Migration of Existing NSM Server from standalone to an Extended HA environment
The procedure below migrates an existing standalone NSM server setup to a 4-server HA environment where the GUI Server and Device Server are installed on different systems.
The procedure makes the following assumptions:
• The operating system on the existing environment and the new environment is the same (RedHat). The operating system versions do not need to match exactly.
• After the migration is complete, the devices will automatically connect to the new server. The IP address of the Device Server defined on the devices will not change.
• The IP address of the existing standalone NSM server will be assigned to the new Primary Device Server.
• The Primary GUI Server, Secondary GUI Server and Secondary Device Server will have new IP addresses.
• The version of NSM is the same on the current installation and the new installation.
• Only the NSM database is transferred; logs that are stored on the existing NSM Device Server are not transferred.
• Only the current version of the DB is migrated to the new setup. All other versioning information will not be migrated to the new setup.
• The procedure below is applicable to NSM versions 2008.1r1 and above only.

Step 1: Installation of NSM 4 server extended HA environment
• Follow the procedure in the NSM install guide and install the new environment as an extended HA with 4 servers.
• During the installation there will be several prompts requesting a password. Provide all the passwords as “netscreen”.
• Make sure the Primary Device Server is set up with the existing standalone server IP address. This install may need to be performed in an isolated network, as re-using the current standalone server IP for the new Primary Device Server may cause an IP conflict.
• After the installation is complete, establish the trust relationship between the primary and secondary servers. Follow the instructions provided in the KB article http://kb.juniper.net/KB11653 for setting up trust relations between the GUI servers and DEV servers.
• Once the above procedure is complete, you will have a fresh install of the GUI Server and Device Server in a 4-server HA environment.
• After the above is complete, shut down all the NSM processes on all 4 servers (/etc/init.d/haSvr stop).
• Execute /usr/netscreen/GuiSvr/utils/.xdbViewEdit.sh on the Primary GUI Server and choose the read-only option.
• Select option 4 and copy the contents of the containers below:
    - 0.server
    - 0.shadow_server
• Choose option 10 to quit.
• Do not start the NSM processes on any of the 4 servers.
© Juniper Networks, Inc.
NSM Server Migration – Standalone to Extended H.A (4 server)

Step 2: Perform the DB export of the Standalone NSM database
• Log in to the standalone NSM server as the root user.
• Stop all the NSM processes on the standalone NSM server.
    /etc/init.d/haSvr stop
    /etc/init.d/guiSvr stop
    /etc/init.d/devSvr stop
• Execute the commands below to take a backup of the NSM database from the GUI Server. Make sure there is enough space available under /tmp to export the DB.
    cd /usr/netscreen/GuiSvr/utils/
    ./xdbExporter.sh /usr/netscreen/GuiSvr/var/xdb/ /tmp/XDB_STANDALONE.XML
• The DB export is created; the file /tmp/XDB_STANDALONE.XML contains the NSM database.
• Compress the DB export using the command below. The -C /tmp option stores the file under its bare name, so that it unpacks to /tmp/XDB_STANDALONE.XML when the archive is extracted from /tmp in Step 3.
    tar -zcvf STANDALONE_DB_EXPORT.tar.gz -C /tmp XDB_STANDALONE.XML
• Transfer the file STANDALONE_DB_EXPORT.tar.gz to a place where it can be retrieved later.
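
The following is an added example, not part of the Juniper procedure: shell functions that check free space before the export, pack the export with owner-only permissions, and verify the archive before it is unpacked on the Primary GUI Server. It goes beyond the steps above by adding a SHA-256 manifest for the transfer. The function names are hypothetical, and GNU tar, sha256sum and awk are assumed on both servers.

```bash
#!/bin/bash
# Added example (not Juniper tooling); function names are hypothetical.
# Assumes GNU tar, coreutils sha256sum and awk on both servers.

# has_room SRC_DIR DEST_DIR [FACTOR]
# True if DEST_DIR's filesystem has at least FACTOR x the KiB used by SRC_DIR.
# FACTOR is an assumed safety margin; the XML export size is not known up front.
has_room() {
    local need avail
    need=$(du -sk "$1" 2>/dev/null | awk '{print $1}')
    avail=$(df -Pk "$2" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$need" ] && [ -n "$avail" ] || return 1   # fail closed on bad paths
    [ "$avail" -ge $(( need * ${3:-1} )) ]
}

# pack_export XML_FILE ARCHIVE
# Archive the export under its bare file name (-C), readable by owner only,
# and write ARCHIVE.sha256 beside it for the later transfer.
pack_export() {
    local xml=$1 out=$2
    ( umask 077
      tar -zcf "$out" -C "$(dirname "$xml")" "$(basename "$xml")" &&
      cd "$(dirname "$out")" &&
      sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# unpack_export ARCHIVE DEST_DIR EXPECTED_NAME
# Returns 1 if the checksum does not match, 2 if the archive holds anything
# other than the one expected member (e.g. a stored tmp/ path prefix).
unpack_export() {
    local arc=$1 dest=$2 want=$3
    ( cd "$(dirname "$arc")" &&
      sha256sum -c --status "$(basename "$arc").sha256" ) || return 1
    [ "$(tar -ztf "$arc")" = "$want" ] || return 2
    tar -zxf "$arc" -C "$dest"
}
```

Copy the .sha256 file together with the archive so that the check can run on the Primary GUI Server before the import.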

Step 3: Restore the GUI Server database
• Log in to the Primary GUI Server as the root user.
• Retrieve the file STANDALONE_DB_EXPORT.tar.gz that was backed up from the standalone NSM server and copy it to /tmp on the Primary GUI Server.
• Make sure all the processes are down on all 4 servers (/etc/init.d/haSvr status, /etc/init.d/guiSvr status and /etc/init.d/devSvr status).
• Execute the commands below to import the DB. The last command may take several minutes to load the DB.
    cd /tmp
    tar -zxvf STANDALONE_DB_EXPORT.tar.gz
    chmod 777 /tmp/XDB_STANDALONE.XML
    chown nsm:nsm /tmp/XDB_STANDALONE.XML
    cd /usr/netscreen/GuiSvr/utils
    ./xdifImporter.sh /tmp/XDB_STANDALONE.XML /usr/netscreen/GuiSvr/var/xdb/init
• Start the HA Server process on the Primary GUI Server only, by executing the command below.
    /etc/init.d/haSvr start
• Once the GUI Server processes are up, log in to the GUI via the NSM client. Use the old admin username and password for login.
• Once logged in to the NSM GUI, modify the GUI Server and DEV Server IP address information by browsing to Administrator -> Server Manager -> Servers.
• In this window, the old NSM IP addresses will be displayed for the GUI and Device Servers, since the imported DB is from the standalone NSM server. Double-click on the GUI Server to modify the GUI Server IP address as shown below.
Note: After changing to GUI Server Cluster and clicking OK, if an error window pops up, click Ignore in the pop-up window.
• Now double-click on the GUI Server entry one more time and follow the steps below to enter the Secondary GUI Server IP address.
• Now double-click on the Device Server entry to configure new IP addresses for the Primary and Secondary Device Server as shown below.
• Restart the HA Server processes on the Primary GUI Server.
    /etc/init.d/haSvr stop
    /etc/init.d/haSvr start
• Log in to the Secondary GUI Server as user root via ssh.
• Edit the file /usr/netscreen/GuiSvr/var/guiSvr.cfg. In this file there is a parameter “clientOneTimePassword”; make sure the password specified here is “netscreen”. If the password shown is different, change it to “netscreen”.

Step 4: Device Server Configuration verification
• Log in to the Primary Device Server as the root user.
• Edit the file /usr/netscreen/DevSvr/var/devSvr.cfg. In this file there is a parameter “clientOneTimePassword”; make sure the password matches the devSvr one-time password saved in Step 1, bullet 8.
• Perform the same step on the Secondary Device Server and correct the “clientOneTimePassword” if needed in the file /usr/netscreen/DevSvr/var/devSvr.cfg.
• Start the HA Server process on the Primary Device Server by executing the command below.
    /etc/init.d/haSvr start

Step 5: Confirm the new setup
• Log in using the NSM GUI and enter the IP address of the Primary GUI Server. Log in using the NSM administrator ID “super”.
• Select Server Manager and confirm that the GUI Server and Device Server are displayed in green as OK. The active server must be displayed as primary and the secondary server must be displayed as “timed-out”.
• Select Realtime Monitor -> Device Monitor and confirm that the devices are displayed as UP.
• Perform the “Summarize Delta Configuration” directive and confirm that the configuration is up to date. You might see NSM trying to push the Secondary Device Server IP configuration to the firewall in the delta config. Perform Update Device to push the Secondary Device Server IP to the devices.
• Start the processes on the Secondary GUI Server and Secondary Device Server by executing the command below.
    /etc/init.d/haSvr start
• Verify in the NSM GUI under Server Manager that the active server is displayed as primary and the secondary server is displayed as standby.
• Wait for the replication to complete. Depending on the size of the DB, replication may take anywhere from 10 minutes to an hour. To confirm that replication is complete, run the commands below on the CLI of one of the GUI servers.
    cd /usr/netscreen/haSvr/utils
    ./haStatus
  (This command provides the DB sync status. DB replication should show up as In-Sync. If the status doesn’t change for a long time, contact JTAC for assistance.)
• Proceed to Step 6 only after verifying that the replication is complete.

Step 6: Confirm failover
• Log in to the Primary Device Server and Primary GUI Server as the root user.
• Stop the HA Server on the Primary GUI Server and Primary Device Server by executing the command below.
    /etc/init.d/haSvr stop
• Log in to the NSM Secondary GUI Server using the NSM GUI.
• Select Server Manager and confirm that the GUI Server and Device Server are displayed in green as OK. The active server must be displayed as secondary and the primary server must be displayed as “timed-out”.
• Select Realtime Monitor -> Device Monitor and confirm that the devices are displayed as UP (Step 5, bullet 3 must be performed in order for devices to connect to the Secondary Device Server).
• Perform the “Summarize Delta Configuration” directive and confirm that the configuration is up to date.
• Start the processes on the Primary GUI Server and Primary Device Server by executing the command below.
    /etc/init.d/haSvr start
• Verify in the NSM GUI under Server Manager that the active server is displayed as secondary and the primary server is displayed as standby.