-z3aC-iAxS-ewaw-jOFT-dTcBKd
Step 14 Verify that the /var partition is mounted on /dev/mapper/vg_shiprock-lv_var.
# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_shiprock-lv_root    18G  2.5G   15G  15% /
/dev/mapper/vg_shiprock-lv_home   5.7G  140M  5.3G   3% /home
/dev/mapper/vg_shiprock-lv_var     85G   16G   65G  20% /var
/dev/sda1                          99M   40M   55M  43% /boot
tmpfs                              16G     0   16G   0% /dev/shm
tmpfs                             8.0G  1.1G  7.0G  14% /data/sessions.1
Step 15 Extend the /var partition to take up the additional free space.
# lvextend -l +100%FREE /dev/mapper/vg_shiprock-lv_var
Extending logical volume lv_var to 120.00 GB
Logical volume lv_var successfully resized
Step 16 Check the newly added space in /dev/mapper/vg_shiprock-lv_var.
# lvdisplay
Step 17 Add the space to the VM file system.
# resize2fs /dev/mapper/vg_shiprock-lv_var
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_shiprock-lv_var is mounted on /var; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_shiprock-lv_var to 6553600 (4k) blocks.
The filesystem on /dev/mapper/vg_shiprock-lv_var is now 6553600 blocks long.
Step 18 Check the increased size of the /var partition.
# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_shiprock-lv_root    23G  2.1G   20G  10% /
/dev/mapper/vg_shiprock-lv_home   5.7G  140M  5.3G   3% /home
/dev/mapper/vg_shiprock-lv_var    130G   16G   95G  12% /var
/dev/sda1                          99M   40M   55M  43% /boot
tmpfs                             2.0G     0  2.0G   0% /dev/shm
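The checks that the repartitioning procedure above asks you to read by eye (free extents in pvdisplay/vgdisplay before and after pvresize, and the Use% column of df -h), as an added shell example that is not part of the Cisco guide. The functions parse the command output as text, so the before/after state of the volume group can be compared in a script; the sample outputs are trimmed copies of the ones printed in the guide, and the wrapped df -h layout (device-mapper name on its own line) is re-joined because that is how the guide, and older df, print it.

```shell
# Added example, not from the Cisco guide: pull the numbers the repartitioning
# procedure checks by eye out of pvdisplay/vgdisplay and df -h text.

# free_extent_mib LVM_TEXT -> Free PE x PE Size in MiB (0 when the VG/PV is full)
free_extent_mib() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*PE Size/ { pe = $3; unit = $4 }
        /^[ \t]*Free PE/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { free = $i; break } }
        END {
            if (unit == "GiB") pe *= 1024       # normalise to MiB
            printf "%d\n", free * pe
        }'
}

# use_pct DF_TEXT MOUNTPOINT -> the Use% column (without %) for MOUNTPOINT, or nothing
use_pct() {
    printf '%s\n' "$1" | awk -v m="$2" '
        NF == 1       { pend = $0; next }               # device name alone on its line
        pend != ""    { $0 = pend " " $0; pend = "" }   # glue it back to its numbers
        $NF == m      { sub(/%/, "", $(NF - 1)); print $(NF - 1); exit }'
}

# Samples trimmed from the outputs shown in the guide (before and after pvresize).
VG_BEFORE='  --- Volume group ---
  VG Name               vg_shiprock
  PE Size               4.00 MiB
  Total PE              25474
  Alloc PE / Size       25474 / 99.51 GiB
  Free PE / Size        0 / 0'

VG_AFTER='  --- Volume group ---
  VG Name               vg_shiprock
  VG Size               129.51 GiB
  PE Size               4.00 MiB
  Total PE              32974
  Alloc PE / Size       25474 / 99.51 GiB
  Free PE / Size        7500 / 30.00 GB'

DF_AFTER='Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_shiprock-lv_root
                       23G  2.1G   20G  10% /
/dev/mapper/vg_shiprock-lv_var
                      130G   16G   95G  12% /var
/dev/sda1              99M   40M   55M  43% /boot'

# On the VM itself: free_extent_mib "$(vgdisplay vg_shiprock)" and use_pct "$(df -h)" /var
echo "free before pvresize: $(free_extent_mib "$VG_BEFORE") MiB, after: $(free_extent_mib "$VG_AFTER") MiB"
echo "/var in use: $(use_pct "$DF_AFTER" /var)%"
```

A free-extent value of 0 after pvresize means the partition table change did not take effect (typically the reboot in the procedure was skipped), so lvextend has nothing to add; checking it in a script avoids misreading the vgdisplay block.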
Cloning and Disk Repartitioning of Sessionmgr02 VM
Repeat Clone Sessionmgr01 VM, on page 17 and Disk Repartitioning of Sessionmgr01 VM, on page 17 on sessionmgr02 for cloning and disk repartitioning of sessionmgr02 VM.
Chapter 3
Managing CPS Licenses
· Smart Software Licensing, on page 23
· Classic Licensing, on page 23
· Comparison between Licensing Models, on page 24
· Smart Accounts/Virtual Accounts, on page 25
· License Conversion, on page 27
· Enable Smart Licensing for CPS, on page 27
· Product ID Tags, on page 29
· Smart Licensing CLI Commands, on page 29
· License Usage Threshold, on page 31
Smart Software Licensing
CPS 10.0.0 and its later releases support Smart Licensing. It is a cloud-based approach to licensing that simplifies the purchase, deployment, and management of Cisco software assets. Entitlements are purchased through your Cisco account via Cisco Commerce Workspace (CCW) and immediately deposited into your Virtual Account for usage. This eliminates the need to install license files on every device. Products that are smart enabled communicate directly to Cisco to report consumption. A single location is available to customers to manage Cisco software licenses: the Cisco Smart Software Manager (CSSM). License ownership and consumption are readily available to help make better purchase decisions based on consumption or business need.
Classic Licensing
Classic Licensing is Cisco’s legacy licensing model based on Product Activation Keys (PAK) and Unique Device Identifiers (UDI). On most IOS devices, a determination of bandwidth needs is assessed prior to obtaining and installing a tar file on the platform to retrieve the UDI. A PAK is ordered and typically emailed to the customer. The combination of a UDI and PAK are used to receive a license file, which is installed in the boot directory to complete the installation of IOS on the platform. The License Registration Portal (LRP) is available to help migrate Classic Licenses to Smart Licenses. To access the LRP, and to obtain training and manage licenses, visit https://software.cisco.com/software/swift/lrp/.
Comparison between Licensing Models
The following sections provide a comparison of the existing CPS SWIFT-based licensing model, the Cisco Smart Software Licensing model, and Cisco Smart Software Licensing as it is implemented in CPS 10.0.0 and later releases.
CPS SWIFT-Based Licensing
For CPS versions prior to 10.0.0, CPS licensing is SWIFT "lmgrd" based, and the license is tied to the MAC address of the device on which CPS is installed. The following list summarizes the CPS SWIFT-based licensing model:
· The License count that is purchased by the customer is defined in the license.lic file and is read into the CPS application using the lmgrd/cisco processes.
· License compliance is determined and tracked by CPS. CPS periodically compares the current session count with the licensed count at a predefined interval.
· CPS creates and logs license statuses: adhere, “RATE_LIMITED” and “VALID” statuses are logged with proper messages, and traps are generated accordingly.
Cisco Smart Software Licensing
The following list summarizes the Cisco Smart Software License model:
· Smart Licensing maintains and tracks license information including license quantity, license surplus, and shortage usages.
· There is no API for returning the number of licenses (entitlements) purchased by the customer.
· License compliance is determined and tracked by Cisco Smart Software License. Entitlement enforcement mode notifications are sent out when the mode changes upon request.
· License (entitlement) expiration is tracked by Cisco Smart Software License. There is no API for returning the license expiration date.
· Smart Licensing does not support license version.
· Utility/Metering is not supported.
· An entitlement consumption request is allowed once every 24 hours maximum.
· Smart Licensing supports high availability. For Smart Agent clusters, one Smart Agent is active and the rest are standbys. This means that for a given cluster, only one Smart Agent is active, and it will register to the Smart Licensing portal at any time. (Smart License is a combination of Smart Agent and Smart Call Home, which is responsible for communicating to Cisco Smart Software Licensing.)
CPS Cisco Smart Software License Based Model
The following list summarizes the Cisco Smart Software License model for CPS 10.0.0 and greater:
· For a CPS high availability installation, only the active client (either pcrfclient01 or pcrfclient02) is registered to the Smart Licensing Portal at any given time, and it uses the same identity for the registration.
· CPS uses the Smart Licensing API to request the entitlement (license) consumption amount based on the pre-defined maximum licensed concurrent session amount.
· The predefined maximum licensed concurrent session amount is defined in the features.properties file for each CPS feature.
· One licensed entitlement count is equivalent to one CPS Policy concurrent session count.
· Smart Licensing Entitlement notifies CPS about the requested entitlement conformance (enforce mode): whether the requested entitlement consumption is InCompliance, OutOfCompliance, or Eval, the last meaning that the product instance is not registered to the Smart Licensing Portal and is running in evaluation mode. CPS populates license data into the mongoDB sharding/licensedfeats <SITEID> collection based on the received entitlement compliance status.
· The Smart Agent (SA) is embedded in CPS+SL (SA+SCH) integration. A CLI is supported.
· CPS Orchestration API-based installation is not supported.
· Dynamically switching the license manager from lmgrd to Smart Licensing or vice versa is supported. Switching the licensing manager requires a restart of CPS OAM (pcrfclient).
· CPS Smart Licensing integration follows the CPS In-Service Software Upgrade process.
In summary, CPS 10.0.0 and later releases support the same functionality as CPS SWIFT lmgrd-based licensing with the following exceptions:
· There is no API to return the license amount available for the virtual account. A new "complianceMode" attribute has been added to indicate the requested feature entitlement compliance status with the following value options:
  · InCompliance: The requested feature entitlement maximum licensed amount is in surplus status.
  · OutOfCompliance: The requested feature entitlement maximum licensed amount is in shortage status.
  · Eval: The product is not yet registered to Cisco Smart License Cloud.
· There is no API to return the license expiration date. The license expiration date value is set to "current date + 10 years" in CPS 10.0.0 and later releases.
· Smart Licensing does not support license version. Currently, the license version is set to “V1.0” in CPS.
Smart Accounts/Virtual Accounts
A Smart Account provides a single location for all Smart-enabled products and entitlements. It helps speed procurement, deployment, and maintenance of Cisco Software. When creating a Smart Account, you must have the authority to represent the requesting organization. After submitting, the request goes through a brief approval process. A Virtual Account exists as a sub-account within the Smart Account. Virtual Accounts are a customer-defined structure based on organizational layout, business function, geography or any defined hierarchy. They are created and maintained by the Smart Account administrator. See http://software.cisco.com to learn about, set up, or manage Smart Accounts.
Request a Cisco Smart Account
A Cisco Smart Account is an account where all products enabled for Smart Licensing are deposited. A Cisco Smart Account allows you to manage and activate your licenses to devices, monitor license use, and track Cisco license purchases. Through transparent access, you have a real-time view into your Smart Licensing products. IT administrators can manage licenses and account users within your organization’s Smart Account through the Smart Software Manager.
Procedure
Step 1 In a browser window, enter the following URL:
http://software.cisco.com
Step 2 Log in using your credentials, and then click Request Smart Account in the Administration area under Smart Account Management.
The Smart Account Request window is displayed.
Step 3 Under Create Account, select one of the following options:
· Yes, I have authority to represent my company and want to create the Smart Account. If you select this option, you agree to authorization to create and manage product and service entitlements, users, and roles on behalf of your organization.
· No, the person specified below will create the account. If you select this option, you must enter the email address of the person who will create the Smart Account.
Step 4 Under Account Information:
a) Click Edit beside Account Domain Identifier.
b) In the Edit Account Identifier dialog box, enter the domain, and click OK. By default, the domain is based on the email address of the person creating the account and must belong to the company that will own this account.
c) Enter the Account Name (typically, the company name).
Step 5 Click Continue. The Smart Account request will be in pending status until it has been approved by the Account Domain Identifier. After approval, you will receive an email confirmation with instructions for completing the setup process.
Cisco Smart Software Manager
Cisco Smart Software Manager (CSSM) enables the management of software licenses and Smart Account from a single portal. The interface allows you to activate your product, manage entitlements, and renew and upgrade software. A functioning Smart Account is required to complete the registration process. To access the Cisco Smart Software Manager, see https://software.cisco.com/.
License Conversion
Using the License Registration Portal, you can convert classic licenses that are associated with Product Activation Keys (PAKs) to smart entitlements.
Procedure
Step 1 To access the License Registration Portal:
a) Log in to the Cisco Software Central page at software.cisco.com.
b) Under License, click Traditional Licensing.
On the Welcome to the Product License Registration Portal window, you can choose to watch training videos, or you can go directly to the Product License Registration Portal.
c) Select the Product License Registration Portal option.
The Product License Registration page opens.
Step 2 Select the PAKs/Tokens tab to access your classic licenses.
Step 3 On the PAKs/Tokens tab, check the box next to the PAK/Token ID for which you want to convert licenses.
Step 4 From the Actions drop-down list, select Convert to Smart Entitlements.
Step 5 In the Convert to Smart Entitlements dialog box, you can change to a different Virtual Account if needed.
Step 6 Check the box next to the PAK. Enter the Quantity to Convert, and click Submit. You will receive a message when the conversion has completed successfully.
Step 7 Log in to the Cisco Smart Software Manager (CSSM), and view the converted Smart Entitlements as follows:
a) Select the Virtual Account, and click the License Conversion tab.
b) Click the Event Log tab to see the confirmation message that the licenses were converted.
Enable Smart Licensing for CPS
You can enable smart licensing after upgrading CPS, or after a new CPS deployment.
Note These steps must be performed on the Cluster Manager VM.
Procedure
Step 1  Log in to the Cluster Manager VM.
Step 2  Enter the following commands to create the license_sl_data and license_sl_conf directories:
    mkdir -p /etc/broadhop/license_sl_data
    mkdir -p /etc/broadhop/license_sl_conf
Step 3  Create the following license configuration files in the /etc/broadhop/license_sl_conf directory on the Cluster Manager:
  a) Create a file named features.properties, and add the required PID and count. For example:
    LicenseFeature=<PID>:<COUNT>
  b) Create a file named sl.properties with the following content from the CSSM account:
    TRANSPORT_URL=https://smartreceiver.cisco.com/licservice/license
  c) Create a file named conf.properties with the following content from the CSSM account. For example:
    PRODUCT_SN=10999
    PRODUCT_ID_TAG=CPS
    SOFTWARE_ID_TAG=regid.2016-06.com.cisco.CPS10,1.0_e454cefa-5e10-4af4-81d8-3f76260485fb
    USE_PROD_ROOT_CERT=true
    RENEW_AUTH=false
    TAC_PROFILE_NAME=CiscoTAC-1
    HTTP_TRANSPORT_FLAG=true
    HTTP_URL=https://smartreceiver.cisco.com/licservice/license
    PRODUCT_NAME=Cisco Policy Suite
    SOFTWARE_VERSION=10.0
    SYSTEM_DESCRIPTION=Cisco Policy Suite for Mobile is a carrier-grade policy, charging, and subscriber data management solution.
    PRODUCT_SERIES=Cisco Policy Suite Series
Step 4  Enter the following command to rebuild the /etc/broadhop/license_sl_data and license_sl_conf directories in the Cluster Manager VM:
    /var/qps/install/current/scripts/build/build_etc.sh
Step 5  Enter the following commands to push the license to pcrfclient01 and pcrfclient02:
    ssh pcrfclient01 /etc/init.d/vm-init
    ssh pcrfclient02 /etc/init.d/vm-init
Step 6  Enter the following commands to map the Smart License server hostname to its IP address and to synchronize the /etc/hosts files across the VMs:
    echo "64.101.38.11 smartreceiver.cisco.com" >> /etc/hosts
    /var/qps/bin/update/synchosts.sh
Step 7  Configure CPS to use Smart Licensing as follows:
  a) Open the qns.conf file by entering the following command:
    vi /etc/broadhop/qns.conf
  b) Edit the qns.conf file, and add the following argument:
    -Dcom.broadhop.license.approach=sl
  c) Save and close the qns.conf file.
  d) Enter the following commands to copy the modified qns.conf file from Cluster Manager to all of the VMs:
    copytoall.sh /etc/broadhop/qns.conf /etc/broadhop/qns.conf
    restartall.sh
  Caution Executing restartall.sh causes messages to be dropped.
Step 8  To view license-related logs, see the following log file: /var/log/broadhop/license.log
Step 9  Access the Cisco Smart Software Manager (CSSM) at the following location: https://software.cisco.com/
Step 10 Select the appropriate virtual account, and then click New Token in the General tab.
Step 11 In the Create Token dialog box, enter the required information, accept the terms and responsibilities, and then click Create Token.
Step 12 Select the token text, and copy it to your clipboard.
Step 13 Enter the following command, pasting the token that you copied in place of <token>:
    license smart register idtoken <token> [force]
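Steps 3, 6 and 7 of the procedure above change files with an appended echo and a manual vi edit, so running them a second time leaves a duplicate /etc/hosts line or a second license argument in qns.conf. The following Python helpers are an added example written for this guide, not CPS code: they make those two edits idempotent and check a features.properties file against the LicenseFeature=<PID>:<COUNT> form. The hosts entry, the JVM argument and the POLICY-ALL PID are taken from this chapter; the function names, the count of 1000 and the sample file contents are constructed.

```python
"""Idempotent helpers for the Smart Licensing enablement steps (added example, not CPS code).
The functions take and return file contents as strings, so they can be tried on copies
before /etc/hosts or /etc/broadhop/qns.conf on the Cluster Manager is touched."""
import re

SL_HOST_ENTRY = "64.101.38.11 smartreceiver.cisco.com"   # hosts entry from Step 6
SL_ARG = "-Dcom.broadhop.license.approach=sl"             # JVM argument from Step 7
FEATURE_RE = re.compile(r"^LicenseFeature=([A-Za-z0-9-]+):(\d+)$")  # LicenseFeature=<PID>:<COUNT>


def add_hosts_entry(hosts_text, entry=SL_HOST_ENTRY):
    """Append the Smart License receiver mapping only if the hostname is not mapped yet.
    'echo ... >> /etc/hosts' appends a duplicate line every time it is re-run."""
    _ip, host = entry.split()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) >= 2 and host in fields[1:]:
            return hosts_text                         # already present; leave its IP alone
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + entry + "\n"


def add_qns_arg(qns_conf, arg=SL_ARG):
    """Add the license-approach argument once; if the key is already set, replace its value."""
    key = arg.split("=", 1)[0] + "="
    lines = qns_conf.splitlines()
    for i, line in enumerate(lines):
        tokens = line.split()
        if any(t.startswith(key) for t in tokens):
            lines[i] = " ".join(arg if t.startswith(key) else t for t in tokens)
            return "\n".join(lines) + "\n"
    lines.append(arg)
    return "\n".join(lines) + "\n"


def check_features(features_text):
    """Return a list of problems in features.properties; an empty list means it is well formed."""
    problems = []
    for n, raw in enumerate(features_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FEATURE_RE.match(line)
        if m is None:
            problems.append(f"line {n}: expected LicenseFeature=<PID>:<COUNT>, got {line!r}")
        elif int(m.group(2)) <= 0:
            problems.append(f"line {n}: count for {m.group(1)} must be greater than zero")
    return problems


if __name__ == "__main__":
    # Constructed sample contents, not taken from a real deployment.
    hosts = add_hosts_entry(add_hosts_entry("127.0.0.1 localhost\n"))   # second call is a no-op
    print(hosts, end="")
    # '-Dcom.broadhop.example=value' is a hypothetical pre-existing argument.
    print(add_qns_arg("-Dcom.broadhop.example=value\n"), end="")
    print(check_features("LicenseFeature=POLICY-ALL:1000\nLicenseFeature=POLICY-ALL\n"))
```

Run the script on copies of the three files first; the returned strings are what would be written back, and check_features reporting an empty list is the condition to require before Step 4 rebuilds the directories.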
Product ID Tags
Tags for the following PIDs have been created to enable the proper product IDs to be identified, reported, and enforced.
Table 3: PID Tags
PID             Entitlement Tag                                                                   Entitlement name in CSSM
POLICY-VALUE    regid.2016-06.com.cisco.POLICY-VALUE,1.0_7f667e53-11e1-40e2-9480-ff7eb064561c     CPS Value Plus Feature Pack
POLICY-ALL      regid.2016-06.com.cisco.POLICY-ALL,1.0_65566461-0788-4c92-8ffa-f9a02e9843e8       CPS All Inclusive Feature Pack
POLICY-UPGRADE  regid.2016-06.com.cisco.POLICY-UPGRADE,1.0_8fa236bc-e481-4673-aa4d-7da8f707647c   CPS Upgrade from Value Plus to All Inclusive Feature Pack
POLICY-ADD      regid.2016-06.com.cisco.PCRF-ADD,1.0_676d51ca-4e14-40b3-81e7-1a600d726ce7         CPS PCRF Application License – Additional Applications
Smart Licensing CLI Commands
The following sections describe the commands that you can use to register, view information for, and manage Smart Licenses on your CPS systems.
Note These commands must be run on the active pcrfclient.
Register your Smart License
You must issue the following command to register your Smart License:
license smart register idtoken <token> [force]
This command registers the device with Cisco using an ID token that you obtain from the CSSM. The agent will register this product with Cisco and receive back an identity certificate. This certificate is saved and automatically used for all future communications with Cisco. After registration it will send the current license usage information to Cisco. Every 180 days the agent will automatically renew the registration information with Cisco. The ID token is not saved on the device. This only needs to be done once per device. The force option will cause the device to attempt registration even if it thinks it is already registered.
Show Smart License Information
You can use the following commands to view information related to your Smart License:
· show license status
· show license summary
· show license UDI
· show license usage
· show license all
· show license tech support
Manage your Smart License
You can use the following commands to manage your Smart License:
· license smart renew ID
Dependency Before using this command, Smart Licensing must be registered using the license smart register idtoken command.
This command initiates a manual update of the license registration information with Cisco. Since the registration renewal is automatically done by the agent every 6 months, the customer will probably never need to use this command. It is available if for some reason the user needs to renew the registration information manually.
· license smart renew auth
Dependency Before using this command, Smart Licensing must have been registered using the license smart register idtoken command.
This command manually refreshes license authorization information with Cisco. Since the license authorization is renewed automatically by the agent every 30 days, the customer will probably never need to use this command. It is available if for some reason the user needs to renew the license authorization information manually.
· license smart deregister
Dependency Before using this command, Smart Licensing must have been registered using the license smart register idtoken command.
This command unregisters the device. The agent will try to contact the Cisco licensing cloud and unregister itself. All Smart Licensing entitlements and certificates on the platform will be removed. All certificates and registration information will be removed from the trusted store. This is true even if the agent is unable to communicate with Cisco to unregister. If the customer wants to use Smart Licensing again, they must run the license smart register idtoken command again.
License Usage Threshold
The Fault list configuration in Policy Builder allows configuring the thresholds at which License Usage Threshold Exceeded traps are sent out. The default recommended values are: Critical 95, Major 90, Minor 85 and Warning 80 which would result in traps being sent at 80, 85, 90 and 95 percent for License Usage Threshold Limits.
For example, if the license limit is 10000 sessions and there are 9600 active sessions, configuring the threshold at 95 and the type as Critical would generate a Critical trap whose message is: Session Count License Usage at 96%, exceeding threshold: 95%.
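The threshold logic described above, as an added example that is not CPS code: the default Fault List values and the 10000/9600 figures come from the text, while the function names and the choice to fire a trap at the configured percentage (rather than only above it) are my assumptions. The validate_fault_list check flags a Fault List whose severities do not rise with the threshold, the kind of misconfiguration that would make a 95% breach arrive as a Warning.

```python
"""Evaluate License Usage Threshold fault-list entries against a session count
(added example, not CPS code). Thresholds and figures are from the guide; the
>= comparison and the function names are assumptions."""

# Default recommended Fault List entries: (Alarm Severity, License Usage Threshold Percentage).
DEFAULT_FAULT_LIST = [("Critical", 95), ("Major", 90), ("Minor", 85), ("Warning", 80)]
SEVERITY_RANK = {"Warning": 0, "Minor": 1, "Major": 2, "Critical": 3}


def usage_percent(active_sessions, license_limit):
    """Whole-number usage percentage, rounded down (9600 of 10000 sessions gives 96)."""
    if license_limit <= 0:
        raise ValueError("license limit must be greater than zero")
    if active_sessions < 0:
        raise ValueError("active session count cannot be negative")
    return active_sessions * 100 // license_limit


def crossed_thresholds(active_sessions, license_limit, fault_list=DEFAULT_FAULT_LIST):
    """Return (severity, trap message) for every entry whose threshold is reached,
    highest threshold first, using the trap text quoted in the guide."""
    pct = usage_percent(active_sessions, license_limit)
    traps = []
    for severity, threshold in sorted(fault_list, key=lambda e: e[1], reverse=True):
        if pct >= threshold:     # assumption: the trap is sent at the threshold, not only above it
            traps.append((severity,
                          f"Session Count License Usage at {pct}%, exceeding threshold: {threshold}%"))
    return traps


def validate_fault_list(fault_list):
    """Flag entries an operator should fix before publishing: unknown severities,
    percentages outside 1-100, duplicate thresholds, and severities that do not
    rise with the threshold (for example Warning at 95 but Critical at 80)."""
    problems = []
    seen = {}
    for severity, threshold in fault_list:
        if severity not in SEVERITY_RANK:
            problems.append(f"unknown severity {severity!r}")
        if not 1 <= threshold <= 100:
            problems.append(f"threshold {threshold} for {severity} is outside 1-100")
        if threshold in seen:
            problems.append(f"threshold {threshold} configured twice ({seen[threshold]} and {severity})")
        seen[threshold] = severity
    ordered = sorted((t, s) for t, s in seen.items() if s in SEVERITY_RANK)
    for (lo_t, lo_s), (hi_t, hi_s) in zip(ordered, ordered[1:]):
        if SEVERITY_RANK[lo_s] > SEVERITY_RANK[hi_s]:
            problems.append(f"{lo_s} at {lo_t}% is more severe than {hi_s} at {hi_t}%")
    return problems


if __name__ == "__main__":
    for severity, message in crossed_thresholds(9600, 10000):
        print(severity, "-", message)
    print(validate_fault_list([("Warning", 95), ("Critical", 80)]))
```

With the default list, 9600 sessions against a 10000 limit yields four traps, Critical first; a trap receiver test plan can be built from the returned list rather than from hand-computed percentages.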
Configuration
Procedure
Step 1  Open the Policy Builder GUI.
Step 2  Go to the Reference Data tab and select Fault List from the left pane.
Step 3  Under Create Child, click Fault List to create a License Usage Threshold Fault as shown below.
Figure 1: License Usage Threshold Fault
Step 4  Choose a Name for the Fault List. Currently, only the License Usage Threshold Percentage fault type is supported. The Alarm Severity can be configured to be one of Critical, Major, Minor or Warning. The recommended values for License Usage Threshold Percentage are:
· Critical 95
· Major 90
· Minor 85
· Warning 80
The above PB configuration, when saved and published, would trigger an application trap of type MAJOR when the 90% threshold configuration is crossed. One example of a trap sent would be number of licenses exceeded.
Validation Steps
Procedure
Step 1  Configure a Threshold Limit as explained above in PB.
Step 2  Generate active sessions exceeding the configured threshold limit.
Step 3  Validate that the traps are received on the configured trap receiver for the defined limit and severity.
Chapter 4
Managing CPS Interfaces and APIs
· CPS Interfaces and APIs, on page 33
· Multi-user Policy Builder, on page 64
· Control Center Access, on page 66
· Enable Authentication for Unified API, on page 70
· Unified API Security: Access Privileges, on page 72
· Enabling Unified API Access on HTTP Port 8080, on page 74
· TACACS+, on page 76
· CRD APIs, on page 80
· Policy Builder Publish and CRD Import/Export Automation, on page 98
· Remove Traces of Old Policy Director (LB) VIPs, on page 100
CPS Interfaces and APIs
CPS includes southbound interfaces to various policy control enforcement functions (PCEFs) in the network, and northbound interfaces to OSS/BSS and subscriber applications, IMSs, and web applications.
Control Center GUI Interface
Purpose Cisco Control Center enables you to do these tasks:
· Manage subscriber data, that is, find or create and edit information about your subscribers.
· View subscriber sessions.
· View system sessions.
· Populate custom reference data (CRD) tables.
URL and Port HA: https://<lbvip01>:443
Protocol HTTPS/HTTP
Accounts and Roles There are two levels of administrative roles supported for Control Center: Full Privilege and View Only. The logins and passwords for these two roles are configurable in LDAP or in /etc/broadhop/authentication-password.xml.
· Full Privilege Admin Users: These users can view, edit, and delete information and can perform all tasks. Admin users have access to all screens in Control Center.
· View Only Admin Users: These users can view information in Control Center, but cannot edit or change information. View only administrators have access to a subset of screens in the interface.
CRD REST API
Purpose The Custom Reference Data (CRD) REST API enables the query of, creation, deletion, and update of CRD table data without the need to access the Control Center GUI. The CRD APIs are available using an HTTP REST interface. The specific APIs are outlined in a later section in this guide.
URL and Port HA: https://<lbvip01>:443/custrefdata
A validation URL is: HA: https://<lbvip01>:8443/custrefdata
Protocol HTTPS/HTTP
Accounts and Roles Security and account management is accomplished by using the haproxy mechanism on the platform Policy Director (LB) by defining user lists, user groups, and specific users. On Cluster Manager: /etc/puppet/modules/qps/templates/etc/haproxy/haproxy.cfg
Configure HAProxy
Update the HAProxy configuration to add an authentication and authorization mechanism in the CRD API module.
1. Back up the /etc/haproxy/haproxy.cfg file.
2. Edit /etc/haproxy/haproxy.cfg on lb01/lb02 and add a userlist with at least one username and password as shown:
userlist <userlist name>
user <username1> password <encrypted password>
Use the following steps to generate an encrypted password hash:
a. Execute the /var/qps/install/current/scripts/bin/support/generate_encrypted_password.sh script to get the encrypted password.
b. After script execution, the encrypted password is displayed as follows:
+--------------------------------------------------------------------------------------------------------------+
| Fri May 29 11:43:47 UTC 2020                                                                                 |
| Encrypted key                                                                                                |
| $6$bc732ffd2a5ad85e$dYuQfGowAsAS6E2mQyWgGtcSUY4IKss11.4AY1u852gGwZzr4Y54rBdkHG6zQytFPXXDJGwknx.IYIeDeW.jP.    |
+--------------------------------------------------------------------------------------------------------------+
3. Add the following lines in frontend https-api to enable Authentication and Authorization for the CRD REST API, and create a new backend named crd_api_servers to intercept CRD REST API requests:
mode http
acl crd_api path_beg -i /custrefdata/
use_backend crd_api_servers if crd_api
backend crd_api_servers
mode http
balance roundrobin
option httpclose
option abortonclose
server qns01_A qns01:8080 check inter 30s
server qns02_A qns02:8080 check inter 30s
4. Update frontend https_all_servers by replacing api_servers with crd_api_servers for CRD API as follows:
acl crd_api path_beg -i /custrefdata/
use_backend crd_api_servers if crd_api
5. Edit /etc/haproxy/haproxy.cfg on lb01/lb02 as follows:
a. Add at least one group with user in userlist created in Step 2 as follows:
group qns-ro users readonly
group qns users apiuser
b. Add the following lines to the backend crd_api_servers:
acl authoriseUsers http_auth_group(<cps-user-list>) <user-group>
http-request auth realm CiscoApiAuth if !authoriseUsers
Map the group created in Step 5 with the acl as follows:
acl authoriseUsers http_auth_group(<cps-user-list>) <user-group>
6. Add the following in the backend crd_api_servers to set read-only permission (GET HTTP operation) for group of users:
http-request deny if !METH_GET authoriseUsers
HAProxy Configuration Example:
userlist cps_user_list
  group qns-ro users readonly
  group qns users apiuser
  user readonly password $6$xRtThhVpS0w4lOoS$pyEM6VYpVaUAxO0Pjb61Z5eZrmeAUUdCMF7D75BXKbs4dhNCbXjgChVE0ckfLDp4T2CsUzzNkoqLRdn7RbAAU1
  user apiuser password $6$xRtThhVpS0w4lOoS$pyEM6VYpVaUAxO0Pjb61Z5eZrmeAUUdCMF7D75BXKbs4dhNCbXjgChVE0ckfLDp4T2CsUzzNkoqLRdn7RbAAU1
frontend https-api
  description API
  bind lbvip01:8443 ssl crt /etc/ssl/certs/quantum.pem
  mode http
  acl crd_api path_beg -i /custrefdata/
  use_backend crd_api_servers if crd_api
  default_backend api_servers
  reqadd X-Forwarded-Proto: https if { ssl_fc }
frontend https_all_servers
  description Unified API,CC,PB,Grafana,CRD-API,PB-AP
  bind lbvip01:443 ssl crt /etc/ssl/certs/quantum.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
  mode http
  acl crd_api path_beg -i /custrefdata/
  use_backend crd_api_servers if crd_api
backend crd_api_servers
  mode http
  balance roundrobin
  option httpclose
  option abortonclose
  server qns01_A qns01:8080 check inter 30s
  server qns02_A qns02:8080 check inter 30s
  acl authoriseReadonlyUsers http_auth_group(cps_user_list) qns-ro
  acl authoriseAdminUsers http_auth_group(cps_user_list) qns
  http-request auth realm CiscoApiAuth if !authoriseReadonlyUsers !authoriseAdminUsers
  http-request deny if !METH_GET authoriseReadonlyUsers
Note The haproxy.cfg file is generated by the Puppet tool. Any manual changes to the file in lb01/lb02 would be reverted if the pupdate or vm-init scripts are run.
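Because the file is regenerated by Puppet, the useful check is one that can be re-run against the live /etc/haproxy/haproxy.cfg after every pupdate or vm-init. The script below is an added example, not CPS or Puppet code: it parses an haproxy.cfg into sections and applies the checks the procedure above implies (hashed passwords in the userlist, /custrefdata/ routed to crd_api_servers in each frontend, an http-request auth challenge tied to an http_auth_group acl, and the METH_GET deny rule for the read-only group). It also reports ssl binds without no-sslv3 no-tlsv10, which in the example above are present on the port 443 bind but absent on the port 8443 bind. The sample configuration is constructed from that example with the real $6$ hashes replaced by placeholders; function names are mine.

```python
"""Audit the CRD REST API part of an haproxy.cfg (added example, not CPS or Puppet code).
Checks: hashed userlist passwords, /custrefdata/ routed to crd_api_servers in every
frontend, an http-request auth challenge tied to an http_auth_group acl, the METH_GET
deny rule for the read-only group, and no-sslv3/no-tlsv10 on ssl binds."""
import re

SECTION_KINDS = {"global", "defaults", "frontend", "backend", "listen", "userlist", "peers", "resolvers"}

# Constructed from the configuration example above; the real $6$ hashes are replaced by placeholders.
SAMPLE_CFG = """\
userlist cps_user_list
  group qns-ro users readonly
  group qns users apiuser
  user readonly password $6$PLACEHOLDERSALT$PLACEHOLDERHASH
  user apiuser password $6$PLACEHOLDERSALT$PLACEHOLDERHASH
frontend https-api
  bind lbvip01:8443 ssl crt /etc/ssl/certs/quantum.pem
  acl crd_api path_beg -i /custrefdata/
  use_backend crd_api_servers if crd_api
frontend https_all_servers
  bind lbvip01:443 ssl crt /etc/ssl/certs/quantum.pem no-sslv3 no-tlsv10
  acl crd_api path_beg -i /custrefdata/
  use_backend crd_api_servers if crd_api
backend crd_api_servers
  mode http
  server qns01_A qns01:8080 check inter 30s
  server qns02_A qns02:8080 check inter 30s
  acl authoriseReadonlyUsers http_auth_group(cps_user_list) qns-ro
  acl authoriseAdminUsers http_auth_group(cps_user_list) qns
  http-request auth realm CiscoApiAuth if !authoriseReadonlyUsers !authoriseAdminUsers
  http-request deny if !METH_GET authoriseReadonlyUsers
"""


def parse_sections(text):
    """Split haproxy.cfg into [{'kind', 'name', 'lines': [[token, ...], ...]}], comments stripped."""
    sections, cur = [], None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] in SECTION_KINDS:
            cur = {"kind": tokens[0], "name": tokens[1] if len(tokens) > 1 else "", "lines": []}
            sections.append(cur)
        elif tokens and cur is not None:
            cur["lines"].append(tokens)
    return sections


def audit_crd_api(text, backend="crd_api_servers", path="/custrefdata/"):
    """Return a list of findings for the CRD API protection; an empty list means all checks passed."""
    findings, sections = [], parse_sections(text)
    userlists = {s["name"] for s in sections if s["kind"] == "userlist"}
    for s in sections:
        if s["kind"] == "userlist":
            for t in s["lines"]:
                if t[0] != "user":
                    continue
                if "insecure-password" in t:
                    findings.append(f"userlist {s['name']}: user {t[1]} uses clear-text insecure-password")
                elif "password" in t and not t[t.index("password") + 1].startswith("$6$"):
                    findings.append(f"userlist {s['name']}: user {t[1]} password is not a SHA-512 crypt ($6$) hash")
        elif s["kind"] == "frontend":
            acls = {t[1] for t in s["lines"] if t[0] == "acl" and "path_beg" in t and path in t}
            if not any(t[:2] == ["use_backend", backend] and t[2:3] == ["if"] and t[3:4] and t[3] in acls
                       for t in s["lines"]):
                findings.append(f"frontend {s['name']}: {path} is not routed to {backend}")
            for t in s["lines"]:
                if t[0] == "bind" and "ssl" in t:
                    missing = [o for o in ("no-sslv3", "no-tlsv10") if o not in t]
                    if missing:
                        findings.append(f"frontend {s['name']}: bind {t[1]} is missing {' '.join(missing)}")
    be = next((s for s in sections if s["kind"] == "backend" and s["name"] == backend), None)
    if be is None:
        return findings + [f"backend {backend} is not defined"]
    group_acls = set()                      # acl names built on http_auth_group(<userlist>)
    for t in be["lines"]:
        m = re.fullmatch(r"http_auth_group\((\S+)\)", t[2]) if t[0] == "acl" and len(t) > 3 else None
        if m:
            group_acls.add(t[1])
            if m.group(1) not in userlists:
                findings.append(f"backend {backend}: acl {t[1]} references unknown userlist {m.group(1)}")
    auth_ok = any("if" in t and set(a.lstrip("!") for a in t[t.index("if") + 1:]) & group_acls
                  for t in be["lines"] if t[:2] == ["http-request", "auth"])
    if not auth_ok:
        findings.append(f"backend {backend}: no http-request auth challenge tied to an http_auth_group acl")
    if not any(t[:2] == ["http-request", "deny"] and "!METH_GET" in t and set(t) & group_acls
               for t in be["lines"]):
        findings.append(f"backend {backend}: no read-only rule (http-request deny if !METH_GET <group acl>)")
    return findings


if __name__ == "__main__":
    for finding in audit_crd_api(SAMPLE_CFG) or ["no findings"]:
        print(finding)
```

On the sample the only finding is the port 8443 bind; adding no-sslv3 no-tlsv10 to it clears the audit, and removing the http-request deny line brings back a read-only finding, which is the regression the check exists to catch after a Puppet run.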
Grafana
Purpose Grafana is a metrics dashboard and graph editor used to display graphical representations of system and application KPIs and bulkstats of various CPS components.
URL and Port HA: https://<lbvip01>:9443/grafana
Protocol HTTPS/HTTP
Accounts and Roles An administrative user account must be used to add, modify, or delete Grafana dashboards or perform other administrative actions. Refer to the Graphite and Grafana and Prometheus and Grafana chapters in this guide for details on adding or deleting these user accounts.
HAProxy
Purpose HAProxy is a frontend IP traffic proxy process in lb01/lb02 that routes the IP traffic for other applications in CPS. The individual ports that haproxy forwards are described in the other individual sections. Depending on the Diameter configuration, haproxy-diameter statistics bind to one of the configurations, and that URL is displayed in the about.sh output. For the various Diameter configuration options, refer to the Diameter Related Configuration section in the CPS Installation Guide for VMware. More information about HAProxy is provided in HAProxy, on page 153. Documentation for HAProxy is available at: http://www.haproxy.org/#docs
URL and Port To view statistics, open a browser and navigate to the following URL:
· For HAProxy Statistics: http://<diameterconfig>:5540/haproxy?stats
· For HAProxy Diameter Statistics: http://<diameterconfig>:5540/haproxy-diam?stats
Accounts and Roles Not applicable.
JMX Interface
Purpose The Java Management Extension (JMX) interface can be used for managing and monitoring applications and system objects. Resources to be managed or monitored are represented by objects called managed beans (MBeans). An MBean represents a resource running in the JVM, and external applications can interact with MBeans through JMX connectors and protocol adapters for collecting statistics (pull), for getting and setting application configuration (push/pull), and for notifying events such as faults or state changes (push).
CLI Access External applications can be configured to monitor the application over JMX. In addition, the application provides scripts that connect to it over JMX and provide the required statistics and information.
Port pcrfclient01/pcrfclient02:
· Control Center: 9045
· Policy Builder: 9046
lb01/lb02:
· iomanager: 9045
· Diameter Endpoints: 9046, 9047, 9048…
qns01/qns02/qns…: 9045
These ports should be blocked using a firewall to prevent access from outside the CPS system.
Accounts and Roles Not applicable.
Logstash
Purpose
Logstash is a process that consolidates the log events from CPS nodes into pcrfclient01/pcrfclient02 for logging and alarms. The logs are forwarded to the CPS application to raise the necessary alarms, and the logs are stored at /var/log/logstash/logstash.log.
If logstash is not monitoring, check the Policy Server (qns) process using monit summary.
monit summary
Monit 5.25.1 uptime: 19h 45m
Service Name                    Status         Type
sav-pcrfclient01                OK             System
whisper                         OK             Process
stale-session-cleaner-helper    Initializing   Process
stale-session-cleaner           Initializing   Process
snmpd                           OK             Process
qns-2                           OK             Process
qns-1                           OK             Process
corosync                        OK             Process
memcached                       OK             Process
logstash                        OK             Process
collectd                        OK             Process
carbon-relay                    OK             Process
carbon-cache-c                  OK             Process
carbon-cache-b                  OK             Process
carbon-cache                    OK             Process
carbon-aggregator-b             OK             Process
carbon-aggregator               OK             Process
auditrpms.sh                    OK             Process
aido_client                     OK             Process
monitor-qns-2                   OK             File
monitor-qns-1                   OK             File
kpi_trap                        OK             Program
db_trap                         OK             Program
failover_trap                   OK             Program
qps_process_trap                OK             Program
admin_login_trap                OK             Program
vm_trap                         OK             Program
qps_message_trap                OK             Program
ldap_message_trap               OK             Program
logstash_process_status         OK             Program
monitor_replica                 OK             Program
mon_db_for_lb_failover          OK             Program
mon_db_for_callmodel            OK             Program
cpu_load_monitor                OK             Program
cpu_load_trap                   OK             Program
gen_low_mem_trap                OK             Program
auto_heal_server                OK             Program
Note On pcrfclient node, if Policy Server (qns) process is not running, ‘logstash_process_status’ program stops the logstash process so that the alarm is raised from another pcrfclient node.
CLI Access There is no specific CLI interface for logstash.
Protocol TCP and UDP
Ports TCP: 5544, 5545, 7546, 6514 UDP: 6514
Accounts and Roles Not applicable.
LDAP SSSD
Purpose In CPS 14.0.0 and higher releases, SSSD based authentication is supported, allowing users to authenticate against an external LDAP server and gain access to the CPS CLI. The SSSD RPMs and the default sssd.conf file are installed on each CPS VM when you perform a new installation or upgrade CPS. For more information, refer to the CPS Installation Guide for VMware. The /etc/monit.d/sssd file has been added with the following content so that SSSD is monitored by monit:
check process sssd with pidfile /var/run/sssd.pid
  start program = "/etc/init.d/sssd start" with timeout 30 seconds
  stop program = "/etc/init.d/sssd stop" with timeout 30 seconds
Also /etc/logrotate.d/sssd file has been added to rotate the SSSD log files. Here is the default configuration:
/var/log/sssd/*.log {
  daily
  missingok
  notifempty
  sharedscripts
  nodateext
  rotate 5
  size 100M
  compress
  delaycompress
  postrotate
    /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true
  endscript
}
Use the monit summary command to view the list of services managed by monit. Here is an example:
monit summary
The Monit daemon 5.17.1 uptime: 4d 2h 22m
Process 'whisper'                 Running
Process 'sssd'                    Running
Process 'snmptrapd'               Running
Process 'snmpd'                   Running
Program 'vip_trap'                Status ok
Program 'gr_site_status_trap'     Status ok
Process 'redis'                   Running
Process 'qns-4'                   Running
Process 'qns-3'                   Running
Process 'qns-2'                   Running
Process 'qns-1'                   Running
File 'monitor-qns-4'              Accessible
File 'monitor-qns-3'              Accessible
File 'monitor-qns-2'              Accessible
File 'monitor-qns-1'              Accessible
Process 'memcached'               Running
Process 'irqbalance'              Running
Process 'haproxy-diameter'        Running
Process 'haproxy'                 Running
Process 'cutter'                  Running
Process 'corosync'                Running
Program 'cpu_load_monitor'        Status ok
Program 'cpu_load_trap'           Status ok
Program 'gen_low_mem_trap'        Status ok
Process 'collectd'                Running
Process 'auditrpms.sh'            Running
System 'lb01'                     Running
Important Setting of other configuration files to support LDAP based authentication and the changes required in sssd.conf file as per the customer deployment is out of scope of this document. For more information, consult your Cisco Technical Representative.
Restriction Grafana support LDAP authentication over httpd and does not use SSSD feature. Due to this, if LDAP server is down then grafana is not accessible for LDAP users.
CLI Access No CLI is provided.
Port Port number is not required.
Configure Policy Builder
Procedure
Step 1  To provide admin access, enter the username in the following file:
/var/www/svn/users-access-file
Note This action should be performed on pcrfclient and not on the policy server (qns).
[groups]
admins = qns,qns-svn,sssd_pb_2
nonadmins = qns-ro
[/]
@admins = rw
@nonadmins = r
* = r
Step 2  Verify that you can export CRD data from the following link:
https://<server_ip>:443/central/
Configure Grafana
Procedure
Step 1  Bypass the first level of authentication by updating the /etc/httpd/conf.d/grafana-proxy.conf file as follows:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
# Set root to <ip address>/grafana
ProxyPass /grafana http://127.0.0.1:3000
ProxyPassReverse /grafana http://127.0.0.1:3000
# Set authentication for Grafana
# 1) Use httpd authentication as a front-end to Grafana
# 2) Remove header since Grafana is configured for anonymous
#    authentication and will fail with a pass-thru header
#
# Notice: scope of authentication and header is limited to Grafana
# to avoid conflicts with other applications. Apache configuration
# in this file is global unless contained in the directive below.
<Location "/grafana">
  LoadModule headers_module modules/mod_headers.so
  Header set Access-Control-Allow-Origin "*"
  Header set Access-Control-Allow-Methods "GET, OPTIONS"
  Header set Access-Control-Allow-Headers "origin, authorization, accept"
  Header set Access-Control-Allow-Credentials true
  # Do not pass credentials to Grafana's anonymous authorization
  RequestHeader unset Authorization
  Satisfy Any
  #AuthName "Authentication Required"
  #AuthUserFile "/var/broadhop/.htpasswd"
  #Require valid-user
  #Order allow,deny
  # This is used for local calls to the API during puppet bring up
  Allow from 127.0.0.1
  #Satisfy Any
</Location>
Step 2  Restart httpd by running the following command:
/usr/bin/systemctl restart httpd
Step 3  If a "port already in use" error is displayed, execute the following steps:
a) Run the following command to get the process ID:
ps -eaf | grep httpd
b) Run the following command to kill the pid:
kill -9 <pid>
Step 4  Update the /etc/grafana/grafana.ini file to point to LDAP authentication instead of Basic Auth as follows:
#################################### Basic Auth ##########################
[auth.basic]
# For CPS, trusted API requests come here and need local authentication
;enabled = true
#################################### Auth LDAP ##########################
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
Modify the /etc/grafana/ldap.toml file to provide the LDAP details (for example, search base dn, bind dn, group search base dn, member_of attribute) as follows:
# Set to true to log user information returned from LDAP
verbose_logging = true
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap_l.cisco.com"
# Default port is 389 or 636 if use_ssl = true
port = 10648
# Set to true if ldap server supports TLS
use_ssl = true
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
#root_ca_cert = "/etc/openldap/certs/ldap_local.cer"
# Search user bind dn
bind_dn = "uid=admin,ou=system"
# Search user bind password
bind_password = 'secret'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"
# An array of base dns to search through
search_base_dns = ["ou=users,dc=sprint,dc=com"]
#search_base_dns = ["ou=groups,dc=sprint,dc=com"]
# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of = "cn"
# in [servers.attributes] below.
# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# …
# member_of = "distinguishedName"
## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
#group_search_filter = "(cn=%s)"
#group_search_filter = "(&(objectClass=*)(cn=%s))"
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
## Defaults to the value of username in [server.attributes]
## Valid options are any of your values in [servers.attributes]
## If you are using nested groups you probably want to set this and member_of in
## [servers.attributes] to "distinguishedName"
group_search_filter_user_attribute = "cn"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["ou=groups,dc=sprint,dc=com"]
#group_search_base_dns = ["cn=Roles,ou=groups,dc=sprint,dc=com"]
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "cn"
surname = "sn"
username = "uid"
member_of = "cn"
email = "email"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=Admin,ou=groups,dc=sprint,dc=com"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
[[servers.group_mappings]]
group_dn = "cn=User,ou=groups,dc=sprint,dc=com"
org_role = "Editor"
#[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
#group_dn = "*"
#org_role = "Viewer"
Step 5  Restart the Grafana server by running the following command:
service grafana-server restart
Step 6  Log in to Grafana using LDAP user credentials.
Mongo Database
Purpose
MongoDB is used to manage session storage efficiently and address key requirements: low-latency reads and writes, high availability, multi-key access, and so on.
CPS supports different models of Mongo database depending on the CPS deployment, such as HA or Geo-redundancy. The database list is specific to your deployment.
To rotate the MongoDB logs on the Session Manager VM, open the MongoDB logrotate file by executing the following command:
cat /etc/logrotate.d/mongodb
You will see output similar to the following:
{
  daily
  rotate 5
  copytruncate
  create 640 root root
  sharedscripts
  postrotate
  endscript
}
In the above script the MongoDB logs are rotated daily, and it ensures that the latest 5 backups of these log files are kept.
HA
The standard definition for the supported replica sets is defined in a configuration file. This configuration file is self-explanatory and contains the replica set, set name, hostname, port number, data file path, and so on.
Location: /etc/broadhop/mongoConfig.cfg
Table 4: HA MongoDB
Database Name   Port Number   Primary DB Host   Secondary DB    Arbiter Host    Purpose
session_cache   27717         sessionmgr01      sessionmgr02    pcrfclient01    Session database
balance_mgmt    27718         sessionmgr01      sessionmgr02    pcrfclient01    Quota/Balance database
audit           27725         sessionmgr01      sessionmgr02    pcrfclient01    Reporting database
spr             ៦៧ ៨         sessionmgr01      sessionmgr02    pcrfclient01    USuM database
cust_ref_data                 sessionmgr01      sessionmgr02    pcrfclient01    Custom Reference Data
Note The list provided in the Table 4: HA MongoDB, on page 45 is for reference purposes only.
Note The port number configuration is based on what is configured in each of the respective Policy Builder plug-ins. Refer to the Plug-in Configuration chapter of the CPS Mobile Configuration Guide for correct port number and ports defined in mongo configuration file.
CLI Access Use the following commands to access the MongoDB CLI:
HA: Log in to pcrfclient01 or pcrfclient02 and run:
diagnostics.sh --get_replica_status
This command outputs information about the databases configured in the CPS cluster.
Note If a member is shown in an unknown state, it is likely that the member is not accessible from one of other members, mostly an arbiter. In that case, you must go to that member and check its connectivity with other members. Also, you can login to mongo on that member and check its actual status.
Protocol Not applicable.
Port Not applicable.
Accounts and Roles
Restrict MongoDB access for read-only users: If the firewall is enabled on the system, then on all VMs, for all read-only users, an iptables rule is created for outgoing connections that rejects outgoing traffic to the MongoDB replica sets. For example, a rule similar to the following is created:
REJECT     tcp  --  anywhere             sessionmgr01         tcp dpt:27718 owner GID match qns-ro reject-with icmp-port-unreachable
With this, the qns-ro user has restricted MongoDB access on sessionmgr01 on port 27718. Such rules are added for all read-only users who are part of the qns-ro group, for all replica sets.
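The check below is an added example, not part of the guide or of CPS: it audits an iptables -L listing for the read-only REJECT rules described above, parsing each rule of the form shown and reporting every expected replica-set endpoint (taken from Table 4) that has no rule for the qns-ro group. The listing and the endpoint list are constructed sample data, and host names are assumed to be resolved as in the guide's example output.

```python
import re
from typing import List, Sequence, Tuple

# Matches one rule line from `iptables -L` output of the kind the guide shows, e.g.
# REJECT  tcp  --  anywhere  sessionmgr01  tcp dpt:27718 owner GID match qns-ro reject-with icmp-port-unreachable
RULE_RE = re.compile(
    r"^REJECT\s+tcp\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"tcp\s+dpt:(?P<port>\d+)\s+owner\s+GID\s+match\s+(?P<gid>\S+)\s+"
    r"reject-with\s+icmp-port-unreachable"
)

Endpoint = Tuple[str, int]  # (replica-set member host, mongod port)


def parse_group_rejects(listing: str, group: str = "qns-ro") -> List[Endpoint]:
    """Return the (destination host, port) pairs the listing rejects for `group`.
    Header lines and rules for other groups are ignored."""
    found: List[Endpoint] = []
    for line in listing.splitlines():
        match = RULE_RE.match(line.strip())
        if match and match.group("gid") == group:
            found.append((match.group("dst"), int(match.group("port"))))
    return found


def missing_group_rejects(listing: str, expected: Sequence[Endpoint],
                          group: str = "qns-ro") -> List[Endpoint]:
    """Return every expected replica-set endpoint that has no REJECT rule for `group`.
    A non-empty result means members of that group could still reach the mongod
    directly, so the restriction the guide describes is incomplete on this VM."""
    present = set(parse_group_rejects(listing, group))
    return [endpoint for endpoint in expected if endpoint not in present]


# Constructed sample: an OUTPUT chain that carries rules for only two of the four
# endpoints expected from Table 4 (session_cache 27717, balance_mgmt 27718).
SAMPLE_LISTING = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             sessionmgr01         tcp dpt:27718 owner GID match qns-ro reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             sessionmgr02         tcp dpt:27718 owner GID match qns-ro reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
"""

EXPECTED_ENDPOINTS: List[Endpoint] = [
    ("sessionmgr01", 27717), ("sessionmgr01", 27718),
    ("sessionmgr02", 27717), ("sessionmgr02", 27718),
]


def audit_sample() -> List[Endpoint]:
    """Run the check against the constructed sample; returns the uncovered endpoints."""
    return missing_group_rejects(SAMPLE_LISTING, EXPECTED_ENDPOINTS)


if __name__ == "__main__":
    for host, port in audit_sample():
        print(f"no qns-ro REJECT rule for {host}:{port}")
```

On a real VM, feed the function the output of iptables -L OUTPUT (without -n, so destinations appear as host names) and build the expected list from the replica sets in /etc/broadhop/mongoConfig.cfg.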
Adding New Replica-set Members
Caution The following procedure must be performed only during a planned Maintenance Window (MW).
Note The procedure is for reference purposes only. Contact your Cisco Account representative before running the procedure.
Procedure
Step 1 Update the mongoConfig.cfg file with the new replica-set members to be configured.
Step 2 Login to the Cluster Manager VM of the site where you want to add the new replica-set members.
Step 3 Take a backup of the current /etc/broadhop/mongoConfig.cfg file:
/bin/cp /etc/broadhop/mongoConfig.cfg /etc/broadhop/mongoConfig.cfg.$(date +%Y-%m-%d).backup
Step 4 Copy the updated mongoConfig.cfg file to /etc/broadhop/.
If the file is located on a remote machine:
scp <user@vm:updated mongoConfig.cfg file_path> /etc/broadhop/
If the file is present on the current VM but at a different location:
/bin/cp <updated mongoConfig.cfg file_path> /etc/broadhop/
Step 5 Verify that the Session Manager and arbiter VMs have sufficient space available to create the new replica-set member. The verification command depends on where the new replica-set members will be created. Here is an example for the case where all the Session Manager VMs are updated:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "df -h"; done
For the arbiter VMs, you have to login to each VM and use the df -h command to verify space availability.
Step 6 Verify whether there are existing /var/tmp/stopped-<PORT> entries on the Session Manager and arbiter VMs. The verification command depends on where the new replica-set members will be created. Here is an example for the case where all the Session Manager VMs are updated:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/tmp/stopped-*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/tmp/stopped-* command to see if any such file exists.
a) If there is an existing /var/tmp/stopped-<PORT> file entry, delete those entries. Here is a sample command to delete the entries from the Session Manager VMs:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -rf /var/tmp/stopped-*"; done
For the arbiter VMs, you have to login to each VM and use the rm -rf /var/tmp/stopped-* command to remove the file entries.
Step 7 Verify whether mongoConfig.cfg-* files exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to verify whether mongoConfig.cfg-* files exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/aido/* command.
a) Delete all mongoConfig.cfg-* files that exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to delete the mongoConfig.cfg-* files that exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -f /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the /bin/rm -f /var/aido/* command to remove the mongoConfig.cfg-* files.
Step 8 Execute copytoall.sh to copy the updated /etc/broadhop/mongoConfig.cfg from the Cluster Manager to all the VMs:
copytoall.sh /etc/broadhop/mongoConfig.cfg
Step 9 SSH to the remote Site2/Cluster2 and take a backup of its mongoConfig.cfg file.
Step 10 Copy the mongoConfig.cfg file from the local Site1/Cluster1 to the remote Site2/Cluster2 under /etc/broadhop:
scp root@<local_site_cluman_ip>:/etc/broadhop/mongoConfig.cfg /etc/broadhop/
Step 11 Verify whether there are existing /var/tmp/stopped-<PORT> entries on the Session Manager and arbiter VMs. The verification command depends on where the new replica-set members will be created. Here is an example for the case where all the Session Manager VMs are updated:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/tmp/stopped-*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/tmp/stopped-* command to see if any such file exists.
a) If there is an existing /var/tmp/stopped-<PORT> file entry, delete those entries. Here is a sample command to delete the entries from the Session Manager VMs:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -rf /var/tmp/stopped-*"; done
For the arbiter VMs, you have to login to each VM and use the rm -rf /var/tmp/stopped-* command to remove the file entries.
Step 12 Verify the mongoConfig.cfg-* files under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to verify whether mongoConfig.cfg-* files exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/aido/* command.
a) Delete all mongoConfig.cfg-* files that exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to delete the mongoConfig.cfg-* files that exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -f /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the /bin/rm -f /var/aido/* command to remove the mongoConfig.cfg-* files.
Step 13 Execute copytoall.sh to copy the updated /etc/broadhop/mongoConfig.cfg from the Cluster Manager to all the VMs:
copytoall.sh /etc/broadhop/mongoConfig.cfg
Step 14 On the local Site1/Cluster1, execute the build_etc.sh command to apply the new mongoConfig.cfg file and add the new replica sets:
/var/qps/install/current/scripts/build/build_etc.sh
Step 15 On the remote Site2/Cluster2, execute the build_etc.sh command to apply the new mongoConfig.cfg file and add the new replica sets:
/var/qps/install/current/scripts/build/build_etc.sh
Step 16 Wait for some time (approximately 5 minutes) and verify the new replica-set status by executing the following command:
diagnostics.sh --get_replica_status
Rollback Replica-set Members
Caution The following procedure must be performed only during a planned Maintenance Window (MW).
Note The procedure is for reference purposes only. Contact your Cisco Account representative before running the procedure.
Procedure
Step 1 Prepare a list of the replica sets and set names that you want to remove from the local and remote site.
Step 2 Execute the following command to remove all the replica sets identified in Step 1, on page 49:
build_set.sh --session --remove-replica-set --setname setxx --force
where setxx is the set name identified in Step 1, on page 49.
Step 3 Verify that the new replica sets have been removed using the diagnostics.sh --get_replica_status command.
Step 4 Copy the mongoConfig.cfg backup file saved earlier in Adding New Replica-set Members to /etc/broadhop on the Cluster Manager VM of the local site:
/bin/cp /etc/broadhop/mongoConfig.cfg.*.backup /etc/broadhop/
Step 5 Verify that the mongoConfig.cfg file has the older configuration.
Note You need to verify manually that the mongoConfig.cfg file has the older configuration.
Step 6 Execute copytoall.sh to copy the updated /etc/broadhop/mongoConfig.cfg from the Cluster Manager to all the VMs:
copytoall.sh /etc/broadhop/mongoConfig.cfg
Step 7 Verify whether mongoConfig.cfg-* files exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to verify whether mongoConfig.cfg-* files exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/aido/* command.
a) Delete all mongoConfig.cfg-* files that exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to delete the mongoConfig.cfg-* files that exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -f /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the /bin/rm -f /var/aido/* command to remove the mongoConfig.cfg-* files.
Step 8 SSH to the remote site and roll back its mongoConfig.cfg from the backup.
Step 9 Execute copytoall.sh to copy the updated /etc/broadhop/mongoConfig.cfg from the Cluster Manager to all the VMs:
copytoall.sh /etc/broadhop/mongoConfig.cfg
Step 10 Verify whether mongoConfig.cfg-* files exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to verify whether mongoConfig.cfg-* files exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "ls -ltrh /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the ls -ltrh /var/aido/* command.
a) Delete all mongoConfig.cfg-* files that exist under /var/aido/ on each Session Manager and arbiter VM. Here is a sample command to delete the mongoConfig.cfg-* files that exist:
for i in $(hosts-sessionmgr.sh); do echo $i; ssh $i "rm -f /var/aido/*"; done
For the arbiter VMs, you have to login to each VM and use the /bin/rm -f /var/aido/* command to remove the mongoConfig.cfg-* files.
Step 11 On the local site, apply the previous version of the mongoConfig.cfg file by executing the following command:
/var/qps/install/current/scripts/build/build_etc.sh
Step 12 On the remote site, apply the previous version of the mongoConfig.cfg file by executing the following command:
/var/qps/install/current/scripts/build/build_etc.sh
Step 13 Verify the health check using the diagnostics.sh command on the local and remote site.
Replica Set Arbiter: Security
Arbiters do not replicate any data, including user and role details; they only participate in the vote when a new primary is elected. Thus, when authentication is enabled, the only way to login to them is through the localhost exception. For more information, refer to https://docs.mongodb.com/v3.6/core/replica-set-arbiter/#security.
A few commands (such as isMaster, ping, connectionStatus, and authenticate) do not require authentication even when authentication is enabled, because they are used to support connecting to a deployment. On the other hand, the majority of commands (including rs.status(), show dbs, show collections, and so on) require authentication when authentication is enabled. For the detailed command list, refer to https://docs.mongodb.com/v3.6/reference/command/
Admin Database
Purpose
By default, the admin replica set holds the following databases:
· sharding: This database holds the following information:
    · Session sharding: Session shard seeds and their databases.
    · Session type counters: Session statistics information. For example, the number of sessions present in each shard for Gx, Rx, Sy, and so on.
    · Session compression dictionary data: Compression object data of session field data.
    · Memcache rings data: Memcached rings and their sets data. Every set has two sessionmgr VMs followed by the memcached port number.
    · Secondary Key sharding: Secondary Key shard seeds and their databases.
    · License data: Session license information.
· scheduler: This database holds the information about the secondary key rebuild tasks. When you execute rebuild sk rings or rebuild sk db, the application creates the scheduled tasks in the "tasks" collection of this database. Once the tasks are created, the application pulls the information from the collection and executes those tasks.
· diameter: This database holds the information about which load balancer instance each connected peer (inbound and outbound) is connected to. It also holds the history of peer connections (start) and disconnections (stop) with timestamps.
· queueing: This database holds the in and out queue data of the internal TCP connections between the Policy Director (LB) and Policy Server (QNS) VMs.
· clusters: This database holds the site names and IP addresses of the ADMIN replica-set members in the hosts collection.
· policy_trace: This database holds the traces of particular subscribers. To view the traces, you need to enable the trace for a particular subscriber.
· Keystore: This database holds the Redis key store configuration.
Note There are separate configurations available for the Trace Database and Endpoint Database in the Cluster configuration under Policy Builder.
· If the Trace Database is configured, the "policy_trace" database is stored in the configured replica set.
· If the Endpoint Database is configured, the "diameter" and "queueing" databases are stored in the configured replica set.
For more information on Trace Database and Endpoint Database configuration, see the Adding an HA Cluster section in the CPS Mobile Configuration Guide.
Note In a GR deployment, if any site loses connectivity (internal/replication) to the ADMIN replica set, the following impact is observed:
· If the Admin/Endpoint databases are shared across all the sites:
    · There can be communication issues between the Policy Server (QNS) and Policy Director (LB) VMs. As the application is not able to get to the connected peers to send the processing messages, timeouts or drops can be observed.
    · Cross-site messaging of stale session RARs from the Policy Director (LB) of the failed site to the Policy Director (LB) of the peer running site fails.
· If the Endpoint databases are not shared (co-located locally) across all the sites:
    · There is no communication issue between the Policy Server (QNS) and Policy Director (LB) VMs, as the application is able to get the connected peers information locally to send the processing messages.
    · Cross-site messaging of stale session RARs from the Policy Director (LB) of the failed site to the Policy Director (LB) of the peer running site fails, and vice versa.
· Grafana does not display the session counters properly.
· If subscriber trace is enabled, policy_trace cannot insert the trace information about the configured subscribers.
Protocol Not applicable.
Port Not applicable.
Accounts and Roles Not applicable.
OSGi Console
Purpose
CPS is based on the Open Service Gateway initiative (OSGi), and the OSGi console is a command-line shell which can be used for analyzing problems at the OSGi layer of the application.
CLI Access
Use the following command to access the OSGi console:
telnet <ip> <port>
The following commands can be executed on the OSGi console:
ss : List installed bundle status.
start <bundle-id> : Start the bundle.
stop <bundle-id> : Stop the bundle.
diag <bundle-id> : Diagnose the bundle.
Sharding Commands
Use the following OSGi commands to add or remove shards:
Table 5: Sharding Commands
Command
    Description
listshards
    Lists all the shards.
removeshard <shard id>
    Marks the shard for removal. If the shard is a non-backup shard, a rebalance is required for the shard to be removed fully. If the shard is a backup shard, it does not require a rebalance of sessions and hence is removed immediately.
rebalance <rate limit>
    Rebalances the buckets and migrates sessions with the rate limit. The rate limit is optional. If a rate limit is passed, it is applied at rebalance.
rebalancebg <rate limit>
    Rebalances the buckets and schedules a background task to migrate sessions. The rate limit is optional. If a rate limit is passed, it is applied at rebalance.
rebalancestatus
    Displays the current rebalance status. Status can be one of the following:
    · Rebalance is running (Remaining buckets: <pending count>)
    · Rebalance is required
    · Rebalanced
rebuildAllSkRings
    In order for CPS to identify a stale session from the latest session, the secondary key mapping for each site stores the primary key in addition to the bucket ID and the site ID, that is, Secondary Key = <Bucket Id>; <Site Id>; <Primary Key>.
    To enable this feature, add the flag -Dcache.config.version=1 in the /etc/broadhop/qns.conf file.
    Enabling this flag and running rebuildAllSkRings starts the data migration for the new version so that CPS can load the latest version of the session.
skRingRebuildStatus
    Displays the status of the migration and the current cache version.
listskshard
    Lists the SK shards.
addskshard seed1[,seed2] port db-index [backup]
    Adds a new SK shard. For a backup shard, pass the backup option.
removeskshard shardid [confirm]
    Marks the SK shard for deletion.
rebalancesk [rate limit]
    Rebalances SK buckets across SK shards in the foreground.
migratesk [rate limit]
    Migrates SK data in the foreground. If the data is already migrated, it will query and skip.
rebalanceskbg [rate limit]
    Rebalances SK buckets across SK shards and schedules the distribute task to migrate SK data in the background on multiple QNS.
migrateskbg [rate limit]
    Schedules the distribute task to migrate SK data in the background on multiple QNS. If the data is already migrated, it will query and skip.
rebalanceskstatus
    Shows the SK DB shard rebalance status.
rebuildskdb [rate limit]
    Rebuilds the SK DB from the Session DB. The default rate limit is 1000.
rebuildskdbstatus
    Shows the current SK DB rebuild status.
getskorder
    Gets the current caching system priority order.
setskorder skcache1 [skcache2]
    · Changes the secondary key caching system priority order.
    · skcache1[2] can be MEMCACHE or SK_DB.
    · skcache1 and skcache2 must not be the same.
    · skcache2 is optional; if skcache2 is not provided, it is disabled.
    Example:
    · setskorder SK_DB: Enables SK_DB and disables MEMCACHE
    · setskorder MEMCACHE SK_DB: Enables MEMCACHE as PRIMARY and SK_DB as FALLBACK
listskshard siteId
    Lists the SK shards for the corresponding site ID.
addskshard seed1[,seed2] port db-index siteid [backup]
    Adds a new SK shard for the mentioned site. For a backup shard, add the backup option.
rebalancesk siteid [rate limit]
    Rebalances SK buckets across SK shards in the foreground for the mentioned site.
migratesk siteid [rate limit]
    Migrates SK data in the foreground for the mentioned site. If the data is already migrated, it will query and skip.
rebalanceskbg siteid [rate limit]
    Rebalances SK buckets across SK shards for the mentioned site ID and schedules the distribute task to migrate SK data in the background on multiple Policy Servers (QNS).
migrateskbg siteid [rate limit]
    Schedules the distribute task to migrate SK data in the background on multiple Policy Servers (QNS) for the mentioned site. If the data is already migrated, it will query and skip.
rebalanceskstatus siteid
    Shows the SK database shard rebalance status for the mentioned site.
rebuildskdb siteid [rate limit]
    Rebuilds the SK database from the Session database for the mentioned site. The default rate limit is 1000.
rebuildskdbstatus siteid
    Shows the current SK database rebuild status for the mentioned site ID.
CPS Alarm Commands
Use the following OSGi command to get the information related to open application alarms in CPS:
Table 6: Alarm Commands
Command
    Description
listalarms
    Lists the open/active application alarms since the last restart of the Policy Server (QNS) process on the pcrfclient01/02 VM.
    Example:
    osgi> listalarms
    Active Application Alarms
    id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,051+0000 msg="3001:Host: site-host-gx Realm: site-gx-client.com is down"
    id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,048+0000 msg="3001:Host: site-host-sd Realm: site-sd-client.com is down"
    id=1000 sub_id=3001 event_host=lb01 status=down date=2017-11-22,10:45:17,927+0000 msg="3001:Host: site-server Realm: site-server.com is down"
    id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,091+0000 msg="3001:Host: site-host-rx Realm: site-rx-client.com is down"
    id=1000 sub_id=3002 event_host=lb02 status=down date=2017-11-22,10:47:34,111+0000 msg="3002:Realm: site-server.com:applicationId: 7:all peers are down"
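The parser below is an added example, not CPS code: it turns listalarms output like the sample above into records a monitoring job can act on, giving the down alarms per Policy Director host, the counts per sub_id, and the Diameter realms named in the messages. The embedded output reproduces the guide's sample as constructed test input.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# One listalarms record, e.g.
# id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,051+0000 msg="3001:Host: ... is down"
ALARM_RE = re.compile(
    r"id=(?P<id>\d+)\s+sub_id=(?P<sub_id>\d+)\s+event_host=(?P<host>\S+)\s+"
    r"status=(?P<status>\S+)\s+date=(?P<date>.+?)\s+msg=\"(?P<msg>[^\"]*)\""
)
# "Realm: site-gx-client.com is down" and "Realm: site-server.com:applicationId: 7:..." both yield the realm
REALM_RE = re.compile(r"Realm:\s*(?P<realm>[^\s:]+)")


@dataclass(frozen=True)
class Alarm:
    alarm_id: int
    sub_id: int
    event_host: str
    status: str
    date: str
    msg: str


def parse_listalarms(output: str) -> List[Alarm]:
    """Parse what an OSGi `listalarms` call prints into Alarm records.
    The echoed prompt and the heading line carry no record and are skipped."""
    alarms: List[Alarm] = []
    for line in output.splitlines():
        m = ALARM_RE.search(line)
        if m:
            alarms.append(Alarm(int(m["id"]), int(m["sub_id"]), m["host"],
                                m["status"], m["date"], m["msg"]))
    return alarms


def down_by_host(alarms: List[Alarm]) -> Dict[str, int]:
    """Number of status=down alarms raised on each Policy Director (lb01/lb02)."""
    return dict(Counter(a.event_host for a in alarms if a.status == "down"))


def count_by_sub_id(alarms: List[Alarm]) -> Dict[int, int]:
    """Alarm count per sub_id (3001 = peer host down, 3002 = all peers of a realm down)."""
    return dict(Counter(a.sub_id for a in alarms))


def realms_affected(alarms: List[Alarm]) -> Set[str]:
    """Diameter realms named in the alarm messages."""
    realms: Set[str] = set()
    for a in alarms:
        m = REALM_RE.search(a.msg)
        if m:
            realms.add(m["realm"])
    return realms


# Constructed input: the guide's sample output, as the console prints it.
SAMPLE_OUTPUT = """\
osgi> listalarms
Active Application Alarms
id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,051+0000 msg="3001:Host: site-host-gx Realm: site-gx-client.com is down"
id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,048+0000 msg="3001:Host: site-host-sd Realm: site-sd-client.com is down"
id=1000 sub_id=3001 event_host=lb01 status=down date=2017-11-22,10:45:17,927+0000 msg="3001:Host: site-server Realm: site-server.com is down"
id=1000 sub_id=3001 event_host=lb02 status=down date=2017-11-22,10:47:34,091+0000 msg="3001:Host: site-host-rx Realm: site-rx-client.com is down"
id=1000 sub_id=3002 event_host=lb02 status=down date=2017-11-22,10:47:34,111+0000 msg="3002:Realm: site-server.com:applicationId: 7:all peers are down"
"""

if __name__ == "__main__":
    parsed = parse_listalarms(SAMPLE_OUTPUT)
    print(down_by_host(parsed), count_by_sub_id(parsed), sorted(realms_affected(parsed)))
```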
Memcache Commands
Use the following OSGi commands to get the information related to memcache:
Note The memcache commands have been deprecated in CPS 20.1.0 and later releases.
Table 7: Memcache Commands
Command
    Description
disableCacheAudit
    Used to disable the complete memcached audit. Default: enable
enableCacheAudit
    Used to enable the regular memcached audit. Default: enable
cacheAuditStatus
    Used to display the current regular memcached audit status.
enableFtsBasedCacheAudit
    Used to enable the Full Table Scan (FTS) threshold based audit. This works only when the audit feature is enabled. Default: true
disableFtsBasedCacheAudit
    Used to disable the FTS threshold based audit.
ftsBasedCacheAuditStatus
    Used to display the current FTS based memcached audit status.
currentCacheAuditInterval
    Used to display the current periodic memcached audit interval.
updateCacheAuditInterval AuditInterval[Integer]
    Used to update the regular memcached audit interval. The audit interval cannot be less than 360 minutes.
currentFTSCacheAuditThreshold
    Used to display the current FTS threshold for the FTS based memcached audit.
setFTSCacheAuditThreshold ThresholdVal[Integer]
    Used to specify the FTS threshold value for the FTS based memcached audit. This value cannot be less than 25% of the total allowed FTS per qns.
nextCacheAuditSchedule
    Used to display the next regular memcached audit schedule when the memcache audit is done.
Ports
pcrfclientXX:
· Control Center: 9091
· Policy Builder: 9092
lbXX:
· iomanager: 9091
· Diameter Endpoints: 9092, 9093, 9094 …
qnsXX: 9091
Ports should be blocked using a firewall to prevent access from outside the CPS cluster.
Accounts and Roles Not applicable.
Policy Builder GUI
Purpose Policy Builder is the web-based client interface for the configuration of policies in Cisco Policy Suite.
URL and Port HA: https://<lbvip01>:7443/pb
Protocol HTTPS/HTTP
Accounts and Roles Initial accounts are created during the software installation. Refer to the CPS Operations Guide for commands to add users and change passwords.
REST API
Purpose To allow initial investigation into a Proof of Concept API for managing a CPS system and its related Custom Reference Data through an HTTPS-accessible JSON API.
CLI Access This is an HTTPS/Web interface and has no Command Line Interface.
URL and Port API: http://<Cluster Manager IP>:8458 Documentation: http://<Cluster Manager IP>:7070/doc/index.html
Accounts and Roles Initial accounts are created during the software installation. Refer to the CPS Operations Guide for commands to add users and change passwords.
Rsyslog
Purpose Enhanced log processing is provided using Rsyslog. Rsyslog logs Operating System (OS) data locally (/var/log/messages, and so on) using the /etc/rsyslog.conf and /etc/rsyslog.d/*conf configuration files. rsyslog outputs all WARN level logs on CPS VMs to the /var/log/warn.log file. On all nodes, Rsyslog forwards the OS system log data to lbvip02 via UDP over the port defined in the logback_syslog_daemon_port variable, as set in the CPS deployment template (Excel spreadsheet). To download the most current CPS Deployment Template (/var/qps/install/current/scripts/deployer/templates/QPS_deployment_config_template.xlsm), refer to the CPS Installation Guide for VMware or the CPS Release Notes for this release. Additional information is available in the Logging chapter of the CPS Troubleshooting Guide. Refer also to http://www.rsyslog.com/doc/ for the Rsyslog documentation.
CLI Access Not applicable.
Protocol UDP
Port 6514
Accounts and Roles Account and role management is not applicable.
Rsyslog Customization
CPS provides the ability to configure forwarding of consolidated syslogs from rsyslog-proxy on Policy Director VMs to remote syslog servers (refer to CPS Installation Guide for VMware). However, if additional customizations are made to rsyslog configuration to forward logs to external syslog servers in customer’s network for monitoring purposes, such forwarding must be performed via dedicated action queues in rsyslog. In the absence of dedicated action queues, when rsyslog is unable to deliver a message to the remote server, its main message queue can fill up which can lead to severe issues, such as, preventing SSH logging, which in turn can prevent SSH access to the VM. Sample configuration for dedicated action queues is available in the Logging chapter of the CPS Troubleshooting Guide. Refer to rsyslog documentation on http://www.rsyslog.com/doc/v5-stable/concepts/queues.html for more details about action queues.
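As an added illustration (it is not the sample from the CPS Troubleshooting Guide and not a shipped CPS file), the legacy-format rsyslog fragment below forwards everything to an external collector through its own disk-assisted action queue, which is the isolation the paragraph above calls for. The collector address 192.0.2.50:514, the spool file name and the work directory are placeholders; the work directory must be writable by rsyslog.

```conf
# Added example, not CPS's shipped configuration. Drop it into a file under
# /etc/rsyslog.d/ after the existing rules. The $ActionQueue* directives bind
# only to the next action line, so a stalled collector fills this queue and
# never the main message queue that local logging (including sshd) depends on.
$WorkDirectory /var/spool/rsyslog
# Dedicated queue: an in-memory linked list that spills to disk when it fills.
$ActionQueueType LinkedList
$ActionQueueFileName ext_collector
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
# Retry the collector indefinitely instead of discarding messages.
$ActionResumeRetryCount -1
# @@ selects TCP (a single @ would be UDP); 192.0.2.50:514 is a placeholder.
*.* @@192.0.2.50:514
```

Without the queue directives the same *.* line would use the main queue, which is exactly the failure mode described above.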
SVN Interface
Apache Subversion (SVN) is the versioning and revision control system used within CPS. It maintains all the CPS policy configurations and has repositories in which files can be created, updated and deleted. SVN
maintains the file difference each time any change is made to a file on the server and for each change it generates a revision number. In general, most interactions with SVN are performed via Policy Builder.
CLI Access
Use the following commands to access SVN from a remote machine with the SVN client installed.
Get all files from the server:
svn checkout --username <username> --password <password> <SVN Repository URL> <Local Path>
Example:
svn checkout --username broadhop --password broadhop http://pcrfclient01/repos/configuration/root/configuration
If <Local Path> is not provided, files are checked out to the current directory.
Store/check-in the changed files to the server:
svn commit --username <username> --password <password> <Local Path> -m "modified config"
Example:
svn commit --username broadhop --password broadhop /root/configuration -m "modified config"
Update the local copy to the latest from SVN:
svn update <Local Path>
Example:
svn update /root/configuration/
Check the current revision of files:
svn info <Local Path>
Example:
svn info /root/configuration/
Note Use svn --help for a list of other commands.
Protocol HTTP
Port 80
Accounts and Roles
CPS 7.0 and Higher Releases
Add User with Read Only Permission
From the pcrfclient01 VM, run adduser.sh to create a new user.
/var/qps/bin/support/adduser.sh
Note This command can also be run from the Cluster Manager VM, but you must include the OAM (PCRFCLIENT) option:
/var/qps/bin/support/adduser.sh pcrfclient
Example:
[root@pcrfclient01 /]# /var/qps/bin/support/adduser.sh
Enter username: <username>
Enter group for the user: <any group>
Enter password:
Re-enter password:
Add User with Read/Write Permission
By default, the adduser.sh script creates a new user with read-only permissions. For read/write permission, you must assign the user to the qns-svn group and then run the vm-init command. From the pcrfclient01 VM, run the adduser.sh script to create the new user, then run the following command on both the pcrfclient01 and pcrfclient02 VMs:
/etc/init.d/vm-init
You can now login and commit changes as the newly created user.
Change Password
From the pcrfclient01 VM, run the change_passwd.sh script to change the password of a user.
/var/qps/bin/support/change_passwd.sh
Example:
[root@pcrfclient01 /]# /var/qps/bin/support/change_passwd.sh
Enter username whose password needs to be changed: user1
Enter current password:
Enter new password:
Re-enter new password:
CPS Versions Earlier than 7.0
Perform all of the following commands on both the pcrfclient01 and pcrfclient02 VMs.
Add User
Use the htpasswd utility to add a new user:
htpasswd -mb /var/www/svn/.htpasswd <username> <password>
Example:
htpasswd -mb /var/www/svn/.htpasswd user1 password
In some versions, the password file is /var/www/svn/password
Provide Access
Update the user role file /var/www/svn/users-access-file and add the username under admins (for read/write permissions) or nonadmins (for read-only permissions). For example:
[groups]
admins = broadhop
nonadmins = read-only, user1
[/]
@admins = rw
@nonadmins = r
Change Password
Use the htpasswd utility to change passwords:
htpasswd -mb /var/www/svn/.htpasswd <username> <password>
Example:
htpasswd -mb /var/www/svn/.htpasswd user1 password
TACACS+ Interface
Purpose CPS 7.0 and above has been designed to leverage the Terminal Access Controller Access Control System Plus (TACACS+) to facilitate centralized management of users. Leveraging TACACS+, the system is able to provide system-wide authentication, authorization, and accounting (AAA) for the CPS system. Further the system allows users to gain different entitlements based on user role. These can be centrally managed based on the attribute-value pairs (AVP) returned on TACACS+ authorization queries.
CLI Access No CLI is provided.
Port CPS communicates to the AAA backend using IP address/port combinations configured by the operator.
Account Management Configuration is managed by the Cluster Management VM which deploys the /etc/tacplus.conf and various PAM configuration files to the application VMs. For more account management information, refer to TACACS+ Service Requirements, on page 77. For more information about TACACS+, refer to the following links:
· TACACS+ Protocol Draft: http://tools.ietf.org/html/draft-grant-tacacs-02
· Portions of the solution reuse software from the open source pam_tacplus project hosted at: https://github.com/jeroennijhof/pam_tacplus
For information on CLI commands, refer to Accessing the CPS CLI, on page 62.
Unified API
Purpose Unified APIs are used to reference customer data table values.
URL and Port HA: https://<lbvip01>:8443/ua/soap
Protocol HTTPS/HTTP
Accounts and Roles Currently there is no authorization for this API.
Accessing the CPS CLI
sudo supports a plugin architecture for security policies and input/output logging. The default security policy is sudoers, which is configured via the file /etc/sudoers; it contains the rules that users must follow when using the sudo command. sudo allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. For example:
%adm ALL=(ALL) NOPASSWD: ALL
This means that any user in the administrator group on any host may run any command as any user without a password. The first ALL refers to hosts, the second to target users, and the last to allowed commands.
When an authenticated user has one of the above group permissions, they can access the CPS CLI and run the predefined commands available to that user role. A list of commands available after authentication can be viewed using the sudo -l command (-l for list), or any user with root privileges can use sudo -l -U <qns-role> to see the available commands for a specific Policy Server (qns) role.
The /etc/sudoers file contains user specifications that define the commands that users may execute. When sudo is invoked, these specifications are checked in order, and the last match is used. A user specification looks like this at its most basic:
User Host = (Runas) Command
Read this as “User may run Command as the Runas user on Host”. Any or all of the above may be the special keyword ALL, which always matches. User and Runas may be usernames, group names prefixed with %, numeric UIDs prefixed with #, or numeric GIDs prefixed with %#. Host may be a hostname, IP address, or a whole network (for example, 192.0.2.0/24), but not 127.0.0.1.
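The matching rules above (ALL, %group, #uid, %#gid, CIDR hosts, and last match wins) are easy to get wrong when several role rules sit in one file. The following is an added example, not code from the guide, from sudo, or from CPS: a small evaluator that applies those rules to a constructed sudoers fragment. The %adm line is the one quoted above; the qns-ro and %#504 rules, the user names, and the /var/qps/bin/control/... script paths are assumptions made for the example. Aliases, Defaults lines, negation (!) and wildcards are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the guide or from sudo): evaluate sudoers user
# specifications of the form  User Host = (Runas) [NOPASSWD:] Command, ...
# using the rules described above. Aliases, Defaults, "!" and wildcards are
# out of scope; this is a model of the matching logic, not sudo's parser.

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD):\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sudoers fragment. The %adm line is the page's example; the CPS
# role lines and the script paths are assumptions for this example.
SAMPLE_SUDOERS = """\
# read-only role by group name: one status script, password required
%qns-ro  ALL = (root) /var/qps/bin/control/statusall.sh
# admin role by numeric gid (504), only from the management network
%#504    192.0.2.0/24 = (root) /var/qps/bin/control/stopall.sh, /var/qps/bin/control/startall.sh
# the page's example: any command, as any user, no password
%adm     ALL = (ALL) NOPASSWD: ALL
"""


@dataclass
class Principal:
    name: str
    uid: int
    gids: tuple = ()    # primary gid (as delivered by TACACS+) plus supplementary gids
    groups: tuple = ()  # group names the user belongs to


def _user_matches(spec, p):
    if spec == "ALL":
        return True
    if spec.startswith("%#"):        # numeric GID
        return int(spec[2:]) in p.gids
    if spec.startswith("%"):         # group name
        return spec[1:] in p.groups
    if spec.startswith("#"):         # numeric UID
        return int(spec[1:]) == p.uid
    return spec == p.name


def _host_matches(spec, hostname, ip):
    if spec == "ALL":
        return True
    if "/" in spec:                  # whole network, e.g. 192.0.2.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return spec in (hostname, ip)


def _runas_matches(spec, target):
    if spec is None:                 # "(Runas)" omitted means root only
        return target == "root"
    names = [s.strip() for s in spec.split(",")]
    return "ALL" in names or target in names


def _cmd_matches(spec, command):
    spec_parts = spec.split()
    if spec_parts == ["ALL"]:
        return True
    cmd_parts = command.split()
    if spec_parts[0] != cmd_parts[0]:
        return False
    # a bare path allows any arguments; a spec with arguments must match exactly
    return len(spec_parts) == 1 or spec_parts[1:] == cmd_parts[1:]


def evaluate(sudoers_text, principal, hostname, ip, runas, command):
    """Decision of the LAST matching user specification:
    {'allowed': True, 'nopasswd': bool, 'rule': str}, or None if nothing matches."""
    decision = None
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or re.match(r"#(?!\d)", line):   # comment ("#uid" is not one)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        if not (_user_matches(m["user"], principal)
                and _host_matches(m["host"], hostname, ip)
                and _runas_matches(m["runas"], runas)):
            continue
        if any(_cmd_matches(c, command) for c in m["cmds"].split(",")):
            decision = {"allowed": True, "nopasswd": "NOPASSWD:" in m["tags"], "rule": line}
    return decision
```

The last-match rule is the point to watch: a user who is in both qns-ro and adm is matched by the restrictive %qns-ro line and then by the %adm line, and only the later, broader line counts. Ordering broad rules before narrow ones, or keeping a user out of adm, is what makes the role lines effective.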
Group Identifiers
gid: The group identifier of the TACACS+ authenticated user on the VM nodes. This value should reflect the role assigned to a given user, based on the following values:
· group id=500 (qns): The group identifier used by the Policy Server (qns) user in the application.
· group id=501 (qns-su): This group identifier should be used for users that are entitled to attain superuser (or 'root') access on the CPS VM nodes.
· group id=504 (qns-admin): This group identifier should be used for users that are entitled to perform administrative maintenance on the CPS VM nodes.
Note: To execute administrative scripts from qns-admin, prefix the command with sudo. For example:
sudo stopall.sh
· group id=505 (qns-ro): This group identifier should be used for users that are entitled to read-only access to the CPS VM nodes.
When an authenticated user has one of the above group permissions, they can access the CPS CLI and run the predefined commands available to that user role. The list of commands available after authentication can be viewed with sudo -l (-l for list), or any user with root privileges can run sudo -l -U <user>, where <user> is a member of the role's group, to see the commands available to a specific Policy Server (qns) role. For more information, refer to https://www.sudo.ws/intro.html.
home: The user's home directory on the CPS VM nodes. To enable simpler management of these systems, users should be configured with a pre-deployed shared home directory based on the role they are assigned with the gid:
· home=/home/qns-su should be used for users in the 'qns-su' group (gid=501)
· home=/home/qns-admin should be used for users in the 'qns-admin' group (gid=504)
· home=/home/qns-ro should be used for users in the 'qns-ro' group (gid=505)
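The gid and home values above must agree with each other for a login to land in the intended role. The following is an added example, not code from the guide or from pam_tacplus, that checks the attributes a TACACS+ server returns for a user against that pairing. It assumes gid and home arrive as authorization attribute-value pairs, written attr=value for a mandatory attribute and attr*value for an optional one as in the TACACS+ draft linked earlier; the sample replies are constructed, not captured from a real server.

```python
import re

# Added example (not from the guide): validate the CPS role attributes a
# TACACS+ server returns for a login against the gid/home pairing above.
# Assumption: gid and home arrive as authorization attribute-value pairs;
# per the TACACS+ draft, "attr=value" is mandatory and "attr*value" optional.

ROLE_BY_GID = {
    500: ("qns", None),                   # application user; no shared home listed above
    501: ("qns-su", "/home/qns-su"),
    504: ("qns-admin", "/home/qns-admin"),
    505: ("qns-ro", "/home/qns-ro"),
}

AVPAIR_RE = re.compile(r"^([A-Za-z_][\w-]*)([=*])(.*)$")


def parse_avpairs(pairs):
    """Return {attr: (value, mandatory)}; reject anything not in attr=value / attr*value form."""
    parsed = {}
    for raw in pairs:
        m = AVPAIR_RE.match(raw)
        if not m:
            raise ValueError(f"malformed attribute-value pair: {raw!r}")
        attr, sep, value = m.groups()
        parsed[attr] = (value, sep == "=")
    return parsed


def check_cps_role(pairs):
    """Return (role, problems); role is None when no valid CPS role can be derived."""
    avs = parse_avpairs(pairs)
    problems = []
    if "gid" not in avs:
        return None, ["gid attribute missing: user has no CPS role"]
    gid_value, mandatory = avs["gid"]
    if not mandatory:
        # an optional gid may be silently dropped by the client, leaving the user roleless
        problems.append("gid sent as optional (gid*...); a client may ignore it")
    if not gid_value.isdigit():
        return None, [f"gid is not numeric: {gid_value!r}"]
    gid = int(gid_value)
    if gid not in ROLE_BY_GID:
        return None, [f"gid {gid} is not a CPS role (expected 500, 501, 504 or 505)"]
    role, expected_home = ROLE_BY_GID[gid]
    if expected_home is not None:
        home = avs.get("home", (None, False))[0]
        if home is None:
            problems.append(f"home missing; {role} should use {expected_home}")
        elif home != expected_home:
            problems.append(f"home {home!r} does not match role {role} (expected {expected_home})")
    return role, problems


# Constructed replies for illustration (not captured from a real server).
SAMPLE_REPLIES = {
    "admin ok":      ["gid=504", "home=/home/qns-admin"],
    "home mismatch": ["gid=505", "home=/home/qns-admin"],
    "optional gid":  ["gid*501", "home=/home/qns-su"],
    "unknown gid":   ["gid=1000", "home=/home/alice"],
}
```

Run check_cps_role over each TACACS+ user profile before rolling it out: a read-only user whose profile points at /home/qns-admin, or a superuser whose gid is marked optional, is exactly the kind of mismatch that is hard to spot once the account is in use.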
Support for Multiple User Login Credentials
CPS supports multiple user login credentials with different privileges for all non-cluman VMs. To extend this to the Cluster Manager (cluman), add the allow_user_for_cluman flag to the configuration.csv file; this updates the sudoers file. The flag supports the following privileges on cluman.