Installation APIs
Input and Output Formats
The CPS Orchestration API accepts both YAML and JSON for inputs (request payloads) and outputs (response payloads).
The input format is specified by the "Content-Type" header. It is mandatory whenever the request includes a message body: any such request must carry the header.
The output format is specified by the "Accept" header and is optional.
The following formats are supported for the Content-Type and Accept headers:
- application/json
- application/yaml
- text/yaml
The default output format (if the Accept attribute is not specified) for all APIs is always application/json except for following APIs, for which the default output format is text/yaml:
- /api/system/config
- /api/system/config/additional-hosts
- /api/system/config/hosts
- /api/system/config/replica-sets
- /api/system/mongo/config
/api/system/status/cluman
Purpose
This API returns the readiness status of the Cluster Manager VM.
Cluster Manager VM Readiness
If /mnt/iso/install.sh is executing, the status is returned as 'not ready'. If /mnt/iso/install.sh has completed executing, the status is returned as 'ready'.
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/status/cluman
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Header: Content-Type: application/json
- Method: GET
- Payload: JSON
- Response: 200 OK: success
The following example shows the status reported for a new CPS deployment:
{ "status": "ready" }
API logs are written to: /var/log/orchestration-api-server.log
/api/system/config/
Purpose
This API is used to load an initial configuration or return (GET) the current CPS cluster configuration.
This API is also used to apply the loaded configuration to all VMs within the CPS cluster.
API logs are written to: /var/log/orchestration-api-server.log
Retrieve the Current Configuration
To retrieve (GET) the current CPS cluster configuration that is loaded on the CPS Cluster Manager:
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Header: Content-Type: application/yaml
- Method: GET
- Payload: There is no payload.
- Response Codes: 200: OK.
Example Response (No Configuration Present), YAML:
---
configVersion: null
hosts: null
vlans: null
additionalHosts: null
config: null
licenses: null
replicaSets: null
For a response showing an example configuration file refer to Sample YAML Configuration File - HA Setup.
Load a Configuration
Note: This API can only be used once for initial deployment. Once a configuration has been applied (/system/config/action/apply) as described below, this API is no longer available.
Note: Before loading the configuration file to your CPS cluster, verify that the YAML file uses the proper syntax. There are many publicly-available websites which you can use to validate your YAML configuration file; because the file carries credentials (TACACS+ secret, hypervisor and SNMPv3 passwords, LDAP bind password), a local YAML parser is the safer choice.
Note: When this API is issued, the following basic validations are performed on the consolidated configuration (YAML) file submitted in the payload:
If a validation error is detected, an appropriate message is provided in the API response, and reported in
To load a new CPS cluster configuration on the CPS Cluster Manager:
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Header: Content-Type: application/yaml
- Method: POST
- Payload: Include the YAML configuration file in the POST. Refer to Sample YAML Configuration File - HA Setup for more information about this configuration file.
- Response: 200: success; 400: malformed or invalid; 403: Configuration may not be changed at this time (for example, after it has been applied).
To verify that the configuration was properly loaded, perform another GET to http://<Cluster Manager IP>:8458/api/system/config/
Apply the Loaded Configuration
Note: This API can only be used once for initial deployment. After a configuration has been applied, the API is no longer available.
Once a new configuration file has been uploaded to the Cluster Manager VM, you must apply the configuration. This triggers the Cluster Manager VM to prepare and push out the new configuration to all VMs in the cluster, and to perform any post-update steps.
During an initial deployment of a CPS cluster, the CPS VMs in the cluster will remain in an inactive/waiting state until this configuration file is applied.
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/action/apply
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Header: Content-Type: application/json
- Method: POST
- Payload: There is no payload.
- Response: 200: success; 400: malformed or invalid; 403: Configuration may not be applied at this time; 500: System error. See logs.
To check the status of the CPS cluster after applying a configuration, refer to /api/system/config/status.
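The whole initial-deployment sequence (wait for the Cluster Manager to be ready, load the YAML, read it back to verify, apply) as an added Python example; this is not part of the original page and not Cisco's code. It uses only the endpoints, headers and response codes listed above. The pluggable `send` transport and the `FakeClusterManager` are assumptions introduced so the flow can run offline; the fake mimics the documented behaviour, including the 403 returned for a config POST after apply. Run the real thing over HTTPS wherever the HTTPS support described on this page is enabled, since the configuration payload carries credentials.

```python
# Added example, not Cisco's code: drives the initial-deployment flow above
# (readiness poll, config POST, verify GET, apply POST) against the documented
# endpoints. Assumptions: the 'send' hook, which lets the flow run offline against
# the constructed FakeClusterManager below, and port 8458 on the Cluster Manager.
import json
import time
import urllib.error
import urllib.request


def urllib_send(method, url, headers, body):
    """Default transport: one HTTP(S) request, returning (status, response_text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class CpsOrchestrationClient:
    def __init__(self, host, https=False, send=urllib_send):
        scheme = "https" if https else "http"   # use https once HTTPS support is enabled
        self.base = f"{scheme}://{host}:8458"
        self.send = send

    def _request(self, method, path, body=None, content_type="application/json",
                 accept="application/json"):
        # Accept is always set explicitly: /api/system/config* defaults to text/yaml,
        # every other path to application/json, so a client must not rely on the default.
        headers = {"Content-Type": content_type, "Accept": accept}
        return self.send(method, self.base + path, headers,
                         body.encode() if body is not None else None)

    def cluman_status(self):
        status, text = self._request("GET", "/api/system/status/cluman")
        if status != 200:
            raise RuntimeError(f"status endpoint returned {status}: {text}")
        return json.loads(text)["status"]         # 'ready' or 'not ready'

    def wait_until_ready(self, attempts=60, delay=5.0):
        """Poll until /mnt/iso/install.sh has finished; returns the number of polls."""
        for n in range(1, attempts + 1):
            if self.cluman_status() == "ready":
                return n
            time.sleep(delay)
        raise TimeoutError("Cluster Manager did not become ready")

    def load_config(self, yaml_text):
        """POST the consolidated YAML, then GET it back to confirm it was stored."""
        status, text = self._request("POST", "/api/system/config/", yaml_text,
                                     content_type="application/yaml", accept="text/yaml")
        if status == 403:
            raise PermissionError("configuration already applied; POST is no longer available")
        if status != 200:
            raise ValueError(f"configuration rejected ({status}): {text}")
        status, current = self._request("GET", "/api/system/config/",
                                        content_type="application/yaml", accept="text/yaml")
        return status == 200 and current.strip() == yaml_text.strip()

    def apply_config(self):
        # No payload; permitted once per initial deployment.
        status, text = self._request("POST", "/api/system/config/action/apply")
        if status != 200:
            raise RuntimeError(f"apply failed ({status}): {text}")
        return True


class FakeClusterManager:
    """Constructed stand-in for the API (not a real server) so the flow runs offline."""
    def __init__(self, ready_after=3):
        self.polls, self.config, self.applied, self.ready_after = 0, None, False, ready_after

    def __call__(self, method, url, headers, body):
        path = url.split(":8458", 1)[1]
        if path == "/api/system/status/cluman":
            self.polls += 1
            ready = self.polls >= self.ready_after
            return 200, json.dumps({"status": "ready" if ready else "not ready"})
        if path == "/api/system/config/" and method == "POST":
            if self.applied:
                return 403, "Configuration may not be changed at this time"
            self.config = body.decode()
            return 200, "success"
        if path == "/api/system/config/" and method == "GET":
            return 200, self.config if self.config is not None else "---\nconfig: null\n"
        if path == "/api/system/config/action/apply" and method == "POST":
            self.applied = True
            return 200, "success"
        return 404, "not found"


def run_initial_deployment(client, yaml_text, poll_delay=5.0):
    """Readiness wait -> load -> verify -> apply; returns how many polls were needed."""
    polls = client.wait_until_ready(delay=poll_delay)
    if not client.load_config(yaml_text):
        raise RuntimeError("stored configuration does not match what was sent")
    client.apply_config()
    return polls
```

Against a real Cluster Manager, construct `CpsOrchestrationClient("<Cluster Manager IP>")` without a `send` argument and pass the consolidated YAML read from disk; the `PermissionError` on a second load is the documented 403 and tells you the cluster is past the point where this API can be used.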
Encrypt Administration Traffic Parameters
The administration traffic parameters (rsyslog, haproxy, SNMPv3) can be configured under the "config:" section, which defines the general global parameters used to deploy CPS.
Important: For a fresh installation, if the parameters rsyslog_tls and rsyslog_ca are not set, they are initialized to default values and the feature is enabled. To disable the feature, set rsyslog_tls to FALSE. Similarly, for haproxy_stats_tls, if no value is set (TRUE or FALSE), the default value (TRUE) is used and the feature is enabled. SNMPv3 is enabled only if the snmpv3 section is present (that is, not commented out).
Note: For the upgrade scenario, if parameters are not defined they are initialized to empty.
Parameter | Description
---|---
rsyslog_tls | This field is used to enable or disable encryption for rsyslog. Default: TRUE
rsyslog_cert | This field is used to define the path of the trusted certificate of the server.
rsyslog_ca | This field is used to define the path of the certifying authority (CA). Default: /etc/ssl/cert/quantum.pem
rsyslog_key | This field is used to define the path of the private key.
haproxy_stats_tls | This field is used to enable or disable encryption for HAproxy statistics. Default: TRUE
config:
  # enable SNMP V3.
  # If null, SNMP V3 is disabled.
  # To enable add the following:
  # v3User: The SNMP V3 user: REQUIRED
  # engineId: hex value (ie, 0x0102030405060708): REQUIRED
  # authProto: SHA or MD5: REQUIRED
  # authPass: at least 8 characters: REQUIRED
  # privProto: AES or DES: REQUIRED
  # privPass: OPTIONAL
  snmpv3:
    v3User: "cisco_snmpv3" #----> Default value. Change as per your deployment requirements
    engineId: "0x0102030405060708"
    authProto: "SHA"
    authPass: "cisco_12345"
    privProto: "AES"
    privPass: ""
config:
  rsyslogTls: "TRUE"
  rsyslogCa: "/etc/ssl/certs/quantum.pem"
  rsyslogCert: "/etc/ssl/cert/quantum.pem"
  rsyslogKey: "/etc/ssl/cert/quantum.key"
  haproxyStatsTls: "TRUE"
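A pre-flight validator for the keys above, as an added example that is not part of the original page and not Cisco's code. It takes the parsed `config:` mapping as a Python dict (the output of any local YAML parser) and applies the REQUIRED and format rules from the comments, plus warnings for things a reviewer would flag before the file is loaded: MD5 and DES are accepted by CPS but cryptographically weak, the sample values printed above are public, and an empty privPass weakens SNMPv3 privacy. The engine-ID length check (5 to 32 octets, from RFC 3411) is an assumption beyond what the page states.

```python
# Added example (not Cisco's code): pre-flight checks for the 'config:' keys shown
# above, run on the parsed YAML (a dict from a local YAML parser) before the file
# is POSTed. The weak-algorithm and sample-value warnings are this editor's
# recommendations, not CPS requirements; CPS accepts MD5 and DES.
import re

SAMPLE_VALUES = {"v3User": "cisco_snmpv3", "authPass": "cisco_12345",
                 "engineId": "0x0102030405060708"}   # the page's sample values
WEAK = {"authProto": "MD5", "privProto": "DES"}
STRONG = {"authProto": "SHA", "privProto": "AES"}


def validate_admin_traffic(config):
    """Return (errors, warnings) for the encrypt-administration-traffic keys."""
    errors, warnings = [], []
    for key in ("rsyslogTls", "haproxyStatsTls"):
        val = str(config.get(key, "TRUE")).upper()      # unset on a fresh install = TRUE
        if val not in ("TRUE", "FALSE"):
            errors.append(f"{key}: must be TRUE or FALSE, got {config[key]!r}")
        elif val == "FALSE":
            warnings.append(f"{key}: encryption disabled")
    if str(config.get("rsyslogTls", "TRUE")).upper() == "TRUE":
        for key in ("rsyslogCa", "rsyslogCert", "rsyslogKey"):
            if not str(config.get(key) or "").startswith("/"):
                errors.append(f"{key}: absolute path required when rsyslogTls is TRUE")
    snmp = config.get("snmpv3")
    if not snmp:
        warnings.append("snmpv3: section absent or null, so SNMPv3 stays disabled")
        return errors, warnings
    for req in ("v3User", "engineId", "authProto", "authPass", "privProto"):
        if not snmp.get(req):
            errors.append(f"snmpv3.{req}: REQUIRED")
    eid = str(snmp.get("engineId", ""))
    # Assumption: RFC 3411 snmpEngineID is 5..32 octets, written here as 0x-prefixed hex.
    if eid and not re.fullmatch(r"0x(?:[0-9A-Fa-f]{2}){5,32}", eid):
        errors.append("snmpv3.engineId: expected 0x followed by 5-32 octets of hex")
    if snmp.get("authProto") not in (None, "SHA", "MD5"):
        errors.append("snmpv3.authProto: must be SHA or MD5")
    if snmp.get("privProto") not in (None, "AES", "DES"):
        errors.append("snmpv3.privProto: must be AES or DES")
    for key, weak in WEAK.items():
        if snmp.get(key) == weak:
            warnings.append(f"snmpv3.{key}: {weak} is cryptographically weak; prefer {STRONG[key]}")
    if snmp.get("authPass") and len(str(snmp["authPass"])) < 8:
        errors.append("snmpv3.authPass: at least 8 characters required")
    if not snmp.get("privPass"):
        warnings.append("snmpv3.privPass: empty; set a privacy passphrase distinct from authPass")
    for key, sample in SAMPLE_VALUES.items():
        if snmp.get(key) == sample:
            warnings.append(f"snmpv3.{key}: still the documented sample value, change it")
    return errors, warnings
```

Treat any returned error as a reason not to POST the file; the warnings are judgement calls, but a config that still carries the sample v3User, engineId and authPass shipped in this document is effectively using published credentials.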
Configuration Parameters - HA System
The following parameters can be defined in the CPS configuration file. For sample configuration file, refer to Sample YAML Configuration File - HA Setup section.
In this file, the Internal, Management and Gx networks must have an exact case match of "Internal", "Management" and "Gx" in the following sections:
-
hosts: interfaces: value of "network"
-
vlans: value of "name"
All parameters and values are case sensitive.
Note: Before loading the configuration file to your CPS cluster, verify that the YAML file uses the proper syntax. There are many publicly-available websites which you can use to validate your YAML configuration file; because the file carries credentials, a local YAML parser is the safer choice.
Parameter descriptions, in the order the parameters appear in the configuration file:
- The version of the configuration file. This must be set to
- This section defines the host entries for each of the CPS VMs in the deployment.
- Defines the host name of the VM. This name must be resolvable in the enterprise DNS environment.
- Defines the internal host name used by each CPS VM for internal communication, such as lb0x, pcrfclient0x, sessionmgr0x, or qns0x.
- This section defines the network details for each VM.
- The network name, which must match a VLAN name (see below).
- The IP interface address.
- This section defines the separate VLANs to be configured. The "Internal" and "Management" VLANs are always needed. For additional networks, add more as needed.
- Defines the name for a particular VLAN. It is recommended to use a name representing the network for certain traffic. The VLAN names defined here must be used as the "network" value of the host interfaces. The "Internal" VLAN name is always needed. Names must consist only of alphanumeric characters and underscores, and must not start with a number.
- The hostname associated with virtual interfaces on the Policy Directors (LBs), typically "Internal", "Management", and "Gx".
- The Virtual IP address used on this VLAN. The virtual addresses are used to distribute the traffic between two Policy Directors. If using IPv6, the address must be specified in the canonical text form described in RFC 5952.
- The name of the interface specified in the host cloud config or Heat definition.
- The OAM (pcrfclient) VIP alias.
- This section defines any hosts not configured in the hosts section above. In a CPS cluster configured with more than two Policy Directors (LBs), HAProxy and the VIPs are hosted only on LB01 and LB02; the additional LBs serve only as Diameter endpoints to route Diameter traffic. Any other hosts with which CPS must interact, such as NTP or NMS servers, must be defined in this section. Any hosts defined here are added to the /etc/hosts file of each CPS VM.
- The hostname of the host.
- The internal host name used by CPS nodes for internal communication, such as qns01.
- The IP address to use in the /etc/hosts file.
- This section defines general global parameters used to deploy CPS.
- Do not change.
- Do not change. Security Enhanced Linux (SELinux) support: disabled | enforcing. Default: disabled
- Do not change.
- Do not change. Default: broadhop
- Enter TRUE to enable TACACS+ authentication. For more information, refer to the CPS Installation Guide for VMware. Default: FALSE
- Defines the IP address of the TACACS+ server.
- Defines the password/secret of the TACACS+ server.
- A string value indicating which service is used when authorizing and auditing against the TACACS+ servers. Default:
- A string value indicating which protocol is used when authorizing and auditing against the TACACS+ servers. Default:
- An integer that represents how long the software waits, in seconds, for the TACACS+ server to respond to queries. Default:
- An integer value indicating the debug level to run the software in. Currently, this is effectively boolean. Default: 0
- This field is used to enable or disable Redis authentication. Default: true (for fresh installations). To enable or disable Redis authentication for upgrade and migration setups, refer to Redis Authentication for Upgrading/Migrating Systems.
- This field is used to add an encrypted password for Redis. For more information about generating the encrypted password, refer to the Password Encryption section under Redis Authentication in the CPS Installation Guide for VMware.
- This value specifies the number of Redis server instances running on each Policy Director (lb) VM. Redis authentication is enabled with the number of instances defined in redisServerCount. If no value is provided, the default of 3 is used. To disable Redis explicitly, set the Redis server count to 0. Default: 3. Value range: 0 to 64
- This parameter is used only when a dedicated LDAP instance is required. Default: false. Possible values: true, false. If you configure the LDAP instance explicitly, the first Redis instance on the Policy Director (lb) VMs, running on port 6379, is used for LDAP and the remaining instances are used for Diameter.
- This parameter allows the user to provide interface names on which the firewall is opened for replica-sets on a VM. If
- By default, a low memory alert is generated when the available memory of any CPS VM drops below 10% of the total memory. To change the default threshold, enter a new value (0.0-1.0) for the alert threshold. The system generates an alert trap whenever the available memory falls below this percentage of total memory for any given VM. Default: 0.10 (10% free).
- Entries are space-separated tuples consisting of protocol:hostname:port. Only UDP is supported at this time. Default: 514. For example: udp:corporate_syslog_ip:514 udp:corporate_syslog_ip2:514
- A comma-separated list of port values. This must match the values in the syslog_managers_list.
- Port value for the rsyslog proxy server to listen on for incoming connections, used in the rsyslog configuration on the Policy Director (lb) and in logback.xml on the OAM (pcrfclient). Default: 6515
- IP address value used in the   Default: lbvip02
- The following cpu_usage settings are related to the High CPU Usage Alert and High CPU Usage Clear traps that can be generated for CPS VMs. Refer to the CPS SNMP, Alarms and Clearing Procedures Guide for more details about these SNMP traps. This value is the higher threshold for CPU usage: the system generates an Alert trap whenever the CPU usage is higher than this value.
- The lower threshold value for CPU usage. The system generates a Clear trap whenever the CPU usage is lower than this value and an Alert trap has already been generated.
- The interval period for executing the CPU usage trap script. The interval is calculated by multiplying the given value by five seconds. For example, if set to one, the script is executed every five seconds. The default value is 12, which means the script is executed every 60 seconds.
- The SNMP trap community string. Default: broadhop
- This value is the SNMP read-only community string. Default: broadhop
- Do not change.
- By default, a low memory alert is generated when the available memory of any CPS VM drops below 10% of the total memory. To change the default threshold, enter a new value (0.0-1.0) for the alert threshold. The system generates an alert trap whenever the available memory falls below this percentage of total memory for any given VM. Default: 0.10 (10% free)
- Enter a value (0.0-1.0) for the clear threshold. The system generates a low memory clear trap whenever the available memory for any given VM is more than this percentage of total memory. Default: 0.3 (30% of the total memory)
- This value is used to configure the replica-set timeout. The default value is 540 seconds, sized for four replica sets; set the timeout according to the number of replica sets in your network. Recovering a single session replica-set takes approximately 120 seconds; with a 20% buffer added, 540 seconds is used as the default for four replica sets. Without latency between sessionmgr VMs, one replica-set recovers in about 135 seconds. If latency (40-100 ms) is present between sessionmgr VMs, add a 10% buffer to 135 seconds and set the timeout for the number of replica sets in the deployment.
- Enables ( Default:
- Enables or disables the Linux firewall (iptables) on all VMs. Valid options: enabled / disabled. Default: enabled
- Enable SNMPv3 support within CPS by deleting
- This field contains the value of a VLAN name which can be used to access the KPI values provided by SNMP. Default: Management
- This parameter is used for GR deployments to synchronize the mongo configuration across sites. For more information, refer to /api/system/config/replica-sets/action/sync-mongo.
- This field is used to enable or disable MongoDB authentication. Possible values: true or false. For the MongoDB authentication process, refer to the MongoDB Authentication Process section.
- This parameter is the plain or encrypted password for the admin user, depending on the value set in
- This parameter is the plain or encrypted password for the readonly user, depending on the value set in
- If this parameter is false, then the   If this parameter is true, then the encrypted password needs to be configured. For encrypted passwords, SSH to a Cluster Manager and execute the following command:   Default: false
- This parameter is used to update the remote site Cluster Manager IP address.
- This parameter allows the user to enable or disable SSH login security. Default: disabled. Possible values: enabled, disabled
- This parameter is used to configure the Cluster Manager administrator user.
- This parameter is the encrypted password for the administrator user.
- Valid values are an array of whitelisted hosts, specified as strings, for which SSH access is allowed. This configuration is effective only when SSH login security is enabled. If a hostname is given, it must be resolvable by the CPS VMs. No validation of hostnames/IP addresses is performed, so check each entry before applying. Both IPv4 and IPv6 addresses can be specified.
- MongoDB Replication Health Monitoring: For more information, refer to MongoDB Replication Health Monitoring.
- This section defines CPS system users.
- The username of this user.
- The password must be encrypted for this user. For more information, refer to the System Password Encryption section in the CPS Installation Guide for VMware. For High Availability (HA) environments or Geographic Redundancy (GR) environments, the password entered here in the spreadsheet is not used even if you specify one. You must set the password for the user prior to first access by connecting to the Cluster Manager after deployment and running the
- This section defines the groups to which this user belongs.
- List each group on a separate line.
- This section defines the hypervisor users.
- The username of a user with root access to the host/blade. If installing CPS to multiple blade servers, it is assumed that the same username and password can be used for all blades.
- The password for this user. To pass special characters, replace them with their "%Hex ASCII" equivalent (URL encoding). For example, "$" becomes "%24", so "hello$world" becomes "hello%24world".
- This section defines additional CPS system users, such as those given access to Control Center.
- The username of this user.
- The clear text password for this user.
- This section defines the groups to which this user belongs.
- List each group on a separate line.
- This section is used to enter the CPS license information. Contact your Cisco representative to receive your CPS license key(s).
- The name of the feature license, for example: "MOBILE_CORE".
- The license key for this feature.
- This section defines the CPS MongoDB replica sets.
- The database for which the replica set is being created.
- The name of the replica set.
- MongoDB operations log (oplog) size, in MB. Default: 5120
- The hostnames and ports of the arbiter.
- The data directory on the arbiter VM.
- The list of members for the replica set. Each list element is a session manager hostname:port. For example, sessionmgr01:27718.
- List each member hostname:port on a separate line.
- The data directory path on the Session Manager VM.
- For more information, refer to LDAP SSSD.
- This parameter is used to enable/disable Prometheus in CPS. Default: disabled. Possible values: enabled, disabled. For more information, refer to the Graphite/Prometheus and Grafana chapter in the CPS Operations Guide.
- This parameter is used to configure statistics granularity in seconds. Default: 10 seconds. Possible values: positive number. For more information, refer to the Graphite/Prometheus and Grafana chapter in the CPS Operations Guide.
- DSCP Configuration: For more information, refer to DSCP Configuration.
- Critical Files Configuration: For more information, refer to Critical File Monitoring Configuration.
- This parameter is used to enable or disable service log on tmpfs. Currently, this is supported only on Policy Director (LB), Policy Server (QNS) and UDC VMs. Default: false. Possible values: true, false. If this parameter is not configured, the value defaults to false. For more information, refer to Service Log on tmpfs.
- This parameter is used to configure additional processes on OAM (pcrfclient) VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- This parameter is used to configure additional processes on Policy Director (LB) VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- This parameter is used to configure additional processes on Policy Server (QNS) VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- This parameter is used to configure additional processes on sessionmgr VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- This parameter is used to configure additional processes on UDC VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- This parameter is used to configure additional processes on LWR VMs. Multiple processes can be defined as an array (list). By default, the following processes are monitored:
- 1 or undefined: CPS Java processes are run by Zulu on Policy Server (QNS), Policy Director (LB), and UDC VMs. 2: CPS Java processes are run by Zing on Policy Server (QNS), Policy Director (LB), and UDC VMs in OpenStack. To disable Zing, refer to Enable Zulu. For more information, refer to Performance Mode.
- This parameter is used to prevent primary flapping from impacting the remote sites. Default: false. For more information, refer to Enable Health Check to Prevent Flapping.
- This parameter is used to specify the list of Diameter endpoints that are enabled for Policy Director (LB) HAProxy balancing. For more information, refer to HAProxy Connection Balancing.
- This parameter is used to update /etc/sudoers with CPS entries on the Cluster Manager. Default: false. Possible values: true, false
- This parameter is used to specify the threshold value for Gx CCR-I response time in the Gx Average Message processing Dropped alarm. Default: 20 ms. For alarm information, refer to Gx Average Message processing Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for Gx CCR-U response time in the Gx Average Message processing Dropped alarm. Default: 20 ms. For alarm information, refer to Gx Average Message processing Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for Gx CCR-T response time in the Gx Average Message processing Dropped alarm. Default: 20 ms. For alarm information, refer to Gx Average Message processing Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for the Percentage of LDAP retry threshold Exceeded alarm. Default: 10%. For alarm information, refer to Percentage of LDAP retry threshold Exceeded in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for the LDAP Requests as percentage of CCR-I Dropped alarm. Default: 25%. For alarm information, refer to LDAP Requests as percentage of CCR-I Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for the LDAP Query Result Dropped alarm. Default: 0 (recommended). For alarm information, refer to LDAP Query Result Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- This parameter is used to specify the threshold value for the LDAP Requests Dropped alarm. Default: 0. For alarm information, refer to LDAP Requests Dropped in the CPS SNMP, Alarms, and Clearing Procedures Guide.
- clientAliveInterval: For example: clientAliveInterval, 500. Default value is 0 (zero).
- This parameter is used to specify an exact value of the shard count for PCRF Shards. Diagnostics shows the result for each of the shards: Pcrf shards: Expected shards count: <Num> Actual shards count: <Num> [PASS] or [FAIL]
- This parameter is used to specify an exact value of the shard count for UDC Shards.
- This parameter is used to specify an exact value of the shard count for PCRF SkShards.
LDAP SSSD
Note: For LDAP SSSD a routable IP is required. The LDAP server must be accessible from the CPS VMs (the LDAP clients).
Parameter descriptions:
- When set to true, installs LDAP SSSD on all CPS VMs. When set to false, installs LDAP SSSD only on the pcrfclient and Policy Director (lb) VMs.
- When set to true, applies the SSSD configuration as per the input provided by the user. When set to false, the default configuration is used.
- Contains the server IP:port to configure LDAP. Format: ldaps://<serverip>:<port>
- Required for SSSD configuration. The default base DN to use for performing LDAP user operations. Format: ou=users,dc=cisco,dc=com
- The default bind DN to use for performing LDAP operations. Format: uid=admin,ou=system
- The authentication token for the default bind DN. Currently, only clear text passwords are supported, so restrict read access to the configuration file accordingly. For example, secret
- The default LDAP user to be configured in the LDAP server. For example, admin
- The default LDAP user OU. For example, users
- The default LDAP group OU. For example, groups
- The LDAP attribute that corresponds to the group name. For example, Admin
- The user group that has editor access to Grafana. For example, User
- A single entity of all domains. Format: dc=cisco,dc=com
After migration from CPS 13.x.x or CPS 14.x.x to CPS 18.2.0, the LDAP SSSD configuration is installed only on the default VMs (pcrfclient/lb) and not on all VMs. You need to configure LDAP SSSD on all the other VMs.
Once the LDAP SSSD configuration is complete, you need to authenticate the LDAP certificate. For more information, refer to the LDAP SSSD Configuration section in the CPS Installation Guide for VMware.
If you are migrating from a lower version such as CPS 13.x.x to CPS 18.x.x and you do not want LDAP SSSD, set the LDAP parameters as follows in the YAML file:
  ldapOnAll: false
  ldapEnabled: false
After the modification, run import_deploy.sh so that LDAP SSSD is not installed by default.
For more information about LDAP SSSD certificate authentication and troubleshooting, refer to the LDAP SSSD Configuration section in the CPS Installation Guide for VMware.
Redis Authentication for Upgrading/Migrating Systems
Caution: Enabling or disabling Redis authentication for upgraded or migrated systems requires application downtime.
In each procedure below the password is passed on the command line, so it is visible in the process list and in the shell history while the script runs; clear the history afterwards.
Change Redis User Password
- Modify the password using the config PATCH API.
- Wait for the patch task to complete.
- Run the redis_auth_upgrade.sh script to change the password, providing the old plain text password:
  /var/qps/bin/support/redis/redis_auth_upgrade.sh -c <old_plaintext_password>
- Restart all the Java processes.
Disable Redis Authentication
- Modify Redis authentication using the config PATCH API.
- Wait for the patch task to complete.
- Run the redis_auth_upgrade.sh script to disable authentication, providing the plain text password:
  /var/qps/bin/support/redis/redis_auth_upgrade.sh -d <plaintext_password>
- Restart all the Java processes.
Enable Redis Authentication
- Modify Redis authentication using the config PATCH API.
- Wait for the patch task to complete.
- Run the redis_auth_upgrade.sh script to enable authentication, providing the old plain text password:
  /var/qps/bin/support/redis/redis_auth_upgrade.sh -e <plaintext_password>
- Restart all the Java processes.
DSCP Configuration
You can configure DSCP bits using DSCP class or DSCP value on the following for IPv4 and/or IPv6:
Parameter | Description
---|---
vmRole | This parameter specifies the VM type. Valid values are: lb, pcrfclient, qns, sessionmgr, udc.
ipFamily | This parameter specifies ipv4 or ipv6. If not configured, both ipv4 and ipv6 are used.
outInterface | This parameter specifies the interface name, for example eth0/eth1. If not configured, DSCP marking is applied to any interface.
protocol | This parameter specifies tcp/udp and so on. If not configured, DSCP marking is applied to any protocol.
destIp | This parameter specifies the destination IP.
destPort | This parameter specifies the destination port.
sourcePort | This parameter specifies the source port.
dscpClass | This parameter specifies the DSCP class. Supported values are: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef
dscpValue | This parameter specifies the DSCP value.
Retrieve the Current Configuration Change for DSCP
To retrieve (GET) the current CPS cluster configuration that is loaded on the CPS Cluster Manager:
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Example Response (YAML format), showing the dscpconfig section:
  dscpconfig:
  - vmRole: "qns"
    ipFamily: ""
    outInterface: "eth0"
    protocol: "tcp"
    sourcePort: ""
    destIp: ""
    destPort: "80"
    dscpClass: ""
    dscpValue: "0x12"
For a response showing an example configuration file, refer to the Sample YAML Configuration File - HA Setup section in this document.
Retrieve the Current DSCP Configuration
To retrieve (GET) the current DSCP configuration:
- Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/dscp-config
  Note: If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
- Header: Content-Type: application/yaml
- Method: GET
- Payload: There is no payload.
- Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format), HA Setup:
# curl -s http://installer:8458/api/system/config/dscp-config
---
- vmRole: "qns"
  ipFamily: ""
  outInterface: "eth0"
  protocol: "tcp"
  sourcePort: ""
  destIp: ""
  destPort: "80"
  dscpClass: ""
  dscpValue: "0x12"
- vmRole: ""
  ipFamily: ""
  outInterface: "eth0"
  protocol: "udp"
  sourcePort: ""
  destIp: ""
  destPort: "5405"
  dscpClass: "af21"
  dscpValue: ""
For a response showing an example configuration file, refer to the Sample YAML Configuration File - HA Setup section in this document.
Load Updated DSCP Configuration
This API is used to load an updated DSCP configuration on the CPS Cluster Manager:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/dscp-config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PUT
-
Payload: Include the YAML configuration file in the PUT request. The entire contents of the DSCP configuration must be included. Refer to Sample YAML Configuration File - HA Setup section in this document for more information about this configuration file.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response: The updated contents of dhcp.pp, reinit are returned in the response in YAML format.
Example Response (YAML format): HA Setup
---
- vmRole: "sessionmgr"
  ipFamily: ""
  protocol: "tcp"
  sourcePort: ""
  destIp: ""
  destPort: ""
  outInterface: "eth3"
  dscpClass: "af11"
  dscpValue: ""
Note
If you pass an empty payload, all DSCP rules are removed (that is, the DSCP configuration is disabled).
Critical File Monitoring Configuration
You can configure the critical file names to be monitored for write, execute or any other attribute changes.
Important
Critical Files configuration is specific to the Cluster Manager. If you are using a Geographic Redundancy configuration, you need to apply the configuration on all the Cluster Managers.
Parameter | Description
---|---
fileToBeMonitored | File name with the absolute path of the file that needs to be monitored.
actionToBeMonitored | Action on the file that needs to be monitored. Supported options are w (write), x (execute) and a (attribute changes), which can be combined, for example wxa.
Important
File monitoring for the read operation is not supported.
Rules configured in the CriticalFilesMonConfig section of the YAML file are added to the #BEGIN_CPS_AUDIT_RULES and #END_CPS_AUDIT_RULES block in the /etc/audit/rules.d/audit.rules file on the Cluster Manager VM.
Sample output of AUDIT block in audit.rules:
#BEGIN_CPS_AUDIT_RULES
-w /etc/hosts -p wxa -k watch_critical_files
-w /etc/broadhop.profile -p wxa -k watch_critical_files
#END_CPS_AUDIT_RULES
Important
Do not modify the rules in
You can add custom rules to the /etc/audit/rules.d/audit.rules file outside of the #BEGIN_CPS_AUDIT_RULES and #END_CPS_AUDIT_RULES block, but no notification (SNMP trap) is sent for those rules.
Note
An SNMP alarm with version v2c or v3 is generated based on the SNMP configuration done in the YAML file. There is no clear alarm.
The audit daemon logs all audit events to the /var/log/audit/audit.log file without delay. The /var/qps/install/current/scripts/bin/support/snmp-traps/vm-traps/gen-crit-file-mod-traps.py script monitors the audit.log file for any file modification events since the last execution of the script and sends traps for all the events that occurred during this time. The last execution time of gen-crit-file-mod-traps.py is stored in /var/tmp/lastGenCritFileModExeTime. If the file does not contain an entry for the last execution, or the file is not present, traps are sent for the events that occurred during the last 60 seconds. These traps are available in the /var/log/snmp/trap file on the active Policy Director (lb) VM.
You can execute the following command on Cluster Manager VM to validate particular audit logs:
ausearch -i -k watch_critical_files
Sample Output:
type=PROCTITLE msg=audit(08/26/2018 18:53:56.834:250) : proctitle=vim /etc/hosts
type=PATH msg=audit(08/26/2018 18:53:56.834:250) : item=1 name=/etc/hosts inode=5245468
dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=CREATE
type=PATH msg=audit(08/26/2018 18:53:56.834:250) : item=0 name=/etc/ inode=5242881 dev=08:02
mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT
type=CWD msg=audit(08/26/2018 18:53:56.834:250) : cwd=/root/modified_iso
type=SYSCALL msg=audit(08/26/2018 18:53:56.834:250) : arch=x86_64 syscall=open success=yes
exit=3 a0=0x1c74390 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0644 a3=0x0 items=2 ppid=18335 pid=13946
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=pts0 ses=9 comm=vim exe=/usr/bin/vim key=watch_critical_files
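As an added example (not CPS code), the following Python mirrors the detection logic described above: it groups raw audit.log records by event, keeps only those keyed watch_critical_files and newer than the stored last-execution time, and falls back to the last 60 seconds when /var/tmp/lastGenCritFileModExeTime is missing or empty. The log lines are constructed, trap sending is replaced by returning the matched events, and the demo uses a temporary state file instead of the real path.

```python
"""Detect changes to critical files from raw audit.log records (added example, not CPS code)."""
import os
import re
import tempfile
from collections import defaultdict

WATCH_KEY = "watch_critical_files"                   # key set by -k in the audit.rules block
FALLBACK_WINDOW = 60.0                               # seconds examined when no run time is stored
STATE_FILE = "/var/tmp/lastGenCritFileModExeTime"    # where CPS stores the last execution time

# Raw record layout (not the 'ausearch -i' rendering shown above):
#   type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): key=value ...
MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of /var/log/audit/audit.log: a vim write to /etc/hosts (serial 250),
# a hit on an unrelated rule (251) and a chmod on /etc/shadow (252).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1535309636.834:250): arch=c000003e syscall=2 success=yes exit=3 a0=1c74390 a1=241 a2=1a4 a3=0 items=2 ppid=18335 pid=13946 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="vim" exe="/usr/bin/vim" key="watch_critical_files"
type=CWD msg=audit(1535309636.834:250):  cwd="/root/modified_iso"
type=PATH msg=audit(1535309636.834:250): item=0 name="/etc/" inode=5242881 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1535309636.834:250): item=1 name="/etc/hosts" inode=5245468 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1535309636.834:250): proctitle=76696D002F6574632F686F737473
type=SYSCALL msg=audit(1535309700.101:251): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd1 a1=241 a2=1a4 a3=0 items=1 ppid=100 pid=200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=10 comm="touch" exe="/usr/bin/touch" key="scratch_files"
type=PATH msg=audit(1535309700.101:251): item=0 name="/tmp/scratch" inode=12 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1535309750.500:252): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd2 a1=1a4 a2=0 a3=0 items=1 ppid=18335 pid=14001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9 comm="chmod" exe="/usr/bin/chmod" key="watch_critical_files"
type=PATH msg=audit(1535309750.500:252): item=0 name="/etc/shadow" inode=5245500 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Split one raw record into (timestamp, serial, type, fields); None if not an audit record."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    return float(m["ts"]), int(m["serial"]), m["type"], fields


def group_events(lines):
    """Collect the SYSCALL/PATH/... records of each event under its (timestamp, serial)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            ts, serial, rtype, fields = rec
            events[(ts, serial)].append((rtype, fields))
    return events


def critical_file_events(lines, last_exec_time, now):
    """Events keyed watch_critical_files that are newer than last_exec_time.

    When no time is stored (file absent or empty) only the last 60 seconds are examined.
    """
    since = now - FALLBACK_WINDOW if last_exec_time is None else last_exec_time
    hits = []
    for (ts, serial), records in sorted(group_events(lines).items()):
        if ts <= since:
            continue
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != WATCH_KEY:
            continue
        # Report the touched objects, not the PARENT directory entry (older auditd uses objtype=).
        files = [f["name"] for t, f in records
                 if t == "PATH" and (f.get("nametype") or f.get("objtype")) != "PARENT"]
        hits.append({"time": ts, "serial": serial, "files": files, "auid": syscall.get("auid"),
                     "exe": syscall.get("exe"), "comm": syscall.get("comm")})
    return hits


def read_last_exec_time(state_file=STATE_FILE):
    """Stored last-execution time, or None when the file is absent or has no entry."""
    try:
        with open(state_file) as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return None
    return float(text) if text else None


def write_last_exec_time(now, state_file=STATE_FILE):
    with open(state_file, "w") as fh:
        fh.write(f"{now:.3f}\n")


def run_check(lines, now, state_file=STATE_FILE):
    """One scheduled run: report the new events, then record this run's time for the next one."""
    hits = critical_file_events(lines, read_last_exec_time(state_file), now)
    write_last_exec_time(now, state_file)
    return hits


def demo():
    """Two consecutive runs over the sample log, using a temporary state file."""
    state = os.path.join(tempfile.mkdtemp(), "lastGenCritFileModExeTime")
    lines = SAMPLE_AUDIT_LOG.splitlines()
    first = [h["serial"] for h in run_check(lines, 1535309760.0, state)]   # no state: last 60 s only
    second = [h["serial"] for h in run_check(lines, 1535309900.0, state)]  # nothing newer than first run
    return first, second


if __name__ == "__main__":
    print(demo())
```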
Retrieve the Current CPS Cluster Configuration
To retrieve (GET) the current CPS cluster configuration that is loaded on the CPS Cluster Manager:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Example Response (YAML format): the response contains the following section, listing the configured files if any, or null if none are configured:
CriticalFilesMonConfig:
For a response showing an example configuration file refer to Sample YAML Configuration File - HA Setup section in this document.
Retrieve Critical File Monitoring Configuration
To retrieve (GET) the current configuration:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/critFileMon-config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/json
-
Method: GET
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -s http://installer:8458/api/system/config/critFileMon-config
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2018 11:08:57 GMT
Content-Type: text/yaml
Content-Length: 171
---
- fileToBeMonitored: "/etc/hosts"
  actionToBeMonitored: "wxa"
- fileToBeMonitored: "/etc/shadow"
  actionToBeMonitored: "xa"
- fileToBeMonitored: "/etc/passwd"
  actionToBeMonitored: "xa"
For a response showing an example configuration file refer to Sample YAML Configuration File - HA Setup section in this document.
Load Updated Critical File Monitoring Configuration
This API is used to load an updated critical file monitoring configuration on the CPS Cluster Manager:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/critFileMon-config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PUT
-
Payload: Include the YAML configuration file in the PUT request. The entire contents of the critical file monitoring config must be included. Refer to Sample YAML Configuration File - HA Setup section in this document for more information about this configuration file.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Sample command:
curl -i -X PUT http://installer:8458/api/system/config/critFileMon-config -H "Content-Type: application/yaml" --data-binary "@<input json file>"
Service Log on tmpfs
Retrieve the Current Service Log Configuration
To retrieve (GET) the current configuration:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: GET
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -s http://installer:8458/api/system/config/config | grep serviceLogTmpfsEnabled
serviceLogTmpfsEnabled: "1"
OR
# curl -s http://installer:8458/api/system/config | grep serviceLogTmpfsEnabled
serviceLogTmpfsEnabled: "1"
For a response showing an example configuration file refer to Sample YAML Configuration File - HA Setup section in this document.
Update Service Log Configuration
This API is used to update service log configuration on the CPS Cluster Manager:
# cat set_parm.json
---
serviceLogTmpfsEnabled: "true"
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PATCH
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@set_parm.json"
HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 02:53:11 GMT
Content-Length: 0
Configuring Invalid Parameter
When you add an invalid service log configuration on the CPS Cluster Manager:
# cat invalid_set.json
---
serviceLogTmpfsEnabled: "invalid"
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PATCH
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@perf.json"
HTTP/1.1 400 Bad Request
Date: Mon, 27 Aug 2018 02:58:20 GMT
Content-Type: text/yaml
Content-Length: 41
---
message: "Invalid serviceLogTmpfsEnabled mode."
Performance Mode
Retrieve the Current Performance Mode Configuration
To retrieve (GET) the current configuration:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: GET
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -s http://installer:8458/api/system/config/config | grep performanceMode
performanceMode: "1"
OR
# curl -s http://installer:8458/api/system/config | grep performanceMode
performanceMode: "1"
For a response showing an example configuration file refer to Sample YAML Configuration File - HA Setup.
Update Performance Mode Configuration
This API is used to update performance mode configuration on the CPS Cluster Manager:
# cat perf.json
---
performanceMode: "1"
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PATCH
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@perf.json"
HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 02:53:11 GMT
Content-Length: 0
Configuring Invalid Parameter
When you add an invalid performance mode configuration on the CPS Cluster Manager:
# cat perf.json
---
performanceMode: "3"
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/config
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/yaml
-
Method: PATCH
-
Payload: There is no payload.
-
Response Codes: 200 OK: success; 400: The request is invalid; 500: Server Error
Example Response (YAML format): HA Setup
# curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@perf.json"
HTTP/1.1 400 Bad Request
Date: Mon, 27 Aug 2018 02:58:20 GMT
Content-Type: text/yaml
Content-Length: 41
---
message: "Invalid performance mode."
Enable Health Check to Prevent Flapping
Procedure
Step 1
Verify the current setting:
curl -s http://installer:8458/api/system/config/config | grep preventPrimaryFlappingEnabled
preventPrimaryFlappingEnabled: "false"
Step 2
To enable the health check, create a configuration file (additionConfig.json) with:
# cat additionConfig.json
preventPrimaryFlappingEnabled: "true"
Step 3
Apply the configuration:
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@additionConfig.json"
Step 4
Monitor the configuration status:
curl -s http://installer:8458/api/system/config/status
Disable Health Check to Prevent Flapping
Procedure
Step 1
Verify the current setting:
curl -s http://installer:8458/api/system/config/config | grep preventPrimaryFlappingEnabled
preventPrimaryFlappingEnabled: "false"
Step 2
To disable the health check, create a configuration file (additionConfig.json) with:
# cat additionConfig.json
preventPrimaryFlappingEnabled: "false"
Step 3
Apply the configuration:
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@additionConfig.json"
Step 4
Monitor the configuration status:
curl -s http://installer:8458/api/system/config/status
HAProxy Connection Balancing
Enabling HAProxy Connection Balancing
-
Create a config JSON file with autoHaproxyBalancingList set to the diameter endpoint details:
cat set_parm.json
---
autoHaproxyBalancingList: "diameter-int1-vip diameter-int2-vip"
-
Apply the autoHaproxyBalancingList configuration:
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@set_parm.json"
-
Wait for a few minutes or monitor the configuration status:
curl -s http://installer:8458/api/system/config/status
Disabling HAProxy Connection Balancing
-
Create a JSON file with autoHaproxyBalancingList set to an empty value:
cat set_parm.json
---
autoHaproxyBalancingList: ""
-
Apply the autoHaproxyBalancingList configuration:
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@set_parm.json"
-
Wait for a few minutes or monitor the configuration status:
curl -s http://installer:8458/api/system/config/status
MongoDB Authentication Process
-
Change MongoDB user password:
  -
  Modify the password using the config PATCH API.
  -
  Wait for the process to complete.
  -
  Execute the change password script (/var/qps/install/current/scripts/modules/mongo_change_password.py) and enter the old password. Syntax:
  /var/qps/install/current/scripts/modules/mongo_change_password.py <old password>
-
Disable MongoDB authentication:
  -
  Modify the MongoDB authentication configuration using the config PATCH API.
  -
  Wait for the process to complete.
  -
  Execute the disable MongoDB authentication script:
  /var/qps/install/current/scripts/modules/mongo_auth_upgrade.py
-
Enable MongoDB authentication:
  -
  Modify the MongoDB authentication configuration using the config PATCH API.
  -
  Wait for the process to complete.
  -
  Execute the enable MongoDB authentication script:
  /var/qps/install/current/scripts/modules/mongo_auth_upgrade.py
Enable Zulu
To enable this feature:
-
Create a JSON file with performanceMode and set the value to 1.
cat perf.json
---
performanceMode: "1"
Note
If you are using Zing, to enable Zulu either change the performanceMode to 1 or remove the performanceMode parameter from the YAML file.
-
Apply the performanceMode configuration using PATCH.
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@perf.json"
-
Wait for a few minutes or monitor the config status using the following command:
curl -s http://installer:8458/api/system/config/status
MongoDB Replication Health Monitoring
CPS supports monitoring the secondary members of the replica sets, and if any of them lags behind the primary member, it recovers the member automatically. To support this functionality, a new script, auto_recovery_replica.sh, is added. The following parameters can be configured:
Parameter | Description
---|---
auto_replica_monitor | When set to true, it enables the script for monitoring of replica sets. When set to false, it removes the script monitoring from cron. Example: auto_replica_monitor,true. Default: false. Possible values: true, false
max_replica_lag_time | (Optional) The maximum number of seconds a secondary replica set member is allowed to lag behind its primary member. For example, if the value is set to 60, all the secondary members of the replica sets are allowed a maximum lag of 60 seconds. By default, the maximum allowed lag is 30 seconds.
auto_replica_cron_hour | (Optional) The hour interval at which cron triggers the replica set monitoring script. For example, if the value is set to 5, cron triggers the replica recovery script every 5th hour. Default: 5 hours. Possible range: 0 to 23 hours
auto_replica_cron_minute | (Optional) The minute interval for the cron job. For example, if the value is set to 30, cron triggers this script every 30th minute. Default: 30 minutes. Possible range: 0 to 59 minutes
-
Create a JSON file and add the auto_replica_monitor parameter. If required, you can add the optional parameters described in Table 1.
cat autoreplica.json
---
autoReplicaMonitor: "true"
maxReplicaLagTime: "60"
autoReplicaCronMinute: "45"
autoReplicaCronHour: "1"
-
To apply the parameters, run the following command:
curl -i -X PATCH http://installer:8458/api/system/config/config -H "Content-Type: application/yaml" --data-binary "@autoreplica.json"
Once the parameters are configured, you can check the configuration using the facter command and grepping for the respective values:
facter | grep auto
auto_replica_cron_hour => 1
auto_replica_cron_minute => 45
auto_replica_monitor => true
facter | grep max
max_replica_lag_time => 60
Sample YAML Configuration File - HA Setup
Use the following file as a template to create the YAML configuration file for your CPS deployment. Refer to Configuration Parameters - HA System section for a description of the available parameters.
Important
GuestNic must be populated as per the network VLAN defined on the Ethernet interfaces in the VMs.
Note
RADIUS-based policy control is no longer supported in CPS 14.0.0 and later releases, as the 3GPP Gx Diameter interface has become the industry-standard policy control interface.
#
# CPS system configuration
#
# CPS configuration is a YAML file with all the configuration required
# to bring up a new installation of CPS.
#
# This example file lists all possible configuration fields.
# Fields that are not marked as required can be left out of
# the configuration. Fields that are not provided will use
# the default value. If no default is indicated the default
# is an empty string.
# The version of the configuration file. The installation documentation
# for the version of the CPS you are installing will indicate which
# configuration version you must use.
# REQUIRED
configVersion: 1.0
# Configuration section for CPS hosts
# REQUIRED
hosts:
  # The host section must specify all hosts that are members of the CPS
  # deployment. Host entries consist of the following REQUIRED fields
  # name: the string to be used as a hostname for the VM
  # alias: the string to be used in hostname lookup for the VM
  # interfaces: Network details consisting of the following REQUIRED fields
  #   network: The network name which must match a VLAN name (see below)
  #   ipAddress: The interface address
  - name: "lb01"
    alias: "lb01"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.201"
      - network: "Management"
        ipAddress: "172.18.11.154"
      - network: "Gx"
        ipAddress: "192.168.2.201"
  - name: "lb02"
    alias: "lb02"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.202"
      - network: "Management"
        ipAddress: "172.18.11.155"
      - network: "Gx"
        ipAddress: "192.168.2.202"
  - name: "sessionmgr01"
    alias: "sessionmgr01"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.22"
      - network: "Management"
        ipAddress: "172.18.11.157"
  - name: "sessionmgr02"
    alias: "sessionmgr02"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.23"
      - network: "Management"
        ipAddress: "172.18.11.158"
  - name: "qns01"
    alias: "qns01"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.24"
  - name: "qns02"
    alias: "qns02"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.25"
  - name: "qns03"
    alias: "qns03"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.26"
  - name: "qns04"
    alias: "qns04"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.27"
  - name: "pcrfclient01"
    alias: "pcrfclient01"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.20"
      - network: "Management"
        ipAddress: "172.18.11.152"
  - name: "pcrfclient02"
    alias: "pcrfclient02"
    interfaces:
      - network: "Internal"
        ipAddress: "172.16.2.21"
      - network: "Management"
        ipAddress: "172.18.11.153"
# Configuration section for CPS VLANs
# REQUIRED
vlans:
  # VLAN entries consist of the following REQUIRED fields
  # name: The VLAN name. This name must be used in the "network" field
  #   of the host interfaces (see above)
  # vipAlias: Hostname associated with the vip
  # vip: Virtual IP used on this network, if any.
  # guestNic: The name of the interface specified in the host cloud config
  #   or the Heat definition.
  #
  - name: "Internal"
    vipAlias: "lbvip02"
    vip: "172.16.2.200"
    guestNic: "eth0"
  - name: "Management"
    vipAlias: "lbvip01"
    vip: "172.18.11.156"
  - name: "Gx"
    vipAlias: "gxvip"
    vip: "192.168.2.200"
# Configuration section for hosts not configured in the hosts section above.
# REQUIRED
additionalHosts:
  # additionalHosts entries consist of the following REQUIRED fields
  # name: The hostname
  # alias: The string to be used in the etc/host file.
  # ipAddress: The IP address to use in the etc/host file.
  #
  # the "arbitervip" to the pcrfclient01 internal ip is mandatory.
  #
  - name: "lbvip01"
    ipAddress: "172.18.11.156"
    alias: "lbvip01"
  - name: "lbvip02"
    ipAddress: "172.16.2.200"
    alias: "lbvip02"
  - name: "diam-int1-vip"
    ipAddress: "192.168.2.200"
    alias: "gxvip"
  - name: "arbitervip"
    ipAddress: "172.16.2.20"
    alias: "arbitervip"
# Configuration section for general configuration items.
# REQUIRED
config:
  # Do not change. See install documentation for details.
  # default: sys_user_0
  qpsUser: "sys_user_0"
  # Do not change. See install documentation for details.
  # default: disabled
  selinuxState: "disabled"
  # REQUIRED
  serviceLogTmpfsEnabled: "true"
  # REQUIRED
  lbProcMonList:
    - "whisper"
  pcrfProcMonList:
    - "corosync"
    - "whisper"
  # default: 1
  # Valid option:
  #   1 or undefined or less than 16 GB RAM on VM => QNS process is run
  #     by Zulu on QNS VMs
  #   2 => QNS process is run by Zing on QNS VMs
  performanceMode: "1"
  # REQUIRED
  cpuPriority: "-20"
  # Do not change. See install documentation for details.
  # default: targeted
  selinuxType: "targeted"
  # See install documentation for details.
  # default: broadhop
  broadhopVar: "broadhop"
  # Set true to enable TACACS+ authentication.
  # default: FALSE
  tacacsEnabled: "FALSE"
  # The IP Address of the TACACS+ server
  tacacsServer: "127.0.0.1"
  # The password/secret of the TACACS+ server.
  tacacsSecret: "CPE1704TKS"
  # A set of SNMP Network Management Stations.
  # NMS can be specified as IP addresses or
  # hostnames. Entries are space separated.
  # Hostnames must also be specified in Additional
  # Host configuration.
  # See install documentation for details.
  nmsManagers:
  # Low Memory alert threshold %.
  # default: 0.1 (10% free)
  freeMemPer: "0.1"
  # A space separated set of protocol:hostname:port
  # entries. UDP is the only supported protocol.
  # Example:
  #   udp:corporate_syslog_ip:514 udp:corporate_syslog_ip2:514
  syslogManagers:
  # A comma separated set of port values.
  # This must match values in the syslog_managers_list.
  # default: 514
  syslogManagersPorts: "514"
  # Port value for the rsyslog proxy server to listen
  # for incoming connections
  # default: 6515
  logbackSyslogDaemonPort: "6515"
  # IP address value used in the
  # /etc/broadhop/controlcenter/logback.xml
  # on the pcrfclient.
  # default: lbvip02
  logbackSyslogDaemonAddr: "lbvip02"
  # High CPU alert threshold.
  # The system will alert whenever the usage is
  # higher than this value.
  # default: 80
  cpuUsageAlertThreshold: "80"
  # Clear High CPU Trap threshold.
  # The system will generate a clear trap when a
  # High CPU trap has been generated and the CPU
  # usage is lower than this value.
  # default: 40
  cpuUsageClearThreshold: "40"
  # The number of 5 sec intervals to wait between
  # checking the CPU usage.
  # default: 12 (60 seconds)
  cpuUsageTrapIntervalCycle: "12"
  # The SNMP trap community string.
  snmpTrapCommunity: "broadhop"
  # The SNMP read community string.
  snmpRoCommunity: "broadhop"
  #
  monQnsLb:
    # The memory alert threshold (0.1 is 10%)
    freeMemoryPerAlert: "0.1"
    # The memory clear threshold (0.3 is 30%)
    freeMemoryPerClear: "0.3"
  #
  monitorReplicaTimeout: "540"
  # Enable SCTP
  # TRUE - feature enabled
  # FALSE - feature disabled
  sctpEnabled: "TRUE"
  # Enables or disables linux firewall on all VMs (IPtables).
  # default: disabled
  firewallState: "disabled"
  # enable SNMP V3.
  # If null, SNMP V3 is disabled.
  # To enable add the following:
  #   v3User: The SNMP V3 user: REQUIRED
  #   engineId: hex value (ie, 0x0102030405060708): REQUIRED
  #   authProto: SHA or MD5: REQUIRED
  #   authPass: at least 8 characters: REQUIRED
  #   privProto: AES or DES: REQUIRED
  #   privPass: OPTIONAL
  snmpv3:
    null
  #   v3User: "cisco_snmpv3"
  #   engineId: "0x0102030405060708"
  #   authProto: "SHA"
  #   authPass: "cisco_12345"
  #   privProto: "AES"
  #   privPass: ""
# Users
# There are different categories of users specified for the CPS.
# All users have the following fields:
#
# name: The user name. REQUIRED
# password: The password for the user. REQUIRED
#   The password will need to be either in cleartext or
#   encrypted. Please refer to Install documentation for details.
# groups: The groups for the user. Groups are specified as a list
#   of group names.
# System Users
# Note that there must be a system user named sys_user_0
sysUsers:
  - name: "qns"
    password: "$6$z5yv/Hf98NkO6Ven$5uramn6hvapA1Zq2AA4pA9ieDpKF7e9ICa0lFhFKrSwtRe7rPUdlyJ0La.dAW/Ws3CMlW2Ckr5GLNRhJU4XkC."
    groups:
      - pwauth
  - name: "qns-svn"
    password: "$6$z5yv/Hf98NkO6Ven$5uramn6hvapA1Zq2AA4pA9ieDpKF7e9ICa0lFhFKrSwtRe7rPUdlyJ0La.dAW/Ws3CMlW2Ckr5GLNRhJU4XkC."
  - name: "qns-ro"
    password: "$6$z5yv/Hf98NkO6Ven$5uramn6hvapA1Zq2AA4pA9ieDpKF7e9ICa0lFhFKrSwtRe7rPUdlyJ0La.dAW/Ws3CMlW2Ckr5GLNRhJU4XkC."
# Hypervisor Users
hvUsers:
  - name: "root"
    password: "CpS!^246"
# Other Users for the CPS
# e.g. Control Center Users
additionalUsers:
  - name: "admin"
    password: "qns123"
    groups:
      - qns
# Configuration section for feature licenses
# REQUIRED
licenses:
  # Licenses have the following required fields:
  # feature: The name of the feature license.
  # license: The license key for the feature.
  # - feature: "feature 1 Name"
  #   license: "license 1 key string"
  - feature: "MOBILE_CORE"
    license: "xxxxxxx"
  - feature: "RADIUS_AUTH"
    license: "xxxxxxx"
# Configuration section for mongo replica sets
# REQUIRED
replicaSets:
  #
  # Mongo replica sets have the following REQUIRED fields
  # <Mongo Set Identifier> : The database for which the replica
  #   set is being created.
  # setName: The name of the replica set
  # oplogSize: Mongo Oplog size
  # arbiters: The Arbiter hostnames and ports
  # arbiterDataPath: The data directory on the arbiter VM
  # members: List of members for the replica set. Each list element
  #   will be a session manager hostname:port
  # dataPath: The data directory path on the session manager VMs
  - title: SESSION-SET1
    setName: set01
    oplogSize: 5120
    arbiters:
      - "pcrfclient01:27717"
    arbiterDataPath: "/var/data/sessions.1"
    members:
      - "sessionmgr01:27717"
      - "sessionmgr02:27717"
    dataPath: "/var/data/sessions.1/1"
  - title: SESSION-SET2
    setName: set08
    oplogSize: 5120
    arbiters:
      - "pcrfclient01:37717"
    arbiterDataPath: "/var/data/sessions.1/2"
    members:
      - "sessionmgr01:37717"
      - "sessionmgr02:37717"
    dataPath: "/var/data/sessions.1/2"
    seeds: "sessionmgr01:sessionmgr02:37717"
  - title: BALANCE-SET1
    setName: set02
    oplogSize: 5120
    arbiters:
      - "pcrfclient01:27718"
    arbiterDataPath: "/var/data/sessions.2"
    members:
      - "sessionmgr01:27718"
      - "sessionmgr02:27718"
    dataPath: "/var/data/sessions.2"
  - title: REPORTING-SET1
    setName: set03
    oplogSize: 5120
    arbiters:
      - "pcrfclient01:27719"
    arbiterDataPath: "/var/data/sessions.3"
    members:
      - "sessionmgr01:27719"
      - "sessionmgr02:27719"
    dataPath: "/var/data/sessions.3"
  - title: SPR-SET1
    setName: set04
    oplogSize: 3072
    arbiters:
      - "pcrfclient01:27720"
    arbiterDataPath: "/var/data/sessions.4"
    members:
      - "sessionmgr01:27720"
      - "sessionmgr02:27720"
    dataPath: "/var/data/sessions.4"
  - title: AUDIT-SET1
    setName: set05
    oplogSize: 3072
    arbiters:
      - "pcrfclient01:27725"
    arbiterDataPath: "/var/data/sessions.5"
    members:
      - "sessionmgr01:27725"
      - "sessionmgr02:27725"
    dataPath: "/var/data/sessions.5"
  - title: ADMIN-SET1
    setName: set06
    oplogSize: 3072
    arbiters:
      - "pcrfclient01:27721"
    arbiterDataPath: "/var/data/sessions.6"
    members:
      - "sessionmgr01:27721"
      - "sessionmgr02:27721"
    dataPath: "/var/data/sessions.6"
  - title: ADMIN-SET2
    setName: set07
    oplogSize: 3072
    arbiters:
      - "pcrfclient01:27731"
    arbiterDataPath: "/var/data/sessions.7"
    members:
      - "sessionmgr01:27731"
      - "sessionmgr02:27731"
    dataPath: "/var/data/sessions.7"
# Configuration section for LDAP/SSSD
ldapEnabled: "true"
ldapOnAll: true
ldapServer: "ldaps://<serverip>:10648"
ldapSearchBase: "ou=users,dc=cisco,dc=com"
ldapDefaultBindDn: "uid=admin,ou=system"
ldapSecret: "secret"
ldapDefaultUser: "admin"
ldapOuUser: "users"
ldapOuGroup: "groups"
ldapDefaultGroup: "Admin"
ldapDefaultGroupEditor: "User"
ldapDcName: "dc=cisco,dc=com"
# Configuration section for DSCP configuration
# OPTIONAL
dscpconfig:
  #
  # dscpconfig have the following fields
  # vmRole - VM type i.e lb/pcrfclient/qns/sessionmgr/udc
  # ipFamily - ipv4 or ipv6 and if empty then ipv4 & ipv6
  # outInterface - interface name i.e eth0/eth1, if empty then apply to any interfaces
  # protocol - tcp/udp/etc.., if empty then apply to any protocol
  # destIp - Specify Destination IP
  # destPort - Specify Destination Port
  # sourcePort - Specify Source Port
  # dscpClass - Specify DSCP class or value
  # dscpValue - Specify DSCP class or value
  - vmRole: "lb"
    protocol: "tcp"
    outInterface: "eth1"
    destPort: "27717"
    dscpClass: "af11"
  - vmRole: "lb"
    protocol: "udp"
    destIp: "1.1.1.1"
    destPort: "27717"
    dscpClass: "af12"
# Configuration section for Critical File Monitor configuration
#
# CriticalFilesConfig have the following fields
# FileToBeMonitored: Absolute path of file which needs to monitor.
# ActionToBeMonitored: Action for which file needs to monitor. Supported options are wxa (w - write, x - execute and a - attribute changes).
critFileMonConfig:
  - fileToBeMonitored: "/etc/hosts"
    actionToBeMonitored: "wxa"
  - fileToBeMonitored: "/etc/shadow"
    actionToBeMonitored: "xa"
  - fileToBeMonitored: "/etc/passwd"
    actionToBeMonitored: "xa"
/api/system/config/status
Purpose
This API retrieves the status of the individual install and deploy tasks run when a new or updated configuration is applied on the Cluster Manager VM.
This API can be called while the installation and deployment tasks are actively running.
The status reports:
-
timestamp: timestamp in milliseconds.
-
taskname: name of the individual task.
-
status: one of the following:
  -
  START: start of task.
  -
  INFO: general information about the task.
  -
  WARNING: error information about the task.
  -
  SUCCESS: task was successfully completed.
  -
  FAILURE: task failed and deployment failed.
-
details: information about this task.
Retrieve Deployment Status
To retrieve the deployment status:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/config/status
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/json
-
Method: GET
-
Payload: There is no payload.
-
Response Codes: 200 OK: success.
Example Response:
--- [ {"timestamp":"1454367943000","taskName":"CPS Installation","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"Cluman Setup","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"Cluman Setup","status":"SUCCESS","details":"Wait for Puppet to complete"}, {"timestamp":"1454367943000","taskName":"Post Install","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"SyncSvn","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"SyncSvn","status":"WARNING","details":"Failed to sync SVN."}, {"timestamp":"1454367943000","taskName":"SyncSvn","status":"SUCCESS","details":""}, {"timestamp":"1454367943000","taskName":"build_set","status":"START","details":"Building replica sets"}, {"timestamp":"1454367943000","taskName":"build_set","status":"INFO","details":"Wrote mongo config"}, {"timestamp":"1454367943000","taskName":"build_set","status":"INFO","details":"Syncing mongo config to other hosts"}, {"timestamp":"1454367943000","taskName":"build_set","status":"SUCCESS","details":"Replica sets have been created successfully"}, {"timestamp":"1454367943000","taskName":"SetPriority","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"SetPriority","status":"SUCCESS","details":""}, {"timestamp":"1454367943000","taskName":"AddAdditionalUsers","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"AddAdditionalUsers","status":"SUCCESS","details":""}, {"timestamp":"1454367943000","taskName":"Licenses","status":"START","details":""}, {"timestamp":"1454367943000","taskName":"Licenses","status":"SUCCESS","details":""}, {"timestamp":"1454367943000","taskName":"Post Install","status":"SUCCESS","details":""} ]
The deployment process is complete when the response contains an entry for the "Post Install" task with "status":"SUCCESS". Entries with "status":"WARNING" (such as the SyncSvn entry above) do not stop the deployment, but they should be reviewed before the cluster is put into service.
Note
The amount of time needed to complete the entire deployment process depends on the number of VMs being deployed, as well as the hardware on which it is being deployed. A typical deployment can take 45 minutes or more.
Startup status logs are written to: /var/log/startupStatus.log on the Cluster Manager VM.
API logs are written to: /var/log/orchestration-api-server.log
Refer to /api/system/status/cps to determine the readiness status of the CPS cluster.
/api/system/status/cps
Purpose
This API returns the readiness status of the CPS cluster.
Cluster Readiness
This API returns the "readiness" status of the CPS cluster.
The cluster is deemed "ready" when Puppet has run to completion on all VMs and the Replica set creation is complete on the Session Manager VMs. The Orchestrator can use this API to check when the cluster is ready so that it can then invoke the Service Creation APIs.
This API reports an aggregate status of MongoDB replica sets, qns processes, and the cluster (Puppet) for all VMs.
This API will timeout after 150 seconds.
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/status/cps
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/json
-
Method: GET
-
Payload: There is no payload.
-
Response:
The following example shows the readiness status for a CPS cluster:
{ "clusterStatus": "ready", "mongoStatus": "ready", "qnsStatus": "ready" }
mongoStatus and clusterStatus can report "ready", "not ready", or "error". qnsStatus can report "ready" or "not ready". If mongoStatus reports an "error" status, the clusterStatus also reports an "error" status.
If any database replica-sets are reporting "ok", but members are "off-line", mongoStatus reports "not ready".
If any of the replica-sets are down or in an error state, mongoStatus reports "error".
-
Error Codes:
- 200 OK: success
- 404: Unknown entity
- 500: Script config not found
- 500: CPS status job interrupted
- 500: CPS status job timeout
- 500: CPS status job termination interrupted
- 500: Failed retrieval of CPS status job results
API logs are written to: /var/log/orchestration-api-server.log
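The two status endpoints above are normally driven by an orchestrator that polls them rather than by a person reading the raw output. The following is an added example, not code from the Cisco documentation or from CPS itself: it reads the task list returned by /api/system/config/status to decide whether the deployment has finished (the "Post Install" task reporting SUCCESS) and to collect any WARNING entries, and it classifies a /api/system/status/cps body as ready, not ready or error. The polling loop sets its socket timeout above the API's own 150-second job timeout, so a 500 "CPS status job timeout" comes back from the server and is retried, while an "error" from mongoStatus or clusterStatus stops polling immediately, since the page says that reflects a replica set that is down. The Cluster Manager placeholder address, the function names, the polling interval and the abridged sample bodies are this example's own assumptions.

```python
"""Poll the CPS Orchestration API status endpoints and decide when the
deployment is complete and the cluster is ready.

Added example; not part of the Cisco CPS documentation. Response shapes,
state names and the 150 s server-side timeout come from the page; the
function names, intervals and sample data are this example's own.
"""
import json
import time
import urllib.error
import urllib.request

# Assumed Cluster Manager address; substitute the real IP. Use https://
# when HTTPS support has been enabled for the Orchestration API.
BASE_URL = "http://<Cluster Manager IP>:8458"


def get_json(base_url, path, timeout):
    """GET base_url + path and parse the body as JSON.

    An explicit Accept header is sent because some endpoints default to
    text/yaml (the page's config/status example even carries a YAML '---').
    """
    req = urllib.request.Request(base_url + path, method="GET",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def deployment_state(tasks):
    """Summarise a /api/system/config/status task list.

    Returns (complete, warnings): complete is True once the 'Post Install'
    task has reported SUCCESS; warnings lists (taskName, details) for every
    WARNING entry so they are not lost in a long task log.
    """
    complete = any(t["taskName"] == "Post Install" and t["status"] == "SUCCESS"
                   for t in tasks)
    warnings = [(t["taskName"], t["details"])
                for t in tasks if t["status"] == "WARNING"]
    return complete, warnings


def cluster_readiness(status):
    """Classify a /api/system/status/cps body as 'ready', 'error' or 'not ready'.

    All of clusterStatus, mongoStatus and qnsStatus must be 'ready'. Any
    'error' (a replica set down or in an error state) is a hard failure,
    not something to keep polling through. A missing key counts as not ready.
    """
    values = [status.get(k, "not ready")
              for k in ("clusterStatus", "mongoStatus", "qnsStatus")]
    if "error" in values:
        return "error"
    if all(v == "ready" for v in values):
        return "ready"
    return "not ready"


def wait_for_cluster(base_url, deadline_s=3600, interval_s=30):
    """Poll /api/system/status/cps until the cluster is ready.

    The API aborts its status job after 150 s and answers 500; the client
    timeout is set above that so the server, not the socket, decides, and a
    500 is treated as transient. 'error' raises immediately.
    """
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        try:
            status = get_json(base_url, "/api/system/status/cps", timeout=180)
        except urllib.error.HTTPError as exc:
            if exc.code == 500:  # status job interrupted or timed out; retry
                time.sleep(interval_s)
                continue
            raise
        verdict = cluster_readiness(status)
        if verdict == "ready":
            return status
        if verdict == "error":
            raise RuntimeError(f"cluster reports error: {status}")
        time.sleep(interval_s)
    raise TimeoutError("cluster not ready within deadline")


# Constructed sample bodies, abridged from the page's own examples.
SAMPLE_TASKS = [
    {"timestamp": "1454367943000", "taskName": "CPS Installation", "status": "START", "details": ""},
    {"timestamp": "1454367943000", "taskName": "SyncSvn", "status": "WARNING", "details": "Failed to sync SVN."},
    {"timestamp": "1454367943000", "taskName": "SyncSvn", "status": "SUCCESS", "details": ""},
    {"timestamp": "1454367943000", "taskName": "Post Install", "status": "SUCCESS", "details": ""},
]
SAMPLE_STATUS = {"clusterStatus": "ready", "mongoStatus": "ready", "qnsStatus": "ready"}

if __name__ == "__main__":
    print(deployment_state(SAMPLE_TASKS))
    print(cluster_readiness(SAMPLE_STATUS))
    # Live use against a reachable Cluster Manager:
    # wait_for_cluster(BASE_URL)
```

Running the file offline exercises the two classifiers on the embedded samples; uncomment the last call to drive a real Cluster Manager. Keep the 180-second client timeout above the API's 150-second job timeout, otherwise every slow status job surfaces as a client-side socket error instead of the server's 500 and the retry logic never sees it.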
/api/system
Purpose
This API is used to determine the current state of the CPS system and, if necessary, to override it when the reported state does not match the actual system state.
Many CPS orchestration APIs are accepted only when the CPS system is in a particular state. This API provides a method of overriding the reported API system state. It does not rectify or correct the underlying issue. For example, setting the state to pre_deploy does not un-deploy the CPS deployment.
API logs are written to: /var/log/orchestration-api-server.log
Retrieve the Current API State
To determine the current system state:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/json
-
Method: GET
-
Payload: There is no payload.
-
Response Codes: 200: OK.
Example Response:
{ "state": "pre_config" }
This API can be used at any time.
The following states can be reported:
-
pre_config: no configuration has been loaded onto the system (/api/system/config).
-
pre_deploy: a configuration has been loaded, but not applied (/api/system/config/action/apply).
-
deploying: the system is in the process of being deployed.
-
deployed: the system has finished the installation/deployment.
-
upgrading: the system is in the process of being upgraded.
-
busy: the system is currently processing an operation.
Override the Current API State
Caution
This API should only be used as directed by a Cisco representative. Improper use can cause irreparable harm to the CPS deployment.
To override the current system state:
-
Endpoint and Resource: http://<Cluster Manager IP>:8458/api/system/
Note
If HTTPS is enabled, the Endpoint and Resource URL changes from HTTP to HTTPS. For more information, see HTTPS Support for Orchestration API.
-
Header: Content-Type: application/json
-
Method: POST
-
Payload: JSON payload with the new state specified as one of pre_config, pre_deploy, deploying, deployed, or upgrading. For example:
{ "state": "pre_config" }
-
Response Codes: 400: Invalid state, please use: [pre_config, pre_deploy, deploying, deployed, upgrading]; 500: System error. See logs.
Example Response:
{ "state": "pre_config" }
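Because many orchestration APIs are only accepted in a particular state, a client should check the reported state before issuing them, and should never reach for the override casually. The following is an added example, not code from the Cisco documentation or from CPS: it gates a call on the state returned by GET /api/system/ and builds the override POST with the mandatory Content-Type header, rejecting locally any value outside the list the API's own 400 message enumerates. The function names, the example address and the decision to validate on the client are this example's own assumptions; the state names come from the page.

```python
"""Gate an Orchestration API call on the reported /api/system state and
build a state-override POST.

Added example; not from the Cisco CPS documentation. State names and the
valid-state list from the 400 message come from the page; function names
and client-side validation are this example's own choices.
"""
import json
import urllib.request

# States the API reports on GET. 'busy' is reported but cannot be set.
REPORTED_STATES = {"pre_config", "pre_deploy", "deploying", "deployed",
                   "upgrading", "busy"}
# States the override POST accepts, per the API's 400 error text.
SETTABLE_STATES = ["pre_config", "pre_deploy", "deploying", "deployed",
                   "upgrading"]


def require_state(state_body, *expected):
    """Return the reported state if it is one of `expected`, else raise.

    Call this with the parsed body of GET /api/system/ before invoking an
    API that is only accepted in a given state, so the caller fails fast
    with a clear message instead of a rejected request.
    """
    state = state_body.get("state")
    if state not in REPORTED_STATES:
        raise ValueError(f"unrecognised state in response: {state!r}")
    if state not in expected:
        raise RuntimeError(f"system is {state!r}, expected one of {expected}")
    return state


def override_state_request(base_url, new_state):
    """Build the POST /api/system/ request that overrides the reported state.

    Values outside SETTABLE_STATES are rejected here (the server would
    answer 400). Content-Type is mandatory for any request carrying a body.
    The override only changes what the API reports; it does not un-deploy
    or otherwise alter the cluster, and the page says to use it only as
    directed by Cisco. The request is returned, not sent, so the caller
    decides when (and whether) to urlopen() it.
    """
    if new_state not in SETTABLE_STATES:
        raise ValueError(f"Invalid state, please use: {SETTABLE_STATES}")
    body = json.dumps({"state": new_state}).encode("utf-8")
    return urllib.request.Request(
        base_url + "/api/system/",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
    )


if __name__ == "__main__":
    # Constructed GET body; a real run would parse the HTTP response.
    current = {"state": "pre_deploy"}
    print(require_state(current, "pre_deploy"))  # safe to call config apply
    req = override_state_request("http://192.0.2.10:8458", "pre_config")
    print(req.get_method(), req.full_url, req.data)
```

The request builder is deliberately separate from sending: in an automation pipeline the override should sit behind an explicit operator approval step, and returning the prepared request makes that boundary easy to enforce.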